diff --git a/CHANGELOG.md b/CHANGELOG.md
index c61739843..ebfa61787 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -24,7 +24,10 @@ Versioning](https://semver.org/spec/v2.0.0.html).
 - Added a utility script to make it easier for maintainers to propose releases,
   regardless of the git remote configuration. See the previously closed
   [issue](https://github.com/ComplianceAsCode/compliance-operator/issues/8) for
-  more details.
+
+- There was a regression in `quay.io/compliance-operator/test-broken-content:kubelet_default`
+  on OCP 4.12 cluster, which caused the e2e test to fail. Since we have fix the test image,
+  here we updated datastream xml files for the test content image.
 
 ### Deprecations
 
diff --git a/images/testcontent/kubelet_default/ssg-eks-ds.xml b/images/testcontent/kubelet_default/ssg-eks-ds.xml
deleted file mode 100644
index 4d1079d7a..000000000
--- a/images/testcontent/kubelet_default/ssg-eks-ds.xml
+++ /dev/null
@@ -1,8343 +0,0 @@
-<?xml version="1.0"?>
-<ds:data-stream-collection xmlns:cat="urn:oasis:names:tc:entity:xmlns:xml:catalog" xmlns:cpe-dict="http://cpe.mitre.org/dictionary/2.0" xmlns:cpe-lang="http://cpe.mitre.org/language/2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2" xmlns:html="http://www.w3.org/1999/xhtml" xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xmlns:linux="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" xmlns:ocil="http://scap.nist.gov/schema/ocil/2.0" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:unix="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="scap_org.open-scap_collection_from_xccdf_ssg-eks-xccdf-1.2.xml" schematron-version="1.3">
-  <ds:data-stream id="scap_org.open-scap_datastream_from_xccdf_ssg-eks-xccdf-1.2.xml" scap-version="1.3" use-case="OTHER">
-    <ds:dictionaries>
-      <ds:component-ref id="scap_org.open-scap_cref_ssg-eks-cpe-dictionary.xml" xlink:href="#scap_org.open-scap_comp_ssg-eks-cpe-dictionary.xml">
-        <cat:catalog>
-          <cat:uri name="ssg-eks-cpe-oval.xml" uri="#scap_org.open-scap_cref_ssg-eks-cpe-oval.xml"/>
-        </cat:catalog>
-      </ds:component-ref>
-    </ds:dictionaries>
-    <ds:checklists>
-      <ds:component-ref id="scap_org.open-scap_cref_ssg-eks-xccdf-1.2.xml" xlink:href="#scap_org.open-scap_comp_ssg-eks-xccdf-1.2.xml">
-        <cat:catalog>
-          <cat:uri name="ssg-eks-oval.xml" uri="#scap_org.open-scap_cref_ssg-eks-oval.xml"/>
-          <cat:uri name="ssg-eks-ocil.xml" uri="#scap_org.open-scap_cref_ssg-eks-ocil.xml"/>
-        </cat:catalog>
-      </ds:component-ref>
-    </ds:checklists>
-    <ds:checks>
-      <ds:component-ref id="scap_org.open-scap_cref_ssg-eks-oval.xml" xlink:href="#scap_org.open-scap_comp_ssg-eks-oval.xml"/>
-      <ds:component-ref id="scap_org.open-scap_cref_ssg-eks-ocil.xml" xlink:href="#scap_org.open-scap_comp_ssg-eks-ocil.xml"/>
-      <ds:component-ref id="scap_org.open-scap_cref_ssg-eks-cpe-oval.xml" xlink:href="#scap_org.open-scap_comp_ssg-eks-cpe-oval.xml"/>
-    </ds:checks>
-  </ds:data-stream>
-  <ds:component id="scap_org.open-scap_comp_ssg-eks-cpe-dictionary.xml" timestamp="2022-08-11T18:55:42">
-    <cpe-dict:cpe-list xsi:schemaLocation="http://cpe.mitre.org/dictionary/2.0 http://cpe.mitre.org/files/cpe-dictionary_2.1.xsd">
-      <cpe-dict:cpe-item name="cpe:/a:amazon:elastic_kubernetes_service:1">
-        <cpe-dict:title xml:lang="en-us">Amazon Elastic Kubernetes Service</cpe-dict:title>
-        <cpe-dict:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-eks-cpe-oval.xml">oval:ssg-installed_app_is_eks:def:1</cpe-dict:check>
-      </cpe-dict:cpe-item>
-      <cpe-dict:cpe-item name="cpe:/a:amazon:elastic_kubernetes_service_node:1.21">
-        <cpe-dict:title xml:lang="en-us">Amazon Elastic Kubernetes Service 1.21</cpe-dict:title>
-        <cpe-dict:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-eks-cpe-oval.xml">oval:ssg-installed_app_is_eks_1_21:def:1</cpe-dict:check>
-      </cpe-dict:cpe-item>
-      <cpe-dict:cpe-item name="cpe:/o:amazon:elastic_kubernetes_service_node:1">
-        <cpe-dict:title xml:lang="en-us">Amazon Elastic Kubernetes Service Node</cpe-dict:title>
-        <cpe-dict:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-eks-cpe-oval.xml">oval:ssg-installed_app_is_eks_node:def:1</cpe-dict:check>
-      </cpe-dict:cpe-item>
-    </cpe-dict:cpe-list>
-  </ds:component>
-  <ds:component id="scap_org.open-scap_comp_ssg-eks-xccdf-1.2.xml" timestamp="2022-08-11T18:55:42">
-    <xccdf-1.2:Benchmark id="xccdf_org.ssgproject.content_benchmark_EKS" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.1 xccdf-1.1.4.xsd" style="SCAP_1.2" resolved="true" xml:lang="en-US">
-      <xccdf-1.2:status date="2022-08-11">draft</xccdf-1.2:status>
-      <xccdf-1.2:title>Guide to the Secure Configuration of Amazon Elastic Kubernetes Service</xccdf-1.2:title>
-      <xccdf-1.2:description>This guide presents a catalog of security-relevant
-configuration settings for Amazon Elastic Kubernetes Service. It is a rendering of
-content structured in the eXtensible Configuration Checklist Description Format (XCCDF)
-in order to support security automation.  The SCAP content is
-is available in the <html:code>scap-security-guide</html:code> package which is developed at
-
-    <html:a href="https://www.open-scap.org/security-policies/scap-security-guide">https://www.open-scap.org/security-policies/scap-security-guide</html:a>.
-<html:br/><html:br/>
-Providing system administrators with such guidance informs them how to securely
-configure systems under their control in a variety of network roles. Policy
-makers and baseline creators can use this catalog of settings, with its
-associated references to higher-level security control catalogs, in order to
-assist them in security baseline creation. This guide is a <html:em>catalog, not a
-checklist</html:em>, and satisfaction of every item is not likely to be possible or
-sensible in many operational scenarios. However, the XCCDF format enables
-granular selection and adjustment of settings, and their association with OVAL
-and OCIL content provides an automated checking capability. Transformations of
-this document, and its associated automated checking content, are capable of
-providing baselines that meet a diverse set of policy objectives. Some example
-XCCDF <html:em>Profiles</html:em>, which are selections of items that form checklists and
-can be used as baselines, are available with this guide. They can be
-processed, in an automated fashion, with tools that support the Security
-Content Automation Protocol (SCAP). The NIST National Checklist Program (NCP),
-which provides required settings for the United States Government, is one example
-of a baseline created from this guidance.
-</xccdf-1.2:description>
-      <xccdf-1.2:notice id="terms_of_use">Do not attempt to implement any of the settings in
-this guide without first testing them in a non-operational environment. The
-creators of this guidance assume no responsibility whatsoever for its use by
-other parties, and makes no guarantees, expressed or implied, about its
-quality, reliability, or any other characteristic.
-</xccdf-1.2:notice>
-      <xccdf-1.2:front-matter>The ComplianceAsCode Project<html:br/>
-
-    <html:a href="https://www.open-scap.org/security-policies/scap-security-guide">https://www.open-scap.org/security-policies/scap-security-guide</html:a>
-</xccdf-1.2:front-matter>
-      <xccdf-1.2:rear-matter>Red Hat and Red Hat Enterprise Linux are either registered
-trademarks or trademarks of Red Hat, Inc. in the United States and other
-countries. All other names are registered trademarks or trademarks of their
-respective companies.</xccdf-1.2:rear-matter>
-      <cpe-lang:platform-specification>
-        <cpe-lang:platform id="eks-node">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:fact-ref name="cpe:/o:amazon:elastic_kubernetes_service_node:1"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-      </cpe-lang:platform-specification>
-      <xccdf-1.2:platform idref="cpe:/a:amazon:elastic_kubernetes_service:1"/>
-      <xccdf-1.2:platform idref="cpe:/o:amazon:elastic_kubernetes_service_node:1"/>
-      <xccdf-1.2:platform idref="cpe:/a:amazon:elastic_kubernetes_service_node:1.21"/>
-      <xccdf-1.2:version update="https://github.com/ComplianceAsCode/content/releases/latest">0.1.64</xccdf-1.2:version>
-      <xccdf-1.2:metadata>
-        <dc:publisher>SCAP Security Guide Project</dc:publisher>
-        <dc:creator>SCAP Security Guide Project</dc:creator>
-        <dc:contributor>Frank J Cameron (CAM1244) &lt;cameron@ctc.com&gt;</dc:contributor>
-        <dc:contributor>0x66656c6978 &lt;0x66656c6978@users.noreply.github.com&gt;</dc:contributor>
-        <dc:contributor>H&#xE5;vard F. Aasen &lt;havard.f.aasen@pfft.no&gt;</dc:contributor>
-        <dc:contributor>Jack Adolph &lt;jack.adolph@gmail.com&gt;</dc:contributor>
-        <dc:contributor>Edgar Aguilar &lt;edgar.aguilar@oracle.com&gt;</dc:contributor>
-        <dc:contributor>Gabe Alford &lt;redhatrises@gmail.com&gt;</dc:contributor>
-        <dc:contributor>Firas AlShafei &lt;firas.alshafei@us.abb.com&gt;</dc:contributor>
-        <dc:contributor>Rodrigo Alvares &lt;ralvares@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Christopher Anderson &lt;cba@fedoraproject.org&gt;</dc:contributor>
-        <dc:contributor>angystardust &lt;angystardust@users.noreply.github.com&gt;</dc:contributor>
-        <dc:contributor>anivan-suse &lt;anastasija.ivanovic@suse.com&gt;</dc:contributor>
-        <dc:contributor>anixon-rh &lt;55244503+anixon-rh@users.noreply.github.com&gt;</dc:contributor>
-        <dc:contributor>Ikko Ashimine &lt;eltociear@gmail.com&gt;</dc:contributor>
-        <dc:contributor>Chuck Atkins &lt;chuck.atkins@kitware.com&gt;</dc:contributor>
-        <dc:contributor>ayfantis &lt;ayfantis@localhost.localdomain&gt;</dc:contributor>
-        <dc:contributor>Ryan Ballanger &lt;root@rballang-admin-2.fastenal.com&gt;</dc:contributor>
-        <dc:contributor>Alex Baranowski &lt;alex@euro-linux.com&gt;</dc:contributor>
-        <dc:contributor>Eduardo Barretto &lt;eduardo.barretto@canonical.com&gt;</dc:contributor>
-        <dc:contributor>Molly Jo Bault &lt;Molly.Jo.Bault@ballardtech.com&gt;</dc:contributor>
-        <dc:contributor>Andrew Becker &lt;A-Beck@users.noreply.github.com&gt;</dc:contributor>
-        <dc:contributor>Gabriel Becker &lt;ggasparb@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Alexander Bergmann &lt;abergmann@suse.com&gt;</dc:contributor>
-        <dc:contributor>Dale Bewley &lt;dale@bewley.net&gt;</dc:contributor>
-        <dc:contributor>Jose Luis BG &lt;bgjoseluis@gmail.com&gt;</dc:contributor>
-        <dc:contributor>binyanling &lt;binyanling@uniontech.com&gt;</dc:contributor>
-        <dc:contributor>Joseph Bisch &lt;joseph.bisch@gmail.com&gt;</dc:contributor>
-        <dc:contributor>Jeffrey Blank &lt;blank@eclipse.ncsc.mil&gt;</dc:contributor>
-        <dc:contributor>Olivier Bonhomme &lt;ptitoliv@ptitoliv.net&gt;</dc:contributor>
-        <dc:contributor>Lance Bragstad &lt;lbragstad@gmail.com&gt;</dc:contributor>
-        <dc:contributor>Ted Brunell &lt;tbrunell@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Marcus Burghardt &lt;maburgha@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Matthew Burket &lt;mburket@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Blake Burkhart &lt;blake.burkhart@us.af.mil&gt;</dc:contributor>
-        <dc:contributor>Patrick Callahan &lt;pmc@patrickcallahan.com&gt;</dc:contributor>
-        <dc:contributor>George Campbell &lt;gcampbell@palantir.com&gt;</dc:contributor>
-        <dc:contributor>Nick Carboni &lt;ncarboni@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Carlos &lt;64919342+carlosmmatos@users.noreply.github.com&gt;</dc:contributor>
-        <dc:contributor>James Cassell &lt;james.cassell@ll.mit.edu&gt;</dc:contributor>
-        <dc:contributor>Frank Caviggia &lt;fcaviggi@ra.iad.redhat.com&gt;</dc:contributor>
-        <dc:contributor>Eric Christensen &lt;echriste@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Dan Clark &lt;danclark@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Jayson Cofell &lt;1051437+70k10@users.noreply.github.com&gt;</dc:contributor>
-        <dc:contributor>Caleb Cooper &lt;coopercd@ornl.gov&gt;</dc:contributor>
-        <dc:contributor>Richard Maciel Costa &lt;richard.maciel.costa@canonical.com&gt;</dc:contributor>
-        <dc:contributor>Deric Crago &lt;deric.crago@gmail.com&gt;</dc:contributor>
-        <dc:contributor>crleekwc &lt;crleekwc@gmail.com&gt;</dc:contributor>
-        <dc:contributor>cyarbrough76 &lt;42849651+cyarbrough76@users.noreply.github.com&gt;</dc:contributor>
-        <dc:contributor>Maura Dailey &lt;maura@eclipse.ncsc.mil&gt;</dc:contributor>
-        <dc:contributor>Klaas Demter &lt;demter@atix.de&gt;</dc:contributor>
-        <dc:contributor>dhanushkar-wso2 &lt;dhanushkar@wso2.com&gt;</dc:contributor>
-        <dc:contributor>Andrew DiPrinzio &lt;andrew.diprinzio@jhuapl.edu&gt;</dc:contributor>
-        <dc:contributor>dom &lt;dominique.blaze@devinci.fr&gt;</dc:contributor>
-        <dc:contributor>Jean-Baptiste Donnette &lt;jean-baptiste.donnette@epita.fr&gt;</dc:contributor>
-        <dc:contributor>Marco De Donno &lt;mdedonno1337@gmail.com&gt;</dc:contributor>
-        <dc:contributor>dperrone &lt;dperrone@redhat.com&gt;</dc:contributor>
-        <dc:contributor>drax &lt;applezip@gmail.com&gt;</dc:contributor>
-        <dc:contributor>Sebastian Dunne &lt;sdunne@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Fran&#xE7;ois Duthilleul &lt;francoisduthilleul@gmail.com&gt;</dc:contributor>
-        <dc:contributor>Greg Elin &lt;gregelin@gitmachines.com&gt;</dc:contributor>
-        <dc:contributor>eradot4027 &lt;jrtonmac@gmail.com&gt;</dc:contributor>
-        <dc:contributor>Alexis Facques &lt;alexis.facques@mythalesgroup.io&gt;</dc:contributor>
-        <dc:contributor>Leah Fisher &lt;lfisher047@gmail.com&gt;</dc:contributor>
-        <dc:contributor>Yavor Georgiev &lt;strandjata@gmail.com&gt;</dc:contributor>
-        <dc:contributor>Alijohn Ghassemlouei &lt;alijohn@secureagc.com&gt;</dc:contributor>
-        <dc:contributor>Swarup Ghosh &lt;swghosh@redhat.com&gt;</dc:contributor>
-        <dc:contributor>ghylock &lt;ghylock@gmail.com&gt;</dc:contributor>
-        <dc:contributor>Andrew Gilmore &lt;agilmore2@gmail.com&gt;</dc:contributor>
-        <dc:contributor>Joshua Glemza &lt;jglemza@nasa.gov&gt;</dc:contributor>
-        <dc:contributor>Nick Gompper &lt;forestgomp@yahoo.com&gt;</dc:contributor>
-        <dc:contributor>Loren Gordon &lt;lorengordon@users.noreply.github.com&gt;</dc:contributor>
-        <dc:contributor>Patrik Greco &lt;sikevux@sikevux.se&gt;</dc:contributor>
-        <dc:contributor>Steve Grubb &lt;sgrubb@redhat.com&gt;</dc:contributor>
-        <dc:contributor>guangyee &lt;gyee@suse.com&gt;</dc:contributor>
-        <dc:contributor>Marek Haicman &lt;mhaicman@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Vern Hart &lt;vern.hart@canonical.com&gt;</dc:contributor>
-        <dc:contributor>Alex Haydock &lt;alex@alexhaydock.co.uk&gt;</dc:contributor>
-        <dc:contributor>Rebekah Hayes &lt;rhayes@corp.rivierautilities.com&gt;</dc:contributor>
-        <dc:contributor>Trey Henefield &lt;thenefield@gmail.com&gt;</dc:contributor>
-        <dc:contributor>Henning Henkel &lt;henning.henkel@helvetia.ch&gt;</dc:contributor>
-        <dc:contributor>hex2a &lt;hex2a@users.noreply.github.com&gt;</dc:contributor>
-        <dc:contributor>John Hooks &lt;jhooks@starscream.pa.jhbcomputers.com&gt;</dc:contributor>
-        <dc:contributor>Jakub Hrozek &lt;jhrozek@redhat.com&gt;</dc:contributor>
-        <dc:contributor>De Huo &lt;De.Huo@windriver.com&gt;</dc:contributor>
-        <dc:contributor>Robin Price II &lt;robin@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Yasir Imam &lt;yimam@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Jiri Jaburek &lt;jjaburek@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Keith Jackson &lt;keithkjackson@gmail.com&gt;</dc:contributor>
-        <dc:contributor>Jeremiah Jahn &lt;jeremiah@goodinassociates.com&gt;</dc:contributor>
-        <dc:contributor>Jakub Jelen &lt;jjelen@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Jessicahfy &lt;Jessicahfy@users.noreply.github.com&gt;</dc:contributor>
-        <dc:contributor>Stephan Joerrens &lt;Stephan.Joerrens@fiduciagad.de&gt;</dc:contributor>
-        <dc:contributor>Hunter Jones &lt;hjones2199@gmail.com&gt;</dc:contributor>
-        <dc:contributor>Jono &lt;jono@ubuntu-18.localdomain&gt;</dc:contributor>
-        <dc:contributor>justchris1 &lt;justchris1@justchris1.email&gt;</dc:contributor>
-        <dc:contributor>Kai Kang &lt;kai.kang@windriver.com&gt;</dc:contributor>
-        <dc:contributor>Charles Kernstock &lt;charles.kernstock@ultra-ats.com&gt;</dc:contributor>
-        <dc:contributor>Yuli Khodorkovskiy &lt;ykhodorkovskiy@tresys.com&gt;</dc:contributor>
-        <dc:contributor>Sherine Khoury &lt;skhoury@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Nathan Kinder &lt;nkinder@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Lee Kinser &lt;lee.kinser@gmail.com&gt;</dc:contributor>
-        <dc:contributor>Evgeny Kolesnikov &lt;ekolesni@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Peter 'Pessoft' Kol&#xED;nek &lt;github@pessoft.com&gt;</dc:contributor>
-        <dc:contributor>Luke Kordell &lt;luke.t.kordell@lmco.com&gt;</dc:contributor>
-        <dc:contributor>Malte Kraus &lt;malte.kraus@suse.com&gt;</dc:contributor>
-        <dc:contributor>Seth Kress &lt;seth.kress@dsainc.com&gt;</dc:contributor>
-        <dc:contributor>Felix Krohn &lt;felix.krohn@helvetia.ch&gt;</dc:contributor>
-        <dc:contributor>kspargur &lt;kspargur@kspargur.csb&gt;</dc:contributor>
-        <dc:contributor>Amit Kumar &lt;amitkuma@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Fen Labalme &lt;fen@civicactions.com&gt;</dc:contributor>
-        <dc:contributor>Ade Lee &lt;alee@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Christopher Lee &lt;Crleekwc@gmail.com&gt;</dc:contributor>
-        <dc:contributor>Ian Lee &lt;lee1001@llnl.gov&gt;</dc:contributor>
-        <dc:contributor>Jarrett Lee &lt;jarrettl@umd.edu&gt;</dc:contributor>
-        <dc:contributor>Joseph Lenox &lt;joseph.lenox@collins.com&gt;</dc:contributor>
-        <dc:contributor>Jan Lieskovsky &lt;jlieskov@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Markus Linnala &lt;Markus.Linnala@knowit.fi&gt;</dc:contributor>
-        <dc:contributor>&#x160;imon Luka&#x161;&#xED;k &lt;slukasik@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Milan Lysonek &lt;mlysonek@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Fredrik Lys&#xE9;n &lt;fredrik@pipemore.se&gt;</dc:contributor>
-        <dc:contributor>Caitlin Macleod &lt;caitelatte@gmail.com&gt;</dc:contributor>
-        <dc:contributor>Nick Maludy &lt;nmaludy@gmail.com&gt;</dc:contributor>
-        <dc:contributor>Lokesh Mandvekar &lt;lsm5@fedoraproject.org&gt;</dc:contributor>
-        <dc:contributor>Matus Marhefka &lt;mmarhefk@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Jamie Lorwey Martin &lt;jlmartin@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Carlos Matos &lt;cmatos@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Robert McAllister &lt;rmcallis@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Karen McCarron &lt;kmccarro@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Michael McConachie &lt;michael@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Marcus Meissner &lt;meissner@suse.de&gt;</dc:contributor>
-        <dc:contributor>Khary Mendez &lt;kmendez@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Rodney Mercer &lt;rmercer@harris.com&gt;</dc:contributor>
-        <dc:contributor>mgjadoul &lt;mgjadoul@laptomatic.auth-o-matic.corp&gt;</dc:contributor>
-        <dc:contributor>Matt Micene &lt;nzwulfin@gmail.com&gt;</dc:contributor>
-        <dc:contributor>Brian Millett &lt;bmillett@gmail.com&gt;</dc:contributor>
-        <dc:contributor>Takuya Mishina &lt;tmishina@jp.ibm.com&gt;</dc:contributor>
-        <dc:contributor>Mixer9 &lt;35545791+Mixer9@users.noreply.github.com&gt;</dc:contributor>
-        <dc:contributor>mmosel &lt;mmosel@kde.example.com&gt;</dc:contributor>
-        <dc:contributor>Zbynek Moravec &lt;zmoravec@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Kazuo Moriwaka &lt;moriwaka@users.noreply.github.com&gt;</dc:contributor>
-        <dc:contributor>Michael Moseley &lt;michael@eclipse.ncsc.mil&gt;</dc:contributor>
-        <dc:contributor>Renaud M&#xE9;trich &lt;rmetrich@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Joe Nall &lt;joe@nall.com&gt;</dc:contributor>
-        <dc:contributor>Neiloy &lt;neiloy@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Axel Nennker &lt;axel@nennker.de&gt;</dc:contributor>
-        <dc:contributor>Michele Newman &lt;mnewman@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Sean O'Keeffe &lt;seanokeeffe797@gmail.com&gt;</dc:contributor>
-        <dc:contributor>Jiri Odehnal &lt;jodehnal@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Ilya Okomin &lt;ilya.okomin@oracle.com&gt;</dc:contributor>
-        <dc:contributor>Kaustubh Padegaonkar &lt;theTuxRacer@gmail.com&gt;</dc:contributor>
-        <dc:contributor>Michael Palmiotto &lt;mpalmiotto@tresys.com&gt;</dc:contributor>
-        <dc:contributor>Eryx Paredes &lt;eryxp@lyft.com&gt;</dc:contributor>
-        <dc:contributor>Max R.D. Parmer &lt;maxp@trystero.is&gt;</dc:contributor>
-        <dc:contributor>Arnaud Patard &lt;apatard@hupstream.com&gt;</dc:contributor>
-        <dc:contributor>Jan Pazdziora &lt;jpazdziora@redhat.com&gt;</dc:contributor>
-        <dc:contributor>pcactr &lt;paul.c.arnold4.ctr@mail.mil&gt;</dc:contributor>
-        <dc:contributor>Kenneth Peeples &lt;kennethwpeeples@gmail.com&gt;</dc:contributor>
-        <dc:contributor>Nathan Peters &lt;Nathaniel.Peters@ca.com&gt;</dc:contributor>
-        <dc:contributor>Frank Lin PIAT &lt;fpiat@klabs.be&gt;</dc:contributor>
-        <dc:contributor>Stefan Pietsch &lt;mail.ipv4v6+gh@gmail.com&gt;</dc:contributor>
-        <dc:contributor>piggyvenus &lt;piggyvenus@gmail.com&gt;</dc:contributor>
-        <dc:contributor>Vojtech Polasek &lt;vpolasek@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Orion Poplawski &lt;orion@nwra.com&gt;</dc:contributor>
-        <dc:contributor>Nick Poyant &lt;npoyant@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Martin Preisler &lt;mpreisle@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Wesley Ceraso Prudencio &lt;wcerasop@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Raphael Sanchez Prudencio &lt;rsprudencio@redhat.com&gt;</dc:contributor>
-        <dc:contributor>T.O. Radzy Radzykewycz &lt;radzy@windriver.com&gt;</dc:contributor>
-        <dc:contributor>Kenyon Ralph &lt;kenyon@kenyonralph.com&gt;</dc:contributor>
-        <dc:contributor>Mike Ralph &lt;mralph@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Federico Ramirez &lt;federico.r.ramirez@oracle.com&gt;</dc:contributor>
-        <dc:contributor>rchikov &lt;rumen.chikov@suse.com&gt;</dc:contributor>
-        <dc:contributor>Rick Renshaw &lt;Richard_Renshaw@xtoenergy.com&gt;</dc:contributor>
-        <dc:contributor>Chris Reynolds &lt;c.reynolds82@gmail.com&gt;</dc:contributor>
-        <dc:contributor>rhayes &lt;rhayes@rivierautilities.com&gt;</dc:contributor>
-        <dc:contributor>Pat Riehecky &lt;riehecky@fnal.gov&gt;</dc:contributor>
-        <dc:contributor>rlucente-se-jboss &lt;rlucente@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Juan Antonio Osorio Robles &lt;juan.osoriorobles@eu.equinix.com&gt;</dc:contributor>
-        <dc:contributor>Matt Rogers &lt;mrogers@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Jesse Roland &lt;jesse.roland@onyxpoint.com&gt;</dc:contributor>
-        <dc:contributor>Joshua Roys &lt;roysjosh@gmail.com&gt;</dc:contributor>
-        <dc:contributor>rrenshaw &lt;bofh69@yahoo.com&gt;</dc:contributor>
-        <dc:contributor>Chris Ruffalo &lt;chris.ruffalo@gmail.com&gt;</dc:contributor>
-        <dc:contributor>rumch-se &lt;77793453+rumch-se@users.noreply.github.com&gt;</dc:contributor>
-        <dc:contributor>Ray Shaw (Cont ARL/CISD) rvshaw &lt;rvshaw@esme.arl.army.mil&gt;</dc:contributor>
-        <dc:contributor>Earl Sampson &lt;ESampson@suse.com&gt;</dc:contributor>
-        <dc:contributor>sampsone &lt;esampson@suse.com&gt;</dc:contributor>
-        <dc:contributor>Willy Santos &lt;wsantos@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Nagarjuna Sarvepalli &lt;snagarju@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Anderson Sasaki &lt;33833274+ansasaki@users.noreply.github.com&gt;</dc:contributor>
-        <dc:contributor>Gautam Satish &lt;gautams@hpe.com&gt;</dc:contributor>
-        <dc:contributor>Watson Sato &lt;wsato@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Satoru SATOH &lt;satoru.satoh@gmail.com&gt;</dc:contributor>
-        <dc:contributor>Alexander Scheel &lt;ascheel@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Bryan Schneiders &lt;pschneiders@trisept.com&gt;</dc:contributor>
-        <dc:contributor>shaneboulden &lt;shane.boulden@gmail.com&gt;</dc:contributor>
-        <dc:contributor>Vincent Shen &lt;47534281+Vincent056@users.noreply.github.com&gt;</dc:contributor>
-        <dc:contributor>Dhriti Shikhar &lt;dhriti.shikhar.rokz@gmail.com&gt;</dc:contributor>
-        <dc:contributor>Spencer Shimko &lt;sshimko@tresys.com&gt;</dc:contributor>
-        <dc:contributor>Mark Shoger &lt;mshoger@redhat.com&gt;</dc:contributor>
-        <dc:contributor>THOBY Simon &lt;Simon.THOBY@viveris.fr&gt;</dc:contributor>
-        <dc:contributor>Thomas Sj&#xF6;gren &lt;konstruktoid@users.noreply.github.com&gt;</dc:contributor>
-        <dc:contributor>Francisco Slavin &lt;fslavin@tresys.com&gt;</dc:contributor>
-        <dc:contributor>David Smith &lt;dsmith@eclipse.ncsc.mil&gt;</dc:contributor>
-        <dc:contributor>Kevin Spargur &lt;kspargur@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Kenneth Stailey &lt;kstailey.lists@gmail.com&gt;</dc:contributor>
-        <dc:contributor>Leland Steinke &lt;leland.j.steinke.ctr@mail.mil&gt;</dc:contributor>
-        <dc:contributor>Justin Stephenson &lt;jstephen@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Brian Stinson &lt;brian@bstinson.com&gt;</dc:contributor>
-        <dc:contributor>Jake Stookey &lt;jakestookey@gmail.com&gt;</dc:contributor>
-        <dc:contributor>Jonathan Sturges &lt;jsturges@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Ian Tewksbury &lt;itewk@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Philippe Thierry &lt;phil@reseau-libre.net&gt;</dc:contributor>
-        <dc:contributor>Derek Thurston &lt;thegrit@gmail.com&gt;</dc:contributor>
-        <dc:contributor>tianzhenjia &lt;jiatianzhen@cmss.chinamobile.com&gt;</dc:contributor>
-        <dc:contributor>Greg Tinsley &lt;gtinsley@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Paul Tittle &lt;ptittle@cmf.nrl.navy.mil&gt;</dc:contributor>
-        <dc:contributor>tom &lt;tom@localhost.localdomain&gt;</dc:contributor>
-        <dc:contributor>tomas.hudik &lt;tomas.hudik@embedit.cz&gt;</dc:contributor>
-        <dc:contributor>Jeb Trayer &lt;jeb.d.trayer@uscg.mil&gt;</dc:contributor>
-        <dc:contributor>TrilokGeer &lt;tgeer@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Viktors Trubovics &lt;viktors.trubovics@suse.com&gt;</dc:contributor>
-        <dc:contributor>Nico Truzzolino &lt;nico.truzzolino@gmx.de&gt;</dc:contributor>
-        <dc:contributor>Brian Turek &lt;brian.turek@gmail.com&gt;</dc:contributor>
-        <dc:contributor>Mat&#x11B;j T&#xFD;&#x10D; &lt;matyc@redhat.com&gt;</dc:contributor>
-        <dc:contributor>VadimDor &lt;29509093+VadimDor@users.noreply.github.com&gt;</dc:contributor>
-        <dc:contributor>Trevor Vaughan &lt;tvaughan@onyxpoint.com&gt;</dc:contributor>
-        <dc:contributor>vtrubovics &lt;82443408+vtrubovics@users.noreply.github.com&gt;</dc:contributor>
-        <dc:contributor>Samuel Warren &lt;swarren@redhat.com&gt;</dc:contributor>
-        <dc:contributor>wcushen &lt;54533890+wcushen@users.noreply.github.com&gt;</dc:contributor>
-        <dc:contributor>Shawn Wells &lt;shawn@shawndwells.io&gt;</dc:contributor>
-        <dc:contributor>Daniel E. White &lt;linuxdan@users.noreply.github.com&gt;</dc:contributor>
-        <dc:contributor>Bernhard M. Wiedemann &lt;bwiedemann@suse.de&gt;</dc:contributor>
-        <dc:contributor>Roy Williams &lt;roywilli@roywilli.redhat.com&gt;</dc:contributor>
-        <dc:contributor>Willumpie &lt;willumpie@xs4all.nl&gt;</dc:contributor>
-        <dc:contributor>Rob Wilmoth &lt;rwilmoth@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Lucas Yamanishi &lt;lucas.yamanishi@onyxpoint.com&gt;</dc:contributor>
-        <dc:contributor>Xirui Yang &lt;xirui.yang@oracle.com&gt;</dc:contributor>
-        <dc:contributor>yarunachalam &lt;yarunachalam@suse.com&gt;</dc:contributor>
-        <dc:contributor>Guang Yee &lt;guang.yee@suse.com&gt;</dc:contributor>
-        <dc:contributor>Achilleas John Yfantis &lt;ayfantis@redhat.com&gt;</dc:contributor>
-        <dc:contributor>YiLin.Li &lt;YiLin.Li@linux.alibaba.com&gt;</dc:contributor>
-        <dc:contributor>YuQing &lt;yyq0391@163.com&gt;</dc:contributor>
-        <dc:contributor>Kevin Zimmerman &lt;kevin.zimmerman@kitware.com&gt;</dc:contributor>
-        <dc:contributor>Luigi Mario Zuccarelli &lt;luzuccar@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Jan &#x10C;ern&#xFD; &lt;jcerny@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Michal &#x160;ruba&#x159; &lt;msrubar@redhat.com&gt;</dc:contributor>
-        <dc:source>https://github.com/ComplianceAsCode/content/releases/latest</dc:source>
-      </xccdf-1.2:metadata>
-      <xccdf-1.2:Profile id="xccdf_org.ssgproject.content_profile_cis-node">
-        <xccdf-1.2:title override="true">CIS Amazon Elastic Kubernetes Service (EKS) Benchmark - Node</xccdf-1.2:title>
-        <xccdf-1.2:description override="true">This profile defines a baseline that aligns to the Center for Internet Security&#xAE;
-Amazon Elastic Kubernetes Service (EKS) Benchmark&#x2122;, V1.0.1.
-
-This profile includes Center for Internet Security&#xAE;
-Amazon Elastic Kubernetes Service (EKS)&#x2122; content.
-
-This profile is applicable to EKS 1.21 and greater.</xccdf-1.2:description>
-        <xccdf-1.2:platform idref="cpe:/o:amazon:elastic_kubernetes_service_node:1"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_groupowner_kubelet_conf" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_groupowner_worker_kubeconfig" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_owner_kubelet_conf" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_owner_worker_kubeconfig" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_kubelet_conf" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_worker_kubeconfig" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_disable_hostname_override" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_enable_client_cert_rotation" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_enable_iptables_util_chains" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_enable_protect_kernel_defaults" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_general-principles" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-least-privilege" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-separate-servers" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-use-security-tools" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_how-to-use" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-formatting-conventions" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-read-sections-completely" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-reboot-required" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-root-shell-assumed" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-test-non-production" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_accounts" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_authentication" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_general" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_logging" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_networking" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_registry" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_secrets" selected="false"/>
-      </xccdf-1.2:Profile>
-      <xccdf-1.2:Profile id="xccdf_org.ssgproject.content_profile_cis">
-        <xccdf-1.2:title override="true">CIS Amazon Elastic Kubernetes Service Benchmark - Platform</xccdf-1.2:title>
-        <xccdf-1.2:description override="true">This profile defines a baseline that aligns to the Center for Internet Security&#xAE;
-Amazon Elastic Kubernetes Service (EKS) Benchmark&#x2122;, V1.0.1.
-
-This profile includes Center for Internet Security&#xAE;
-Amazon Elastic Kubernetes Service (EKS)&#x2122; content.
-
-This profile is applicable to EKS 1.21 and greater.</xccdf-1.2:description>
-        <xccdf-1.2:platform idref="cpe:/a:amazon:elastic_kubernetes_service:1"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_approved_registries" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_logging" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_configure_network_policies_namespaces" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_configure_network_policy" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_configure_tls" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_control_plane_access" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_dedicated_service_accounts" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_endpoint_configuration" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_fargate" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_iam_integration" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_image_scanning" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_private_nodes" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_read_only_registry_access" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_registry_access" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_secret_encryption" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_general-principles" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-least-privilege" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-separate-servers" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-use-security-tools" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_how-to-use" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-formatting-conventions" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-read-sections-completely" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-reboot-required" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-root-shell-assumed" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-test-non-production" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_kubelet" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_worker" selected="false"/>
-      </xccdf-1.2:Profile>
-      <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_intro">
-        <xccdf-1.2:title>Introduction</xccdf-1.2:title>
-        <xccdf-1.2:description>The purpose of this guidance is to provide security configuration
-recommendations and baselines for Amazon Elastic Kubernetes Service.
-The guide is intended for system and/or application administrators. Readers are assumed to
-possess basic system administration skills for the application's operating systems, as well
-as some familiarity with the product's documentation and administration
-conventions. Some instructions within this guide are complex.
-All directions should be followed completely and with understanding of
-their effects in order to avoid serious adverse effects on the system
-and its security.</xccdf-1.2:description>
-        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_general-principles">
-          <xccdf-1.2:title>General Principles</xccdf-1.2:title>
-          <xccdf-1.2:description>The following general principles motivate much of the advice in this
-guide and should also influence any configuration decisions that are
-not explicitly covered.</xccdf-1.2:description>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data">
-            <xccdf-1.2:title>Encrypt Transmitted Data Whenever Possible</xccdf-1.2:title>
-            <xccdf-1.2:description>Data transmitted over a network, whether wired or wireless, is susceptible
-to passive monitoring. Whenever practical solutions for encrypting
-such data exist, they should be applied. Even if data is expected to
-be transmitted only over a local network, it should still be encrypted.
-Encrypting authentication data, such as passwords, is particularly
-important. Networks of Amazon Elastic Kubernetes Service machines can and should be configured
-so that no unencrypted authentication data is ever transmitted between
-machines.</xccdf-1.2:description>
-          </xccdf-1.2:Group>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_principle-least-privilege">
-            <xccdf-1.2:title>Least Privilege</xccdf-1.2:title>
-            <xccdf-1.2:description>Grant the least privilege necessary for user accounts and software to perform tasks.
-For example, <html:code>sudo</html:code> can be implemented to limit authorization to super user
-accounts on the system only to designated personnel. Another example is to limit
-logins on server systems to only those administrators who need to log into them in
-order to perform administration tasks.</xccdf-1.2:description>
-          </xccdf-1.2:Group>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_principle-separate-servers">
-            <xccdf-1.2:title>Run Different Network Services on Separate Systems</xccdf-1.2:title>
-            <xccdf-1.2:description>Whenever possible, a server should be dedicated to serving exactly one
-network service. This limits the number of other services that can
-be compromised in the event that an attacker is able to successfully
-exploit a software flaw in one network service.</xccdf-1.2:description>
-          </xccdf-1.2:Group>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_principle-use-security-tools">
-            <xccdf-1.2:title>Configure Security Tools to Improve System Robustness</xccdf-1.2:title>
-            <xccdf-1.2:description>Several tools exist which can be effectively used to improve a system's
-resistance to and detection of unknown attacks. These tools can improve
-robustness against attack at the cost of relatively little configuration
-effort.</xccdf-1.2:description>
-          </xccdf-1.2:Group>
-        </xccdf-1.2:Group>
-        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_how-to-use">
-          <xccdf-1.2:title>How to Use This Guide</xccdf-1.2:title>
-          <xccdf-1.2:description>Readers should heed the following points when using the guide.</xccdf-1.2:description>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_intro-formatting-conventions">
-            <xccdf-1.2:title>Formatting Conventions</xccdf-1.2:title>
-            <xccdf-1.2:description>Commands intended for shell execution, as well as configuration file text,
-are featured in a <html:code>monospace font</html:code>. <html:i>Italics</html:i> are used
-to indicate instances where the system administrator must substitute
-the appropriate information into a command or configuration file.</xccdf-1.2:description>
-          </xccdf-1.2:Group>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_intro-read-sections-completely">
-            <xccdf-1.2:title>Read Sections Completely and in Order</xccdf-1.2:title>
-            <xccdf-1.2:description>Each section may build on information and recommendations discussed in
-prior sections. Each section should be read and understood completely;
-instructions should never be blindly applied. Relevant discussion may
-occur after instructions for an action.</xccdf-1.2:description>
-          </xccdf-1.2:Group>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_intro-reboot-required">
-            <xccdf-1.2:title>Reboot Required</xccdf-1.2:title>
-            <xccdf-1.2:description>A system or service reboot is implicitly required after some actions in order to
-complete the reconfiguration of the system. In many cases, the changes
-will not take effect until a reboot is performed. In order to ensure
-that changes are applied properly and to test functionality, always
-reboot the system after applying a set of recommendations from this guide.</xccdf-1.2:description>
-          </xccdf-1.2:Group>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_intro-root-shell-assumed">
-            <xccdf-1.2:title>Root Shell Environment Assumed</xccdf-1.2:title>
-            <xccdf-1.2:description>Most of the actions listed in this document are written with the
-assumption that they will be executed by the root user running the
-<html:code>/bin/bash</html:code> shell. Commands preceded with a hash mark (#)
-assume that the administrator will execute the commands as root, i.e.
-apply the command via <html:code>sudo</html:code> whenever possible, or use
-<html:code>su</html:code> to gain root privileges if <html:code>sudo</html:code> cannot be
-used. Commands which can be executed as a non-root user are are preceded
-by a dollar sign ($) prompt.</xccdf-1.2:description>
-          </xccdf-1.2:Group>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_intro-test-non-production">
-            <xccdf-1.2:title>Test in Non-Production Environment</xccdf-1.2:title>
-            <xccdf-1.2:description>This guidance should always be tested in a non-production environment
-before deployment. This test environment should simulate the setup in
-which the system will be deployed as closely as possible.</xccdf-1.2:description>
-          </xccdf-1.2:Group>
-        </xccdf-1.2:Group>
-      </xccdf-1.2:Group>
-      <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_openshift">
-        <xccdf-1.2:title>Kubernetes Settings</xccdf-1.2:title>
-        <xccdf-1.2:description>Each section of this configuration guide includes information about the
-configuration of a Kubernetes cluster and a set of recommendations for
-hardening the configuration. For each hardening recommendation, information
-on how to implement the control and/or how to verify or audit the control
-is provided. In some cases, remediation information is also provided.
-
-Some of the settings in the hardening guide are in place by default. The
-audit information for these settings is provided in order to verify that
-the cluster admininstrator has not made changes that would be less secure.
-A small number of items require configuration.
-
-Finally, there are some recommendations that require decisions by the
-system operator, such as audit log size, retention, and related settings.</xccdf-1.2:description>
-        <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_ocp_data_root" type="string">
-          <xccdf-1.2:title>Root of files obtained from OCP nodes</xccdf-1.2:title>
-          <xccdf-1.2:description>When scanning OpenShift clusters, some settings are not exposed as files.
-In the case that they are exported from the cluster (typically as yaml files),
-this variable determines the directory where they will end up.</xccdf-1.2:description>
-          <xccdf-1.2:value>/kubernetes-api-resources</xccdf-1.2:value>
-        </xccdf-1.2:Value>
-        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_accounts">
-          <xccdf-1.2:title>Kubernetes - Account and Access Control</xccdf-1.2:title>
-          <xccdf-1.2:description>In traditional Unix security, if an attacker gains
-shell access to a certain login account, they can perform any action
-or access any file to which that account has access. The same
-idea applies to cloud technology such as Kubernetes. Therefore,
-making it more difficult for unauthorized people to gain shell
-access to accounts, particularly to privileged accounts, is a
-necessary part of securing a system. This section introduces
-mechanisms for restricting access to accounts under
-Kubernetes.</xccdf-1.2:description>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_dedicated_service_accounts" severity="unknown">
-            <xccdf-1.2:title>Use Dedicated Service Accounts</xccdf-1.2:title>
-            <xccdf-1.2:description>Kubernetes workloads should not use cluster node service accounts to
-authenticate to Amazon EKS APIs. Each Kubernetes workload that needs to
-authenticate to other AWS services using AWS IAM should be provisioned with a
-dedicated Service account.</xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">5.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Manual approaches for authenticating Kubernetes workloads running on Amazon
-EKS against AWS APIs are: storing service account keys as a Kubernetes secret
-(which introduces manual key rotation and potential for key compromise); or
-use of the underlying nodes' IAM Service account, which violates the
-principle of least privilege on a multi-tenanted node, when one pod needs
-to have access to a service, but every other pod on the node that uses the
-Service account does not.</xccdf-1.2:rationale>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-87818-1</xccdf-1.2:ident>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-eks-ocil.xml" name="ocil:ssg-dedicated_service_accounts_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-        </xccdf-1.2:Group>
-        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_authentication">
-          <xccdf-1.2:title>Authentication</xccdf-1.2:title>
-          <xccdf-1.2:description>In cloud workloads, there are many ways to create and configure
-to multiple authentication services. Some of these authentication
-methods by not be secure or common methodologies, or they may not
-be secure by default. This section introduces mechanisms for
-configuring authentication systems Kubernetes.</xccdf-1.2:description>
-          <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_oauth_inactivity_timeout" type="string">
-            <xccdf-1.2:title>OAuth Token Inactivity Timeout</xccdf-1.2:title>
-            <xccdf-1.2:description>Enter OAuth Token Inactivity Timeout</xccdf-1.2:description>
-            <xccdf-1.2:value selector="10m0s">10m0s</xccdf-1.2:value>
-            <xccdf-1.2:value>10m0s</xccdf-1.2:value>
-          </xccdf-1.2:Value>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_iam_integration" severity="unknown">
-            <xccdf-1.2:title>Manage Users with AWS IAM</xccdf-1.2:title>
-            <xccdf-1.2:description>Amazon EKS uses IAM to provide authentication to your Kubernetes cluster
-through the AWS IAM Authenticator for Kubernetes. You can configure the stock
-kubectl client to work with Amazon EKS by installing the AWS IAM
-Authenticator for Kubernetes and modifying your kubectl configuration file to
-use it for authentication.</xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">5.5.1</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>On- and off-boarding users is often difficult to automate and prone to error.
-Using a single source of truth for user permissions reduces the number of
-locations that an individual must be off-boarded from, and prevents users
-gaining unique permissions sets that increase the cost of audit.</xccdf-1.2:rationale>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-86301-9</xccdf-1.2:ident>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-eks-ocil.xml" name="ocil:ssg-iam_integration_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-        </xccdf-1.2:Group>
-        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_general">
-          <xccdf-1.2:title>Kubernetes - General Security Practices</xccdf-1.2:title>
-          <xccdf-1.2:description>Contains evaluations for general security practices for operating a Kubernetes environment.</xccdf-1.2:description>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_fargate" severity="unknown">
-            <xccdf-1.2:title>Consider Fargate for Untrusted Workloads</xccdf-1.2:title>
-            <xccdf-1.2:description>It is Best Practice to restrict or fence untrusted workloads when running in
-a multi-tenant environment.</xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">5.6.1</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>AWS Fargate is a technology that provides on-demand, right-sized compute
-capacity for containers. With AWS Fargate, you no longer have to provision,
-configure, or scale groups of virtual machines to run containers. This
-removes the need to choose server types, decide when to scale your node
-groups, or optimize cluster packing.
-
-You can control which pods start on Fargate and how they run with Fargate
-profiles, which are defined as part of your Amazon EKS cluster.
-
-Amazon EKS integrates Kubernetes with AWS Fargate by using controllers that
-are built by AWS using the upstream, extensible model provided by Kubernetes.
-These controllers run as part of the Amazon EKS managed Kubernetes control
-plane and are responsible for scheduling native Kubernetes pods onto Fargate.
-The Fargate controllers include a new scheduler that runs alongside the
-default Kubernetes scheduler in addition to several mutating and validating
-admission controllers. When you start a pod that meets the criteria for
-running on Fargate, the Fargate controllers running in the cluster recognize,
-update, and schedule the pod onto Fargate.
-
-Each pod running on Fargate has its own isolation boundary and does not share
-the underlying kernel, CPU resources, memory resources, or elastic network
-interface with another pod.</xccdf-1.2:rationale>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-89091-3</xccdf-1.2:ident>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-eks-ocil.xml" name="ocil:ssg-fargate_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-        </xccdf-1.2:Group>
-        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_kubelet">
-          <xccdf-1.2:title>Kubernetes Kubelet Settings</xccdf-1.2:title>
-          <xccdf-1.2:description>The Kubernetes Kubelet is an agent that runs on each node in the cluster. It
-makes sure that containers are running in a pod.
-
-The kubelet takes a set of PodSpecs that are provided through various
-mechanisms and ensures that the containers described in those PodSpecs are
-running and healthy. The kubelet doesn&#x2019;t manage containers which were not
-created by Kubernetes.</xccdf-1.2:description>
-          <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_event_record_qps" type="number">
-            <xccdf-1.2:title>Configure Kubelet Event Limit</xccdf-1.2:title>
-            <xccdf-1.2:description>Maximum event creations per second.</xccdf-1.2:description>
-            <xccdf-1.2:value>5</xccdf-1.2:value>
-          </xccdf-1.2:Value>
-          <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_kube_authorization_mode" type="string">
-            <xccdf-1.2:title>kubelet - Authorization Options</xccdf-1.2:title>
-            <xccdf-1.2:description>ABAC - Attribute-Based Access Control (ABAC) mode allows you to configure policies using local files.
-<html:br/>RBAC - Role-based access control (RBAC) mode allows you to create and store policies using the Kubernetes API.
-<html:br/>Webhook - WebHook is an HTTP callback mode that allows you to manage authorization using a remote REST endpoint.
-<html:br/>Node Node - authorization is a special-purpose authorization mode that specifically authorizes API requests made by kubelets.
-<html:br/>AlwaysDeny - This flag blocks all requests. Use this flag only for testing.</xccdf-1.2:description>
-            <xccdf-1.2:value>Webhook</xccdf-1.2:value>
-            <xccdf-1.2:value selector="abac">ABAC</xccdf-1.2:value>
-            <xccdf-1.2:value selector="rbac">RBAC</xccdf-1.2:value>
-            <xccdf-1.2:value selector="webhook">Webhook</xccdf-1.2:value>
-            <xccdf-1.2:value selector="node">Node</xccdf-1.2:value>
-            <xccdf-1.2:value selector="alwaysdeny">AlwaysDeny</xccdf-1.2:value>
-          </xccdf-1.2:Value>
-          <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_kubelet_evictionhard_imagefs_available" type="string">
-            <xccdf-1.2:title>Configure Kubelet EvictonHard Image FS Avilable</xccdf-1.2:title>
-            <xccdf-1.2:description>Image FS Available for the EvictonHard threshold to trigger.</xccdf-1.2:description>
-            <xccdf-1.2:value>10%</xccdf-1.2:value>
-            <xccdf-1.2:value selector="5pc">5%</xccdf-1.2:value>
-            <xccdf-1.2:value selector="10pc">10%</xccdf-1.2:value>
-            <xccdf-1.2:value selector="15pc">15%</xccdf-1.2:value>
-            <xccdf-1.2:value selector="20pc">20%</xccdf-1.2:value>
-          </xccdf-1.2:Value>
-          <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_kubelet_evictionhard_imagefs_inodesfree" type="string">
-            <xccdf-1.2:title>Configure Kubelet EvictonHard Image FS inodes Free</xccdf-1.2:title>
-            <xccdf-1.2:description>Image FS inodes Free for the EvictonHard threshold to trigger.</xccdf-1.2:description>
-            <xccdf-1.2:value>5%</xccdf-1.2:value>
-            <xccdf-1.2:value selector="5pc">5%</xccdf-1.2:value>
-            <xccdf-1.2:value selector="10pc">10%</xccdf-1.2:value>
-            <xccdf-1.2:value selector="15pc">15%</xccdf-1.2:value>
-            <xccdf-1.2:value selector="20pc">20%</xccdf-1.2:value>
-          </xccdf-1.2:Value>
-          <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_kubelet_evictionhard_memory_available" type="string">
-            <xccdf-1.2:title>Configure Kubelet EvictonHard Memory Avilable</xccdf-1.2:title>
-            <xccdf-1.2:description>Memory Available for the EvictonHard threshold to trigger.</xccdf-1.2:description>
-            <xccdf-1.2:value>200Mi</xccdf-1.2:value>
-          </xccdf-1.2:Value>
-          <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_kubelet_evictionhard_nodefs_available" type="string">
-            <xccdf-1.2:title>Configure Kubelet EvictonHard NodeFS Available</xccdf-1.2:title>
-            <xccdf-1.2:description>Node FS Available for the EvictonHard threshold to trigger.</xccdf-1.2:description>
-            <xccdf-1.2:value>5%</xccdf-1.2:value>
-            <xccdf-1.2:value selector="5pc">5%</xccdf-1.2:value>
-            <xccdf-1.2:value selector="10pc">10%</xccdf-1.2:value>
-            <xccdf-1.2:value selector="15pc">15%</xccdf-1.2:value>
-            <xccdf-1.2:value selector="20pc">20%</xccdf-1.2:value>
-          </xccdf-1.2:Value>
-          <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_kubelet_evictionhard_nodefs_inodesfree" type="string">
-            <xccdf-1.2:title>Configure Kubelet EvictonHard Node FS inodes Free</xccdf-1.2:title>
-            <xccdf-1.2:description>Node FS inodes Free for the EvictonHard threshold to trigger.</xccdf-1.2:description>
-            <xccdf-1.2:value>4%</xccdf-1.2:value>
-            <xccdf-1.2:value selector="4pc">4%</xccdf-1.2:value>
-            <xccdf-1.2:value selector="5pc">5%</xccdf-1.2:value>
-            <xccdf-1.2:value selector="10pc">10%</xccdf-1.2:value>
-            <xccdf-1.2:value selector="15pc">15%</xccdf-1.2:value>
-            <xccdf-1.2:value selector="20pc">20%</xccdf-1.2:value>
-          </xccdf-1.2:Value>
-          <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_kubelet_evictionsoft_imagefs_available" type="string">
-            <xccdf-1.2:title>Configure Kubelet EvictionSoft Image FS Avilable</xccdf-1.2:title>
-            <xccdf-1.2:description>Image FS Available for the EvictionSoft threshold to trigger.</xccdf-1.2:description>
-            <xccdf-1.2:value>15%</xccdf-1.2:value>
-            <xccdf-1.2:value selector="5pc">5%</xccdf-1.2:value>
-            <xccdf-1.2:value selector="10pc">10%</xccdf-1.2:value>
-            <xccdf-1.2:value selector="15pc">15%</xccdf-1.2:value>
-            <xccdf-1.2:value selector="20pc">20%</xccdf-1.2:value>
-          </xccdf-1.2:Value>
-          <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_kubelet_evictionsoft_imagefs_inodesfree" type="string">
-            <xccdf-1.2:title>Configure Kubelet EvictionSoft Image FS inodes Free</xccdf-1.2:title>
-            <xccdf-1.2:description>Image FS inodes Free for the EvictionSoft threshold to trigger.</xccdf-1.2:description>
-            <xccdf-1.2:value>10%</xccdf-1.2:value>
-            <xccdf-1.2:value selector="5pc">5%</xccdf-1.2:value>
-            <xccdf-1.2:value selector="10pc">10%</xccdf-1.2:value>
-            <xccdf-1.2:value selector="15pc">15%</xccdf-1.2:value>
-            <xccdf-1.2:value selector="20pc">20%</xccdf-1.2:value>
-          </xccdf-1.2:Value>
-          <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_kubelet_evictionsoft_memory_available" type="string">
-            <xccdf-1.2:title>Configure Kubelet EvictionSoft Memory Avilable</xccdf-1.2:title>
-            <xccdf-1.2:description>Memory Available for the EvictionSoft threshold to trigger.</xccdf-1.2:description>
-            <xccdf-1.2:value>500Mi</xccdf-1.2:value>
-          </xccdf-1.2:Value>
-          <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_kubelet_evictionsoft_nodefs_available" type="string">
-            <xccdf-1.2:title>Configure Kubelet EvictionSoft NodeFS Available</xccdf-1.2:title>
-            <xccdf-1.2:description>Node FS Available for the EvictionSoft threshold to trigger.</xccdf-1.2:description>
-            <xccdf-1.2:value>10%</xccdf-1.2:value>
-            <xccdf-1.2:value selector="5pc">5%</xccdf-1.2:value>
-            <xccdf-1.2:value selector="10pc">10%</xccdf-1.2:value>
-            <xccdf-1.2:value selector="15pc">15%</xccdf-1.2:value>
-            <xccdf-1.2:value selector="20pc">20%</xccdf-1.2:value>
-          </xccdf-1.2:Value>
-          <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_kubelet_evictionsoft_nodefs_inodesfree" type="string">
-            <xccdf-1.2:title>Configure Kubelet EvictionSoft Node FS inodes Free</xccdf-1.2:title>
-            <xccdf-1.2:description>Node FS inodes Free for the EvictionSoft threshold to trigger.</xccdf-1.2:description>
-            <xccdf-1.2:value>5%</xccdf-1.2:value>
-            <xccdf-1.2:value selector="5pc">5%</xccdf-1.2:value>
-            <xccdf-1.2:value selector="10pc">10%</xccdf-1.2:value>
-            <xccdf-1.2:value selector="15pc">15%</xccdf-1.2:value>
-            <xccdf-1.2:value selector="20pc">20%</xccdf-1.2:value>
-          </xccdf-1.2:Value>
-          <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_kubelet_tls_cipher_suites" type="string">
-            <xccdf-1.2:title>Configure Kubelet use of the Strong Cryptographic Ciphers</xccdf-1.2:title>
-            <xccdf-1.2:description>Cryptographic Ciphers Available for Kubelet, seperated by comma</xccdf-1.2:description>
-            <xccdf-1.2:value>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256</xccdf-1.2:value>
-          </xccdf-1.2:Value>
-          <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_kubelet_tls_cipher_suites_regex" type="string">
-            <xccdf-1.2:title>Configure Kubelet use of the Strong Cryptographic Ciphers</xccdf-1.2:title>
-            <xccdf-1.2:description>Cryptographic Ciphers Available for Kubelet</xccdf-1.2:description>
-            <xccdf-1.2:value>^(TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)$</xccdf-1.2:value>
-          </xccdf-1.2:Value>
-          <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_role" type="string">
-            <xccdf-1.2:title>Configure which node to scan based on role</xccdf-1.2:title>
-            <xccdf-1.2:description>Configure which node to scan based on role</xccdf-1.2:description>
-            <xccdf-1.2:value>worker</xccdf-1.2:value>
-            <xccdf-1.2:value selector="master">master</xccdf-1.2:value>
-          </xccdf-1.2:Value>
-          <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_streaming_connection_timeouts" type="string" interactive="true">
-            <xccdf-1.2:title>Streaming Connection Timeout Options</xccdf-1.2:title>
-            <xccdf-1.2:description>Time until connection timeouts. Use (s) for seconds, (m) for minutes,
-and (h) for hours.</xccdf-1.2:description>
-            <xccdf-1.2:value>5m0s</xccdf-1.2:value>
-            <xccdf-1.2:value selector="5min">5m0s</xccdf-1.2:value>
-            <xccdf-1.2:value selector="10min">10m0s</xccdf-1.2:value>
-            <xccdf-1.2:value selector="30min">30m0s</xccdf-1.2:value>
-            <xccdf-1.2:value selector="1hour">1h</xccdf-1.2:value>
-            <xccdf-1.2:value selector="2hours">2h</xccdf-1.2:value>
-            <xccdf-1.2:value selector="4hours">4h</xccdf-1.2:value>
-            <xccdf-1.2:value selector="6hours">6h</xccdf-1.2:value>
-            <xccdf-1.2:value selector="8hours">8h</xccdf-1.2:value>
-          </xccdf-1.2:Value>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_anonymous_auth_worker" severity="medium">
-            <xccdf-1.2:title>Disable Anonymous Authentication to the Kubelet</xccdf-1.2:title>
-            <xccdf-1.2:description>By default, anonymous access to the Kubelet server is enabled. This
-configuration check ensures that anonymous requests to the Kubelet
-server are disabled. Edit the Kubelet server configuration file
-<html:code>/etc/kubernetes/kubelet/kubelet-config.json</html:code> on the kubelet node(s)
-and set the below parameter:
-<html:pre>
-authentication:
-  ...
-  anonymous:
-    enabled: false
-  ...
-</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">3.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>When enabled, requests that are not rejected by other configured
-authentication methods are treated as anonymous requests. These
-requests are then served by the Kubelet server. OpenShift Operators should
-rely on authentication to authorize access and disallow anonymous
-requests.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#eks-node"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-eks-oval.xml" name="oval:ssg-kubelet_anonymous_auth_worker:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-eks-ocil.xml" name="ocil:ssg-kubelet_anonymous_auth_worker_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_authorization_mode_worker" severity="medium">
-            <xccdf-1.2:title>Ensure authorization is set to Webhook</xccdf-1.2:title>
-            <xccdf-1.2:description>Unauthenticated/unauthorized users should have no access to OpenShift nodes.
-The Kubelet should be set to only allow Webhook authorization.
-To ensure that the Kubelet requires authorization,
-validate that <html:code>authorization</html:code> is configured to <html:code>Webhook</html:code>
-in <html:code>/etc/kubernetes/kubelet/kubelet-config.json</html:code>:
-<html:pre>
-authorization:
-  mode: Webhook
-  ...
-</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">3.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Ensuring that the authorization is configured correctly helps enforce that
-unauthenticated/unauthorized users have no access to OpenShift nodes.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#eks-node"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-eks-oval.xml" name="oval:ssg-kubelet_authorization_mode_worker:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-eks-ocil.xml" name="ocil:ssg-kubelet_authorization_mode_worker_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_configure_client_ca_worker" severity="medium">
-            <xccdf-1.2:title>kubelet - Configure the Client CA Certificate</xccdf-1.2:title>
-            <xccdf-1.2:description>By default, the kubelet is not configured with a CA certificate which
-can subject the kubelet to man-in-the-middle attacks.
-
-To configure a client CA certificate, edit the kubelet configuration
-file <html:code>/etc/kubernetes/kubelet/kubelet-config.json</html:code>
-on the kubelet node(s) and set the below parameter:
-<html:pre>
-authentication:
-...
-  x509:
-    clientCAFile: /etc/kubernetes/pki/ca.crt
-...
-</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">3.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Not having a CA certificate for the kubelet will subject the kubelet to possible
-man-in-the-middle attacks especially on unsafe or untrusted networks.
-Certificate validation for the kubelet allows the API server to validate
-the kubelet's identity.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#eks-node"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-eks-oval.xml" name="oval:ssg-kubelet_configure_client_ca_worker:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-eks-ocil.xml" name="ocil:ssg-kubelet_configure_client_ca_worker_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_disable_hostname_override" severity="low">
-            <xccdf-1.2:title>kubelet - Hostname Override handling</xccdf-1.2:title>
-            <xccdf-1.2:description>Normally, OpenShift lets the kubelet get the hostname from either the
-cloud provider itself, or from the node's hostname. This ensures that
-the PKI allocated by the deployment uses the appropriate values, is valid
-and keeps working throughout the lifecycle of the cluster. IP addresses
-are not used, and hence this makes it easier for security analysts to
-associate kubelet logs with the appropriate node.</xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-3 R6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-3 R3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">3.2.8</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Allowing hostnames to be overridden creates issues around resolving nodes
-in addition to TLS configuration, certificate validation, and log correlation
-and validation.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#eks-node"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-eks-oval.xml" name="oval:ssg-kubelet_disable_hostname_override:def:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_enable_cert_rotation_worker" severity="medium">
-            <xccdf-1.2:title>kubelet - Enable Certificate Rotation</xccdf-1.2:title>
-            <xccdf-1.2:description>To enable the kubelet to rotate client certificates, edit the kubelet configuration
-file <html:code>/etc/kubernetes/kubelet/kubelet-config.json</html:code>
-on the kubelet node(s) and set the below parameter:
-<html:pre>
-...
-rotateCertificates: true
-...
-</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">3.2.10</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Allowing the kubelet to auto-update the certificates ensure that there is no downtime
-in certificate renewal as well as ensures confidentiality and integrity.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#eks-node"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-eks-oval.xml" name="oval:ssg-kubelet_enable_cert_rotation_worker:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-eks-ocil.xml" name="ocil:ssg-kubelet_enable_cert_rotation_worker_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_enable_client_cert_rotation" severity="medium">
-            <xccdf-1.2:title>kubelet - Enable Client Certificate Rotation</xccdf-1.2:title>
-            <xccdf-1.2:description>To enable the kubelet to rotate client certificates, edit the kubelet configuration
-file <html:code>/etc/kubernetes/kubelet/kubelet-config.json</html:code>
-on the kubelet node(s) and set the below parameter:
-<html:pre>
-featureGates:
-...
-  RotateKubeletClientCertificate: true
-...
-</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">3.2.10</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Allowing the kubelet to auto-update the certificates ensure that there is no downtime
-in certificate renewal as well as ensures confidentiality and integrity.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#eks-node"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-eks-oval.xml" name="oval:ssg-kubelet_enable_client_cert_rotation:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-eks-ocil.xml" name="ocil:ssg-kubelet_enable_client_cert_rotation_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_enable_iptables_util_chains" severity="medium">
-            <xccdf-1.2:title>kubelet - Allow Automatic Firewall Configuration</xccdf-1.2:title>
-            <xccdf-1.2:description>The kubelet has the ability to automatically configure the firewall to allow
-the containers required ports and connections to networking resources and destinations
-parameters potentially creating a security incident.
-To allow the kubelet to modify the firewall, edit the kubelet configuration
-file <html:code>/etc/kubernetes/kubelet/kubelet-config.json</html:code>
-on the kubelet node(s) and set the below parameter:
-<html:pre>makeIPTablesUtilChains: true</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">3.2.7</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>The kubelet should automatically configure the firewall settings to allow access and
-networking traffic through. This ensures that when a pod or container is running that
-the correct ports are configured as well as removing the ports when a pod or
-container is no longer in existence.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#eks-node"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-eks-oval.xml" name="oval:ssg-kubelet_enable_iptables_util_chains:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-eks-ocil.xml" name="ocil:ssg-kubelet_enable_iptables_util_chains_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_enable_protect_kernel_defaults" severity="medium">
-            <xccdf-1.2:title>kubelet - Enable Protect Kernel Defaults</xccdf-1.2:title>
-            <xccdf-1.2:description>
-              <html:p>
-Protect tuned kernel parameters from being overwritten by the kubelet.
-</html:p>
-            </xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">3.2.6</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Kernel parameters are usually tuned and hardened by the system administrators
-before putting the systems into production. These parameters protect the
-kernel and the system. Your kubelet kernel defaults that rely on such
-parameters should be appropriately set to match the desired secured system
-state. Ignoring this could potentially lead to running pods with undesired
-kernel behavior.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#eks-node"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-eks-oval.xml" name="oval:ssg-kubelet_enable_protect_kernel_defaults:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-eks-ocil.xml" name="ocil:ssg-kubelet_enable_protect_kernel_defaults_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_enable_server_cert_rotation_worker" severity="medium">
-            <xccdf-1.2:title>kubelet - Enable Server Certificate Rotation</xccdf-1.2:title>
-            <xccdf-1.2:description>To enable the kubelet to rotate server certificates, edit the kubelet configuration
-file <html:code>/etc/kubernetes/kubelet/kubelet-config.json</html:code>
-on the kubelet node(s) and set the below parameter:
-<html:pre>
-featureGates:
-...
-  RotateKubeletServerCertificate: true
-...
-</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">3.2.11</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Allowing the kubelet to auto-update the certificates ensure that there is no downtime
-in certificate renewal as well as ensures confidentiality and integrity.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#eks-node"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-eks-oval.xml" name="oval:ssg-kubelet_enable_server_cert_rotation_worker:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-eks-ocil.xml" name="ocil:ssg-kubelet_enable_server_cert_rotation_worker_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_enable_streaming_connections_worker" severity="medium">
-            <xccdf-1.2:title>kubelet - Do Not Disable Streaming Timeouts</xccdf-1.2:title>
-            <xccdf-1.2:description>Timouts for streaming connections should not be disabled as they help to prevent
-denial-of-service attacks.
-To configure streaming connection timeouts, edit the kubelet configuration
-file <html:code>/etc/kubernetes/kubelet/kubelet-config.json</html:code>
-on the kubelet node(s) and set the below parameter:
-<html:pre>streamingConnectionIdleTimeout: <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_streaming_connection_timeouts" use="legacy"/></html:pre></xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">3.2.5</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Ensuring connections have timeouts helps to protect against denial-of-service attacks as
-well as disconnect inactive connections. In addition, setting connections timeouts helps
-to prevent from running out of ephemeral ports.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#eks-node"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-export export-name="oval:ssg-var_streaming_connection_timeouts:var:1" value-id="xccdf_org.ssgproject.content_value_var_streaming_connection_timeouts"/>
-              <xccdf-1.2:check-content-ref href="ssg-eks-oval.xml" name="oval:ssg-kubelet_enable_streaming_connections_worker:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-eks-ocil.xml" name="ocil:ssg-kubelet_enable_streaming_connections_worker_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_read_only_port_secured_worker" severity="medium">
-            <xccdf-1.2:title>kubelet - Ensure that the --read-only-port is secured</xccdf-1.2:title>
-            <xccdf-1.2:description>Disable the read-only port.</xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">3.2.4</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>The Kubelet process provides a read-only API in addition to the main Kubelet API.
-Unauthenticated access is provided to this read-only API which could possibly retrieve
-potentially sensitive information about the cluster.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#eks-node"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-eks-oval.xml" name="oval:ssg-kubelet_read_only_port_secured_worker:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-eks-ocil.xml" name="ocil:ssg-kubelet_read_only_port_secured_worker_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-        </xccdf-1.2:Group>
-        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_logging">
-          <xccdf-1.2:title>OpenShift - Logging Settings</xccdf-1.2:title>
-          <xccdf-1.2:description>Contains evaluations for the cluster's logging configuration settings.</xccdf-1.2:description>
-          <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_openshift_audit_profile" type="string">
-            <xccdf-1.2:title>Configure the OpenShift Audit Profile</xccdf-1.2:title>
-            <xccdf-1.2:description>Audit log profiles define how to log requests that come to the OpenShift
-API server, the Kubernetes API server, and the OAuth API server.</xccdf-1.2:description>
-            <xccdf-1.2:value>Default</xccdf-1.2:value>
-            <xccdf-1.2:value selector="Default">Default</xccdf-1.2:value>
-            <xccdf-1.2:value selector="WriteRequestBodies">WriteRequestBodies</xccdf-1.2:value>
-            <xccdf-1.2:value selector="AllRequestBodies">AllRequestBodies</xccdf-1.2:value>
-          </xccdf-1.2:Value>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_logging" severity="unknown">
-            <xccdf-1.2:title>Ensure Audit Logging is Enabled</xccdf-1.2:title>
-            <xccdf-1.2:description>The audit logs are part of the EKS managed Kubernetes control plane logs that
-are managed by Amazon EKS. Amazon EKS is integrated with AWS CloudTrail, a
-service that provides a record of actions taken by a user, role, or an AWS
-service in Amazon EKS. CloudTrail captures all API calls for Amazon EKS as
-events. The calls captured include calls from the Amazon EKS console and code
-calls to the Amazon EKS API operations.</xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">2.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Exporting logs and metrics to a dedicated, persistent datastore such as
-CloudTrail ensures availability of audit data following a cluster security
-event, and provides a central location for analysis of log and metric data
-collated from multiple sources.</xccdf-1.2:rationale>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-87445-3</xccdf-1.2:ident>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-eks-ocil.xml" name="ocil:ssg-audit_logging_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-        </xccdf-1.2:Group>
-        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_networking">
-          <xccdf-1.2:title>Kubernetes - Network Configuration and Firewalls</xccdf-1.2:title>
-          <xccdf-1.2:description>Most systems must be connected to a network of some
-sort, and this brings with it the substantial risk of network
-attack. This section discusses the security impact of decisions
-about networking which must be made when configuring a system.
-<html:br/><html:br/>
-This section also discusses firewalls, network access
-controls, and other network security frameworks, which allow
-system-level rules to be written that can limit an attackers' ability
-to connect to your system. These rules can specify that network
-traffic should be allowed or denied from certain IP addresses,
-hosts, and networks. The rules can also specify which of the
-system's network services are available to particular hosts or
-networks.</xccdf-1.2:description>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_configure_network_policies_namespaces" severity="high">
-            <xccdf-1.2:title>Ensure that application Namespaces have Network Policies defined.</xccdf-1.2:title>
-            <xccdf-1.2:description>Use network policies to isolate traffic in your cluster network.</xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">This rule's check operates on the cluster configuration dump.
-Therefore, you need to use a tool that can query the OCP API, retrieve the following:
-<html:ul><html:li><html:code class="ocp-api-endpoint" id="51742b3e87275db9eb7fc6c0286a9e536178a2a83e3670b615ceaf545e7fd300">/apis/networking.k8s.io/v1/networkpolicies</html:code>
-    API endpoint, filter with with the <html:code>jq</html:code> utility using the following filter
-    <html:code class="ocp-api-filter" id="filter-51742b3e87275db9eb7fc6c0286a9e536178a2a83e3670b615ceaf545e7fd300">[.items[] | select((.metadata.namespace | startswith("openshift") | not) and (.metadata.namespace | startswith("kube-") | not) and .metadata.namespace != "default") | .metadata.namespace] | unique</html:code>
-    and persist it to the local
-    <html:code class="ocp-dump-location" id="dump-51742b3e87275db9eb7fc6c0286a9e536178a2a83e3670b615ceaf545e7fd300"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>/apis/networking.k8s.io/v1/networkpolicies#51742b3e87275db9eb7fc6c0286a9e536178a2a83e3670b615ceaf545e7fd300</html:code>
-    file.
-  </html:li><html:li><html:code class="ocp-api-endpoint" id="34d4beecc95c65d815d9d48fd4fdcb0c521631852ad088ef74e36d012b0e1e0d">/api/v1/namespaces</html:code>
-    API endpoint, filter with with the <html:code>jq</html:code> utility using the following filter
-    <html:code class="ocp-api-filter" id="filter-34d4beecc95c65d815d9d48fd4fdcb0c521631852ad088ef74e36d012b0e1e0d">[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default")]</html:code>
-    and persist it to the local
-    <html:code class="ocp-dump-location" id="dump-34d4beecc95c65d815d9d48fd4fdcb0c521631852ad088ef74e36d012b0e1e0d"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>/api/v1/namespaces#34d4beecc95c65d815d9d48fd4fdcb0c521631852ad088ef74e36d012b0e1e0d</html:code>
-    file.
-  </html:li></html:ul></xccdf-1.2:warning>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R4.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4(21)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CA-3(5)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(3)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(5)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(8)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(12)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(13)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(18)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(10)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-4(22)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-1.1.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-1.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-1.3.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-1.3.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000038-CTR-000105</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000039-CTR-000110</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000141-CTR-000315</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000141-CTR-000320</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000142-CTR-000325</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000142-CTR-000330</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000645-CTR-001410</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.3.2</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Running different applications on the same Kubernetes cluster creates a risk of one
-compromised application attacking a neighboring application. Network segmentation is
-important to ensure that containers can communicate only with those they are supposed
-to. When a network policy is introduced to a given namespace, all traffic not allowed
-by the policy is denied. However, if there are no network policies in a namespace all
-traffic will be allowed into and out of the pods in that namespace.</xccdf-1.2:rationale>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
-              <xccdf-1.2:check-content-ref href="ssg-eks-oval.xml" name="oval:ssg-configure_network_policies_namespaces:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-eks-ocil.xml" name="ocil:ssg-configure_network_policies_namespaces_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_configure_network_policy" severity="unknown">
-            <xccdf-1.2:title>Ensure Network Policy is Enabled</xccdf-1.2:title>
-            <xccdf-1.2:description>Use Network Policy to restrict pod to pod traffic within a cluster and
-segregate workloads.</xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">5.4.4</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>By default, all pod to pod traffic within a cluster is allowed. Network
-Policy creates a pod- level firewall that can be used to restrict traffic
-between sources. Pod traffic is restricted by having a Network Policy that
-selects it (through the use of labels). Once there is any Network Policy in a
-namespace selecting a particular pod, that pod will reject any connections
-that are not allowed by any Network Policy. Other pods in the namespace that
-are not selected by any Network Policy will continue to accept all traffic.
-
-Network Policies are managed via the Kubernetes Network Policy API and
-enforced by a network plugin, simply creating the resource without a
-compatible network plugin to implement it will have no effect. EKS supports
-Network Policy enforcement through the use of Calico.</xccdf-1.2:rationale>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-88207-6</xccdf-1.2:ident>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-eks-ocil.xml" name="ocil:ssg-configure_network_policy_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_configure_tls" severity="unknown">
-            <xccdf-1.2:title>Encrypt Traffic to Load Balancers and Workloads</xccdf-1.2:title>
-            <xccdf-1.2:description>Encrypt traffic to HTTPS load balancers using TLS certificates.</xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">5.4.5</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Encrypting traffic between users and your Kubernetes workload is fundamental
-to protecting data sent over the web.</xccdf-1.2:rationale>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-89133-3</xccdf-1.2:ident>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-eks-ocil.xml" name="ocil:ssg-configure_tls_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_control_plane_access" severity="unknown">
-            <xccdf-1.2:title>Restrict Access to the Control Plane Endpoint</xccdf-1.2:title>
-            <xccdf-1.2:description>Enable Endpoint Private Access to restrict access to the cluster's control
-plane to only an allowlist of authorized IPs.</xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">5.4.1</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Authorized networks are a way of specifying a restricted range of IP
-addresses that are permitted to access your cluster's control plane.
-Kubernetes Engine uses both Transport Layer Security (TLS) and authentication
-to provide secure access to your cluster's control plane from the public
-internet. This provides you the flexibility to administer your cluster from
-anywhere; however, you might want to further restrict access to a set of IP
-addresses that you control. You can set this restriction by specifying an
-authorized network. Restricting access to an authorized network can provide
-additional security benefits for your container cluster, including:
-
-<html:ul><html:li>Better protection from outsider attacks: Authorized networks provide an
-additional layer of security by limiting external access to a specific set
-of addresses you designate, such as those that originate from your
-premises. This helps protect access to your cluster in the case of a
-vulnerability in the cluster's authentication or authorization
-mechanism.</html:li><html:li>Better protection from insider attacks: Authorized networks help protect
-your cluster from accidental leaks of master certificates from your
-company's premises. Leaked certificates used from outside Amazon EC2 and
-outside the authorized IP ranges (for example, from addresses outside your
-company) are still denied access.</html:li></html:ul></xccdf-1.2:rationale>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-86182-3</xccdf-1.2:ident>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-eks-ocil.xml" name="ocil:ssg-control_plane_access_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_endpoint_configuration" severity="unknown">
-            <xccdf-1.2:title>Ensure Private Endpoint Access</xccdf-1.2:title>
-            <xccdf-1.2:description>Disable access to the Kubernetes API from outside the node network if it is
-not required.</xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">5.4.2</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>In a private cluster, the master node has two endpoints, a private and public
-endpoint. The private endpoint is the internal IP address of the master,
-behind an internal load balancer in the master's VPC network. Nodes
-communicate with the master using the private endpoint. The public endpoint
-enables the Kubernetes API to be accessed from outside the master's VPC
-network.
-
-Although Kubernetes API requires an authorized token to perform sensitive
-actions, a vulnerability could potentially expose the Kubernetes publically
-with unrestricted access. Additionally, an attacker may be able to identify
-the current cluster and Kubernetes API version and determine whether it is
-vulnerable to an attack. Unless required, disabling public endpoint will help
-prevent such threats, and require the attacker to be on the master's VPC
-network to perform any attack on the Kubernetes API.</xccdf-1.2:rationale>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-88813-1</xccdf-1.2:ident>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-eks-ocil.xml" name="ocil:ssg-endpoint_configuration_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_private_nodes" severity="unknown">
-            <xccdf-1.2:title>Ensure Cluster Private Nodes</xccdf-1.2:title>
-            <xccdf-1.2:description>Disable public IP addresses for cluster nodes, so that they only have private
-IP addresses. Private Nodes are nodes with no public IP addresses.</xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">5.4.3</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Disabling public IP addresses on cluster nodes restricts access to only
-internal networks, forcing attackers to obtain local network access before
-attempting to compromise the underlying Kubernetes hosts.</xccdf-1.2:rationale>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-88669-7</xccdf-1.2:ident>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-eks-ocil.xml" name="ocil:ssg-private_nodes_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-        </xccdf-1.2:Group>
-        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_registry">
-          <xccdf-1.2:title>Kubernetes - Registry Security Practices</xccdf-1.2:title>
-          <xccdf-1.2:description>Contains evaluations for Kubernetes registry security practices, and cluster-wide registry configuration.</xccdf-1.2:description>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_approved_registries" severity="unknown">
-            <xccdf-1.2:title>Only use approved container registries</xccdf-1.2:title>
-            <xccdf-1.2:description>Use approved container registries.</xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">5.1.4</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Allowing unrestricted access to external container registries provides the
-opportunity for malicious or unapproved containers to be deployed into the
-cluster. Allowlisting only approved container registries reduces this risk.</xccdf-1.2:rationale>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-86901-6</xccdf-1.2:ident>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-eks-ocil.xml" name="ocil:ssg-approved_registries_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_image_scanning" severity="unknown">
-            <xccdf-1.2:title>Ensure Image Vulnerability Scanning</xccdf-1.2:title>
-            <xccdf-1.2:description>Scan images being deployed to Amazon EKS for vulnerabilities.</xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">5.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Vulnerabilities in software packages can be exploited by hackers or malicious
-users to obtain unauthorized access to local cloud resources. Amazon ECR and
-other third party products allow images to be scanned for known
-vulnerabilities.</xccdf-1.2:rationale>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-88990-7</xccdf-1.2:ident>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-eks-ocil.xml" name="ocil:ssg-image_scanning_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_read_only_registry_access" severity="unknown">
-            <xccdf-1.2:title>Ensure Cluster Service Account with read-only access to Amazon ECR</xccdf-1.2:title>
-            <xccdf-1.2:description>Configure the Cluster Service Account with Storage Object Viewer Role to only
-allow read- only access to Amazon ECR.</xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">5.1.3</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>The Cluster Service Account does not require administrative access to Amazon
-ECR, only requiring pull access to containers to deploy onto Amazon EKS.
-Restricting permissions follows the principles of least privilege and
-prevents credentials from being abused beyond the required role.</xccdf-1.2:rationale>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-86681-4</xccdf-1.2:ident>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-eks-ocil.xml" name="ocil:ssg-read_only_registry_access_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_registry_access" severity="unknown">
-            <xccdf-1.2:title>Minimize user access to Amazon ECR</xccdf-1.2:title>
-            <xccdf-1.2:description>Restrict user access to Amazon ECR, limiting interaction with build images to
-only authorized personnel and service accounts.</xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">5.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Weak access control to Amazon ECR may allow malicious users to replace built
-images with vulnerable containers.</xccdf-1.2:rationale>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-89643-1</xccdf-1.2:ident>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-eks-ocil.xml" name="ocil:ssg-registry_access_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-        </xccdf-1.2:Group>
-        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_secrets">
-          <xccdf-1.2:title>Kubernetes Secrets Management</xccdf-1.2:title>
-          <xccdf-1.2:description>Secrets let you store and manage sensitive information,
-such as passwords, OAuth tokens, and ssh keys.
-Such information might otherwise be put in a Pod
-specification or in an image.		</xccdf-1.2:description>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_secret_encryption" severity="unknown">
-            <xccdf-1.2:title>Ensure Kubernetes Secrets are Encrypted</xccdf-1.2:title>
-            <xccdf-1.2:description>Encrypt Kubernetes secrets, stored in etcd, using secrets encryption feature
-during Amazon EKS cluster creation.</xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">5.3.1</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Kubernetes can store secrets that pods can access via a mounted volume.
-Today, Kubernetes secrets are stored with Base64 encoding, but encrypting is
-the recommended approach. Amazon EKS clusters version 1.13 and higher support
-the capability of encrypting your Kubernetes secrets using AWS Key Management
-Service (KMS) Customer Managed Keys (CMK). The only requirement is to enable
-the encryption provider support during EKS cluster creation.
-
-Use AWS Key Management Service (KMS) keys to provide envelope encryption of
-Kubernetes secrets stored in Amazon EKS. Implementing envelope encryption is
-considered a security best practice for applications that store sensitive
-data and is part of a defense in depth security strategy.
-
-Application-layer Secrets Encryption provides an additional layer of security
-for sensitive data, such as user defined Secrets and Secrets required for the
-operation of the cluster, such as service account keys, which are all stored
-in etcd.
-
-Using this functionality, you can use a key, that you manage in AWS KMS, to
-encrypt data at the application layer. This protects against attackers in the
-event that they manage to gain access to etcd.</xccdf-1.2:rationale>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-90708-9</xccdf-1.2:ident>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-eks-ocil.xml" name="ocil:ssg-secret_encryption_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-        </xccdf-1.2:Group>
-        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_worker">
-          <xccdf-1.2:title>Kubernetes - Worker Node Settings</xccdf-1.2:title>
-          <xccdf-1.2:description>Contains evaluations for the worker node configuration settings.</xccdf-1.2:description>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_kubelet_conf" severity="medium">
-            <xccdf-1.2:title>Verify Group Who Owns The Kubelet Configuration File</xccdf-1.2:title>
-            <xccdf-1.2:description> To properly set the group owner of <html:code>/etc/kubernetes/kubelet/kubelet-config.json</html:code>, run the command: <html:pre>$ sudo chgrp root /etc/kubernetes/kubelet/kubelet-config.json</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">3.1.4</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>The kubelet configuration file contains information about the configuration of the
-OpenShift node that is configured on the system. Protection of this file is
-critical for OpenShift security.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#eks-node"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-eks-oval.xml" name="oval:ssg-file_groupowner_kubelet_conf:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-eks-ocil.xml" name="ocil:ssg-file_groupowner_kubelet_conf_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_worker_kubeconfig" severity="medium">
-            <xccdf-1.2:title>Verify Group Who Owns The Worker Kubeconfig File</xccdf-1.2:title>
-            <xccdf-1.2:description> To properly set the group owner of <html:code>/var/lib/kubelet/kubeconfig</html:code>, run the command: <html:pre>$ sudo chgrp root /var/lib/kubelet/kubeconfig</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>The worker kubeconfig file contains information about the administrative configuration of the
-OpenShift cluster that is configured on the system. Protection of this file is
-critical for OpenShift security.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#eks-node"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-eks-oval.xml" name="oval:ssg-file_groupowner_worker_kubeconfig:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-eks-ocil.xml" name="ocil:ssg-file_groupowner_worker_kubeconfig_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_kubelet_conf" severity="medium">
-            <xccdf-1.2:title>Verify User Who Owns The Kubelet Configuration File</xccdf-1.2:title>
-            <xccdf-1.2:description> To properly set the owner of <html:code>/etc/kubernetes/kubelet/kubelet-config.json</html:code>, run the command: <html:pre>$ sudo chown root /etc/kubernetes/kubelet/kubelet-config.json </html:pre></xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">3.1.4</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>The kubelet configuration file contains information about the configuration of the
-OpenShift node that is configured on the system. Protection of this file is
-critical for OpenShift security.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#eks-node"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-eks-oval.xml" name="oval:ssg-file_owner_kubelet_conf:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-eks-ocil.xml" name="ocil:ssg-file_owner_kubelet_conf_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_worker_kubeconfig" severity="medium">
-            <xccdf-1.2:title>Verify User Who Owns The Worker Kubeconfig File</xccdf-1.2:title>
-            <xccdf-1.2:description> To properly set the owner of <html:code>/var/lib/kubelet/kubeconfig</html:code>, run the command: <html:pre>$ sudo chown root /var/lib/kubelet/kubeconfig </html:pre></xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">3.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>The worker kubeconfig file contains information about the administrative configuration of the
-OpenShift cluster that is configured on the system. Protection of this file is
-critical for OpenShift security.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#eks-node"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-eks-oval.xml" name="oval:ssg-file_owner_worker_kubeconfig:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-eks-ocil.xml" name="ocil:ssg-file_owner_worker_kubeconfig_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_kubelet_conf" severity="medium">
-            <xccdf-1.2:title>Verify Permissions on The Kubelet Configuration File</xccdf-1.2:title>
-            <xccdf-1.2:description>
-To properly set the permissions of <html:code>/etc/kubernetes/kubelet/kubelet-config.json</html:code>, run the command:
-<html:pre>$ sudo chmod 0644 /etc/kubernetes/kubelet/kubelet-config.json</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">3.1.3</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>If the kubelet configuration file is writable by a group-owner or the
-world the risk of its compromise is increased. The file contains the configuration of
-an OpenShift node that is configured on the system. Protection of this file is
-critical for OpenShift security.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#eks-node"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-eks-oval.xml" name="oval:ssg-file_permissions_kubelet_conf:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-eks-ocil.xml" name="ocil:ssg-file_permissions_kubelet_conf_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_worker_kubeconfig" severity="medium">
-            <xccdf-1.2:title>Verify Permissions on the Worker Kubeconfig File</xccdf-1.2:title>
-            <xccdf-1.2:description>
-To properly set the permissions of <html:code>/var/lib/kubelet/kubeconfig</html:code>, run the command:
-<html:pre>$ sudo chmod 0644 /var/lib/kubelet/kubeconfig</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">3.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>If the worker kubeconfig file is writable by a group-owner or the
-world the risk of its compromise is increased. The file contains the administration configuration of the
-OpenShift cluster that is configured on the system. Protection of this file is
-critical for OpenShift security.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#eks-node"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-eks-oval.xml" name="oval:ssg-file_permissions_worker_kubeconfig:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-eks-ocil.xml" name="ocil:ssg-file_permissions_worker_kubeconfig_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-        </xccdf-1.2:Group>
-      </xccdf-1.2:Group>
-    </xccdf-1.2:Benchmark>
-  </ds:component>
-  <ds:component id="scap_org.open-scap_comp_ssg-eks-oval.xml" timestamp="2022-08-11T18:55:42">
-    <oval-def:oval_definitions xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd         http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd         http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd         http://oval.mitre.org/XMLSchema/oval-definitions-5#unix unix-definitions-schema.xsd         http://oval.mitre.org/XMLSchema/oval-definitions-5#linux linux-definitions-schema.xsd">
-      <oval-def:generator>
-        <oval:product_name>combine_ovals.py from SCAP Security Guide</oval:product_name>
-        <oval:product_version>ssg: [0, 1, 64], python: 3.10.6</oval:product_version>
-        <oval:schema_version>5.11</oval:schema_version>
-        <oval:timestamp>2022-08-11T18:55:39</oval:timestamp>
-      </oval-def:generator>
-      <oval-def:definitions>
-        <oval-def:definition class="compliance" id="oval:ssg-configure_network_policies_namespaces:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure that application Namespaces have Network Policies defined.</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Ensure that application Namespaces have Network Policies defined</oval-def:description>
-            <oval-def:reference ref_id="configure_network_policies_namespaces" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Make sure that the file '/apis/networking.k8s.io/v1/networkpolicies#51742b3e87275db9eb7fc6c0286a9e536178a2a83e3670b615ceaf545e7fd300 exists." test_ref="oval:ssg-test_file_for_configure_network_policies_namespaces:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces#34d4beecc95c65d815d9d48fd4fdcb0c521631852ad088ef74e36d012b0e1e0d' exists." test_ref="oval:ssg-test_file_for_configure_network_policies_filtered_namespaces:tst:1"/>
-            <oval-def:criterion comment="Make sure that all target elements exists for elements at path '.items[:].spec.host'" test_ref="oval:ssg-test_elements_count_for_configure_network_policies_namespaces:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_kubelet_conf:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Verify Group Who Owns The Kubelet Configuration File</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>This test makes sure that /etc/kubernetes/kubelet/kubelet-config.json is group owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="file_groupowner_kubelet_conf" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check file group ownership of /etc/kubernetes/kubelet/kubelet-config.json" test_ref="oval:ssg-test_file_groupowner_kubelet_conf_0:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_worker_kubeconfig:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Verify Group Who Owns The Worker Kubeconfig File</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>This test makes sure that /var/lib/kubelet/kubeconfig is group owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="file_groupowner_worker_kubeconfig" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check file group ownership of /var/lib/kubelet/kubeconfig" test_ref="oval:ssg-test_file_groupowner_worker_kubeconfig_0:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_owner_kubelet_conf:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Verify User Who Owns The Kubelet Configuration File</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>This test makes sure that /etc/kubernetes/kubelet/kubelet-config.json is owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="file_owner_kubelet_conf" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check file ownership of /etc/kubernetes/kubelet/kubelet-config.json" test_ref="oval:ssg-test_file_owner_kubelet_conf_0:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_owner_worker_kubeconfig:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Verify User Who Owns The Worker Kubeconfig File</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>This test makes sure that /var/lib/kubelet/kubeconfig is owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="file_owner_worker_kubeconfig" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check file ownership of /var/lib/kubelet/kubeconfig" test_ref="oval:ssg-test_file_owner_worker_kubeconfig_0:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_kubelet_conf:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Verify Permissions on The Kubelet Configuration File</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>This test makes sure that /etc/kubernetes/kubelet/kubelet-config.json has mode 0644.
-      If the target file or directory has an extended ACL, then it will fail the mode check.
-      </oval-def:description>
-            <oval-def:reference ref_id="file_permissions_kubelet_conf" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check file mode of /etc/kubernetes/kubelet/kubelet-config.json" test_ref="oval:ssg-test_file_permissions_kubelet_conf_0:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_worker_kubeconfig:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Verify Permissions on the Worker Kubeconfig File</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>This test makes sure that /var/lib/kubelet/kubeconfig has mode 0644.
-      If the target file or directory has an extended ACL, then it will fail the mode check.
-      </oval-def:description>
-            <oval-def:reference ref_id="file_permissions_worker_kubeconfig" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check file mode of /var/lib/kubelet/kubeconfig" test_ref="oval:ssg-test_file_permissions_worker_kubeconfig_0:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kubelet_anonymous_auth_worker:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Disable Anonymous Authentication to the Kubelet</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/etc/kubernetes/kubelet/kubelet-config.json' at path '.authentication.anonymous.enabled' all: value equals 'false'</oval-def:description>
-            <oval-def:reference ref_id="kubelet_anonymous_auth_worker" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/etc/kubernetes/kubelet/kubelet-config.json' at path '.authentication.anonymous.enabled' all" test_ref="oval:ssg-test_kubelet_anonymous_auth_worker:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kubelet_authorization_mode_worker:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure authorization is set to Webhook</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/etc/kubernetes/kubelet/kubelet-config.json' at path '.authorization.mode' all: value equals 'AlwaysAllow'</oval-def:description>
-            <oval-def:reference ref_id="kubelet_authorization_mode_worker" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/etc/kubernetes/kubelet/kubelet-config.json' at path '.authorization.mode' all" test_ref="oval:ssg-test_kubelet_authorization_mode_worker:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kubelet_configure_client_ca_worker:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>kubelet - Configure the Client CA Certificate</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/etc/kubernetes/kubelet/kubelet-config.json' at path '.authentication.x509.clientCAFile' all: value equals '/etc/kubernetes/pki/ca.crt'</oval-def:description>
-            <oval-def:reference ref_id="kubelet_configure_client_ca_worker" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/etc/kubernetes/kubelet/kubelet-config.json' at path '.authentication.x509.clientCAFile' all" test_ref="oval:ssg-test_kubelet_configure_client_ca_worker:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kubelet_disable_hostname_override:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>kubelet - Hostname Override handling</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/etc/kubernetes/kubelet/kubelet-config.json' at path '.hostname-override' all: value equals '.*'</oval-def:description>
-            <oval-def:reference ref_id="kubelet_disable_hostname_override" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/etc/kubernetes/kubelet/kubelet-config.json' at path '.hostname-override' all" test_ref="oval:ssg-test_kubelet_disable_hostname_override:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kubelet_enable_cert_rotation_worker:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>kubelet - Enable Certificate Rotation</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/etc/kubernetes/kubelet/kubelet-config.json' at path '.rotateCertificates' all: value equals 'true'</oval-def:description>
-            <oval-def:reference ref_id="kubelet_enable_cert_rotation_worker" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/etc/kubernetes/kubelet/kubelet-config.json' at path '.rotateCertificates' all" test_ref="oval:ssg-test_kubelet_enable_cert_rotation_worker:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kubelet_enable_client_cert_rotation:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>kubelet - Enable Client Certificate Rotation</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/etc/kubernetes/kubelet/kubelet-config.json' at path '.featureGates.RotateKubeletClientCertificate' all: value equals 'false'</oval-def:description>
-            <oval-def:reference ref_id="kubelet_enable_client_cert_rotation" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/etc/kubernetes/kubelet/kubelet-config.json' at path '.featureGates.RotateKubeletClientCertificate' all" test_ref="oval:ssg-test_kubelet_enable_client_cert_rotation:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kubelet_enable_iptables_util_chains:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>kubelet - Allow Automatic Firewall Configuration</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/etc/kubernetes/kubelet/kubelet-config.json' at path '.makeIPTablesUtilChains' all: value equals 'true'</oval-def:description>
-            <oval-def:reference ref_id="kubelet_enable_iptables_util_chains" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/etc/kubernetes/kubelet/kubelet-config.json' at path '.makeIPTablesUtilChains' all" test_ref="oval:ssg-test_kubelet_enable_iptables_util_chains:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kubelet_enable_protect_kernel_defaults:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>kubelet - Enable Protect Kernel Defaults</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/etc/kubernetes/kubelet/kubelet-config.json' at path '.protectKernelDefaults' all: value equals 'true'</oval-def:description>
-            <oval-def:reference ref_id="kubelet_enable_protect_kernel_defaults" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/etc/kubernetes/kubelet/kubelet-config.json' at path '.protectKernelDefaults' all" test_ref="oval:ssg-test_kubelet_enable_protect_kernel_defaults:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kubelet_enable_server_cert_rotation_worker:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>kubelet - Enable Server Certificate Rotation</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/etc/kubernetes/kubelet/kubelet-config.json' at path '.featureGates.RotateKubeletServerCertificate' all: value equals 'true'</oval-def:description>
-            <oval-def:reference ref_id="kubelet_enable_server_cert_rotation_worker" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/etc/kubernetes/kubelet/kubelet-config.json' at path '.featureGates.RotateKubeletServerCertificate' all" test_ref="oval:ssg-test_kubelet_enable_server_cert_rotation_worker:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kubelet_enable_streaming_connections_worker:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>kubelet - Do Not Disable Streaming Timeouts</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/etc/kubernetes/kubelet/kubelet-config.json' at path '.streamingConnectionIdleTimeout' all: </oval-def:description>
-            <oval-def:reference ref_id="kubelet_enable_streaming_connections_worker" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/etc/kubernetes/kubelet/kubelet-config.json' at path '.streamingConnectionIdleTimeout' all" test_ref="oval:ssg-test_kubelet_enable_streaming_connections_worker:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kubelet_read_only_port_secured_worker:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>kubelet - Ensure that the --read-only-port is secured</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/etc/kubernetes/kubelet/kubelet-config.json' at path '.readOnlyPort' all: value equals '0'</oval-def:description>
-            <oval-def:reference ref_id="kubelet_read_only_port_secured_worker" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/etc/kubernetes/kubelet/kubelet-config.json' at path '.readOnlyPort' all" test_ref="oval:ssg-test_kubelet_read_only_port_secured_worker:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-package_GConf2_installed:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>package_GConf2_installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The RPM package GConf2 should be installed.</oval-def:description>
-            <oval-def:reference ref_id="package_GConf2_installed" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="package GConf2 is installed" test_ref="oval:ssg-test_package_GConf2_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-package_avahi_installed:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>package_avahi_installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The RPM package avahi should be installed.</oval-def:description>
-            <oval-def:reference ref_id="package_avahi_installed" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="package avahi is installed" test_ref="oval:ssg-test_package_avahi_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-package_dconf_installed:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>package_dconf_installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The RPM package dconf should be installed.</oval-def:description>
-            <oval-def:reference ref_id="package_dconf_installed" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="package dconf is installed" test_ref="oval:ssg-test_package_dconf_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-package_esc_installed:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>package_esc_installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The RPM package esc should be installed.</oval-def:description>
-            <oval-def:reference ref_id="package_esc_installed" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="package esc is installed" test_ref="oval:ssg-test_package_esc_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-package_gdm_installed:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>package_gdm_installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The RPM package gdm should be installed.</oval-def:description>
-            <oval-def:reference ref_id="package_gdm_installed" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="package gdm is installed" test_ref="oval:ssg-test_package_gdm_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-package_pam_ldap_removed:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>package_pam_ldap_removed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The RPM package pam_ldap should be removed.</oval-def:description>
-            <oval-def:reference ref_id="package_pam_ldap_removed" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="package pam_ldap is removed" test_ref="oval:ssg-test_package_pam_ldap_removed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-package_prelink_removed:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>package_prelink_removed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The RPM package prelink should be removed.</oval-def:description>
-            <oval-def:reference ref_id="package_prelink_removed" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="package prelink is removed" test_ref="oval:ssg-test_package_prelink_removed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-package_samba-common_removed:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>package_samba-common_removed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The RPM package samba-common should be removed.</oval-def:description>
-            <oval-def:reference ref_id="package_samba-common_removed" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="package samba-common is removed" test_ref="oval:ssg-test_package_samba-common_removed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-service_syslog_disabled:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>service_syslog_disabled</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The syslog service should be disabled if possible.</oval-def:description>
-            <oval-def:reference ref_id="service_syslog_disabled" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="package rsyslog removed or service syslog is not configured to start" operator="OR">
-            <oval-def:criterion comment="rsyslog removed" test_ref="oval:ssg-test_service_syslog_package_rsyslog_removed:tst:1"/>
-            <oval-def:criteria operator="AND" comment="service syslog is not configured to start">
-              <oval-def:criterion comment="syslog is not running" test_ref="oval:ssg-test_service_not_running_syslog:tst:1"/>
-              <oval-def:criterion comment="Property LoadState of service syslog is masked" test_ref="oval:ssg-test_service_loadstate_is_masked_syslog:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sshd_includes_config_files:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>sshd_includes_config_files</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check presence of Include /etc/ssh/sshd_config.d/*.conf in /etc/ssh/sshd_config</oval-def:description>
-            <oval-def:reference ref_id="sshd_includes_config_files" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND" comment="Test conditions - presence of the file plus 0 extra definitions.">
-            <oval-def:criterion comment="Check that /etc/ssh/sshd_config contains a line with certain text" test_ref="oval:ssg-test_sshd_includes_config_files:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-accounts_password_pam_faillock:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Check pam_faillock Existence in system-auth</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check that pam_faillock.so exists in system-auth</oval-def:description>
-            <oval-def:reference ref_id="accounts_password_pam_faillock" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Conditions for pam_faillock are satisfied" test_ref="oval:ssg-test_accounts_password_pam_faillock:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-accounts_password_pam_pwquality:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Check pam_pwquality Existence in system-auth</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check that pam_pwquality.so exists in system-auth</oval-def:description>
-            <oval-def:reference ref_id="accounts_password_pam_pwquality" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Conditions for pam_pwquality are satisfied" test_ref="oval:ssg-test_password_pam_pwquality:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_auditctl:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Any Attempts to Run semanage</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Test if auditctl is in use for audit rules.</oval-def:description>
-            <oval-def:reference ref_id="audit_rules_auditctl" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="audit auditctl" test_ref="oval:ssg-test_audit_rules_auditctl:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_augenrules:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Any Attempts to Run semanage</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Test if augenrules is enabled for audit rules.</oval-def:description>
-            <oval-def:reference ref_id="audit_rules_augenrules" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="audit augenrules" test_ref="oval:ssg-test_audit_rules_augenrules:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_networkconfig_modification_domainname:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Events that Modify the System's Network Environment</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The network environment should not be modified by anything other than
-      administrator action. Any change to network parameters should be audited.</oval-def:description>
-            <oval-def:reference ref_id="audit_rules_networkconfig_modification_domainname" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit setdomainname" test_ref="oval:ssg-test_32bit_ardm_setdomainname_augenrules:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit augenrules 64-bit setdomainname" test_ref="oval:ssg-test_64bit_ardm_setdomainname_augenrules:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit setdomainname" test_ref="oval:ssg-test_32bit_ardm_setdomainname_auditctl:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit auditctl 64-bit setdomainname" test_ref="oval:ssg-test_64bit_ardm_setdomainname_auditctl:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_networkconfig_modification_hostname:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Events that Modify the System's Network Environment</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The network environment should not be modified by anything other than
-      administrator action. Any change to network parameters should be audited.</oval-def:description>
-            <oval-def:reference ref_id="audit_rules_networkconfig_modification_hostname" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit sethostname" test_ref="oval:ssg-test_32bit_ardm_sethostname_augenrules:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit augenrules 64-bit sethostname" test_ref="oval:ssg-test_64bit_ardm_sethostname_augenrules:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit sethostname" test_ref="oval:ssg-test_32bit_ardm_sethostname_auditctl:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit auditctl 64-bit sethostname" test_ref="oval:ssg-test_64bit_ardm_sethostname_auditctl:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-auditd_conf_log_file_not_set:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>'log_file' Not Set In /etc/audit/auditd.conf</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Verify 'log_file' is not set in /etc/audit/auditd.conf.</oval-def:description>
-            <oval-def:reference ref_id="auditd_conf_log_file_not_set" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion test_ref="oval:ssg-test_auditd_conf_log_file_not_set:tst:1" comment="Verify 'log_file' not set in /etc/audit/auditd.conf"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-auditd_conf_log_group_not_root:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>'log_group' Not Set To 'root' In /etc/audit/auditd.conf</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Verify 'log_group' is not set to 'root' in
-      /etc/audit/auditd.conf.</oval-def:description>
-            <oval-def:reference ref_id="auditd_conf_log_group_not_root" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion test_ref="oval:ssg-test_auditd_conf_log_group_not_root:tst:1" comment="Verify 'log_group' not set to 'root' in /etc/audit/auditd.conf"/>
-            <oval-def:criterion test_ref="oval:ssg-test_auditd_conf_log_group_is_set:tst:1" comment="Verify 'log_group' is set in /etc/audit/auditd.conf"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-bootloader_disable_recovery_set_to_true:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Verify GRUB_DISABLE_RECOVERY Set to true</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>GRUB_DISABLE_RECOVERY set to 'true' in
-      /etc/default/grub</oval-def:description>
-            <oval-def:reference ref_id="bootloader_disable_recovery_set_to_true" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion test_ref="oval:ssg-test_bootloader_disable_recovery_set_to_true:tst:1" comment="Check GRUB_DISABLE_RECOVERY=true in /etc/default/grub"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-chronyd_specify_multiple_servers:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Specify Multiple Remote chronyd NTP Servers for Time Data</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Multiple chronyd NTP Servers for time synchronization should be specified.</oval-def:description>
-            <oval-def:reference ref_id="chronyd_specify_multiple_servers" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="chrony.conf conditions are met">
-            <oval-def:criterion test_ref="oval:ssg-test_chronyd_multiple_servers:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-grub2_default_exists:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>GRUB_CMDLINE_LINUX_DEFAULT existance check</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check if GRUB_CMDLINE_LINUX_DEFAULT exists in /etc/default/grub.</oval-def:description>
-            <oval-def:reference ref_id="grub2_default_exists" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion test_ref="oval:ssg-test_grub2_default_exists:tst:1" comment="check for GRUB_CMDLINE_LINUX_DEFAULT exists in /etc/default/grub"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-grub2_entries_reference_kernelopts:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Use $kernelopts in /boot/loader/entries/*.conf</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Ensure that grubenv-defined kernel options are referenced in individual boot loader entries</oval-def:description>
-            <oval-def:reference ref_id="grub2_entries_reference_kernelopts" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion test_ref="oval:ssg-test_grub2_entries_reference_kernelopts:tst:1" comment="check kernel command line parameters for referenced boot entries reference the $kernelopts variable."/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_alinux2:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Alibaba Cloud Linux 2</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:Alibaba Cloud Linux:2" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Alibaba Cloud Linux 2</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_alinux2" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="Installed OS is part of the Unix family" definition_ref="oval:ssg-installed_OS_is_part_of_Unix_family:def:1"/>
-            <oval-def:criterion comment="Alibaba Cloud Linux 2 is installed" test_ref="oval:ssg-test_alinux2:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_alinux3:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Alibaba Cloud Linux 3</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:Alibaba Cloud Linux:3" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Alibaba Cloud Linux 3</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_alinux3" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="Installed OS is part of the Unix family" definition_ref="oval:ssg-installed_OS_is_part_of_Unix_family:def:1"/>
-            <oval-def:criterion comment="Alibaba Cloud Linux 3 is installed" test_ref="oval:ssg-test_alinux3:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_centos7:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>CentOS 7</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:centos:centos:7" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is
-      CentOS 7</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_centos7" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="Installed OS is part of the Unix family" definition_ref="oval:ssg-installed_OS_is_part_of_Unix_family:def:1"/>
-            <oval-def:criterion comment="CentOS7 is installed" test_ref="oval:ssg-test_centos7:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_centos8:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>CentOS 8</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:centos:centos:8" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is
-      CentOS 8</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_centos8" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="Installed OS is part of the Unix family" definition_ref="oval:ssg-installed_OS_is_part_of_Unix_family:def:1"/>
-            <oval-def:criterion comment="OS is CentOS" test_ref="oval:ssg-test_centos8_name:tst:1"/>
-            <oval-def:criterion comment="OS version is 8" test_ref="oval:ssg-test_centos8_version:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_centos9:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>CentOS Stream 9</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:centos:centos:9" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is
-      CentOS Stream 9</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_centos9" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="Installed OS is part of the Unix family" definition_ref="oval:ssg-installed_OS_is_part_of_Unix_family:def:1"/>
-            <oval-def:criterion comment="OS is CentOS Stream" test_ref="oval:ssg-test_centos9_name:tst:1"/>
-            <oval-def:criterion comment="OS version is 9" test_ref="oval:ssg-test_centos9_version:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_debian:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Debian</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The operating system installed is a Debian System</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_debian" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="System is Debian" operator="AND">
-            <oval-def:extend_definition comment="Installed OS is part of the Unix family" definition_ref="oval:ssg-installed_OS_is_part_of_Unix_family:def:1"/>
-            <oval-def:criterion comment="Debian is installed" test_ref="oval:ssg-test_debian:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_debian10:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Debian Linux 10</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:debian:debian_linux:10" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Debian 10</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_debian10" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="Debian Linux is version 10" operator="AND">
-            <oval-def:extend_definition comment="Debian is installed" definition_ref="oval:ssg-installed_OS_is_debian:def:1"/>
-            <oval-def:criterion comment="Debian10 is installed" test_ref="oval:ssg-test_debian_10:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_debian11:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Debian Linux 11</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:debian:debian_linux:11" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Debian 11</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_debian11" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="Debian Linux is version 11" operator="AND">
-            <oval-def:extend_definition comment="Debian is installed" definition_ref="oval:ssg-installed_OS_is_debian:def:1"/>
-            <oval-def:criterion comment="Debian11 is installed" test_ref="oval:ssg-test_debian_11:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_debian9:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Debian 9</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:debian:debian_linux:9" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Debian 9</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_debian9" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="current Debian version is Debian Stretch" operator="AND">
-            <oval-def:extend_definition comment="Debian is installed" definition_ref="oval:ssg-installed_OS_is_debian:def:1"/>
-            <oval-def:criterion comment="Debian9 is installed" test_ref="oval:ssg-test_debian_9:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_fedora:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Installed operating system is Fedora</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:fedoraproject:fedora:33" source="CPE"/>
-            <oval-def:reference ref_id="cpe:/o:fedoraproject:fedora:34" source="CPE"/>
-            <oval-def:reference ref_id="cpe:/o:fedoraproject:fedora:35" source="CPE"/>
-            <oval-def:reference ref_id="cpe:/o:fedoraproject:fedora:36" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Fedora</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_fedora" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="Installed OS is part of the Unix family" definition_ref="oval:ssg-installed_OS_is_part_of_Unix_family:def:1"/>
-            <oval-def:criterion comment="fedora-release RPM packages are installed" test_ref="oval:ssg-test_fedora_release_rpm:tst:1"/>
-            <oval-def:criterion comment="CPE vendor is 'fedoraproject' and product is 'fedora'" test_ref="oval:ssg-test_fedora_vendor_product:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_ol7_family:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Oracle Linux 7</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:oracle:linux:7" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is
-      Oracle Linux 7</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_ol7_family" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:extend_definition comment="Installed OS is part of the Unix family" definition_ref="oval:ssg-installed_OS_is_part_of_Unix_family:def:1"/>
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="Oracle Linux 7 System is installed" test_ref="oval:ssg-test_ol7_system:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_ol8_family:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Oracle Linux 8</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:oracle:linux:8" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is
-      Oracle Linux 8</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_ol8_family" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:extend_definition comment="Installed OS is part of the Unix family" definition_ref="oval:ssg-installed_OS_is_part_of_Unix_family:def:1"/>
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="Oracle Linux 8 System is installed" test_ref="oval:ssg-test_ol8_system:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_ol9_family:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Oracle Linux 9</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:oracle:linux:9" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is
-      Oracle Linux 9</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_ol9_family" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:extend_definition comment="Installed OS is part of the Unix family" definition_ref="oval:ssg-installed_OS_is_part_of_Unix_family:def:1"/>
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="Oracle Linux 9 System is installed" test_ref="oval:ssg-test_ol9_system:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_opensuse:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>openSUSE</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The operating system installed on the system is openSUSE.</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_opensuse" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="Installed OS is part of the Unix family" definition_ref="oval:ssg-installed_OS_is_part_of_Unix_family:def:1"/>
-            <oval-def:criterion comment="openSUSE is installed" test_ref="oval:ssg-test_opensuse_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_opensuse_leap15:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>openSUSE Leap 15</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:opensuse:leap:15.0" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is openSUSE Leap 15.</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_opensuse_leap15" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="openSUSE is installed" definition_ref="oval:ssg-installed_OS_is_opensuse:def:1"/>
-            <oval-def:criterion comment="openSUSE Leap 15 is installed" test_ref="oval:ssg-test_opensuse_leap15_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_opensuse_leap42:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>openSUSE Leap 42</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:opensuse:leap:42.1" source="CPE"/>
-            <oval-def:reference ref_id="cpe:/o:opensuse:leap:42.2" source="CPE"/>
-            <oval-def:reference ref_id="cpe:/o:opensuse:leap:42.3" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is openSUSE Leap 42.</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_opensuse_leap42" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="openSUSE is installed" definition_ref="oval:ssg-installed_OS_is_opensuse:def:1"/>
-            <oval-def:criterion comment="openSUSE Leap 42 is installed" test_ref="oval:ssg-test_opensuse_leap42_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_part_of_Unix_family:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Installed operating system is part of the Unix family</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The operating system installed on the system is part of the Unix OS family</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_part_of_Unix_family" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Installed operating system is part of the unix family" test_ref="oval:ssg-test_unix_family:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_rhcos4:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Red Hat Enterprise Linux CoreOS</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:redhat:enterprise_linux_coreos:4" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is
-      Red Hat Enterprise Linux CoreOS release 4</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_rhcos4" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion comment="RHCOS is installed" test_ref="oval:ssg-test_rhcos:tst:1"/>
-              <oval-def:criterion comment="RHCOS version 4 is installed" test_ref="oval:ssg-test_rhcos4:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_rhel7:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Red Hat Enterprise Linux 7</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:redhat:enterprise_linux:7" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is
-      Red Hat Enterprise Linux 7</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_rhel7" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Installed operating system is part of the unix family" test_ref="oval:ssg-test_rhel7_unix_family:tst:1"/>
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="RHEL 7 Client is installed" test_ref="oval:ssg-test_rhel7_client:tst:1"/>
-              <oval-def:criterion comment="RHEL 7 Workstation is installed" test_ref="oval:ssg-test_rhel7_workstation:tst:1"/>
-              <oval-def:criterion comment="RHEL 7 Server is installed" test_ref="oval:ssg-test_rhel7_server:tst:1"/>
-              <oval-def:criterion comment="RHEL 7 Compute Node is installed" test_ref="oval:ssg-test_rhel7_computenode:tst:1"/>
-              <oval-def:criteria operator="AND" comment="Red Hat Enterprise Virtualization Host is installed">
-                <oval-def:criterion comment="Red Hat Virtualization Host (RHVH)" test_ref="oval:ssg-test_rhvh4_version:tst:1"/>
-                <oval-def:criterion comment="Red Hat Enterprise Virtualization Host is based on RHEL 7" test_ref="oval:ssg-test_rhevh_rhel7_version:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_rhel8:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Red Hat Enterprise Linux 8</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:redhat:enterprise_linux:8" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is
-      Red Hat Enterprise Linux 8</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_rhel8" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Installed operating system is part of the unix family" test_ref="oval:ssg-test_rhel8_unix_family:tst:1"/>
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="RHEL 8 is installed" test_ref="oval:ssg-test_rhel8:tst:1"/>
-              <oval-def:criteria operator="AND" comment="Red Hat Enterprise Virtualization Host is installed">
-                <oval-def:criterion comment="Red Hat Virtualization Host (RHVH)" test_ref="oval:ssg-test_rhvh4_version:tst:1"/>
-                <oval-def:criterion comment="Red Hat Enterprise Virtualization Host is based on RHEL 8" test_ref="oval:ssg-test_rhevh_rhel8_version:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_rhel8_0:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Red Hat Enterprise Linux 8.0</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:redhat:enterprise_linux:8.0" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Red Hat Enterprise Linux 8.0</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_rhel8_0" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="RHEL 8.0 is installed" test_ref="oval:ssg-test_rhel8_0:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_rhel8_1:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Red Hat Enterprise Linux 8.1</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:redhat:enterprise_linux:8.1" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Red Hat Enterprise Linux 8.1</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_rhel8_1" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="RHEL 8.1 is installed" test_ref="oval:ssg-test_rhel8_1:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_rhel8_2:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Red Hat Enterprise Linux 8.2</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:redhat:enterprise_linux:8.2" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Red Hat Enterprise Linux 8.2</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_rhel8_2" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="RHEL 8.2 is installed" test_ref="oval:ssg-test_rhel8_2:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_rhel8_3:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Red Hat Enterprise Linux 8.3</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:redhat:enterprise_linux:8.3" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Red Hat Enterprise Linux 8.3</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_rhel8_3" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="RHEL 8.3 is installed" test_ref="oval:ssg-test_rhel8_3:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_rhel8_4:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Red Hat Enterprise Linux 8.4</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:redhat:enterprise_linux:8.4" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Red Hat Enterprise Linux 8.4</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_rhel8_4" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="RHEL 8.4 is installed" test_ref="oval:ssg-test_rhel8_4:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_rhel8_5:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Red Hat Enterprise Linux 8.5</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:redhat:enterprise_linux:8.5" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Red Hat Enterprise Linux 8.5</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_rhel8_5" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="RHEL 8.5 is installed" test_ref="oval:ssg-test_rhel8_5:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_rhel8_6:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Red Hat Enterprise Linux 8.6</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:redhat:enterprise_linux:8.6" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Red Hat Enterprise Linux 8.6</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_rhel8_6" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="RHEL 8.6 is installed" test_ref="oval:ssg-test_rhel8_6:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_rhel8_7:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Red Hat Enterprise Linux 8.7</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:redhat:enterprise_linux:8.7" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Red Hat Enterprise Linux 8.7</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_rhel8_7" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="RHEL 8.7 is installed" test_ref="oval:ssg-test_rhel8_7:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_rhel8_8:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Red Hat Enterprise Linux 8.8</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:redhat:enterprise_linux:8.8" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Red Hat Enterprise Linux 8.8</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_rhel8_8" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="RHEL 8.8 is installed" test_ref="oval:ssg-test_rhel8_8:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_rhel8_9:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Red Hat Enterprise Linux 8.9</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:redhat:enterprise_linux:8.9" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Red Hat Enterprise Linux 8.9</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_rhel8_9" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="RHEL 8.9 is installed" test_ref="oval:ssg-test_rhel8_9:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_rhel8_10:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Red Hat Enterprise Linux 8.10</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:redhat:enterprise_linux:8.10" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Red Hat Enterprise Linux 8.10</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_rhel8_10" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="RHEL 8.10 is installed" test_ref="oval:ssg-test_rhel8_10:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_rhel9:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Red Hat Enterprise Linux 9</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:redhat:enterprise_linux:9" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is
-      Red Hat Enterprise Linux 9</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_rhel9" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Installed operating system is part of the unix family" test_ref="oval:ssg-test_rhel9_unix_family:tst:1"/>
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="RHEL 9 is installed" test_ref="oval:ssg-test_rhel9:tst:1"/>
-              <oval-def:criteria operator="AND" comment="Red Hat Enterprise Virtualization Host is installed">
-                <oval-def:criterion comment="Red Hat Virtualization Host (RHVH)" test_ref="oval:ssg-test_rhvh4_version:tst:1"/>
-                <oval-def:criterion comment="Red Hat Enterprise Virtualization Host is based on RHEL 9" test_ref="oval:ssg-test_rhevh_rhel9_version:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_rhv4:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Red Hat Virtualization 4</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:redhat:virtualization:4" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is
-      Red Hat Virtualization Host 4.4+ or Red Hat Enterprise Host.</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_rhv4" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:extend_definition comment="RHEL8 OS installed" definition_ref="oval:ssg-installed_OS_is_rhel8:def:1"/>
-            <oval-def:criterion comment="Red Hat Virtualization Host (RHVH)" test_ref="oval:ssg-test_rhvh4_version:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_sl7:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Scientific Linux 7</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:scientificlinux:scientificlinux:7" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is
-      Scientific Linux 7</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_sl7" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="Installed OS is part of the Unix family" definition_ref="oval:ssg-installed_OS_is_part_of_Unix_family:def:1"/>
-            <oval-def:criterion comment="Scientific Linux 7 is installed" test_ref="oval:ssg-test_sl7:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_sle12:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>SUSE Linux Enterprise 12</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:suse:linux_enterprise_server:12" source="CPE"/>
-            <oval-def:reference ref_id="cpe:/o:suse:linux_enterprise_desktop:12" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is
-      SUSE Linux Enterprise 12.</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_sle12" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Installed operating system is part of the unix family" test_ref="oval:ssg-test_sle12_unix_family:tst:1"/>
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="SLE 12 Desktop is installed" test_ref="oval:ssg-test_sle12_desktop:tst:1"/>
-              <oval-def:criterion comment="SLE 12 Server is installed" test_ref="oval:ssg-test_sle12_server:tst:1"/>
-              <oval-def:criterion comment="SLES 12 for SAP Applications is installed" test_ref="oval:ssg-test_sles_12_for_sap:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_sle15:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>SUSE Linux Enterprise 15</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:suse:linux_enterprise_server:15" source="CPE"/>
-            <oval-def:reference ref_id="cpe:/o:suse:linux_enterprise_desktop:15" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is
-      SUSE Linux Enterprise 15.</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_sle15" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Installed operating system is part of the unix family" test_ref="oval:ssg-test_sle15_unix_family:tst:1"/>
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="SLE 15 Desktop is installed" test_ref="oval:ssg-test_sle15_desktop:tst:1"/>
-              <oval-def:criterion comment="SLE 15 Server is installed" test_ref="oval:ssg-test_sle15_server:tst:1"/>
-              <oval-def:criterion comment="SLES 15 for SAP Applications is installed" test_ref="oval:ssg-test_sles_15_for_sap:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_ubuntu:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ubuntu</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The operating system installed is an Ubuntu System</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_ubuntu" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="System is Ubuntu" operator="AND">
-            <oval-def:extend_definition comment="Installed OS is part of the Unix family" definition_ref="oval:ssg-installed_OS_is_part_of_Unix_family:def:1"/>
-            <oval-def:criterion comment="lsb-based distrib" test_ref="oval:ssg-test_lsb:tst:1"/>
-            <oval-def:criterion comment="Ubuntu is installed" test_ref="oval:ssg-test_ubuntu:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_ubuntu1604:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ubuntu 1604</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:canonical:ubuntu_linux:16.04" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Ubuntu 1604</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_ubuntu1604" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="current Ubuntu version is Xenial" operator="AND">
-            <oval-def:extend_definition comment="Ubuntu is installed" definition_ref="oval:ssg-installed_OS_is_ubuntu:def:1"/>
-            <oval-def:criterion comment="Xenial is installed" test_ref="oval:ssg-test_ubuntu_xenial:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_ubuntu1804:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ubuntu 1804</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:canonical:ubuntu_linux:18.04" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Ubuntu 1804</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_ubuntu1804" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="current Ubuntu version is Bionic" operator="AND">
-            <oval-def:extend_definition comment="Ubuntu is installed" definition_ref="oval:ssg-installed_OS_is_ubuntu:def:1"/>
-            <oval-def:criterion comment="Bionic is installed" test_ref="oval:ssg-test_ubuntu_bionic:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_ubuntu2004:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ubuntu 2004</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:canonical:ubuntu_linux:20.04" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Ubuntu 2004</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_ubuntu2004" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="current Ubuntu version is Focal" operator="AND">
-            <oval-def:extend_definition comment="Ubuntu is installed" definition_ref="oval:ssg-installed_OS_is_ubuntu:def:1"/>
-            <oval-def:criterion comment="Focal is installed" test_ref="oval:ssg-test_ubuntu_focal:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_uos20:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>UnionTech OS Server 20</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:UnionTech OS Server:20" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is UnionTech OS Server 20</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_uos20" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="Installed OS is part of the Unix family" definition_ref="oval:ssg-installed_OS_is_part_of_Unix_family:def:1"/>
-            <oval-def:criterion comment="UnionTech OS Server 20 is installed" test_ref="oval:ssg-test_uos20:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_app_is_eks:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Amazon Elastic Kubernetes Service</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/a:amazon:elastic_kubernetes_service:1" source="CPE"/>
-            <oval-def:description>The application installed installed on the system is EKS.</oval-def:description>
-            <oval-def:reference ref_id="installed_app_is_eks" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="cluster is EKS" test_ref="oval:ssg-test_eks:tst:1"/>
-            <oval-def:criterion comment="Make sure kubernetes version is present" test_ref="oval:ssg-test_file_for_eks:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_app_is_eks_1_21:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Amazon Elastic Kubernetes Service 1.21</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/a:amazon:elastic_kubernetes_service:1.21" source="CPE"/>
-            <oval-def:description>The application installed installed on the system is Amazon Elastic Kubernetes Service 1.21.</oval-def:description>
-            <oval-def:reference ref_id="installed_app_is_eks_1_21" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="cluster is EKS 1.21" test_ref="oval:ssg-test_eks_1_21:tst:1"/>
-            <oval-def:criterion comment="Make sure kubernetes version is present" test_ref="oval:ssg-test_file_for_eks:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_app_is_eks_node:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Amazon Elastic Kubernetes Service Node</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:amazon:elastic_kubernetes_service_node:1" source="CPE"/>
-            <oval-def:description>The application installed installed on the system is EKS 4.</oval-def:description>
-            <oval-def:reference ref_id="installed_app_is_eks_node" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Kubelet is installed" test_ref="oval:ssg-test_kubelet_kubeconfig_exists:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_app_is_rhv4:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Red Hat Virtualization 4</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/a:redhat:virtualization:4" source="CPE"/>
-            <oval-def:description>The application installed installed on the system is
-      Red Hat Virtualization 4.</oval-def:description>
-            <oval-def:reference ref_id="installed_app_is_rhv4" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:extend_definition comment="RHEL7 OS installed" definition_ref="oval:ssg-installed_OS_is_rhel7:def:1"/>
-            <oval-def:criterion comment="Red Hat Virtualization Manager (RHVM)" test_ref="oval:ssg-test_rhevm4_version:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_audit_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package audit is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package audit is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:audit" source="CPE"/>
-            <oval-def:reference ref_id="installed_env_has_audit_package" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package audit is installed" test_ref="oval:ssg-test_env_has_audit_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_chrony_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package chrony is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package chrony is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:chrony" source="CPE"/>
-            <oval-def:reference ref_id="installed_env_has_chrony_package" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package chrony is installed" test_ref="oval:ssg-test_env_has_chrony_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_gdm_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package gdm is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package gdm is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:gdm" source="CPE"/>
-            <oval-def:reference ref_id="installed_env_has_gdm_package" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package gdm is installed" test_ref="oval:ssg-test_env_has_gdm_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_grub2_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package grub2 is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package grub2-common is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:grub2" source="CPE"/>
-            <oval-def:reference ref_id="installed_env_has_grub2_package" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="Package grub2-common is installed" test_ref="oval:ssg-test_env_has_grub2_installed:tst:1"/>
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="Test for ppcle64 architecture" test_ref="oval:ssg-test_system_info_architecture_ppcle_64:tst:1" negate="true"/>
-              <oval-def:criterion comment="Test if OPAL is not used" test_ref="oval:ssg-test_system_using_opal:tst:1" negate="true"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_libuser_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package libuser is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package libuser is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:libuser" source="CPE"/>
-            <oval-def:reference ref_id="installed_env_has_libuser_package" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package libuser is installed" test_ref="oval:ssg-test_env_has_libuser_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_login_defs:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package providing /etc/login.defs is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package providing /etc/login.defs and is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:login_defs" source="CPE"/>
-            <oval-def:reference ref_id="installed_env_has_login_defs" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package providing /etc/login.defs is installed" test_ref="oval:ssg-test_env_has_login_defs_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_net-snmp_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package net-snmp is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package net-snmp is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:net-snmp" source="CPE"/>
-            <oval-def:reference ref_id="installed_env_has_net-snmp_package" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package net-snmp is installed" test_ref="oval:ssg-test_env_has_net-snmp_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_no_ovirt:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Check if the system doesn't act as an oVirt host or manager</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check if the system has neither ovirt-host nor ovirt-engine installed.</oval-def:description>
-            <oval-def:reference ref_id="installed_env_has_no_ovirt" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:extend_definition comment="Package ovirt-host is not installed" definition_ref="oval:ssg-installed_env_has_ovirt:def:1" negate="true"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_nss-pam-ldapd_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package nss-pam-ldapd is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package nss-pam-ldapd is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:nss-pam-ldapd" source="CPE"/>
-            <oval-def:reference ref_id="installed_env_has_nss-pam-ldapd_package" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package nss-pam-ldapd is installed" test_ref="oval:ssg-test_env_has_nss-pam-ldapd_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_ntp_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package ntp is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package ntp is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:ntp" source="CPE"/>
-            <oval-def:reference ref_id="installed_env_has_ntp_package" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package ntp is installed" test_ref="oval:ssg-test_env_has_ntp_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_ovirt:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Check if the system acts as an oVirt host or manager</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check if the system has ovirt-host or ovirt-engine installed</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:ovirt-host" source="CPE"/>
-            <oval-def:reference ref_id="installed_env_has_ovirt" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criterion comment="Package ovirt-host is installed" test_ref="oval:ssg-test_env_has_ovirt-host_installed:tst:1"/>
-            <oval-def:criterion comment="Package ovirt-engine is installed" test_ref="oval:ssg-test_env_has_ovirt-engine_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_pam_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package pam is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package pam is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:pam" source="CPE"/>
-            <oval-def:reference ref_id="installed_env_has_pam_package" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package pam is installed" test_ref="oval:ssg-test_env_has_pam_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_polkit_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package polkit is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package polkit is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:polkit" source="CPE"/>
-            <oval-def:reference ref_id="installed_env_has_polkit_package" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package polkit is installed" test_ref="oval:ssg-test_env_has_polkit_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_postfix_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package postfix is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package postfix is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:postfix" source="CPE"/>
-            <oval-def:reference ref_id="installed_env_has_postfix_package" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package postfix is installed" test_ref="oval:ssg-test_env_has_postfix_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_sssd-common_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package sssd-common is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package sssd-common is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:sssd" source="CPE"/>
-            <oval-def:reference ref_id="installed_env_has_sssd-common_package" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package sssd-common is installed" test_ref="oval:ssg-test_env_has_sssd-common_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_sudo_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package sudo is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package sudo is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:sudo" source="CPE"/>
-            <oval-def:reference ref_id="installed_env_has_sudo_package" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package sudo is installed" test_ref="oval:ssg-test_env_has_sudo_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_systemd_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package systemd is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package systemd is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:systemd" source="CPE"/>
-            <oval-def:reference ref_id="installed_env_has_systemd_package" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package systemd is installed" test_ref="oval:ssg-test_env_has_systemd_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_tftp_server_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package tftp-server is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package tftp-server is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:tftp-server" source="CPE"/>
-            <oval-def:reference ref_id="installed_env_has_tftp_server_package" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package tftp-server is installed" test_ref="oval:ssg-test_env_has_tftp_server_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_tmux_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package tmux is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package tmux is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:tmux" source="CPE"/>
-            <oval-def:reference ref_id="installed_env_has_tmux_package" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package tmux is installed" test_ref="oval:ssg-test_env_has_tmux_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_usbguard_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package usbguard is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package usbguard is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:usbguard" source="CPE"/>
-            <oval-def:reference ref_id="installed_env_has_usbguard_package" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package usbguard is installed" test_ref="oval:ssg-test_env_has_usbguard_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_wifi_interface:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>WiFi interface is present</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if any wifi interface is present.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:wifi-iface" source="CPE"/>
-            <oval-def:reference ref_id="installed_env_has_wifi_interface" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="WiFi interface is present" test_ref="oval:ssg-test_proc_net_wireless_exists:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_yum_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package yum is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package yum is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:yum" source="CPE"/>
-            <oval-def:reference ref_id="installed_env_has_yum_package" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package yum is installed" test_ref="oval:ssg-test_env_has_yum_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_zipl_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>System uses zIPL</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if system uses zIPL bootloader.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:zipl" source="CPE"/>
-            <oval-def:reference ref_id="installed_env_has_zipl_package" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package s390utils-base is installed" test_ref="oval:ssg-test_env_has_zipl_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_is_a_container:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Check if the scan target is a container</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check for presence of files characterizing container filesystems.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:container" source="CPE"/>
-            <oval-def:reference ref_id="installed_env_is_a_container" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criterion comment="Check if /.dockerenv exists" test_ref="oval:ssg-test_installed_env_is_a_docker_container:tst:1"/>
-            <oval-def:criterion comment="Check if /run/.containerenv exists" test_ref="oval:ssg-test_installed_env_is_a_podman_container:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_is_a_machine:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Check if the scan target is a machine</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check for absence of files characterizing container filesystems.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:machine" source="CPE"/>
-            <oval-def:reference ref_id="installed_env_is_a_machine" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:extend_definition comment="If environment is not a container, it is machine" definition_ref="oval:ssg-installed_env_is_a_container:def:1" negate="true"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-krb5_server_older_than_1_17_18:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Kerberos server is older than 1.17-18</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/a:krb5_server_older_than_1_17-18" source="CPE"/>
-            <oval-def:description>Check if version of Kerberos server is lesser than 1.17-18
-            </oval-def:description>
-            <oval-def:reference ref_id="krb5_server_older_than_1_17_18" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="Kerberos server version is lesser than 1.17-18" operator="OR">
-            <oval-def:criterion comment="Check if version of Kerberos server is lesser than 1.17-18" test_ref="oval:ssg-test_krb5_server_version_1_17_18:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-krb5_workstation_older_than_1_17_18:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Kerberos workstation is older than 1.17-18</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/a:krb5_workstation_older_than_1_17-18" source="CPE"/>
-            <oval-def:description>Check if version of Kerberos workstation is lesser than 1.17-18
-            </oval-def:description>
-            <oval-def:reference ref_id="krb5_workstation_older_than_1_17_18" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="Kerberos workstation version is lesser than 1.17-18" operator="OR">
-            <oval-def:criterion comment="Check if version of Kerberos workstation is lesser than 1.17-18" test_ref="oval:ssg-test_krb5_workstation_version_1_17_18:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-no_cd_dvd_drive_in_etc_fstab:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>No CD/DVD drive is configured to automount in /etc/fstab</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check the /etc/fstab and check if a CD/DVD drive
-      is not configured for automount.</oval-def:description>
-            <oval-def:reference ref_id="no_cd_dvd_drive_in_etc_fstab" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion test_ref="oval:ssg-test_no_cd_dvd_drive_in_etc_fstab:tst:1" comment="Check if CD/DVD drive is not configured to automout in /etc/fstab"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Test that the architecture is aarch64</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check that architecture of kernel in /proc/sys/kernel/osrelease is aarch64</oval-def:description>
-            <oval-def:reference ref_id="proc_sys_kernel_osrelease_arch_aarch64" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Architecture is aarch64" test_ref="oval:ssg-test_proc_sys_kernel_osrelease_arch_aarch64:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-proc_sys_kernel_osrelease_arch_not_aarch64:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Test for different architecture than aarch64</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check that architecture of kernel in /proc/sys/kernel/osrelease is not aarch64</oval-def:description>
-            <oval-def:reference ref_id="proc_sys_kernel_osrelease_arch_not_aarch64" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:extend_definition comment="Architecture is not aarch64" definition_ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1" negate="true"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Test for different architecture than s390x</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check that architecture of kernel in /proc/sys/kernel/osrelease is not s390x</oval-def:description>
-            <oval-def:reference ref_id="proc_sys_kernel_osrelease_arch_not_s390x" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:extend_definition comment="Architecture is not s390x" definition_ref="oval:ssg-proc_sys_kernel_osrelease_arch_s390x:def:1" negate="true"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-proc_sys_kernel_osrelease_arch_ppc64le:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Test that the architecture is ppc64le</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check that architecture of kernel in /proc/sys/kernel/osrelease is ppc64le</oval-def:description>
-            <oval-def:reference ref_id="proc_sys_kernel_osrelease_arch_ppc64le" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Architecture is ppc64le" test_ref="oval:ssg-test_proc_sys_kernel_osrelease_arch_ppc64le:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-proc_sys_kernel_osrelease_arch_s390x:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Test that the architecture is s390x</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check that architecture of kernel in /proc/sys/kernel/osrelease is s390x</oval-def:description>
-            <oval-def:reference ref_id="proc_sys_kernel_osrelease_arch_s390x" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Architecture is s390x" test_ref="oval:ssg-test_proc_sys_kernel_osrelease_arch_s390x:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-removable_partition_doesnt_exist:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Device Files for Removable Media Partitions Does Not Exist on the System</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Verify if device file representing removable partitions
-      exist on the system</oval-def:description>
-            <oval-def:reference ref_id="removable_partition_doesnt_exist" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion test_ref="oval:ssg-test_removable_partition_doesnt_exist:tst:1" comment="Check if removable partition really exists on the system"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sshd_not_required_or_unset:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>SSHD is not required to be installed or requirement not set</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>If SSHD is not required, we check it is not installed. If SSH requirement is unset, we are good.</oval-def:description>
-            <oval-def:reference ref_id="sshd_not_required_or_unset" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="SSH not required or not set" operator="OR">
-            <oval-def:criterion test_ref="oval:ssg-test_sshd_not_required:tst:1"/>
-            <oval-def:extend_definition comment="SSH requirement is unset" definition_ref="oval:ssg-sshd_requirement_unset:def:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sshd_required_or_unset:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>SSHD is required to be installed or requirement not set</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>If SSHD is required, we check it is installed. If SSH requirement is unset, we are good.</oval-def:description>
-            <oval-def:reference ref_id="sshd_required_or_unset" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="SSH required or not set" operator="OR">
-            <oval-def:criterion test_ref="oval:ssg-test_sshd_required:tst:1"/>
-            <oval-def:extend_definition comment="SSH requirement is unset" definition_ref="oval:ssg-sshd_requirement_unset:def:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sshd_requirement_unset:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>It doesn't matter if sshd is installed or not</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Test if value sshd_required is 0.</oval-def:description>
-            <oval-def:reference ref_id="sshd_requirement_unset" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion test_ref="oval:ssg-test_sshd_requirement_unset:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sshd_version_equal_or_higher_than_74:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>OpenSSH Server is 7.4 or newer</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check if version of OpenSSH Server is equal or higher than 7.4</oval-def:description>
-            <oval-def:reference ref_id="sshd_version_equal_or_higher_than_74" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="OpenSSH Server version is equal or higher than 7.4" operator="OR">
-            <oval-def:criterion comment="Check if OpenSSH Server is equal or higher than 7.4" test_ref="oval:ssg-test_openssh-server_version:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-sssd_conf_uses_ldap:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>SSSD is configured to use LDAP</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Identification provider is not set to ad within /etc/sssd/sssd.conf</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:sssd-ldap" source="CPE"/>
-            <oval-def:reference ref_id="sssd_conf_uses_ldap" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Identification provider is not set to ad within /etc/sssd/sssd.conf" test_ref="oval:ssg-test_id_provider_is_set_to_ad:tst:1" negate="true"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-system_boot_mode_is_non_uefi:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Non-UEFI system boot mode check</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check if System boot mode is non-UEFI.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:non-uefi" source="CPE"/>
-            <oval-def:reference ref_id="system_boot_mode_is_non_uefi" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:extend_definition definition_ref="oval:ssg-system_boot_mode_is_uefi:def:1" negate="true" comment="Pass if System boot mode is non-UEFI"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-system_boot_mode_is_uefi:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>UEFI system boot mode check</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check if system boot mode is UEFI.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:uefi" source="CPE"/>
-            <oval-def:reference ref_id="system_boot_mode_is_uefi" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion test_ref="oval:ssg-test_efi_dir_existence:tst:1" comment="check if /sys/firmware/efi folder exists"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-system_info_architecture_64bit:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Test for 64-bit Architecture</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Generic test for 64-bit architectures to be used by other tests</oval-def:description>
-            <oval-def:reference ref_id="system_info_architecture_64bit" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:extend_definition comment="Generic test for x86_64 architecture" definition_ref="oval:ssg-system_info_architecture_x86_64:def:1"/>
-            <oval-def:extend_definition comment="Generic test for ppc64 architecture" definition_ref="oval:ssg-system_info_architecture_ppc_64:def:1"/>
-            <oval-def:extend_definition comment="Generic test for aarch64 architecture" definition_ref="oval:ssg-system_info_architecture_aarch_64:def:1"/>
-            <oval-def:extend_definition comment="Generic test for s390x architecture" definition_ref="oval:ssg-system_info_architecture_s390_64:def:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-system_info_architecture_aarch_64:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Test for aarch_64 Architecture</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Generic test for aarch_64 architecture to be used by other tests</oval-def:description>
-            <oval-def:reference ref_id="system_info_architecture_aarch_64" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Generic test for aarch_64 architecture" test_ref="oval:ssg-test_system_info_architecture_aarch_64:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-system_info_architecture_ppc_64:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Test for PPC and PPCLE Architecture</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Generic test for PPC PPC64LE architecture to be used by other tests</oval-def:description>
-            <oval-def:reference ref_id="system_info_architecture_ppc_64" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criterion comment="Generic test for ppc64 architecture" test_ref="oval:ssg-test_system_info_architecture_ppc_64:tst:1"/>
-            <oval-def:criterion comment="Generic test for ppcle64 architecture" test_ref="oval:ssg-test_system_info_architecture_ppcle_64:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-system_info_architecture_s390_64:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Test for s390_64 Architecture</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Generic test for s390_64 architecture to be used by other tests</oval-def:description>
-            <oval-def:reference ref_id="system_info_architecture_s390_64" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Generic test for s390_64 architecture" test_ref="oval:ssg-test_system_info_architecture_s390_64:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-system_info_architecture_x86:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Test for x86 Architecture</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Generic test for x86 architecture to be used by other tests</oval-def:description>
-            <oval-def:reference ref_id="system_info_architecture_x86" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Generic test for x86 architecture" test_ref="oval:ssg-test_system_info_architecture_x86:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-system_info_architecture_x86_64:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Test for x86_64 Architecture</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Generic test for x86_64 architecture to be used by other tests</oval-def:description>
-            <oval-def:reference ref_id="system_info_architecture_x86_64" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Generic test for x86_64 architecture" test_ref="oval:ssg-test_system_info_architecture_x86_64:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-tmux_conf_readable_by_others:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title/>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check /etc/tmux.conf is readable by others</oval-def:description>
-            <oval-def:reference ref_id="tmux_conf_readable_by_others" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="Check /etc/tmux.conf is readable by others" test_ref="oval:ssg-test_tmux_conf_readable_by_others:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-usbguard_rules_not_empty_not_missing:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Check that file storing USBGuard rules exists and is not empty</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check that file storing USBGuard rules at /etc/usbguard/rules.conf exists and is not empty</oval-def:description>
-            <oval-def:reference ref_id="usbguard_rules_not_empty_not_missing" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="Check that file storing USBGuard rules exists and is not empty" operator="AND">
-            <oval-def:criterion comment="Check that the usbguard rules in either /etc/usbguard/rules.conf or /etc/usbguard/rules.d/ contain at least one non white space character." test_ref="oval:ssg-test_usbguard_rules_nonempty:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-var_accounts_user_umask_as_number:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Value of 'var_accounts_user_umask' variable represented as octal number</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Value of 'var_accounts_user_umask' variable represented as octal number</oval-def:description>
-            <oval-def:reference ref_id="var_accounts_user_umask_as_number" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion test_ref="oval:ssg-test_existence_of_var_accounts_user_umask_as_number_variable:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-var_removable_partition_is_cd_dvd_drive:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Value of 'var_removable_partition' variable is set to '/dev/cdrom'</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Verify if value of 'var_removable_partition' variable is set
-      to '/dev/cdrom'</oval-def:description>
-            <oval-def:reference ref_id="var_removable_partition_is_cd_dvd_drive" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion test_ref="oval:ssg-test_var_removable_partition_is_cd_dvd_drive:tst:1" comment="Check if removable partition value represents CD/DVD drive"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-var_umask_for_daemons_as_number:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Value of 'var_umask_for_daemons' variable represented as octal number</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Value of 'var_umask_for_daemons' variable represented as octal number</oval-def:description>
-            <oval-def:reference ref_id="var_umask_for_daemons_as_number" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion test_ref="oval:ssg-test_existence_of_var_umask_for_daemons_as_number_variable:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-      </oval-def:definitions>
-      <oval-def:tests>
-        <unix:file_test id="oval:ssg-test_file_for_configure_network_policies_namespaces:tst:1" check="all" check_existence="only_one_exists" comment="Find the file to be checked ('/apis/networking.k8s.io/v1/networkpolicies#51742b3e87275db9eb7fc6c0286a9e536178a2a83e3670b615ceaf545e7fd300')." version="1">
-          <unix:object object_ref="oval:ssg-object_file_for_configure_network_policies_namespaces:obj:1"/>
-        </unix:file_test>
-        <unix:file_test id="oval:ssg-test_file_for_configure_network_policies_filtered_namespaces:tst:1" check="all" check_existence="only_one_exists" comment="Find the file to be checked ('/api/v1/namespaces#34d4beecc95c65d815d9d48fd4fdcb0c521631852ad088ef74e36d012b0e1e0d')." version="1">
-          <unix:object object_ref="oval:ssg-object_file_for_configure_network_policies_filtered_namespaces:obj:1"/>
-        </unix:file_test>
-        <ind:variable_test version="1" id="oval:ssg-test_elements_count_for_configure_network_policies_namespaces:tst:1" check="all" comment="Count elements at both paths and compare">
-          <ind:object object_ref="oval:ssg-object_elements_count_for_configure_network_policies_namespaces:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_elements_count_for_configure_network_policies_namespaces:ste:1"/>
-        </ind:variable_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing group ownership of /etc/kubernetes/kubelet/kubelet-config.json" id="oval:ssg-test_file_groupowner_kubelet_conf_0:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_file_groupowner_kubelet_conf_0:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing group ownership of /var/lib/kubelet/kubeconfig" id="oval:ssg-test_file_groupowner_worker_kubeconfig_0:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_file_groupowner_worker_kubeconfig_0:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing user ownership of /etc/kubernetes/kubelet/kubelet-config.json" id="oval:ssg-test_file_owner_kubelet_conf_0:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_file_owner_kubelet_conf_0:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing user ownership of /var/lib/kubelet/kubeconfig" id="oval:ssg-test_file_owner_worker_kubeconfig_0:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_file_owner_worker_kubeconfig_0:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing mode of /etc/kubernetes/kubelet/kubelet-config.json" id="oval:ssg-test_file_permissions_kubelet_conf_0:tst:1" version="3">
-          <unix:object object_ref="oval:ssg-object_file_permissions_kubelet_conf_0:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing mode of /var/lib/kubelet/kubeconfig" id="oval:ssg-test_file_permissions_worker_kubeconfig_0:tst:1" version="3">
-          <unix:object object_ref="oval:ssg-object_file_permissions_worker_kubeconfig_0:obj:1"/>
-        </unix:file_test>
-        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_anonymous_auth_worker:tst:1" check="all" check_existence="only_one_exists" comment="In the file '/etc/kubernetes/kubelet/kubelet-config.json' find only one object at path '.authentication.anonymous.enabled'." version="1">
-          <ind:object object_ref="oval:ssg-object_kubelet_anonymous_auth_worker:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_kubelet_anonymous_auth_worker:ste:1"/>
-        </ind:yamlfilecontent_test>
-        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_authorization_mode_worker:tst:1" check="all" check_existence="any_exist" comment="In the file '/etc/kubernetes/kubelet/kubelet-config.json' find only one object at path '.authorization.mode'." version="1">
-          <ind:object object_ref="oval:ssg-object_kubelet_authorization_mode_worker:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_kubelet_authorization_mode_worker:ste:1"/>
-        </ind:yamlfilecontent_test>
-        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_configure_client_ca_worker:tst:1" check="all" check_existence="only_one_exists" comment="In the file '/etc/kubernetes/kubelet/kubelet-config.json' find only one object at path '.authentication.x509.clientCAFile'." version="1">
-          <ind:object object_ref="oval:ssg-object_kubelet_configure_client_ca_worker:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_kubelet_configure_client_ca_worker:ste:1"/>
-        </ind:yamlfilecontent_test>
-        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_disable_hostname_override:tst:1" check="all" check_existence="none_exist" comment="In the file '/etc/kubernetes/kubelet/kubelet-config.json' find only one object at path '.hostname-override'." version="1">
-          <ind:object object_ref="oval:ssg-object_kubelet_disable_hostname_override:obj:1"/>
-        </ind:yamlfilecontent_test>
-        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_enable_cert_rotation_worker:tst:1" check="all" check_existence="only_one_exists" comment="In the file '/etc/kubernetes/kubelet/kubelet-config.json' find only one object at path '.rotateCertificates'." version="1">
-          <ind:object object_ref="oval:ssg-object_kubelet_enable_cert_rotation_worker:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_kubelet_enable_cert_rotation_worker:ste:1"/>
-        </ind:yamlfilecontent_test>
-        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_enable_client_cert_rotation:tst:1" check="all" check_existence="any_exist" comment="In the file '/etc/kubernetes/kubelet/kubelet-config.json' find only one object at path '.featureGates.RotateKubeletClientCertificate'." version="1">
-          <ind:object object_ref="oval:ssg-object_kubelet_enable_client_cert_rotation:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_kubelet_enable_client_cert_rotation:ste:1"/>
-        </ind:yamlfilecontent_test>
-        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_enable_iptables_util_chains:tst:1" check="all" check_existence="only_one_exists" comment="In the file '/etc/kubernetes/kubelet/kubelet-config.json' find only one object at path '.makeIPTablesUtilChains'." version="1">
-          <ind:object object_ref="oval:ssg-object_kubelet_enable_iptables_util_chains:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_kubelet_enable_iptables_util_chains:ste:1"/>
-        </ind:yamlfilecontent_test>
-        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_enable_protect_kernel_defaults:tst:1" check="all" check_existence="only_one_exists" comment="In the file '/etc/kubernetes/kubelet/kubelet-config.json' find only one object at path '.protectKernelDefaults'." version="1">
-          <ind:object object_ref="oval:ssg-object_kubelet_enable_protect_kernel_defaults:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_kubelet_enable_protect_kernel_defaults:ste:1"/>
-        </ind:yamlfilecontent_test>
-        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_enable_server_cert_rotation_worker:tst:1" check="all" check_existence="only_one_exists" comment="In the file '/etc/kubernetes/kubelet/kubelet-config.json' find only one object at path '.featureGates.RotateKubeletServerCertificate'." version="1">
-          <ind:object object_ref="oval:ssg-object_kubelet_enable_server_cert_rotation_worker:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_kubelet_enable_server_cert_rotation_worker:ste:1"/>
-        </ind:yamlfilecontent_test>
-        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_enable_streaming_connections_worker:tst:1" check="all" check_existence="all_exist" comment="In the file '/etc/kubernetes/kubelet/kubelet-config.json' find only one object at path '.streamingConnectionIdleTimeout'." version="1">
-          <ind:object object_ref="oval:ssg-object_kubelet_enable_streaming_connections_worker:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_kubelet_enable_streaming_connections_worker:ste:1"/>
-        </ind:yamlfilecontent_test>
-        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_read_only_port_secured_worker:tst:1" check="all" check_existence="only_one_exists" comment="In the file '/etc/kubernetes/kubelet/kubelet-config.json' find only one object at path '.readOnlyPort'." version="1">
-          <ind:object object_ref="oval:ssg-object_kubelet_read_only_port_secured_worker:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_kubelet_read_only_port_secured_worker:ste:1"/>
-        </ind:yamlfilecontent_test>
-        <linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg-test_package_GConf2_installed:tst:1" version="1" comment="package GConf2 is installed">
-          <linux:object object_ref="oval:ssg-obj_test_package_GConf2_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg-test_package_avahi_installed:tst:1" version="1" comment="package avahi is installed">
-          <linux:object object_ref="oval:ssg-obj_test_package_avahi_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg-test_package_dconf_installed:tst:1" version="1" comment="package dconf is installed">
-          <linux:object object_ref="oval:ssg-obj_test_package_dconf_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg-test_package_esc_installed:tst:1" version="1" comment="package esc is installed">
-          <linux:object object_ref="oval:ssg-obj_test_package_esc_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg-test_package_gdm_installed:tst:1" version="1" comment="package gdm is installed">
-          <linux:object object_ref="oval:ssg-obj_test_package_gdm_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="none_exist" id="oval:ssg-test_package_pam_ldap_removed:tst:1" version="1" comment="package pam_ldap is removed">
-          <linux:object object_ref="oval:ssg-obj_test_package_pam_ldap_removed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="none_exist" id="oval:ssg-test_package_prelink_removed:tst:1" version="1" comment="package prelink is removed">
-          <linux:object object_ref="oval:ssg-obj_test_package_prelink_removed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="none_exist" id="oval:ssg-test_package_samba-common_removed:tst:1" version="1" comment="package samba-common is removed">
-          <linux:object object_ref="oval:ssg-obj_test_package_samba-common_removed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:systemdunitproperty_test id="oval:ssg-test_service_not_running_syslog:tst:1" check="all" check_existence="any_exist" comment="Test that the syslog service is not running" version="1">
-          <linux:object object_ref="oval:ssg-obj_service_not_running_syslog:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_service_not_running_syslog:ste:1"/>
-        </linux:systemdunitproperty_test>
-        <linux:systemdunitproperty_test id="oval:ssg-test_service_loadstate_is_masked_syslog:tst:1" check="all" check_existence="any_exist" comment="Test that the property LoadState from the service syslog is masked" version="1">
-          <linux:object object_ref="oval:ssg-obj_service_loadstate_is_masked_syslog:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_service_loadstate_is_masked_syslog:ste:1"/>
-        </linux:systemdunitproperty_test>
-        <linux:rpminfo_test check="all" check_existence="none_exist" id="oval:ssg-test_service_syslog_package_rsyslog_removed:tst:1" version="1" comment="package rsyslog is removed">
-          <linux:object object_ref="oval:ssg-obj_test_service_syslog_package_rsyslog_removed:obj:1"/>
-        </linux:rpminfo_test>
-        <ind:textfilecontent54_test check="all" comment="tests the presence of 'Include /etc/ssh/sshd_config.d/*.conf' setting in the /etc/ssh/sshd_config file" id="oval:ssg-test_sshd_includes_config_files:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_sshd_includes_config_files:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="check the configuration of /etc/pam.d/system-auth" id="oval:ssg-test_accounts_password_pam_faillock:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_accounts_password_pam_faillock:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="check the configuration of /etc/pam.d/system-auth" id="oval:ssg-test_password_pam_pwquality:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_password_pam_pwquality:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl" id="oval:ssg-test_audit_rules_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules" id="oval:ssg-test_audit_rules_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit setdomainname" id="oval:ssg-test_32bit_ardm_setdomainname_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_ardm_setdomainname_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit setdomainname" id="oval:ssg-test_64bit_ardm_setdomainname_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_ardm_setdomainname_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit setdomainname" id="oval:ssg-test_32bit_ardm_setdomainname_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_ardm_setdomainname_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit setdomainname" id="oval:ssg-test_64bit_ardm_setdomainname_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_ardm_setdomainname_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit sethostname" id="oval:ssg-test_32bit_ardm_sethostname_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_ardm_sethostname_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit sethostname" id="oval:ssg-test_64bit_ardm_sethostname_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_ardm_sethostname_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit sethostname" id="oval:ssg-test_32bit_ardm_sethostname_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_ardm_sethostname_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit sethostname" id="oval:ssg-test_64bit_ardm_sethostname_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_ardm_sethostname_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_auditd_conf_log_file_not_set:tst:1" check="all" check_existence="none_exist" comment="log_file not set" version="1">
-          <ind:object object_ref="oval:ssg-object_auditd_conf_log_file:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_auditd_conf_log_group_not_root:tst:1" check="all" check_existence="none_exist" comment="log_group = root" version="1">
-          <ind:object object_ref="oval:ssg-object_auditd_conf_log_group_root:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_auditd_conf_log_group_is_set:tst:1" check="all" check_existence="all_exist" comment="log_group is set" version="1">
-          <ind:object object_ref="oval:ssg-object_auditd_conf_log_group_is_set:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_bootloader_disable_recovery_set_to_true:tst:1" comment="Check for GRUB_DISABLE_RECOVERY=true in /etc/default/grub" check="all" check_existence="all_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_bootloader_disable_recovery_argument:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_bootloader_disable_recovery_argument:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Ensure more than one chronyd NTP server is set" id="oval:ssg-test_chronyd_multiple_servers:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_chronyd_multiple_servers:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_grub2_default_exists:tst:1" comment="check for GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub" check="all" check_existence="all_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_grub2_default_exists:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_grub2_entries_reference_kernelopts:tst:1" comment="check kernel command line parameters for referenced boot entries reference the $kernelopts variable." check="all" check_existence="all_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_grub2_entries_reference_kernelopts:obj:1"/>
-        </ind:textfilecontent54_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="alinux-release is version 2" id="oval:ssg-test_alinux2:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_alinux2:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_alinux2:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="alinux-release is version 3" id="oval:ssg-test_alinux3:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_alinux3:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_alinux3:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="centos-release is version 7" id="oval:ssg-test_centos7:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_centos7:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_centos7:ste:1"/>
-        </linux:rpminfo_test>
-        <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check os-release ID" id="oval:ssg-test_centos8_name:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_name_centos8:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_name_centos8:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="Check os-release VERSION_ID" id="oval:ssg-test_centos8_version:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_version_centos8:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_version_centos8:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check os-release ID" id="oval:ssg-test_centos9_name:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_name_centos9:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_name_centos9:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="Check os-release VERSION_ID" id="oval:ssg-test_centos9_version:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_version_centos9:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_version_centos9:ste:1"/>
-        </ind:textfilecontent54_test>
-        <unix:file_test check="all" check_existence="all_exist" comment="/etc/debian_version exists" id="oval:ssg-test_debian:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-obj_debian:obj:1"/>
-        </unix:file_test>
-        <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check Debian version" id="oval:ssg-test_debian_10:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_debian_10:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check Debian version" id="oval:ssg-test_debian_11:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_debian_11:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check Debian version" id="oval:ssg-test_debian_9:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_debian_9:obj:1"/>
-        </ind:textfilecontent54_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="fedora-release RPM packages are installed" id="oval:ssg-test_fedora_release_rpm:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-object_fedora_release_rpm:obj:1"/>
-        </linux:rpminfo_test>
-        <ind:textfilecontent54_test check="all" comment="CPE vendor is 'fedoraproject' and 'product' is fedora" id="oval:ssg-test_fedora_vendor_product:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_fedora_vendor_product:obj:1"/>
-        </ind:textfilecontent54_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="oraclelinux-release is version 7" id="oval:ssg-test_ol7_system:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_ol7_system:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_ol7_system:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="oraclelinux-release is version 8" id="oval:ssg-test_ol8_system:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_ol8_system:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_ol8_system:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="oraclelinux-release is version 9" id="oval:ssg-test_ol9_system:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_ol9_system:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_ol9_system:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="openSUSE is installed" id="oval:ssg-test_opensuse_installed:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_opensuse_installed:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_opensuse_installed:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="openSUSE Leap 15 is installed" id="oval:ssg-test_opensuse_leap15_installed:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_opensuse_leap15_installed:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_opensuse_leap15_installed:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="openSUSE Leap 42 is installed" id="oval:ssg-test_opensuse_leap42_installed:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_opensuse_leap42_installed:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_opensuse_leap42_installed:ste:1"/>
-        </linux:rpminfo_test>
-        <ind:family_test id="oval:ssg-test_unix_family:tst:1" check="all" check_existence="at_least_one_exists" comment="Test installed OS is part of the unix family" version="1">
-          <ind:object object_ref="oval:ssg-object_unix_family:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_unix_family:ste:1"/>
-        </ind:family_test>
-        <ind:textfilecontent54_test check="all" comment="os-release is rhcos" id="oval:ssg-test_rhcos:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_rhcos:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_rhcos:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="rhcoreos is version 4" id="oval:ssg-test_rhcos4:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_rhcos4:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_rhcos4:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:family_test check="all" check_existence="at_least_one_exists" comment="installed OS part of unix family" id="oval:ssg-test_rhel7_unix_family:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_rhel7_unix_family:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_rhel7_unix_family:ste:1"/>
-        </ind:family_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release-client is version 7" id="oval:ssg-test_rhel7_client:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhel7_client:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhel7_client:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release-workstation is version 7" id="oval:ssg-test_rhel7_workstation:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhel7_workstation:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhel7_workstation:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release-server is version 7" id="oval:ssg-test_rhel7_server:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhel7_server:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhel7_server:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release-computenode is version 7" id="oval:ssg-test_rhel7_computenode:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhel7_computenode:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhel7_computenode:ste:1"/>
-        </linux:rpminfo_test>
-        <ind:textfilecontent54_test check="all" comment="RHEVH base RHEL is version 7" id="oval:ssg-test_rhevh_rhel7_version:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_rhevh_rhel7_version:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_rhevh_rhel7_version:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:family_test check="all" check_existence="at_least_one_exists" comment="installed OS part of unix family" id="oval:ssg-test_rhel8_unix_family:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_rhel8_unix_family:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_rhel8_unix_family:ste:1"/>
-        </ind:family_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release is version 8" id="oval:ssg-test_rhel8:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhel8:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhel8:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release is version 8.0" id="oval:ssg-test_rhel8_0:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhel8_0:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhel8_0:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release is version 8.1" id="oval:ssg-test_rhel8_1:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhel8_1:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhel8_1:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release is version 8.2" id="oval:ssg-test_rhel8_2:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhel8_2:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhel8_2:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release is version 8.3" id="oval:ssg-test_rhel8_3:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhel8_3:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhel8_3:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release is version 8.4" id="oval:ssg-test_rhel8_4:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhel8_4:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhel8_4:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release is version 8.5" id="oval:ssg-test_rhel8_5:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhel8_5:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhel8_5:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release is version 8.6" id="oval:ssg-test_rhel8_6:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhel8_6:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhel8_6:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release is version 8.7" id="oval:ssg-test_rhel8_7:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhel8_7:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhel8_7:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release is version 8.8" id="oval:ssg-test_rhel8_8:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhel8_8:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhel8_8:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release is version 8.9" id="oval:ssg-test_rhel8_9:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhel8_9:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhel8_9:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release is version 8.10" id="oval:ssg-test_rhel8_10:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhel8_10:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhel8_10:ste:1"/>
-        </linux:rpminfo_test>
-        <ind:textfilecontent54_test check="all" comment="RHEVH base RHEL is version 8" id="oval:ssg-test_rhevh_rhel8_version:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_rhevh_rhel8_version:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_rhevh_rhel8_version:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:family_test check="all" check_existence="at_least_one_exists" comment="installed OS part of unix family" id="oval:ssg-test_rhel9_unix_family:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_rhel9_unix_family:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_rhel9_unix_family:ste:1"/>
-        </ind:family_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release is version 9" id="oval:ssg-test_rhel9:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhel9:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhel9:ste:1"/>
-        </linux:rpminfo_test>
-        <ind:textfilecontent54_test check="all" comment="RHEVH base RHEL is version 9" id="oval:ssg-test_rhevh_rhel9_version:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_rhevh_rhel9_version:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_rhevh_rhel9_version:ste:1"/>
-        </ind:textfilecontent54_test>
-        <linux:rpminfo_test check="all" check_existence="only_one_exists" comment="redhat-release-virtualization-host RPM package is installed" id="oval:ssg-test_rhvh4_version:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhvh4_version:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhvh4_version:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="sl-release is version 7" id="oval:ssg-test_sl7:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_sl7:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_sl7:ste:1"/>
-        </linux:rpminfo_test>
-        <ind:family_test check="all" check_existence="at_least_one_exists" comment="installed OS part of unix family" id="oval:ssg-test_sle12_unix_family:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_sle12_unix_family:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sle12_unix_family:ste:1"/>
-        </ind:family_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="sled-release is version 6" id="oval:ssg-test_sle12_desktop:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_sle12_desktop:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_sle12_desktop:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="sles-release is version 6" id="oval:ssg-test_sle12_server:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_sle12_server:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_sle12_server:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="SLES_SAP-release is version 12" id="oval:ssg-test_sles_12_for_sap:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_sles_12_for_sap:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_sles_12_for_sap:ste:1"/>
-        </linux:rpminfo_test>
-        <ind:family_test check="all" check_existence="at_least_one_exists" comment="installed OS part of unix family" id="oval:ssg-test_sle15_unix_family:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_sle15_unix_family:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sle15_unix_family:ste:1"/>
-        </ind:family_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="sled-release is version 15" id="oval:ssg-test_sle15_desktop:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_sle15_desktop:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_sle15_desktop:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="sles-release is version 15" id="oval:ssg-test_sle15_server:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_sle15_server:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_sle15_server:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="SLES_SAP-release is version 15" id="oval:ssg-test_sles_15_for_sap:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_sles_15_for_sap:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_sles_15_for_sap:ste:1"/>
-        </linux:rpminfo_test>
-        <unix:file_test check="all" check_existence="all_exist" comment="/etc/lsb-release exists" id="oval:ssg-test_lsb:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-obj_lsb:obj:1"/>
-        </unix:file_test>
-        <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check Ubuntu" id="oval:ssg-test_ubuntu:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_ubuntu:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check Ubuntu version" id="oval:ssg-test_ubuntu_xenial:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_ubuntu_xenial:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check Ubuntu version" id="oval:ssg-test_ubuntu_bionic:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_ubuntu_bionic:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check Ubuntu version" id="oval:ssg-test_ubuntu_focal:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_ubuntu_focal:obj:1"/>
-        </ind:textfilecontent54_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="uos-release is version 20" id="oval:ssg-test_uos20:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_uos20:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_uos20:ste:1"/>
-        </linux:rpminfo_test>
-        <ind:yamlfilecontent_test id="oval:ssg-test_eks:tst:1" check="at least one" comment="Find one match" version="1">
-          <ind:object object_ref="oval:ssg-object_eks:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_eks:ste:1"/>
-        </ind:yamlfilecontent_test>
-        <unix:file_test id="oval:ssg-test_file_for_eks:tst:1" check="only one" comment="Find the actual file to be scanned." version="1">
-          <unix:object object_ref="oval:ssg-object_file_for_eks:obj:1"/>
-        </unix:file_test>
-        <ind:yamlfilecontent_test id="oval:ssg-test_eks_1_21:tst:1" check="at least one" comment="Find one match" version="1">
-          <ind:object object_ref="oval:ssg-object_eks:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_eks_1_21:ste:1"/>
-        </ind:yamlfilecontent_test>
-        <unix:file_test check="all" check_existence="all_exist" comment="Testing if /var/lib/kubelet/kubeconfig exists" id="oval:ssg-test_kubelet_kubeconfig_exists:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_kubelet_kubeconfig_exists:obj:1"/>
-        </unix:file_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="rhevm4-appliance is installed" id="oval:ssg-test_rhevm4_version:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhevm4_version:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhevm4_version:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_env_has_audit_installed:tst:1" version="1" comment="system has package audit installed">
-          <linux:object object_ref="oval:ssg-obj_env_has_audit_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg-test_env_has_chrony_installed:tst:1" version="1" comment="package chrony is installed">
-          <linux:object object_ref="oval:ssg-obj_test_env_has_chrony_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_env_has_gdm_installed:tst:1" version="1" comment="system has package gdm installed">
-          <linux:object object_ref="oval:ssg-obj_env_has_gdm_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_env_has_grub2_installed:tst:1" version="1" comment="system has package grub2-common installed">
-          <linux:object object_ref="oval:ssg-obj_env_has_grub2_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <unix:file_test check="all" check_existence="all_exist" comment="Check if /sys/firmware/opal exists" id="oval:ssg-test_system_using_opal:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_system_using_opal:obj:1"/>
-        </unix:file_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_env_has_libuser_installed:tst:1" version="1" comment="system has package libuser installed">
-          <linux:object object_ref="oval:ssg-obj_env_has_libuser_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_env_has_login_defs_installed:tst:1" version="1" comment="system has package shadow-utils installed, which provides the /etc/login.defs file.">
-          <linux:object object_ref="oval:ssg-obj_env_has_login_defs_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_env_has_net-snmp_installed:tst:1" version="1" comment="system has package net-snmp installed">
-          <linux:object object_ref="oval:ssg-obj_env_has_net-snmp_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_env_has_nss-pam-ldapd_installed:tst:1" version="1" comment="system has package nss-pam-ldapd installed">
-          <linux:object object_ref="oval:ssg-obj_env_has_nss-pam-ldapd_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg-test_env_has_ntp_installed:tst:1" version="1" comment="package ntp is installed">
-          <linux:object object_ref="oval:ssg-obj_test_env_has_ntp_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_env_has_ovirt-host_installed:tst:1" version="1" comment="system has package ovirt-host installed">
-          <linux:object object_ref="oval:ssg-obj_env_has_ovirt-host_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_env_has_ovirt-engine_installed:tst:1" version="1" comment="system has package ovirt-engine installed">
-          <linux:object object_ref="oval:ssg-obj_env_has_ovirt-engine_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_env_has_pam_installed:tst:1" version="1" comment="system has package pam installed">
-          <linux:object object_ref="oval:ssg-obj_env_has_pam_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg-test_env_has_polkit_installed:tst:1" version="1" comment="package polkit is installed">
-          <linux:object object_ref="oval:ssg-obj_test_env_has_polkit_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg-test_env_has_postfix_installed:tst:1" version="1" comment="package postfix is installed">
-          <linux:object object_ref="oval:ssg-obj_test_env_has_postfix_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_env_has_sssd-common_installed:tst:1" version="1" comment="system has package sssd-common installed">
-          <linux:object object_ref="oval:ssg-obj_env_has_sssd-common_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_env_has_sudo_installed:tst:1" version="1" comment="system has package sudo installed">
-          <linux:object object_ref="oval:ssg-obj_env_has_sudo_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_env_has_systemd_installed:tst:1" version="1" comment="system has package systemd installed">
-          <linux:object object_ref="oval:ssg-obj_env_has_systemd_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_env_has_tftp_server_installed:tst:1" version="1" comment="system has package tftp-server installed">
-          <linux:object object_ref="oval:ssg-obj_env_has_tftp_server_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_env_has_tmux_installed:tst:1" version="1" comment="system has package tmux installed">
-          <linux:object object_ref="oval:ssg-obj_env_has_tmux_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_env_has_usbguard_installed:tst:1" version="1" comment="system has package usbguard installed">
-          <linux:object object_ref="oval:ssg-obj_env_has_usbguard_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <unix:file_test check="all" check_existence="all_exist" comment="Test if /proc/net/wireless exists" id="oval:ssg-test_proc_net_wireless_exists:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_proc_net_wireless_exists:obj:1"/>
-        </unix:file_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_env_has_yum_installed:tst:1" version="1" comment="system has package yum installed">
-          <linux:object object_ref="oval:ssg-obj_env_has_yum_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_env_has_zipl_installed:tst:1" version="1" comment="system has package zipl installed">
-          <linux:object object_ref="oval:ssg-obj_env_has_zipl_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <unix:file_test check="all" check_existence="all_exist" comment="Check if /.dockerenv exists" id="oval:ssg-test_installed_env_is_a_docker_container:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_installed_env_is_a_docker_container:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="all_exist" comment="Check if /run/.containerenv exists" id="oval:ssg-test_installed_env_is_a_podman_container:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_installed_env_is_a_podman_container:obj:1"/>
-        </unix:file_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="Kerberos server version is lesser than 1.17-18" id="oval:ssg-test_krb5_server_version_1_17_18:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_krb5_server_version_1_17_18:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_krb5_server_version_1_17_18:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="Kerberos workstaton version is lesser than 1.17-18" id="oval:ssg-test_krb5_workstation_version_1_17_18:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_krb5_workstation_version_1_17_18:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_krb5_workstation_version_1_17_18:ste:1"/>
-        </linux:rpminfo_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_no_cd_dvd_drive_in_etc_fstab:tst:1" check_existence="none_exist" check="all" comment="'CD/DVD drive is not listed in /etc/fstab" version="1">
-          <ind:object object_ref="oval:ssg-object_no_cd_dvd_drive_in_etc_fstab:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="proc_sys_kernel is for aarch64 architecture" id="oval:ssg-test_proc_sys_kernel_osrelease_arch_aarch64:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_proc_sys_kernel_osrelease_arch_aarch64:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_proc_sys_kernel_osrelease_arch_aarch64:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="proc_sys_kernel is for ppc64le architecture" id="oval:ssg-test_proc_sys_kernel_osrelease_arch_ppc64le:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_proc_sys_kernel_osrelease_arch_ppc64le:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_proc_sys_kernel_osrelease_arch_ppc64le:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="proc_sys_kernel is for s390x architecture" id="oval:ssg-test_proc_sys_kernel_osrelease_arch_s390x:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_proc_sys_kernel_osrelease_arch_s390x:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_proc_sys_kernel_osrelease_arch_s390x:ste:1"/>
-        </ind:textfilecontent54_test>
-        <unix:file_test id="oval:ssg-test_removable_partition_doesnt_exist:tst:1" check="all" check_existence="none_exist" comment="Check if expected removable partitions truly exist on the system" version="1">
-          <unix:object object_ref="oval:ssg-object_removable_partition_doesnt_exist:obj:1"/>
-        </unix:file_test>
-        <ind:variable_test id="oval:ssg-test_sshd_not_required:tst:1" comment="Verify if Profile set Value sshd_required as not required" check="all" check_existence="at_least_one_exists" version="1">
-          <ind:object object_ref="oval:ssg-object_sshd_not_required:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sshd_not_required:ste:1"/>
-        </ind:variable_test>
-        <ind:variable_test id="oval:ssg-test_sshd_required:tst:1" comment="Verify if Profile set Value sshd_required as required" check="all" check_existence="at_least_one_exists" version="1">
-          <ind:object object_ref="oval:ssg-object_sshd_required:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sshd_required:ste:1"/>
-        </ind:variable_test>
-        <ind:variable_test id="oval:ssg-test_sshd_requirement_unset:tst:1" comment="Verify if Value of sshd_required is the default" check="all" check_existence="at_least_one_exists" version="1">
-          <ind:object object_ref="oval:ssg-object_sshd_requirement_unknown:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sshd_requirement_unset:ste:1"/>
-        </ind:variable_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="OpenSSH is version 7.4 or higher" id="oval:ssg-test_openssh-server_version:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_openssh-server_version:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_openssh-server_version:ste:1"/>
-        </linux:rpminfo_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="SSSD Configuration is set to use Active Directory" id="oval:ssg-test_id_provider_is_set_to_ad:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_id_provider_is_set_to_ad:obj:1"/>
-        </ind:textfilecontent54_test>
-        <unix:file_test check="all" check_existence="at_least_one_exists" comment="Verify if /sys/firmware/efi folder exists" id="oval:ssg-test_efi_dir_existence:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_file_sys_firmware_efi:obj:1"/>
-        </unix:file_test>
-        <unix:uname_test check="all" comment="64 bit architecture" id="oval:ssg-test_system_info_architecture_aarch_64:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_system_info_architecture_aarch_64:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_system_info_architecture_aarch_64:ste:1"/>
-        </unix:uname_test>
-        <unix:uname_test check="all" comment="64 bit architecture" id="oval:ssg-test_system_info_architecture_ppc_64:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_system_info_architecture_ppc_64:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_system_info_architecture_ppc_64:ste:1"/>
-        </unix:uname_test>
-        <unix:uname_test check="all" comment="64 bit architecture" id="oval:ssg-test_system_info_architecture_ppcle_64:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_system_info_architecture_ppcle_64:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_system_info_architecture_ppcle_64:ste:1"/>
-        </unix:uname_test>
-        <unix:uname_test check="all" comment="64 bit architecture" id="oval:ssg-test_system_info_architecture_s390_64:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_system_info_architecture_s390_64:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_system_info_architecture_s390_64:ste:1"/>
-        </unix:uname_test>
-        <unix:uname_test check="all" comment="32 bit architecture" id="oval:ssg-test_system_info_architecture_x86:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_system_info_architecture_x86:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_system_info_architecture_x86:ste:1"/>
-        </unix:uname_test>
-        <unix:uname_test check="all" comment="64 bit architecture" id="oval:ssg-test_system_info_architecture_x86_64:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_system_info_architecture_x86_64:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_system_info_architecture_x86_64:ste:1"/>
-        </unix:uname_test>
-        <unix:file_test check="all" comment="Check /etc/tmux.conf is readable by others" id="oval:ssg-test_tmux_conf_readable_by_others:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_tmux_conf_readable_by_others:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_tmux_conf_readable_by_others:ste:1"/>
-        </unix:file_test>
-        <ind:textfilecontent54_test check_existence="at_least_one_exists" check="all" comment="Check the usbguard rules in either /etc/usbguard/rules.conf or /etc/usbguard/rules.d/ contain at least one non whitespace character and exists" id="oval:ssg-test_usbguard_rules_nonempty:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_usbguard_rules_nonempty:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test id="oval:ssg-test_existence_of_var_accounts_user_umask_as_number_variable:tst:1" comment="Verify the existence of var_accounts_user_umask_as_number variable" check="all" check_existence="at_least_one_exists" version="1">
-          <ind:object object_ref="oval:ssg-object_var_accounts_user_umask_umask_as_number:obj:1"/>
-        </ind:variable_test>
-        <ind:variable_test id="oval:ssg-test_var_removable_partition_is_cd_dvd_drive:tst:1" check="all" comment="Check if removable partition variable value represents CD/DVD drive" version="1">
-          <ind:object object_ref="oval:ssg-object_var_removable_partition_is_cd_dvd_drive:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_var_removable_partition_is_cd_dvd_drive:ste:1"/>
-        </ind:variable_test>
-        <ind:variable_test id="oval:ssg-test_existence_of_var_umask_for_daemons_as_number_variable:tst:1" comment="Verify the existence of var_umask_for_daemons_as_number variable" check="all" check_existence="at_least_one_exists" version="1">
-          <ind:object object_ref="oval:ssg-object_var_umask_for_daemons_umask_as_number:obj:1"/>
-        </ind:variable_test>
-      </oval-def:tests>
-      <oval-def:objects>
-        <unix:file_object id="oval:ssg-object_file_for_configure_network_policies_namespaces:obj:1" version="1">
-          <unix:filepath var_ref="oval:ssg-configure_network_policies_namespaces_file_location:var:1"/>
-        </unix:file_object>
-        <unix:file_object id="oval:ssg-object_file_for_configure_network_policies_filtered_namespaces:obj:1" version="1">
-          <unix:filepath var_ref="oval:ssg-configure_network_policies_filtered_namespaces_file_location:var:1"/>
-        </unix:file_object>
-        <ind:yamlfilecontent_object id="oval:ssg-object_configure_network_policies_namespaces:obj:1" version="1">
-          <ind:filepath var_ref="oval:ssg-configure_network_policies_namespaces_file_location:var:1"/>
-          <ind:yamlpath>[:]</ind:yamlpath>
-        </ind:yamlfilecontent_object>
-        <ind:yamlfilecontent_object id="oval:ssg-object_configure_network_policies_filtered_namespaces:obj:1" version="1">
-          <ind:filepath var_ref="oval:ssg-configure_network_policies_filtered_namespaces_file_location:var:1"/>
-          <ind:yamlpath>[:].metadata.name</ind:yamlpath>
-        </ind:yamlfilecontent_object>
-        <ind:variable_object id="oval:ssg-object_elements_count_for_configure_network_policies_namespaces:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_variable_counter_configure_network_policies_namespaces:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:file_object comment="/etc/kubernetes/kubelet/kubelet-config.json" id="oval:ssg-object_file_groupowner_kubelet_conf_0:obj:1" version="1">
-          <unix:filepath>/etc/kubernetes/kubelet/kubelet-config.json</unix:filepath>
-          <oval-def:filter action="exclude">oval:ssg-symlink_file_groupowner_kubelet_conf_uid_0:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_groupowner_kubelet_conf_gid_0_0:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/var/lib/kubelet/kubeconfig" id="oval:ssg-object_file_groupowner_worker_kubeconfig_0:obj:1" version="1">
-          <unix:filepath>/var/lib/kubelet/kubeconfig</unix:filepath>
-          <oval-def:filter action="exclude">oval:ssg-symlink_file_groupowner_worker_kubeconfig_uid_0:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_groupowner_worker_kubeconfig_gid_0_0:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/etc/kubernetes/kubelet/kubelet-config.json" id="oval:ssg-object_file_owner_kubelet_conf_0:obj:1" version="1">
-          <unix:filepath>/etc/kubernetes/kubelet/kubelet-config.json</unix:filepath>
-          <oval-def:filter action="exclude">oval:ssg-symlink_file_owner_kubelet_conf_uid_0:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_owner_kubelet_conf_uid_0_0:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/var/lib/kubelet/kubeconfig" id="oval:ssg-object_file_owner_worker_kubeconfig_0:obj:1" version="1">
-          <unix:filepath>/var/lib/kubelet/kubeconfig</unix:filepath>
-          <oval-def:filter action="exclude">oval:ssg-symlink_file_owner_worker_kubeconfig_uid_0:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_owner_worker_kubeconfig_uid_0_0:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/etc/kubernetes/kubelet/kubelet-config.json" id="oval:ssg-object_file_permissions_kubelet_conf_0:obj:1" version="1">
-          <unix:filepath>/etc/kubernetes/kubelet/kubelet-config.json</unix:filepath>
-          <oval-def:filter action="exclude">oval:ssg-exclude_symlinks__kubelet_conf:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_permissions_kubelet_conf_0_mode_0644or_stricter_:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/var/lib/kubelet/kubeconfig" id="oval:ssg-object_file_permissions_worker_kubeconfig_0:obj:1" version="1">
-          <unix:filepath>/var/lib/kubelet/kubeconfig</unix:filepath>
-          <oval-def:filter action="exclude">oval:ssg-exclude_symlinks__worker_kubeconfig:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_permissions_worker_kubeconfig_0_mode_0644or_stricter_:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object id="oval:ssg-object_file_for_kubelet_anonymous_auth_worker:obj:1" version="1">
-          <unix:filepath var_ref="oval:ssg-kubelet_anonymous_auth_worker_file_location:var:1"/>
-        </unix:file_object>
-        <ind:yamlfilecontent_object id="oval:ssg-object_kubelet_anonymous_auth_worker:obj:1" version="1">
-          <ind:filepath var_ref="oval:ssg-kubelet_anonymous_auth_worker_file_location:var:1"/>
-          <ind:yamlpath>.authentication.anonymous.enabled</ind:yamlpath>
-        </ind:yamlfilecontent_object>
-        <unix:file_object id="oval:ssg-object_file_for_kubelet_authorization_mode_worker:obj:1" version="1">
-          <unix:filepath var_ref="oval:ssg-kubelet_authorization_mode_worker_file_location:var:1"/>
-        </unix:file_object>
-        <ind:yamlfilecontent_object id="oval:ssg-object_kubelet_authorization_mode_worker:obj:1" version="1">
-          <ind:filepath var_ref="oval:ssg-kubelet_authorization_mode_worker_file_location:var:1"/>
-          <ind:yamlpath>.authorization.mode</ind:yamlpath>
-        </ind:yamlfilecontent_object>
-        <unix:file_object id="oval:ssg-object_file_for_kubelet_configure_client_ca_worker:obj:1" version="1">
-          <unix:filepath var_ref="oval:ssg-kubelet_configure_client_ca_worker_file_location:var:1"/>
-        </unix:file_object>
-        <ind:yamlfilecontent_object id="oval:ssg-object_kubelet_configure_client_ca_worker:obj:1" version="1">
-          <ind:filepath var_ref="oval:ssg-kubelet_configure_client_ca_worker_file_location:var:1"/>
-          <ind:yamlpath>.authentication.x509.clientCAFile</ind:yamlpath>
-        </ind:yamlfilecontent_object>
-        <unix:file_object id="oval:ssg-object_file_for_kubelet_disable_hostname_override:obj:1" version="1">
-          <unix:filepath var_ref="oval:ssg-kubelet_disable_hostname_override_file_location:var:1"/>
-        </unix:file_object>
-        <ind:yamlfilecontent_object id="oval:ssg-object_kubelet_disable_hostname_override:obj:1" version="1">
-          <ind:filepath var_ref="oval:ssg-kubelet_disable_hostname_override_file_location:var:1"/>
-          <ind:yamlpath>.hostname-override</ind:yamlpath>
-        </ind:yamlfilecontent_object>
-        <unix:file_object id="oval:ssg-object_file_for_kubelet_enable_cert_rotation_worker:obj:1" version="1">
-          <unix:filepath var_ref="oval:ssg-kubelet_enable_cert_rotation_worker_file_location:var:1"/>
-        </unix:file_object>
-        <ind:yamlfilecontent_object id="oval:ssg-object_kubelet_enable_cert_rotation_worker:obj:1" version="1">
-          <ind:filepath var_ref="oval:ssg-kubelet_enable_cert_rotation_worker_file_location:var:1"/>
-          <ind:yamlpath>.rotateCertificates</ind:yamlpath>
-        </ind:yamlfilecontent_object>
-        <unix:file_object id="oval:ssg-object_file_for_kubelet_enable_client_cert_rotation:obj:1" version="1">
-          <unix:filepath var_ref="oval:ssg-kubelet_enable_client_cert_rotation_file_location:var:1"/>
-        </unix:file_object>
-        <ind:yamlfilecontent_object id="oval:ssg-object_kubelet_enable_client_cert_rotation:obj:1" version="1">
-          <ind:filepath var_ref="oval:ssg-kubelet_enable_client_cert_rotation_file_location:var:1"/>
-          <ind:yamlpath>.featureGates.RotateKubeletClientCertificate</ind:yamlpath>
-        </ind:yamlfilecontent_object>
-        <unix:file_object id="oval:ssg-object_file_for_kubelet_enable_iptables_util_chains:obj:1" version="1">
-          <unix:filepath var_ref="oval:ssg-kubelet_enable_iptables_util_chains_file_location:var:1"/>
-        </unix:file_object>
-        <ind:yamlfilecontent_object id="oval:ssg-object_kubelet_enable_iptables_util_chains:obj:1" version="1">
-          <ind:filepath var_ref="oval:ssg-kubelet_enable_iptables_util_chains_file_location:var:1"/>
-          <ind:yamlpath>.makeIPTablesUtilChains</ind:yamlpath>
-        </ind:yamlfilecontent_object>
-        <unix:file_object id="oval:ssg-object_file_for_kubelet_enable_protect_kernel_defaults:obj:1" version="1">
-          <unix:filepath var_ref="oval:ssg-kubelet_enable_protect_kernel_defaults_file_location:var:1"/>
-        </unix:file_object>
-        <ind:yamlfilecontent_object id="oval:ssg-object_kubelet_enable_protect_kernel_defaults:obj:1" version="1">
-          <ind:filepath var_ref="oval:ssg-kubelet_enable_protect_kernel_defaults_file_location:var:1"/>
-          <ind:yamlpath>.protectKernelDefaults</ind:yamlpath>
-        </ind:yamlfilecontent_object>
-        <unix:file_object id="oval:ssg-object_file_for_kubelet_enable_server_cert_rotation_worker:obj:1" version="1">
-          <unix:filepath var_ref="oval:ssg-kubelet_enable_server_cert_rotation_worker_file_location:var:1"/>
-        </unix:file_object>
-        <ind:yamlfilecontent_object id="oval:ssg-object_kubelet_enable_server_cert_rotation_worker:obj:1" version="1">
-          <ind:filepath var_ref="oval:ssg-kubelet_enable_server_cert_rotation_worker_file_location:var:1"/>
-          <ind:yamlpath>.featureGates.RotateKubeletServerCertificate</ind:yamlpath>
-        </ind:yamlfilecontent_object>
-        <unix:file_object id="oval:ssg-object_file_for_kubelet_enable_streaming_connections_worker:obj:1" version="1">
-          <unix:filepath var_ref="oval:ssg-kubelet_enable_streaming_connections_worker_file_location:var:1"/>
-        </unix:file_object>
-        <ind:yamlfilecontent_object id="oval:ssg-object_kubelet_enable_streaming_connections_worker:obj:1" version="1">
-          <ind:filepath var_ref="oval:ssg-kubelet_enable_streaming_connections_worker_file_location:var:1"/>
-          <ind:yamlpath>.streamingConnectionIdleTimeout</ind:yamlpath>
-        </ind:yamlfilecontent_object>
-        <unix:file_object id="oval:ssg-object_file_for_kubelet_read_only_port_secured_worker:obj:1" version="1">
-          <unix:filepath var_ref="oval:ssg-kubelet_read_only_port_secured_worker_file_location:var:1"/>
-        </unix:file_object>
-        <ind:yamlfilecontent_object id="oval:ssg-object_kubelet_read_only_port_secured_worker:obj:1" version="1">
-          <ind:filepath var_ref="oval:ssg-kubelet_read_only_port_secured_worker_file_location:var:1"/>
-          <ind:yamlpath>.readOnlyPort</ind:yamlpath>
-        </ind:yamlfilecontent_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_package_GConf2_installed:obj:1" version="1">
-          <linux:name>GConf2</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_package_avahi_installed:obj:1" version="1">
-          <linux:name>avahi</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_package_dconf_installed:obj:1" version="1">
-          <linux:name>dconf</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_package_esc_installed:obj:1" version="1">
-          <linux:name>esc</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_package_gdm_installed:obj:1" version="1">
-          <linux:name>gdm</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_package_pam_ldap_removed:obj:1" version="1">
-          <linux:name>pam_ldap</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_package_prelink_removed:obj:1" version="1">
-          <linux:name>prelink</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_package_samba-common_removed:obj:1" version="1">
-          <linux:name>samba-common</linux:name>
-        </linux:rpminfo_object>
-        <linux:systemdunitproperty_object id="oval:ssg-obj_service_not_running_syslog:obj:1" comment="Retrieve the ActiveState property of syslog" version="1">
-          <linux:unit operation="pattern match">^syslog\.(service|socket)$</linux:unit>
-          <linux:property>ActiveState</linux:property>
-        </linux:systemdunitproperty_object>
-        <linux:systemdunitproperty_object id="oval:ssg-obj_service_loadstate_is_masked_syslog:obj:1" comment="Retrieve the LoadState property of syslog" version="1">
-          <linux:unit operation="pattern match">^syslog\.(service|socket)$</linux:unit>
-          <linux:property>LoadState</linux:property>
-        </linux:systemdunitproperty_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_service_syslog_package_rsyslog_removed:obj:1" version="1">
-          <linux:name>rsyslog</linux:name>
-        </linux:rpminfo_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_sshd_includes_config_files:obj:1" version="1">
-          <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*Include /etc/ssh/sshd_config\.d/\*\.conf[\s]*$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_accounts_password_pam_faillock:obj:1" version="1">
-          <ind:filepath>/etc/pam.d/system-auth</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_faillock\.so.*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_password_pam_pwquality:obj:1" version="1">
-          <ind:filepath var_ref="oval:ssg-var_pam_pwquality_config_path:var:1" var_check="at least one"/>
-          <ind:pattern operation="pattern match">^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_pwquality\.so.*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_auditctl:obj:1" version="1">
-          <ind:filepath>/usr/lib/systemd/system/auditd.service</ind:filepath>
-          <ind:pattern operation="pattern match">^ExecStartPost=\-\/sbin\/auditctl.*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_augenrules:obj:1" version="1">
-          <ind:filepath>/usr/lib/systemd/system/auditd.service</ind:filepath>
-          <ind:pattern operation="pattern match">^(ExecStartPost=\-\/sbin\/augenrules.*$|Requires=augenrules.service)</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_ardm_setdomainname_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_ardm_setdomainname_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_ardm_setdomainname_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_ardm_setdomainname_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_ardm_sethostname_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_ardm_sethostname_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_ardm_sethostname_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_ardm_sethostname_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_auditd_conf_log_file:obj:1" version="1">
-          <ind:filepath operation="equals">/etc/audit/auditd.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^(log_file\s*=\s*.*)$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_auditd_conf_log_group_root:obj:1" comment="log_group = root" version="1">
-          <ind:filepath operation="equals">/etc/audit/auditd.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[ ]*log_group[ ]+=[ ]+root[ ]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_auditd_conf_log_group_is_set:obj:1" comment="log_group is set" version="1">
-          <ind:filepath operation="equals">/etc/audit/auditd.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[ ]*log_group[ ]+=.*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_bootloader_disable_recovery_argument:obj:1" version="1">
-          <ind:filepath>/etc/default/grub</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*GRUB_DISABLE_RECOVERY=(.*)$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object comment="Ensure more than one chronyd NTP server is set" id="oval:ssg-object_chronyd_multiple_servers:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/chrony\.(conf|d/.+\.conf)$</ind:filepath>
-          <ind:pattern operation="pattern match">^([\s]*server[\s]+.+$){2,}$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_grub2_default_exists:obj:1" version="1">
-          <ind:filepath>/etc/default/grub</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*GRUB_CMDLINE_LINUX_DEFAULT=.*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_grub2_entries_reference_kernelopts:obj:1" version="1">
-          <ind:path>/boot/loader/entries/</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^options(?:\s+.*)?\s+\$kernelopts\b.*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <linux:rpminfo_object id="oval:ssg-obj_alinux2:obj:1" version="1">
-          <linux:name>alinux-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_alinux3:obj:1" version="1">
-          <linux:name>alinux-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_centos7:obj:1" version="1">
-          <linux:name>centos-release</linux:name>
-        </linux:rpminfo_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_name_centos8:obj:1" version="1" comment="Check os-release ID">
-          <ind:filepath>/etc/os-release</ind:filepath>
-          <ind:pattern operation="pattern match">^ID="(\w+)"$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_version_centos8:obj:1" version="1" comment="Check os-release VERSION_ID">
-          <ind:filepath>/etc/os-release</ind:filepath>
-          <ind:pattern operation="pattern match">^VERSION_ID="(\d)"$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_name_centos9:obj:1" version="1" comment="Check os-release ID">
-          <ind:filepath>/etc/os-release</ind:filepath>
-          <ind:pattern operation="pattern match">^ID="(\w+)"$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_version_centos9:obj:1" version="1" comment="Check os-release VERSION_ID">
-          <ind:filepath>/etc/os-release</ind:filepath>
-          <ind:pattern operation="pattern match">^VERSION_ID="(\d)"$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:file_object comment="check /etc/debian_version file" id="oval:ssg-obj_debian:obj:1" version="1">
-          <unix:filepath>/etc/debian_version</unix:filepath>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_debian_10:obj:1" version="1" comment="Check Debian version">
-          <ind:filepath>/etc/debian_version</ind:filepath>
-          <ind:pattern operation="pattern match">^10.[0-9]+$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_debian_11:obj:1" version="1" comment="Check Debian version">
-          <ind:filepath>/etc/debian_version</ind:filepath>
-          <ind:pattern operation="pattern match">^11.[0-9]+$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_debian_9:obj:1" version="1" comment="Check Debian version">
-          <ind:filepath>/etc/debian_version</ind:filepath>
-          <ind:pattern operation="pattern match">^9.[0-9]+$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <linux:rpminfo_object id="oval:ssg-object_fedora_release_rpm:obj:1" version="1">
-          <linux:name operation="pattern match">fedora-release.*</linux:name>
-        </linux:rpminfo_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_fedora_vendor_product:obj:1" version="1">
-          <ind:filepath>/etc/system-release-cpe</ind:filepath>
-          <ind:pattern operation="pattern match">^cpe:\/o:fedoraproject:fedora:[\d]+$</ind:pattern>
-          <ind:instance datatype="int" operation="equals">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <linux:rpminfo_object id="oval:ssg-obj_ol7_system:obj:1" version="1">
-          <linux:name>oraclelinux-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_ol8_system:obj:1" version="1">
-          <linux:name>oraclelinux-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_ol9_system:obj:1" version="1">
-          <linux:name>oraclelinux-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_opensuse_installed:obj:1" version="1">
-          <linux:name>openSUSE-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_opensuse_leap15_installed:obj:1" version="1">
-          <linux:name>openSUSE-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_opensuse_leap42_installed:obj:1" version="1">
-          <linux:name>openSUSE-release</linux:name>
-        </linux:rpminfo_object>
-        <ind:family_object id="oval:ssg-object_unix_family:obj:1" version="1"/>
-        <ind:textfilecontent54_object id="oval:ssg-obj_rhcos:obj:1" version="1">
-          <ind:filepath>/etc/os-release</ind:filepath>
-          <ind:pattern operation="pattern match">^ID="(\w+)"$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_rhcos4:obj:1" version="1">
-          <ind:filepath>/etc/os-release</ind:filepath>
-          <ind:pattern operation="pattern match">^VERSION_ID="(\d)\.\d+"$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:family_object id="oval:ssg-obj_rhel7_unix_family:obj:1" version="1"/>
-        <linux:rpminfo_object id="oval:ssg-obj_rhel7_client:obj:1" version="1">
-          <linux:name>redhat-release-client</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_rhel7_workstation:obj:1" version="1">
-          <linux:name>redhat-release-workstation</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_rhel7_server:obj:1" version="1">
-          <linux:name>redhat-release-server</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_rhel7_computenode:obj:1" version="1">
-          <linux:name>redhat-release-computenode</linux:name>
-        </linux:rpminfo_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_rhevh_rhel7_version:obj:1" version="1">
-          <ind:filepath>/etc/redhat-release</ind:filepath>
-          <ind:pattern operation="pattern match">^Red Hat Enterprise Linux release (\d)\.\d+$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:family_object id="oval:ssg-obj_rhel8_unix_family:obj:1" version="1"/>
-        <linux:rpminfo_object id="oval:ssg-obj_rhel8:obj:1" version="1">
-          <linux:name>redhat-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_rhel8_0:obj:1" version="1">
-          <linux:name>redhat-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_rhel8_1:obj:1" version="1">
-          <linux:name>redhat-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_rhel8_2:obj:1" version="1">
-          <linux:name>redhat-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_rhel8_3:obj:1" version="1">
-          <linux:name>redhat-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_rhel8_4:obj:1" version="1">
-          <linux:name>redhat-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_rhel8_5:obj:1" version="1">
-          <linux:name>redhat-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_rhel8_6:obj:1" version="1">
-          <linux:name>redhat-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_rhel8_7:obj:1" version="1">
-          <linux:name>redhat-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_rhel8_8:obj:1" version="1">
-          <linux:name>redhat-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_rhel8_9:obj:1" version="1">
-          <linux:name>redhat-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_rhel8_10:obj:1" version="1">
-          <linux:name>redhat-release</linux:name>
-        </linux:rpminfo_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_rhevh_rhel8_version:obj:1" version="1">
-          <ind:filepath>/etc/redhat-release</ind:filepath>
-          <ind:pattern operation="pattern match">^Red Hat Enterprise Linux release (\d)\.\d+$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:family_object id="oval:ssg-obj_rhel9_unix_family:obj:1" version="1"/>
-        <linux:rpminfo_object id="oval:ssg-obj_rhel9:obj:1" version="1">
-          <linux:name>redhat-release</linux:name>
-        </linux:rpminfo_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_rhevh_rhel9_version:obj:1" version="1">
-          <ind:filepath>/etc/redhat-release</ind:filepath>
-          <ind:pattern operation="pattern match">^Red Hat Enterprise Linux release (\d)\.\d+$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <linux:rpminfo_object id="oval:ssg-obj_rhvh4_version:obj:1" version="1">
-          <linux:name>redhat-release-virtualization-host</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_sl7:obj:1" version="1">
-          <linux:name>sl-release</linux:name>
-        </linux:rpminfo_object>
-        <ind:family_object id="oval:ssg-obj_sle12_unix_family:obj:1" version="1"/>
-        <linux:rpminfo_object id="oval:ssg-obj_sle12_desktop:obj:1" version="1">
-          <linux:name>sled-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_sle12_server:obj:1" version="1">
-          <linux:name>sles-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_sles_12_for_sap:obj:1" version="1">
-          <linux:name>SLES_SAP-release</linux:name>
-        </linux:rpminfo_object>
-        <ind:family_object id="oval:ssg-obj_sle15_unix_family:obj:1" version="1"/>
-        <linux:rpminfo_object id="oval:ssg-obj_sle15_desktop:obj:1" version="1">
-          <linux:name>sled-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_sle15_server:obj:1" version="1">
-          <linux:name>sles-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_sles_15_for_sap:obj:1" version="1">
-          <linux:name>SLES_SAP-release</linux:name>
-        </linux:rpminfo_object>
-        <unix:file_object comment="check /etc/lsb-release file" id="oval:ssg-obj_lsb:obj:1" version="1">
-          <unix:filepath>/etc/lsb-release</unix:filepath>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_ubuntu:obj:1" version="1" comment="Check Ubuntu">
-          <ind:filepath>/etc/lsb-release</ind:filepath>
-          <ind:pattern operation="pattern match">^DISTRIB_ID=Ubuntu$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_ubuntu_xenial:obj:1" version="1" comment="Check Ubuntu version">
-          <ind:filepath>/etc/lsb-release</ind:filepath>
-          <ind:pattern operation="pattern match">^DISTRIB_CODENAME=xenial$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_ubuntu_bionic:obj:1" version="1" comment="Check Ubuntu version">
-          <ind:filepath>/etc/lsb-release</ind:filepath>
-          <ind:pattern operation="pattern match">^DISTRIB_CODENAME=bionic$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_ubuntu_focal:obj:1" version="1" comment="Check Ubuntu version">
-          <ind:filepath>/etc/lsb-release</ind:filepath>
-          <ind:pattern operation="pattern match">^DISTRIB_CODENAME=focal$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <linux:rpminfo_object id="oval:ssg-obj_uos20:obj:1" version="1">
-          <linux:name>uos-release</linux:name>
-        </linux:rpminfo_object>
-        <unix:file_object id="oval:ssg-object_file_for_eks:obj:1" version="1">
-          <unix:filepath var_ref="oval:ssg-eks_dump_location:var:1"/>
-        </unix:file_object>
-        <ind:yamlfilecontent_object id="oval:ssg-object_eks:obj:1" version="1">
-          <ind:filepath var_ref="oval:ssg-eks_dump_location:var:1"/>
-          <ind:yamlpath>.gitVersion</ind:yamlpath>
-        </ind:yamlfilecontent_object>
-        <unix:file_object comment="/var/lib/kubelet/kubeconfig" id="oval:ssg-object_kubelet_kubeconfig_exists:obj:1" version="1">
-          <unix:filepath>/var/lib/kubelet/kubeconfig</unix:filepath>
-        </unix:file_object>
-        <linux:rpminfo_object id="oval:ssg-obj_rhevm4_version:obj:1" version="1">
-          <linux:name>rhvm-appliance</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_env_has_audit_installed:obj:1" version="1">
-          <linux:name>audit</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_env_has_chrony_installed:obj:1" version="1">
-          <linux:name>chrony</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_env_has_gdm_installed:obj:1" version="1">
-          <linux:name>gdm</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_env_has_grub2_installed:obj:1" version="1">
-          <linux:name>grub2-common</linux:name>
-        </linux:rpminfo_object>
-        <unix:file_object id="oval:ssg-object_system_using_opal:obj:1" version="1">
-          <unix:filepath>/sys/firmware/opal</unix:filepath>
-        </unix:file_object>
-        <linux:rpminfo_object id="oval:ssg-obj_env_has_libuser_installed:obj:1" version="1">
-          <linux:name>libuser</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_env_has_login_defs_installed:obj:1" version="1">
-          <linux:name>shadow-utils</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_env_has_net-snmp_installed:obj:1" version="1">
-          <linux:name>net-snmp</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_env_has_nss-pam-ldapd_installed:obj:1" version="1">
-          <linux:name>nss-pam-ldapd</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_env_has_ntp_installed:obj:1" version="1">
-          <linux:name>ntp</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_env_has_ovirt-host_installed:obj:1" version="1">
-          <linux:name>ovirt-host</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_env_has_ovirt-engine_installed:obj:1" version="1">
-          <linux:name>ovirt-engine</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_env_has_pam_installed:obj:1" version="1">
-          <linux:name>pam</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_env_has_polkit_installed:obj:1" version="1">
-          <linux:name>polkit</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_env_has_postfix_installed:obj:1" version="1">
-          <linux:name>postfix</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_env_has_sssd-common_installed:obj:1" version="1">
-          <linux:name>sssd-common</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_env_has_sudo_installed:obj:1" version="1">
-          <linux:name>sudo</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_env_has_systemd_installed:obj:1" version="1">
-          <linux:name>systemd</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_env_has_tftp_server_installed:obj:1" version="1">
-          <linux:name>tftp-server</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_env_has_tmux_installed:obj:1" version="1">
-          <linux:name>tmux</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_env_has_usbguard_installed:obj:1" version="1">
-          <linux:name>usbguard</linux:name>
-        </linux:rpminfo_object>
-        <unix:file_object comment="/proc/net/wireless file" id="oval:ssg-object_proc_net_wireless_exists:obj:1" version="1">
-          <unix:filepath>/proc/net/wireless</unix:filepath>
-        </unix:file_object>
-        <linux:rpminfo_object id="oval:ssg-obj_env_has_yum_installed:obj:1" version="1">
-          <linux:name>yum</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_env_has_zipl_installed:obj:1" version="1">
-          <linux:name>s390utils-base</linux:name>
-        </linux:rpminfo_object>
-        <unix:file_object comment="Check file /.dockerenv" id="oval:ssg-object_installed_env_is_a_docker_container:obj:1" version="1">
-          <unix:filepath datatype="string">/.dockerenv</unix:filepath>
-        </unix:file_object>
-        <unix:file_object comment="Check file /run/.containerenv" id="oval:ssg-object_installed_env_is_a_podman_container:obj:1" version="1">
-          <unix:filepath datatype="string">/run/.containerenv</unix:filepath>
-        </unix:file_object>
-        <linux:rpminfo_object id="oval:ssg-obj_krb5_server_version_1_17_18:obj:1" version="1">
-          <linux:name>krb5-server</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_krb5_workstation_version_1_17_18:obj:1" version="1">
-          <linux:name>krb5-workstation</linux:name>
-        </linux:rpminfo_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_no_cd_dvd_drive_in_etc_fstab:obj:1" version="1">
-          <ind:filepath>/etc/fstab</ind:filepath>
-          <ind:pattern operation="pattern match" datatype="string" var_ref="oval:ssg-variable_cd_dvd_drive_alternative_names:var:1" var_check="at least one"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_proc_sys_kernel_osrelease_arch_aarch64:obj:1" version="1">
-          <ind:filepath>/proc/sys/kernel/osrelease</ind:filepath>
-          <ind:pattern operation="pattern match">^.*\.(.*)$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_proc_sys_kernel_osrelease_arch_ppc64le:obj:1" version="1">
-          <ind:filepath>/proc/sys/kernel/osrelease</ind:filepath>
-          <ind:pattern operation="pattern match">^.*\.(.*)$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_proc_sys_kernel_osrelease_arch_s390x:obj:1" version="1">
-          <ind:filepath>/proc/sys/kernel/osrelease</ind:filepath>
-          <ind:pattern operation="pattern match">^.*\.(.*)$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:file_object id="oval:ssg-object_removable_partition_doesnt_exist:obj:1" version="1">
-          <unix:filepath var_ref="oval:ssg-var_removable_partition:var:1" var_check="at least one"/>
-        </unix:file_object>
-        <ind:variable_object id="oval:ssg-object_sshd_not_required:obj:1" version="1">
-          <ind:var_ref>oval:ssg-sshd_required:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-object_sshd_required:obj:1" version="1">
-          <ind:var_ref>oval:ssg-sshd_required:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-object_sshd_requirement_unknown:obj:1" version="1">
-          <ind:var_ref>oval:ssg-sshd_required:var:1</ind:var_ref>
-        </ind:variable_object>
-        <linux:rpminfo_object id="oval:ssg-obj_openssh-server_version:obj:1" version="1">
-          <linux:name>openssh-server</linux:name>
-        </linux:rpminfo_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_id_provider_is_set_to_ad:obj:1" version="1">
-          <ind:filepath>/etc/sssd/sssd.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*\[domain\/[^]]*]([^\n\[\]]*\n+)+?[\s]*id_provider[ \t]*=[ \t]*((?i)ad)[ \t]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:file_object comment="/sys/firmware/efi" id="oval:ssg-object_file_sys_firmware_efi:obj:1" version="1">
-          <unix:path>/sys/firmware/efi</unix:path>
-          <unix:filename xsi:nil="true"/>
-        </unix:file_object>
-        <unix:uname_object comment="64 bit architecture" id="oval:ssg-object_system_info_architecture_aarch_64:obj:1" version="1"/>
-        <unix:uname_object comment="64 bit architecture" id="oval:ssg-object_system_info_architecture_ppc_64:obj:1" version="1"/>
-        <unix:uname_object comment="64 bit architecture" id="oval:ssg-object_system_info_architecture_ppcle_64:obj:1" version="1"/>
-        <unix:uname_object comment="64 bit architecture" id="oval:ssg-object_system_info_architecture_s390_64:obj:1" version="1"/>
-        <unix:uname_object comment="32 bit architecture" id="oval:ssg-object_system_info_architecture_x86:obj:1" version="1"/>
-        <unix:uname_object comment="64 bit architecture" id="oval:ssg-object_system_info_architecture_x86_64:obj:1" version="1"/>
-        <unix:file_object comment="/etc/tmux.conf" id="oval:ssg-object_tmux_conf_readable_by_others:obj:1" version="1">
-          <unix:filepath operation="equals">/etc/tmux.conf</unix:filepath>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_usbguard_rules_nonempty:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/usbguard/(rules|rules\.d/.*)\.conf$</ind:filepath>
-          <ind:pattern operation="pattern match">^.*\S+.*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-object_var_accounts_user_umask_umask_as_number:obj:1" version="1">
-          <ind:var_ref>oval:ssg-var_accounts_user_umask_umask_as_number:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-object_var_removable_partition_is_cd_dvd_drive:obj:1" version="1">
-          <ind:var_ref>oval:ssg-var_removable_partition:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-object_var_umask_for_daemons_umask_as_number:obj:1" version="1">
-          <ind:var_ref>oval:ssg-var_umask_for_daemons_umask_as_number:var:1</ind:var_ref>
-        </ind:variable_object>
-      </oval-def:objects>
-      <oval-def:states>
-        <ind:variable_state id="oval:ssg-state_elements_count_for_configure_network_policies_namespaces:ste:1" version="1">
-          <ind:value datatype="int" var_ref="oval:ssg-local_variable_counter_configure_network_policies_filtered_namespaces:var:1"/>
-        </ind:variable_state>
-        <unix:file_state id="oval:ssg-state_file_groupowner_kubelet_conf_gid_0_0:ste:1" version="1">
-          <unix:group_id datatype="int">0</unix:group_id>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-symlink_file_groupowner_kubelet_conf_uid_0:ste:1" version="1">
-          <unix:type operation="equals">symbolic link</unix:type>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_groupowner_worker_kubeconfig_gid_0_0:ste:1" version="1">
-          <unix:group_id datatype="int">0</unix:group_id>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-symlink_file_groupowner_worker_kubeconfig_uid_0:ste:1" version="1">
-          <unix:type operation="equals">symbolic link</unix:type>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_owner_kubelet_conf_uid_0_0:ste:1" version="1">
-          <unix:user_id datatype="int">0</unix:user_id>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-symlink_file_owner_kubelet_conf_uid_0:ste:1" version="1">
-          <unix:type operation="equals">symbolic link</unix:type>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_owner_worker_kubeconfig_uid_0_0:ste:1" version="1">
-          <unix:user_id datatype="int">0</unix:user_id>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-symlink_file_owner_worker_kubeconfig_uid_0:ste:1" version="1">
-          <unix:type operation="equals">symbolic link</unix:type>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_permissions_kubelet_conf_0_mode_0644or_stricter_:ste:1" operator="AND" version="3">
-          <unix:suid datatype="boolean">false</unix:suid>
-          <unix:sgid datatype="boolean">false</unix:sgid>
-          <unix:sticky datatype="boolean">false</unix:sticky>
-          <unix:uexec datatype="boolean">false</unix:uexec>
-          <unix:gwrite datatype="boolean">false</unix:gwrite>
-          <unix:gexec datatype="boolean">false</unix:gexec>
-          <unix:owrite datatype="boolean">false</unix:owrite>
-          <unix:oexec datatype="boolean">false</unix:oexec>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-exclude_symlinks__kubelet_conf:ste:1" version="1">
-          <unix:type operation="equals">symbolic link</unix:type>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_permissions_worker_kubeconfig_0_mode_0644or_stricter_:ste:1" operator="AND" version="3">
-          <unix:suid datatype="boolean">false</unix:suid>
-          <unix:sgid datatype="boolean">false</unix:sgid>
-          <unix:sticky datatype="boolean">false</unix:sticky>
-          <unix:uexec datatype="boolean">false</unix:uexec>
-          <unix:gwrite datatype="boolean">false</unix:gwrite>
-          <unix:gexec datatype="boolean">false</unix:gexec>
-          <unix:owrite datatype="boolean">false</unix:owrite>
-          <unix:oexec datatype="boolean">false</unix:oexec>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-exclude_symlinks__worker_kubeconfig:ste:1" version="1">
-          <unix:type operation="equals">symbolic link</unix:type>
-        </unix:file_state>
-        <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_anonymous_auth_worker:ste:1" version="1">
-          <ind:value datatype="record">
-            <oval-def:field name="#" operation="equals">false</oval-def:field>
-          </ind:value>
-        </ind:yamlfilecontent_state>
-        <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_authorization_mode_worker:ste:1" version="1">
-          <ind:value datatype="record">
-            <oval-def:field name="#" operation="not equal">AlwaysAllow</oval-def:field>
-          </ind:value>
-        </ind:yamlfilecontent_state>
-        <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_configure_client_ca_worker:ste:1" version="1">
-          <ind:value datatype="record">
-            <oval-def:field name="#" operation="equals">/etc/kubernetes/pki/ca.crt</oval-def:field>
-          </ind:value>
-        </ind:yamlfilecontent_state>
-        <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_disable_hostname_override:ste:1" version="1">
-          <ind:value datatype="record">
-            <oval-def:field name="#" operation="pattern match">.*</oval-def:field>
-          </ind:value>
-        </ind:yamlfilecontent_state>
-        <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_enable_cert_rotation_worker:ste:1" version="1">
-          <ind:value datatype="record">
-            <oval-def:field name="#" operation="equals">true</oval-def:field>
-          </ind:value>
-        </ind:yamlfilecontent_state>
-        <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_enable_client_cert_rotation:ste:1" version="1">
-          <ind:value datatype="record">
-            <oval-def:field name="#" operation="not equal">false</oval-def:field>
-          </ind:value>
-        </ind:yamlfilecontent_state>
-        <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_enable_iptables_util_chains:ste:1" version="1">
-          <ind:value datatype="record">
-            <oval-def:field name="#" operation="equals">true</oval-def:field>
-          </ind:value>
-        </ind:yamlfilecontent_state>
-        <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_enable_protect_kernel_defaults:ste:1" version="1">
-          <ind:value datatype="record">
-            <oval-def:field name="#" operation="equals">true</oval-def:field>
-          </ind:value>
-        </ind:yamlfilecontent_state>
-        <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_enable_server_cert_rotation_worker:ste:1" version="1">
-          <ind:value datatype="record">
-            <oval-def:field name="#" operation="equals">true</oval-def:field>
-          </ind:value>
-        </ind:yamlfilecontent_state>
-        <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_enable_streaming_connections_worker:ste:1" version="1">
-          <ind:value datatype="record">
-            <oval-def:field name="#" operation="pattern match" var_ref="oval:ssg-var_streaming_connection_timeouts:var:1"/>
-          </ind:value>
-        </ind:yamlfilecontent_state>
-        <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_read_only_port_secured_worker:ste:1" version="1">
-          <ind:value datatype="record">
-            <oval-def:field name="#" operation="equals">0</oval-def:field>
-          </ind:value>
-        </ind:yamlfilecontent_state>
-        <linux:systemdunitproperty_state id="oval:ssg-state_service_not_running_syslog:ste:1" version="1" comment="syslog is not running">
-          <linux:value operation="pattern match">inactive|failed</linux:value>
-        </linux:systemdunitproperty_state>
-        <linux:systemdunitproperty_state id="oval:ssg-state_service_loadstate_is_masked_syslog:ste:1" version="1" comment="LoadState is set to masked">
-          <linux:value>masked</linux:value>
-        </linux:systemdunitproperty_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_bootloader_disable_recovery_argument:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^(true|"true")$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <linux:rpminfo_state id="oval:ssg-state_alinux2:ste:1" version="1">
-          <linux:version operation="pattern match">^2.*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_alinux3:ste:1" version="1">
-          <linux:version operation="pattern match">^3.*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_centos7:ste:1" version="1">
-          <linux:version operation="pattern match">^7.*$</linux:version>
-        </linux:rpminfo_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_name_centos8:ste:1" version="1">
-          <ind:subexpression>centos</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_version_centos8:ste:1" version="1">
-          <ind:subexpression>8</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_name_centos9:ste:1" version="1">
-          <ind:subexpression>centos</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_version_centos9:ste:1" version="1">
-          <ind:subexpression>9</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <linux:rpminfo_state id="oval:ssg-state_ol7_system:ste:1" version="1">
-          <linux:version operation="pattern match">^7.*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_ol8_system:ste:1" version="1">
-          <linux:version operation="pattern match">^8.*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_ol9_system:ste:1" version="1">
-          <linux:version operation="pattern match">^9.*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_opensuse_installed:ste:1" version="1">
-          <linux:name operation="pattern match">openSUSE-release</linux:name>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_opensuse_leap15_installed:ste:1" version="1">
-          <linux:version operation="pattern match">^15.*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_opensuse_leap42_installed:ste:1" version="1">
-          <linux:version operation="pattern match">^42.*$</linux:version>
-        </linux:rpminfo_state>
-        <ind:family_state id="oval:ssg-state_unix_family:ste:1" version="1">
-          <ind:family>unix</ind:family>
-        </ind:family_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_rhcos:ste:1" version="1">
-          <ind:subexpression operation="pattern match">rhcos</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_rhcos4:ste:1" version="1">
-          <ind:subexpression operation="pattern match">4</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:family_state id="oval:ssg-state_rhel7_unix_family:ste:1" version="1">
-          <ind:family>unix</ind:family>
-        </ind:family_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhel7_client:ste:1" version="1">
-          <linux:version operation="pattern match">^7.*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhel7_workstation:ste:1" version="1">
-          <linux:version operation="pattern match">^7.*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhel7_server:ste:1" version="1">
-          <linux:version operation="pattern match">^7.*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhel7_computenode:ste:1" version="1">
-          <linux:version operation="pattern match">^7.*$</linux:version>
-        </linux:rpminfo_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_rhevh_rhel7_version:ste:1" version="1">
-          <ind:subexpression operation="pattern match">7</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:family_state id="oval:ssg-state_rhel8_unix_family:ste:1" version="1">
-          <ind:family>unix</ind:family>
-        </ind:family_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhel8:ste:1" version="1">
-          <linux:version operation="pattern match">^8.*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhel8_0:ste:1" version="1">
-          <linux:version operation="pattern match">^8.0*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhel8_1:ste:1" version="1">
-          <linux:version operation="pattern match">^8.1*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhel8_2:ste:1" version="1">
-          <linux:version operation="pattern match">^8.2*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhel8_3:ste:1" version="1">
-          <linux:version operation="pattern match">^8.3*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhel8_4:ste:1" version="1">
-          <linux:version operation="pattern match">^8.4*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhel8_5:ste:1" version="1">
-          <linux:version operation="pattern match">^8.5*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhel8_6:ste:1" version="1">
-          <linux:version operation="pattern match">^8.6*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhel8_7:ste:1" version="1">
-          <linux:version operation="pattern match">^8.7*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhel8_8:ste:1" version="1">
-          <linux:version operation="pattern match">^8.8*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhel8_9:ste:1" version="1">
-          <linux:version operation="pattern match">^8.9*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhel8_10:ste:1" version="1">
-          <linux:version operation="pattern match">^8.10*$</linux:version>
-        </linux:rpminfo_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_rhevh_rhel8_version:ste:1" version="1">
-          <ind:subexpression operation="pattern match">8</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:family_state id="oval:ssg-state_rhel9_unix_family:ste:1" version="1">
-          <ind:family>unix</ind:family>
-        </ind:family_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhel9:ste:1" version="1">
-          <linux:version operation="pattern match">^9.*$</linux:version>
-        </linux:rpminfo_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_rhevh_rhel9_version:ste:1" version="1">
-          <ind:subexpression operation="pattern match">9</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhvh4_version:ste:1" version="1">
-          <linux:evr datatype="evr_string" operation="greater than or equal">0:4.4</linux:evr>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_sl7:ste:1" version="1">
-          <linux:version operation="pattern match">^7.*$</linux:version>
-        </linux:rpminfo_state>
-        <ind:family_state id="oval:ssg-state_sle12_unix_family:ste:1" version="1">
-          <ind:family>unix</ind:family>
-        </ind:family_state>
-        <linux:rpminfo_state id="oval:ssg-state_sle12_desktop:ste:1" version="1">
-          <linux:version operation="pattern match">^12.*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_sle12_server:ste:1" version="1">
-          <linux:version operation="pattern match">^12.*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_sles_12_for_sap:ste:1" version="1">
-          <linux:version operation="pattern match">^12.*$</linux:version>
-        </linux:rpminfo_state>
-        <ind:family_state id="oval:ssg-state_sle15_unix_family:ste:1" version="1">
-          <ind:family>unix</ind:family>
-        </ind:family_state>
-        <linux:rpminfo_state id="oval:ssg-state_sle15_desktop:ste:1" version="1">
-          <linux:version operation="pattern match">^15.*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_sle15_server:ste:1" version="1">
-          <linux:version operation="pattern match">^15.*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_sles_15_for_sap:ste:1" version="1">
-          <linux:version operation="pattern match">^15.*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_uos20:ste:1" version="1">
-          <linux:version operation="pattern match">^20.*$</linux:version>
-        </linux:rpminfo_state>
-        <ind:yamlfilecontent_state id="oval:ssg-state_eks:ste:1" version="1">
-          <ind:value datatype="record">
-            <oval-def:field name="#" datatype="string" operation="pattern match">^.*-eks-.*$</oval-def:field>
-          </ind:value>
-        </ind:yamlfilecontent_state>
-        <ind:yamlfilecontent_state id="oval:ssg-state_eks_1_21:ste:1" version="1">
-          <ind:value datatype="record">
-            <oval-def:field name="#" datatype="string" operation="pattern match">^v1\.21\..*</oval-def:field>
-          </ind:value>
-        </ind:yamlfilecontent_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhevm4_version:ste:1" version="1">
-          <linux:version operation="pattern match">^4.*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_krb5_server_version_1_17_18:ste:1" version="1">
-          <linux:evr datatype="evr_string" operation="less than">0:1.17-18</linux:evr>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_krb5_workstation_version_1_17_18:ste:1" version="1">
-          <linux:evr datatype="evr_string" operation="less than">0:1.17-18</linux:evr>
-        </linux:rpminfo_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_proc_sys_kernel_osrelease_arch_aarch64:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^aarch64$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_proc_sys_kernel_osrelease_arch_ppc64le:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^ppc64le$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_proc_sys_kernel_osrelease_arch_s390x:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^s390x$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:variable_state id="oval:ssg-state_sshd_not_required:ste:1" version="1">
-          <ind:value operation="equals" datatype="int">1</ind:value>
-        </ind:variable_state>
-        <ind:variable_state id="oval:ssg-state_sshd_required:ste:1" version="1">
-          <ind:value operation="equals" datatype="int">2</ind:value>
-        </ind:variable_state>
-        <ind:variable_state id="oval:ssg-state_sshd_requirement_unset:ste:1" version="1">
-          <ind:value operation="equals" datatype="int">0</ind:value>
-        </ind:variable_state>
-        <linux:rpminfo_state id="oval:ssg-state_openssh-server_version:ste:1" version="1">
-          <linux:evr datatype="evr_string" operation="greater than or equal">0:7.4</linux:evr>
-        </linux:rpminfo_state>
-        <unix:uname_state comment="64 bit architecture" id="oval:ssg-state_system_info_architecture_aarch_64:ste:1" version="1">
-          <unix:processor_type operation="equals">aarch64</unix:processor_type>
-        </unix:uname_state>
-        <unix:uname_state comment="64 bit architecture" id="oval:ssg-state_system_info_architecture_ppc_64:ste:1" version="1">
-          <unix:processor_type operation="equals">ppc64</unix:processor_type>
-        </unix:uname_state>
-        <unix:uname_state comment="64 bit architecture" id="oval:ssg-state_system_info_architecture_ppcle_64:ste:1" version="1">
-          <unix:processor_type operation="equals">ppc64le</unix:processor_type>
-        </unix:uname_state>
-        <unix:uname_state comment="64 bit architecture" id="oval:ssg-state_system_info_architecture_s390_64:ste:1" version="1">
-          <unix:processor_type operation="equals">s390x</unix:processor_type>
-        </unix:uname_state>
-        <unix:uname_state comment="32 bit architecture" id="oval:ssg-state_system_info_architecture_x86:ste:1" version="1">
-          <unix:processor_type operation="equals">i686</unix:processor_type>
-        </unix:uname_state>
-        <unix:uname_state comment="64 bit architecture" id="oval:ssg-state_system_info_architecture_x86_64:ste:1" version="1">
-          <unix:processor_type operation="equals">x86_64</unix:processor_type>
-        </unix:uname_state>
-        <unix:file_state id="oval:ssg-state_tmux_conf_readable_by_others:ste:1" version="1" operator="AND">
-          <unix:oread datatype="boolean">true</unix:oread>
-        </unix:file_state>
-        <ind:variable_state id="oval:ssg-state_var_removable_partition_is_cd_dvd_drive:ste:1" version="1">
-          <ind:value operation="equals">/dev/cdrom</ind:value>
-        </ind:variable_state>
-      </oval-def:states>
-      <oval-def:variables>
-        <oval-def:local_variable id="oval:ssg-configure_network_policies_namespaces_file_location:var:1" datatype="string" comment="Path of file containing filtered non-ctlplane namespaces with network policies." version="1">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-ocp_data_root:var:1"/>
-            <oval-def:literal_component>/apis/networking.k8s.io/v1/networkpolicies#51742b3e87275db9eb7fc6c0286a9e536178a2a83e3670b615ceaf545e7fd300</oval-def:literal_component>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-configure_network_policies_filtered_namespaces_file_location:var:1" datatype="string" comment="Path of file containing filtered non-ctlplane namespaces." version="1">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-ocp_data_root:var:1"/>
-            <oval-def:literal_component>/api/v1/namespaces#34d4beecc95c65d815d9d48fd4fdcb0c521631852ad088ef74e36d012b0e1e0d</oval-def:literal_component>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Items counter" datatype="int" id="oval:ssg-local_variable_counter_configure_network_policies_namespaces:var:1" version="1">
-          <oval-def:count>
-            <oval-def:object_component object_ref="oval:ssg-object_configure_network_policies_namespaces:obj:1" item_field="value" record_field="#"/>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Items counter control" datatype="int" id="oval:ssg-local_variable_counter_configure_network_policies_filtered_namespaces:var:1" version="1">
-          <oval-def:count>
-            <oval-def:object_component object_ref="oval:ssg-object_configure_network_policies_filtered_namespaces:obj:1" item_field="value" record_field="#"/>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:external_variable comment="Root of OCP data dump" datatype="string" id="oval:ssg-ocp_data_root:var:1" version="1"/>
-        <oval-def:local_variable id="oval:ssg-kubelet_anonymous_auth_worker_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
-          <oval-def:literal_component>/etc/kubernetes/kubelet/kubelet-config.json</oval-def:literal_component>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-kubelet_authorization_mode_worker_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
-          <oval-def:literal_component>/etc/kubernetes/kubelet/kubelet-config.json</oval-def:literal_component>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-kubelet_configure_client_ca_worker_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
-          <oval-def:literal_component>/etc/kubernetes/kubelet/kubelet-config.json</oval-def:literal_component>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-kubelet_disable_hostname_override_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
-          <oval-def:literal_component>/etc/kubernetes/kubelet/kubelet-config.json</oval-def:literal_component>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-kubelet_enable_cert_rotation_worker_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
-          <oval-def:literal_component>/etc/kubernetes/kubelet/kubelet-config.json</oval-def:literal_component>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-kubelet_enable_client_cert_rotation_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
-          <oval-def:literal_component>/etc/kubernetes/kubelet/kubelet-config.json</oval-def:literal_component>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-kubelet_enable_iptables_util_chains_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
-          <oval-def:literal_component>/etc/kubernetes/kubelet/kubelet-config.json</oval-def:literal_component>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-kubelet_enable_protect_kernel_defaults_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
-          <oval-def:literal_component>/etc/kubernetes/kubelet/kubelet-config.json</oval-def:literal_component>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-kubelet_enable_server_cert_rotation_worker_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
-          <oval-def:literal_component>/etc/kubernetes/kubelet/kubelet-config.json</oval-def:literal_component>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-kubelet_enable_streaming_connections_worker_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
-          <oval-def:literal_component>/etc/kubernetes/kubelet/kubelet-config.json</oval-def:literal_component>
-        </oval-def:local_variable>
-        <oval-def:external_variable comment="variable" datatype="string" id="oval:ssg-var_streaming_connection_timeouts:var:1" version="1"/>
-        <oval-def:local_variable id="oval:ssg-kubelet_read_only_port_secured_worker_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
-          <oval-def:literal_component>/etc/kubernetes/kubelet/kubelet-config.json</oval-def:literal_component>
-        </oval-def:local_variable>
-        <oval-def:constant_variable id="oval:ssg-var_pam_pwquality_config_path:var:1" version="1" datatype="string" comment="correct path for pam_pwquality.so check">
-          <oval-def:value>/etc/pam.d/system-auth</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:local_variable id="oval:ssg-audit_log_file_path:var:1" datatype="string" version="1" comment="path to audit log files">
-          <oval-def:regex_capture pattern="^log_file\s*=\s*(.*)">
-            <oval-def:object_component item_field="subexpression" object_ref="oval:ssg-object_auditd_conf_log_file:obj:1"/>
-          </oval-def:regex_capture>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-eks_dump_location:var:1" datatype="string" comment="The actual filepath of the file to scan." version="1">
-          <oval-def:literal_component>/kubernetes-api-resources/version</oval-def:literal_component>
-        </oval-def:local_variable>
-        <oval-def:constant_variable id="oval:ssg-variable_cd_dvd_drive_alternative_names:var:1" datatype="string" comment="CD/DVD drive alternative names whitelist" version="1">
-          <oval-def:value>/dev/cdrom</oval-def:value>
-          <oval-def:value>/dev/dvd</oval-def:value>
-          <oval-def:value>/dev/scd0</oval-def:value>
-          <oval-def:value>/dev/sr0</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:external_variable comment="removable partition" datatype="string" id="oval:ssg-var_removable_partition:var:1" version="1"/>
-        <oval-def:external_variable comment="May be defined by Profiles to explicitly say if sshd is required or not" datatype="int" id="oval:ssg-sshd_required:var:1" version="1"/>
-        <oval-def:external_variable id="oval:ssg-var_accounts_user_umask:var:1" datatype="string" version="1" comment="Value of var_accounts_user_umask (the required umask) as string"/>
-        <oval-def:local_variable id="oval:ssg-var_first_digit_of_umask_from_var_accounts_user_umask:var:1" comment="First octal digit of umask from var_accounts_user_umask" datatype="int" version="1">
-          <oval-def:substring substring_start="1" substring_length="1">
-            <oval-def:variable_component var_ref="oval:ssg-var_accounts_user_umask:var:1"/>
-          </oval-def:substring>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_second_digit_of_umask_from_var_accounts_user_umask:var:1" comment="Second octal digit of umask from var_accounts_user_umask" datatype="int" version="1">
-          <oval-def:substring substring_start="2" substring_length="1">
-            <oval-def:variable_component var_ref="oval:ssg-var_accounts_user_umask:var:1"/>
-          </oval-def:substring>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_third_digit_of_umask_from_var_accounts_user_umask:var:1" comment="Third octal digit of umask from var_accounts_user_umask" datatype="int" version="1">
-          <oval-def:substring substring_start="3" substring_length="1">
-            <oval-def:variable_component var_ref="oval:ssg-var_accounts_user_umask:var:1"/>
-          </oval-def:substring>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_accounts_user_umask_umask_as_number:var:1" comment="var_accounts_user_umask umask converted from string to a number" datatype="int" version="1">
-          <oval-def:arithmetic arithmetic_operation="add">
-            <oval-def:arithmetic arithmetic_operation="multiply">
-              <oval-def:literal_component datatype="int">64</oval-def:literal_component>
-              <oval-def:variable_component var_ref="oval:ssg-var_first_digit_of_umask_from_var_accounts_user_umask:var:1"/>
-            </oval-def:arithmetic>
-            <oval-def:arithmetic arithmetic_operation="multiply">
-              <oval-def:literal_component datatype="int">8</oval-def:literal_component>
-              <oval-def:variable_component var_ref="oval:ssg-var_second_digit_of_umask_from_var_accounts_user_umask:var:1"/>
-            </oval-def:arithmetic>
-            <oval-def:variable_component var_ref="oval:ssg-var_third_digit_of_umask_from_var_accounts_user_umask:var:1"/>
-          </oval-def:arithmetic>
-        </oval-def:local_variable>
-        <oval-def:external_variable id="oval:ssg-var_umask_for_daemons:var:1" datatype="string" version="1" comment="Value of var_umask_for_daemons (the required umask) as string"/>
-        <oval-def:local_variable id="oval:ssg-var_first_digit_of_umask_from_var_umask_for_daemons:var:1" comment="First octal digit of umask from var_umask_for_daemons" datatype="int" version="1">
-          <oval-def:substring substring_start="1" substring_length="1">
-            <oval-def:variable_component var_ref="oval:ssg-var_umask_for_daemons:var:1"/>
-          </oval-def:substring>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_second_digit_of_umask_from_var_umask_for_daemons:var:1" comment="Second octal digit of umask from var_umask_for_daemons" datatype="int" version="1">
-          <oval-def:substring substring_start="2" substring_length="1">
-            <oval-def:variable_component var_ref="oval:ssg-var_umask_for_daemons:var:1"/>
-          </oval-def:substring>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_third_digit_of_umask_from_var_umask_for_daemons:var:1" comment="Third octal digit of umask from var_umask_for_daemons" datatype="int" version="1">
-          <oval-def:substring substring_start="3" substring_length="1">
-            <oval-def:variable_component var_ref="oval:ssg-var_umask_for_daemons:var:1"/>
-          </oval-def:substring>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_umask_for_daemons_umask_as_number:var:1" comment="var_umask_for_daemons umask converted from string to a number" datatype="int" version="1">
-          <oval-def:arithmetic arithmetic_operation="add">
-            <oval-def:arithmetic arithmetic_operation="multiply">
-              <oval-def:literal_component datatype="int">64</oval-def:literal_component>
-              <oval-def:variable_component var_ref="oval:ssg-var_first_digit_of_umask_from_var_umask_for_daemons:var:1"/>
-            </oval-def:arithmetic>
-            <oval-def:arithmetic arithmetic_operation="multiply">
-              <oval-def:literal_component datatype="int">8</oval-def:literal_component>
-              <oval-def:variable_component var_ref="oval:ssg-var_second_digit_of_umask_from_var_umask_for_daemons:var:1"/>
-            </oval-def:arithmetic>
-            <oval-def:variable_component var_ref="oval:ssg-var_third_digit_of_umask_from_var_umask_for_daemons:var:1"/>
-          </oval-def:arithmetic>
-        </oval-def:local_variable>
-      </oval-def:variables>
-    </oval-def:oval_definitions>
-  </ds:component>
-  <ds:component id="scap_org.open-scap_comp_ssg-eks-ocil.xml" timestamp="2022-08-11T18:55:42">
-    <ocil:ocil>
-      <ocil:generator>
-        <ocil:product_name>build_shorthand.py from SCAP Security Guide</ocil:product_name>
-        <ocil:product_version>ssg: 0.1.64</ocil:product_version>
-        <ocil:schema_version>2.0</ocil:schema_version>
-        <ocil:timestamp>2022-08-11T18:55:40</ocil:timestamp>
-      </ocil:generator>
-      <ocil:questionnaires>
-        <ocil:questionnaire id="ocil:ssg-dedicated_service_accounts_ocil:questionnaire:1">
-          <ocil:title>Use Dedicated Service Accounts</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-dedicated_service_accounts_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-iam_integration_ocil:questionnaire:1">
-          <ocil:title>Manage Users with AWS IAM</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-iam_integration_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-fargate_ocil:questionnaire:1">
-          <ocil:title>Consider Fargate for Untrusted Workloads</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-fargate_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-kubelet_anonymous_auth_worker_ocil:questionnaire:1">
-          <ocil:title>Disable Anonymous Authentication to the Kubelet</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-kubelet_anonymous_auth_worker_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-kubelet_authorization_mode_worker_ocil:questionnaire:1">
-          <ocil:title>Ensure authorization is set to Webhook</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-kubelet_authorization_mode_worker_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-kubelet_configure_client_ca_worker_ocil:questionnaire:1">
-          <ocil:title>kubelet - Configure the Client CA Certificate</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-kubelet_configure_client_ca_worker_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-kubelet_enable_cert_rotation_worker_ocil:questionnaire:1">
-          <ocil:title>kubelet - Enable Certificate Rotation</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-kubelet_enable_cert_rotation_worker_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-kubelet_enable_client_cert_rotation_ocil:questionnaire:1">
-          <ocil:title>kubelet - Enable Client Certificate Rotation</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-kubelet_enable_client_cert_rotation_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-kubelet_enable_iptables_util_chains_ocil:questionnaire:1">
-          <ocil:title>kubelet - Allow Automatic Firewall Configuration</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-kubelet_enable_iptables_util_chains_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-kubelet_enable_protect_kernel_defaults_ocil:questionnaire:1">
-          <ocil:title>kubelet - Enable Protect Kernel Defaults</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-kubelet_enable_protect_kernel_defaults_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-kubelet_enable_server_cert_rotation_worker_ocil:questionnaire:1">
-          <ocil:title>kubelet - Enable Server Certificate Rotation</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-kubelet_enable_server_cert_rotation_worker_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-kubelet_enable_streaming_connections_worker_ocil:questionnaire:1">
-          <ocil:title>kubelet - Do Not Disable Streaming Timeouts</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-kubelet_enable_streaming_connections_worker_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-kubelet_read_only_port_secured_worker_ocil:questionnaire:1">
-          <ocil:title>kubelet - Ensure that the --read-only-port is secured</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-kubelet_read_only_port_secured_worker_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_logging_ocil:questionnaire:1">
-          <ocil:title>Ensure Audit Logging is Enabled</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_logging_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-configure_network_policies_namespaces_ocil:questionnaire:1">
-          <ocil:title>Ensure that application Namespaces have Network Policies defined.</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-configure_network_policies_namespaces_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-configure_network_policy_ocil:questionnaire:1">
-          <ocil:title>Ensure Network Policy is Enabled</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-configure_network_policy_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-configure_tls_ocil:questionnaire:1">
-          <ocil:title>Encrypt Traffic to Load Balancers and Workloads</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-configure_tls_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-control_plane_access_ocil:questionnaire:1">
-          <ocil:title>Restrict Access to the Control Plane Endpoint</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-control_plane_access_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-endpoint_configuration_ocil:questionnaire:1">
-          <ocil:title>Ensure Private Endpoint Access</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-endpoint_configuration_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-private_nodes_ocil:questionnaire:1">
-          <ocil:title>Ensure Cluster Private Nodes</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-private_nodes_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-approved_registries_ocil:questionnaire:1">
-          <ocil:title>Only use approved container registries</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-approved_registries_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-image_scanning_ocil:questionnaire:1">
-          <ocil:title>Ensure Image Vulnerability Scanning</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-image_scanning_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-read_only_registry_access_ocil:questionnaire:1">
-          <ocil:title>Ensure Cluster Service Account with read-only access to Amazon ECR</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-read_only_registry_access_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-registry_access_ocil:questionnaire:1">
-          <ocil:title>Minimize user access to Amazon ECR</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-registry_access_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-secret_encryption_ocil:questionnaire:1">
-          <ocil:title>Ensure Kubernetes Secrets are Encrypted</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-secret_encryption_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-file_groupowner_kubelet_conf_ocil:questionnaire:1">
-          <ocil:title>Verify Group Who Owns The Kubelet Configuration File</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-file_groupowner_kubelet_conf_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-file_groupowner_worker_kubeconfig_ocil:questionnaire:1">
-          <ocil:title>Verify Group Who Owns The Worker Kubeconfig File</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-file_groupowner_worker_kubeconfig_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-file_owner_kubelet_conf_ocil:questionnaire:1">
-          <ocil:title>Verify User Who Owns The Kubelet Configuration File</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-file_owner_kubelet_conf_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-file_owner_worker_kubeconfig_ocil:questionnaire:1">
-          <ocil:title>Verify User Who Owns The Worker Kubeconfig File</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-file_owner_worker_kubeconfig_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-file_permissions_kubelet_conf_ocil:questionnaire:1">
-          <ocil:title>Verify Permissions on The Kubelet Configuration File</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-file_permissions_kubelet_conf_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-file_permissions_worker_kubeconfig_ocil:questionnaire:1">
-          <ocil:title>Verify Permissions on the Worker Kubeconfig File</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-file_permissions_worker_kubeconfig_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-      </ocil:questionnaires>
-      <ocil:test_actions>
-        <ocil:boolean_question_test_action id="ocil:ssg-dedicated_service_accounts_action:testaction:1" question_ref="ocil:ssg-dedicated_service_accounts_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-iam_integration_action:testaction:1" question_ref="ocil:ssg-iam_integration_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-fargate_action:testaction:1" question_ref="ocil:ssg-fargate_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_anonymous_auth_worker_action:testaction:1" question_ref="ocil:ssg-kubelet_anonymous_auth_worker_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_authorization_mode_worker_action:testaction:1" question_ref="ocil:ssg-kubelet_authorization_mode_worker_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_configure_client_ca_worker_action:testaction:1" question_ref="ocil:ssg-kubelet_configure_client_ca_worker_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_enable_cert_rotation_worker_action:testaction:1" question_ref="ocil:ssg-kubelet_enable_cert_rotation_worker_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_enable_client_cert_rotation_action:testaction:1" question_ref="ocil:ssg-kubelet_enable_client_cert_rotation_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_enable_iptables_util_chains_action:testaction:1" question_ref="ocil:ssg-kubelet_enable_iptables_util_chains_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_enable_protect_kernel_defaults_action:testaction:1" question_ref="ocil:ssg-kubelet_enable_protect_kernel_defaults_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_enable_server_cert_rotation_worker_action:testaction:1" question_ref="ocil:ssg-kubelet_enable_server_cert_rotation_worker_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_enable_streaming_connections_worker_action:testaction:1" question_ref="ocil:ssg-kubelet_enable_streaming_connections_worker_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_read_only_port_secured_worker_action:testaction:1" question_ref="ocil:ssg-kubelet_read_only_port_secured_worker_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_logging_action:testaction:1" question_ref="ocil:ssg-audit_logging_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-configure_network_policies_namespaces_action:testaction:1" question_ref="ocil:ssg-configure_network_policies_namespaces_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-configure_network_policy_action:testaction:1" question_ref="ocil:ssg-configure_network_policy_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-configure_tls_action:testaction:1" question_ref="ocil:ssg-configure_tls_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-control_plane_access_action:testaction:1" question_ref="ocil:ssg-control_plane_access_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-endpoint_configuration_action:testaction:1" question_ref="ocil:ssg-endpoint_configuration_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-private_nodes_action:testaction:1" question_ref="ocil:ssg-private_nodes_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-approved_registries_action:testaction:1" question_ref="ocil:ssg-approved_registries_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-image_scanning_action:testaction:1" question_ref="ocil:ssg-image_scanning_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-read_only_registry_access_action:testaction:1" question_ref="ocil:ssg-read_only_registry_access_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-registry_access_action:testaction:1" question_ref="ocil:ssg-registry_access_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-secret_encryption_action:testaction:1" question_ref="ocil:ssg-secret_encryption_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-file_groupowner_kubelet_conf_action:testaction:1" question_ref="ocil:ssg-file_groupowner_kubelet_conf_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-file_groupowner_worker_kubeconfig_action:testaction:1" question_ref="ocil:ssg-file_groupowner_worker_kubeconfig_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-file_owner_kubelet_conf_action:testaction:1" question_ref="ocil:ssg-file_owner_kubelet_conf_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-file_owner_worker_kubeconfig_action:testaction:1" question_ref="ocil:ssg-file_owner_worker_kubeconfig_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-file_permissions_kubelet_conf_action:testaction:1" question_ref="ocil:ssg-file_permissions_kubelet_conf_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-file_permissions_worker_kubeconfig_action:testaction:1" question_ref="ocil:ssg-file_permissions_worker_kubeconfig_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-      </ocil:test_actions>
-      <ocil:questions>
-        <ocil:boolean_question id="ocil:ssg-dedicated_service_accounts_question:question:1">
-          <ocil:question_text>Audit:
-
-For each namespace in the cluster, review the rights assigned to the default
-service account and ensure that it has no roles or cluster roles bound to it
-apart from the defaults. Additionally ensure that the
-automountServiceAccountToken: false setting is in place for each
-default service account.
-
-Remediation:
-
-With IAM roles for service accounts on Amazon EKS clusters, you can associate
-an IAM role with a Kubernetes service account. This service account can then
-provide AWS permissions to the containers in any pod that uses that service
-account. With this feature, you no longer need to provide extended
-permissions to the worker node IAM role so that pods on that node can call
-AWS APIs.
-Applications must sign their AWS API requests with AWS credentials. This
-feature provides a strategy for managing credentials for your applications,
-similar to the way that Amazon EC2 instance profiles provide credentials to
-Amazon EC2 instances. Instead of creating and distributing your AWS
-credentials to the containers or using the Amazon EC2 instance&#x2019;s role, you
-can associate an IAM role with a Kubernetes service account. The applications
-in the pod&#x2019;s containers can then use an AWS SDK or the AWS CLI to make API
-requests to authorized AWS services.
-
-The IAM roles for service accounts feature provides the following benefits:
-
-
-  Least privilege &#x2014; By using the IAM roles for service accounts feature,
-  you no longer need to provide extended permissions to the worker node IAM
-  role so that pods on that node can call AWS APIs. You can scope IAM
-  permissions to a service account, and only pods that use that service
-  account have access to those permissions. This feature also eliminates the
-  need for third-party solutions such as kiam or kube2iam.
-  Credential isolation &#x2014; A container can only retrieve credentials for
-  the IAM role that is associated with the service account to which it
-  belongs. A container never has access to credentials that are intended for
-  another container that belongs to another pod.
-  Auditability &#x2014; Access and event logging is available through CloudTrail
-  to help ensure retrospective auditing.
-
-
-To get started, see Enabling IAM roles for service accounts on your cluster.
-For an end-to-end walkthrough using eksctl, see Walkthrough: Updating
-a DaemonSet to use IAM for service accounts.
-      Is it the case that dedicated service accounts are used?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-iam_integration_question:question:1">
-          <ocil:question_text>Audit:
-
-To Audit access to the namespace $NAMESPACE, assume the IAM role
-yourIAMRoleName for a user that you created, and then run the following
-command:
-
-$ kubectl get role -n $NAMESPACE
-The response lists the RBAC role that has access to this Namespace.
-
-Remediation:
-
-Refer to the 'Managing users or IAM roles for your cluster' in Amazon EKS
-documentation.
-
-https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html
-      Is it the case that authorization and authentication is managed using AWS IAM?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-fargate_question:question:1">
-          <ocil:question_text>Audit:
-Check the existence of Fargate profiles in the Amazon EKS cluster by using:
-
-aws --region ${AWS_REGION} eks list-fargate-profiles --cluster-name ${CLUSTER_NAME}
-Alternatively, to audit for the presence of a Fargate profile node run the
-following command:
-kubectl get nodes
-The response should include a NAME entry starting with "fargate-ip" for
-example:
-NAME STATUS ROLES AGE VERSION
-fargate-ip-192-168-104-74.us-east-2.compute.internal Ready 2m15s v1.14.8-eks
-
-Remediation:
-
-Create a Fargate profile for your cluster
-
-Before you can schedule pods running on Fargate in your cluster, you must define a Fargate
-profile that specifies which pods should use Fargate when they are launched. For more
-information, see AWS Fargate profile.
-
-Note
-If you created your cluster with eksctl using the --fargate option,
-then a Fargate profile has already been created for your cluster with
-selectors for all pods in the kube-system and default namespaces.
-Use the following procedure to create Fargate profiles for any other
-namespaces you would like to use with Fargate.
-
-via eksctl CLI
-
-Create your Fargate profile with the following eksctl command, replacing the
-variable text with your own values. You must specify a namespace, but the
-labels option is not required.
-eksctl create fargateprofile --cluster cluster_name --name
-fargate_profile_name --namespace kubernetes_namespace --labels key=value
-
-via AWS Management Console
-
-To create a Fargate profile for a cluster with the AWS Management Console
-
-
-  Open the Amazon EKS console at https://console.aws.amazon.com/eks/home#/clusters.
-  Choose the cluster to create a Fargate profile for.
-  Under Fargate profiles, choose Add Fargate profile.
-  On the Configure Fargate profile page, enter the following information
-  and choose. For Name, enter a unique name for your Fargate profile. For Pod
-  execution role, choose the pod execution role to use with your Fargate
-  profile. Only IAM roles with the eks-fargate-pods.amazonaws.com service principal
-  are shown. If you do not see any roles listed here, you must create one. For more
-  information, see Pod execution role. For Subnets, choose the subnets to use
-  for your pods. By default, all subnets in your cluster's VPC are selected.
-  Only private subnets are supported for pods running on Fargate; you must
-  deselect any public subnets. For Tags, you can optionally tag your Fargate
-  profile. These tags do not propagate to other resources associated with the
-  profile, such as its pods.
-  5. On the Configure pods selection page, enter the following
-  information and choose Next. list text hereFor Namespace, enter a namespace
-  to match for pods, such as kube-system or default. list text
-  here(Optional) Add Kubernetes labels to the selector that pods in the
-  specified namespace must have to match the selector. For example, you could
-  add the label infrastructure: fargate to the selector so that only pods in
-  the specified namespace that also have the infrastructure: fargate
-  Kubernetes label match the selector. 
-  On the Review and create page, review the information for your Fargate
-  profile and choose Create.
-
-      Is it the case that untrusted workloads are isolated?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kubelet_anonymous_auth_worker_question:question:1">
-          <ocil:question_text>Run the following command on the kubelet node(s):
-$ sudo grep -A1 anonymous /etc/kubernetes/kubelet/kubelet-config.json
-The output should return enabled: false.
-      Is it the case that &lt;tt&gt;anonymous&lt;/tt&gt; authentication is not set to &lt;tt&gt;false&lt;/tt&gt;?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kubelet_authorization_mode_worker_question:question:1">
-          <ocil:question_text>Run the following command on the kubelet node(s):
-$ sudo grep -A1 authorization /etc/kubernetes/kubelet/kubelet-config.json
-Verify that the output is not set to mode: AlwaysAllow, or missing
-(defaults to mode: Webhook).
-      Is it the case that &lt;tt&gt;authorization-mode&lt;/tt&gt; is not configured to &lt;tt&gt;Webhook&lt;/tt&gt;?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kubelet_configure_client_ca_worker_question:question:1">
-          <ocil:question_text>Run the following command on the kubelet node(s):
-$ sudo grep -A1 x509 /etc/kubernetes/kubelet/kubelet-config.json
-The output should contain a configured certificate like /etc/kubernetes/pki/ca.crt.
-      Is it the case that no client CA certificate has been configured?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kubelet_enable_cert_rotation_worker_question:question:1">
-          <ocil:question_text>Run the following command on the kubelet node(s):
-$ sudo grep rotateCertificates /etc/kubernetes/kubelet/kubelet-config.json
-The output should return nothing or true.
-      Is it the case that the kubelet cannot rotate client certificate?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kubelet_enable_client_cert_rotation_question:question:1">
-          <ocil:question_text>Run the following command on the kubelet node(s):
-$ sudo grep RotateKubeletClientCertificate /etc/kubernetes/kubelet/kubelet-config.json
-The output should return nothing or true.
-      Is it the case that the kubelet cannot rotate client certificate?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kubelet_enable_iptables_util_chains_question:question:1">
-          <ocil:question_text>Run the following command on the kubelet node(s):
-$ sudo grep makeIPTablesUtilChains /etc/kubernetes/kubelet/kubelet-config.json
-The output should return true.
-      Is it the case that the kubelet cannot modify the firewall settings?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kubelet_enable_protect_kernel_defaults_question:question:1">
-          <ocil:question_text>Run the following command on the kubelet node(s):
-$ sudo grep protectKernelDefaults /etc/kubernetes/kubelet/kubelet-config.json
-The output should return true.
-      Is it the case that the kubelet can modify kernel parameters?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kubelet_enable_server_cert_rotation_worker_question:question:1">
-          <ocil:question_text>Run the following command on the kubelet node(s):
-$ sudo grep RotateKubeletServerCertificate /etc/kubernetes/kubelet/kubelet-config.json
-The output should return true.
-      Is it the case that the kubelet cannot rotate server certificate?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kubelet_enable_streaming_connections_worker_question:question:1">
-          <ocil:question_text>Run the following command on the kubelet node(s):
-$ sudo grep streamingConnectionIdleTimeout /etc/kubernetes/kubelet/kubelet-config.json
-The output should return .
-      Is it the case that the streaming connection timeouts are not disabled?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kubelet_read_only_port_secured_worker_question:question:1">
-          <ocil:question_text>First, SSH to the relevant node.
-
-Open the Kubelet config file:
-
-  cat /etc/kubernetes/kubelet/kubelet-config.json
-
-Verify that the "readOnlyPort" argument exists and is set to 0
-      Is it the case that readOnlyPort is not secured?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_logging_question:question:1">
-          <ocil:question_text>Perform the following to determine if CloudTrail is enabled for all regions:
-Via the Management Console
-1. Sign in to the AWS Management Console and open the EKS console at https://console.aws.amazon.com/eks
-2. Click on Cluster Name of the cluster you are auditing
-3. Click Logging
-4. Ensure all 5 choices are set to Enabled
-Via CLI
-aws --region "${REGION_CODE}" eks describe-cluster --name "${CLUSTER_NAME}"  --query 'cluster.logging.clusterLogging[?enabled==true].types'
-
-Perform the following to determine if CloudTrail is enabled for all regions:
-Via The Management Console
-1. Sign in to the AWS Management Console and open the EKS console at https://console.aws.amazon.com/eks
-2. Click on Cluster Name of the cluster you are auditing
-3. Click Logging
-4. Select Manage Logging from the button on the right hand side
-5. Toggle each selection to the Enabled position.
-6. Click Save Changes
-      Is it the case that audit logging is enable?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-configure_network_policies_namespaces_question:question:1">
-          <ocil:question_text>Verify that the every non-control plane namespace has an appropriate
-NetworkPolicy.
-
-To get all the non-control plane namespaces, you can do the
-following command oc get  namespaces -o json | jq '[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default") | .metadata.name ]'
-
-To get all the non-control plane namespaces with a NetworkPolicy, you can do the
-following command oc get --all-namespaces networkpolicies -o json | jq '[.items[] | select((.metadata.namespace | startswith("openshift") | not) and (.metadata.namespace | startswith("kube-") | not) and .metadata.namespace != "default") | .metadata.namespace] | unique'
-
-Make sure that the namespaces displayed in the commands of the commands match.
-      Is it the case that Namespaced Network Policies needs review?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-configure_network_policy_question:question:1">
-          <ocil:question_text>Network Policy requires the Network Policy add-on. This add-on is included
-automatically when a cluster with Network Policy is created, but for an
-existing cluster, needs to be added prior to enabling Network Policy.
-
-Enabling/Disabling Network Policy causes a rolling update of all cluster
-nodes, similar to performing a cluster upgrade. This operation is
-long-running and will block other operations on the cluster (including
-delete) until it has run to completion.
-
-If Network Policy is used, a cluster must have at least 2 nodes of type
-n1-standard-1 or higher. The recommended minimum size cluster to run
-Network Policy enforcement is 3 n1-standard-1 instances.
-
-Enabling Network Policy enforcement consumes additional resources in nodes.
-Specifically, it increases the memory footprint of the kube-system
-process by approximately 128MB, and requires approximately 300 millicores of
-CPU.
-      Is it the case that network policy is enabled?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-configure_tls_question:question:1">
-          <ocil:question_text>For more information about protecting your workloads using TLS please refer
-to the AWS User Guide:
-
-https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/data-protection.html
-      Is it the case that connections to load balancers and workloads are encrypted with TLS?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-control_plane_access_question:question:1">
-          <ocil:question_text>Audit:
-Input:
-
-aws eks describe-cluster \
---region region \
---name clustername
-Output:
-...
-"endpointPublicAccess": false,
-"endpointPrivateAccess": true,
-"publicAccessCidrs": [
-"203.0.113.5/32"
-]
-...
-
-Remediation:
-Complete the following steps using the AWS CLI version 1.18.10 or later. You
-can check your current version with aws --version. To install or
-upgrade the AWS CLI, see Installing the AWS CLI.
-
-Update your cluster API server endpoint access with the following AWS CLI
-command. Substitute your cluster name and desired endpoint access values. If
-you set endpointPublicAccess=true, then you can (optionally) enter
-single CIDR block, or a comma- separated list of CIDR blocks for
-publicAccessCidrs. The blocks cannot include reserved addresses. If you
-specify CIDR blocks, then the public API server endpoint will only receive
-requests from the listed blocks. There is a maximum number of CIDR blocks
-that you can specify. For more information, see Amazon EKS Service Quotas. If
-you restrict access to your public endpoint using CIDR blocks, it is
-recommended that you also enable private endpoint access so that worker nodes
-and Fargate pods (if you use them) can communicate with the cluster. Without
-the private endpoint enabled, your public access endpoint CIDR sources must
-include the egress sources from your VPC. For example, if you have a worker
-node in a private subnet that communicates to the internet through a NAT
-Gateway, you will need to add the outbound IP address of the NAT gateway as
-part of a whitelisted CIDR block on your public endpoint. If you specify no
-CIDR blocks, then the public API server endpoint receives requests from all
-(0.0.0.0/0) IP addresses.
-
-Note
-The following command enables private access and public access from a single IP address
-for the API server endpoint. Replace 203.0.113.5/32 with a single CIDR block, or a comma-
-separated list of CIDR blocks that you want to restrict network access to.
-
-Example command:
-
-aws eks update-cluster-config \
---region region-code \
---name dev \
---resources-vpc-config \
-endpointPublicAccess=true, \
-publicAccessCidrs="203.0.113.5/32",\
-endpointPrivateAccess=true
-      Is it the case that the control plane endpoint is secure?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-endpoint_configuration_question:question:1">
-          <ocil:question_text>Configure the EKS cluster endpoint to be private. See Modifying Cluster
-Endpoint Access for further information on this topic.
-https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html
-      Is it the case that private acces is enabled and public access is disabled?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-private_nodes_question:question:1">
-          <ocil:question_text>To enable Private Nodes, the cluster has to also be configured with a private
-master IP range and IP Aliasing enabled. Private Nodes do not have outbound
-access to the public internet.
-
-If you want to provide outbound Internet access for your private nodes, you
-can use Cloud NAT or you can manage your own NAT gateway.
-      Is it the case that clusters are created with private nodes?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-approved_registries_question:question:1">
-          <ocil:question_text>Ensure all containers and images are coming from approved registries.
-
-References:
-
-https://aws.amazon.com/blogs/opensource/using-open-policy-agent-on-amazon-eks/
-      Is it the case that container images come from approved registries?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-image_scanning_question:question:1">
-          <ocil:question_text>Please follow AWS ECS or your 3rd party image scanning provider's guidelines
-for enabling Image Scanning.
-
-Remediation:
-
-To utilize AWS ECR for Image scanning please follow the steps below:
-
-To create a repository configured for scan on push (AWS CLI)
-
-aws ecr create-repository --repository-name $REPO_NAME --image-scanning- configuration scanOnPush=true --region $REGION_CODE
-
-To edit the settings of an existing repository (AWS CLI)
-
-aws ecr put-image-scanning-configuration --repository-name $REPO_NAME -- image-scanning-configuration scanOnPush=true --region $REGION_CODE
-
-Use the following steps to start a manual image scan using the AWS Management Console.
-
-1. Open the Amazon ECR console at https://console.aws.amazon.com/ecr/repositories.
-2. From the navigation bar, choose the Region to create your repository in.
-3. In the navigation pane, choose Repositories.
-4. On the Repositories page, choose the repository that contains the image to scan.
-5. On the Images page, select the image to scan and then choose Scan.
-      Is it the case that image vulnerability scanning is enabled?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-read_only_registry_access_question:question:1">
-          <ocil:question_text>Review AWS ECS worker node IAM role (NodeInstanceRole) IAM Policy Permissions
-to verify that they are set and the minimum required level. If utilizing a
-3rd party tool to scan images utilize the minimum required permission level
-required to interact with the cluster - generally this should be read-only.
-
-Remediation:
-
-You can use your Amazon ECR images with Amazon EKS, but you need to satisfy
-the following prerequisites.
-The Amazon EKS worker node IAM role (NodeInstanceRole) that you use with your
-worker nodes must possess the following IAM policy permissions for Amazon
-ECR.
-
-
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Action": [
-        "ecr:BatchCheckLayerAvailability",
-        "ecr:BatchGetImage",
-        "ecr:GetDownloadUrlForLayer",
-        "ecr:GetAuthorizationToken"
-      ],
-      "Resource": "*"
-    }
-  ]
-}
-
-      Is it the case that Cluster Service Account has read-only access to Amazon ECR?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-registry_access_question:question:1">
-          <ocil:question_text>Remediation:
-
-Before you use IAM to manage access to Amazon ECR, you should understand what
-IAM features are available to use with Amazon ECR. To get a high-level view
-of how Amazon ECR and other AWS services work with IAM, see AWS Services That
-Work with IAM in the IAM User Guide.
-
-Topics
-
-
-Amazon ECR Identity-Based Policies
-Amazon ECR Resource-Based Policies
-Authorization Based on Amazon ECR Tags
-Amazon ECR IAM Roles
-
-
-Amazon ECR Identity-Based Policies
-
-With IAM identity-based policies, you can specify allowed or denied actions
-and resources as well as the conditions under which actions are allowed or
-denied. Amazon ECR supports specific actions, resources, and condition keys.
-To learn about all of the elements that you use in a JSON policy, see IAM
-JSON Policy Elements Reference in the IAM User Guide.
-
-Actions
-
-The Action element of an IAM identity-based policy describes the specific
-action or actions that will be allowed or denied by the policy. Policy
-actions usually have the same name as the associated AWS API operation. The
-action is used in a policy to grant permissions to perform the associated
-operation.
-
-Policy actions in Amazon ECR use the following prefix before the action:
-ecr:. For example, to grant someone permission to create an Amazon ECR
-repository with the Amazon ECR CreateRepository API operation, you include
-the ecr:CreateRepository action in their policy. Policy statements must
-include either an Action or NotAction element. Amazon ECR defines its own set
-of actions that describe tasks that you can perform with this service. To
-specify multiple actions in a single statement, separate them with commas as
-follows: "Action": [ "ecr:action1", "ecr:action2" You can specify
-multiple actions using wildcards (*). For example, to specify all
-actions that begin with the word Describe, include the following action:
-"Action": "ecr:Describe*" To see a list of Amazon ECR actions, see
-Actions, Resources, and Condition Keys for Amazon Elastic Container
-Registry in the IAM User Guide.
-
-Resources
-
-The Resource element specifies the object or objects to which the action
-applies. Statements must include either a Resource or a NotResource element.
-You specify a resource using an ARN or using the wildcard (*) to
-indicate that the statement applies to all resources.
-
-An Amazon ECR repository resource has the following ARN:
-arn:${Partition}:ecr:${Region}:${Account}:repository/${Repository-name}
-For more information about the format of ARNs, see Amazon Resource Names
-(ARNs) and AWS Service Namespaces.
-For example, to specify the my-repo repository in the us-east-1 Region in
-your statement, use the following ARN:
-"Resource": "arn:aws:ecr:us-east-1:123456789012:repository/my-repo"
-To specify all repositories that belong to a specific account, use the
-wildcard (*): "Resource":
-"arn:aws:ecr:us-east-1:123456789012:repository/*"
-To specify multiple resources in a single statement, separate the ARNs with
-commas. "Resource": [ "resource1", "resource2"
-To see a list of Amazon ECR resource types and their ARNs, see Resources
-Defined by Amazon Elastic Container Registry in the IAM User Guide. To learn
-with which actions you can specify the ARN of each resource, see Actions
-Defined by Amazon Elastic Container Registry.
-
-Condition Keys
-
-The Condition element (or Condition block) lets you specify conditions in
-which a statement is in effect. The Condition element is optional. You can
-build conditional expressions that use condition operators, such as equals or
-less than, to match the condition in the policy with values in the request.
-If you specify multiple Condition elements in a statement, or multiple keys
-in a single Condition element, AWS evaluates them using a logical AND
-operation. If you specify multiple values for a single condition key, AWS
-evaluates the condition using a logical OR operation. All of the conditions
-must be met before the statement's permissions are granted.
-You can also use placeholder variables when you specify conditions. For
-example, you can grant an IAM user permission to access a resource only if it
-is tagged with their IAM user name. For more information, see IAM Policy
-Elements: Variables and Tags in the IAM User Guide.
-Amazon ECR defines its own set of condition keys and also supports using some global
-condition keys. To see all AWS global condition keys, see AWS Global Condition Context
-Keys in the IAM User Guide.
-Most Amazon ECR actions support the aws:ResourceTag and ecr:ResourceTag
-condition keys. For more information, see Using Tag-Based Access Control. To
-see a list of Amazon ECR condition keys, see Condition Keys Defined by Amazon
-Elastic Container Registry in the IAM User Guide. To learn with which actions
-and resources you can use a condition key, see Actions Defined by Amazon
-Elastic Container Registry.
-      Is it the case that access to the container image registry is restricted?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-secret_encryption_question:question:1">
-          <ocil:question_text>Audit:
-
-For Amazon EKS clusters with Secrets Encryption enabled, look for
-'encryptionConfig' configuration when you run:
-aws eks describe-cluster --name="cluster-name"
-
-Remediation:
-
-Enable 'Secrets Encryption' during Amazon EKS cluster creation as
-described in the links within the 'References' section.
-
-References:
-
-  https://docs.aws.amazon.com/eks/latest/userguide/create-cluster.html
-  https://eksworkshop.com/beginner/191_secrets/
-
-      Is it the case that kubernetes secrets are encrypted in etcd?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-file_groupowner_kubelet_conf_question:question:1">
-          <ocil:question_text>To check the group ownership of /etc/kubernetes/kubelet/kubelet-config.json,
-run the command:
-$ ls -lL /etc/kubernetes/kubelet/kubelet-config.json
-If properly configured, the output should indicate the following group-owner:
-root
-      Is it the case that /etc/kubernetes/kubelet/kubelet-config.json does not have a group owner of root?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-file_groupowner_worker_kubeconfig_question:question:1">
-          <ocil:question_text>To check the group ownership of /var/lib/kubelet/kubeconfig,
-run the command:
-$ ls -lL /var/lib/kubelet/kubeconfig
-If properly configured, the output should indicate the following group-owner:
-root
-      Is it the case that /var/lib/kubelet/kubeconfig does not have a group owner of root?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-file_owner_kubelet_conf_question:question:1">
-          <ocil:question_text>To check the ownership of /etc/kubernetes/kubelet/kubelet-config.json,
-run the command:
-$ ls -lL /etc/kubernetes/kubelet/kubelet-config.json
-If properly configured, the output should indicate the following owner:
-root
-      Is it the case that /etc/kubernetes/kubelet/kubelet-config.json does not have an owner of root?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-file_owner_worker_kubeconfig_question:question:1">
-          <ocil:question_text>To check the ownership of /var/lib/kubelet/kubeconfig,
-run the command:
-$ ls -lL /var/lib/kubelet/kubeconfig
-If properly configured, the output should indicate the following owner:
-root
-      Is it the case that /var/lib/kubelet/kubeconfig does not have an owner of root?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-file_permissions_kubelet_conf_question:question:1">
-          <ocil:question_text>To check the permissions of /etc/kubernetes/kubelet/kubelet-config.json,
-run the command:
-$ ls -l /etc/kubernetes/kubelet/kubelet-config.json
-If properly configured, the output should indicate the following permissions:
--rw-r--r--
-      Is it the case that /etc/kubernetes/kubelet/kubelet-config.json does not have unix mode -rw-r--r--?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-file_permissions_worker_kubeconfig_question:question:1">
-          <ocil:question_text>To check the permissions of /var/lib/kubelet/kubeconfig,
-run the command:
-$ ls -l /var/lib/kubelet/kubeconfig
-If properly configured, the output should indicate the following permissions:
--rw-r--r--
-      Is it the case that /var/lib/kubelet/kubeconfig does not have unix mode -rw-r--r--?
-      </ocil:question_text>
-        </ocil:boolean_question>
-      </ocil:questions>
-    </ocil:ocil>
-  </ds:component>
-  <ds:component id="scap_org.open-scap_comp_ssg-eks-cpe-oval.xml" timestamp="2022-08-11T18:55:42">
-    <oval-def:oval_definitions xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd         http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd         http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd         http://oval.mitre.org/XMLSchema/oval-definitions-5#unix unix-definitions-schema.xsd         http://oval.mitre.org/XMLSchema/oval-definitions-5#linux linux-definitions-schema.xsd">
-      <oval-def:generator>
-        <oval:product_name>combine_ovals.py from SCAP Security Guide</oval:product_name>
-        <oval:product_version>ssg: [0, 1, 64], python: 3.10.6</oval:product_version>
-        <oval:schema_version>5.11</oval:schema_version>
-        <oval:timestamp>2022-08-11T18:55:39</oval:timestamp>
-      </oval-def:generator>
-      <oval-def:definitions>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_alinux2:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Alibaba Cloud Linux 2</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:Alibaba Cloud Linux:2" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Alibaba Cloud Linux 2</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="Installed OS is part of the Unix family" definition_ref="oval:ssg-installed_OS_is_part_of_Unix_family:def:1"/>
-            <oval-def:criterion comment="Alibaba Cloud Linux 2 is installed" test_ref="oval:ssg-test_alinux2:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_alinux3:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Alibaba Cloud Linux 3</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:Alibaba Cloud Linux:3" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Alibaba Cloud Linux 3</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="Installed OS is part of the Unix family" definition_ref="oval:ssg-installed_OS_is_part_of_Unix_family:def:1"/>
-            <oval-def:criterion comment="Alibaba Cloud Linux 3 is installed" test_ref="oval:ssg-test_alinux3:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_centos7:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>CentOS 7</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:centos:centos:7" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is
-      CentOS 7</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="Installed OS is part of the Unix family" definition_ref="oval:ssg-installed_OS_is_part_of_Unix_family:def:1"/>
-            <oval-def:criterion comment="CentOS7 is installed" test_ref="oval:ssg-test_centos7:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_centos8:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>CentOS 8</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:centos:centos:8" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is
-      CentOS 8</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="Installed OS is part of the Unix family" definition_ref="oval:ssg-installed_OS_is_part_of_Unix_family:def:1"/>
-            <oval-def:criterion comment="OS is CentOS" test_ref="oval:ssg-test_centos8_name:tst:1"/>
-            <oval-def:criterion comment="OS version is 8" test_ref="oval:ssg-test_centos8_version:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_centos9:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>CentOS Stream 9</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:centos:centos:9" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is
-      CentOS Stream 9</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="Installed OS is part of the Unix family" definition_ref="oval:ssg-installed_OS_is_part_of_Unix_family:def:1"/>
-            <oval-def:criterion comment="OS is CentOS Stream" test_ref="oval:ssg-test_centos9_name:tst:1"/>
-            <oval-def:criterion comment="OS version is 9" test_ref="oval:ssg-test_centos9_version:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_debian:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Debian</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The operating system installed is a Debian System</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria comment="System is Debian" operator="AND">
-            <oval-def:extend_definition comment="Installed OS is part of the Unix family" definition_ref="oval:ssg-installed_OS_is_part_of_Unix_family:def:1"/>
-            <oval-def:criterion comment="Debian is installed" test_ref="oval:ssg-test_debian:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_debian10:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Debian Linux 10</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:debian:debian_linux:10" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Debian 10</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria comment="Debian Linux is version 10" operator="AND">
-            <oval-def:extend_definition comment="Debian is installed" definition_ref="oval:ssg-installed_OS_is_debian:def:1"/>
-            <oval-def:criterion comment="Debian10 is installed" test_ref="oval:ssg-test_debian_10:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_debian11:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Debian Linux 11</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:debian:debian_linux:11" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Debian 11</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria comment="Debian Linux is version 11" operator="AND">
-            <oval-def:extend_definition comment="Debian is installed" definition_ref="oval:ssg-installed_OS_is_debian:def:1"/>
-            <oval-def:criterion comment="Debian11 is installed" test_ref="oval:ssg-test_debian_11:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_debian9:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Debian 9</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:debian:debian_linux:9" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Debian 9</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria comment="current Debian version is Debian Stretch" operator="AND">
-            <oval-def:extend_definition comment="Debian is installed" definition_ref="oval:ssg-installed_OS_is_debian:def:1"/>
-            <oval-def:criterion comment="Debian9 is installed" test_ref="oval:ssg-test_debian_9:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_fedora:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Installed operating system is Fedora</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:fedoraproject:fedora:33" source="CPE"/>
-            <oval-def:reference ref_id="cpe:/o:fedoraproject:fedora:34" source="CPE"/>
-            <oval-def:reference ref_id="cpe:/o:fedoraproject:fedora:35" source="CPE"/>
-            <oval-def:reference ref_id="cpe:/o:fedoraproject:fedora:36" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Fedora</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="Installed OS is part of the Unix family" definition_ref="oval:ssg-installed_OS_is_part_of_Unix_family:def:1"/>
-            <oval-def:criterion comment="fedora-release RPM packages are installed" test_ref="oval:ssg-test_fedora_release_rpm:tst:1"/>
-            <oval-def:criterion comment="CPE vendor is 'fedoraproject' and product is 'fedora'" test_ref="oval:ssg-test_fedora_vendor_product:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_ol7_family:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Oracle Linux 7</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:oracle:linux:7" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is
-      Oracle Linux 7</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:extend_definition comment="Installed OS is part of the Unix family" definition_ref="oval:ssg-installed_OS_is_part_of_Unix_family:def:1"/>
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="Oracle Linux 7 System is installed" test_ref="oval:ssg-test_ol7_system:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_ol8_family:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Oracle Linux 8</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:oracle:linux:8" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is
-      Oracle Linux 8</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:extend_definition comment="Installed OS is part of the Unix family" definition_ref="oval:ssg-installed_OS_is_part_of_Unix_family:def:1"/>
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="Oracle Linux 8 System is installed" test_ref="oval:ssg-test_ol8_system:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_ol9_family:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Oracle Linux 9</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:oracle:linux:9" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is
-      Oracle Linux 9</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:extend_definition comment="Installed OS is part of the Unix family" definition_ref="oval:ssg-installed_OS_is_part_of_Unix_family:def:1"/>
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="Oracle Linux 9 System is installed" test_ref="oval:ssg-test_ol9_system:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_opensuse:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>openSUSE</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The operating system installed on the system is openSUSE.</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="Installed OS is part of the Unix family" definition_ref="oval:ssg-installed_OS_is_part_of_Unix_family:def:1"/>
-            <oval-def:criterion comment="openSUSE is installed" test_ref="oval:ssg-test_opensuse_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_opensuse_leap15:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>openSUSE Leap 15</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:opensuse:leap:15.0" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is openSUSE Leap 15.</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="openSUSE is installed" definition_ref="oval:ssg-installed_OS_is_opensuse:def:1"/>
-            <oval-def:criterion comment="openSUSE Leap 15 is installed" test_ref="oval:ssg-test_opensuse_leap15_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_opensuse_leap42:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>openSUSE Leap 42</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:opensuse:leap:42.1" source="CPE"/>
-            <oval-def:reference ref_id="cpe:/o:opensuse:leap:42.2" source="CPE"/>
-            <oval-def:reference ref_id="cpe:/o:opensuse:leap:42.3" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is openSUSE Leap 42.</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="openSUSE is installed" definition_ref="oval:ssg-installed_OS_is_opensuse:def:1"/>
-            <oval-def:criterion comment="openSUSE Leap 42 is installed" test_ref="oval:ssg-test_opensuse_leap42_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_part_of_Unix_family:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Installed operating system is part of the Unix family</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The operating system installed on the system is part of the Unix OS family</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Installed operating system is part of the unix family" test_ref="oval:ssg-test_unix_family:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_rhcos4:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Red Hat Enterprise Linux CoreOS</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:redhat:enterprise_linux_coreos:4" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is
-      Red Hat Enterprise Linux CoreOS release 4</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion comment="RHCOS is installed" test_ref="oval:ssg-test_rhcos:tst:1"/>
-              <oval-def:criterion comment="RHCOS version 4 is installed" test_ref="oval:ssg-test_rhcos4:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_rhel7:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Red Hat Enterprise Linux 7</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:redhat:enterprise_linux:7" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is
-      Red Hat Enterprise Linux 7</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Installed operating system is part of the unix family" test_ref="oval:ssg-test_rhel7_unix_family:tst:1"/>
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="RHEL 7 Client is installed" test_ref="oval:ssg-test_rhel7_client:tst:1"/>
-              <oval-def:criterion comment="RHEL 7 Workstation is installed" test_ref="oval:ssg-test_rhel7_workstation:tst:1"/>
-              <oval-def:criterion comment="RHEL 7 Server is installed" test_ref="oval:ssg-test_rhel7_server:tst:1"/>
-              <oval-def:criterion comment="RHEL 7 Compute Node is installed" test_ref="oval:ssg-test_rhel7_computenode:tst:1"/>
-              <oval-def:criteria operator="AND" comment="Red Hat Enterprise Virtualization Host is installed">
-                <oval-def:criterion comment="Red Hat Virtualization Host (RHVH)" test_ref="oval:ssg-test_rhvh4_version:tst:1"/>
-                <oval-def:criterion comment="Red Hat Enterprise Virtualization Host is based on RHEL 7" test_ref="oval:ssg-test_rhevh_rhel7_version:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_rhel8:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Red Hat Enterprise Linux 8</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:redhat:enterprise_linux:8" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is
-      Red Hat Enterprise Linux 8</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Installed operating system is part of the unix family" test_ref="oval:ssg-test_rhel8_unix_family:tst:1"/>
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="RHEL 8 is installed" test_ref="oval:ssg-test_rhel8:tst:1"/>
-              <oval-def:criteria operator="AND" comment="Red Hat Enterprise Virtualization Host is installed">
-                <oval-def:criterion comment="Red Hat Virtualization Host (RHVH)" test_ref="oval:ssg-test_rhvh4_version:tst:1"/>
-                <oval-def:criterion comment="Red Hat Enterprise Virtualization Host is based on RHEL 8" test_ref="oval:ssg-test_rhevh_rhel8_version:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_rhel8_0:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Red Hat Enterprise Linux 8.0</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:redhat:enterprise_linux:8.0" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Red Hat Enterprise Linux 8.0</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="RHEL 8.0 is installed" test_ref="oval:ssg-test_rhel8_0:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_rhel8_1:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Red Hat Enterprise Linux 8.1</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:redhat:enterprise_linux:8.1" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Red Hat Enterprise Linux 8.1</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="RHEL 8.1 is installed" test_ref="oval:ssg-test_rhel8_1:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_rhel8_2:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Red Hat Enterprise Linux 8.2</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:redhat:enterprise_linux:8.2" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Red Hat Enterprise Linux 8.2</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="RHEL 8.2 is installed" test_ref="oval:ssg-test_rhel8_2:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_rhel8_3:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Red Hat Enterprise Linux 8.3</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:redhat:enterprise_linux:8.3" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Red Hat Enterprise Linux 8.3</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="RHEL 8.3 is installed" test_ref="oval:ssg-test_rhel8_3:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_rhel8_4:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Red Hat Enterprise Linux 8.4</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:redhat:enterprise_linux:8.4" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Red Hat Enterprise Linux 8.4</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="RHEL 8.4 is installed" test_ref="oval:ssg-test_rhel8_4:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_rhel8_5:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Red Hat Enterprise Linux 8.5</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:redhat:enterprise_linux:8.5" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Red Hat Enterprise Linux 8.5</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="RHEL 8.5 is installed" test_ref="oval:ssg-test_rhel8_5:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_rhel8_6:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Red Hat Enterprise Linux 8.6</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:redhat:enterprise_linux:8.6" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Red Hat Enterprise Linux 8.6</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="RHEL 8.6 is installed" test_ref="oval:ssg-test_rhel8_6:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_rhel8_7:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Red Hat Enterprise Linux 8.7</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:redhat:enterprise_linux:8.7" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Red Hat Enterprise Linux 8.7</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="RHEL 8.7 is installed" test_ref="oval:ssg-test_rhel8_7:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_rhel8_8:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Red Hat Enterprise Linux 8.8</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:redhat:enterprise_linux:8.8" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Red Hat Enterprise Linux 8.8</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="RHEL 8.8 is installed" test_ref="oval:ssg-test_rhel8_8:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_rhel8_9:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Red Hat Enterprise Linux 8.9</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:redhat:enterprise_linux:8.9" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Red Hat Enterprise Linux 8.9</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="RHEL 8.9 is installed" test_ref="oval:ssg-test_rhel8_9:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_rhel8_10:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Red Hat Enterprise Linux 8.10</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:redhat:enterprise_linux:8.10" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Red Hat Enterprise Linux 8.10</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="RHEL 8.10 is installed" test_ref="oval:ssg-test_rhel8_10:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_rhel9:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Red Hat Enterprise Linux 9</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:redhat:enterprise_linux:9" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is
-      Red Hat Enterprise Linux 9</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Installed operating system is part of the unix family" test_ref="oval:ssg-test_rhel9_unix_family:tst:1"/>
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="RHEL 9 is installed" test_ref="oval:ssg-test_rhel9:tst:1"/>
-              <oval-def:criteria operator="AND" comment="Red Hat Enterprise Virtualization Host is installed">
-                <oval-def:criterion comment="Red Hat Virtualization Host (RHVH)" test_ref="oval:ssg-test_rhvh4_version:tst:1"/>
-                <oval-def:criterion comment="Red Hat Enterprise Virtualization Host is based on RHEL 9" test_ref="oval:ssg-test_rhevh_rhel9_version:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_rhv4:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Red Hat Virtualization 4</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:redhat:virtualization:4" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is
-      Red Hat Virtualization Host 4.4+ or Red Hat Enterprise Host.</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:extend_definition comment="RHEL8 OS installed" definition_ref="oval:ssg-installed_OS_is_rhel8:def:1"/>
-            <oval-def:criterion comment="Red Hat Virtualization Host (RHVH)" test_ref="oval:ssg-test_rhvh4_version:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_sl7:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Scientific Linux 7</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:scientificlinux:scientificlinux:7" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is
-      Scientific Linux 7</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="Installed OS is part of the Unix family" definition_ref="oval:ssg-installed_OS_is_part_of_Unix_family:def:1"/>
-            <oval-def:criterion comment="Scientific Linux 7 is installed" test_ref="oval:ssg-test_sl7:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_sle12:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>SUSE Linux Enterprise 12</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:suse:linux_enterprise_server:12" source="CPE"/>
-            <oval-def:reference ref_id="cpe:/o:suse:linux_enterprise_desktop:12" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is
-      SUSE Linux Enterprise 12.</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Installed operating system is part of the unix family" test_ref="oval:ssg-test_sle12_unix_family:tst:1"/>
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="SLE 12 Desktop is installed" test_ref="oval:ssg-test_sle12_desktop:tst:1"/>
-              <oval-def:criterion comment="SLE 12 Server is installed" test_ref="oval:ssg-test_sle12_server:tst:1"/>
-              <oval-def:criterion comment="SLES 12 for SAP Applications is installed" test_ref="oval:ssg-test_sles_12_for_sap:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_sle15:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>SUSE Linux Enterprise 15</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:suse:linux_enterprise_server:15" source="CPE"/>
-            <oval-def:reference ref_id="cpe:/o:suse:linux_enterprise_desktop:15" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is
-      SUSE Linux Enterprise 15.</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Installed operating system is part of the unix family" test_ref="oval:ssg-test_sle15_unix_family:tst:1"/>
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="SLE 15 Desktop is installed" test_ref="oval:ssg-test_sle15_desktop:tst:1"/>
-              <oval-def:criterion comment="SLE 15 Server is installed" test_ref="oval:ssg-test_sle15_server:tst:1"/>
-              <oval-def:criterion comment="SLES 15 for SAP Applications is installed" test_ref="oval:ssg-test_sles_15_for_sap:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_ubuntu:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ubuntu</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The operating system installed is an Ubuntu System</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria comment="System is Ubuntu" operator="AND">
-            <oval-def:extend_definition comment="Installed OS is part of the Unix family" definition_ref="oval:ssg-installed_OS_is_part_of_Unix_family:def:1"/>
-            <oval-def:criterion comment="lsb-based distrib" test_ref="oval:ssg-test_lsb:tst:1"/>
-            <oval-def:criterion comment="Ubuntu is installed" test_ref="oval:ssg-test_ubuntu:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_ubuntu1604:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ubuntu 1604</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:canonical:ubuntu_linux:16.04" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Ubuntu 1604</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria comment="current Ubuntu version is Xenial" operator="AND">
-            <oval-def:extend_definition comment="Ubuntu is installed" definition_ref="oval:ssg-installed_OS_is_ubuntu:def:1"/>
-            <oval-def:criterion comment="Xenial is installed" test_ref="oval:ssg-test_ubuntu_xenial:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_ubuntu1804:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ubuntu 1804</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:canonical:ubuntu_linux:18.04" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Ubuntu 1804</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria comment="current Ubuntu version is Bionic" operator="AND">
-            <oval-def:extend_definition comment="Ubuntu is installed" definition_ref="oval:ssg-installed_OS_is_ubuntu:def:1"/>
-            <oval-def:criterion comment="Bionic is installed" test_ref="oval:ssg-test_ubuntu_bionic:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_ubuntu2004:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ubuntu 2004</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:canonical:ubuntu_linux:20.04" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Ubuntu 2004</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria comment="current Ubuntu version is Focal" operator="AND">
-            <oval-def:extend_definition comment="Ubuntu is installed" definition_ref="oval:ssg-installed_OS_is_ubuntu:def:1"/>
-            <oval-def:criterion comment="Focal is installed" test_ref="oval:ssg-test_ubuntu_focal:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_uos20:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>UnionTech OS Server 20</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:UnionTech OS Server:20" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is UnionTech OS Server 20</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="Installed OS is part of the Unix family" definition_ref="oval:ssg-installed_OS_is_part_of_Unix_family:def:1"/>
-            <oval-def:criterion comment="UnionTech OS Server 20 is installed" test_ref="oval:ssg-test_uos20:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_app_is_eks:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Amazon Elastic Kubernetes Service</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/a:amazon:elastic_kubernetes_service:1" source="CPE"/>
-            <oval-def:description>The application installed installed on the system is EKS.</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="cluster is EKS" test_ref="oval:ssg-test_eks:tst:1"/>
-            <oval-def:criterion comment="Make sure kubernetes version is present" test_ref="oval:ssg-test_file_for_eks:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_app_is_eks_1_21:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Amazon Elastic Kubernetes Service 1.21</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/a:amazon:elastic_kubernetes_service:1.21" source="CPE"/>
-            <oval-def:description>The application installed installed on the system is Amazon Elastic Kubernetes Service 1.21.</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="cluster is EKS 1.21" test_ref="oval:ssg-test_eks_1_21:tst:1"/>
-            <oval-def:criterion comment="Make sure kubernetes version is present" test_ref="oval:ssg-test_file_for_eks:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_app_is_eks_node:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Amazon Elastic Kubernetes Service Node</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:amazon:elastic_kubernetes_service_node:1" source="CPE"/>
-            <oval-def:description>The application installed installed on the system is EKS 4.</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Kubelet is installed" test_ref="oval:ssg-test_kubelet_kubeconfig_exists:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_app_is_rhv4:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Red Hat Virtualization 4</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/a:redhat:virtualization:4" source="CPE"/>
-            <oval-def:description>The application installed installed on the system is
-      Red Hat Virtualization 4.</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:extend_definition comment="RHEL7 OS installed" definition_ref="oval:ssg-installed_OS_is_rhel7:def:1"/>
-            <oval-def:criterion comment="Red Hat Virtualization Manager (RHVM)" test_ref="oval:ssg-test_rhevm4_version:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_audit_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package audit is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package audit is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:audit" source="CPE"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package audit is installed" test_ref="oval:ssg-test_env_has_audit_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_chrony_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package chrony is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package chrony is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:chrony" source="CPE"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package chrony is installed" test_ref="oval:ssg-test_env_has_chrony_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_gdm_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package gdm is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package gdm is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:gdm" source="CPE"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package gdm is installed" test_ref="oval:ssg-test_env_has_gdm_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_grub2_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package grub2 is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package grub2-common is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:grub2" source="CPE"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="Package grub2-common is installed" test_ref="oval:ssg-test_env_has_grub2_installed:tst:1"/>
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="Test for ppcle64 architecture" test_ref="oval:ssg-test_system_info_architecture_ppcle_64:tst:1" negate="true"/>
-              <oval-def:criterion comment="Test if OPAL is not used" test_ref="oval:ssg-test_system_using_opal:tst:1" negate="true"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_libuser_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package libuser is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package libuser is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:libuser" source="CPE"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package libuser is installed" test_ref="oval:ssg-test_env_has_libuser_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_login_defs:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package providing /etc/login.defs is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package providing /etc/login.defs and is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:login_defs" source="CPE"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package providing /etc/login.defs is installed" test_ref="oval:ssg-test_env_has_login_defs_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_net-snmp_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package net-snmp is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package net-snmp is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:net-snmp" source="CPE"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package net-snmp is installed" test_ref="oval:ssg-test_env_has_net-snmp_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_no_ovirt:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Check if the system doesn't act as an oVirt host or manager</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check if the system has neither ovirt-host nor ovirt-engine installed.</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:extend_definition comment="Package ovirt-host is not installed" definition_ref="oval:ssg-installed_env_has_ovirt:def:1" negate="true"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_nss-pam-ldapd_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package nss-pam-ldapd is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package nss-pam-ldapd is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:nss-pam-ldapd" source="CPE"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package nss-pam-ldapd is installed" test_ref="oval:ssg-test_env_has_nss-pam-ldapd_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_ntp_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package ntp is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package ntp is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:ntp" source="CPE"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package ntp is installed" test_ref="oval:ssg-test_env_has_ntp_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_ovirt:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Check if the system acts as an oVirt host or manager</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check if the system has ovirt-host or ovirt-engine installed</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:ovirt-host" source="CPE"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criterion comment="Package ovirt-host is installed" test_ref="oval:ssg-test_env_has_ovirt-host_installed:tst:1"/>
-            <oval-def:criterion comment="Package ovirt-engine is installed" test_ref="oval:ssg-test_env_has_ovirt-engine_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_pam_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package pam is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package pam is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:pam" source="CPE"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package pam is installed" test_ref="oval:ssg-test_env_has_pam_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_polkit_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package polkit is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package polkit is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:polkit" source="CPE"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package polkit is installed" test_ref="oval:ssg-test_env_has_polkit_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_postfix_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package postfix is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package postfix is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:postfix" source="CPE"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package postfix is installed" test_ref="oval:ssg-test_env_has_postfix_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_sssd-common_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package sssd-common is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package sssd-common is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:sssd" source="CPE"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package sssd-common is installed" test_ref="oval:ssg-test_env_has_sssd-common_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_sudo_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package sudo is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package sudo is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:sudo" source="CPE"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package sudo is installed" test_ref="oval:ssg-test_env_has_sudo_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_systemd_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package systemd is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package systemd is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:systemd" source="CPE"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package systemd is installed" test_ref="oval:ssg-test_env_has_systemd_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_tftp_server_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package tftp-server is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package tftp-server is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:tftp-server" source="CPE"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package tftp-server is installed" test_ref="oval:ssg-test_env_has_tftp_server_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_tmux_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package tmux is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package tmux is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:tmux" source="CPE"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package tmux is installed" test_ref="oval:ssg-test_env_has_tmux_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_usbguard_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package usbguard is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package usbguard is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:usbguard" source="CPE"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package usbguard is installed" test_ref="oval:ssg-test_env_has_usbguard_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_wifi_interface:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>WiFi interface is present</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if any wifi interface is present.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:wifi-iface" source="CPE"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="WiFi interface is present" test_ref="oval:ssg-test_proc_net_wireless_exists:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_yum_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package yum is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package yum is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:yum" source="CPE"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package yum is installed" test_ref="oval:ssg-test_env_has_yum_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_zipl_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>System uses zIPL</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if system uses zIPL bootloader.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:zipl" source="CPE"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package s390utils-base is installed" test_ref="oval:ssg-test_env_has_zipl_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_is_a_container:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Check if the scan target is a container</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check for presence of files characterizing container filesystems.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:container" source="CPE"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criterion comment="Check if /.dockerenv exists" test_ref="oval:ssg-test_installed_env_is_a_docker_container:tst:1"/>
-            <oval-def:criterion comment="Check if /run/.containerenv exists" test_ref="oval:ssg-test_installed_env_is_a_podman_container:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_is_a_machine:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Check if the scan target is a machine</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check for absence of files characterizing container filesystems.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:machine" source="CPE"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:extend_definition comment="If environment is not a container, it is machine" definition_ref="oval:ssg-installed_env_is_a_container:def:1" negate="true"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-krb5_server_older_than_1_17_18:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Kerberos server is older than 1.17-18</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/a:krb5_server_older_than_1_17-18" source="CPE"/>
-            <oval-def:description>Check if version of Kerberos server is lesser than 1.17-18
-            </oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria comment="Kerberos server version is lesser than 1.17-18" operator="OR">
-            <oval-def:criterion comment="Check if version of Kerberos server is lesser than 1.17-18" test_ref="oval:ssg-test_krb5_server_version_1_17_18:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-krb5_workstation_older_than_1_17_18:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Kerberos workstation is older than 1.17-18</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/a:krb5_workstation_older_than_1_17-18" source="CPE"/>
-            <oval-def:description>Check if version of Kerberos workstation is lesser than 1.17-18
-            </oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria comment="Kerberos workstation version is lesser than 1.17-18" operator="OR">
-            <oval-def:criterion comment="Check if version of Kerberos workstation is lesser than 1.17-18" test_ref="oval:ssg-test_krb5_workstation_version_1_17_18:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Test that the architecture is aarch64</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check that architecture of kernel in /proc/sys/kernel/osrelease is aarch64</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Architecture is aarch64" test_ref="oval:ssg-test_proc_sys_kernel_osrelease_arch_aarch64:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-proc_sys_kernel_osrelease_arch_not_aarch64:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Test for different architecture than aarch64</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check that architecture of kernel in /proc/sys/kernel/osrelease is not aarch64</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:extend_definition comment="Architecture is not aarch64" definition_ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1" negate="true"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Test for different architecture than s390x</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check that architecture of kernel in /proc/sys/kernel/osrelease is not s390x</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:extend_definition comment="Architecture is not s390x" definition_ref="oval:ssg-proc_sys_kernel_osrelease_arch_s390x:def:1" negate="true"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-proc_sys_kernel_osrelease_arch_ppc64le:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Test that the architecture is ppc64le</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check that architecture of kernel in /proc/sys/kernel/osrelease is ppc64le</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Architecture is ppc64le" test_ref="oval:ssg-test_proc_sys_kernel_osrelease_arch_ppc64le:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-proc_sys_kernel_osrelease_arch_s390x:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Test that the architecture is s390x</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check that architecture of kernel in /proc/sys/kernel/osrelease is s390x</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Architecture is s390x" test_ref="oval:ssg-test_proc_sys_kernel_osrelease_arch_s390x:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-sssd_conf_uses_ldap:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>SSSD is configured to use LDAP</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Identification provider is not set to ad within /etc/sssd/sssd.conf</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:sssd-ldap" source="CPE"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Identification provider is not set to ad within /etc/sssd/sssd.conf" test_ref="oval:ssg-test_id_provider_is_set_to_ad:tst:1" negate="true"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-system_boot_mode_is_non_uefi:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Non-UEFI system boot mode check</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check if System boot mode is non-UEFI.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:non-uefi" source="CPE"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:extend_definition definition_ref="oval:ssg-system_boot_mode_is_uefi:def:1" negate="true" comment="Pass if System boot mode is non-UEFI"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-system_boot_mode_is_uefi:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>UEFI system boot mode check</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Amazon Elastic Kubernetes Service</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check if system boot mode is UEFI.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:uefi" source="CPE"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion test_ref="oval:ssg-test_efi_dir_existence:tst:1" comment="check if /sys/firmware/efi folder exists"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-      </oval-def:definitions>
-      <oval-def:tests>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="alinux-release is version 2" id="oval:ssg-test_alinux2:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_alinux2:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_alinux2:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="alinux-release is version 3" id="oval:ssg-test_alinux3:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_alinux3:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_alinux3:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="centos-release is version 7" id="oval:ssg-test_centos7:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_centos7:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_centos7:ste:1"/>
-        </linux:rpminfo_test>
-        <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check os-release ID" id="oval:ssg-test_centos8_name:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_name_centos8:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_name_centos8:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="Check os-release VERSION_ID" id="oval:ssg-test_centos8_version:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_version_centos8:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_version_centos8:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check os-release ID" id="oval:ssg-test_centos9_name:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_name_centos9:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_name_centos9:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="Check os-release VERSION_ID" id="oval:ssg-test_centos9_version:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_version_centos9:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_version_centos9:ste:1"/>
-        </ind:textfilecontent54_test>
-        <unix:file_test check="all" check_existence="all_exist" comment="/etc/debian_version exists" id="oval:ssg-test_debian:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-obj_debian:obj:1"/>
-        </unix:file_test>
-        <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check Debian version" id="oval:ssg-test_debian_10:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_debian_10:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check Debian version" id="oval:ssg-test_debian_11:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_debian_11:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check Debian version" id="oval:ssg-test_debian_9:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_debian_9:obj:1"/>
-        </ind:textfilecontent54_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="fedora-release RPM packages are installed" id="oval:ssg-test_fedora_release_rpm:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-object_fedora_release_rpm:obj:1"/>
-        </linux:rpminfo_test>
-        <ind:textfilecontent54_test check="all" comment="CPE vendor is 'fedoraproject' and 'product' is fedora" id="oval:ssg-test_fedora_vendor_product:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_fedora_vendor_product:obj:1"/>
-        </ind:textfilecontent54_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="oraclelinux-release is version 7" id="oval:ssg-test_ol7_system:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_ol7_system:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_ol7_system:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="oraclelinux-release is version 8" id="oval:ssg-test_ol8_system:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_ol8_system:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_ol8_system:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="oraclelinux-release is version 9" id="oval:ssg-test_ol9_system:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_ol9_system:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_ol9_system:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="openSUSE is installed" id="oval:ssg-test_opensuse_installed:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_opensuse_installed:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_opensuse_installed:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="openSUSE Leap 15 is installed" id="oval:ssg-test_opensuse_leap15_installed:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_opensuse_leap15_installed:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_opensuse_leap15_installed:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="openSUSE Leap 42 is installed" id="oval:ssg-test_opensuse_leap42_installed:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_opensuse_leap42_installed:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_opensuse_leap42_installed:ste:1"/>
-        </linux:rpminfo_test>
-        <ind:family_test id="oval:ssg-test_unix_family:tst:1" check="all" check_existence="at_least_one_exists" comment="Test installed OS is part of the unix family" version="1">
-          <ind:object object_ref="oval:ssg-object_unix_family:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_unix_family:ste:1"/>
-        </ind:family_test>
-        <ind:textfilecontent54_test check="all" comment="os-release is rhcos" id="oval:ssg-test_rhcos:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_rhcos:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_rhcos:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="rhcoreos is version 4" id="oval:ssg-test_rhcos4:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_rhcos4:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_rhcos4:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:family_test check="all" check_existence="at_least_one_exists" comment="installed OS part of unix family" id="oval:ssg-test_rhel7_unix_family:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_rhel7_unix_family:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_rhel7_unix_family:ste:1"/>
-        </ind:family_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release-client is version 7" id="oval:ssg-test_rhel7_client:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhel7_client:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhel7_client:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release-workstation is version 7" id="oval:ssg-test_rhel7_workstation:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhel7_workstation:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhel7_workstation:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release-server is version 7" id="oval:ssg-test_rhel7_server:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhel7_server:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhel7_server:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release-computenode is version 7" id="oval:ssg-test_rhel7_computenode:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhel7_computenode:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhel7_computenode:ste:1"/>
-        </linux:rpminfo_test>
-        <ind:textfilecontent54_test check="all" comment="RHEVH base RHEL is version 7" id="oval:ssg-test_rhevh_rhel7_version:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_rhevh_rhel7_version:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_rhevh_rhel7_version:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:family_test check="all" check_existence="at_least_one_exists" comment="installed OS part of unix family" id="oval:ssg-test_rhel8_unix_family:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_rhel8_unix_family:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_rhel8_unix_family:ste:1"/>
-        </ind:family_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release is version 8" id="oval:ssg-test_rhel8:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhel8:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhel8:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release is version 8.0" id="oval:ssg-test_rhel8_0:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhel8_0:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhel8_0:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release is version 8.1" id="oval:ssg-test_rhel8_1:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhel8_1:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhel8_1:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release is version 8.2" id="oval:ssg-test_rhel8_2:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhel8_2:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhel8_2:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release is version 8.3" id="oval:ssg-test_rhel8_3:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhel8_3:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhel8_3:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release is version 8.4" id="oval:ssg-test_rhel8_4:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhel8_4:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhel8_4:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release is version 8.5" id="oval:ssg-test_rhel8_5:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhel8_5:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhel8_5:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release is version 8.6" id="oval:ssg-test_rhel8_6:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhel8_6:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhel8_6:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release is version 8.7" id="oval:ssg-test_rhel8_7:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhel8_7:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhel8_7:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release is version 8.8" id="oval:ssg-test_rhel8_8:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhel8_8:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhel8_8:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release is version 8.9" id="oval:ssg-test_rhel8_9:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhel8_9:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhel8_9:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release is version 8.10" id="oval:ssg-test_rhel8_10:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhel8_10:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhel8_10:ste:1"/>
-        </linux:rpminfo_test>
-        <ind:textfilecontent54_test check="all" comment="RHEVH base RHEL is version 8" id="oval:ssg-test_rhevh_rhel8_version:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_rhevh_rhel8_version:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_rhevh_rhel8_version:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:family_test check="all" check_existence="at_least_one_exists" comment="installed OS part of unix family" id="oval:ssg-test_rhel9_unix_family:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_rhel9_unix_family:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_rhel9_unix_family:ste:1"/>
-        </ind:family_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release is version 9" id="oval:ssg-test_rhel9:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhel9:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhel9:ste:1"/>
-        </linux:rpminfo_test>
-        <ind:textfilecontent54_test check="all" comment="RHEVH base RHEL is version 9" id="oval:ssg-test_rhevh_rhel9_version:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_rhevh_rhel9_version:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_rhevh_rhel9_version:ste:1"/>
-        </ind:textfilecontent54_test>
-        <linux:rpminfo_test check="all" check_existence="only_one_exists" comment="redhat-release-virtualization-host RPM package is installed" id="oval:ssg-test_rhvh4_version:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhvh4_version:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhvh4_version:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="sl-release is version 7" id="oval:ssg-test_sl7:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_sl7:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_sl7:ste:1"/>
-        </linux:rpminfo_test>
-        <ind:family_test check="all" check_existence="at_least_one_exists" comment="installed OS part of unix family" id="oval:ssg-test_sle12_unix_family:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_sle12_unix_family:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sle12_unix_family:ste:1"/>
-        </ind:family_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="sled-release is version 6" id="oval:ssg-test_sle12_desktop:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_sle12_desktop:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_sle12_desktop:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="sles-release is version 6" id="oval:ssg-test_sle12_server:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_sle12_server:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_sle12_server:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="SLES_SAP-release is version 12" id="oval:ssg-test_sles_12_for_sap:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_sles_12_for_sap:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_sles_12_for_sap:ste:1"/>
-        </linux:rpminfo_test>
-        <ind:family_test check="all" check_existence="at_least_one_exists" comment="installed OS part of unix family" id="oval:ssg-test_sle15_unix_family:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_sle15_unix_family:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sle15_unix_family:ste:1"/>
-        </ind:family_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="sled-release is version 15" id="oval:ssg-test_sle15_desktop:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_sle15_desktop:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_sle15_desktop:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="sles-release is version 15" id="oval:ssg-test_sle15_server:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_sle15_server:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_sle15_server:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="SLES_SAP-release is version 15" id="oval:ssg-test_sles_15_for_sap:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_sles_15_for_sap:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_sles_15_for_sap:ste:1"/>
-        </linux:rpminfo_test>
-        <unix:file_test check="all" check_existence="all_exist" comment="/etc/lsb-release exists" id="oval:ssg-test_lsb:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-obj_lsb:obj:1"/>
-        </unix:file_test>
-        <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check Ubuntu" id="oval:ssg-test_ubuntu:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_ubuntu:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check Ubuntu version" id="oval:ssg-test_ubuntu_xenial:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_ubuntu_xenial:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check Ubuntu version" id="oval:ssg-test_ubuntu_bionic:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_ubuntu_bionic:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check Ubuntu version" id="oval:ssg-test_ubuntu_focal:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_ubuntu_focal:obj:1"/>
-        </ind:textfilecontent54_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="uos-release is version 20" id="oval:ssg-test_uos20:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_uos20:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_uos20:ste:1"/>
-        </linux:rpminfo_test>
-        <ind:yamlfilecontent_test id="oval:ssg-test_eks:tst:1" check="at least one" comment="Find one match" version="1">
-          <ind:object object_ref="oval:ssg-object_eks:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_eks:ste:1"/>
-        </ind:yamlfilecontent_test>
-        <unix:file_test id="oval:ssg-test_file_for_eks:tst:1" check="only one" comment="Find the actual file to be scanned." version="1">
-          <unix:object object_ref="oval:ssg-object_file_for_eks:obj:1"/>
-        </unix:file_test>
-        <ind:yamlfilecontent_test id="oval:ssg-test_eks_1_21:tst:1" check="at least one" comment="Find one match" version="1">
-          <ind:object object_ref="oval:ssg-object_eks:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_eks_1_21:ste:1"/>
-        </ind:yamlfilecontent_test>
-        <unix:file_test check="all" check_existence="all_exist" comment="Testing if /var/lib/kubelet/kubeconfig exists" id="oval:ssg-test_kubelet_kubeconfig_exists:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_kubelet_kubeconfig_exists:obj:1"/>
-        </unix:file_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="rhevm4-appliance is installed" id="oval:ssg-test_rhevm4_version:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhevm4_version:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhevm4_version:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_env_has_audit_installed:tst:1" version="1" comment="system has package audit installed">
-          <linux:object object_ref="oval:ssg-obj_env_has_audit_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg-test_env_has_chrony_installed:tst:1" version="1" comment="package chrony is installed">
-          <linux:object object_ref="oval:ssg-obj_test_env_has_chrony_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_env_has_gdm_installed:tst:1" version="1" comment="system has package gdm installed">
-          <linux:object object_ref="oval:ssg-obj_env_has_gdm_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_env_has_grub2_installed:tst:1" version="1" comment="system has package grub2-common installed">
-          <linux:object object_ref="oval:ssg-obj_env_has_grub2_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <unix:file_test check="all" check_existence="all_exist" comment="Check if /sys/firmware/opal exists" id="oval:ssg-test_system_using_opal:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_system_using_opal:obj:1"/>
-        </unix:file_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_env_has_libuser_installed:tst:1" version="1" comment="system has package libuser installed">
-          <linux:object object_ref="oval:ssg-obj_env_has_libuser_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_env_has_login_defs_installed:tst:1" version="1" comment="system has package shadow-utils installed, which provides the /etc/login.defs file.">
-          <linux:object object_ref="oval:ssg-obj_env_has_login_defs_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_env_has_net-snmp_installed:tst:1" version="1" comment="system has package net-snmp installed">
-          <linux:object object_ref="oval:ssg-obj_env_has_net-snmp_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_env_has_nss-pam-ldapd_installed:tst:1" version="1" comment="system has package nss-pam-ldapd installed">
-          <linux:object object_ref="oval:ssg-obj_env_has_nss-pam-ldapd_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg-test_env_has_ntp_installed:tst:1" version="1" comment="package ntp is installed">
-          <linux:object object_ref="oval:ssg-obj_test_env_has_ntp_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_env_has_ovirt-host_installed:tst:1" version="1" comment="system has package ovirt-host installed">
-          <linux:object object_ref="oval:ssg-obj_env_has_ovirt-host_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_env_has_ovirt-engine_installed:tst:1" version="1" comment="system has package ovirt-engine installed">
-          <linux:object object_ref="oval:ssg-obj_env_has_ovirt-engine_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_env_has_pam_installed:tst:1" version="1" comment="system has package pam installed">
-          <linux:object object_ref="oval:ssg-obj_env_has_pam_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg-test_env_has_polkit_installed:tst:1" version="1" comment="package polkit is installed">
-          <linux:object object_ref="oval:ssg-obj_test_env_has_polkit_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg-test_env_has_postfix_installed:tst:1" version="1" comment="package postfix is installed">
-          <linux:object object_ref="oval:ssg-obj_test_env_has_postfix_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_env_has_sssd-common_installed:tst:1" version="1" comment="system has package sssd-common installed">
-          <linux:object object_ref="oval:ssg-obj_env_has_sssd-common_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_env_has_sudo_installed:tst:1" version="1" comment="system has package sudo installed">
-          <linux:object object_ref="oval:ssg-obj_env_has_sudo_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_env_has_systemd_installed:tst:1" version="1" comment="system has package systemd installed">
-          <linux:object object_ref="oval:ssg-obj_env_has_systemd_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_env_has_tftp_server_installed:tst:1" version="1" comment="system has package tftp-server installed">
-          <linux:object object_ref="oval:ssg-obj_env_has_tftp_server_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_env_has_tmux_installed:tst:1" version="1" comment="system has package tmux installed">
-          <linux:object object_ref="oval:ssg-obj_env_has_tmux_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_env_has_usbguard_installed:tst:1" version="1" comment="system has package usbguard installed">
-          <linux:object object_ref="oval:ssg-obj_env_has_usbguard_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <unix:file_test check="all" check_existence="all_exist" comment="Test if /proc/net/wireless exists" id="oval:ssg-test_proc_net_wireless_exists:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_proc_net_wireless_exists:obj:1"/>
-        </unix:file_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_env_has_yum_installed:tst:1" version="1" comment="system has package yum installed">
-          <linux:object object_ref="oval:ssg-obj_env_has_yum_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_env_has_zipl_installed:tst:1" version="1" comment="system has package zipl installed">
-          <linux:object object_ref="oval:ssg-obj_env_has_zipl_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <unix:file_test check="all" check_existence="all_exist" comment="Check if /.dockerenv exists" id="oval:ssg-test_installed_env_is_a_docker_container:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_installed_env_is_a_docker_container:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="all_exist" comment="Check if /run/.containerenv exists" id="oval:ssg-test_installed_env_is_a_podman_container:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_installed_env_is_a_podman_container:obj:1"/>
-        </unix:file_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="Kerberos server version is lesser than 1.17-18" id="oval:ssg-test_krb5_server_version_1_17_18:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_krb5_server_version_1_17_18:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_krb5_server_version_1_17_18:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="Kerberos workstaton version is lesser than 1.17-18" id="oval:ssg-test_krb5_workstation_version_1_17_18:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_krb5_workstation_version_1_17_18:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_krb5_workstation_version_1_17_18:ste:1"/>
-        </linux:rpminfo_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="proc_sys_kernel is for aarch64 architecture" id="oval:ssg-test_proc_sys_kernel_osrelease_arch_aarch64:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_proc_sys_kernel_osrelease_arch_aarch64:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_proc_sys_kernel_osrelease_arch_aarch64:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="proc_sys_kernel is for ppc64le architecture" id="oval:ssg-test_proc_sys_kernel_osrelease_arch_ppc64le:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_proc_sys_kernel_osrelease_arch_ppc64le:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_proc_sys_kernel_osrelease_arch_ppc64le:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="proc_sys_kernel is for s390x architecture" id="oval:ssg-test_proc_sys_kernel_osrelease_arch_s390x:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_proc_sys_kernel_osrelease_arch_s390x:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_proc_sys_kernel_osrelease_arch_s390x:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="SSSD Configuration is set to use Active Directory" id="oval:ssg-test_id_provider_is_set_to_ad:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_id_provider_is_set_to_ad:obj:1"/>
-        </ind:textfilecontent54_test>
-        <unix:file_test check="all" check_existence="at_least_one_exists" comment="Verify if /sys/firmware/efi folder exists" id="oval:ssg-test_efi_dir_existence:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_file_sys_firmware_efi:obj:1"/>
-        </unix:file_test>
-        <unix:uname_test check="all" comment="64 bit architecture" id="oval:ssg-test_system_info_architecture_ppcle_64:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_system_info_architecture_ppcle_64:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_system_info_architecture_ppcle_64:ste:1"/>
-        </unix:uname_test>
-      </oval-def:tests>
-      <oval-def:objects>
-        <linux:rpminfo_object id="oval:ssg-obj_alinux2:obj:1" version="1">
-          <linux:name>alinux-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_alinux3:obj:1" version="1">
-          <linux:name>alinux-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_centos7:obj:1" version="1">
-          <linux:name>centos-release</linux:name>
-        </linux:rpminfo_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_name_centos8:obj:1" version="1" comment="Check os-release ID">
-          <ind:filepath>/etc/os-release</ind:filepath>
-          <ind:pattern operation="pattern match">^ID="(\w+)"$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_version_centos8:obj:1" version="1" comment="Check os-release VERSION_ID">
-          <ind:filepath>/etc/os-release</ind:filepath>
-          <ind:pattern operation="pattern match">^VERSION_ID="(\d)"$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_name_centos9:obj:1" version="1" comment="Check os-release ID">
-          <ind:filepath>/etc/os-release</ind:filepath>
-          <ind:pattern operation="pattern match">^ID="(\w+)"$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_version_centos9:obj:1" version="1" comment="Check os-release VERSION_ID">
-          <ind:filepath>/etc/os-release</ind:filepath>
-          <ind:pattern operation="pattern match">^VERSION_ID="(\d)"$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:file_object comment="check /etc/debian_version file" id="oval:ssg-obj_debian:obj:1" version="1">
-          <unix:filepath>/etc/debian_version</unix:filepath>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_debian_10:obj:1" version="1" comment="Check Debian version">
-          <ind:filepath>/etc/debian_version</ind:filepath>
-          <ind:pattern operation="pattern match">^10.[0-9]+$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_debian_11:obj:1" version="1" comment="Check Debian version">
-          <ind:filepath>/etc/debian_version</ind:filepath>
-          <ind:pattern operation="pattern match">^11.[0-9]+$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_debian_9:obj:1" version="1" comment="Check Debian version">
-          <ind:filepath>/etc/debian_version</ind:filepath>
-          <ind:pattern operation="pattern match">^9.[0-9]+$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <linux:rpminfo_object id="oval:ssg-object_fedora_release_rpm:obj:1" version="1">
-          <linux:name operation="pattern match">fedora-release.*</linux:name>
-        </linux:rpminfo_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_fedora_vendor_product:obj:1" version="1">
-          <ind:filepath>/etc/system-release-cpe</ind:filepath>
-          <ind:pattern operation="pattern match">^cpe:\/o:fedoraproject:fedora:[\d]+$</ind:pattern>
-          <ind:instance datatype="int" operation="equals">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <linux:rpminfo_object id="oval:ssg-obj_ol7_system:obj:1" version="1">
-          <linux:name>oraclelinux-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_ol8_system:obj:1" version="1">
-          <linux:name>oraclelinux-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_ol9_system:obj:1" version="1">
-          <linux:name>oraclelinux-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_opensuse_installed:obj:1" version="1">
-          <linux:name>openSUSE-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_opensuse_leap15_installed:obj:1" version="1">
-          <linux:name>openSUSE-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_opensuse_leap42_installed:obj:1" version="1">
-          <linux:name>openSUSE-release</linux:name>
-        </linux:rpminfo_object>
-        <ind:family_object id="oval:ssg-object_unix_family:obj:1" version="1"/>
-        <ind:textfilecontent54_object id="oval:ssg-obj_rhcos:obj:1" version="1">
-          <ind:filepath>/etc/os-release</ind:filepath>
-          <ind:pattern operation="pattern match">^ID="(\w+)"$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_rhcos4:obj:1" version="1">
-          <ind:filepath>/etc/os-release</ind:filepath>
-          <ind:pattern operation="pattern match">^VERSION_ID="(\d)\.\d+"$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:family_object id="oval:ssg-obj_rhel7_unix_family:obj:1" version="1"/>
-        <linux:rpminfo_object id="oval:ssg-obj_rhel7_client:obj:1" version="1">
-          <linux:name>redhat-release-client</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_rhel7_workstation:obj:1" version="1">
-          <linux:name>redhat-release-workstation</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_rhel7_server:obj:1" version="1">
-          <linux:name>redhat-release-server</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_rhel7_computenode:obj:1" version="1">
-          <linux:name>redhat-release-computenode</linux:name>
-        </linux:rpminfo_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_rhevh_rhel7_version:obj:1" version="1">
-          <ind:filepath>/etc/redhat-release</ind:filepath>
-          <ind:pattern operation="pattern match">^Red Hat Enterprise Linux release (\d)\.\d+$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:family_object id="oval:ssg-obj_rhel8_unix_family:obj:1" version="1"/>
-        <linux:rpminfo_object id="oval:ssg-obj_rhel8:obj:1" version="1">
-          <linux:name>redhat-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_rhel8_0:obj:1" version="1">
-          <linux:name>redhat-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_rhel8_1:obj:1" version="1">
-          <linux:name>redhat-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_rhel8_2:obj:1" version="1">
-          <linux:name>redhat-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_rhel8_3:obj:1" version="1">
-          <linux:name>redhat-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_rhel8_4:obj:1" version="1">
-          <linux:name>redhat-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_rhel8_5:obj:1" version="1">
-          <linux:name>redhat-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_rhel8_6:obj:1" version="1">
-          <linux:name>redhat-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_rhel8_7:obj:1" version="1">
-          <linux:name>redhat-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_rhel8_8:obj:1" version="1">
-          <linux:name>redhat-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_rhel8_9:obj:1" version="1">
-          <linux:name>redhat-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_rhel8_10:obj:1" version="1">
-          <linux:name>redhat-release</linux:name>
-        </linux:rpminfo_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_rhevh_rhel8_version:obj:1" version="1">
-          <ind:filepath>/etc/redhat-release</ind:filepath>
-          <ind:pattern operation="pattern match">^Red Hat Enterprise Linux release (\d)\.\d+$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:family_object id="oval:ssg-obj_rhel9_unix_family:obj:1" version="1"/>
-        <linux:rpminfo_object id="oval:ssg-obj_rhel9:obj:1" version="1">
-          <linux:name>redhat-release</linux:name>
-        </linux:rpminfo_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_rhevh_rhel9_version:obj:1" version="1">
-          <ind:filepath>/etc/redhat-release</ind:filepath>
-          <ind:pattern operation="pattern match">^Red Hat Enterprise Linux release (\d)\.\d+$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <linux:rpminfo_object id="oval:ssg-obj_rhvh4_version:obj:1" version="1">
-          <linux:name>redhat-release-virtualization-host</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_sl7:obj:1" version="1">
-          <linux:name>sl-release</linux:name>
-        </linux:rpminfo_object>
-        <ind:family_object id="oval:ssg-obj_sle12_unix_family:obj:1" version="1"/>
-        <linux:rpminfo_object id="oval:ssg-obj_sle12_desktop:obj:1" version="1">
-          <linux:name>sled-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_sle12_server:obj:1" version="1">
-          <linux:name>sles-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_sles_12_for_sap:obj:1" version="1">
-          <linux:name>SLES_SAP-release</linux:name>
-        </linux:rpminfo_object>
-        <ind:family_object id="oval:ssg-obj_sle15_unix_family:obj:1" version="1"/>
-        <linux:rpminfo_object id="oval:ssg-obj_sle15_desktop:obj:1" version="1">
-          <linux:name>sled-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_sle15_server:obj:1" version="1">
-          <linux:name>sles-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_sles_15_for_sap:obj:1" version="1">
-          <linux:name>SLES_SAP-release</linux:name>
-        </linux:rpminfo_object>
-        <unix:file_object comment="check /etc/lsb-release file" id="oval:ssg-obj_lsb:obj:1" version="1">
-          <unix:filepath>/etc/lsb-release</unix:filepath>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_ubuntu:obj:1" version="1" comment="Check Ubuntu">
-          <ind:filepath>/etc/lsb-release</ind:filepath>
-          <ind:pattern operation="pattern match">^DISTRIB_ID=Ubuntu$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_ubuntu_xenial:obj:1" version="1" comment="Check Ubuntu version">
-          <ind:filepath>/etc/lsb-release</ind:filepath>
-          <ind:pattern operation="pattern match">^DISTRIB_CODENAME=xenial$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_ubuntu_bionic:obj:1" version="1" comment="Check Ubuntu version">
-          <ind:filepath>/etc/lsb-release</ind:filepath>
-          <ind:pattern operation="pattern match">^DISTRIB_CODENAME=bionic$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_ubuntu_focal:obj:1" version="1" comment="Check Ubuntu version">
-          <ind:filepath>/etc/lsb-release</ind:filepath>
-          <ind:pattern operation="pattern match">^DISTRIB_CODENAME=focal$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <linux:rpminfo_object id="oval:ssg-obj_uos20:obj:1" version="1">
-          <linux:name>uos-release</linux:name>
-        </linux:rpminfo_object>
-        <unix:file_object id="oval:ssg-object_file_for_eks:obj:1" version="1">
-          <unix:filepath var_ref="oval:ssg-eks_dump_location:var:1"/>
-        </unix:file_object>
-        <ind:yamlfilecontent_object id="oval:ssg-object_eks:obj:1" version="1">
-          <ind:filepath var_ref="oval:ssg-eks_dump_location:var:1"/>
-          <ind:yamlpath>.gitVersion</ind:yamlpath>
-        </ind:yamlfilecontent_object>
-        <unix:file_object comment="/var/lib/kubelet/kubeconfig" id="oval:ssg-object_kubelet_kubeconfig_exists:obj:1" version="1">
-          <unix:filepath>/var/lib/kubelet/kubeconfig</unix:filepath>
-        </unix:file_object>
-        <linux:rpminfo_object id="oval:ssg-obj_rhevm4_version:obj:1" version="1">
-          <linux:name>rhvm-appliance</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_env_has_audit_installed:obj:1" version="1">
-          <linux:name>audit</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_env_has_chrony_installed:obj:1" version="1">
-          <linux:name>chrony</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_env_has_gdm_installed:obj:1" version="1">
-          <linux:name>gdm</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_env_has_grub2_installed:obj:1" version="1">
-          <linux:name>grub2-common</linux:name>
-        </linux:rpminfo_object>
-        <unix:file_object id="oval:ssg-object_system_using_opal:obj:1" version="1">
-          <unix:filepath>/sys/firmware/opal</unix:filepath>
-        </unix:file_object>
-        <linux:rpminfo_object id="oval:ssg-obj_env_has_libuser_installed:obj:1" version="1">
-          <linux:name>libuser</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_env_has_login_defs_installed:obj:1" version="1">
-          <linux:name>shadow-utils</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_env_has_net-snmp_installed:obj:1" version="1">
-          <linux:name>net-snmp</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_env_has_nss-pam-ldapd_installed:obj:1" version="1">
-          <linux:name>nss-pam-ldapd</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_env_has_ntp_installed:obj:1" version="1">
-          <linux:name>ntp</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_env_has_ovirt-host_installed:obj:1" version="1">
-          <linux:name>ovirt-host</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_env_has_ovirt-engine_installed:obj:1" version="1">
-          <linux:name>ovirt-engine</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_env_has_pam_installed:obj:1" version="1">
-          <linux:name>pam</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_env_has_polkit_installed:obj:1" version="1">
-          <linux:name>polkit</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_env_has_postfix_installed:obj:1" version="1">
-          <linux:name>postfix</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_env_has_sssd-common_installed:obj:1" version="1">
-          <linux:name>sssd-common</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_env_has_sudo_installed:obj:1" version="1">
-          <linux:name>sudo</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_env_has_systemd_installed:obj:1" version="1">
-          <linux:name>systemd</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_env_has_tftp_server_installed:obj:1" version="1">
-          <linux:name>tftp-server</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_env_has_tmux_installed:obj:1" version="1">
-          <linux:name>tmux</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_env_has_usbguard_installed:obj:1" version="1">
-          <linux:name>usbguard</linux:name>
-        </linux:rpminfo_object>
-        <unix:file_object comment="/proc/net/wireless file" id="oval:ssg-object_proc_net_wireless_exists:obj:1" version="1">
-          <unix:filepath>/proc/net/wireless</unix:filepath>
-        </unix:file_object>
-        <linux:rpminfo_object id="oval:ssg-obj_env_has_yum_installed:obj:1" version="1">
-          <linux:name>yum</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_env_has_zipl_installed:obj:1" version="1">
-          <linux:name>s390utils-base</linux:name>
-        </linux:rpminfo_object>
-        <unix:file_object comment="Check file /.dockerenv" id="oval:ssg-object_installed_env_is_a_docker_container:obj:1" version="1">
-          <unix:filepath datatype="string">/.dockerenv</unix:filepath>
-        </unix:file_object>
-        <unix:file_object comment="Check file /run/.containerenv" id="oval:ssg-object_installed_env_is_a_podman_container:obj:1" version="1">
-          <unix:filepath datatype="string">/run/.containerenv</unix:filepath>
-        </unix:file_object>
-        <linux:rpminfo_object id="oval:ssg-obj_krb5_server_version_1_17_18:obj:1" version="1">
-          <linux:name>krb5-server</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_krb5_workstation_version_1_17_18:obj:1" version="1">
-          <linux:name>krb5-workstation</linux:name>
-        </linux:rpminfo_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_proc_sys_kernel_osrelease_arch_aarch64:obj:1" version="1">
-          <ind:filepath>/proc/sys/kernel/osrelease</ind:filepath>
-          <ind:pattern operation="pattern match">^.*\.(.*)$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_proc_sys_kernel_osrelease_arch_ppc64le:obj:1" version="1">
-          <ind:filepath>/proc/sys/kernel/osrelease</ind:filepath>
-          <ind:pattern operation="pattern match">^.*\.(.*)$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_proc_sys_kernel_osrelease_arch_s390x:obj:1" version="1">
-          <ind:filepath>/proc/sys/kernel/osrelease</ind:filepath>
-          <ind:pattern operation="pattern match">^.*\.(.*)$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_id_provider_is_set_to_ad:obj:1" version="1">
-          <ind:filepath>/etc/sssd/sssd.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*\[domain\/[^]]*]([^\n\[\]]*\n+)+?[\s]*id_provider[ \t]*=[ \t]*((?i)ad)[ \t]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:file_object comment="/sys/firmware/efi" id="oval:ssg-object_file_sys_firmware_efi:obj:1" version="1">
-          <unix:path>/sys/firmware/efi</unix:path>
-          <unix:filename xsi:nil="true"/>
-        </unix:file_object>
-        <unix:uname_object comment="64 bit architecture" id="oval:ssg-object_system_info_architecture_ppcle_64:obj:1" version="1"/>
-      </oval-def:objects>
-      <oval-def:states>
-        <linux:rpminfo_state id="oval:ssg-state_alinux2:ste:1" version="1">
-          <linux:version operation="pattern match">^2.*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_alinux3:ste:1" version="1">
-          <linux:version operation="pattern match">^3.*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_centos7:ste:1" version="1">
-          <linux:version operation="pattern match">^7.*$</linux:version>
-        </linux:rpminfo_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_name_centos8:ste:1" version="1">
-          <ind:subexpression>centos</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_version_centos8:ste:1" version="1">
-          <ind:subexpression>8</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_name_centos9:ste:1" version="1">
-          <ind:subexpression>centos</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_version_centos9:ste:1" version="1">
-          <ind:subexpression>9</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <linux:rpminfo_state id="oval:ssg-state_ol7_system:ste:1" version="1">
-          <linux:version operation="pattern match">^7.*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_ol8_system:ste:1" version="1">
-          <linux:version operation="pattern match">^8.*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_ol9_system:ste:1" version="1">
-          <linux:version operation="pattern match">^9.*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_opensuse_installed:ste:1" version="1">
-          <linux:name operation="pattern match">openSUSE-release</linux:name>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_opensuse_leap15_installed:ste:1" version="1">
-          <linux:version operation="pattern match">^15.*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_opensuse_leap42_installed:ste:1" version="1">
-          <linux:version operation="pattern match">^42.*$</linux:version>
-        </linux:rpminfo_state>
-        <ind:family_state id="oval:ssg-state_unix_family:ste:1" version="1">
-          <ind:family>unix</ind:family>
-        </ind:family_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_rhcos:ste:1" version="1">
-          <ind:subexpression operation="pattern match">rhcos</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_rhcos4:ste:1" version="1">
-          <ind:subexpression operation="pattern match">4</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:family_state id="oval:ssg-state_rhel7_unix_family:ste:1" version="1">
-          <ind:family>unix</ind:family>
-        </ind:family_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhel7_client:ste:1" version="1">
-          <linux:version operation="pattern match">^7.*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhel7_workstation:ste:1" version="1">
-          <linux:version operation="pattern match">^7.*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhel7_server:ste:1" version="1">
-          <linux:version operation="pattern match">^7.*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhel7_computenode:ste:1" version="1">
-          <linux:version operation="pattern match">^7.*$</linux:version>
-        </linux:rpminfo_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_rhevh_rhel7_version:ste:1" version="1">
-          <ind:subexpression operation="pattern match">7</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:family_state id="oval:ssg-state_rhel8_unix_family:ste:1" version="1">
-          <ind:family>unix</ind:family>
-        </ind:family_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhel8:ste:1" version="1">
-          <linux:version operation="pattern match">^8.*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhel8_0:ste:1" version="1">
-          <linux:version operation="pattern match">^8.0*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhel8_1:ste:1" version="1">
-          <linux:version operation="pattern match">^8.1*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhel8_2:ste:1" version="1">
-          <linux:version operation="pattern match">^8.2*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhel8_3:ste:1" version="1">
-          <linux:version operation="pattern match">^8.3*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhel8_4:ste:1" version="1">
-          <linux:version operation="pattern match">^8.4*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhel8_5:ste:1" version="1">
-          <linux:version operation="pattern match">^8.5*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhel8_6:ste:1" version="1">
-          <linux:version operation="pattern match">^8.6*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhel8_7:ste:1" version="1">
-          <linux:version operation="pattern match">^8.7*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhel8_8:ste:1" version="1">
-          <linux:version operation="pattern match">^8.8*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhel8_9:ste:1" version="1">
-          <linux:version operation="pattern match">^8.9*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhel8_10:ste:1" version="1">
-          <linux:version operation="pattern match">^8.10*$</linux:version>
-        </linux:rpminfo_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_rhevh_rhel8_version:ste:1" version="1">
-          <ind:subexpression operation="pattern match">8</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:family_state id="oval:ssg-state_rhel9_unix_family:ste:1" version="1">
-          <ind:family>unix</ind:family>
-        </ind:family_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhel9:ste:1" version="1">
-          <linux:version operation="pattern match">^9.*$</linux:version>
-        </linux:rpminfo_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_rhevh_rhel9_version:ste:1" version="1">
-          <ind:subexpression operation="pattern match">9</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhvh4_version:ste:1" version="1">
-          <linux:evr datatype="evr_string" operation="greater than or equal">0:4.4</linux:evr>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_sl7:ste:1" version="1">
-          <linux:version operation="pattern match">^7.*$</linux:version>
-        </linux:rpminfo_state>
-        <ind:family_state id="oval:ssg-state_sle12_unix_family:ste:1" version="1">
-          <ind:family>unix</ind:family>
-        </ind:family_state>
-        <linux:rpminfo_state id="oval:ssg-state_sle12_desktop:ste:1" version="1">
-          <linux:version operation="pattern match">^12.*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_sle12_server:ste:1" version="1">
-          <linux:version operation="pattern match">^12.*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_sles_12_for_sap:ste:1" version="1">
-          <linux:version operation="pattern match">^12.*$</linux:version>
-        </linux:rpminfo_state>
-        <ind:family_state id="oval:ssg-state_sle15_unix_family:ste:1" version="1">
-          <ind:family>unix</ind:family>
-        </ind:family_state>
-        <linux:rpminfo_state id="oval:ssg-state_sle15_desktop:ste:1" version="1">
-          <linux:version operation="pattern match">^15.*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_sle15_server:ste:1" version="1">
-          <linux:version operation="pattern match">^15.*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_sles_15_for_sap:ste:1" version="1">
-          <linux:version operation="pattern match">^15.*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_uos20:ste:1" version="1">
-          <linux:version operation="pattern match">^20.*$</linux:version>
-        </linux:rpminfo_state>
-        <ind:yamlfilecontent_state id="oval:ssg-state_eks:ste:1" version="1">
-          <ind:value datatype="record">
-            <oval-def:field name="#" datatype="string" operation="pattern match">^.*-eks-.*$</oval-def:field>
-          </ind:value>
-        </ind:yamlfilecontent_state>
-        <ind:yamlfilecontent_state id="oval:ssg-state_eks_1_21:ste:1" version="1">
-          <ind:value datatype="record">
-            <oval-def:field name="#" datatype="string" operation="pattern match">^v1\.21\..*</oval-def:field>
-          </ind:value>
-        </ind:yamlfilecontent_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhevm4_version:ste:1" version="1">
-          <linux:version operation="pattern match">^4.*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_krb5_server_version_1_17_18:ste:1" version="1">
-          <linux:evr datatype="evr_string" operation="less than">0:1.17-18</linux:evr>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_krb5_workstation_version_1_17_18:ste:1" version="1">
-          <linux:evr datatype="evr_string" operation="less than">0:1.17-18</linux:evr>
-        </linux:rpminfo_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_proc_sys_kernel_osrelease_arch_aarch64:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^aarch64$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_proc_sys_kernel_osrelease_arch_ppc64le:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^ppc64le$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_proc_sys_kernel_osrelease_arch_s390x:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^s390x$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <unix:uname_state comment="64 bit architecture" id="oval:ssg-state_system_info_architecture_ppcle_64:ste:1" version="1">
-          <unix:processor_type operation="equals">ppc64le</unix:processor_type>
-        </unix:uname_state>
-      </oval-def:states>
-      <oval-def:variables>
-        <oval-def:local_variable id="oval:ssg-eks_dump_location:var:1" datatype="string" comment="The actual filepath of the file to scan." version="1">
-          <oval-def:literal_component>/kubernetes-api-resources/version</oval-def:literal_component>
-        </oval-def:local_variable>
-      </oval-def:variables>
-    </oval-def:oval_definitions>
-  </ds:component>
-</ds:data-stream-collection>
diff --git a/images/testcontent/kubelet_default/ssg-ocp4-ds.xml b/images/testcontent/kubelet_default/ssg-ocp4-ds.xml
index a87158690..fecec43e9 100644
--- a/images/testcontent/kubelet_default/ssg-ocp4-ds.xml
+++ b/images/testcontent/kubelet_default/ssg-ocp4-ds.xml
@@ -1,6 +1,6 @@
 <?xml version="1.0"?>
-<ds:data-stream-collection xmlns:cat="urn:oasis:names:tc:entity:xmlns:xml:catalog" xmlns:cpe-dict="http://cpe.mitre.org/dictionary/2.0" xmlns:cpe-lang="http://cpe.mitre.org/language/2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2" xmlns:html="http://www.w3.org/1999/xhtml" xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xmlns:linux="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" xmlns:ocil="http://scap.nist.gov/schema/ocil/2.0" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:unix="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="scap_org.open-scap_collection_from_xccdf_ssg-ocp4-xccdf-1.2.xml" schematron-version="1.3">
-  <ds:data-stream id="scap_org.open-scap_datastream_from_xccdf_ssg-ocp4-xccdf-1.2.xml" scap-version="1.3" use-case="OTHER">
+<ds:data-stream-collection xmlns:cat="urn:oasis:names:tc:entity:xmlns:xml:catalog" xmlns:cpe-dict="http://cpe.mitre.org/dictionary/2.0" xmlns:cpe-lang="http://cpe.mitre.org/language/2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2" xmlns:html="http://www.w3.org/1999/xhtml" xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xmlns:linux="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" xmlns:ocil="http://scap.nist.gov/schema/ocil/2.0" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:unix="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="scap_org.open-scap_collection_from_xccdf_ssg-ocp4-xccdf.xml" schematron-version="1.3">
+  <ds:data-stream id="scap_org.open-scap_datastream_from_xccdf_ssg-ocp4-xccdf.xml" scap-version="1.3" use-case="OTHER">
     <ds:dictionaries>
       <ds:component-ref id="scap_org.open-scap_cref_ssg-ocp4-cpe-dictionary.xml" xlink:href="#scap_org.open-scap_comp_ssg-ocp4-cpe-dictionary.xml">
         <cat:catalog>
@@ -9,7 +9,7 @@
       </ds:component-ref>
     </ds:dictionaries>
     <ds:checklists>
-      <ds:component-ref id="scap_org.open-scap_cref_ssg-ocp4-xccdf-1.2.xml" xlink:href="#scap_org.open-scap_comp_ssg-ocp4-xccdf-1.2.xml">
+      <ds:component-ref id="scap_org.open-scap_cref_ssg-ocp4-xccdf.xml" xlink:href="#scap_org.open-scap_comp_ssg-ocp4-xccdf.xml">
         <cat:catalog>
           <cat:uri name="ssg-ocp4-oval.xml" uri="#scap_org.open-scap_cref_ssg-ocp4-oval.xml"/>
           <cat:uri name="ssg-ocp4-ocil.xml" uri="#scap_org.open-scap_cref_ssg-ocp4-ocil.xml"/>
@@ -22,7 +22,7 @@
       <ds:component-ref id="scap_org.open-scap_cref_ssg-ocp4-cpe-oval.xml" xlink:href="#scap_org.open-scap_comp_ssg-ocp4-cpe-oval.xml"/>
     </ds:checks>
   </ds:data-stream>
-  <ds:component id="scap_org.open-scap_comp_ssg-ocp4-cpe-dictionary.xml" timestamp="2022-08-11T18:55:00">
+  <ds:component id="scap_org.open-scap_comp_ssg-ocp4-cpe-dictionary.xml" timestamp="2022-10-19T15:33:06">
     <cpe-dict:cpe-list xsi:schemaLocation="http://cpe.mitre.org/dictionary/2.0 http://cpe.mitre.org/files/cpe-dictionary_2.1.xsd">
       <cpe-dict:cpe-item name="cpe:/a:not_s390x_arch">
         <cpe-dict:title xml:lang="en-us">System architecture is not S390X</cpe-dict:title>
@@ -130,9 +130,9 @@
       </cpe-dict:cpe-item>
     </cpe-dict:cpe-list>
   </ds:component>
-  <ds:component id="scap_org.open-scap_comp_ssg-ocp4-xccdf-1.2.xml" timestamp="2022-08-11T18:55:00">
-    <xccdf-1.2:Benchmark id="xccdf_org.ssgproject.content_benchmark_OCP-4" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.1 xccdf-1.1.4.xsd" style="SCAP_1.2" resolved="true" xml:lang="en-US">
-      <xccdf-1.2:status date="2022-08-11">draft</xccdf-1.2:status>
+  <ds:component id="scap_org.open-scap_comp_ssg-ocp4-xccdf.xml" timestamp="2022-10-19T15:33:05">
+    <xccdf-1.2:Benchmark id="xccdf_org.ssgproject.content_benchmark_OCP-4" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.2 xccdf-1.2.4.xsd" style="SCAP_1.2" resolved="true" xml:lang="en-US">
+      <xccdf-1.2:status date="2022-10-19">draft</xccdf-1.2:status>
       <xccdf-1.2:title>Guide to the Secure Configuration of Red Hat OpenShift Container Platform 4</xccdf-1.2:title>
       <xccdf-1.2:description>This guide presents a catalog of security-relevant
 configuration settings for Red Hat OpenShift Container Platform 4. It is a rendering of
@@ -193,9 +193,10 @@ respective companies.</xccdf-1.2:rear-matter>
             <cpe-lang:fact-ref name="cpe:/a:redhat:openshift_container_platform:4.9"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="ocp4.11">
-          <cpe-lang:logical-test operator="AND" negate="false">
+        <cpe-lang:platform id="ocp4.11_or_ocp4.12">
+          <cpe-lang:logical-test operator="OR" negate="false">
             <cpe-lang:fact-ref name="cpe:/a:redhat:openshift_container_platform:4.11"/>
+            <cpe-lang:fact-ref name="cpe:/a:redhat:openshift_container_platform:4.12"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
         <cpe-lang:platform id="ocp4.10_or_ocp4.6_or_ocp4.7_or_ocp4.8_or_ocp4.9">
@@ -207,10 +208,11 @@ respective companies.</xccdf-1.2:rear-matter>
             <cpe-lang:fact-ref name="cpe:/a:redhat:openshift_container_platform:4.9"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
-        <cpe-lang:platform id="ocp4.10_or_ocp4.11_or_ocp4.9">
+        <cpe-lang:platform id="ocp4.10_or_ocp4.11_or_ocp4.12_or_ocp4.9">
           <cpe-lang:logical-test operator="OR" negate="false">
             <cpe-lang:fact-ref name="cpe:/a:redhat:openshift_container_platform:4.10"/>
             <cpe-lang:fact-ref name="cpe:/a:redhat:openshift_container_platform:4.11"/>
+            <cpe-lang:fact-ref name="cpe:/a:redhat:openshift_container_platform:4.12"/>
             <cpe-lang:fact-ref name="cpe:/a:redhat:openshift_container_platform:4.9"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
@@ -246,6 +248,11 @@ respective companies.</xccdf-1.2:rear-matter>
             <cpe-lang:fact-ref name="cpe:/a:redhat:openshift_container_platform_on_gcp:4"/>
           </cpe-lang:logical-test>
         </cpe-lang:platform>
+        <cpe-lang:platform id="ocp4">
+          <cpe-lang:logical-test operator="AND" negate="false">
+            <cpe-lang:fact-ref name="cpe:/a:redhat:openshift_container_platform:4.1"/>
+          </cpe-lang:logical-test>
+        </cpe-lang:platform>
         <cpe-lang:platform id="ocp4-node-on-sdn">
           <cpe-lang:logical-test operator="AND" negate="false">
             <cpe-lang:fact-ref name="cpe:/a:redhat:openshift_container_platform_node_on_sdn:4"/>
@@ -292,7 +299,7 @@ respective companies.</xccdf-1.2:rear-matter>
       <xccdf-1.2:platform idref="cpe:/a:redhat:openshift_container_platform_on_ovn:4"/>
       <xccdf-1.2:platform idref="cpe:/a:redhat:openshift_container_platform_on_sdn:4"/>
       <xccdf-1.2:platform idref="cpe:/a:redhat:openshift_container_platform_on_hypershift:4"/>
-      <xccdf-1.2:version update="https://github.com/ComplianceAsCode/content/releases/latest">0.1.64</xccdf-1.2:version>
+      <xccdf-1.2:version update="https://github.com/ComplianceAsCode/content/releases/latest">0.1.65</xccdf-1.2:version>
       <xccdf-1.2:metadata>
         <dc:publisher>SCAP Security Guide Project</dc:publisher>
         <dc:creator>SCAP Security Guide Project</dc:creator>
@@ -412,6 +419,7 @@ respective companies.</xccdf-1.2:rear-matter>
         <dc:contributor>Joseph Lenox &lt;joseph.lenox@collins.com&gt;</dc:contributor>
         <dc:contributor>Jan Lieskovsky &lt;jlieskov@redhat.com&gt;</dc:contributor>
         <dc:contributor>Markus Linnala &lt;Markus.Linnala@knowit.fi&gt;</dc:contributor>
+        <dc:contributor>Flos Lonicerae &lt;lonicerae@gmail.com&gt;</dc:contributor>
         <dc:contributor>&#x160;imon Luka&#x161;&#xED;k &lt;slukasik@redhat.com&gt;</dc:contributor>
         <dc:contributor>Milan Lysonek &lt;mlysonek@redhat.com&gt;</dc:contributor>
         <dc:contributor>Fredrik Lys&#xE9;n &lt;fredrik@pipemore.se&gt;</dc:contributor>
@@ -637,32 +645,30 @@ This profile is applicable to OpenShift versions 4.6 and greater.</xccdf-1.2:des
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_worker_kubeconfig" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_worker_service" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_perms_openshift_sdn_cniserver_config" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_enable_client_cert_rotation" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_enable_iptables_util_chains" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_enable_protect_kernel_defaults" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_enable_protect_kernel_sysctl" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_accounts" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_api-server" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_authentication" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_controller" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_crypto" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_general" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_general-principles" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-least-privilege" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-separate-servers" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-use-security-tools" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_how-to-use" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_integrity" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-formatting-conventions" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-read-sections-completely" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-reboot-required" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-root-shell-assumed" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-test-non-production" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_integrity" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_crypto" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_accounts" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_api-server" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_authentication" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_controller" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_general" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_logging" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_networking" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_openshift-api-server" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-least-privilege" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-separate-servers" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-use-security-tools" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_rbac" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_registry" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_risk-assessment" selected="false"/>
@@ -756,11 +762,31 @@ This profile is applicable to OpenShift versions 4.6 and greater.</xccdf-1.2:des
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_general_namespaces_in_use" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_idp_is_configured" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubeadmin_removed" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_anonymous_auth" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_authorization_mode" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_configure_client_ca" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_configure_event_creation" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_configure_tls_cert" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_configure_tls_cert_pre_4_9" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_configure_tls_cipher_suites" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_configure_tls_key" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_configure_tls_key_pre_4_9" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_disable_readonly_port" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_enable_cert_rotation" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_enable_client_cert_rotation" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_enable_iptables_util_chains" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_enable_server_cert_rotation" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_enable_streaming_connections" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_imagefs_available" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_imagefs_inodesfree" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_memory_available" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_nodefs_available" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_nodefs_inodesfree" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_imagefs_available" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_imagefs_inodesfree" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_memory_available" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_nodefs_available" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_nodefs_inodesfree" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_ocp_api_server_audit_log_maxbackup" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_ocp_api_server_audit_log_maxsize" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_openshift_api_server_audit_log_path" selected="true"/>
@@ -781,21 +807,21 @@ This profile is applicable to OpenShift versions 4.6 and greater.</xccdf-1.2:des
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_scheduler_no_bind_address" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_secrets_consider_external_storage" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_secrets_no_environment_variables" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_crypto" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_general-principles" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-least-privilege" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-separate-servers" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-use-security-tools" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_how-to-use" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_integrity" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-formatting-conventions" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-read-sections-completely" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-reboot-required" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-root-shell-assumed" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-test-non-production" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_integrity" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_crypto" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_master" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-least-privilege" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-separate-servers" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-use-security-tools" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_registry" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_risk-assessment" selected="false"/>
       </xccdf-1.2:Profile>
@@ -822,29 +848,29 @@ https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-work
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_scc_limit_privilege_escalation" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_scc_limit_privileged_containers" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_scc_limit_root_containers" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_accounts" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_controller" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_crypto" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_etcd" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_general" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_general-principles" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-least-privilege" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-separate-servers" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-use-security-tools" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_how-to-use" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_integrity" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-formatting-conventions" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-read-sections-completely" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-reboot-required" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-root-shell-assumed" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-test-non-production" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_integrity" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_crypto" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_accounts" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_controller" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_etcd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_general" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_kubelet" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_logging" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_master" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_networking" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_openshift-api-server" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-least-privilege" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-separate-servers" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-use-security-tools" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_risk-assessment" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_scheduler" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_secrets" selected="false"/>
@@ -970,34 +996,32 @@ consensus and release processes.</xccdf-1.2:description>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_worker_kubeconfig" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_worker_service" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_perms_openshift_sdn_cniserver_config" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_enable_client_cert_rotation" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_enable_iptables_util_chains" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_enable_protect_kernel_defaults" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_enable_protect_kernel_sysctl" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_partition_for_var_log_kube_apiserver" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_partition_for_var_log_oauth_apiserver" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_partition_for_var_log_openshift_apiserver" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_reject_unsigned_images_by_default" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_accounts" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_api-server" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_authentication" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_controller" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_crypto" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_general" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_general-principles" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-least-privilege" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-separate-servers" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-use-security-tools" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_how-to-use" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-formatting-conventions" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-read-sections-completely" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-reboot-required" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-root-shell-assumed" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-test-non-production" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_crypto" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_accounts" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_api-server" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_authentication" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_controller" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_general" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_networking" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_openshift-api-server" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-least-privilege" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-separate-servers" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-use-security-tools" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_rbac" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_registry" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_risk-assessment" selected="false"/>
@@ -1113,7 +1137,7 @@ consensus and release processes.</xccdf-1.2:description>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_integrity_notification_enabled" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_owner_proxy_kubeconfig" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_proxy_kubeconfig" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_fips_mode_enabled" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_fips_mode_enabled_on_all_nodes" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_general_apply_scc" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_general_configure_imagepolicywebhook" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_general_default_namespace_use" selected="true"/>
@@ -1123,11 +1147,31 @@ consensus and release processes.</xccdf-1.2:description>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_idp_is_configured" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_ingress_controller_certificate" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubeadmin_removed" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_anonymous_auth" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_authorization_mode" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_configure_client_ca" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_configure_event_creation" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_configure_tls_cert" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_configure_tls_cert_pre_4_9" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_configure_tls_cipher_suites" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_configure_tls_key" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_configure_tls_key_pre_4_9" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_disable_readonly_port" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_enable_cert_rotation" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_enable_client_cert_rotation" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_enable_iptables_util_chains" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_enable_server_cert_rotation" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_enable_streaming_connections" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_imagefs_available" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_imagefs_inodesfree" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_memory_available" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_nodefs_available" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_nodefs_inodesfree" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_imagefs_available" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_imagefs_inodesfree" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_memory_available" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_nodefs_available" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_nodefs_inodesfree" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_oauth_or_oauthclient_inactivity_timeout" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_oauth_or_oauthclient_token_maxage" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_ocp_allowed_registries" selected="true"/>
@@ -1162,180 +1206,24 @@ consensus and release processes.</xccdf-1.2:description>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_scheduler_no_bind_address" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_secrets_consider_external_storage" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_secrets_no_environment_variables" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_general-principles" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-least-privilege" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-separate-servers" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-use-security-tools" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_how-to-use" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-formatting-conventions" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-read-sections-completely" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-reboot-required" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-root-shell-assumed" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-test-non-production" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_master" selected="false"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_oauth_inactivity_timeout" selector="10m0s"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_openshift_audit_profile" selector="WriteRequestBodies"/>
-      </xccdf-1.2:Profile>
-      <xccdf-1.2:Profile id="xccdf_org.ssgproject.content_profile_moderate-node">
-        <xccdf-1.2:title override="true">NIST 800-53 Moderate-Impact Baseline for Red Hat OpenShift - Node level</xccdf-1.2:title>
-        <xccdf-1.2:description override="true">This compliance profile reflects the core set of Moderate-Impact Baseline
-configuration settings for deployment of Red Hat OpenShift Container
-Platform into U.S. Defense, Intelligence, and Civilian agencies.
-Development partners and sponsors include the U.S. National Institute
-of Standards and Technology (NIST), U.S. Department of Defense,
-the National Security Agency, and Red Hat.
-
-This baseline implements configuration requirements from the following
-sources:
-
-- NIST 800-53 control selections for Moderate-Impact systems (NIST 800-53)
-
-For any differing configuration requirements, e.g. password lengths, the stricter
-security setting was chosen. Security Requirement Traceability Guides (RTMs) and
-sample System Security Configuration Guides are provided via the
-scap-security-guide-docs package.
-
-This profile reflects U.S. Government consensus content and is developed through
-the ComplianceAsCode initiative, championed by the National
-Security Agency. Except for differences in formatting to accommodate
-publishing processes, this profile mirrors ComplianceAsCode
-content as minor divergences, such as bugfixes, work through the
-consensus and release processes.</xccdf-1.2:description>
-        <xccdf-1.2:platform idref="cpe:/o:redhat:openshift_container_platform_node:4"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_directory_access_var_log_kube_audit" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_directory_access_var_log_oauth_audit" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_directory_access_var_log_ocp_audit" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_directory_permissions_var_log_kube_audit" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_directory_permissions_var_log_oauth_audit" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_directory_permissions_var_log_ocp_audit" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_etcd_unique_ca" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_groupowner_cni_conf" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_groupowner_controller_manager_kubeconfig" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_groupowner_etcd_data_dir" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_groupowner_etcd_data_files" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_groupowner_etcd_member" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_groupowner_etcd_pki_cert_files" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_groupowner_ip_allocations" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_groupowner_kube_apiserver" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_groupowner_kube_controller_manager" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_groupowner_kube_scheduler" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_groupowner_kubelet_conf" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_groupowner_master_admin_kubeconfigs" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_groupowner_multus_conf" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_groupowner_openshift_pki_cert_files" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_groupowner_openshift_pki_key_files" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_groupowner_openshift_sdn_cniserver_config" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_groupowner_ovs_conf_db" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_groupowner_ovs_conf_db_lock" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_groupowner_ovs_pid" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_groupowner_ovs_sys_id_conf" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_groupowner_ovs_vswitchd_pid" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_groupowner_ovsdb_server_pid" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_groupowner_scheduler_kubeconfig" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_groupowner_worker_ca" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_groupowner_worker_kubeconfig" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_groupowner_worker_service" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_owner_cni_conf" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_owner_controller_manager_kubeconfig" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_owner_etcd_data_dir" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_owner_etcd_data_files" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_owner_etcd_member" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_owner_etcd_pki_cert_files" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_owner_ip_allocations" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_owner_kube_apiserver" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_owner_kube_controller_manager" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_owner_kube_scheduler" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_owner_kubelet" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_owner_kubelet_conf" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_owner_master_admin_kubeconfigs" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_owner_multus_conf" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_owner_openshift_pki_cert_files" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_owner_openshift_pki_key_files" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_owner_openshift_sdn_cniserver_config" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_owner_ovs_conf_db" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_owner_ovs_conf_db_lock" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_owner_ovs_pid" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_owner_ovs_sys_id_conf" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_owner_ovs_vswitchd_pid" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_owner_ovsdb_server_pid" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_owner_scheduler_kubeconfig" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_owner_worker_ca" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_owner_worker_kubeconfig" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_owner_worker_service" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_ownership_var_log_kube_audit" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_ownership_var_log_oauth_audit" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_ownership_var_log_ocp_audit" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_cni_conf" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_controller_manager_kubeconfig" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_etcd_data_dir" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_etcd_data_files" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_etcd_member" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_etcd_pki_cert_files" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_ip_allocations" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_kube_apiserver" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_kube_controller_manager" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_kubelet" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_kubelet_conf" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_master_admin_kubeconfigs" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_multus_conf" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_openshift_pki_cert_files" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_openshift_pki_key_files" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_ovs_conf_db" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_ovs_conf_db_lock" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_ovs_pid" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_ovs_sys_id_conf" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_ovs_vswitchd_pid" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_ovsdb_server_pid" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_scheduler" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_scheduler_kubeconfig" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_var_log_kube_audit" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_var_log_oauth_audit" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_var_log_ocp_audit" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_worker_ca" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_worker_kubeconfig" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_worker_service" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_perms_openshift_sdn_cniserver_config" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_enable_client_cert_rotation" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_enable_iptables_util_chains" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_enable_protect_kernel_defaults" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_enable_protect_kernel_sysctl" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_partition_for_var_log_kube_apiserver" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_partition_for_var_log_oauth_apiserver" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_partition_for_var_log_openshift_apiserver" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_reject_unsigned_images_by_default" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_general-principles" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-least-privilege" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-separate-servers" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-use-security-tools" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_how-to-use" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-formatting-conventions" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-read-sections-completely" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-reboot-required" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-root-shell-assumed" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-test-non-production" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_crypto" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_accounts" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_api-server" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_authentication" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_controller" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_general" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_networking" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_openshift-api-server" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_rbac" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_registry" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_risk-assessment" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_scc" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_scheduler" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_secrets" selected="false"/>
         <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_oauth_inactivity_timeout" selector="10m0s"/>
         <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_openshift_audit_profile" selector="WriteRequestBodies"/>
       </xccdf-1.2:Profile>
-      <xccdf-1.2:Profile id="xccdf_org.ssgproject.content_profile_moderate">
-        <xccdf-1.2:title override="true">NIST 800-53 Moderate-Impact Baseline for Red Hat OpenShift - Platform level</xccdf-1.2:title>
+      <xccdf-1.2:Profile id="xccdf_org.ssgproject.content_profile_moderate-node">
+        <xccdf-1.2:title override="true">NIST 800-53 Moderate-Impact Baseline for Red Hat OpenShift - Node level</xccdf-1.2:title>
         <xccdf-1.2:description override="true">This compliance profile reflects the core set of Moderate-Impact Baseline
 configuration settings for deployment of Red Hat OpenShift Container
 Platform into U.S. Defense, Intelligence, and Civilian agencies.
@@ -1359,164 +1247,6 @@ Security Agency. Except for differences in formatting to accommodate
 publishing processes, this profile mirrors ComplianceAsCode
 content as minor divergences, such as bugfixes, work through the
 consensus and release processes.</xccdf-1.2:description>
-        <xccdf-1.2:reference>https://nvd.nist.gov/800-53/Rev4/impact/moderate</xccdf-1.2:reference>
-        <xccdf-1.2:platform idref="cpe:/a:redhat:openshift_container_platform:4.1"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_accounts_restrict_service_account_tokens" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_accounts_unique_service_account" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_api_server_admission_control_plugin_AlwaysAdmit" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_api_server_admission_control_plugin_AlwaysPullImages" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_api_server_admission_control_plugin_NamespaceLifecycle" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_api_server_admission_control_plugin_NodeRestriction" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_api_server_admission_control_plugin_Scc" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_api_server_admission_control_plugin_SecurityContextDeny" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_api_server_admission_control_plugin_ServiceAccount" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_api_server_anonymous_auth" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_api_server_api_priority_flowschema_catch_all" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_api_server_api_priority_gate_enabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_api_server_audit_log_maxbackup" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_api_server_audit_log_maxsize" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_api_server_audit_log_path" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_api_server_auth_mode_no_aa" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_api_server_auth_mode_node" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_api_server_auth_mode_rbac" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_api_server_basic_auth" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_api_server_bind_address" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_api_server_client_ca" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_api_server_encryption_provider_cipher" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_api_server_encryption_provider_config" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_api_server_etcd_ca" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_api_server_etcd_cert" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_api_server_etcd_key" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_api_server_https_for_kubelet_conn" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_api_server_insecure_bind_address" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_api_server_insecure_port" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_api_server_kubelet_certificate_authority" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_api_server_kubelet_client_cert" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_api_server_kubelet_client_cert_pre_4_9" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_api_server_kubelet_client_key" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_api_server_kubelet_client_key_pre_4_9" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_api_server_no_adm_ctrl_plugins_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_api_server_oauth_https_serving_cert" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_api_server_openshift_https_serving_cert" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_api_server_profiling_protected_by_rbac" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_api_server_request_timeout" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_api_server_service_account_lookup" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_api_server_service_account_public_key" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_api_server_tls_cert" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_api_server_tls_cipher_suites" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_api_server_tls_private_key" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_api_server_token_auth" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_error_alert_exists" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_log_forwarding_enabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_log_forwarding_uses_tls" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_profile_set" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_banner_or_login_template_set" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_cluster_version_operator_exists" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_cluster_version_operator_verify_integrity" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_cluster_wide_proxy_set" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_compliance_notification_enabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_compliancesuite_exists" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_configure_network_policies" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_configure_network_policies_namespaces" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_controller_insecure_port_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_controller_rotate_kubelet_server_certs" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_controller_secure_port" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_controller_service_account_ca" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_controller_service_account_private_key" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_controller_use_service_account" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_default_ingress_ca_replaced" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_etcd_auto_tls" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_etcd_cert_file" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_etcd_client_cert_auth" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_etcd_key_file" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_etcd_peer_auto_tls" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_etcd_peer_cert_file" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_etcd_peer_client_cert_auth" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_etcd_peer_key_file" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_groupowner_proxy_kubeconfig" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_integrity_exists" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_integrity_notification_enabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_owner_proxy_kubeconfig" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_proxy_kubeconfig" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_fips_mode_enabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_general_apply_scc" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_general_configure_imagepolicywebhook" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_general_default_namespace_use" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_general_default_seccomp_profile" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_general_namespaces_in_use" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_idp_is_configured" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_ingress_controller_certificate" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubeadmin_removed" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_configure_tls_cert" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_configure_tls_cert_pre_4_9" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_configure_tls_key" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_configure_tls_key_pre_4_9" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_disable_readonly_port" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_oauth_or_oauthclient_inactivity_timeout" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_oauth_or_oauthclient_token_maxage" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_ocp_allowed_registries" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_ocp_allowed_registries_for_import" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_ocp_api_server_audit_log_maxbackup" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_ocp_api_server_audit_log_maxsize" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_ocp_idp_no_htpasswd" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_ocp_no_ldap_insecure" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_openshift_api_server_audit_log_path" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_openshift_motd_exists" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_rbac_debug_role_protects_pprof" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_rbac_limit_cluster_admin" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_rbac_limit_secrets_access" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_rbac_pod_creation_access" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_rbac_wildcard_use" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_resource_requests_limits_in_daemonset" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_resource_requests_limits_in_deployment" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_resource_requests_limits_in_statefulset" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_resource_requests_quota" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_route_ip_whitelist" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_routes_protected_by_tls" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_routes_rate_limit" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_scc_drop_container_capabilities" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_scc_limit_container_allowed_capabilities" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_scc_limit_ipc_namespace" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_scc_limit_net_raw_capability" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_scc_limit_network_namespace" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_scc_limit_privilege_escalation" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_scc_limit_privileged_containers" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_scc_limit_process_id_namespace" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_scc_limit_root_containers" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_scheduler_no_bind_address" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_secrets_consider_external_storage" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_secrets_no_environment_variables" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_general-principles" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-least-privilege" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-separate-servers" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-use-security-tools" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_how-to-use" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-formatting-conventions" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-read-sections-completely" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-reboot-required" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-root-shell-assumed" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-test-non-production" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_master" selected="false"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_oauth_inactivity_timeout" selector="10m0s"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_openshift_audit_profile" selector="WriteRequestBodies"/>
-      </xccdf-1.2:Profile>
-      <xccdf-1.2:Profile id="xccdf_org.ssgproject.content_profile_nerc-cip-node">
-        <xccdf-1.2:title override="true">North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) cybersecurity standards profile for the  Red Hat OpenShift Container Platform - Node level</xccdf-1.2:title>
-        <xccdf-1.2:description override="true">This compliance profile reflects a set of security recommendations for
-the usage of Red Hat OpenShift Container Platform in critical
-infrastructure in the energy sector. This follows the recommendations
-coming from the following CIP standards:
-
-- CIP-002-5
-- CIP-003-8
-- CIP-004-6
-- CIP-005-6
-- CIP-007-3
-- CIP-007-6
-- CIP-009-6</xccdf-1.2:description>
-        <xccdf-1.2:reference>https://www.nerc.com/pa/Stand/AlignRep/One%20Stop%20Shop.xlsx</xccdf-1.2:reference>
         <xccdf-1.2:platform idref="cpe:/o:redhat:openshift_container_platform_node:4"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_directory_access_var_log_kube_audit" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_directory_access_var_log_oauth_audit" selected="true"/>
@@ -1611,34 +1341,32 @@ coming from the following CIP standards:
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_worker_kubeconfig" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_worker_service" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_perms_openshift_sdn_cniserver_config" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_enable_client_cert_rotation" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_enable_iptables_util_chains" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_enable_protect_kernel_defaults" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_enable_protect_kernel_sysctl" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_partition_for_var_log_kube_apiserver" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_partition_for_var_log_oauth_apiserver" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_partition_for_var_log_openshift_apiserver" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_reject_unsigned_images_by_default" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_accounts" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_api-server" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_authentication" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_controller" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_crypto" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_general" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_general-principles" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-least-privilege" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-separate-servers" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-use-security-tools" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_how-to-use" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-formatting-conventions" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-read-sections-completely" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-reboot-required" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-root-shell-assumed" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-test-non-production" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_crypto" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_accounts" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_api-server" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_authentication" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_controller" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_general" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_networking" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_openshift-api-server" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-least-privilege" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-separate-servers" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-use-security-tools" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_rbac" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_registry" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_risk-assessment" selected="false"/>
@@ -1648,21 +1376,32 @@ coming from the following CIP standards:
         <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_oauth_inactivity_timeout" selector="10m0s"/>
         <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_openshift_audit_profile" selector="WriteRequestBodies"/>
       </xccdf-1.2:Profile>
-      <xccdf-1.2:Profile id="xccdf_org.ssgproject.content_profile_nerc-cip">
-        <xccdf-1.2:title override="true">North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) cybersecurity standards profile for the  Red Hat OpenShift Container Platform - Platform level</xccdf-1.2:title>
-        <xccdf-1.2:description override="true">This compliance profile reflects a set of security recommendations for
-the usage of Red Hat OpenShift Container Platform in critical
-infrastructure in the energy sector. This follows the recommendations
-coming from the following CIP standards:
+      <xccdf-1.2:Profile id="xccdf_org.ssgproject.content_profile_moderate">
+        <xccdf-1.2:title override="true">NIST 800-53 Moderate-Impact Baseline for Red Hat OpenShift - Platform level</xccdf-1.2:title>
+        <xccdf-1.2:description override="true">This compliance profile reflects the core set of Moderate-Impact Baseline
+configuration settings for deployment of Red Hat OpenShift Container
+Platform into U.S. Defense, Intelligence, and Civilian agencies.
+Development partners and sponsors include the U.S. National Institute
+of Standards and Technology (NIST), U.S. Department of Defense,
+the National Security Agency, and Red Hat.
 
-- CIP-002-5
-- CIP-003-8
-- CIP-004-6
-- CIP-005-6
-- CIP-007-3
-- CIP-007-6
-- CIP-009-6</xccdf-1.2:description>
-        <xccdf-1.2:reference>https://www.nerc.com/pa/Stand/AlignRep/One%20Stop%20Shop.xlsx</xccdf-1.2:reference>
+This baseline implements configuration requirements from the following
+sources:
+
+- NIST 800-53 control selections for Moderate-Impact systems (NIST 800-53)
+
+For any differing configuration requirements, e.g. password lengths, the stricter
+security setting was chosen. Security Requirement Traceability Guides (RTMs) and
+sample System Security Configuration Guides are provided via the
+scap-security-guide-docs package.
+
+This profile reflects U.S. Government consensus content and is developed through
+the ComplianceAsCode initiative, championed by the National
+Security Agency. Except for differences in formatting to accommodate
+publishing processes, this profile mirrors ComplianceAsCode
+content as minor divergences, such as bugfixes, work through the
+consensus and release processes.</xccdf-1.2:description>
+        <xccdf-1.2:reference>https://nvd.nist.gov/800-53/Rev4/impact/moderate</xccdf-1.2:reference>
         <xccdf-1.2:platform idref="cpe:/a:redhat:openshift_container_platform:4.1"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_accounts_restrict_service_account_tokens" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_accounts_unique_service_account" selected="true"/>
@@ -1741,7 +1480,7 @@ coming from the following CIP standards:
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_integrity_notification_enabled" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_owner_proxy_kubeconfig" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_proxy_kubeconfig" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_fips_mode_enabled" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_fips_mode_enabled_on_all_nodes" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_general_apply_scc" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_general_configure_imagepolicywebhook" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_general_default_namespace_use" selected="true"/>
@@ -1750,11 +1489,31 @@ coming from the following CIP standards:
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_idp_is_configured" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_ingress_controller_certificate" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubeadmin_removed" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_anonymous_auth" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_authorization_mode" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_configure_client_ca" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_configure_event_creation" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_configure_tls_cert" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_configure_tls_cert_pre_4_9" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_configure_tls_cipher_suites" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_configure_tls_key" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_configure_tls_key_pre_4_9" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_disable_readonly_port" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_enable_cert_rotation" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_enable_client_cert_rotation" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_enable_iptables_util_chains" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_enable_server_cert_rotation" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_enable_streaming_connections" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_imagefs_available" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_imagefs_inodesfree" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_memory_available" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_nodefs_available" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_nodefs_inodesfree" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_imagefs_available" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_imagefs_inodesfree" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_memory_available" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_nodefs_available" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_nodefs_inodesfree" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_oauth_or_oauthclient_inactivity_timeout" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_oauth_or_oauthclient_token_maxage" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_ocp_allowed_registries" selected="true"/>
@@ -1789,27 +1548,41 @@ coming from the following CIP standards:
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_scheduler_no_bind_address" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_secrets_consider_external_storage" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_secrets_no_environment_variables" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_general-principles" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-least-privilege" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-separate-servers" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-use-security-tools" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_how-to-use" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-formatting-conventions" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-read-sections-completely" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-reboot-required" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-root-shell-assumed" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-test-non-production" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_master" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-least-privilege" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-separate-servers" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-use-security-tools" selected="false"/>
         <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_oauth_inactivity_timeout" selector="10m0s"/>
         <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_openshift_audit_profile" selector="WriteRequestBodies"/>
       </xccdf-1.2:Profile>
-      <xccdf-1.2:Profile id="xccdf_org.ssgproject.content_profile_pci-dss-node">
-        <xccdf-1.2:title override="true">PCI-DSS v3.2.1 Control Baseline for Red Hat OpenShift Container Platform 4</xccdf-1.2:title>
-        <xccdf-1.2:description override="true">Ensures PCI-DSS v3.2.1 security configuration settings are applied.</xccdf-1.2:description>
-        <xccdf-1.2:reference>https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf</xccdf-1.2:reference>
+      <xccdf-1.2:Profile id="xccdf_org.ssgproject.content_profile_nerc-cip-node">
+        <xccdf-1.2:title override="true">North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) cybersecurity standards profile for the  Red Hat OpenShift Container Platform - Node level</xccdf-1.2:title>
+        <xccdf-1.2:description override="true">This compliance profile reflects a set of security recommendations for
+the usage of Red Hat OpenShift Container Platform in critical
+infrastructure in the energy sector. This follows the recommendations
+coming from the following CIP standards:
+
+- CIP-002-5
+- CIP-003-8
+- CIP-004-6
+- CIP-005-6
+- CIP-007-3
+- CIP-007-6
+- CIP-009-6</xccdf-1.2:description>
+        <xccdf-1.2:reference>https://www.nerc.com/pa/Stand/AlignRep/One%20Stop%20Shop.xlsx</xccdf-1.2:reference>
         <xccdf-1.2:platform idref="cpe:/o:redhat:openshift_container_platform_node:4"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_directory_access_var_log_kube_audit" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_directory_access_var_log_oauth_audit" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_directory_access_var_log_ocp_audit" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_directory_permissions_var_log_kube_audit" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_directory_permissions_var_log_oauth_audit" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_directory_permissions_var_log_ocp_audit" selected="true"/>
@@ -1879,6 +1652,7 @@ coming from the following CIP standards:
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_ip_allocations" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_kube_apiserver" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_kube_controller_manager" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_kubelet" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_kubelet_conf" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_master_admin_kubeconfigs" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_multus_conf" selected="true"/>
@@ -1899,45 +1673,56 @@ coming from the following CIP standards:
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_worker_kubeconfig" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_worker_service" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_perms_openshift_sdn_cniserver_config" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_enable_client_cert_rotation" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_enable_iptables_util_chains" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_enable_protect_kernel_defaults" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_enable_protect_kernel_sysctl" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_partition_for_var_log_kube_apiserver" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_partition_for_var_log_oauth_apiserver" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_partition_for_var_log_openshift_apiserver" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_reject_unsigned_images_by_default" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_accounts" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_api-server" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_authentication" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_controller" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_crypto" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_general" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_general-principles" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-least-privilege" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-separate-servers" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-use-security-tools" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_how-to-use" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-formatting-conventions" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-read-sections-completely" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-reboot-required" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-root-shell-assumed" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-test-non-production" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_integrity" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_crypto" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_accounts" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_api-server" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_authentication" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_controller" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_general" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_networking" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_openshift-api-server" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-least-privilege" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-separate-servers" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-use-security-tools" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_rbac" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_registry" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_risk-assessment" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_scc" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_scheduler" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_secrets" selected="false"/>
+        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_oauth_inactivity_timeout" selector="10m0s"/>
+        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_openshift_audit_profile" selector="WriteRequestBodies"/>
       </xccdf-1.2:Profile>
-      <xccdf-1.2:Profile id="xccdf_org.ssgproject.content_profile_pci-dss">
-        <xccdf-1.2:title override="true">PCI-DSS v3.2.1 Control Baseline for Red Hat OpenShift Container Platform 4</xccdf-1.2:title>
-        <xccdf-1.2:description override="true">Ensures PCI-DSS v3.2.1 security configuration settings are applied.</xccdf-1.2:description>
-        <xccdf-1.2:reference>https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf</xccdf-1.2:reference>
+      <xccdf-1.2:Profile id="xccdf_org.ssgproject.content_profile_nerc-cip">
+        <xccdf-1.2:title override="true">North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) cybersecurity standards profile for the  Red Hat OpenShift Container Platform - Platform level</xccdf-1.2:title>
+        <xccdf-1.2:description override="true">This compliance profile reflects a set of security recommendations for
+the usage of Red Hat OpenShift Container Platform in critical
+infrastructure in the energy sector. This follows the recommendations
+coming from the following CIP standards:
+
+- CIP-002-5
+- CIP-003-8
+- CIP-004-6
+- CIP-005-6
+- CIP-007-3
+- CIP-007-6
+- CIP-009-6</xccdf-1.2:description>
+        <xccdf-1.2:reference>https://www.nerc.com/pa/Stand/AlignRep/One%20Stop%20Shop.xlsx</xccdf-1.2:reference>
         <xccdf-1.2:platform idref="cpe:/a:redhat:openshift_container_platform:4.1"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_accounts_restrict_service_account_tokens" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_accounts_unique_service_account" selected="true"/>
@@ -1984,8 +1769,15 @@ coming from the following CIP standards:
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_api_server_tls_cipher_suites" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_api_server_tls_private_key" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_api_server_token_auth" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_error_alert_exists" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_log_forwarding_enabled" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_log_forwarding_uses_tls" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_profile_set" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_banner_or_login_template_set" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_cluster_version_operator_exists" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_cluster_version_operator_verify_integrity" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_cluster_wide_proxy_set" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_compliance_notification_enabled" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_compliancesuite_exists" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_configure_network_policies" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_configure_network_policies_namespaces" selected="true"/>
@@ -1995,9 +1787,9 @@ coming from the following CIP standards:
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_controller_service_account_ca" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_controller_service_account_private_key" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_controller_use_service_account" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_default_ingress_ca_replaced" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_etcd_auto_tls" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_etcd_cert_file" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_etcd_check_cipher_suite" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_etcd_client_cert_auth" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_etcd_key_file" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_etcd_peer_auto_tls" selected="true"/>
@@ -2009,31 +1801,62 @@ coming from the following CIP standards:
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_integrity_notification_enabled" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_owner_proxy_kubeconfig" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_proxy_kubeconfig" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_fips_mode_enabled_on_all_nodes" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_general_apply_scc" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_general_configure_imagepolicywebhook" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_general_default_namespace_use" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_general_default_seccomp_profile" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_general_namespaces_in_use" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_idp_is_configured" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_ingress_controller_certificate" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubeadmin_removed" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_anonymous_auth" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_authorization_mode" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_configure_client_ca" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_configure_event_creation" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_configure_tls_cert" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_configure_tls_cert_pre_4_9" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_configure_tls_cipher_suites" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_configure_tls_key" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_configure_tls_key_pre_4_9" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_disable_readonly_port" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_machine_volume_encrypted" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_enable_cert_rotation" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_enable_client_cert_rotation" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_enable_iptables_util_chains" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_enable_server_cert_rotation" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_enable_streaming_connections" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_imagefs_available" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_imagefs_inodesfree" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_memory_available" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_nodefs_available" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_nodefs_inodesfree" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_imagefs_available" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_imagefs_inodesfree" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_memory_available" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_nodefs_available" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_nodefs_inodesfree" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_oauth_or_oauthclient_inactivity_timeout" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_oauth_or_oauthclient_token_maxage" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_ocp_allowed_registries" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_ocp_allowed_registries_for_import" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_ocp_api_server_audit_log_maxbackup" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_ocp_api_server_audit_log_maxsize" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_ocp_idp_no_htpasswd" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_ocp_no_ldap_insecure" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_openshift_api_server_audit_log_path" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_rbac_cluster_roles_defined" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_openshift_motd_exists" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_rbac_debug_role_protects_pprof" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_rbac_limit_cluster_admin" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_rbac_limit_secrets_access" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_rbac_pod_creation_access" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_rbac_roles_defined" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_rbac_wildcard_use" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_resource_requests_limits_in_daemonset" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_resource_requests_limits_in_deployment" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_resource_requests_limits_in_statefulset" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_resource_requests_quota" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_route_ip_whitelist" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_routes_protected_by_tls" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_routes_rate_limit" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_scc_drop_container_capabilities" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_scc_limit_container_allowed_capabilities" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_scc_limit_ipc_namespace" selected="true"/>
@@ -2046,34 +1869,27 @@ coming from the following CIP standards:
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_scheduler_no_bind_address" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_secrets_consider_external_storage" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_secrets_no_environment_variables" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_storageclass_encryption_enabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_tls_version_check_apiserver" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_general-principles" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-least-privilege" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-separate-servers" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-use-security-tools" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_how-to-use" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-formatting-conventions" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-read-sections-completely" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-reboot-required" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-root-shell-assumed" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-test-non-production" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_master" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_registry" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-least-privilege" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-separate-servers" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-use-security-tools" selected="false"/>
+        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_oauth_inactivity_timeout" selector="10m0s"/>
+        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_openshift_audit_profile" selector="WriteRequestBodies"/>
       </xccdf-1.2:Profile>
-      <xccdf-1.2:Profile id="xccdf_org.ssgproject.content_profile_stig-node">
-        <xccdf-1.2:title override="true">[DRAFT] DISA STIG for Red Hat OpenShift Container Platform 4 - Node level</xccdf-1.2:title>
-        <xccdf-1.2:description override="true">This is a draft profile for experimental purposes. It is not based on the 
-DISA STIG for OCP4, because one was not available at the time yet. This 
-profile contains configuration checks that align to the DISA STIG for 
-Red Hat OpenShift Container Platform 4.</xccdf-1.2:description>
-        <xccdf-1.2:reference>https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Container_Platform_V1R3_SRG.zip</xccdf-1.2:reference>
+      <xccdf-1.2:Profile id="xccdf_org.ssgproject.content_profile_pci-dss-node">
+        <xccdf-1.2:title override="true">PCI-DSS v3.2.1 Control Baseline for Red Hat OpenShift Container Platform 4</xccdf-1.2:title>
+        <xccdf-1.2:description override="true">Ensures PCI-DSS v3.2.1 security configuration settings are applied.</xccdf-1.2:description>
+        <xccdf-1.2:reference>https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf</xccdf-1.2:reference>
         <xccdf-1.2:platform idref="cpe:/o:redhat:openshift_container_platform_node:4"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_directory_access_var_log_kube_audit" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_directory_access_var_log_oauth_audit" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_directory_access_var_log_ocp_audit" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_directory_permissions_var_log_kube_audit" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_directory_permissions_var_log_oauth_audit" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_directory_permissions_var_log_ocp_audit" selected="true"/>
@@ -2131,6 +1947,9 @@ Red Hat OpenShift Container Platform 4.</xccdf-1.2:description>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_owner_worker_ca" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_owner_worker_kubeconfig" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_owner_worker_service" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_ownership_var_log_kube_audit" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_ownership_var_log_oauth_audit" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_ownership_var_log_ocp_audit" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_cni_conf" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_controller_manager_kubeconfig" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_etcd_data_dir" selected="true"/>
@@ -2140,7 +1959,6 @@ Red Hat OpenShift Container Platform 4.</xccdf-1.2:description>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_ip_allocations" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_kube_apiserver" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_kube_controller_manager" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_kubelet" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_kubelet_conf" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_master_admin_kubeconfigs" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_multus_conf" selected="true"/>
@@ -2154,60 +1972,50 @@ Red Hat OpenShift Container Platform 4.</xccdf-1.2:description>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_ovsdb_server_pid" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_scheduler" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_scheduler_kubeconfig" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_var_log_kube_audit" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_var_log_oauth_audit" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_var_log_ocp_audit" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_worker_ca" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_worker_kubeconfig" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_worker_service" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_perms_openshift_sdn_cniserver_config" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_enable_client_cert_rotation" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_enable_iptables_util_chains" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_enable_protect_kernel_defaults" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_enable_protect_kernel_sysctl" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_enable_protect_kernel_sysctl_file_exist" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_enable_protect_kernel_sysctl_kernel_keys_root_maxbytes" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_enable_protect_kernel_sysctl_kernel_keys_root_maxkeys" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_enable_protect_kernel_sysctl_kernel_panic" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_enable_protect_kernel_sysctl_kernel_panic_on_oops" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_enable_protect_kernel_sysctl_vm_overcommit_memory" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_enable_protect_kernel_sysctl_vm_panic_on_oom" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_partition_for_var_log_kube_apiserver" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_partition_for_var_log_oauth_apiserver" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_partition_for_var_log_openshift_apiserver" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_reject_unsigned_images_by_default" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_accounts" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_api-server" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_authentication" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_controller" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_crypto" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_general" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_general-principles" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-least-privilege" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-separate-servers" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-use-security-tools" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_how-to-use" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_integrity" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-formatting-conventions" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-read-sections-completely" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-reboot-required" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-root-shell-assumed" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-test-non-production" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_crypto" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_accounts" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_api-server" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_authentication" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_controller" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_general" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_networking" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_openshift-api-server" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-least-privilege" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-separate-servers" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-use-security-tools" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_rbac" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_registry" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_risk-assessment" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_scc" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_scheduler" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_secrets" selected="false"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_openshift_audit_profile" selector="WriteRequestBodies"/>
       </xccdf-1.2:Profile>
-      <xccdf-1.2:Profile id="xccdf_org.ssgproject.content_profile_stig">
-        <xccdf-1.2:title override="true">[DRAFT] DISA STIG for Red Hat OpenShift Container Platform 4 - Platform level</xccdf-1.2:title>
-        <xccdf-1.2:description override="true">This is a draft profile for experimental purposes. It is not based on the 
-DISA STIG for OCP4, because one was not available at the time yet. This 
-profile contains configuration checks that align to the DISA STIG for 
-Red Hat OpenShift Container Platform 4.</xccdf-1.2:description>
-        <xccdf-1.2:reference>https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Container_Platform_V1R3_SRG.zip</xccdf-1.2:reference>
+      <xccdf-1.2:Profile id="xccdf_org.ssgproject.content_profile_pci-dss">
+        <xccdf-1.2:title override="true">PCI-DSS v3.2.1 Control Baseline for Red Hat OpenShift Container Platform 4</xccdf-1.2:title>
+        <xccdf-1.2:description override="true">Ensures PCI-DSS v3.2.1 security configuration settings are applied.</xccdf-1.2:description>
+        <xccdf-1.2:reference>https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf</xccdf-1.2:reference>
         <xccdf-1.2:platform idref="cpe:/a:redhat:openshift_container_platform:4.1"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_accounts_restrict_service_account_tokens" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_accounts_unique_service_account" selected="true"/>
@@ -2254,12 +2062,8 @@ Red Hat OpenShift Container Platform 4.</xccdf-1.2:description>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_api_server_tls_cipher_suites" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_api_server_tls_private_key" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_api_server_token_auth" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_error_alert_exists" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_log_forwarding_enabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_log_forwarding_uses_tls" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_profile_set" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_banner_or_login_template_set" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_cluster_logging_operator_exist" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_compliancesuite_exists" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_configure_network_policies" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_configure_network_policies_namespaces" selected="true"/>
@@ -2271,6 +2075,7 @@ Red Hat OpenShift Container Platform 4.</xccdf-1.2:description>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_controller_use_service_account" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_etcd_auto_tls" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_etcd_cert_file" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_etcd_check_cipher_suite" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_etcd_client_cert_auth" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_etcd_key_file" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_etcd_peer_auto_tls" selected="true"/>
@@ -2279,9 +2084,9 @@ Red Hat OpenShift Container Platform 4.</xccdf-1.2:description>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_etcd_peer_key_file" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_groupowner_proxy_kubeconfig" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_integrity_exists" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_integrity_notification_enabled" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_owner_proxy_kubeconfig" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_proxy_kubeconfig" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_fips_mode_enabled" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_general_apply_scc" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_general_configure_imagepolicywebhook" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_general_default_namespace_use" selected="true"/>
@@ -2289,27 +2094,44 @@ Red Hat OpenShift Container Platform 4.</xccdf-1.2:description>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_general_namespaces_in_use" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_idp_is_configured" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubeadmin_removed" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_anonymous_auth" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_authorization_mode" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_configure_client_ca" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_configure_event_creation" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_configure_tls_cert" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_configure_tls_cert_pre_4_9" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_configure_tls_cipher_suites" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_configure_tls_key" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_configure_tls_key_pre_4_9" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_disable_readonly_port" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_ocp_allowed_registries" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_ocp_allowed_registries_for_import" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_enable_cert_rotation" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_enable_client_cert_rotation" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_enable_iptables_util_chains" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_enable_server_cert_rotation" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_enable_streaming_connections" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_imagefs_available" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_imagefs_inodesfree" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_memory_available" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_nodefs_available" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_nodefs_inodesfree" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_imagefs_available" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_imagefs_inodesfree" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_memory_available" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_nodefs_available" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_nodefs_inodesfree" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_machine_volume_encrypted" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_ocp_api_server_audit_log_maxbackup" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_ocp_api_server_audit_log_maxsize" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_ocp_idp_no_htpasswd" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_ocp_no_ldap_insecure" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_openshift_api_server_audit_log_path" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_openshift_motd_exists" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_rbac_cluster_roles_defined" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_rbac_debug_role_protects_pprof" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_rbac_limit_cluster_admin" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_rbac_limit_secrets_access" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_rbac_pod_creation_access" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_rbac_roles_defined" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_rbac_wildcard_use" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_resource_requests_quota" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_routes_protected_by_tls" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_routes_rate_limit" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_scc_drop_container_capabilities" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_scc_limit_container_allowed_capabilities" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_scc_limit_ipc_namespace" selected="true"/>
@@ -2322,20 +2144,22 @@ Red Hat OpenShift Container Platform 4.</xccdf-1.2:description>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_scheduler_no_bind_address" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_secrets_consider_external_storage" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_secrets_no_environment_variables" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_storageclass_encryption_enabled" selected="true"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_tls_version_check_apiserver" selected="true"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_general-principles" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-least-privilege" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-separate-servers" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-use-security-tools" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_how-to-use" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-formatting-conventions" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-read-sections-completely" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-reboot-required" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-root-shell-assumed" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-test-non-production" selected="false"/>
         <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_master" selected="false"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_openshift_audit_profile" selector="WriteRequestBodies"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-least-privilege" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-separate-servers" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-use-security-tools" selected="false"/>
+        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_registry" selected="false"/>
       </xccdf-1.2:Profile>
       <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_intro">
         <xccdf-1.2:title>Introduction</xccdf-1.2:title>
@@ -2666,19 +2490,27 @@ AWS resources will be able, through IAM policies, to use the KMS key to eventual
                 <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-ebs_encryption_enabled_on_machinesets_ocil:questionnaire:1"/>
               </xccdf-1.2:check>
             </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_fips_mode_enabled" severity="high">
-              <xccdf-1.2:title>Ensure that the cluster was installed with FIPS mode enabled</xccdf-1.2:title>
+            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_fips_mode_enabled_on_all_nodes" severity="high">
+              <xccdf-1.2:title>Ensure that FIPS mode is enabled on all cluster nodes</xccdf-1.2:title>
               <xccdf-1.2:description>OpenShift has an installation-time flag that can enable FIPS mode
 for the cluster. The flag <html:pre>fips: true</html:pre> must be enabled
 at install time in the <html:pre>install-config.yaml</html:pre> file.</xccdf-1.2:description>
               <xccdf-1.2:warning category="general">This rule's check operates on the cluster configuration dump.
-Therefore, you need to use a tool that can query the OCP API, retrieve the <html:code class="ocp-api-endpoint">/apis/machineconfiguration.openshift.io/v1/machineconfigs/99-master-fips</html:code> API endpoint to the local <html:code class="ocp-dump-location"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>/apis/machineconfiguration.openshift.io/v1/machineconfigs/99-master-fips</html:code> file.</xccdf-1.2:warning>
+Therefore, you need to use a tool that can query the OCP API, retrieve the following:
+<html:ul><html:li><html:code class="ocp-api-endpoint" id="ab7e02a1c3f44ae48f843ce3dee7b948d624d2f702b9428760efbfd4653847ba">/apis/machineconfiguration.openshift.io/v1/machineconfigs</html:code>
+    API endpoint, filter with with the <html:code>jq</html:code> utility using the following filter
+    <html:code class="ocp-api-filter" id="filter-ab7e02a1c3f44ae48f843ce3dee7b948d624d2f702b9428760efbfd4653847ba">[.items[] | select(.metadata.name | test("^rendered-worker-[0-9a-z]+$|^rendered-master-[0-9a-z]+$"))] | map(.spec.fips == true)</html:code>
+    and persist it to the local
+    <html:code class="ocp-dump-location" id="dump-ab7e02a1c3f44ae48f843ce3dee7b948d624d2f702b9428760efbfd4653847ba"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>/apis/machineconfiguration.openshift.io/v1/machineconfigs#ab7e02a1c3f44ae48f843ce3dee7b948d624d2f702b9428760efbfd4653847ba</html:code>
+    file.
+  </html:li></html:ul></xccdf-1.2:warning>
               <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R4.2</xccdf-1.2:reference>
               <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
               <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R7.1</xccdf-1.2:reference>
               <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(2)</xccdf-1.2:reference>
               <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-13</xccdf-1.2:reference>
               <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-7</xccdf-1.2:reference>
+              <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-3.4.1</xccdf-1.2:reference>
               <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000014-CTR-000035</xccdf-1.2:reference>
               <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000014-CTR-000040</xccdf-1.2:reference>
               <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000416-CTR-001015</xccdf-1.2:reference>
@@ -2690,34 +2522,6 @@ Therefore, you need to use a tool that can query the OCP API, retrieve the <html
               <xccdf-1.2:rationale>Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to
 protect data. The system must implement cryptographic modules adhering to the higher
 standards approved by the federal government since this provides assurance they have been tested
-and validated.</xccdf-1.2:rationale>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84214-6</xccdf-1.2:ident>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
-                <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-fips_mode_enabled:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-fips_mode_enabled_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_fips_mode_enabled_on_all_nodes" severity="high">
-              <xccdf-1.2:title>Ensure that FIPS mode is enabled on all cluster nodes</xccdf-1.2:title>
-              <xccdf-1.2:description>OpenShift has an installation-time flag that can enable FIPS mode
-for the cluster. The flag <html:pre>fips: true</html:pre> must be enabled
-at install time in the <html:pre>install-config.yaml</html:pre> file.</xccdf-1.2:description>
-              <xccdf-1.2:warning category="general">This rule's check operates on the cluster configuration dump.
-Therefore, you need to use a tool that can query the OCP API, retrieve the following:
-<html:ul><html:li><html:code class="ocp-api-endpoint" id="191c7889a801949fcc07c8f067ca719c614388ea53f4b96b7148c57799e423b3">/apis/machineconfiguration.openshift.io/v1/machineconfigs</html:code>
-    API endpoint, filter with with the <html:code>jq</html:code> utility using the following filter
-    <html:code class="ocp-api-filter" id="filter-191c7889a801949fcc07c8f067ca719c614388ea53f4b96b7148c57799e423b3">[.items[] | select(.metadata.name | test("^[0-9]{2}-worker$|^[0-9]{2}-master$"))]|map(.spec.fips == true)</html:code>
-    and persist it to the local
-    <html:code class="ocp-dump-location" id="dump-191c7889a801949fcc07c8f067ca719c614388ea53f4b96b7148c57799e423b3"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>/apis/machineconfiguration.openshift.io/v1/machineconfigs#191c7889a801949fcc07c8f067ca719c614388ea53f4b96b7148c57799e423b3</html:code>
-    file.
-  </html:li></html:ul></xccdf-1.2:warning>
-              <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-3.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to
-protect data. The system must implement cryptographic modules adhering to the higher
-standards approved by the federal government since this provides assurance they have been tested
 and validated.</xccdf-1.2:rationale>
               <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-85860-5</xccdf-1.2:ident>
               <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
@@ -2765,11 +2569,11 @@ at installation. The object <html:pre>luks</html:pre> must be present at install
 prepared with the <html:pre>install-config.yaml</html:pre> file.</xccdf-1.2:description>
               <xccdf-1.2:warning category="general">This rule's check operates on the cluster configuration dump.
 Therefore, you need to use a tool that can query the OCP API, retrieve the following:
-<html:ul><html:li><html:code class="ocp-api-endpoint" id="136fe907b51dc9ea5011707799731b533561dab4b043f086f36c0b5c9c288414">/apis/machineconfiguration.openshift.io/v1/machineconfigs</html:code>
+<html:ul><html:li><html:code class="ocp-api-endpoint" id="9fab597988075d76a1c081cdc533f05623251a854b9936a08ae52cca5fc5a311">/apis/machineconfiguration.openshift.io/v1/machineconfigs</html:code>
     API endpoint, filter with with the <html:code>jq</html:code> utility using the following filter
-    <html:code class="ocp-api-filter" id="filter-136fe907b51dc9ea5011707799731b533561dab4b043f086f36c0b5c9c288414">[.items[] | select(.metadata.name | test("^[0-9]{2}-worker$|^[0-9]{2}-master$"))]|map(.spec.config.storage.luks[0].clevis != null)</html:code>
+    <html:code class="ocp-api-filter" id="filter-9fab597988075d76a1c081cdc533f05623251a854b9936a08ae52cca5fc5a311">[.items[] | select(.metadata.name | test("^rendered-worker-[0-9a-z]+$|^rendered-master-[0-9a-z]+$"))] | map(.spec.config.storage.luks[0].clevis != null)</html:code>
     and persist it to the local
-    <html:code class="ocp-dump-location" id="dump-136fe907b51dc9ea5011707799731b533561dab4b043f086f36c0b5c9c288414"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>/apis/machineconfiguration.openshift.io/v1/machineconfigs#136fe907b51dc9ea5011707799731b533561dab4b043f086f36c0b5c9c288414</html:code>
+    <html:code class="ocp-dump-location" id="dump-9fab597988075d76a1c081cdc533f05623251a854b9936a08ae52cca5fc5a311"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>/apis/machineconfiguration.openshift.io/v1/machineconfigs#9fab597988075d76a1c081cdc533f05623251a854b9936a08ae52cca5fc5a311</html:code>
     file.
   </html:li></html:ul></xccdf-1.2:warning>
               <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-3.4.1</xccdf-1.2:reference>
@@ -2797,17 +2601,17 @@ disk encryption can be used as well. [1][2]
 [2] https://docs.openshift.com/container-platform/latest/machine_management/creating_machinesets/creating-machineset-gcp.html#machineset-enabling-customer-managed-encryption_creating-machineset-gcp</xccdf-1.2:description>
               <xccdf-1.2:warning category="general">This rule's check operates on the cluster configuration dump.
 Therefore, you need to use a tool that can query the OCP API, retrieve the following:
-<html:ul><html:li><html:code class="ocp-api-endpoint" id="191c7889a801949fcc07c8f067ca719c614388ea53f4b96b7148c57799e423b3">/apis/machineconfiguration.openshift.io/v1/machineconfigs</html:code>
+<html:ul><html:li><html:code class="ocp-api-endpoint" id="ab7e02a1c3f44ae48f843ce3dee7b948d624d2f702b9428760efbfd4653847ba">/apis/machineconfiguration.openshift.io/v1/machineconfigs</html:code>
     API endpoint, filter with with the <html:code>jq</html:code> utility using the following filter
-    <html:code class="ocp-api-filter" id="filter-191c7889a801949fcc07c8f067ca719c614388ea53f4b96b7148c57799e423b3">[.items[] | select(.metadata.name | test("^[0-9]{2}-worker$|^[0-9]{2}-master$"))]|map(.spec.fips == true)</html:code>
+    <html:code class="ocp-api-filter" id="filter-ab7e02a1c3f44ae48f843ce3dee7b948d624d2f702b9428760efbfd4653847ba">[.items[] | select(.metadata.name | test("^rendered-worker-[0-9a-z]+$|^rendered-master-[0-9a-z]+$"))] | map(.spec.fips == true)</html:code>
     and persist it to the local
-    <html:code class="ocp-dump-location" id="dump-191c7889a801949fcc07c8f067ca719c614388ea53f4b96b7148c57799e423b3"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>/apis/machineconfiguration.openshift.io/v1/machineconfigs#191c7889a801949fcc07c8f067ca719c614388ea53f4b96b7148c57799e423b3</html:code>
+    <html:code class="ocp-dump-location" id="dump-ab7e02a1c3f44ae48f843ce3dee7b948d624d2f702b9428760efbfd4653847ba"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>/apis/machineconfiguration.openshift.io/v1/machineconfigs#ab7e02a1c3f44ae48f843ce3dee7b948d624d2f702b9428760efbfd4653847ba</html:code>
     file.
-  </html:li><html:li><html:code class="ocp-api-endpoint" id="136fe907b51dc9ea5011707799731b533561dab4b043f086f36c0b5c9c288414">/apis/machineconfiguration.openshift.io/v1/machineconfigs</html:code>
+  </html:li><html:li><html:code class="ocp-api-endpoint" id="9fab597988075d76a1c081cdc533f05623251a854b9936a08ae52cca5fc5a311">/apis/machineconfiguration.openshift.io/v1/machineconfigs</html:code>
         API endpoint, filter with with the <html:code>jq</html:code> utility using the following filter
-        <html:code class="ocp-api-filter" id="filter-136fe907b51dc9ea5011707799731b533561dab4b043f086f36c0b5c9c288414">[.items[] | select(.metadata.name | test("^[0-9]{2}-worker$|^[0-9]{2}-master$"))]|map(.spec.config.storage.luks[0].clevis != null)</html:code>
+        <html:code class="ocp-api-filter" id="filter-9fab597988075d76a1c081cdc533f05623251a854b9936a08ae52cca5fc5a311">[.items[] | select(.metadata.name | test("^rendered-worker-[0-9a-z]+$|^rendered-master-[0-9a-z]+$"))] | map(.spec.config.storage.luks[0].clevis != null)</html:code>
         and persist it to the local
-        <html:code class="ocp-dump-location" id="dump-136fe907b51dc9ea5011707799731b533561dab4b043f086f36c0b5c9c288414"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>/apis/machineconfiguration.openshift.io/v1/machineconfigs#136fe907b51dc9ea5011707799731b533561dab4b043f086f36c0b5c9c288414</html:code>
+        <html:code class="ocp-dump-location" id="dump-9fab597988075d76a1c081cdc533f05623251a854b9936a08ae52cca5fc5a311"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>/apis/machineconfiguration.openshift.io/v1/machineconfigs#9fab597988075d76a1c081cdc533f05623251a854b9936a08ae52cca5fc5a311</html:code>
         file.
     </html:li><html:li><html:code class="ocp-api-endpoint" id="06ea2adfb5429a7351e7bd78b7ec378225e0d3256c4c9e4e3b2ce59900959267">/apis/machine.openshift.io/v1beta1/machinesets?limit=500</html:code>
         API endpoint, filter with with the <html:code>jq</html:code> utility using the following filter
@@ -3528,7 +3332,7 @@ In a large multi-tenant cluster, there might be a small percentage of
 misbehaving tenants which could have a significant impact on the
 performance of the cluster overall. It is recommended to limit the rate
 of events that the API Server will accept.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4.11"/>
+            <xccdf-1.2:platform idref="#ocp4.11_or_ocp4.12"/>
             <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-86390-2</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
               <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
@@ -3864,6 +3668,7 @@ the internal service.  The value is set by the bindAddress argument under the se
 parameter.</xccdf-1.2:rationale>
             <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83646-0</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-export export-name="oval:ssg-var_apiserver_bind_address:var:1" value-id="xccdf_org.ssgproject.content_value_var_apiserver_bind_address"/>
               <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
               <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-api_server_bind_address:def:1"/>
             </xccdf-1.2:check>
@@ -4091,8 +3896,8 @@ requires the API Server to identify itself to the etcd server using
 a SSL Certificate Authority file.</xccdf-1.2:rationale>
             <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84216-1</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
               <xccdf-1.2:check-export export-name="oval:ssg-var_apiserver_etcd_ca:var:1" value-id="xccdf_org.ssgproject.content_value_var_apiserver_etcd_ca"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
               <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-api_server_etcd_ca:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
@@ -4437,7 +4242,7 @@ Therefore, you need to use a tool that can query the OCP API, retrieve the follo
 HTTPS endpoints. Requests from the API Server are treated anonymously.
 Configuring certificate-based kubelet authentication ensures that the
 API Server authenticates itself to kubelets when submitting requests.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4.10_or_ocp4.11_or_ocp4.9"/>
+            <xccdf-1.2:platform idref="#ocp4.10_or_ocp4.11_or_ocp4.12_or_ocp4.9"/>
             <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84080-1</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
               <xccdf-1.2:check-export export-name="oval:ssg-var_apiserver_kubelet_client_cert:var:1" value-id="xccdf_org.ssgproject.content_value_var_apiserver_kubelet_client_cert"/>
@@ -4526,7 +4331,7 @@ Therefore, you need to use a tool that can query the OCP API, retrieve the follo
 HTTPS endpoints. Requests from the API Server are treated anonymously.
 Configuring certificate-based kubelet authentication ensures that the
 API Server authenticates itself to kubelets when submitting requests.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4.10_or_ocp4.11_or_ocp4.9"/>
+            <xccdf-1.2:platform idref="#ocp4.10_or_ocp4.11_or_ocp4.12_or_ocp4.9"/>
             <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83591-8</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
               <xccdf-1.2:check-export export-name="oval:ssg-var_apiserver_kubelet_client_key:var:1" value-id="xccdf_org.ssgproject.content_value_var_apiserver_kubelet_client_key"/>
@@ -5163,8 +4968,8 @@ old log files to keep as 10, there would be approximately 1 GB of log data
 available for use in analysis.</xccdf-1.2:rationale>
             <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83687-4</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
               <xccdf-1.2:check-export export-name="oval:ssg-var_apiserver_audit_log_maxsize:var:1" value-id="xccdf_org.ssgproject.content_value_var_apiserver_audit_log_maxsize"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
               <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-ocp_api_server_audit_log_maxsize:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
@@ -5179,6 +4984,12 @@ to multiple authentication services. Some of these authentication
 methods by not be secure or common methodologies, or they may not
 be secure by default. This section introduces mechanisms for
 configuring authentication systems Kubernetes.</xccdf-1.2:description>
+          <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_access_token_inactivity_timeout_seconds" type="string">
+            <xccdf-1.2:title>OAuth Clients Token Inactivity Timeout</xccdf-1.2:title>
+            <xccdf-1.2:description>Enter OAuth Clients Token Inactivity Timeout in Seconds</xccdf-1.2:description>
+            <xccdf-1.2:value selector="600s">600</xccdf-1.2:value>
+            <xccdf-1.2:value>600</xccdf-1.2:value>
+          </xccdf-1.2:Value>
           <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_oauth_inactivity_timeout" type="string">
             <xccdf-1.2:title>OAuth Token Inactivity Timeout</xccdf-1.2:title>
             <xccdf-1.2:description>Enter OAuth Token Inactivity Timeout</xccdf-1.2:description>
@@ -5420,6 +5231,7 @@ spec:
 </xccdf-1.2:fix>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
               <xccdf-1.2:check-export export-name="oval:ssg-var_oauth_inactivity_timeout:var:1" value-id="xccdf_org.ssgproject.content_value_var_oauth_inactivity_timeout"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_access_token_inactivity_timeout_seconds:var:1" value-id="xccdf_org.ssgproject.content_value_var_access_token_inactivity_timeout_seconds"/>
               <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
               <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-oauth_or_oauthclient_inactivity_timeout:def:1"/>
             </xccdf-1.2:check>
@@ -5587,7 +5399,7 @@ of opportunity for unauthorized personnel to take control of a session
 that has been left unattended.</xccdf-1.2:rationale>
             <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84178-3</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-export export-name="oval:ssg-var_oauth_inactivity_timeout:var:1" value-id="xccdf_org.ssgproject.content_value_var_oauth_inactivity_timeout"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_access_token_inactivity_timeout_seconds:var:1" value-id="xccdf_org.ssgproject.content_value_var_access_token_inactivity_timeout_seconds"/>
               <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
               <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-oauthclient_inactivity_timeout:def:1"/>
             </xccdf-1.2:check>
@@ -7388,7 +7200,7 @@ The kubelet takes a set of PodSpecs that are provided through various
 mechanisms and ensures that the containers described in those PodSpecs are
 running and healthy. The kubelet doesn&#x2019;t manage containers which were not
 created by Kubernetes.</xccdf-1.2:description>
-          <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_event_record_qps" type="number">
+          <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_event_record_qps" type="string">
             <xccdf-1.2:title>Configure Kubelet Event Limit</xccdf-1.2:title>
             <xccdf-1.2:description>Maximum event creations per second.</xccdf-1.2:description>
             <xccdf-1.2:value>5</xccdf-1.2:value>
@@ -7493,18 +7305,22 @@ created by Kubernetes.</xccdf-1.2:description>
           <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_kubelet_tls_cipher_suites" type="string">
             <xccdf-1.2:title>Configure Kubelet use of the Strong Cryptographic Ciphers</xccdf-1.2:title>
             <xccdf-1.2:description>Cryptographic Ciphers Available for Kubelet, seperated by comma</xccdf-1.2:description>
-            <xccdf-1.2:value>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256</xccdf-1.2:value>
+            <xccdf-1.2:value>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256</xccdf-1.2:value>
           </xccdf-1.2:Value>
           <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_kubelet_tls_cipher_suites_regex" type="string">
             <xccdf-1.2:title>Configure Kubelet use of the Strong Cryptographic Ciphers</xccdf-1.2:title>
             <xccdf-1.2:description>Cryptographic Ciphers Available for Kubelet</xccdf-1.2:description>
-            <xccdf-1.2:value>^(TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)$</xccdf-1.2:value>
+            <xccdf-1.2:value>^(TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256|TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256)$</xccdf-1.2:value>
+          </xccdf-1.2:Value>
+          <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_role_master" type="string">
+            <xccdf-1.2:title>Configure which node to scan based on role</xccdf-1.2:title>
+            <xccdf-1.2:description>Configure which node to scan based on role</xccdf-1.2:description>
+            <xccdf-1.2:value>master</xccdf-1.2:value>
           </xccdf-1.2:Value>
-          <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_role" type="string">
+          <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_role_worker" type="string">
             <xccdf-1.2:title>Configure which node to scan based on role</xccdf-1.2:title>
             <xccdf-1.2:description>Configure which node to scan based on role</xccdf-1.2:description>
             <xccdf-1.2:value>worker</xccdf-1.2:value>
-            <xccdf-1.2:value selector="master">master</xccdf-1.2:value>
           </xccdf-1.2:Value>
           <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_streaming_connection_timeouts" type="string" interactive="true">
             <xccdf-1.2:title>Streaming Connection Timeout Options</xccdf-1.2:title>
@@ -7514,13 +7330,13 @@ and (h) for hours.</xccdf-1.2:description>
             <xccdf-1.2:value selector="5min">5m0s</xccdf-1.2:value>
             <xccdf-1.2:value selector="10min">10m0s</xccdf-1.2:value>
             <xccdf-1.2:value selector="30min">30m0s</xccdf-1.2:value>
-            <xccdf-1.2:value selector="1hour">1h</xccdf-1.2:value>
-            <xccdf-1.2:value selector="2hours">2h</xccdf-1.2:value>
-            <xccdf-1.2:value selector="4hours">4h</xccdf-1.2:value>
-            <xccdf-1.2:value selector="6hours">6h</xccdf-1.2:value>
-            <xccdf-1.2:value selector="8hours">8h</xccdf-1.2:value>
+            <xccdf-1.2:value selector="1hour">1h0m0s</xccdf-1.2:value>
+            <xccdf-1.2:value selector="2hours">2h0m0s</xccdf-1.2:value>
+            <xccdf-1.2:value selector="4hours">4h0m0s</xccdf-1.2:value>
+            <xccdf-1.2:value selector="6hours">6h0m0s</xccdf-1.2:value>
+            <xccdf-1.2:value selector="8hours">8h0m0s</xccdf-1.2:value>
           </xccdf-1.2:Value>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_anonymous_auth_worker" severity="medium">
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_anonymous_auth" severity="medium">
             <xccdf-1.2:title>Disable Anonymous Authentication to the Kubelet</xccdf-1.2:title>
             <xccdf-1.2:description>By default, anonymous access to the Kubelet server is enabled. This
 configuration check ensures that anonymous requests to the Kubelet
@@ -7534,6 +7350,8 @@ authentication:
     enabled: false
   ...
 </html:pre></xccdf-1.2:description>
+            <xccdf-1.2:warning category="general">This rule's check operates on the cluster configuration dump. This will be a Platform rule, var_role_worker and var_role_master needed to be set if scan is not expected to run on master, and worker nodes.
+Therefore, you need to use a tool that can query the OCP API, retrieve KubeletConfig through <html:code class="ocp-api-endpoint-kubeletconfig">"/api/v1/nodes/NODE_NAME/proxy/configz"</html:code> API endpoint to the local <html:code class="ocp-dump-location-kubeletconfig"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>"/kubeletconfig/role/role"</html:code> file.</xccdf-1.2:warning>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
@@ -7548,16 +7366,131 @@ authentication methods are treated as anonymous requests. These
 requests are then served by the Kubelet server. OpenShift Operators should
 rely on authentication to authorize access and disallow anonymous
 requests.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-node"/>
+            <xccdf-1.2:platform idref="#ocp4"/>
             <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83815-1</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_worker:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_worker"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_master:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_master"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_anonymous_auth:def:1"/>
+            </xccdf-1.2:check>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_anonymous_auth_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_anonymous_auth_deprecated" severity="medium">
+            <xccdf-1.2:title>Disable Anonymous Authentication to the Kubelet</xccdf-1.2:title>
+            <xccdf-1.2:description>By default, anonymous access to the Kubelet server is enabled. This
+configuration check ensures that anonymous requests to the Kubelet
+server are disabled. Edit the Kubelet server configuration file
+<html:code>/etc/kubernetes/kubelet.conf</html:code> on the kubelet node(s)
+and set the below parameter:
+<html:pre>
+authentication:
+  ...
+  anonymous:
+    enabled: false
+  ...
+</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.2.1</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>When enabled, requests that are not rejected by other configured
+authentication methods are treated as anonymous requests. These
+requests are then served by the Kubelet server. OpenShift Operators should
+rely on authentication to authorize access and disallow anonymous
+requests.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-node"/>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_anonymous_auth_deprecated:def:1"/>
+            </xccdf-1.2:check>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_anonymous_auth_deprecated_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_anonymous_auth_master" severity="medium">
+            <xccdf-1.2:title>Disable Anonymous Authentication to the Kubelet</xccdf-1.2:title>
+            <xccdf-1.2:description>By default, anonymous access to the Kubelet server is enabled. This
+configuration check ensures that anonymous requests to the Kubelet
+server are disabled. Edit the Kubelet server configuration file
+<html:code>/etc/kubernetes/kubelet.conf</html:code> on the kubelet node(s)
+and set the below parameter:
+<html:pre>
+authentication:
+  ...
+  anonymous:
+    enabled: false
+  ...
+</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.2.1</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>When enabled, requests that are not rejected by other configured
+authentication methods are treated as anonymous requests. These
+requests are then served by the Kubelet server. OpenShift Operators should
+rely on authentication to authorize access and disallow anonymous
+requests.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4"/>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_master:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_master"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_anonymous_auth_master:def:1"/>
+            </xccdf-1.2:check>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_anonymous_auth_master_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_anonymous_auth_worker" severity="medium">
+            <xccdf-1.2:title>Disable Anonymous Authentication to the Kubelet</xccdf-1.2:title>
+            <xccdf-1.2:description>By default, anonymous access to the Kubelet server is enabled. This
+configuration check ensures that anonymous requests to the Kubelet
+server are disabled. Edit the Kubelet server configuration file
+<html:code>/etc/kubernetes/kubelet.conf</html:code> on the kubelet node(s)
+and set the below parameter:
+<html:pre>
+authentication:
+  ...
+  anonymous:
+    enabled: false
+  ...
+</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.2.1</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>When enabled, requests that are not rejected by other configured
+authentication methods are treated as anonymous requests. These
+requests are then served by the Kubelet server. OpenShift Operators should
+rely on authentication to authorize access and disallow anonymous
+requests.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4"/>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_worker:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_worker"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
               <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_anonymous_auth_worker:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
               <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_anonymous_auth_worker_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_authorization_mode_worker" severity="medium">
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_authorization_mode" severity="medium">
             <xccdf-1.2:title>Ensure authorization is set to Webhook</xccdf-1.2:title>
             <xccdf-1.2:description>Unauthenticated/unauthorized users should have no access to OpenShift nodes.
 The Kubelet should be set to only allow Webhook authorization.
@@ -7569,6 +7502,8 @@ authorization:
   mode: Webhook
   ...
 </html:pre></xccdf-1.2:description>
+            <xccdf-1.2:warning category="general">This rule's check operates on the cluster configuration dump. This will be a Platform rule, var_role_worker and var_role_master needed to be set if scan is not expected to run on master, and worker nodes.
+Therefore, you need to use a tool that can query the OCP API, retrieve KubeletConfig through <html:code class="ocp-api-endpoint-kubeletconfig">"/api/v1/nodes/NODE_NAME/proxy/configz"</html:code> API endpoint to the local <html:code class="ocp-dump-location-kubeletconfig"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>"/kubeletconfig/role/role"</html:code> file.</xccdf-1.2:warning>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
@@ -7580,15 +7515,231 @@ authorization:
             <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.2.2</xccdf-1.2:reference>
             <xccdf-1.2:rationale>Ensuring that the authorization is configured correctly helps enforce that
 unauthenticated/unauthorized users have no access to OpenShift nodes.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-node"/>
+            <xccdf-1.2:platform idref="#ocp4"/>
             <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83593-4</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_worker:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_worker"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_master:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_master"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_authorization_mode:def:1"/>
+            </xccdf-1.2:check>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_authorization_mode_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_authorization_mode_deprecated" severity="medium">
+            <xccdf-1.2:title>Ensure authorization is set to Webhook</xccdf-1.2:title>
+            <xccdf-1.2:description>Unauthenticated/unauthorized users should have no access to OpenShift nodes.
+The Kubelet should be set to only allow Webhook authorization.
+To ensure that the Kubelet requires authorization,
+validate that <html:code>authorization</html:code> is configured to <html:code>Webhook</html:code>
+in <html:code>/etc/kubernetes/kubelet.conf</html:code>:
+<html:pre>
+authorization:
+  mode: Webhook
+  ...
+</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.2.2</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>Ensuring that the authorization is configured correctly helps enforce that
+unauthenticated/unauthorized users have no access to OpenShift nodes.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-node"/>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_authorization_mode_deprecated:def:1"/>
+            </xccdf-1.2:check>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_authorization_mode_deprecated_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_authorization_mode_master" severity="medium">
+            <xccdf-1.2:title>Ensure authorization is set to Webhook</xccdf-1.2:title>
+            <xccdf-1.2:description>Unauthenticated/unauthorized users should have no access to OpenShift nodes.
+The Kubelet should be set to only allow Webhook authorization.
+To ensure that the Kubelet requires authorization,
+validate that <html:code>authorization</html:code> is configured to <html:code>Webhook</html:code>
+in <html:code>/etc/kubernetes/kubelet.conf</html:code>:
+<html:pre>
+authorization:
+  mode: Webhook
+  ...
+</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.2.2</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>Ensuring that the authorization is configured correctly helps enforce that
+unauthenticated/unauthorized users have no access to OpenShift nodes.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4"/>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_master:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_master"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_authorization_mode_master:def:1"/>
+            </xccdf-1.2:check>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_authorization_mode_master_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_authorization_mode_worker" severity="medium">
+            <xccdf-1.2:title>Ensure authorization is set to Webhook</xccdf-1.2:title>
+            <xccdf-1.2:description>Unauthenticated/unauthorized users should have no access to OpenShift nodes.
+The Kubelet should be set to only allow Webhook authorization.
+To ensure that the Kubelet requires authorization,
+validate that <html:code>authorization</html:code> is configured to <html:code>Webhook</html:code>
+in <html:code>/etc/kubernetes/kubelet.conf</html:code>:
+<html:pre>
+authorization:
+  mode: Webhook
+  ...
+</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.2.2</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>Ensuring that the authorization is configured correctly helps enforce that
+unauthenticated/unauthorized users have no access to OpenShift nodes.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4"/>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_worker:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_worker"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
               <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_authorization_mode_worker:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
               <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_authorization_mode_worker_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_configure_client_ca" severity="medium">
+            <xccdf-1.2:title>kubelet - Configure the Client CA Certificate</xccdf-1.2:title>
+            <xccdf-1.2:description>By default, the kubelet is not configured with a CA certificate which
+can subject the kubelet to man-in-the-middle attacks.
+
+To configure a client CA certificate, edit the kubelet configuration
+file <html:code>/etc/kubernetes/kubelet.conf</html:code>
+on the kubelet node(s) and set the below parameter:
+<html:pre>
+authentication:
+...
+  x509:
+    clientCAFile: /etc/kubernetes/kubelet-ca.crt
+...
+</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:warning category="general">This rule's check operates on the cluster configuration dump. This will be a Platform rule, var_role_worker and var_role_master needed to be set if scan is not expected to run on master, and worker nodes.
+Therefore, you need to use a tool that can query the OCP API, retrieve KubeletConfig through <html:code class="ocp-api-endpoint-kubeletconfig">"/api/v1/nodes/NODE_NAME/proxy/configz"</html:code> API endpoint to the local <html:code class="ocp-dump-location-kubeletconfig"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>"/kubeletconfig/role/role"</html:code> file.</xccdf-1.2:warning>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.2.3</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>Not having a CA certificate for the kubelet will subject the kubelet to possible
+man-in-the-middle attacks especially on unsafe or untrusted networks.
+Certificate validation for the kubelet allows the API server to validate
+the kubelet's identity.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83724-5</xccdf-1.2:ident>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_worker:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_worker"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_master:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_master"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_configure_client_ca:def:1"/>
+            </xccdf-1.2:check>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_configure_client_ca_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_configure_client_ca_deprecated" severity="medium">
+            <xccdf-1.2:title>kubelet - Configure the Client CA Certificate</xccdf-1.2:title>
+            <xccdf-1.2:description>By default, the kubelet is not configured with a CA certificate which
+can subject the kubelet to man-in-the-middle attacks.
+
+To configure a client CA certificate, edit the kubelet configuration
+file <html:code>/etc/kubernetes/kubelet.conf</html:code>
+on the kubelet node(s) and set the below parameter:
+<html:pre>
+authentication:
+...
+  x509:
+    clientCAFile: /etc/kubernetes/kubelet-ca.crt
+...
+</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.2.3</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>Not having a CA certificate for the kubelet will subject the kubelet to possible
+man-in-the-middle attacks especially on unsafe or untrusted networks.
+Certificate validation for the kubelet allows the API server to validate
+the kubelet's identity.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-node"/>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_configure_client_ca_deprecated:def:1"/>
+            </xccdf-1.2:check>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_configure_client_ca_deprecated_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_configure_client_ca_master" severity="medium">
+            <xccdf-1.2:title>kubelet - Configure the Client CA Certificate</xccdf-1.2:title>
+            <xccdf-1.2:description>By default, the kubelet is not configured with a CA certificate which
+can subject the kubelet to man-in-the-middle attacks.
+
+To configure a client CA certificate, edit the kubelet configuration
+file <html:code>/etc/kubernetes/kubelet.conf</html:code>
+on the kubelet node(s) and set the below parameter:
+<html:pre>
+authentication:
+...
+  x509:
+    clientCAFile: /etc/kubernetes/kubelet-ca.crt
+...
+</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.2.3</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>Not having a CA certificate for the kubelet will subject the kubelet to possible
+man-in-the-middle attacks especially on unsafe or untrusted networks.
+Certificate validation for the kubelet allows the API server to validate
+the kubelet's identity.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4"/>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_master:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_master"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_configure_client_ca_master:def:1"/>
+            </xccdf-1.2:check>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_configure_client_ca_master_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
           <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_configure_client_ca_worker" severity="medium">
             <xccdf-1.2:title>kubelet - Configure the Client CA Certificate</xccdf-1.2:title>
             <xccdf-1.2:description>By default, the kubelet is not configured with a CA certificate which
@@ -7617,16 +7768,84 @@ authentication:
 man-in-the-middle attacks especially on unsafe or untrusted networks.
 Certificate validation for the kubelet allows the API server to validate
 the kubelet's identity.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83724-5</xccdf-1.2:ident>
+            <xccdf-1.2:platform idref="#ocp4"/>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_worker:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_worker"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
               <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_configure_client_ca_worker:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
               <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_configure_client_ca_worker_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_configure_event_creation_worker" severity="medium">
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_configure_event_creation" severity="medium">
+            <xccdf-1.2:title>Kubelet - Ensure Event Creation Is Configured</xccdf-1.2:title>
+            <xccdf-1.2:description>Security relevant information should be captured. The eventRecordQPS
+Kubelet option can be used to limit the rate at which events are gathered.
+Setting this too low could result in relevant events not being logged,
+however the unlimited setting of 0 could result in a denial of service on
+the kubelet. Processing and storage systems should be scaled to handle the
+expected event load. To set the <html:code>eventRecordQPS</html:code> option for the kubelet,
+create a <html:code>KubeletConfig</html:code> option along these lines:
+<html:pre>
+apiVersion: machineconfiguration.openshift.io/v1
+kind: KubeletConfig
+metadata:
+   name: kubelet-config-$pool
+spec:
+    machineConfigPoolSelector:
+        matchLabels:
+            pools.operator.machineconfiguration.openshift.io/$pool_name: ""
+    kubeletConfig:
+        eventRecordQPS: <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_event_record_qps" use="legacy"/>
+</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:warning category="general">This rule's check operates on the cluster configuration dump. This will be a Platform rule, var_role_worker and var_role_master needed to be set if scan is not expected to run on master, and worker nodes.
+Therefore, you need to use a tool that can query the OCP API, retrieve KubeletConfig through <html:code class="ocp-api-endpoint-kubeletconfig">"/api/v1/nodes/NODE_NAME/proxy/configz"</html:code> API endpoint to the local <html:code class="ocp-dump-location-kubeletconfig"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>"/kubeletconfig/role/role"</html:code> file.</xccdf-1.2:warning>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.2.9</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>It is important to capture all events and not restrict event creation.
+Events are an important source of security information and analytics that
+ensure that your environment is consistently monitored using the event
+data.</xccdf-1.2:rationale>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83576-9</xccdf-1.2:ident>
+            <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="kubelet_configure_event_creation">---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: KubeletConfig
+metadata:
+  annotations:
+    complianceascode.io/node-role: "{{.var_role_worker}}"
+spec:
+  kubeletConfig:
+    eventRecordQPS: {{.var_event_record_qps}}
+---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: KubeletConfig
+metadata:
+  annotations:
+    complianceascode.io/node-role: "{{.var_role_master}}"
+spec:
+  kubeletConfig:
+    eventRecordQPS: {{.var_event_record_qps}}
+</xccdf-1.2:fix>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_worker:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_worker"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_master:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_master"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_event_record_qps:var:1" value-id="xccdf_org.ssgproject.content_value_var_event_record_qps"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_configure_event_creation:def:1"/>
+            </xccdf-1.2:check>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_configure_event_creation_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_configure_event_creation_deprecated" severity="medium">
             <xccdf-1.2:title>Kubelet - Ensure Event Creation Is Configured</xccdf-1.2:title>
             <xccdf-1.2:description>Security relevant information should be captured. The eventRecordQPS
 Kubelet option can be used to limit the rate at which events are gathered.
@@ -7665,15 +7884,103 @@ Events are an important source of security information and analytics that
 ensure that your environment is consistently monitored using the event
 data.</xccdf-1.2:rationale>
             <xccdf-1.2:platform idref="#ocp4-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83576-9</xccdf-1.2:ident>
-            <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="kubelet_configure_event_creation_worker">---
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_configure_event_creation_deprecated:def:1"/>
+            </xccdf-1.2:check>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_configure_event_creation_deprecated_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_configure_event_creation_master" severity="medium">
+            <xccdf-1.2:title>Kubelet - Ensure Event Creation Is Configured</xccdf-1.2:title>
+            <xccdf-1.2:description>Security relevant information should be captured. The eventRecordQPS
+Kubelet option can be used to limit the rate at which events are gathered.
+Setting this too low could result in relevant events not being logged,
+however the unlimited setting of 0 could result in a denial of service on
+the kubelet. Processing and storage systems should be scaled to handle the
+expected event load. To set the <html:code>eventRecordQPS</html:code> option for the kubelet,
+create a <html:code>KubeletConfig</html:code> option along these lines:
+<html:pre>
 apiVersion: machineconfiguration.openshift.io/v1
 kind: KubeletConfig
+metadata:
+   name: kubelet-config-$pool
 spec:
-  kubeletConfig:
-    eventRecordQPS: {{.var_event_record_qps}}
-</xccdf-1.2:fix>
+    machineConfigPoolSelector:
+        matchLabels:
+            pools.operator.machineconfiguration.openshift.io/$pool_name: ""
+    kubeletConfig:
+        eventRecordQPS: <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_event_record_qps" use="legacy"/>
+</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:warning category="functionality">The MachineConfig Operator does not merge <html:code>KubeletConfig</html:code>
+objects, the last object is used instead. In case you need to
+set multiple options for kubelet, consider putting all the custom
+options into a single <html:code>KubeletConfig</html:code> object.</xccdf-1.2:warning>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.2.9</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>It is important to capture all events and not restrict event creation.
+Events are an important source of security information and analytics that
+ensure that your environment is consistently monitored using the event
+data.</xccdf-1.2:rationale>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_master:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_master"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_event_record_qps:var:1" value-id="xccdf_org.ssgproject.content_value_var_event_record_qps"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_configure_event_creation_master:def:1"/>
+            </xccdf-1.2:check>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_configure_event_creation_master_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_configure_event_creation_worker" severity="medium">
+            <xccdf-1.2:title>Kubelet - Ensure Event Creation Is Configured</xccdf-1.2:title>
+            <xccdf-1.2:description>Security relevant information should be captured. The eventRecordQPS
+Kubelet option can be used to limit the rate at which events are gathered.
+Setting this too low could result in relevant events not being logged,
+however the unlimited setting of 0 could result in a denial of service on
+the kubelet. Processing and storage systems should be scaled to handle the
+expected event load. To set the <html:code>eventRecordQPS</html:code> option for the kubelet,
+create a <html:code>KubeletConfig</html:code> option along these lines:
+<html:pre>
+apiVersion: machineconfiguration.openshift.io/v1
+kind: KubeletConfig
+metadata:
+   name: kubelet-config-$pool
+spec:
+    machineConfigPoolSelector:
+        matchLabels:
+            pools.operator.machineconfiguration.openshift.io/$pool_name: ""
+    kubeletConfig:
+        eventRecordQPS: <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_event_record_qps" use="legacy"/>
+</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:warning category="functionality">The MachineConfig Operator does not merge <html:code>KubeletConfig</html:code>
+objects, the last object is used instead. In case you need to
+set multiple options for kubelet, consider putting all the custom
+options into a single <html:code>KubeletConfig</html:code> object.</xccdf-1.2:warning>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.2.9</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>It is important to capture all events and not restrict event creation.
+Events are an important source of security information and analytics that
+ensure that your environment is consistently monitored using the event
+data.</xccdf-1.2:rationale>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_worker:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_worker"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_event_record_qps:var:1" value-id="xccdf_org.ssgproject.content_value_var_event_record_qps"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
               <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_configure_event_creation_worker:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
@@ -7708,7 +8015,7 @@ Therefore, you need to use a tool that can query the OCP API, retrieve the follo
             <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.2.10</xccdf-1.2:reference>
             <xccdf-1.2:rationale>Without cryptographic integrity protections, information can be
 altered by unauthorized users without detection.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4.10_or_ocp4.11_or_ocp4.9"/>
+            <xccdf-1.2:platform idref="#ocp4.10_or_ocp4.11_or_ocp4.12_or_ocp4.9"/>
             <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83396-2</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
               <xccdf-1.2:check-export export-name="oval:ssg-var_apiserver_kubelet_client_cert:var:1" value-id="xccdf_org.ssgproject.content_value_var_apiserver_kubelet_client_cert"/>
@@ -7747,6 +8054,125 @@ altered by unauthorized users without detection.</xccdf-1.2:rationale>
               <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_configure_tls_cert_pre_4_9_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_configure_tls_cipher_suites" severity="medium">
+            <xccdf-1.2:title>Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers</xccdf-1.2:title>
+            <xccdf-1.2:description>Ensure that the Kubelet is configured to only use strong cryptographic ciphers.
+To set the cipher suites for the kubelet, create new or modify existing
+<html:code>KubeletConfig</html:code> object along these lines, one for every
+<html:code>MachineConfigPool</html:code>:
+  <html:pre>
+  apiVersion: machineconfiguration.openshift.io/v1
+  kind: KubeletConfig
+  metadata:
+     name: kubelet-config-$pool
+  spec:
+      machineConfigPoolSelector:
+          matchLabels:
+              pools.operator.machineconfiguration.openshift.io/$pool_name: ""
+      kubeletConfig:
+        tlsCipherSuites:
+        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
+        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+  </html:pre>
+In order to configure this rule to check for an alternative cipher, both var_kubelet_tls_cipher_suites_regex
+and var_kubelet_tls_cipher_suites have to be set</xccdf-1.2:description>
+            <xccdf-1.2:warning category="general">This rule's check operates on the cluster configuration dump. This will be a Platform rule, var_role_worker and var_role_master needed to be set if scan is not expected to run on master, and worker nodes.
+Therefore, you need to use a tool that can query the OCP API, retrieve KubeletConfig through <html:code class="ocp-api-endpoint-kubeletconfig">"/api/v1/nodes/NODE_NAME/proxy/configz"</html:code> API endpoint to the local <html:code class="ocp-dump-location-kubeletconfig"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>"/kubeletconfig/role/role"</html:code> file.</xccdf-1.2:warning>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.2.13</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>TLS ciphers have had a number of known vulnerabilities and weaknesses,
+which can reduce the protection provided by them. By default Kubernetes
+supports a number of TLS ciphersuites including some that have security
+concerns, weakening the protection provided.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-86030-4</xccdf-1.2:ident>
+            <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="kubelet_configure_tls_cipher_suites">---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: KubeletConfig
+metadata:
+  annotations:
+    complianceascode.io/node-role: "{{.var_role_worker}}"
+spec:
+  kubeletConfig:
+    tlsCipherSuites: [{{.var_kubelet_tls_cipher_suites}}]
+---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: KubeletConfig
+metadata:
+  annotations:
+    complianceascode.io/node-role: "{{.var_role_master}}"
+spec:
+  kubeletConfig:
+    tlsCipherSuites: [{{.var_kubelet_tls_cipher_suites}}]
+</xccdf-1.2:fix>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_worker:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_worker"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_master:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_master"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_kubelet_tls_cipher_suites_regex:var:1" value-id="xccdf_org.ssgproject.content_value_var_kubelet_tls_cipher_suites_regex"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_configure_tls_cipher_suites:def:1"/>
+            </xccdf-1.2:check>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_configure_tls_cipher_suites_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_configure_tls_cipher_suites_deprecated" severity="medium">
+            <xccdf-1.2:title>Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers</xccdf-1.2:title>
+            <xccdf-1.2:description>Ensure that the Kubelet is configured to only use strong cryptographic ciphers.
+To set the cipher suites for the kubelet, create new or modify existing
+<html:code>KubeletConfig</html:code> object along these lines, one for every
+<html:code>MachineConfigPool</html:code>:
+  <html:pre>
+  apiVersion: machineconfiguration.openshift.io/v1
+  kind: KubeletConfig
+  metadata:
+     name: kubelet-config-$pool
+  spec:
+      machineConfigPoolSelector:
+          matchLabels:
+              pools.operator.machineconfiguration.openshift.io/$pool_name: ""
+      kubeletConfig:
+        tlsCipherSuites:
+        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+  </html:pre>
+In order to configure this rule to check for an alternative cipher, both var_kubelet_tls_cipher_suites_regex
+and var_kubelet_tls_cipher_suites have to be set</xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.2.13</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>TLS ciphers have had a number of known vulnerabilities and weaknesses,
+which can reduce the protection provided by them. By default Kubernetes
+supports a number of TLS ciphersuites including some that have security
+concerns, weakening the protection provided.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-node"/>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-export export-name="oval:ssg-var_kubelet_tls_cipher_suites_regex:var:1" value-id="xccdf_org.ssgproject.content_value_var_kubelet_tls_cipher_suites_regex"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_configure_tls_cipher_suites_deprecated:def:1"/>
+            </xccdf-1.2:check>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_configure_tls_cipher_suites_deprecated_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
           <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_configure_tls_cipher_suites_ingresscontroller" severity="medium">
             <xccdf-1.2:title>Ensure that the Ingress Controller only makes use of Strong Cryptographic Ciphers</xccdf-1.2:title>
             <xccdf-1.2:description>Ensure that the Ingress Controller is configured to only use strong cryptographic ciphers.</xccdf-1.2:description>
@@ -7817,6 +8243,56 @@ spec:
               <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_configure_tls_cipher_suites_kubeapiserver_operator_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_configure_tls_cipher_suites_master" severity="medium">
+            <xccdf-1.2:title>Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers</xccdf-1.2:title>
+            <xccdf-1.2:description>Ensure that the Kubelet is configured to only use strong cryptographic ciphers.
+To set the cipher suites for the kubelet, create new or modify existing
+<html:code>KubeletConfig</html:code> object along these lines, one for every
+<html:code>MachineConfigPool</html:code>:
+  <html:pre>
+  apiVersion: machineconfiguration.openshift.io/v1
+  kind: KubeletConfig
+  metadata:
+     name: kubelet-config-$pool
+  spec:
+      machineConfigPoolSelector:
+          matchLabels:
+              pools.operator.machineconfiguration.openshift.io/$pool_name: ""
+      kubeletConfig:
+        tlsCipherSuites:
+        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
+        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+  </html:pre>
+In order to configure this rule to check for an alternative cipher, both var_kubelet_tls_cipher_suites_regex
+and var_kubelet_tls_cipher_suites have to be set</xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.2.13</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>TLS ciphers have had a number of known vulnerabilities and weaknesses,
+which can reduce the protection provided by them. By default Kubernetes
+supports a number of TLS ciphersuites including some that have security
+concerns, weakening the protection provided.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4"/>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_master:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_master"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_kubelet_tls_cipher_suites_regex:var:1" value-id="xccdf_org.ssgproject.content_value_var_kubelet_tls_cipher_suites_regex"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_configure_tls_cipher_suites_master:def:1"/>
+            </xccdf-1.2:check>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_configure_tls_cipher_suites_master_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
           <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_configure_tls_cipher_suites_openshiftapiserver_operator" severity="medium">
             <xccdf-1.2:title>Ensure that the OpenShift API Server Operator only makes use of Strong Cryptographic Ciphers</xccdf-1.2:title>
             <xccdf-1.2:description>Ensure that the OpenShift API Server Operator is configured to only use strong cryptographic ciphers.</xccdf-1.2:description>
@@ -7873,6 +8349,8 @@ To set the cipher suites for the kubelet, create new or modify existing
         - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
         - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
         - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
+        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
   </html:pre>
 In order to configure this rule to check for an alternative cipher, both var_kubelet_tls_cipher_suites_regex
 and var_kubelet_tls_cipher_suites have to be set</xccdf-1.2:description>
@@ -7889,17 +8367,11 @@ and var_kubelet_tls_cipher_suites have to be set</xccdf-1.2:description>
 which can reduce the protection provided by them. By default Kubernetes
 supports a number of TLS ciphersuites including some that have security
 concerns, weakening the protection provided.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-node"/>
-            <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="kubelet_configure_tls_cipher_suites_worker">---
-# {{.var_kubelet_tls_cipher_suites_regex}} we have to put variable array name here for mutilines remediation 
-apiVersion: machineconfiguration.openshift.io/v1
-kind: KubeletConfig
-spec:
-  kubeletConfig:
-    tlsCipherSuites: [{{.var_kubelet_tls_cipher_suites}}]
-</xccdf-1.2:fix>
+            <xccdf-1.2:platform idref="#ocp4"/>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_worker:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_worker"/>
               <xccdf-1.2:check-export export-name="oval:ssg-var_kubelet_tls_cipher_suites_regex:var:1" value-id="xccdf_org.ssgproject.content_value_var_kubelet_tls_cipher_suites_regex"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
               <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_configure_tls_cipher_suites_worker:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
@@ -7934,7 +8406,7 @@ Therefore, you need to use a tool that can query the OCP API, retrieve the follo
             <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.2.10</xccdf-1.2:reference>
             <xccdf-1.2:rationale>Without cryptographic integrity protections, information can be
 altered by unauthorized users without detection.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4.10_or_ocp4.11_or_ocp4.9"/>
+            <xccdf-1.2:platform idref="#ocp4.10_or_ocp4.11_or_ocp4.12_or_ocp4.9"/>
             <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-90614-9</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
               <xccdf-1.2:check-export export-name="oval:ssg-var_apiserver_kubelet_client_key:var:1" value-id="xccdf_org.ssgproject.content_value_var_apiserver_kubelet_client_key"/>
@@ -7993,9 +8465,78 @@ and validation.
 However, in some cases explicit overriding this parameter is
 necessary to ensure that the appropriate node name stays as it is in case of
 certain upgrade conditions. e.g. as is the case in AWS and OpenStack when migrating
+to external cloud providers.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4"/>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_disable_hostname_override_deprecated" severity="low">
+            <xccdf-1.2:title>kubelet - Hostname Override handling</xccdf-1.2:title>
+            <xccdf-1.2:description>Normally, OpenShift lets the kubelet get the hostname from either the
+cloud provider itself, or from the node's hostname. This ensures that
+the PKI allocated by the deployment uses the appropriate values, is valid
+and keeps working throughout the lifecycle of the cluster. IP addresses
+are not used, and hence this makes it easier for security analysts to
+associate kubelet logs with the appropriate node.</xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-3 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-3 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.2.8</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>Allowing hostnames to be overridden creates issues around resolving nodes
+in addition to TLS configuration, certificate validation, and log correlation
+and validation.
+However, in some cases explicit overriding this parameter is
+necessary to ensure that the appropriate node name stays as it is in case of
+certain upgrade conditions. e.g. as is the case in AWS and OpenStack when migrating
 to external cloud providers.</xccdf-1.2:rationale>
             <xccdf-1.2:platform idref="#ocp4-node"/>
           </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_disable_hostname_override_master" severity="low">
+            <xccdf-1.2:title>kubelet - Hostname Override handling</xccdf-1.2:title>
+            <xccdf-1.2:description>Normally, OpenShift lets the kubelet get the hostname from either the
+cloud provider itself, or from the node's hostname. This ensures that
+the PKI allocated by the deployment uses the appropriate values, is valid
+and keeps working throughout the lifecycle of the cluster. IP addresses
+are not used, and hence this makes it easier for security analysts to
+associate kubelet logs with the appropriate node.</xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-3 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-3 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.2.8</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>Allowing hostnames to be overridden creates issues around resolving nodes
+in addition to TLS configuration, certificate validation, and log correlation
+and validation.
+However, in some cases explicit overriding this parameter is
+necessary to ensure that the appropriate node name stays as it is in case of
+certain upgrade conditions. e.g. as is the case in AWS and OpenStack when migrating
+to external cloud providers.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4"/>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_disable_hostname_override_worker" severity="low">
+            <xccdf-1.2:title>kubelet - Hostname Override handling</xccdf-1.2:title>
+            <xccdf-1.2:description>Normally, OpenShift lets the kubelet get the hostname from either the
+cloud provider itself, or from the node's hostname. This ensures that
+the PKI allocated by the deployment uses the appropriate values, is valid
+and keeps working throughout the lifecycle of the cluster. IP addresses
+are not used, and hence this makes it easier for security analysts to
+associate kubelet logs with the appropriate node.</xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-3 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-3 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.2.8</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>Allowing hostnames to be overridden creates issues around resolving nodes
+in addition to TLS configuration, certificate validation, and log correlation
+and validation.
+However, in some cases explicit overriding this parameter is
+necessary to ensure that the appropriate node name stays as it is in case of
+certain upgrade conditions. e.g. as is the case in AWS and OpenStack when migrating
+to external cloud providers.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4"/>
+          </xccdf-1.2:Rule>
           <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_disable_readonly_port" severity="medium">
             <xccdf-1.2:title>kubelet - Disable the Read-Only Port</xccdf-1.2:title>
             <xccdf-1.2:description>To disable the read-only port, edit the kubelet configuration
@@ -8041,7 +8582,7 @@ system.</xccdf-1.2:rationale>
               <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_disable_readonly_port_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_enable_cert_rotation_worker" severity="medium">
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_enable_cert_rotation" severity="medium">
             <xccdf-1.2:title>kubelet - Enable Certificate Rotation</xccdf-1.2:title>
             <xccdf-1.2:description>To enable the kubelet to rotate client certificates, edit the kubelet configuration
 file <html:code>/etc/kubernetes/kubelet.conf</html:code>
@@ -8051,6 +8592,8 @@ on the kubelet node(s) and set the below parameter:
 rotateCertificates: true
 ...
 </html:pre></xccdf-1.2:description>
+            <xccdf-1.2:warning category="general">This rule's check operates on the cluster configuration dump. This will be a Platform rule, var_role_worker and var_role_master needed to be set if scan is not expected to run on master, and worker nodes.
+Therefore, you need to use a tool that can query the OCP API, retrieve KubeletConfig through <html:code class="ocp-api-endpoint-kubeletconfig">"/api/v1/nodes/NODE_NAME/proxy/configz"</html:code> API endpoint to the local <html:code class="ocp-dump-location-kubeletconfig"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>"/kubeletconfig/role/role"</html:code> file.</xccdf-1.2:warning>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
@@ -8062,9 +8605,103 @@ rotateCertificates: true
             <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.2.11</xccdf-1.2:reference>
             <xccdf-1.2:rationale>Allowing the kubelet to auto-update the certificates ensure that there is no downtime
 in certificate renewal as well as ensures confidentiality and integrity.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-node"/>
+            <xccdf-1.2:platform idref="#ocp4"/>
             <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83838-3</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_worker:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_worker"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_master:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_master"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_enable_cert_rotation:def:1"/>
+            </xccdf-1.2:check>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_enable_cert_rotation_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_enable_cert_rotation_deprecated" severity="medium">
+            <xccdf-1.2:title>kubelet - Enable Certificate Rotation</xccdf-1.2:title>
+            <xccdf-1.2:description>To enable the kubelet to rotate client certificates, edit the kubelet configuration
+file <html:code>/etc/kubernetes/kubelet.conf</html:code>
+on the kubelet node(s) and set the below parameter:
+<html:pre>
+...
+rotateCertificates: true
+...
+</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.2.11</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>Allowing the kubelet to auto-update the certificates ensure that there is no downtime
+in certificate renewal as well as ensures confidentiality and integrity.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-node"/>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_enable_cert_rotation_deprecated:def:1"/>
+            </xccdf-1.2:check>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_enable_cert_rotation_deprecated_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_enable_cert_rotation_master" severity="medium">
+            <xccdf-1.2:title>kubelet - Enable Certificate Rotation</xccdf-1.2:title>
+            <xccdf-1.2:description>To enable the kubelet to rotate client certificates, edit the kubelet configuration
+file <html:code>/etc/kubernetes/kubelet.conf</html:code>
+on the kubelet node(s) and set the below parameter:
+<html:pre>
+...
+rotateCertificates: true
+...
+</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.2.11</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>Allowing the kubelet to auto-update the certificates ensure that there is no downtime
+in certificate renewal as well as ensures confidentiality and integrity.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4"/>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_master:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_master"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_enable_cert_rotation_master:def:1"/>
+            </xccdf-1.2:check>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_enable_cert_rotation_master_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_enable_cert_rotation_worker" severity="medium">
+            <xccdf-1.2:title>kubelet - Enable Certificate Rotation</xccdf-1.2:title>
+            <xccdf-1.2:description>To enable the kubelet to rotate client certificates, edit the kubelet configuration
+file <html:code>/etc/kubernetes/kubelet.conf</html:code>
+on the kubelet node(s) and set the below parameter:
+<html:pre>
+...
+rotateCertificates: true
+...
+</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.2.11</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>Allowing the kubelet to auto-update the certificates ensure that there is no downtime
+in certificate renewal as well as ensures confidentiality and integrity.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4"/>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_worker:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_worker"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
               <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_enable_cert_rotation_worker:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
@@ -8082,6 +8719,8 @@ featureGates:
   RotateKubeletClientCertificate: true
 ...
 </html:pre></xccdf-1.2:description>
+            <xccdf-1.2:warning category="general">This rule's check operates on the cluster configuration dump. This will be a Platform rule, var_role_worker and var_role_master needed to be set if scan is not expected to run on master, and worker nodes.
+Therefore, you need to use a tool that can query the OCP API, retrieve KubeletConfig through <html:code class="ocp-api-endpoint-kubeletconfig">"/api/v1/nodes/NODE_NAME/proxy/configz"</html:code> API endpoint to the local <html:code class="ocp-dump-location-kubeletconfig"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>"/kubeletconfig/role/role"</html:code> file.</xccdf-1.2:warning>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
@@ -8093,15 +8732,81 @@ featureGates:
             <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.2.11</xccdf-1.2:reference>
             <xccdf-1.2:rationale>Allowing the kubelet to auto-update the certificates ensure that there is no downtime
 in certificate renewal as well as ensures confidentiality and integrity.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-node"/>
+            <xccdf-1.2:platform idref="#ocp4"/>
             <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83352-5</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_master:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_master"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
               <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_enable_client_cert_rotation:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
               <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_enable_client_cert_rotation_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_enable_client_cert_rotation_master" severity="medium">
+            <xccdf-1.2:title>kubelet - Enable Client Certificate Rotation</xccdf-1.2:title>
+            <xccdf-1.2:description>To enable the kubelet to rotate client certificates, edit the kubelet configuration
+file <html:code>/etc/kubernetes/kubelet.conf</html:code>
+on the kubelet node(s) and set the below parameter:
+<html:pre>
+featureGates:
+...
+  RotateKubeletClientCertificate: true
+...
+</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.2.11</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>Allowing the kubelet to auto-update the certificates ensure that there is no downtime
+in certificate renewal as well as ensures confidentiality and integrity.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4"/>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_master:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_master"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_enable_client_cert_rotation_master:def:1"/>
+            </xccdf-1.2:check>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_enable_client_cert_rotation_master_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_enable_client_cert_rotation_worker" severity="medium">
+            <xccdf-1.2:title>kubelet - Enable Client Certificate Rotation</xccdf-1.2:title>
+            <xccdf-1.2:description>To enable the kubelet to rotate client certificates, edit the kubelet configuration
+file <html:code>/etc/kubernetes/kubelet.conf</html:code>
+on the kubelet node(s) and set the below parameter:
+<html:pre>
+featureGates:
+...
+  RotateKubeletClientCertificate: true
+...
+</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.2.11</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>Allowing the kubelet to auto-update the certificates ensure that there is no downtime
+in certificate renewal as well as ensures confidentiality and integrity.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4"/>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_master:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_master"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_enable_client_cert_rotation_worker:def:1"/>
+            </xccdf-1.2:check>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_enable_client_cert_rotation_worker_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
           <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_enable_iptables_util_chains" severity="medium">
             <xccdf-1.2:title>kubelet - Allow Automatic Firewall Configuration</xccdf-1.2:title>
             <xccdf-1.2:description>The kubelet has the ability to automatically configure the firewall to allow
@@ -8111,6 +8816,8 @@ To allow the kubelet to modify the firewall, edit the kubelet configuration
 file <html:code>/etc/kubernetes/kubelet.conf</html:code>
 on the kubelet node(s) and set the below parameter:
 <html:pre>makeIPTablesUtilChains: true</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:warning category="general">This rule's check operates on the cluster configuration dump. This will be a Platform rule, var_role_worker and var_role_master needed to be set if scan is not expected to run on master, and worker nodes.
+Therefore, you need to use a tool that can query the OCP API, retrieve KubeletConfig through <html:code class="ocp-api-endpoint-kubeletconfig">"/api/v1/nodes/NODE_NAME/proxy/configz"</html:code> API endpoint to the local <html:code class="ocp-dump-location-kubeletconfig"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>"/kubeletconfig/role/role"</html:code> file.</xccdf-1.2:warning>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
@@ -8124,21 +8831,152 @@ on the kubelet node(s) and set the below parameter:
 networking traffic through. This ensures that when a pod or container is running that
 the correct ports are configured as well as removing the ports when a pod or
 container is no longer in existence.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-node"/>
+            <xccdf-1.2:platform idref="#ocp4"/>
             <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83775-7</xccdf-1.2:ident>
             <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="kubelet_enable_iptables_util_chains">---
 apiVersion: machineconfiguration.openshift.io/v1
 kind: KubeletConfig
+metadata:
+  annotations:
+    complianceascode.io/node-role: "{{.var_role_worker}}"
 spec:
   kubeletConfig:
     makeIPTablesUtilChains: true
-</xccdf-1.2:fix>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_enable_iptables_util_chains:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_enable_iptables_util_chains_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
+---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: KubeletConfig
+metadata:
+  annotations:
+    complianceascode.io/node-role: "{{.var_role_master}}"
+spec:
+  kubeletConfig:
+    makeIPTablesUtilChains: true
+</xccdf-1.2:fix>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_worker:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_worker"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_master:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_master"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_enable_iptables_util_chains:def:1"/>
+            </xccdf-1.2:check>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_enable_iptables_util_chains_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_enable_iptables_util_chains_deprecated" severity="medium">
+            <xccdf-1.2:title>kubelet - Allow Automatic Firewall Configuration</xccdf-1.2:title>
+            <xccdf-1.2:description>The kubelet has the ability to automatically configure the firewall to allow
+the containers required ports and connections to networking resources and destinations
+parameters potentially creating a security incident.
+To allow the kubelet to modify the firewall, edit the kubelet configuration
+file <html:code>/etc/kubernetes/kubelet.conf</html:code>
+on the kubelet node(s) and set the below parameter:
+<html:pre>makeIPTablesUtilChains: true</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.2.7</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>The kubelet should automatically configure the firewall settings to allow access and
+networking traffic through. This ensures that when a pod or container is running that
+the correct ports are configured as well as removing the ports when a pod or
+container is no longer in existence.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-node"/>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_enable_iptables_util_chains_deprecated:def:1"/>
+            </xccdf-1.2:check>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_enable_iptables_util_chains_deprecated_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_enable_iptables_util_chains_master" severity="medium">
+            <xccdf-1.2:title>kubelet - Allow Automatic Firewall Configuration</xccdf-1.2:title>
+            <xccdf-1.2:description>The kubelet has the ability to automatically configure the firewall to allow
+the containers required ports and connections to networking resources and destinations
+parameters potentially creating a security incident.
+To allow the kubelet to modify the firewall, edit the kubelet configuration
+To set the <html:code>makeIPTablesUtilChains</html:code> option for the kubelet,
+create a <html:code>KubeletConfig</html:code> option along these lines:
+<html:pre>
+apiVersion: machineconfiguration.openshift.io/v1
+kind: KubeletConfig
+metadata:
+   name: kubelet-config-$pool
+spec:
+    machineConfigPoolSelector:
+        matchLabels:
+            pools.operator.machineconfiguration.openshift.io/$pool_name: ""
+    kubeletConfig:
+        makeIPTablesUtilChains: true
+</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.2.7</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>The kubelet should automatically configure the firewall settings to allow access and
+networking traffic through. This ensures that when a pod or container is running that
+the correct ports are configured as well as removing the ports when a pod or
+container is no longer in existence.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4"/>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_master:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_master"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_enable_iptables_util_chains_master:def:1"/>
+            </xccdf-1.2:check>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_enable_iptables_util_chains_master_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_enable_iptables_util_chains_worker" severity="medium">
+            <xccdf-1.2:title>kubelet - Allow Automatic Firewall Configuration</xccdf-1.2:title>
+            <xccdf-1.2:description>The kubelet has the ability to automatically configure the firewall to allow
+the containers required ports and connections to networking resources and destinations
+parameters potentially creating a security incident.
+To allow the kubelet to modify the firewall, edit the kubelet configuration
+To set the <html:code>makeIPTablesUtilChains</html:code> option for the kubelet,
+create a <html:code>KubeletConfig</html:code> option along these lines:
+<html:pre>
+apiVersion: machineconfiguration.openshift.io/v1
+kind: KubeletConfig
+metadata:
+   name: kubelet-config-$pool
+spec:
+    machineConfigPoolSelector:
+        matchLabels:
+            pools.operator.machineconfiguration.openshift.io/$pool_name: ""
+    kubeletConfig:
+        makeIPTablesUtilChains: true
+</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.2.7</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>The kubelet should automatically configure the firewall settings to allow access and
+networking traffic through. This ensures that when a pod or container is running that
+the correct ports are configured as well as removing the ports when a pod or
+container is no longer in existence.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4"/>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_worker:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_worker"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_enable_iptables_util_chains_worker:def:1"/>
+            </xccdf-1.2:check>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_enable_iptables_util_chains_worker_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
           </xccdf-1.2:Rule>
           <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_enable_protect_kernel_defaults" severity="medium">
             <xccdf-1.2:title>kubelet - Enable Protect Kernel Defaults</xccdf-1.2:title>
@@ -8854,7 +9692,7 @@ kernel behavior.</xccdf-1.2:rationale>
               <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_enable_protect_kernel_sysctl_vm_panic_on_oom_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_enable_server_cert_rotation_worker" severity="medium">
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_enable_server_cert_rotation" severity="medium">
             <xccdf-1.2:title>kubelet - Enable Server Certificate Rotation</xccdf-1.2:title>
             <xccdf-1.2:description>To enable the kubelet to rotate server certificates, edit the kubelet configuration
 file <html:code>/etc/kubernetes/kubelet.conf</html:code>
@@ -8865,6 +9703,8 @@ featureGates:
   RotateKubeletServerCertificate: true
 ...
 </html:pre></xccdf-1.2:description>
+            <xccdf-1.2:warning category="general">This rule's check operates on the cluster configuration dump. This will be a Platform rule, var_role_worker and var_role_master needed to be set if scan is not expected to run on master, and worker nodes.
+Therefore, you need to use a tool that can query the OCP API, retrieve KubeletConfig through <html:code class="ocp-api-endpoint-kubeletconfig">"/api/v1/nodes/NODE_NAME/proxy/configz"</html:code> API endpoint to the local <html:code class="ocp-dump-location-kubeletconfig"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>"/kubeletconfig/role/role"</html:code> file.</xccdf-1.2:warning>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
@@ -8876,16 +9716,178 @@ featureGates:
             <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.2.12</xccdf-1.2:reference>
             <xccdf-1.2:rationale>Allowing the kubelet to auto-update the certificates ensure that there is no downtime
 in certificate renewal as well as ensures confidentiality and integrity.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-node"/>
+            <xccdf-1.2:platform idref="#ocp4"/>
             <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83356-6</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_worker:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_worker"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_master:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_master"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_enable_server_cert_rotation:def:1"/>
+            </xccdf-1.2:check>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_enable_server_cert_rotation_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_enable_server_cert_rotation_deprecated" severity="medium">
+            <xccdf-1.2:title>kubelet - Enable Server Certificate Rotation</xccdf-1.2:title>
+            <xccdf-1.2:description>To enable the kubelet to rotate server certificates, edit the kubelet configuration
+file <html:code>/etc/kubernetes/kubelet.conf</html:code>
+on the kubelet node(s) and set the below parameter:
+<html:pre>
+featureGates:
+...
+  RotateKubeletServerCertificate: true
+...
+</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.2.12</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>Allowing the kubelet to auto-update the certificates ensure that there is no downtime
+in certificate renewal as well as ensures confidentiality and integrity.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-node"/>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_enable_server_cert_rotation_deprecated:def:1"/>
+            </xccdf-1.2:check>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_enable_server_cert_rotation_deprecated_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_enable_server_cert_rotation_master" severity="medium">
+            <xccdf-1.2:title>kubelet - Enable Server Certificate Rotation</xccdf-1.2:title>
+            <xccdf-1.2:description>To enable the kubelet to rotate server certificates, edit the kubelet configuration
+file <html:code>/etc/kubernetes/kubelet.conf</html:code>
+on the kubelet node(s) and set the below parameter:
+<html:pre>
+featureGates:
+...
+  RotateKubeletServerCertificate: true
+...
+</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.2.12</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>Allowing the kubelet to auto-update the certificates ensure that there is no downtime
+in certificate renewal as well as ensures confidentiality and integrity.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4"/>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_master:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_master"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_enable_server_cert_rotation_master:def:1"/>
+            </xccdf-1.2:check>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_enable_server_cert_rotation_master_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_enable_server_cert_rotation_worker" severity="medium">
+            <xccdf-1.2:title>kubelet - Enable Server Certificate Rotation</xccdf-1.2:title>
+            <xccdf-1.2:description>To enable the kubelet to rotate server certificates, edit the kubelet configuration
+file <html:code>/etc/kubernetes/kubelet.conf</html:code>
+on the kubelet node(s) and set the below parameter:
+<html:pre>
+featureGates:
+...
+  RotateKubeletServerCertificate: true
+...
+</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.2.12</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>Allowing the kubelet to auto-update the certificates ensure that there is no downtime
+in certificate renewal as well as ensures confidentiality and integrity.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4"/>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_worker:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_worker"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
               <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_enable_server_cert_rotation_worker:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
               <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_enable_server_cert_rotation_worker_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_enable_streaming_connections_worker" severity="medium">
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_enable_streaming_connections" severity="medium">
+            <xccdf-1.2:title>kubelet - Do Not Disable Streaming Timeouts</xccdf-1.2:title>
+            <xccdf-1.2:description>Timouts for streaming connections should not be disabled as they help to prevent
+denial-of-service attacks.
+To configure streaming connection timeouts
+To set the <html:code>streamingConnectionIdleTimeout</html:code> option for the kubelet,
+create a <html:code>KubeletConfig</html:code> option along these lines:
+<html:pre>
+apiVersion: machineconfiguration.openshift.io/v1
+kind: KubeletConfig
+metadata:
+   name: kubelet-config-$pool
+spec:
+    machineConfigPoolSelector:
+        matchLabels:
+            pools.operator.machineconfiguration.openshift.io/$pool_name: ""
+    kubeletConfig:
+        streamingConnectionIdleTimeout: <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_streaming_connection_timeouts" use="legacy"/>
+</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:warning category="general">This rule's check operates on the cluster configuration dump. This will be a Platform rule, var_role_worker and var_role_master needed to be set if scan is not expected to run on master, and worker nodes.
+Therefore, you need to use a tool that can query the OCP API, retrieve KubeletConfig through <html:code class="ocp-api-endpoint-kubeletconfig">"/api/v1/nodes/NODE_NAME/proxy/configz"</html:code> API endpoint to the local <html:code class="ocp-dump-location-kubeletconfig"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>"/kubeletconfig/role/role"</html:code> file.</xccdf-1.2:warning>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.2.5</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>Ensuring connections have timeouts helps to protect against denial-of-service attacks as
+well as disconnect inactive connections. In addition, setting connections timeouts helps
+to prevent from running out of ephemeral ports.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84097-5</xccdf-1.2:ident>
+            <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="kubelet_enable_streaming_connections">---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: KubeletConfig
+metadata:
+  annotations:
+    complianceascode.io/node-role: "{{.var_role_worker}}"
+spec:
+  kubeletConfig:
+    streamingConnectionIdleTimeout: {{.var_streaming_connection_timeouts}}
+---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: KubeletConfig
+metadata:
+  annotations:
+    complianceascode.io/node-role: "{{.var_role_master}}"
+spec:
+  kubeletConfig:
+    streamingConnectionIdleTimeout: {{.var_streaming_connection_timeouts}}
+</xccdf-1.2:fix>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-export export-name="oval:ssg-var_streaming_connection_timeouts:var:1" value-id="xccdf_org.ssgproject.content_value_var_streaming_connection_timeouts"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_worker:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_worker"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_master:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_master"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_enable_streaming_connections:def:1"/>
+            </xccdf-1.2:check>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_enable_streaming_connections_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_enable_streaming_connections_deprecated" severity="medium">
             <xccdf-1.2:title>kubelet - Do Not Disable Streaming Timeouts</xccdf-1.2:title>
             <xccdf-1.2:description>Timouts for streaming connections should not be disabled as they help to prevent
 denial-of-service attacks.
@@ -8906,23 +9908,99 @@ on the kubelet node(s) and set the below parameter:
 well as disconnect inactive connections. In addition, setting connections timeouts helps
 to prevent from running out of ephemeral ports.</xccdf-1.2:rationale>
             <xccdf-1.2:platform idref="#ocp4-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84097-5</xccdf-1.2:ident>
-            <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="kubelet_enable_streaming_connections_worker">---
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-export export-name="oval:ssg-var_streaming_connection_timeouts:var:1" value-id="xccdf_org.ssgproject.content_value_var_streaming_connection_timeouts"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_enable_streaming_connections_deprecated:def:1"/>
+            </xccdf-1.2:check>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_enable_streaming_connections_deprecated_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_enable_streaming_connections_master" severity="medium">
+            <xccdf-1.2:title>kubelet - Do Not Disable Streaming Timeouts</xccdf-1.2:title>
+            <xccdf-1.2:description>Timouts for streaming connections should not be disabled as they help to prevent
+denial-of-service attacks.
+To configure streaming connection timeouts
+To set the <html:code>streamingConnectionIdleTimeout</html:code> option for the kubelet,
+create a <html:code>KubeletConfig</html:code> option along these lines:
+<html:pre>
 apiVersion: machineconfiguration.openshift.io/v1
 kind: KubeletConfig
+metadata:
+   name: kubelet-config-$pool
 spec:
-  kubeletConfig:
-    streamingConnectionIdleTimeout: {{.var_streaming_connection_timeouts}}
-</xccdf-1.2:fix>
+    machineConfigPoolSelector:
+        matchLabels:
+            pools.operator.machineconfiguration.openshift.io/$pool_name: ""
+    kubeletConfig:
+        streamingConnectionIdleTimeout: <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_streaming_connection_timeouts" use="legacy"/>
+</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.2.5</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>Ensuring connections have timeouts helps to protect against denial-of-service attacks as
+well as disconnect inactive connections. In addition, setting connections timeouts helps
+to prevent from running out of ephemeral ports.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4"/>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-export export-name="oval:ssg-var_streaming_connection_timeouts:var:1" value-id="xccdf_org.ssgproject.content_value_var_streaming_connection_timeouts"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_master:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_master"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_enable_streaming_connections_master:def:1"/>
+            </xccdf-1.2:check>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_enable_streaming_connections_master_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_enable_streaming_connections_worker" severity="medium">
+            <xccdf-1.2:title>kubelet - Do Not Disable Streaming Timeouts</xccdf-1.2:title>
+            <xccdf-1.2:description>Timouts for streaming connections should not be disabled as they help to prevent
+denial-of-service attacks.
+To configure streaming connection timeouts
+To set the <html:code>streamingConnectionIdleTimeout</html:code> option for the kubelet,
+create a <html:code>KubeletConfig</html:code> option along these lines:
+<html:pre>
+apiVersion: machineconfiguration.openshift.io/v1
+kind: KubeletConfig
+metadata:
+   name: kubelet-config-$pool
+spec:
+    machineConfigPoolSelector:
+        matchLabels:
+            pools.operator.machineconfiguration.openshift.io/$pool_name: ""
+    kubeletConfig:
+        streamingConnectionIdleTimeout: <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_streaming_connection_timeouts" use="legacy"/>
+</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.2.5</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>Ensuring connections have timeouts helps to protect against denial-of-service attacks as
+well as disconnect inactive connections. In addition, setting connections timeouts helps
+to prevent from running out of ephemeral ports.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4"/>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
               <xccdf-1.2:check-export export-name="oval:ssg-var_streaming_connection_timeouts:var:1" value-id="xccdf_org.ssgproject.content_value_var_streaming_connection_timeouts"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_worker:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_worker"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
               <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_enable_streaming_connections_worker:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
               <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_enable_streaming_connections_worker_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_imagefs_available_worker" severity="medium">
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_imagefs_available" severity="medium">
             <xccdf-1.2:title>Ensure Eviction threshold Settings Are Set - evictionHard: imagefs.available</xccdf-1.2:title>
             <xccdf-1.2:description>
               <html:p>Two types of garbage collection are performed on an OpenShift Container Platform node:</html:p>
@@ -8954,6 +10032,8 @@ This rule pertains to the <html:code>imagefs.available</html:code> setting of th
 section.
 </html:p>
             </xccdf-1.2:description>
+            <xccdf-1.2:warning category="general">This rule's check operates on the cluster configuration dump. This will be a Platform rule, var_role_worker and var_role_master needed to be set if scan is not expected to run on master, and worker nodes.
+Therefore, you need to use a tool that can query the OCP API, retrieve KubeletConfig through <html:code class="ocp-api-endpoint-kubeletconfig">"/api/v1/nodes/NODE_NAME/proxy/configz"</html:code> API endpoint to the local <html:code class="ocp-dump-location-kubeletconfig"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>"/kubeletconfig/role/role"</html:code> file.</xccdf-1.2:warning>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
@@ -8968,11 +10048,13 @@ and avoiding degraded performance and availability. In the worst case, the
 system might crash or just be unusable for a long period of time.
 Based on your system resources and tests, choose an appropriate threshold
 value to activate garbage collection.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-node"/>
             <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84144-5</xccdf-1.2:ident>
-            <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="kubelet_eviction_thresholds_set_hard_imagefs_available_worker">---
+            <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="kubelet_eviction_thresholds_set_hard_imagefs_available">---
 apiVersion: machineconfiguration.openshift.io/v1
 kind: KubeletConfig
+metadata:
+  annotations:
+    complianceascode.io/node-role: "{{.var_role_worker}}"
 spec:
   kubeletConfig:
     evictionHard:
@@ -8980,19 +10062,45 @@ spec:
 ---
 apiVersion: machineconfiguration.openshift.io/v1
 kind: KubeletConfig
+metadata:
+  annotations:
+    complianceascode.io/node-role: "{{.var_role_worker}}"
+spec:
+  kubeletConfig:
+    evictionPressureTransitionPeriod: 0s
+---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: KubeletConfig
+metadata:
+  annotations:
+    complianceascode.io/node-role: "{{.var_role_master}}"
+spec:
+  kubeletConfig:
+    evictionHard:
+      imagefs.available: {{.var_kubelet_evictionhard_imagefs_available}}
+---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: KubeletConfig
+metadata:
+  annotations:
+    complianceascode.io/node-role: "{{.var_role_master}}"
 spec:
   kubeletConfig:
     evictionPressureTransitionPeriod: 0s
 </xccdf-1.2:fix>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_eviction_thresholds_set_hard_imagefs_available_worker:def:1"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_worker:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_worker"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_master:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_master"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_kubelet_evictionhard_imagefs_available:var:1" value-id="xccdf_org.ssgproject.content_value_var_kubelet_evictionhard_imagefs_available"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_eviction_thresholds_set_hard_imagefs_available:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_eviction_thresholds_set_hard_imagefs_available_worker_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_eviction_thresholds_set_hard_imagefs_available_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_worker" severity="medium">
-            <xccdf-1.2:title>Ensure Eviction threshold Settings Are Set - evictionHard: imagefs.inodesFree</xccdf-1.2:title>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_imagefs_available_deprecated" severity="medium">
+            <xccdf-1.2:title>Ensure Eviction threshold Settings Are Set - evictionHard: imagefs.available</xccdf-1.2:title>
             <xccdf-1.2:description>
               <html:p>Two types of garbage collection are performed on an OpenShift Container Platform node:</html:p>
               <html:ul>
@@ -9019,7 +10127,7 @@ To configure, follow the directions in
 <html:a href="https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring">the documentation</html:a>
 </html:p>
               <html:p>
-This rule pertains to the <html:code>imagefs.inodesFree</html:code> setting of the <html:code>evictionHard</html:code>
+This rule pertains to the <html:code>imagefs.available</html:code> setting of the <html:code>evictionHard</html:code>
 section.
 </html:p>
             </xccdf-1.2:description>
@@ -9038,30 +10146,15 @@ system might crash or just be unusable for a long period of time.
 Based on your system resources and tests, choose an appropriate threshold
 value to activate garbage collection.</xccdf-1.2:rationale>
             <xccdf-1.2:platform idref="#ocp4-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84147-8</xccdf-1.2:ident>
-            <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_worker">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: KubeletConfig
-spec:
-  kubeletConfig:
-    evictionHard:
-      imagefs.inodesFree: {{.var_kubelet_evictionhard_imagefs_inodesfree}}
----
-apiVersion: machineconfiguration.openshift.io/v1
-kind: KubeletConfig
-spec:
-  kubeletConfig:
-    evictionPressureTransitionPeriod: 0s
-</xccdf-1.2:fix>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_worker:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_eviction_thresholds_set_hard_imagefs_available_deprecated:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_worker_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_eviction_thresholds_set_hard_imagefs_available_deprecated_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_memory_available_worker" severity="medium">
-            <xccdf-1.2:title>Ensure Eviction threshold Settings Are Set - evictionHard: memory.available</xccdf-1.2:title>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_imagefs_available_master" severity="medium">
+            <xccdf-1.2:title>Ensure Eviction threshold Settings Are Set - evictionHard: imagefs.available</xccdf-1.2:title>
             <xccdf-1.2:description>
               <html:p>Two types of garbage collection are performed on an OpenShift Container Platform node:</html:p>
               <html:ul>
@@ -9088,7 +10181,7 @@ To configure, follow the directions in
 <html:a href="https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring">the documentation</html:a>
 </html:p>
               <html:p>
-This rule pertains to the <html:code>memory.available</html:code> setting of the <html:code>evictionHard</html:code>
+This rule pertains to the <html:code>imagefs.available</html:code> setting of the <html:code>evictionHard</html:code>
 section.
 </html:p>
             </xccdf-1.2:description>
@@ -9106,31 +10199,18 @@ and avoiding degraded performance and availability. In the worst case, the
 system might crash or just be unusable for a long period of time.
 Based on your system resources and tests, choose an appropriate threshold
 value to activate garbage collection.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84135-3</xccdf-1.2:ident>
-            <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="kubelet_eviction_thresholds_set_hard_memory_available_worker">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: KubeletConfig
-spec:
-  kubeletConfig:
-    evictionHard:
-      memory.available: {{.var_kubelet_evictionhard_memory_available}}
----
-apiVersion: machineconfiguration.openshift.io/v1
-kind: KubeletConfig
-spec:
-  kubeletConfig:
-    evictionPressureTransitionPeriod: 0s
-</xccdf-1.2:fix>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_eviction_thresholds_set_hard_memory_available_worker:def:1"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_master:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_master"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_kubelet_evictionhard_imagefs_available:var:1" value-id="xccdf_org.ssgproject.content_value_var_kubelet_evictionhard_imagefs_available"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_eviction_thresholds_set_hard_imagefs_available_master:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_eviction_thresholds_set_hard_memory_available_worker_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_eviction_thresholds_set_hard_imagefs_available_master_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_nodefs_available_worker" severity="medium">
-            <xccdf-1.2:title>Ensure Eviction threshold Settings Are Set - evictionHard: nodefs.available</xccdf-1.2:title>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_imagefs_available_worker" severity="medium">
+            <xccdf-1.2:title>Ensure Eviction threshold Settings Are Set - evictionHard: imagefs.available</xccdf-1.2:title>
             <xccdf-1.2:description>
               <html:p>Two types of garbage collection are performed on an OpenShift Container Platform node:</html:p>
               <html:ul>
@@ -9154,10 +10234,10 @@ Machine Config Pool using any combination of the following:
               </html:ul>
               <html:p>
 To configure, follow the directions in
-<html:a href="https://docs.openshift.com/container-platform/4.6/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring">the documentation</html:a>
+<html:a href="https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring">the documentation</html:a>
 </html:p>
               <html:p>
-This rule pertains to the <html:code>nodefs.available</html:code> setting of the <html:code>evictionHard</html:code>
+This rule pertains to the <html:code>imagefs.available</html:code> setting of the <html:code>evictionHard</html:code>
 section.
 </html:p>
             </xccdf-1.2:description>
@@ -9175,31 +10255,18 @@ and avoiding degraded performance and availability. In the worst case, the
 system might crash or just be unusable for a long period of time.
 Based on your system resources and tests, choose an appropriate threshold
 value to activate garbage collection.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84138-7</xccdf-1.2:ident>
-            <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="kubelet_eviction_thresholds_set_hard_nodefs_available_worker">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: KubeletConfig
-spec:
-  kubeletConfig:
-    evictionHard:
-      nodefs.available: {{.var_kubelet_evictionhard_nodefs_available}}
----
-apiVersion: machineconfiguration.openshift.io/v1
-kind: KubeletConfig
-spec:
-  kubeletConfig:
-    evictionPressureTransitionPeriod: 0s
-</xccdf-1.2:fix>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_eviction_thresholds_set_hard_nodefs_available_worker:def:1"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_worker:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_worker"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_kubelet_evictionhard_imagefs_available:var:1" value-id="xccdf_org.ssgproject.content_value_var_kubelet_evictionhard_imagefs_available"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_eviction_thresholds_set_hard_imagefs_available_worker:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_eviction_thresholds_set_hard_nodefs_available_worker_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_eviction_thresholds_set_hard_imagefs_available_worker_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_worker" severity="medium">
-            <xccdf-1.2:title>Ensure Eviction threshold Settings Are Set - evictionHard: nodefs.inodesFree</xccdf-1.2:title>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_imagefs_inodesfree" severity="medium">
+            <xccdf-1.2:title>Ensure Eviction threshold Settings Are Set - evictionHard: imagefs.inodesFree</xccdf-1.2:title>
             <xccdf-1.2:description>
               <html:p>Two types of garbage collection are performed on an OpenShift Container Platform node:</html:p>
               <html:ul>
@@ -9226,10 +10293,12 @@ To configure, follow the directions in
 <html:a href="https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring">the documentation</html:a>
 </html:p>
               <html:p>
-This rule pertains to the <html:code>nodefs.inodesFree</html:code> setting of the <html:code>evictionHard</html:code>
+This rule pertains to the <html:code>imagefs.inodesFree</html:code> setting of the <html:code>evictionHard</html:code>
 section.
 </html:p>
             </xccdf-1.2:description>
+            <xccdf-1.2:warning category="general">This rule's check operates on the cluster configuration dump. This will be a Platform rule, var_role_worker and var_role_master needed to be set if scan is not expected to run on master, and worker nodes.
+Therefore, you need to use a tool that can query the OCP API, retrieve KubeletConfig through <html:code class="ocp-api-endpoint-kubeletconfig">"/api/v1/nodes/NODE_NAME/proxy/configz"</html:code> API endpoint to the local <html:code class="ocp-dump-location-kubeletconfig"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>"/kubeletconfig/role/role"</html:code> file.</xccdf-1.2:warning>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
@@ -9244,31 +10313,59 @@ and avoiding degraded performance and availability. In the worst case, the
 system might crash or just be unusable for a long period of time.
 Based on your system resources and tests, choose an appropriate threshold
 value to activate garbage collection.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84141-1</xccdf-1.2:ident>
-            <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_worker">---
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84147-8</xccdf-1.2:ident>
+            <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="kubelet_eviction_thresholds_set_hard_imagefs_inodesfree">---
 apiVersion: machineconfiguration.openshift.io/v1
 kind: KubeletConfig
+metadata:
+  annotations:
+    complianceascode.io/node-role: "{{.var_role_worker}}"
 spec:
   kubeletConfig:
     evictionHard:
-      nodefs.inodesFree: {{.var_kubelet_evictionhard_nodefs_inodesfree}}
+      imagefs.inodesFree: {{.var_kubelet_evictionhard_imagefs_inodesfree}}
+---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: KubeletConfig
+metadata:
+  annotations:
+    complianceascode.io/node-role: "{{.var_role_worker}}"
+spec:
+  kubeletConfig:
+    evictionPressureTransitionPeriod: 0s
+---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: KubeletConfig
+metadata:
+  annotations:
+    complianceascode.io/node-role: "{{.var_role_master}}"
+spec:
+  kubeletConfig:
+    evictionHard:
+      imagefs.inodesFree: {{.var_kubelet_evictionhard_imagefs_inodesfree}}
 ---
 apiVersion: machineconfiguration.openshift.io/v1
 kind: KubeletConfig
+metadata:
+  annotations:
+    complianceascode.io/node-role: "{{.var_role_master}}"
 spec:
   kubeletConfig:
     evictionPressureTransitionPeriod: 0s
 </xccdf-1.2:fix>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_worker:def:1"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_worker:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_worker"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_master:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_master"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_kubelet_evictionhard_imagefs_inodesfree:var:1" value-id="xccdf_org.ssgproject.content_value_var_kubelet_evictionhard_imagefs_inodesfree"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_eviction_thresholds_set_hard_imagefs_inodesfree:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_worker_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_imagefs_available_worker" severity="medium">
-            <xccdf-1.2:title>Ensure Eviction threshold Settings Are Set - evictionSoft: imagefs.available</xccdf-1.2:title>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_deprecated" severity="medium">
+            <xccdf-1.2:title>Ensure Eviction threshold Settings Are Set - evictionHard: imagefs.inodesFree</xccdf-1.2:title>
             <xccdf-1.2:description>
               <html:p>Two types of garbage collection are performed on an OpenShift Container Platform node:</html:p>
               <html:ul>
@@ -9295,7 +10392,7 @@ To configure, follow the directions in
 <html:a href="https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring">the documentation</html:a>
 </html:p>
               <html:p>
-This rule pertains to the <html:code>imagefs.available</html:code> setting of the <html:code>evictionSoft</html:code>
+This rule pertains to the <html:code>imagefs.inodesFree</html:code> setting of the <html:code>evictionHard</html:code>
 section.
 </html:p>
             </xccdf-1.2:description>
@@ -9314,37 +10411,15 @@ system might crash or just be unusable for a long period of time.
 Based on your system resources and tests, choose an appropriate threshold
 value to activate garbage collection.</xccdf-1.2:rationale>
             <xccdf-1.2:platform idref="#ocp4-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84127-0</xccdf-1.2:ident>
-            <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="kubelet_eviction_thresholds_set_soft_imagefs_available_worker">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: KubeletConfig
-spec:
-  kubeletConfig:
-    evictionSoft:
-      imagefs.available: {{.var_kubelet_evictionsoft_imagefs_available}}
----
-apiVersion: machineconfiguration.openshift.io/v1
-kind: KubeletConfig
-spec:
-  kubeletConfig:
-    evictionSoftGracePeriod:
-      imagefs.available: "1m30s"
----
-apiVersion: machineconfiguration.openshift.io/v1
-kind: KubeletConfig
-spec:
-  kubeletConfig:
-    evictionPressureTransitionPeriod: 0s
-</xccdf-1.2:fix>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_eviction_thresholds_set_soft_imagefs_available_worker:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_deprecated:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_eviction_thresholds_set_soft_imagefs_available_worker_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_deprecated_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_worker" severity="medium">
-            <xccdf-1.2:title>Ensure Eviction threshold Settings Are Set - evictionSoft: imagefs.inodesFree</xccdf-1.2:title>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_master" severity="medium">
+            <xccdf-1.2:title>Ensure Eviction threshold Settings Are Set - evictionHard: imagefs.inodesFree</xccdf-1.2:title>
             <xccdf-1.2:description>
               <html:p>Two types of garbage collection are performed on an OpenShift Container Platform node:</html:p>
               <html:ul>
@@ -9371,7 +10446,7 @@ To configure, follow the directions in
 <html:a href="https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring">the documentation</html:a>
 </html:p>
               <html:p>
-This rule pertains to the <html:code>imagefs.inodesFree</html:code> setting of the <html:code>evictionSoft</html:code>
+This rule pertains to the <html:code>imagefs.inodesFree</html:code> setting of the <html:code>evictionHard</html:code>
 section.
 </html:p>
             </xccdf-1.2:description>
@@ -9389,38 +10464,18 @@ and avoiding degraded performance and availability. In the worst case, the
 system might crash or just be unusable for a long period of time.
 Based on your system resources and tests, choose an appropriate threshold
 value to activate garbage collection.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84132-0</xccdf-1.2:ident>
-            <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_worker">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: KubeletConfig
-spec:
-  kubeletConfig:
-    evictionSoft:
-      imagefs.inodesFree: {{.var_kubelet_evictionsoft_imagefs_inodesfree}}
----
-apiVersion: machineconfiguration.openshift.io/v1
-kind: KubeletConfig
-spec:
-  kubeletConfig:
-    evictionSoftGracePeriod:
-      imagefs.inodesFree: "1m30s"
----
-apiVersion: machineconfiguration.openshift.io/v1
-kind: KubeletConfig
-spec:
-  kubeletConfig:
-    evictionPressureTransitionPeriod: 0s
-</xccdf-1.2:fix>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_worker:def:1"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_master:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_master"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_kubelet_evictionhard_imagefs_inodesfree:var:1" value-id="xccdf_org.ssgproject.content_value_var_kubelet_evictionhard_imagefs_inodesfree"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_master:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_worker_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_master_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_memory_available_worker" severity="medium">
-            <xccdf-1.2:title>Ensure Eviction threshold Settings Are Set - evictionSoft: memory.available</xccdf-1.2:title>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_worker" severity="medium">
+            <xccdf-1.2:title>Ensure Eviction threshold Settings Are Set - evictionHard: imagefs.inodesFree</xccdf-1.2:title>
             <xccdf-1.2:description>
               <html:p>Two types of garbage collection are performed on an OpenShift Container Platform node:</html:p>
               <html:ul>
@@ -9447,7 +10502,7 @@ To configure, follow the directions in
 <html:a href="https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring">the documentation</html:a>
 </html:p>
               <html:p>
-This rule pertains to the <html:code>memory.available</html:code> setting of the <html:code>evictionSoft</html:code>
+This rule pertains to the <html:code>imagefs.inodesFree</html:code> setting of the <html:code>evictionHard</html:code>
 section.
 </html:p>
             </xccdf-1.2:description>
@@ -9465,38 +10520,18 @@ and avoiding degraded performance and availability. In the worst case, the
 system might crash or just be unusable for a long period of time.
 Based on your system resources and tests, choose an appropriate threshold
 value to activate garbage collection.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84222-9</xccdf-1.2:ident>
-            <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="kubelet_eviction_thresholds_set_soft_memory_available_worker">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: KubeletConfig
-spec:
-  kubeletConfig:
-    evictionSoft:
-      memory.available: {{.var_kubelet_evictionsoft_memory_available}}
----
-apiVersion: machineconfiguration.openshift.io/v1
-kind: KubeletConfig
-spec:
-  kubeletConfig:
-    evictionSoftGracePeriod:
-      memory.available: "1m30s"
----
-apiVersion: machineconfiguration.openshift.io/v1
-kind: KubeletConfig
-spec:
-  kubeletConfig:
-    evictionPressureTransitionPeriod: 0s
-</xccdf-1.2:fix>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_eviction_thresholds_set_soft_memory_available_worker:def:1"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_worker:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_worker"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_kubelet_evictionhard_imagefs_inodesfree:var:1" value-id="xccdf_org.ssgproject.content_value_var_kubelet_evictionhard_imagefs_inodesfree"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_worker:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_eviction_thresholds_set_soft_memory_available_worker_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_worker_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_nodefs_available_worker" severity="medium">
-            <xccdf-1.2:title>Ensure Eviction threshold Settings Are Set - evictionSoft: nodefs.available</xccdf-1.2:title>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_memory_available" severity="medium">
+            <xccdf-1.2:title>Ensure Eviction threshold Settings Are Set - evictionHard: memory.available</xccdf-1.2:title>
             <xccdf-1.2:description>
               <html:p>Two types of garbage collection are performed on an OpenShift Container Platform node:</html:p>
               <html:ul>
@@ -9520,13 +10555,15 @@ Machine Config Pool using any combination of the following:
               </html:ul>
               <html:p>
 To configure, follow the directions in
-<html:a href="https://docs.openshift.com/container-platform/4.6/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring">the documentation</html:a>
+<html:a href="https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring">the documentation</html:a>
 </html:p>
               <html:p>
-This rule pertains to the <html:code>nodefs.available</html:code> setting of the <html:code>evictionSoft</html:code>
+This rule pertains to the <html:code>memory.available</html:code> setting of the <html:code>evictionHard</html:code>
 section.
 </html:p>
             </xccdf-1.2:description>
+            <xccdf-1.2:warning category="general">This rule's check operates on the cluster configuration dump. This will be a Platform rule, var_role_worker and var_role_master needed to be set if scan is not expected to run on master, and worker nodes.
+Therefore, you need to use a tool that can query the OCP API, retrieve KubeletConfig through <html:code class="ocp-api-endpoint-kubeletconfig">"/api/v1/nodes/NODE_NAME/proxy/configz"</html:code> API endpoint to the local <html:code class="ocp-dump-location-kubeletconfig"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>"/kubeletconfig/role/role"</html:code> file.</xccdf-1.2:warning>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
@@ -9541,38 +10578,59 @@ and avoiding degraded performance and availability. In the worst case, the
 system might crash or just be unusable for a long period of time.
 Based on your system resources and tests, choose an appropriate threshold
 value to activate garbage collection.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84119-7</xccdf-1.2:ident>
-            <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="kubelet_eviction_thresholds_set_soft_nodefs_available_worker">---
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84135-3</xccdf-1.2:ident>
+            <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="kubelet_eviction_thresholds_set_hard_memory_available">---
 apiVersion: machineconfiguration.openshift.io/v1
 kind: KubeletConfig
+metadata:
+  annotations:
+    complianceascode.io/node-role: "{{.var_role_worker}}"
 spec:
   kubeletConfig:
-    evictionSoft:
-      nodefs.available: {{.var_kubelet_evictionsoft_nodefs_available}}
+    evictionHard:
+      memory.available: {{.var_kubelet_evictionhard_memory_available}}
 ---
 apiVersion: machineconfiguration.openshift.io/v1
 kind: KubeletConfig
+metadata:
+  annotations:
+    complianceascode.io/node-role: "{{.var_role_worker}}"
 spec:
   kubeletConfig:
-    evictionSoftGracePeriod:
-      nodefs.available: "1m30s"
+    evictionPressureTransitionPeriod: 0s
+---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: KubeletConfig
+metadata:
+  annotations:
+    complianceascode.io/node-role: "{{.var_role_master}}"
+spec:
+  kubeletConfig:
+    evictionHard:
+      memory.available: {{.var_kubelet_evictionhard_memory_available}}
 ---
 apiVersion: machineconfiguration.openshift.io/v1
 kind: KubeletConfig
+metadata:
+  annotations:
+    complianceascode.io/node-role: "{{.var_role_master}}"
 spec:
   kubeletConfig:
     evictionPressureTransitionPeriod: 0s
 </xccdf-1.2:fix>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_eviction_thresholds_set_soft_nodefs_available_worker:def:1"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_worker:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_worker"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_master:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_master"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_kubelet_evictionhard_memory_available:var:1" value-id="xccdf_org.ssgproject.content_value_var_kubelet_evictionhard_memory_available"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_eviction_thresholds_set_hard_memory_available:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_eviction_thresholds_set_soft_nodefs_available_worker_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_eviction_thresholds_set_hard_memory_available_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_worker" severity="medium">
-            <xccdf-1.2:title>Ensure Eviction threshold Settings Are Set - evictionSoft: nodefs.inodesFree</xccdf-1.2:title>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_memory_available_deprecated" severity="medium">
+            <xccdf-1.2:title>Ensure Eviction threshold Settings Are Set - evictionHard: memory.available</xccdf-1.2:title>
             <xccdf-1.2:description>
               <html:p>Two types of garbage collection are performed on an OpenShift Container Platform node:</html:p>
               <html:ul>
@@ -9599,7 +10657,7 @@ To configure, follow the directions in
 <html:a href="https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring">the documentation</html:a>
 </html:p>
               <html:p>
-This rule pertains to the <html:code>nodefs.inodesFree</html:code> setting of the <html:code>evictionSoft</html:code>
+This rule pertains to the <html:code>memory.available</html:code> setting of the <html:code>evictionHard</html:code>
 section.
 </html:p>
             </xccdf-1.2:description>
@@ -9618,1782 +10676,1259 @@ system might crash or just be unusable for a long period of time.
 Based on your system resources and tests, choose an appropriate threshold
 value to activate garbage collection.</xccdf-1.2:rationale>
             <xccdf-1.2:platform idref="#ocp4-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84123-9</xccdf-1.2:ident>
-            <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_worker">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: KubeletConfig
-spec:
-  kubeletConfig:
-    evictionSoft:
-      nodefs.inodesFree: {{.var_kubelet_evictionsoft_nodefs_inodesfree}}
----
-apiVersion: machineconfiguration.openshift.io/v1
-kind: KubeletConfig
-spec:
-  kubeletConfig:
-    evictionSoftGracePeriod:
-      nodefs.inodesFree: "1m30s"
----
-apiVersion: machineconfiguration.openshift.io/v1
-kind: KubeletConfig
-spec:
-  kubeletConfig:
-    evictionPressureTransitionPeriod: 0s
-</xccdf-1.2:fix>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_worker:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_eviction_thresholds_set_hard_memory_available_deprecated:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_worker_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_eviction_thresholds_set_hard_memory_available_deprecated_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_read_only_port_secured_worker" severity="medium">
-            <xccdf-1.2:title>kubelet - Ensure that the --read-only-port is secured</xccdf-1.2:title>
-            <xccdf-1.2:description>Disable the read-only port.</xccdf-1.2:description>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_memory_available_master" severity="medium">
+            <xccdf-1.2:title>Ensure Eviction threshold Settings Are Set - evictionHard: imagefs.inodesFree</xccdf-1.2:title>
+            <xccdf-1.2:description>
+              <html:p>Two types of garbage collection are performed on an OpenShift Container Platform node:</html:p>
+              <html:ul>
+                <html:li>Container garbage collection: Removes terminated containers.</html:li>
+                <html:li>Image garbage collection: Removes images not referenced by any running pods.</html:li>
+              </html:ul>
+              <html:p>
+Container garbage collection can be performed using eviction thresholds.
+Image garbage collection relies on disk usage as reported by cAdvisor on the
+node to decide which images to remove from the node.
+</html:p>
+              <html:p>
+The OpenShift administrator can configure how OpenShift Container Platform
+performs garbage collection by creating a kubeletConfig object for each
+Machine Config Pool using any combination of the following:
+</html:p>
+              <html:ul>
+                <html:li>soft eviction for containers</html:li>
+                <html:li>hard eviction for containers</html:li>
+                <html:li>eviction for images</html:li>
+              </html:ul>
+              <html:p>
+To configure, follow the directions in
+<html:a href="https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring">the documentation</html:a>
+</html:p>
+              <html:p>
+This rule pertains to the <html:code>imagefs.inodesFree</html:code> setting of the <html:code>evictionHard</html:code>
+section.
+</html:p>
+            </xccdf-1.2:description>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
             <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>The Kubelet process provides a read-only API in addition to the main Kubelet API.
-Unauthenticated access is provided to this read-only API which could possibly retrieve
-potentially sensitive information about the cluster.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-node"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_read_only_port_secured_worker:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_read_only_port_secured_worker_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_test" severity="medium">
-            <xccdf-1.2:title>KubeletTest</xccdf-1.2:title>
-            <xccdf-1.2:description>KubeletTest</xccdf-1.2:description>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-8(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-8(2)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.2.10</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Test KubeletTest</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4.11"/>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.3.1</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>Garbage collection is important to ensure sufficient resource availability
+and avoiding degraded performance and availability. In the worst case, the
+system might crash or just be unusable for a long period of time.
+Based on your system resources and tests, choose an appropriate threshold
+value to activate garbage collection.</xccdf-1.2:rationale>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-export export-name="oval:ssg-var_role:var:1" value-id="xccdf_org.ssgproject.content_value_var_role"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_master:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_master"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_kubelet_evictionhard_memory_available:var:1" value-id="xccdf_org.ssgproject.content_value_var_kubelet_evictionhard_memory_available"/>
               <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_test:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_eviction_thresholds_set_hard_memory_available_master:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_test_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_eviction_thresholds_set_hard_memory_available_master_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_test_cipher" severity="medium">
-            <xccdf-1.2:title>KubeletTest</xccdf-1.2:title>
-            <xccdf-1.2:description>KubeletTest</xccdf-1.2:description>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-8(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-8(2)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.2.10</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Test KubeletTest</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4.11"/>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_memory_available_worker" severity="medium">
+            <xccdf-1.2:title>Ensure Eviction threshold Settings Are Set - evictionHard: memory.available</xccdf-1.2:title>
+            <xccdf-1.2:description>
+              <html:p>Two types of garbage collection are performed on an OpenShift Container Platform node:</html:p>
+              <html:ul>
+                <html:li>Container garbage collection: Removes terminated containers.</html:li>
+                <html:li>Image garbage collection: Removes images not referenced by any running pods.</html:li>
+              </html:ul>
+              <html:p>
+Container garbage collection can be performed using eviction thresholds.
+Image garbage collection relies on disk usage as reported by cAdvisor on the
+node to decide which images to remove from the node.
+</html:p>
+              <html:p>
+The OpenShift administrator can configure how OpenShift Container Platform
+performs garbage collection by creating a kubeletConfig object for each
+Machine Config Pool using any combination of the following:
+</html:p>
+              <html:ul>
+                <html:li>soft eviction for containers</html:li>
+                <html:li>hard eviction for containers</html:li>
+                <html:li>eviction for images</html:li>
+              </html:ul>
+              <html:p>
+To configure, follow the directions in
+<html:a href="https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring">the documentation</html:a>
+</html:p>
+              <html:p>
+This rule pertains to the <html:code>memory.available</html:code> setting of the <html:code>evictionHard</html:code>
+section.
+</html:p>
+            </xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.3.1</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>Garbage collection is important to ensure sufficient resource availability
+and avoiding degraded performance and availability. In the worst case, the
+system might crash or just be unusable for a long period of time.
+Based on your system resources and tests, choose an appropriate threshold
+value to activate garbage collection.</xccdf-1.2:rationale>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-export export-name="oval:ssg-var_role:var:1" value-id="xccdf_org.ssgproject.content_value_var_role"/>
-              <xccdf-1.2:check-export export-name="oval:ssg-var_kubelet_tls_cipher_suites_regex:var:1" value-id="xccdf_org.ssgproject.content_value_var_kubelet_tls_cipher_suites_regex"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_worker:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_worker"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_kubelet_evictionhard_memory_available:var:1" value-id="xccdf_org.ssgproject.content_value_var_kubelet_evictionhard_memory_available"/>
               <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_test_cipher:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_eviction_thresholds_set_hard_memory_available_worker:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_test_cipher_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_eviction_thresholds_set_hard_memory_available_worker_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-        </xccdf-1.2:Group>
-        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_logging">
-          <xccdf-1.2:title>OpenShift - Logging Settings</xccdf-1.2:title>
-          <xccdf-1.2:description>Contains evaluations for the cluster's logging configuration settings.</xccdf-1.2:description>
-          <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_openshift_audit_profile" type="string">
-            <xccdf-1.2:title>Configure the OpenShift Audit Profile</xccdf-1.2:title>
-            <xccdf-1.2:description>Audit log profiles define how to log requests that come to the OpenShift
-API server, the Kubernetes API server, and the OAuth API server.</xccdf-1.2:description>
-            <xccdf-1.2:value>Default</xccdf-1.2:value>
-            <xccdf-1.2:value selector="Default">Default</xccdf-1.2:value>
-            <xccdf-1.2:value selector="WriteRequestBodies">WriteRequestBodies</xccdf-1.2:value>
-            <xccdf-1.2:value selector="AllRequestBodies">AllRequestBodies</xccdf-1.2:value>
-          </xccdf-1.2:Value>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_error_alert_exists" severity="high">
-            <xccdf-1.2:title>Ensure that Audit Log Errors Emit Alerts</xccdf-1.2:title>
-            <xccdf-1.2:description><html:p>
-OpenShift audit works at the API server level, logging all requests coming to the server.
-However, if API server instance is unable to write errors, an alert must be issued
-in order for the organization to take a relevant action. e.g. shutting down that instance.
-</html:p><html:p>
-Kubernetes by default has metrics that enable one to write such alerts:
-</html:p><html:ul><html:li><html:code>apiserver_audit_event_total</html:code></html:li><html:li><html:code>apiserver_audit_error_total</html:code></html:li></html:ul>
-
-Such an example is shipped in OCP 4.9+
-
-<html:pre>
-apiVersion: monitoring.coreos.com/v1
-kind: PrometheusRule
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_nodefs_available" severity="medium">
+            <xccdf-1.2:title>Ensure Eviction threshold Settings Are Set - evictionHard: nodefs.available</xccdf-1.2:title>
+            <xccdf-1.2:description>
+              <html:p>Two types of garbage collection are performed on an OpenShift Container Platform node:</html:p>
+              <html:ul>
+                <html:li>Container garbage collection: Removes terminated containers.</html:li>
+                <html:li>Image garbage collection: Removes images not referenced by any running pods.</html:li>
+              </html:ul>
+              <html:p>
+Container garbage collection can be performed using eviction thresholds.
+Image garbage collection relies on disk usage as reported by cAdvisor on the
+node to decide which images to remove from the node.
+</html:p>
+              <html:p>
+The OpenShift administrator can configure how OpenShift Container Platform
+performs garbage collection by creating a kubeletConfig object for each
+Machine Config Pool using any combination of the following:
+</html:p>
+              <html:ul>
+                <html:li>soft eviction for containers</html:li>
+                <html:li>hard eviction for containers</html:li>
+                <html:li>eviction for images</html:li>
+              </html:ul>
+              <html:p>
+To configure, follow the directions in
+<html:a href="https://docs.openshift.com/container-platform/4.6/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring">the documentation</html:a>
+</html:p>
+              <html:p>
+This rule pertains to the <html:code>nodefs.available</html:code> setting of the <html:code>evictionHard</html:code>
+section.
+</html:p>
+            </xccdf-1.2:description>
+            <xccdf-1.2:warning category="general">This rule's check operates on the cluster configuration dump. This will be a Platform rule, var_role_worker and var_role_master needed to be set if scan is not expected to run on master, and worker nodes.
+Therefore, you need to use a tool that can query the OCP API, retrieve KubeletConfig through <html:code class="ocp-api-endpoint-kubeletconfig">"/api/v1/nodes/NODE_NAME/proxy/configz"</html:code> API endpoint to the local <html:code class="ocp-dump-location-kubeletconfig"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>"/kubeletconfig/role/role"</html:code> file.</xccdf-1.2:warning>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.3.1</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>Garbage collection is important to ensure sufficient resource availability
+and avoiding degraded performance and availability. In the worst case, the
+system might crash or just be unusable for a long period of time.
+Based on your system resources and tests, choose an appropriate threshold
+value to activate garbage collection.</xccdf-1.2:rationale>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84138-7</xccdf-1.2:ident>
+            <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="kubelet_eviction_thresholds_set_hard_nodefs_available">---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: KubeletConfig
 metadata:
-  name: audit-errors
-  namespace: openshift-kube-apiserver
+  annotations:
+    complianceascode.io/node-role: "{{.var_role_worker}}"
 spec:
-  groups:
-  - name: apiserver-audit
-    rules:
-    - alert: AuditLogError
-      annotations:
-        summary: |-
-          An API Server instance was unable to write audit logs. This could be
-          triggered by the node running out of space, or a malicious actor
-          tampering with the audit logs.
-        description: An API Server had an error writing to an audit log.
-      expr: |
-        sum by (apiserver,instance)(rate(apiserver_audit_error_total{apiserver=~".+-apiserver"}[5m])) / sum by (apiserver,instance) (rate(apiserver_audit_event_total{apiserver=~".+-apiserver"}[5m])) &gt; 0
-      for: 1m
-      labels:
-        severity: warning
-</html:pre>
-
-<html:p>
-For more information, consult the
-<html:a href="https://docs.openshift.com/container-platform/latest/logging/cluster-logging-external.html">official Kubernetes documentation</html:a>.
-</html:p></xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">This rule's check operates on the cluster configuration dump.
-Therefore, you need to use a tool that can query the OCP API, retrieve the following:
-<html:ul><html:li><html:code class="ocp-api-endpoint" id="72e9ad360bb6bdf4ad9e43217cd0ec9cb90e7c3b08d4fbe0edf087ad899e05a6">/apis/monitoring.coreos.com/v1/prometheusrules?limit=500</html:code>
-    API endpoint, filter with with the <html:code>jq</html:code> utility using the following filter
-    <html:code class="ocp-api-filter" id="filter-72e9ad360bb6bdf4ad9e43217cd0ec9cb90e7c3b08d4fbe0edf087ad899e05a6">[.items[].spec.groups[].rules[].expr]</html:code>
-    and persist it to the local
-    <html:code class="ocp-dump-location" id="dump-72e9ad360bb6bdf4ad9e43217cd0ec9cb90e7c3b08d4fbe0edf087ad899e05a6"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>/apis/monitoring.coreos.com/v1/prometheusrules?limit=500#72e9ad360bb6bdf4ad9e43217cd0ec9cb90e7c3b08d4fbe0edf087ad899e05a6</html:code>
-    file.
-  </html:li></html:ul></xccdf-1.2:warning>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000109-CTR-000215</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>When there are errors writing audit logs, security events will not be logged
-by that specific API Server instance. Security Incident Response teams use
-these audit logs, amongst other artifacts, to determine the impact of
-security breaches or events. Without these logs, it becomes very difficult
-to assess a situation and do appropriate root cause analysis in such incidents.</xccdf-1.2:rationale>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-90744-4</xccdf-1.2:ident>
-            <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_error_alert_exists">---
-apiVersion: monitoring.coreos.com/v1
-kind: PrometheusRule
+  kubeletConfig:
+    evictionHard:
+      nodefs.available: {{.var_kubelet_evictionhard_nodefs_available}}
+---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: KubeletConfig
 metadata:
-  name: audit-errors
-  namespace: openshift-kube-apiserver
+  annotations:
+    complianceascode.io/node-role: "{{.var_role_worker}}"
 spec:
-  groups:
-  - name: apiserver-audit
-    rules:
-    - alert: AuditLogError
-      annotations:
-        summary: |-
-          An API Server instance was unable to write audit logs. This could be
-          triggered by the node running out of space, or a malicious actor
-          tampering with the audit logs.
-        description: An API Server had an error writing to an audit log.
-      expr: |
-        sum by (apiserver,instance)(rate(apiserver_audit_error_total{apiserver=~".+-apiserver"}[5m])) / sum by (apiserver,instance) (rate(apiserver_audit_event_total{apiserver=~".+-apiserver"}[5m])) &gt; 0
-      for: 1m
-      labels:
-        severity: warning
+  kubeletConfig:
+    evictionPressureTransitionPeriod: 0s
+---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: KubeletConfig
+metadata:
+  annotations:
+    complianceascode.io/node-role: "{{.var_role_master}}"
+spec:
+  kubeletConfig:
+    evictionHard:
+      nodefs.available: {{.var_kubelet_evictionhard_nodefs_available}}
+---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: KubeletConfig
+metadata:
+  annotations:
+    complianceascode.io/node-role: "{{.var_role_master}}"
+spec:
+  kubeletConfig:
+    evictionPressureTransitionPeriod: 0s
 </xccdf-1.2:fix>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_worker:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_worker"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_master:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_master"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_kubelet_evictionhard_nodefs_available:var:1" value-id="xccdf_org.ssgproject.content_value_var_kubelet_evictionhard_nodefs_available"/>
               <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-audit_error_alert_exists:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_eviction_thresholds_set_hard_nodefs_available:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-audit_error_alert_exists_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_eviction_thresholds_set_hard_nodefs_available_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_log_forwarding_uses_tls" severity="medium">
-            <xccdf-1.2:title>Ensure that Audit Log Forwarding Uses TLS</xccdf-1.2:title>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_nodefs_available_deprecated" severity="medium">
+            <xccdf-1.2:title>Ensure Eviction threshold Settings Are Set - evictionHard: nodefs.available</xccdf-1.2:title>
             <xccdf-1.2:description>
+              <html:p>Two types of garbage collection are performed on an OpenShift Container Platform node:</html:p>
+              <html:ul>
+                <html:li>Container garbage collection: Removes terminated containers.</html:li>
+                <html:li>Image garbage collection: Removes images not referenced by any running pods.</html:li>
+              </html:ul>
               <html:p>
-OpenShift audit works at the API server level, logging all requests coming to the server.
-Audit is on by default and the best practice is to ship audit logs off the cluster for retention
-using a secure protocol.
+Container garbage collection can be performed using eviction thresholds.
+Image garbage collection relies on disk usage as reported by cAdvisor on the
+node to decide which images to remove from the node.
 </html:p>
               <html:p>
-The cluster-logging-operator is able to do this with the <html:pre>ClusterLogForwarders</html:pre> resource.
-The forementioned resource can be configured to logs to different third party systems.
-For more information on this, please reference the official documentation:
-
-      <html:a href="https://docs.openshift.com/container-platform/latest/logging/cluster-logging-external.html">https://docs.openshift.com/container-platform/latest/logging/cluster-logging-external.html</html:a>
+The OpenShift administrator can configure how OpenShift Container Platform
+performs garbage collection by creating a kubeletConfig object for each
+Machine Config Pool using any combination of the following:
+</html:p>
+              <html:ul>
+                <html:li>soft eviction for containers</html:li>
+                <html:li>hard eviction for containers</html:li>
+                <html:li>eviction for images</html:li>
+              </html:ul>
+              <html:p>
+To configure, follow the directions in
+<html:a href="https://docs.openshift.com/container-platform/4.6/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring">the documentation</html:a>
+</html:p>
+              <html:p>
+This rule pertains to the <html:code>nodefs.available</html:code> setting of the <html:code>evictionHard</html:code>
+section.
 </html:p>
             </xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">This rule's check operates on the cluster configuration dump.
-Therefore, you need to use a tool that can query the OCP API, retrieve the .
-This rule's check operates on the cluster configuration dump.
-Therefore, you need to use a tool that can query the OCP API, retrieve the following:
-<html:ul><html:li><html:code class="ocp-api-endpoint" id="71786452ba18c51ba8ad51472a078619e2e8b52a86cd75087af5aab42400f6c0">/apis/logging.openshift.io/v1/namespaces/openshift-logging/clusterlogforwarders/instance</html:code>
-    API endpoint, filter with with the <html:code>jq</html:code> utility using the following filter
-    <html:code class="ocp-api-filter" id="filter-71786452ba18c51ba8ad51472a078619e2e8b52a86cd75087af5aab42400f6c0">try [.spec.outputs[].url] catch []</html:code>
-    and persist it to the local
-    <html:code class="ocp-dump-location" id="dump-71786452ba18c51ba8ad51472a078619e2e8b52a86cd75087af5aab42400f6c0"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>/apis/logging.openshift.io/v1/namespaces/openshift-logging/clusterlogforwarders/instance#71786452ba18c51ba8ad51472a078619e2e8b52a86cd75087af5aab42400f6c0</html:code>
-    file.
-  </html:li></html:ul></xccdf-1.2:warning>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9(2)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9(3)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-10</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000118-CTR-000240</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000119-CTR-000245</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000120-CTR-000250</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000121-CTR-000255</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000122-CTR-000260</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000123-CTR-000265</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000126-CTR-000275</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000290-CTR-000670</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>It is necessary to ensure that any configured output uses the TLS protocol to receive
-logs in order to ensure the confidentiality, integrity and authenticity of the logs.</xccdf-1.2:rationale>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-90688-3</xccdf-1.2:ident>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.3.1</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>Garbage collection is important to ensure sufficient resource availability
+and avoiding degraded performance and availability. In the worst case, the
+system might crash or just be unusable for a long period of time.
+Based on your system resources and tests, choose an appropriate threshold
+value to activate garbage collection.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-node"/>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-audit_log_forwarding_uses_tls:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_eviction_thresholds_set_hard_nodefs_available_deprecated:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-audit_log_forwarding_uses_tls_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_eviction_thresholds_set_hard_nodefs_available_deprecated_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_profile_set" severity="medium">
-            <xccdf-1.2:title>Ensure that the cluster's audit profile is properly set</xccdf-1.2:title>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_nodefs_available_master" severity="medium">
+            <xccdf-1.2:title>Ensure Eviction threshold Settings Are Set - evictionHard: nodefs.available</xccdf-1.2:title>
             <xccdf-1.2:description>
+              <html:p>Two types of garbage collection are performed on an OpenShift Container Platform node:</html:p>
+              <html:ul>
+                <html:li>Container garbage collection: Removes terminated containers.</html:li>
+                <html:li>Image garbage collection: Removes images not referenced by any running pods.</html:li>
+              </html:ul>
               <html:p>
-OpenShift can audit the details of requests made to the API server through
-the standard Kubernetes audit capabilities. 
+Container garbage collection can be performed using eviction thresholds.
+Image garbage collection relies on disk usage as reported by cAdvisor on the
+node to decide which images to remove from the node.
 </html:p>
               <html:p>
-In OpenShift, auditing of the API Server is on by default. Audit provides a
-security-relevant chronological set of records documenting the sequence of
-activities that have affected system by individual users, administrators, or
-other components of the system. Audit works at the API server level, logging
-all requests coming to the server. Each audit log contains two entries:
+The OpenShift administrator can configure how OpenShift Container Platform
+performs garbage collection by creating a kubeletConfig object for each
+Machine Config Pool using any combination of the following:
+</html:p>
+              <html:ul>
+                <html:li>soft eviction for containers</html:li>
+                <html:li>hard eviction for containers</html:li>
+                <html:li>eviction for images</html:li>
+              </html:ul>
+              <html:p>
+To configure, follow the directions in
+<html:a href="https://docs.openshift.com/container-platform/4.6/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring">the documentation</html:a>
 </html:p>
               <html:p>
-The request line containing:
+This rule pertains to the <html:code>nodefs.available</html:code> setting of the <html:code>evictionHard</html:code>
+section.
 </html:p>
+            </xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.3.1</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>Garbage collection is important to ensure sufficient resource availability
+and avoiding degraded performance and availability. In the worst case, the
+system might crash or just be unusable for a long period of time.
+Based on your system resources and tests, choose an appropriate threshold
+value to activate garbage collection.</xccdf-1.2:rationale>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_master:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_master"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_kubelet_evictionhard_nodefs_available:var:1" value-id="xccdf_org.ssgproject.content_value_var_kubelet_evictionhard_nodefs_available"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_eviction_thresholds_set_hard_nodefs_available_master:def:1"/>
+            </xccdf-1.2:check>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_eviction_thresholds_set_hard_nodefs_available_master_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_nodefs_available_worker" severity="medium">
+            <xccdf-1.2:title>Ensure Eviction threshold Settings Are Set - evictionHard: nodefs.available</xccdf-1.2:title>
+            <xccdf-1.2:description>
+              <html:p>Two types of garbage collection are performed on an OpenShift Container Platform node:</html:p>
               <html:ul>
-                <html:li>A Unique ID allowing to match the response line (see #2)</html:li>
-                <html:li>The source IP of the request</html:li>
-                <html:li>The HTTP method being invoked</html:li>
-                <html:li>The original user invoking the operation</html:li>
-                <html:li>The impersonated user for the operation (self meaning himself)</html:li>
-                <html:li>The impersonated group for the operation (lookup meaning user's group)</html:li>
-                <html:li>The namespace of the request or none</html:li>
-                <html:li>The URI as requested</html:li>
+                <html:li>Container garbage collection: Removes terminated containers.</html:li>
+                <html:li>Image garbage collection: Removes images not referenced by any running pods.</html:li>
               </html:ul>
               <html:p>
-The response line containing:
+Container garbage collection can be performed using eviction thresholds.
+Image garbage collection relies on disk usage as reported by cAdvisor on the
+node to decide which images to remove from the node.
+</html:p>
+              <html:p>
+The OpenShift administrator can configure how OpenShift Container Platform
+performs garbage collection by creating a kubeletConfig object for each
+Machine Config Pool using any combination of the following:
 </html:p>
               <html:ul>
-                <html:li>The aforementioned unique ID</html:li>
-                <html:li>The response code</html:li>
+                <html:li>soft eviction for containers</html:li>
+                <html:li>hard eviction for containers</html:li>
+                <html:li>eviction for images</html:li>
               </html:ul>
               <html:p>
-For more information on how to configure the audit profile, please visit 
-<html:a href="https://docs.openshift.com/container-platform/4.6/security/audit-log-policy-config.html">the documentation</html:a>
+To configure, follow the directions in
+<html:a href="https://docs.openshift.com/container-platform/4.6/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring">the documentation</html:a>
+</html:p>
+              <html:p>
+This rule pertains to the <html:code>nodefs.available</html:code> setting of the <html:code>evictionHard</html:code>
+section.
 </html:p>
             </xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">This rule's check operates on the cluster configuration dump.
-Therefore, you need to use a tool that can query the OCP API, retrieve the <html:code class="ocp-api-endpoint">/apis/config.openshift.io/v1/apiservers/cluster</html:code> API endpoint to the local <html:code class="ocp-dump-location"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>/apis/config.openshift.io/v1/apiservers/cluster</html:code> file.</xccdf-1.2:warning>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R4.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R4.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.2</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R.1.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-3(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-7(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-5(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-11</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-12</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-4(20)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-4(23)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-12.5.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000089-CTR-000150</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000090-CTR-000155</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000091-CTR-000160</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000095-CTR-000170</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000096-CTR-000175</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000097-CTR-000180</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000098-CTR-000185</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000099-CTR-000190</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000100-CTR-000195</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000100-CTR-000200</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000101-CTR-000205</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000116-CTR-000235</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000118-CTR-000240</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000119-CTR-000245</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000120-CTR-000250</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000121-CTR-000255</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000122-CTR-000260</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000123-CTR-000265</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000181-CTR-000485</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000266-CTR-000625</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000374-CTR-000865</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000375-CTR-000870</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000380-CTR-000900</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000381-CTR-000905</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000492-CTR-001220</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000493-CTR-001225</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000494-CTR-001230</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000495-CTR-001235</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000496-CTR-001240</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000497-CTR-001245</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000498-CTR-001250</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000499-CTR-001255</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000500-CTR-001260</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000501-CTR-001265</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000502-CTR-001270</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000503-CTR-001275</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000504-CTR-001280</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000505-CTR-001285</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000506-CTR-001290</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000507-CTR-001295</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000508-CTR-001300</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000509-CTR-001305</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000510-CTR-001310</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">3.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">3.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Logging is an important detective control for all systems, to detect potential
-unauthorised access.</xccdf-1.2:rationale>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83577-7</xccdf-1.2:ident>
-            <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_profile_set">---
-apiVersion: config.openshift.io/v1
-kind: APIServer
-metadata:
-  name: cluster
-spec:
-  audit:
-    profile: {{.var_openshift_audit_profile}}
-</xccdf-1.2:fix>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.3.1</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>Garbage collection is important to ensure sufficient resource availability
+and avoiding degraded performance and availability. In the worst case, the
+system might crash or just be unusable for a long period of time.
+Based on your system resources and tests, choose an appropriate threshold
+value to activate garbage collection.</xccdf-1.2:rationale>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-export export-name="oval:ssg-var_openshift_audit_profile:var:1" value-id="xccdf_org.ssgproject.content_value_var_openshift_audit_profile"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_worker:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_worker"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_kubelet_evictionhard_nodefs_available:var:1" value-id="xccdf_org.ssgproject.content_value_var_kubelet_evictionhard_nodefs_available"/>
               <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-audit_profile_set:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_eviction_thresholds_set_hard_nodefs_available_worker:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-audit_profile_set_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_eviction_thresholds_set_hard_nodefs_available_worker_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_cluster_logging_operator_exist" severity="medium">
-            <xccdf-1.2:title>Ensure that OpenShift Logging Operator is scanning the cluster</xccdf-1.2:title>
-            <xccdf-1.2:description>OpenShift Logging Operator provides ability to aggregate all the logs from the
-OpenShift Container Platform cluster, such as node system audit logs, application
-container logs, and infrastructure logs. OpenShift Logging aggregates these logs
-from throughout OpenShift cluster and stores them in a default log store. [1]
-
-[1]https://docs.openshift.com/container-platform/4.10/logging/cluster-logging.html</xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">This rule's check operates on the cluster configuration dump.
-Therefore, you need to use a tool that can query the OCP API, retrieve the <html:code class="ocp-api-endpoint">/apis/logging.openshift.io/v1/namespaces/openshift-logging/clusterloggings/instance</html:code> API endpoint to the local <html:code class="ocp-dump-location"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>/apis/logging.openshift.io/v1/namespaces/openshift-logging/clusterloggings/instance</html:code> file.</xccdf-1.2:warning>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-3(2)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000092-CTR-000165</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000111-CTR-000220</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>OpenShift Logging Operator is able to collect, aggregate, and manage logs.</xccdf-1.2:rationale>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-85918-1</xccdf-1.2:ident>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_nodefs_inodesfree" severity="medium">
+            <xccdf-1.2:title>Ensure Eviction threshold Settings Are Set - evictionHard: nodefs.inodesFree</xccdf-1.2:title>
+            <xccdf-1.2:description>
+              <html:p>Two types of garbage collection are performed on an OpenShift Container Platform node:</html:p>
+              <html:ul>
+                <html:li>Container garbage collection: Removes terminated containers.</html:li>
+                <html:li>Image garbage collection: Removes images not referenced by any running pods.</html:li>
+              </html:ul>
+              <html:p>
+Container garbage collection can be performed using eviction thresholds.
+Image garbage collection relies on disk usage as reported by cAdvisor on the
+node to decide which images to remove from the node.
+</html:p>
+              <html:p>
+The OpenShift administrator can configure how OpenShift Container Platform
+performs garbage collection by creating a kubeletConfig object for each
+Machine Config Pool using any combination of the following:
+</html:p>
+              <html:ul>
+                <html:li>soft eviction for containers</html:li>
+                <html:li>hard eviction for containers</html:li>
+                <html:li>eviction for images</html:li>
+              </html:ul>
+              <html:p>
+To configure, follow the directions in
+<html:a href="https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring">the documentation</html:a>
+</html:p>
+              <html:p>
+This rule pertains to the <html:code>nodefs.inodesFree</html:code> setting of the <html:code>evictionHard</html:code>
+section.
+</html:p>
+            </xccdf-1.2:description>
+            <xccdf-1.2:warning category="general">This rule's check operates on the cluster configuration dump. This will be a Platform rule, var_role_worker and var_role_master needed to be set if scan is not expected to run on master, and worker nodes.
+Therefore, you need to use a tool that can query the OCP API, retrieve KubeletConfig through <html:code class="ocp-api-endpoint-kubeletconfig">"/api/v1/nodes/NODE_NAME/proxy/configz"</html:code> API endpoint to the local <html:code class="ocp-dump-location-kubeletconfig"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>"/kubeletconfig/role/role"</html:code> file.</xccdf-1.2:warning>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.3.1</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>Garbage collection is important to ensure sufficient resource availability
+and avoiding degraded performance and availability. In the worst case, the
+system might crash or just be unusable for a long period of time.
+Based on your system resources and tests, choose an appropriate threshold
+value to activate garbage collection.</xccdf-1.2:rationale>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84141-1</xccdf-1.2:ident>
+            <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="kubelet_eviction_thresholds_set_hard_nodefs_inodesfree">---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: KubeletConfig
+metadata:
+  annotations:
+    complianceascode.io/node-role: "{{.var_role_worker}}"
+spec:
+  kubeletConfig:
+    evictionHard:
+      nodefs.inodesFree: {{.var_kubelet_evictionhard_nodefs_inodesfree}}
+---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: KubeletConfig
+metadata:
+  annotations:
+    complianceascode.io/node-role: "{{.var_role_worker}}"
+spec:
+  kubeletConfig:
+    evictionPressureTransitionPeriod: 0s
+---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: KubeletConfig
+metadata:
+  annotations:
+    complianceascode.io/node-role: "{{.var_role_master}}"
+spec:
+  kubeletConfig:
+    evictionHard:
+      nodefs.inodesFree: {{.var_kubelet_evictionhard_nodefs_inodesfree}}
+---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: KubeletConfig
+metadata:
+  annotations:
+    complianceascode.io/node-role: "{{.var_role_master}}"
+spec:
+  kubeletConfig:
+    evictionPressureTransitionPeriod: 0s
+</xccdf-1.2:fix>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_worker:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_worker"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_master:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_master"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_kubelet_evictionhard_nodefs_inodesfree:var:1" value-id="xccdf_org.ssgproject.content_value_var_kubelet_evictionhard_nodefs_inodesfree"/>
               <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-cluster_logging_operator_exist:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_eviction_thresholds_set_hard_nodefs_inodesfree:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-cluster_logging_operator_exist_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_directory_access_var_log_kube_audit" severity="medium">
-            <xccdf-1.2:title>Record Access Events to Kubernetes Audit Log Directory</xccdf-1.2:title>
-            <xccdf-1.2:description>The audit system should collect access events to read the Kubernetes audit log directory.
-The following audit rule will assure that access to audit log directory are
-collected.
-<html:pre>-a always,exit -F dir=/var/log/kube-apiserver/ -F perm=r -F auid&gt;=1000 -F auid!=unset -F key=access-audit-trail</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>augenrules</html:code>
-program to read audit rules during daemon startup (the default), add the
-rule to a file with suffix <html:code>.rules</html:code> in the directory
-<html:code>/etc/audit/rules.d</html:code>.
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the rule to
-<html:code>/etc/audit/audit.rules</html:code> file.</xccdf-1.2:description>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000343-CTR-000780</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Attempts to read the logs should be recorded, suspicious access to audit log files could be an indicator of malicious activity on a system.
-Auditing these events could serve as evidence of potential system compromise.'</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-master-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83640-3</xccdf-1.2:ident>
-            <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="directory_access_var_log_kube_audit" complexity="low" disruption="medium" reboot="true" strategy="disable">---
-#
-
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ -a%20always%2Cexit%20-F%20dir%3D/var/log/kube-apiserver/%20-F%20perm%3Dr%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess-audit-trail%0A }}
-        mode: 0600
-        path: /etc/audit/rules.d/30-access-var-log-kube-audit.rules
-        overwrite: true
-</xccdf-1.2:fix>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_deprecated" severity="medium">
+            <xccdf-1.2:title>Ensure Eviction threshold Settings Are Set - evictionHard: nodefs.inodesFree</xccdf-1.2:title>
+            <xccdf-1.2:description>
+              <html:p>Two types of garbage collection are performed on an OpenShift Container Platform node:</html:p>
+              <html:ul>
+                <html:li>Container garbage collection: Removes terminated containers.</html:li>
+                <html:li>Image garbage collection: Removes images not referenced by any running pods.</html:li>
+              </html:ul>
+              <html:p>
+Container garbage collection can be performed using eviction thresholds.
+Image garbage collection relies on disk usage as reported by cAdvisor on the
+node to decide which images to remove from the node.
+</html:p>
+              <html:p>
+The OpenShift administrator can configure how OpenShift Container Platform
+performs garbage collection by creating a kubeletConfig object for each
+Machine Config Pool using any combination of the following:
+</html:p>
+              <html:ul>
+                <html:li>soft eviction for containers</html:li>
+                <html:li>hard eviction for containers</html:li>
+                <html:li>eviction for images</html:li>
+              </html:ul>
+              <html:p>
+To configure, follow the directions in
+<html:a href="https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring">the documentation</html:a>
+</html:p>
+              <html:p>
+This rule pertains to the <html:code>nodefs.inodesFree</html:code> setting of the <html:code>evictionHard</html:code>
+section.
+</html:p>
+            </xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.3.1</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>Garbage collection is important to ensure sufficient resource availability
+and avoiding degraded performance and availability. In the worst case, the
+system might crash or just be unusable for a long period of time.
+Based on your system resources and tests, choose an appropriate threshold
+value to activate garbage collection.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-node"/>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-directory_access_var_log_kube_audit:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_deprecated:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-directory_access_var_log_kube_audit_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_deprecated_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_directory_access_var_log_oauth_audit" severity="medium">
-            <xccdf-1.2:title>Record Access Events to OAuth Audit Log Directory</xccdf-1.2:title>
-            <xccdf-1.2:description>The audit system should collect access events to read the OAuth audit log directory.
-The following audit rule will assure that access to audit log directory are
-collected.
-<html:pre>-a always,exit -F dir=/var/log/oauth-apiserver/ -F perm=r -F auid&gt;=1000 -F auid!=unset -F key=access-audit-trail</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>augenrules</html:code>
-program to read audit rules during daemon startup (the default), add the
-rule to a file with suffix <html:code>.rules</html:code> in the directory
-<html:code>/etc/audit/rules.d</html:code>.
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the rule to
-<html:code>/etc/audit/audit.rules</html:code> file.</xccdf-1.2:description>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000343-CTR-000780</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Attempts to read the logs should be recorded, suspicious access to audit log files could be an indicator of malicious activity on a system.
-Auditing these events could serve as evidence of potential system compromise.'</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-master-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-90631-3</xccdf-1.2:ident>
-            <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="directory_access_var_log_oauth_audit" complexity="low" disruption="medium" reboot="true" strategy="disable">---
-#
-
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ -a%20always%2Cexit%20-F%20dir%3D/var/log/oauth-apiserver/%20-F%20perm%3Dr%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess-audit-trail%0A }}
-        mode: 0600
-        path: /etc/audit/rules.d/30-access-var-log-oauth-audit.rules
-        overwrite: true
-</xccdf-1.2:fix>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_master" severity="medium">
+            <xccdf-1.2:title>Ensure Eviction threshold Settings Are Set - evictionHard: nodefs.inodesFree</xccdf-1.2:title>
+            <xccdf-1.2:description>
+              <html:p>Two types of garbage collection are performed on an OpenShift Container Platform node:</html:p>
+              <html:ul>
+                <html:li>Container garbage collection: Removes terminated containers.</html:li>
+                <html:li>Image garbage collection: Removes images not referenced by any running pods.</html:li>
+              </html:ul>
+              <html:p>
+Container garbage collection can be performed using eviction thresholds.
+Image garbage collection relies on disk usage as reported by cAdvisor on the
+node to decide which images to remove from the node.
+</html:p>
+              <html:p>
+The OpenShift administrator can configure how OpenShift Container Platform
+performs garbage collection by creating a kubeletConfig object for each
+Machine Config Pool using any combination of the following:
+</html:p>
+              <html:ul>
+                <html:li>soft eviction for containers</html:li>
+                <html:li>hard eviction for containers</html:li>
+                <html:li>eviction for images</html:li>
+              </html:ul>
+              <html:p>
+To configure, follow the directions in
+<html:a href="https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring">the documentation</html:a>
+</html:p>
+              <html:p>
+This rule pertains to the <html:code>nodefs.inodesFree</html:code> setting of the <html:code>evictionHard</html:code>
+section.
+</html:p>
+            </xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.3.1</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>Garbage collection is important to ensure sufficient resource availability
+and avoiding degraded performance and availability. In the worst case, the
+system might crash or just be unusable for a long period of time.
+Based on your system resources and tests, choose an appropriate threshold
+value to activate garbage collection.</xccdf-1.2:rationale>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-directory_access_var_log_oauth_audit:def:1"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_master:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_master"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_kubelet_evictionhard_nodefs_inodesfree:var:1" value-id="xccdf_org.ssgproject.content_value_var_kubelet_evictionhard_nodefs_inodesfree"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_master:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-directory_access_var_log_oauth_audit_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_master_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_directory_access_var_log_ocp_audit" severity="medium">
-            <xccdf-1.2:title>Record Access Events to OpenShift Audit Log Directory</xccdf-1.2:title>
-            <xccdf-1.2:description>The audit system should collect access events to read the OpenShift audit log directory.
-The following audit rule will assure that access to audit log directory are
-collected.
-<html:pre>-a always,exit -F dir=/var/log/openshift-apiserver/ -F perm=r -F auid&gt;=1000 -F auid!=unset -F key=access-audit-trail</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>augenrules</html:code>
-program to read audit rules during daemon startup (the default), add the
-rule to a file with suffix <html:code>.rules</html:code> in the directory
-<html:code>/etc/audit/rules.d</html:code>.
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the rule to
-<html:code>/etc/audit/audit.rules</html:code> file.</xccdf-1.2:description>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000343-CTR-000780</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Attempts to read the logs should be recorded, suspicious access to audit log files could be an indicator of malicious activity on a system.
-Auditing these events could serve as evidence of potential system compromise.'</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-master-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-90632-1</xccdf-1.2:ident>
-            <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="directory_access_var_log_ocp_audit" complexity="low" disruption="medium" reboot="true" strategy="disable">---
-#
-
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ -a%20always%2Cexit%20-F%20dir%3D/var/log/openshift-apiserver/%20-F%20perm%3Dr%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess-audit-trail%0A }}
-        mode: 0600
-        path: /etc/audit/rules.d/30-access-var-log-ocp-audit.rules
-        overwrite: true
-</xccdf-1.2:fix>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_worker" severity="medium">
+            <xccdf-1.2:title>Ensure Eviction threshold Settings Are Set - evictionHard: nodefs.inodesFree</xccdf-1.2:title>
+            <xccdf-1.2:description>
+              <html:p>Two types of garbage collection are performed on an OpenShift Container Platform node:</html:p>
+              <html:ul>
+                <html:li>Container garbage collection: Removes terminated containers.</html:li>
+                <html:li>Image garbage collection: Removes images not referenced by any running pods.</html:li>
+              </html:ul>
+              <html:p>
+Container garbage collection can be performed using eviction thresholds.
+Image garbage collection relies on disk usage as reported by cAdvisor on the
+node to decide which images to remove from the node.
+</html:p>
+              <html:p>
+The OpenShift administrator can configure how OpenShift Container Platform
+performs garbage collection by creating a kubeletConfig object for each
+Machine Config Pool using any combination of the following:
+</html:p>
+              <html:ul>
+                <html:li>soft eviction for containers</html:li>
+                <html:li>hard eviction for containers</html:li>
+                <html:li>eviction for images</html:li>
+              </html:ul>
+              <html:p>
+To configure, follow the directions in
+<html:a href="https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring">the documentation</html:a>
+</html:p>
+              <html:p>
+This rule pertains to the <html:code>nodefs.inodesFree</html:code> setting of the <html:code>evictionHard</html:code>
+section.
+</html:p>
+            </xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.3.1</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>Garbage collection is important to ensure sufficient resource availability
+and avoiding degraded performance and availability. In the worst case, the
+system might crash or just be unusable for a long period of time.
+Based on your system resources and tests, choose an appropriate threshold
+value to activate garbage collection.</xccdf-1.2:rationale>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-directory_access_var_log_ocp_audit:def:1"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_worker:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_worker"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_kubelet_evictionhard_nodefs_inodesfree:var:1" value-id="xccdf_org.ssgproject.content_value_var_kubelet_evictionhard_nodefs_inodesfree"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_worker:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-directory_access_var_log_ocp_audit_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_worker_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_directory_permissions_var_log_kube_audit" severity="medium">
-            <xccdf-1.2:title>The Kubernetes Audit Logs Directory Must Have Mode 0700</xccdf-1.2:title>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_imagefs_available" severity="medium">
+            <xccdf-1.2:title>Ensure Eviction threshold Settings Are Set - evictionSoft: imagefs.available</xccdf-1.2:title>
             <xccdf-1.2:description>
-To properly set the permissions of <html:code>/var/log/kube-apiserver/</html:code>, run the command:
-<html:pre>$ sudo chmod 0700 /var/log/kube-apiserver/</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.5.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000118-CTR-000240</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000119-CTR-000245</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000120-CTR-000250</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000121-CTR-000255</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000122-CTR-000260</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000123-CTR-000265</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>If users can write to audit logs, audit trails can be modified or destroyed.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-master-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83645-2</xccdf-1.2:ident>
+              <html:p>Two types of garbage collection are performed on an OpenShift Container Platform node:</html:p>
+              <html:ul>
+                <html:li>Container garbage collection: Removes terminated containers.</html:li>
+                <html:li>Image garbage collection: Removes images not referenced by any running pods.</html:li>
+              </html:ul>
+              <html:p>
+Container garbage collection can be performed using eviction thresholds.
+Image garbage collection relies on disk usage as reported by cAdvisor on the
+node to decide which images to remove from the node.
+</html:p>
+              <html:p>
+The OpenShift administrator can configure how OpenShift Container Platform
+performs garbage collection by creating a kubeletConfig object for each
+Machine Config Pool using any combination of the following:
+</html:p>
+              <html:ul>
+                <html:li>soft eviction for containers</html:li>
+                <html:li>hard eviction for containers</html:li>
+                <html:li>eviction for images</html:li>
+              </html:ul>
+              <html:p>
+To configure, follow the directions in
+<html:a href="https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring">the documentation</html:a>
+</html:p>
+              <html:p>
+This rule pertains to the <html:code>imagefs.available</html:code> setting of the <html:code>evictionSoft</html:code>
+section.
+</html:p>
+            </xccdf-1.2:description>
+            <xccdf-1.2:warning category="general">This rule's check operates on the cluster configuration dump. This will be a Platform rule, var_role_worker and var_role_master needed to be set if scan is not expected to run on master, and worker nodes.
+Therefore, you need to use a tool that can query the OCP API, retrieve KubeletConfig through <html:code class="ocp-api-endpoint-kubeletconfig">"/api/v1/nodes/NODE_NAME/proxy/configz"</html:code> API endpoint to the local <html:code class="ocp-dump-location-kubeletconfig"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>"/kubeletconfig/role/role"</html:code> file.</xccdf-1.2:warning>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.3.1</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>Garbage collection is important to ensure sufficient resource availability
+and avoiding degraded performance and availability. In the worst case, the
+system might crash or just be unusable for a long period of time.
+Based on your system resources and tests, choose an appropriate threshold
+value to activate garbage collection.</xccdf-1.2:rationale>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84127-0</xccdf-1.2:ident>
+            <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="kubelet_eviction_thresholds_set_soft_imagefs_available">---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: KubeletConfig
+metadata:
+  annotations:
+    complianceascode.io/node-role: "{{.var_role_worker}}"
+spec:
+  kubeletConfig:
+    evictionSoft:
+      imagefs.available: {{.var_kubelet_evictionsoft_imagefs_available}}
+---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: KubeletConfig
+metadata:
+  annotations:
+    complianceascode.io/node-role: "{{.var_role_worker}}"
+spec:
+  kubeletConfig:
+    evictionSoftGracePeriod:
+      imagefs.available: "1m30s"
+---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: KubeletConfig
+metadata:
+  annotations:
+    complianceascode.io/node-role: "{{.var_role_worker}}"
+spec:
+  kubeletConfig:
+    evictionPressureTransitionPeriod: 0s
+---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: KubeletConfig
+metadata:
+  annotations:
+    complianceascode.io/node-role: "{{.var_role_master}}"
+spec:
+  kubeletConfig:
+    evictionSoft:
+      imagefs.available: {{.var_kubelet_evictionsoft_imagefs_available}}
+---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: KubeletConfig
+metadata:
+  annotations:
+    complianceascode.io/node-role: "{{.var_role_master}}"
+spec:
+  kubeletConfig:
+    evictionSoftGracePeriod:
+      imagefs.available: "1m30s"
+---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: KubeletConfig
+metadata:
+  annotations:
+    complianceascode.io/node-role: "{{.var_role_master}}"
+spec:
+  kubeletConfig:
+    evictionPressureTransitionPeriod: 0s
+</xccdf-1.2:fix>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-directory_permissions_var_log_kube_audit:def:1"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_worker:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_worker"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_master:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_master"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_kubelet_evictionsoft_imagefs_available:var:1" value-id="xccdf_org.ssgproject.content_value_var_kubelet_evictionsoft_imagefs_available"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_eviction_thresholds_set_soft_imagefs_available:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-directory_permissions_var_log_kube_audit_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_eviction_thresholds_set_soft_imagefs_available_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_directory_permissions_var_log_oauth_audit" severity="medium">
-            <xccdf-1.2:title>The OAuth Audit Logs Directory Must Have Mode 0700</xccdf-1.2:title>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_imagefs_available_deprecated" severity="medium">
+            <xccdf-1.2:title>Ensure Eviction threshold Settings Are Set - evictionSoft: imagefs.available</xccdf-1.2:title>
             <xccdf-1.2:description>
-To properly set the permissions of <html:code>/var/log/oauth-apiserver/</html:code>, run the command:
-<html:pre>$ sudo chmod 0700 /var/log/oauth-apiserver/</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.5.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000118-CTR-000240</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000119-CTR-000245</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000120-CTR-000250</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000121-CTR-000255</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000122-CTR-000260</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000123-CTR-000265</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>If users can write to audit logs, audit trails can be modified or destroyed.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-master-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-90633-9</xccdf-1.2:ident>
+              <html:p>Two types of garbage collection are performed on an OpenShift Container Platform node:</html:p>
+              <html:ul>
+                <html:li>Container garbage collection: Removes terminated containers.</html:li>
+                <html:li>Image garbage collection: Removes images not referenced by any running pods.</html:li>
+              </html:ul>
+              <html:p>
+Container garbage collection can be performed using eviction thresholds.
+Image garbage collection relies on disk usage as reported by cAdvisor on the
+node to decide which images to remove from the node.
+</html:p>
+              <html:p>
+The OpenShift administrator can configure how OpenShift Container Platform
+performs garbage collection by creating a kubeletConfig object for each
+Machine Config Pool using any combination of the following:
+</html:p>
+              <html:ul>
+                <html:li>soft eviction for containers</html:li>
+                <html:li>hard eviction for containers</html:li>
+                <html:li>eviction for images</html:li>
+              </html:ul>
+              <html:p>
+To configure, follow the directions in
+<html:a href="https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring">the documentation</html:a>
+</html:p>
+              <html:p>
+This rule pertains to the <html:code>imagefs.available</html:code> setting of the <html:code>evictionSoft</html:code>
+section.
+</html:p>
+            </xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.3.1</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>Garbage collection is important to ensure sufficient resource availability
+and avoiding degraded performance and availability. In the worst case, the
+system might crash or just be unusable for a long period of time.
+Based on your system resources and tests, choose an appropriate threshold
+value to activate garbage collection.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-node"/>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-directory_permissions_var_log_oauth_audit:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_eviction_thresholds_set_soft_imagefs_available_deprecated:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-directory_permissions_var_log_oauth_audit_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_eviction_thresholds_set_soft_imagefs_available_deprecated_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_directory_permissions_var_log_ocp_audit" severity="medium">
-            <xccdf-1.2:title>The OpenShift Audit Logs Directory Must Have Mode 0700</xccdf-1.2:title>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_imagefs_available_master" severity="medium">
+            <xccdf-1.2:title>Ensure Eviction threshold Settings Are Set - evictionSoft: imagefs.available</xccdf-1.2:title>
             <xccdf-1.2:description>
-To properly set the permissions of <html:code>/var/log/openshift-apiserver/</html:code>, run the command:
-<html:pre>$ sudo chmod 0700 /var/log/openshift-apiserver/</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.5.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000118-CTR-000240</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000119-CTR-000245</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000120-CTR-000250</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000121-CTR-000255</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000122-CTR-000260</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000123-CTR-000265</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>If users can write to audit logs, audit trails can be modified or destroyed.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-master-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-90634-7</xccdf-1.2:ident>
+              <html:p>Two types of garbage collection are performed on an OpenShift Container Platform node:</html:p>
+              <html:ul>
+                <html:li>Container garbage collection: Removes terminated containers.</html:li>
+                <html:li>Image garbage collection: Removes images not referenced by any running pods.</html:li>
+              </html:ul>
+              <html:p>
+Container garbage collection can be performed using eviction thresholds.
+Image garbage collection relies on disk usage as reported by cAdvisor on the
+node to decide which images to remove from the node.
+</html:p>
+              <html:p>
+The OpenShift administrator can configure how OpenShift Container Platform
+performs garbage collection by creating a kubeletConfig object for each
+Machine Config Pool using any combination of the following:
+</html:p>
+              <html:ul>
+                <html:li>soft eviction for containers</html:li>
+                <html:li>hard eviction for containers</html:li>
+                <html:li>eviction for images</html:li>
+              </html:ul>
+              <html:p>
+To configure, follow the directions in
+<html:a href="https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring">the documentation</html:a>
+</html:p>
+              <html:p>
+This rule pertains to the <html:code>imagefs.available</html:code> setting of the <html:code>evictionSoft</html:code>
+section.
+</html:p>
+            </xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.3.1</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>Garbage collection is important to ensure sufficient resource availability
+and avoiding degraded performance and availability. In the worst case, the
+system might crash or just be unusable for a long period of time.
+Based on your system resources and tests, choose an appropriate threshold
+value to activate garbage collection.</xccdf-1.2:rationale>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-directory_permissions_var_log_ocp_audit:def:1"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_master:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_master"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_kubelet_evictionsoft_imagefs_available:var:1" value-id="xccdf_org.ssgproject.content_value_var_kubelet_evictionsoft_imagefs_available"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_eviction_thresholds_set_soft_imagefs_available_master:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-directory_permissions_var_log_ocp_audit_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_eviction_thresholds_set_soft_imagefs_available_master_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_ownership_var_log_kube_audit" severity="medium">
-            <xccdf-1.2:title>Kubernetes Audit Logs Must Be Owned By Root</xccdf-1.2:title>
-            <xccdf-1.2:description>All audit logs must be owned by root user and group. By default, the path for the Kubernetes audit log is <html:pre>/var/log/kube-apiserver/</html:pre>.
-
-To properly set the owner of <html:code>/var/log/kube-apiserver</html:code>, run the command:
-<html:pre>$ sudo chown root /var/log/kube-apiserver </html:pre>
-
-To properly set the owner of <html:code>/var/log/kube-apiserver/*</html:code>, run the command:
-<html:pre>$ sudo chown root /var/log/kube-apiserver/* </html:pre></xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000162</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000163</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000164</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001314</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9(4)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.5.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000057-GPOS-00027</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000058-GPOS-00028</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000059-GPOS-00029</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000206-GPOS-00084</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Unauthorized disclosure of audit records can reveal system and configuration data to
-attackers, thus compromising its confidentiality.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-master-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83650-2</xccdf-1.2:ident>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_ownership_var_log_kube_audit:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_ownership_var_log_kube_audit_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_ownership_var_log_oauth_audit" severity="medium">
-            <xccdf-1.2:title>OAuth Audit Logs Must Be Owned By Root</xccdf-1.2:title>
-            <xccdf-1.2:description>All audit logs must be owned by root user and group. By default, the path for the OAuth audit log is <html:pre>/var/log/oauth-apiserver/</html:pre>.
-
-To properly set the owner of <html:code>/var/log/oauth-apiserver</html:code>, run the command:
-<html:pre>$ sudo chown root /var/log/oauth-apiserver </html:pre>
-
-To properly set the owner of <html:code>/var/log/oauth-apiserver/*</html:code>, run the command:
-<html:pre>$ sudo chown root /var/log/oauth-apiserver/* </html:pre></xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000162</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000163</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000164</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001314</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9(4)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.5.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000057-GPOS-00027</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000058-GPOS-00028</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000059-GPOS-00029</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000206-GPOS-00084</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Unauthorized disclosure of audit records can reveal system and configuration data to
-attackers, thus compromising its confidentiality.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-master-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-90635-4</xccdf-1.2:ident>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_imagefs_available_worker" severity="medium">
+            <xccdf-1.2:title>Ensure Eviction threshold Settings Are Set - evictionSoft: imagefs.available</xccdf-1.2:title>
+            <xccdf-1.2:description>
+              <html:p>Two types of garbage collection are performed on an OpenShift Container Platform node:</html:p>
+              <html:ul>
+                <html:li>Container garbage collection: Removes terminated containers.</html:li>
+                <html:li>Image garbage collection: Removes images not referenced by any running pods.</html:li>
+              </html:ul>
+              <html:p>
+Container garbage collection can be performed using eviction thresholds.
+Image garbage collection relies on disk usage as reported by cAdvisor on the
+node to decide which images to remove from the node.
+</html:p>
+              <html:p>
+The OpenShift administrator can configure how OpenShift Container Platform
+performs garbage collection by creating a kubeletConfig object for each
+Machine Config Pool using any combination of the following:
+</html:p>
+              <html:ul>
+                <html:li>soft eviction for containers</html:li>
+                <html:li>hard eviction for containers</html:li>
+                <html:li>eviction for images</html:li>
+              </html:ul>
+              <html:p>
+To configure, follow the directions in
+<html:a href="https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring">the documentation</html:a>
+</html:p>
+              <html:p>
+This rule pertains to the <html:code>imagefs.available</html:code> setting of the <html:code>evictionSoft</html:code>
+section.
+</html:p>
+            </xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.3.1</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>Garbage collection is important to ensure sufficient resource availability
+and avoiding degraded performance and availability. In the worst case, the
+system might crash or just be unusable for a long period of time.
+Based on your system resources and tests, choose an appropriate threshold
+value to activate garbage collection.</xccdf-1.2:rationale>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_ownership_var_log_oauth_audit:def:1"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_worker:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_worker"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_kubelet_evictionsoft_imagefs_available:var:1" value-id="xccdf_org.ssgproject.content_value_var_kubelet_evictionsoft_imagefs_available"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_eviction_thresholds_set_soft_imagefs_available_worker:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_ownership_var_log_oauth_audit_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_eviction_thresholds_set_soft_imagefs_available_worker_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_ownership_var_log_ocp_audit" severity="medium">
-            <xccdf-1.2:title>OpenShift Audit Logs Must Be Owned By Root</xccdf-1.2:title>
-            <xccdf-1.2:description>All audit logs must be owned by root user and group. By default, the path for the OpenShift audit log is <html:pre>/var/log/openshift-apiserver/</html:pre>.
-
-To properly set the owner of <html:code>/var/log/openshift-apiserver</html:code>, run the command:
-<html:pre>$ sudo chown root /var/log/openshift-apiserver </html:pre>
-
-To properly set the owner of <html:code>/var/log/openshift-apiserver/*</html:code>, run the command:
-<html:pre>$ sudo chown root /var/log/openshift-apiserver/* </html:pre></xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000162</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000163</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000164</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001314</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9(4)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.5.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000057-GPOS-00027</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000058-GPOS-00028</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000059-GPOS-00029</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000206-GPOS-00084</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Unauthorized disclosure of audit records can reveal system and configuration data to
-attackers, thus compromising its confidentiality.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-master-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-90636-2</xccdf-1.2:ident>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_imagefs_inodesfree" severity="medium">
+            <xccdf-1.2:title>Ensure Eviction threshold Settings Are Set - evictionSoft: imagefs.inodesFree</xccdf-1.2:title>
+            <xccdf-1.2:description>
+              <html:p>Two types of garbage collection are performed on an OpenShift Container Platform node:</html:p>
+              <html:ul>
+                <html:li>Container garbage collection: Removes terminated containers.</html:li>
+                <html:li>Image garbage collection: Removes images not referenced by any running pods.</html:li>
+              </html:ul>
+              <html:p>
+Container garbage collection can be performed using eviction thresholds.
+Image garbage collection relies on disk usage as reported by cAdvisor on the
+node to decide which images to remove from the node.
+</html:p>
+              <html:p>
+The OpenShift administrator can configure how OpenShift Container Platform
+performs garbage collection by creating a kubeletConfig object for each
+Machine Config Pool using any combination of the following:
+</html:p>
+              <html:ul>
+                <html:li>soft eviction for containers</html:li>
+                <html:li>hard eviction for containers</html:li>
+                <html:li>eviction for images</html:li>
+              </html:ul>
+              <html:p>
+To configure, follow the directions in
+<html:a href="https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring">the documentation</html:a>
+</html:p>
+              <html:p>
+This rule pertains to the <html:code>imagefs.inodesFree</html:code> setting of the <html:code>evictionSoft</html:code>
+section.
+</html:p>
+            </xccdf-1.2:description>
+            <xccdf-1.2:warning category="general">This rule's check operates on the cluster configuration dump. This will be a Platform rule, var_role_worker and var_role_master needed to be set if scan is not expected to run on master, and worker nodes.
+Therefore, you need to use a tool that can query the OCP API, retrieve KubeletConfig through <html:code class="ocp-api-endpoint-kubeletconfig">"/api/v1/nodes/NODE_NAME/proxy/configz"</html:code> API endpoint to the local <html:code class="ocp-dump-location-kubeletconfig"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>"/kubeletconfig/role/role"</html:code> file.</xccdf-1.2:warning>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.3.1</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>Garbage collection is important to ensure sufficient resource availability
+and avoiding degraded performance and availability. In the worst case, the
+system might crash or just be unusable for a long period of time.
+Based on your system resources and tests, choose an appropriate threshold
+value to activate garbage collection.</xccdf-1.2:rationale>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84132-0</xccdf-1.2:ident>
+            <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="kubelet_eviction_thresholds_set_soft_imagefs_inodesfree">---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: KubeletConfig
+metadata:
+  annotations:
+    complianceascode.io/node-role: "{{.var_role_worker}}"
+spec:
+  kubeletConfig:
+    evictionSoft:
+      imagefs.inodesFree: {{.var_kubelet_evictionsoft_imagefs_inodesfree}}
+---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: KubeletConfig
+metadata:
+  annotations:
+    complianceascode.io/node-role: "{{.var_role_worker}}"
+spec:
+  kubeletConfig:
+    evictionSoftGracePeriod:
+      imagefs.inodesFree: "1m30s"
+---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: KubeletConfig
+metadata:
+  annotations:
+    complianceascode.io/node-role: "{{.var_role_worker}}"
+spec:
+  kubeletConfig:
+    evictionPressureTransitionPeriod: 0s
+---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: KubeletConfig
+metadata:
+  annotations:
+    complianceascode.io/node-role: "{{.var_role_master}}"
+spec:
+  kubeletConfig:
+    evictionSoft:
+      imagefs.inodesFree: {{.var_kubelet_evictionsoft_imagefs_inodesfree}}
+---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: KubeletConfig
+metadata:
+  annotations:
+    complianceascode.io/node-role: "{{.var_role_master}}"
+spec:
+  kubeletConfig:
+    evictionSoftGracePeriod:
+      imagefs.inodesFree: "1m30s"
+---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: KubeletConfig
+metadata:
+  annotations:
+    complianceascode.io/node-role: "{{.var_role_master}}"
+spec:
+  kubeletConfig:
+    evictionPressureTransitionPeriod: 0s
+</xccdf-1.2:fix>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_ownership_var_log_ocp_audit:def:1"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_worker:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_worker"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_master:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_master"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_kubelet_evictionsoft_imagefs_inodesfree:var:1" value-id="xccdf_org.ssgproject.content_value_var_kubelet_evictionsoft_imagefs_inodesfree"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_eviction_thresholds_set_soft_imagefs_inodesfree:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_ownership_var_log_ocp_audit_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_var_log_kube_audit" severity="medium">
-            <xccdf-1.2:title>Kubernetes Audit Logs Must Have Mode 0600</xccdf-1.2:title>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_deprecated" severity="medium">
+            <xccdf-1.2:title>Ensure Eviction threshold Settings Are Set - evictionSoft: imagefs.inodesFree</xccdf-1.2:title>
             <xccdf-1.2:description>
-To properly set the permissions of <html:code>/var/log/kube-apiserver/.*</html:code>, run the command:
-<html:pre>$ sudo chmod 0600 /var/log/kube-apiserver/.*</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9(4)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.5.2</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>If users can write to audit logs, audit trails can be modified or destroyed.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-master-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83654-4</xccdf-1.2:ident>
+              <html:p>Two types of garbage collection are performed on an OpenShift Container Platform node:</html:p>
+              <html:ul>
+                <html:li>Container garbage collection: Removes terminated containers.</html:li>
+                <html:li>Image garbage collection: Removes images not referenced by any running pods.</html:li>
+              </html:ul>
+              <html:p>
+Container garbage collection can be performed using eviction thresholds.
+Image garbage collection relies on disk usage as reported by cAdvisor on the
+node to decide which images to remove from the node.
+</html:p>
+              <html:p>
+The OpenShift administrator can configure how OpenShift Container Platform
+performs garbage collection by creating a kubeletConfig object for each
+Machine Config Pool using any combination of the following:
+</html:p>
+              <html:ul>
+                <html:li>soft eviction for containers</html:li>
+                <html:li>hard eviction for containers</html:li>
+                <html:li>eviction for images</html:li>
+              </html:ul>
+              <html:p>
+To configure, follow the directions in
+<html:a href="https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring">the documentation</html:a>
+</html:p>
+              <html:p>
+This rule pertains to the <html:code>imagefs.inodesFree</html:code> setting of the <html:code>evictionSoft</html:code>
+section.
+</html:p>
+            </xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.3.1</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>Garbage collection is important to ensure sufficient resource availability
+and avoiding degraded performance and availability. In the worst case, the
+system might crash or just be unusable for a long period of time.
+Based on your system resources and tests, choose an appropriate threshold
+value to activate garbage collection.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-node"/>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_permissions_var_log_kube_audit:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_deprecated:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_permissions_var_log_kube_audit_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_deprecated_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_var_log_oauth_audit" severity="medium">
-            <xccdf-1.2:title>OAuth Audit Logs Must Have Mode 0600</xccdf-1.2:title>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_master" severity="medium">
+            <xccdf-1.2:title>Ensure Eviction threshold Settings Are Set - evictionSoft: imagefs.inodesFree</xccdf-1.2:title>
             <xccdf-1.2:description>
-To properly set the permissions of <html:code>/var/log/oauth-apiserver/.*</html:code>, run the command:
-<html:pre>$ sudo chmod 0600 /var/log/oauth-apiserver/.*</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9(4)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.5.2</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>If users can write to audit logs, audit trails can be modified or destroyed.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-master-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-90637-0</xccdf-1.2:ident>
+              <html:p>Two types of garbage collection are performed on an OpenShift Container Platform node:</html:p>
+              <html:ul>
+                <html:li>Container garbage collection: Removes terminated containers.</html:li>
+                <html:li>Image garbage collection: Removes images not referenced by any running pods.</html:li>
+              </html:ul>
+              <html:p>
+Container garbage collection can be performed using eviction thresholds.
+Image garbage collection relies on disk usage as reported by cAdvisor on the
+node to decide which images to remove from the node.
+</html:p>
+              <html:p>
+The OpenShift administrator can configure how OpenShift Container Platform
+performs garbage collection by creating a kubeletConfig object for each
+Machine Config Pool using any combination of the following:
+</html:p>
+              <html:ul>
+                <html:li>soft eviction for containers</html:li>
+                <html:li>hard eviction for containers</html:li>
+                <html:li>eviction for images</html:li>
+              </html:ul>
+              <html:p>
+To configure, follow the directions in
+<html:a href="https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring">the documentation</html:a>
+</html:p>
+              <html:p>
+This rule pertains to the <html:code>imagefs.inodesFree</html:code> setting of the <html:code>evictionSoft</html:code>
+section.
+</html:p>
+            </xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.3.1</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>Garbage collection is important to ensure sufficient resource availability
+and avoiding degraded performance and availability. In the worst case, the
+system might crash or just be unusable for a long period of time.
+Based on your system resources and tests, choose an appropriate threshold
+value to activate garbage collection.</xccdf-1.2:rationale>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_permissions_var_log_oauth_audit:def:1"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_master:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_master"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_kubelet_evictionsoft_imagefs_inodesfree:var:1" value-id="xccdf_org.ssgproject.content_value_var_kubelet_evictionsoft_imagefs_inodesfree"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_master:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_permissions_var_log_oauth_audit_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_master_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_var_log_ocp_audit" severity="medium">
-            <xccdf-1.2:title>OpenShift Audit Logs Must Have Mode 0600</xccdf-1.2:title>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_worker" severity="medium">
+            <xccdf-1.2:title>Ensure Eviction threshold Settings Are Set - evictionSoft: imagefs.inodesFree</xccdf-1.2:title>
             <xccdf-1.2:description>
-To properly set the permissions of <html:code>/var/log/openshift-apiserver/.*</html:code>, run the command:
-<html:pre>$ sudo chmod 0600 /var/log/openshift-apiserver/.*</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9(4)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.5.2</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>If users can write to audit logs, audit trails can be modified or destroyed.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-master-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-90638-8</xccdf-1.2:ident>
+              <html:p>Two types of garbage collection are performed on an OpenShift Container Platform node:</html:p>
+              <html:ul>
+                <html:li>Container garbage collection: Removes terminated containers.</html:li>
+                <html:li>Image garbage collection: Removes images not referenced by any running pods.</html:li>
+              </html:ul>
+              <html:p>
+Container garbage collection can be performed using eviction thresholds.
+Image garbage collection relies on disk usage as reported by cAdvisor on the
+node to decide which images to remove from the node.
+</html:p>
+              <html:p>
+The OpenShift administrator can configure how OpenShift Container Platform
+performs garbage collection by creating a kubeletConfig object for each
+Machine Config Pool using any combination of the following:
+</html:p>
+              <html:ul>
+                <html:li>soft eviction for containers</html:li>
+                <html:li>hard eviction for containers</html:li>
+                <html:li>eviction for images</html:li>
+              </html:ul>
+              <html:p>
+To configure, follow the directions in
+<html:a href="https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring">the documentation</html:a>
+</html:p>
+              <html:p>
+This rule pertains to the <html:code>imagefs.inodesFree</html:code> setting of the <html:code>evictionSoft</html:code>
+section.
+</html:p>
+            </xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.3.1</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>Garbage collection is important to ensure sufficient resource availability
+and avoiding degraded performance and availability. In the worst case, the
+system might crash or just be unusable for a long period of time.
+Based on your system resources and tests, choose an appropriate threshold
+value to activate garbage collection.</xccdf-1.2:rationale>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_permissions_var_log_ocp_audit:def:1"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_worker:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_worker"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_kubelet_evictionsoft_imagefs_inodesfree:var:1" value-id="xccdf_org.ssgproject.content_value_var_kubelet_evictionsoft_imagefs_inodesfree"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_worker:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_permissions_var_log_ocp_audit_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_worker_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_partition_for_var_log_kube_apiserver" severity="medium">
-            <xccdf-1.2:title>Ensure /var/log/kube-apiserver Located On Separate Partition</xccdf-1.2:title>
-            <xccdf-1.2:description>Kubernetes API server audit logs are stored in the
-<html:code>/var/log/kube-apiserver</html:code> directory.
-<html:p>
-Partitioning Red Hat CoreOS is a Day 1 operation and cannot
-be changed afterwards. For documentation on how to add a
-MachineConfig manifest that specifies a separate <html:code>/var/log/kube-apiserver</html:code>
-partition, follow:
-
-    <html:a href="https://docs.openshift.com/container-platform/latest/installing/installing_platform_agnostic/installing-platform-agnostic.html#installation-user-infra-machines-advanced_disk_installing-platform-agnostic">https://docs.openshift.com/container-platform/latest/installing/installing_platform_agnostic/installing-platform-agnostic.html#installation-user-infra-machines-advanced_disk_installing-platform-agnostic</html:a>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_memory_available" severity="medium">
+            <xccdf-1.2:title>Ensure Eviction threshold Settings Are Set - evictionSoft: memory.available</xccdf-1.2:title>
+            <xccdf-1.2:description>
+              <html:p>Two types of garbage collection are performed on an OpenShift Container Platform node:</html:p>
+              <html:ul>
+                <html:li>Container garbage collection: Removes terminated containers.</html:li>
+                <html:li>Image garbage collection: Removes images not referenced by any running pods.</html:li>
+              </html:ul>
+              <html:p>
+Container garbage collection can be performed using eviction thresholds.
+Image garbage collection relies on disk usage as reported by cAdvisor on the
+node to decide which images to remove from the node.
 </html:p>
-<html:p>
-Note that the Red Hat OpenShift documentation often references a block
-device, such as <html:code>/dev/vda</html:code>. The name of the available block devices depends
-on the underlying infrastructure (bare metal vs cloud), and often the specific
-instance type. For example in AWS, some instance types have NVMe drives
-(<html:code>/dev/nvme*</html:code>), others use <html:code>/dev/xvda*</html:code>.
-
-You will need to look for relevant documentation for your infrastructure around this.
-In many cases, the simplest thing is to boot a single machine with an Ignition
-configuration that just gives you SSH access, and inspect the block devices via
-e.g. the <html:code>lsblk</html:code> command.
-
-For physical hardware, a good best practice is to reference devices via the
-<html:code>/dev/disk/by-id/</html:code> or <html:code>/dev/disk/by-path</html:code> links.
-</html:p></xccdf-1.2:description>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.5.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.5.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000357-CTR-000800</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Placing <html:code>/var/log/kube-apiserver</html:code> in its own partition
-enables better separation between Kubernetes API server audit
-files and other log files, and helps ensure that
-auditing cannot be halted due to the partition running out
-of space.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-86456-1</xccdf-1.2:ident>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-partition_for_var_log_kube_apiserver_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_partition_for_var_log_oauth_apiserver" severity="medium">
-            <xccdf-1.2:title>Ensure /var/log/oauth-apiserver Located On Separate Partition</xccdf-1.2:title>
-            <xccdf-1.2:description>OpenShift OAuth server audit logs are stored in the
-<html:code>/var/log/oauth-apiserver</html:code> directory.
-<html:p>
-Partitioning Red Hat CoreOS is a Day 1 operation and cannot
-be changed afterwards. For documentation on how to add a
-MachineConfig manifest that specifies a separate <html:code>/var/log/oauth-apiserver</html:code>
-partition, follow:
-
-    <html:a href="https://docs.openshift.com/container-platform/latest/installing/installing_platform_agnostic/installing-platform-agnostic.html#installation-user-infra-machines-advanced_disk_installing-platform-agnostic">https://docs.openshift.com/container-platform/latest/installing/installing_platform_agnostic/installing-platform-agnostic.html#installation-user-infra-machines-advanced_disk_installing-platform-agnostic</html:a>
+              <html:p>
+The OpenShift administrator can configure how OpenShift Container Platform
+performs garbage collection by creating a kubeletConfig object for each
+Machine Config Pool using any combination of the following:
 </html:p>
-<html:p>
-Note that the Red Hat OpenShift documentation often references a block
-device, such as <html:code>/dev/vda</html:code>. The name of the available block devices depends
-on the underlying infrastructure (bare metal vs cloud), and often the specific
-instance type. For example in AWS, some instance types have NVMe drives
-(<html:code>/dev/nvme*</html:code>), others use <html:code>/dev/xvda*</html:code>.
-
-You will need to look for relevant documentation for your infrastructure around this.
-In many cases, the simplest thing is to boot a single machine with an Ignition
-configuration that just gives you SSH access, and inspect the block devices via
-e.g. the <html:code>lsblk</html:code> command.
-
-For physical hardware, a good best practice is to reference devices via the
-<html:code>/dev/disk/by-id/</html:code> or <html:code>/dev/disk/by-path</html:code> links.
-</html:p></xccdf-1.2:description>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.5.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.5.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000357-CTR-000800</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Placing <html:code>/var/log/oauth-apiserver</html:code> in its own partition
-enables better separation between OpenShift OAuth server audit
-files and other log files, and helps ensure that
-auditing cannot be halted due to the partition running out
-of space.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-85954-6</xccdf-1.2:ident>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-partition_for_var_log_oauth_apiserver_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_partition_for_var_log_openshift_apiserver" severity="medium">
-            <xccdf-1.2:title>Ensure /var/log/openshift-apiserver Located On Separate Partition</xccdf-1.2:title>
-            <xccdf-1.2:description>Openshift API server audit logs are stored in the
-<html:code>/var/log/openshift-apiserver</html:code> directory.
-<html:p>
-Partitioning Red Hat CoreOS is a Day 1 operation and cannot
-be changed afterwards. For documentation on how to add a
-MachineConfig manifest that specifies a separate <html:code>/var/log/openshift-apiserver</html:code>
-partition, follow:
-
-    <html:a href="https://docs.openshift.com/container-platform/latest/installing/installing_platform_agnostic/installing-platform-agnostic.html#installation-user-infra-machines-advanced_disk_installing-platform-agnostic">https://docs.openshift.com/container-platform/latest/installing/installing_platform_agnostic/installing-platform-agnostic.html#installation-user-infra-machines-advanced_disk_installing-platform-agnostic</html:a>
+              <html:ul>
+                <html:li>soft eviction for containers</html:li>
+                <html:li>hard eviction for containers</html:li>
+                <html:li>eviction for images</html:li>
+              </html:ul>
+              <html:p>
+To configure, follow the directions in
+<html:a href="https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring">the documentation</html:a>
 </html:p>
-<html:p>
-Note that the Red Hat OpenShift documentation often references a block
-device, such as <html:code>/dev/vda</html:code>. The name of the available block devices depends
-on the underlying infrastructure (bare metal vs cloud), and often the specific
-instance type. For example in AWS, some instance types have NVMe drives
-(<html:code>/dev/nvme*</html:code>), others use <html:code>/dev/xvda*</html:code>.
-
-You will need to look for relevant documentation for your infrastructure around this.
-In many cases, the simplest thing is to boot a single machine with an Ignition
-configuration that just gives you SSH access, and inspect the block devices via
-e.g. the <html:code>lsblk</html:code> command.
-
-For physical hardware, a good best practice is to reference devices via the
-<html:code>/dev/disk/by-id/</html:code> or <html:code>/dev/disk/by-path</html:code> links.
-</html:p></xccdf-1.2:description>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.5.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.5.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000357-CTR-000800</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Placing <html:code>/var/log/openshift-apiserver</html:code> in its own partition
-enables better separation between Openshift API server audit
-files and other log files, and helps ensure that
-auditing cannot be halted due to the partition running out
-of space.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-86094-0</xccdf-1.2:ident>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-partition_for_var_log_openshift_apiserver_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-        </xccdf-1.2:Group>
-        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_master">
-          <xccdf-1.2:title>OpenShift - Master Node Settings</xccdf-1.2:title>
-          <xccdf-1.2:description>Contains evaluations for the master node configuration settings.</xccdf-1.2:description>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_cni_conf" severity="medium">
-            <xccdf-1.2:title>Verify Group Who Owns The OpenShift Container Network Interface Files</xccdf-1.2:title>
-            <xccdf-1.2:description> To properly set the group owner of <html:code>/etc/cni/net.d/*</html:code>, run the command: <html:pre>$ sudo chgrp root /etc/cni/net.d/*</html:pre></xccdf-1.2:description>
+              <html:p>
+This rule pertains to the <html:code>memory.available</html:code> setting of the <html:code>evictionSoft</html:code>
+section.
+</html:p>
+            </xccdf-1.2:description>
+            <xccdf-1.2:warning category="general">This rule's check operates on the cluster configuration dump. This will be a Platform rule, var_role_worker and var_role_master needed to be set if scan is not expected to run on master, and worker nodes.
+Therefore, you need to use a tool that can query the OCP API, retrieve KubeletConfig through <html:code class="ocp-api-endpoint-kubeletconfig">"/api/v1/nodes/NODE_NAME/proxy/configz"</html:code> API endpoint to the local <html:code class="ocp-dump-location-kubeletconfig"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>"/kubeletconfig/role/role"</html:code> file.</xccdf-1.2:warning>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
@@ -11402,28 +11937,115 @@ of space.</xccdf-1.2:rationale>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.10</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>CNI (Container Network Interface) files consist of a specification and libraries for
-writing plugins to configure network interfaces in Linux containers, along with a number
-of supported plugins. Allowing writeable access to the files could allow an attacker to modify
-the networking configuration potentially adding a rogue network connection.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84025-6</xccdf-1.2:ident>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.3.1</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>Garbage collection is important to ensure sufficient resource availability
+and avoiding degraded performance and availability. In the worst case, the
+system might crash or just be unusable for a long period of time.
+Based on your system resources and tests, choose an appropriate threshold
+value to activate garbage collection.</xccdf-1.2:rationale>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84222-9</xccdf-1.2:ident>
+            <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="kubelet_eviction_thresholds_set_soft_memory_available">---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: KubeletConfig
+metadata:
+  annotations:
+    complianceascode.io/node-role: "{{.var_role_worker}}"
+spec:
+  kubeletConfig:
+    evictionSoft:
+      memory.available: {{.var_kubelet_evictionsoft_memory_available}}
+---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: KubeletConfig
+metadata:
+  annotations:
+    complianceascode.io/node-role: "{{.var_role_worker}}"
+spec:
+  kubeletConfig:
+    evictionSoftGracePeriod:
+      memory.available: "1m30s"
+---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: KubeletConfig
+metadata:
+  annotations:
+    complianceascode.io/node-role: "{{.var_role_worker}}"
+spec:
+  kubeletConfig:
+    evictionPressureTransitionPeriod: 0s
+---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: KubeletConfig
+metadata:
+  annotations:
+    complianceascode.io/node-role: "{{.var_role_master}}"
+spec:
+  kubeletConfig:
+    evictionSoft:
+      memory.available: {{.var_kubelet_evictionsoft_memory_available}}
+---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: KubeletConfig
+metadata:
+  annotations:
+    complianceascode.io/node-role: "{{.var_role_master}}"
+spec:
+  kubeletConfig:
+    evictionSoftGracePeriod:
+      memory.available: "1m30s"
+---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: KubeletConfig
+metadata:
+  annotations:
+    complianceascode.io/node-role: "{{.var_role_master}}"
+spec:
+  kubeletConfig:
+    evictionPressureTransitionPeriod: 0s
+</xccdf-1.2:fix>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_groupowner_cni_conf:def:1"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_worker:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_worker"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_master:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_master"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_kubelet_evictionsoft_memory_available:var:1" value-id="xccdf_org.ssgproject.content_value_var_kubelet_evictionsoft_memory_available"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_eviction_thresholds_set_soft_memory_available:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_groupowner_cni_conf_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_eviction_thresholds_set_soft_memory_available_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_controller_manager_kubeconfig" severity="medium">
-            <xccdf-1.2:title>Verify Group Who Owns The OpenShift Controller Manager Kubeconfig File</xccdf-1.2:title>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_memory_available_deprecated" severity="medium">
+            <xccdf-1.2:title>Ensure Eviction threshold Settings Are Set - evictionSoft: memory.available</xccdf-1.2:title>
             <xccdf-1.2:description>
-To properly set the group owner of <html:code>/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/configmaps/controller-manager-kubeconfig/kubeconfig</html:code>, run the command:
-<html:pre>$ sudo chgrp root /etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/configmaps/controller-manager-kubeconfig/kubeconfig</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:warning category="dependency">This rule is only applicable for nodes that run the Kubernetes Controller
-Manager service. The aforementioned service is only running on
-the nodes labeled "master" by default.</xccdf-1.2:warning>
+              <html:p>Two types of garbage collection are performed on an OpenShift Container Platform node:</html:p>
+              <html:ul>
+                <html:li>Container garbage collection: Removes terminated containers.</html:li>
+                <html:li>Image garbage collection: Removes images not referenced by any running pods.</html:li>
+              </html:ul>
+              <html:p>
+Container garbage collection can be performed using eviction thresholds.
+Image garbage collection relies on disk usage as reported by cAdvisor on the
+node to decide which images to remove from the node.
+</html:p>
+              <html:p>
+The OpenShift administrator can configure how OpenShift Container Platform
+performs garbage collection by creating a kubeletConfig object for each
+Machine Config Pool using any combination of the following:
+</html:p>
+              <html:ul>
+                <html:li>soft eviction for containers</html:li>
+                <html:li>hard eviction for containers</html:li>
+                <html:li>eviction for images</html:li>
+              </html:ul>
+              <html:p>
+To configure, follow the directions in
+<html:a href="https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring">the documentation</html:a>
+</html:p>
+              <html:p>
+This rule pertains to the <html:code>memory.available</html:code> setting of the <html:code>evictionSoft</html:code>
+section.
+</html:p>
+            </xccdf-1.2:description>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
@@ -11432,27 +12054,52 @@ the nodes labeled "master" by default.</xccdf-1.2:warning>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.18</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>The Controller Manager's kubeconfig contains information about how the
-component will access the API server. You should set its file ownership to
-maintain the integrity of the file.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-master-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84095-9</xccdf-1.2:ident>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.3.1</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>Garbage collection is important to ensure sufficient resource availability
+and avoiding degraded performance and availability. In the worst case, the
+system might crash or just be unusable for a long period of time.
+Based on your system resources and tests, choose an appropriate threshold
+value to activate garbage collection.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-node"/>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_groupowner_controller_manager_kubeconfig:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_eviction_thresholds_set_soft_memory_available_deprecated:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_groupowner_controller_manager_kubeconfig_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_eviction_thresholds_set_soft_memory_available_deprecated_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_etcd_data_dir" severity="medium">
-            <xccdf-1.2:title>Verify Group Who Owns The Etcd Database Directory</xccdf-1.2:title>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_memory_available_master" severity="medium">
+            <xccdf-1.2:title>Ensure Eviction threshold Settings Are Set - evictionSoft: memory.available</xccdf-1.2:title>
             <xccdf-1.2:description>
-To properly set the group owner of <html:code>/var/lib/etcd/member/</html:code>, run the command:
-<html:pre>$ sudo chgrp root /var/lib/etcd/member/</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:warning category="dependency">This rule is only applicable for nodes that run the Etcd service.
-The aforementioned service is only running on the nodes labeled
-"master" by default.</xccdf-1.2:warning>
+              <html:p>Two types of garbage collection are performed on an OpenShift Container Platform node:</html:p>
+              <html:ul>
+                <html:li>Container garbage collection: Removes terminated containers.</html:li>
+                <html:li>Image garbage collection: Removes images not referenced by any running pods.</html:li>
+              </html:ul>
+              <html:p>
+Container garbage collection can be performed using eviction thresholds.
+Image garbage collection relies on disk usage as reported by cAdvisor on the
+node to decide which images to remove from the node.
+</html:p>
+              <html:p>
+The OpenShift administrator can configure how OpenShift Container Platform
+performs garbage collection by creating a kubeletConfig object for each
+Machine Config Pool using any combination of the following:
+</html:p>
+              <html:ul>
+                <html:li>soft eviction for containers</html:li>
+                <html:li>hard eviction for containers</html:li>
+                <html:li>eviction for images</html:li>
+              </html:ul>
+              <html:p>
+To configure, follow the directions in
+<html:a href="https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring">the documentation</html:a>
+</html:p>
+              <html:p>
+This rule pertains to the <html:code>memory.available</html:code> setting of the <html:code>evictionSoft</html:code>
+section.
+</html:p>
+            </xccdf-1.2:description>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
@@ -11461,27 +12108,54 @@ The aforementioned service is only running on the nodes labeled
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.12</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>etcd is a highly-available key-value store used by Kubernetes deployments for
-persistent storage of all of its REST API objects. This data directory should
-be protected from any unauthorized reads or writes.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-master-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83354-1</xccdf-1.2:ident>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.3.1</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>Garbage collection is important to ensure sufficient resource availability
+and avoiding degraded performance and availability. In the worst case, the
+system might crash or just be unusable for a long period of time.
+Based on your system resources and tests, choose an appropriate threshold
+value to activate garbage collection.</xccdf-1.2:rationale>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_groupowner_etcd_data_dir:def:1"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_master:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_master"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_kubelet_evictionsoft_memory_available:var:1" value-id="xccdf_org.ssgproject.content_value_var_kubelet_evictionsoft_memory_available"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_eviction_thresholds_set_soft_memory_available_master:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_groupowner_etcd_data_dir_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_eviction_thresholds_set_soft_memory_available_master_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_etcd_data_files" severity="medium">
-            <xccdf-1.2:title>Verify Group Who Owns The Etcd Write-Ahead-Log Files</xccdf-1.2:title>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_memory_available_worker" severity="medium">
+            <xccdf-1.2:title>Ensure Eviction threshold Settings Are Set - evictionSoft: memory.available</xccdf-1.2:title>
             <xccdf-1.2:description>
-To properly set the group owner of <html:code>/var/lib/etcd/member/wal/*</html:code>, run the command:
-<html:pre>$ sudo chgrp root /var/lib/etcd/member/wal/*</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:warning category="dependency">This rule is only applicable for nodes that run the Etcd service.
-The aforementioned service is only running on the nodes labeled
-"master" by default.</xccdf-1.2:warning>
+              <html:p>Two types of garbage collection are performed on an OpenShift Container Platform node:</html:p>
+              <html:ul>
+                <html:li>Container garbage collection: Removes terminated containers.</html:li>
+                <html:li>Image garbage collection: Removes images not referenced by any running pods.</html:li>
+              </html:ul>
+              <html:p>
+Container garbage collection can be performed using eviction thresholds.
+Image garbage collection relies on disk usage as reported by cAdvisor on the
+node to decide which images to remove from the node.
+</html:p>
+              <html:p>
+The OpenShift administrator can configure how OpenShift Container Platform
+performs garbage collection by creating a kubeletConfig object for each
+Machine Config Pool using any combination of the following:
+</html:p>
+              <html:ul>
+                <html:li>soft eviction for containers</html:li>
+                <html:li>hard eviction for containers</html:li>
+                <html:li>eviction for images</html:li>
+              </html:ul>
+              <html:p>
+To configure, follow the directions in
+<html:a href="https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring">the documentation</html:a>
+</html:p>
+              <html:p>
+This rule pertains to the <html:code>memory.available</html:code> setting of the <html:code>evictionSoft</html:code>
+section.
+</html:p>
+            </xccdf-1.2:description>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
@@ -11490,25 +12164,56 @@ The aforementioned service is only running on the nodes labeled
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.12</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>etcd is a highly-available key-value store used by Kubernetes deployments for
-persistent storage of all of its REST API objects. This data directory should
-be protected from any unauthorized reads or writes.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-master-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83816-9</xccdf-1.2:ident>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.3.1</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>Garbage collection is important to ensure sufficient resource availability
+and avoiding degraded performance and availability. In the worst case, the
+system might crash or just be unusable for a long period of time.
+Based on your system resources and tests, choose an appropriate threshold
+value to activate garbage collection.</xccdf-1.2:rationale>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_groupowner_etcd_data_files:def:1"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_worker:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_worker"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_kubelet_evictionsoft_memory_available:var:1" value-id="xccdf_org.ssgproject.content_value_var_kubelet_evictionsoft_memory_available"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_eviction_thresholds_set_soft_memory_available_worker:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_groupowner_etcd_data_files_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_eviction_thresholds_set_soft_memory_available_worker_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_etcd_member" severity="medium">
-            <xccdf-1.2:title>Verify Group Who Owns The etcd Member Pod Specification File</xccdf-1.2:title>
-            <xccdf-1.2:description> To properly set the group owner of <html:code>/etc/kubernetes/static-pod-resources/etcd-pod-*/etcd-pod.yaml</html:code>, run the command: <html:pre>$ sudo chgrp root /etc/kubernetes/static-pod-resources/etcd-pod-*/etcd-pod.yaml</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:warning category="dependency">This rule is only applicable for nodes that run the Etcd service.
-The aforementioned service is only running on the nodes labeled
-"master" by default.</xccdf-1.2:warning>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_nodefs_available" severity="medium">
+            <xccdf-1.2:title>Ensure Eviction threshold Settings Are Set - evictionSoft: nodefs.available</xccdf-1.2:title>
+            <xccdf-1.2:description>
+              <html:p>Two types of garbage collection are performed on an OpenShift Container Platform node:</html:p>
+              <html:ul>
+                <html:li>Container garbage collection: Removes terminated containers.</html:li>
+                <html:li>Image garbage collection: Removes images not referenced by any running pods.</html:li>
+              </html:ul>
+              <html:p>
+Container garbage collection can be performed using eviction thresholds.
+Image garbage collection relies on disk usage as reported by cAdvisor on the
+node to decide which images to remove from the node.
+</html:p>
+              <html:p>
+The OpenShift administrator can configure how OpenShift Container Platform
+performs garbage collection by creating a kubeletConfig object for each
+Machine Config Pool using any combination of the following:
+</html:p>
+              <html:ul>
+                <html:li>soft eviction for containers</html:li>
+                <html:li>hard eviction for containers</html:li>
+                <html:li>eviction for images</html:li>
+              </html:ul>
+              <html:p>
+To configure, follow the directions in
+<html:a href="https://docs.openshift.com/container-platform/4.6/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring">the documentation</html:a>
+</html:p>
+              <html:p>
+This rule pertains to the <html:code>nodefs.available</html:code> setting of the <html:code>evictionSoft</html:code>
+section.
+</html:p>
+            </xccdf-1.2:description>
+            <xccdf-1.2:warning category="general">This rule's check operates on the cluster configuration dump. This will be a Platform rule, var_role_worker and var_role_master needed to be set if scan is not expected to run on master, and worker nodes.
+Therefore, you need to use a tool that can query the OCP API, retrieve KubeletConfig through <html:code class="ocp-api-endpoint-kubeletconfig">"/api/v1/nodes/NODE_NAME/proxy/configz"</html:code> API endpoint to the local <html:code class="ocp-dump-location-kubeletconfig"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>"/kubeletconfig/role/role"</html:code> file.</xccdf-1.2:warning>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
@@ -11517,30 +12222,115 @@ The aforementioned service is only running on the nodes labeled
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.8</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>The etcd pod specification file controls various parameters that
-set the behavior of the etcd service in the master node. etcd is a
-highly-available key-value store which Kubernetes uses for persistent
-storage of all of its REST API object. You should restrict its file
-permissions to maintain the integrity of the file. The file should be
-writable by only the administrators on the system.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-master-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83664-3</xccdf-1.2:ident>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.3.1</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>Garbage collection is important to ensure sufficient resource availability
+and avoiding degraded performance and availability. In the worst case, the
+system might crash or just be unusable for a long period of time.
+Based on your system resources and tests, choose an appropriate threshold
+value to activate garbage collection.</xccdf-1.2:rationale>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84119-7</xccdf-1.2:ident>
+            <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="kubelet_eviction_thresholds_set_soft_nodefs_available">---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: KubeletConfig
+metadata:
+  annotations:
+    complianceascode.io/node-role: "{{.var_role_worker}}"
+spec:
+  kubeletConfig:
+    evictionSoft:
+      nodefs.available: {{.var_kubelet_evictionsoft_nodefs_available}}
+---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: KubeletConfig
+metadata:
+  annotations:
+    complianceascode.io/node-role: "{{.var_role_worker}}"
+spec:
+  kubeletConfig:
+    evictionSoftGracePeriod:
+      nodefs.available: "1m30s"
+---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: KubeletConfig
+metadata:
+  annotations:
+    complianceascode.io/node-role: "{{.var_role_worker}}"
+spec:
+  kubeletConfig:
+    evictionPressureTransitionPeriod: 0s
+---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: KubeletConfig
+metadata:
+  annotations:
+    complianceascode.io/node-role: "{{.var_role_master}}"
+spec:
+  kubeletConfig:
+    evictionSoft:
+      nodefs.available: {{.var_kubelet_evictionsoft_nodefs_available}}
+---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: KubeletConfig
+metadata:
+  annotations:
+    complianceascode.io/node-role: "{{.var_role_master}}"
+spec:
+  kubeletConfig:
+    evictionSoftGracePeriod:
+      nodefs.available: "1m30s"
+---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: KubeletConfig
+metadata:
+  annotations:
+    complianceascode.io/node-role: "{{.var_role_master}}"
+spec:
+  kubeletConfig:
+    evictionPressureTransitionPeriod: 0s
+</xccdf-1.2:fix>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_groupowner_etcd_member:def:1"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_worker:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_worker"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_master:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_master"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_kubelet_evictionsoft_nodefs_available:var:1" value-id="xccdf_org.ssgproject.content_value_var_kubelet_evictionsoft_nodefs_available"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_eviction_thresholds_set_soft_nodefs_available:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_groupowner_etcd_member_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_eviction_thresholds_set_soft_nodefs_available_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_etcd_pki_cert_files" severity="medium">
-            <xccdf-1.2:title>Verify Group Who Owns The Etcd PKI Certificate Files</xccdf-1.2:title>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_nodefs_available_deprecated" severity="medium">
+            <xccdf-1.2:title>Ensure Eviction threshold Settings Are Set - evictionSoft: nodefs.available</xccdf-1.2:title>
             <xccdf-1.2:description>
-To properly set the group owner of <html:code>/etc/kubernetes/static-pod-resources/*/*/*/*.crt</html:code>, run the command:
-<html:pre>$ sudo chgrp root /etc/kubernetes/static-pod-resources/*/*/*/*.crt</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:warning category="dependency">This rule is only applicable for nodes that run the Etcd service.
-The aforementioned service is only running on the nodes labeled
-"master" by default.</xccdf-1.2:warning>
+              <html:p>Two types of garbage collection are performed on an OpenShift Container Platform node:</html:p>
+              <html:ul>
+                <html:li>Container garbage collection: Removes terminated containers.</html:li>
+                <html:li>Image garbage collection: Removes images not referenced by any running pods.</html:li>
+              </html:ul>
+              <html:p>
+Container garbage collection can be performed using eviction thresholds.
+Image garbage collection relies on disk usage as reported by cAdvisor on the
+node to decide which images to remove from the node.
+</html:p>
+              <html:p>
+The OpenShift administrator can configure how OpenShift Container Platform
+performs garbage collection by creating a kubeletConfig object for each
+Machine Config Pool using any combination of the following:
+</html:p>
+              <html:ul>
+                <html:li>soft eviction for containers</html:li>
+                <html:li>hard eviction for containers</html:li>
+                <html:li>eviction for images</html:li>
+              </html:ul>
+              <html:p>
+To configure, follow the directions in
+<html:a href="https://docs.openshift.com/container-platform/4.6/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring">the documentation</html:a>
+</html:p>
+              <html:p>
+This rule pertains to the <html:code>nodefs.available</html:code> setting of the <html:code>evictionSoft</html:code>
+section.
+</html:p>
+            </xccdf-1.2:description>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
@@ -11549,23 +12339,52 @@ The aforementioned service is only running on the nodes labeled
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.19</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>OpenShift makes use of a number of certificates as part of its operation.
-You should verify the ownership of the directory containing the PKI
-information and all files in that directory to maintain their integrity.
-The directory and files should be owned by the system administrator.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-master-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83890-4</xccdf-1.2:ident>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.3.1</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>Garbage collection is important to ensure sufficient resource availability
+and avoiding degraded performance and availability. In the worst case, the
+system might crash or just be unusable for a long period of time.
+Based on your system resources and tests, choose an appropriate threshold
+value to activate garbage collection.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-node"/>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_groupowner_etcd_pki_cert_files:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_eviction_thresholds_set_soft_nodefs_available_deprecated:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_groupowner_etcd_pki_cert_files_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_eviction_thresholds_set_soft_nodefs_available_deprecated_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_ip_allocations" severity="medium">
-            <xccdf-1.2:title>Verify Group Who Owns The OpenShift SDN Container Network Interface Plugin IP Address Allocations</xccdf-1.2:title>
-            <xccdf-1.2:description> To properly set the group owner of <html:code>/var/lib/cni/networks/openshift-sdn/.*</html:code>, run the command: <html:pre>$ sudo chgrp root /var/lib/cni/networks/openshift-sdn/.*</html:pre></xccdf-1.2:description>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_nodefs_available_master" severity="medium">
+            <xccdf-1.2:title>Ensure Eviction threshold Settings Are Set - evictionSoft: nodefs.available</xccdf-1.2:title>
+            <xccdf-1.2:description>
+              <html:p>Two types of garbage collection are performed on an OpenShift Container Platform node:</html:p>
+              <html:ul>
+                <html:li>Container garbage collection: Removes terminated containers.</html:li>
+                <html:li>Image garbage collection: Removes images not referenced by any running pods.</html:li>
+              </html:ul>
+              <html:p>
+Container garbage collection can be performed using eviction thresholds.
+Image garbage collection relies on disk usage as reported by cAdvisor on the
+node to decide which images to remove from the node.
+</html:p>
+              <html:p>
+The OpenShift administrator can configure how OpenShift Container Platform
+performs garbage collection by creating a kubeletConfig object for each
+Machine Config Pool using any combination of the following:
+</html:p>
+              <html:ul>
+                <html:li>soft eviction for containers</html:li>
+                <html:li>hard eviction for containers</html:li>
+                <html:li>eviction for images</html:li>
+              </html:ul>
+              <html:p>
+To configure, follow the directions in
+<html:a href="https://docs.openshift.com/container-platform/4.6/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring">the documentation</html:a>
+</html:p>
+              <html:p>
+This rule pertains to the <html:code>nodefs.available</html:code> setting of the <html:code>evictionSoft</html:code>
+section.
+</html:p>
+            </xccdf-1.2:description>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
@@ -11574,26 +12393,54 @@ The directory and files should be owned by the system administrator.</xccdf-1.2:
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.10</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>CNI (Container Network Interface) files consist of a specification and libraries for
-writing plugins to configure network interfaces in Linux containers, along with a number
-of supported plugins. Allowing writeable access to the files could allow an attacker to modify
-the networking configuration potentially adding a rogue network connection.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-node-on-sdn"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84211-2</xccdf-1.2:ident>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.3.1</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>Garbage collection is important to ensure sufficient resource availability
+and avoiding degraded performance and availability. In the worst case, the
+system might crash or just be unusable for a long period of time.
+Based on your system resources and tests, choose an appropriate threshold
+value to activate garbage collection.</xccdf-1.2:rationale>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_groupowner_ip_allocations:def:1"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_master:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_master"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_kubelet_evictionsoft_nodefs_available:var:1" value-id="xccdf_org.ssgproject.content_value_var_kubelet_evictionsoft_nodefs_available"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_eviction_thresholds_set_soft_nodefs_available_master:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_groupowner_ip_allocations_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_eviction_thresholds_set_soft_nodefs_available_master_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_kube_apiserver" severity="medium">
-            <xccdf-1.2:title>Verify Group Who Owns The Kubernetes API Server Pod Specification File</xccdf-1.2:title>
-            <xccdf-1.2:description> To properly set the group owner of <html:code>/etc/kubernetes/static-pod-resources/kube-apiserver-pod-*/kube-apiserver-pod.yaml</html:code>, run the command: <html:pre>$ sudo chgrp root /etc/kubernetes/static-pod-resources/kube-apiserver-pod-*/kube-apiserver-pod.yaml</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:warning category="dependency">This rule is only applicable for nodes that run the Kubernetes API Server service.
-The aforementioned service is only running on the nodes labeled
-"master" by default.</xccdf-1.2:warning>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_nodefs_available_worker" severity="medium">
+            <xccdf-1.2:title>Ensure Eviction threshold Settings Are Set - evictionSoft: nodefs.available</xccdf-1.2:title>
+            <xccdf-1.2:description>
+              <html:p>Two types of garbage collection are performed on an OpenShift Container Platform node:</html:p>
+              <html:ul>
+                <html:li>Container garbage collection: Removes terminated containers.</html:li>
+                <html:li>Image garbage collection: Removes images not referenced by any running pods.</html:li>
+              </html:ul>
+              <html:p>
+Container garbage collection can be performed using eviction thresholds.
+Image garbage collection relies on disk usage as reported by cAdvisor on the
+node to decide which images to remove from the node.
+</html:p>
+              <html:p>
+The OpenShift administrator can configure how OpenShift Container Platform
+performs garbage collection by creating a kubeletConfig object for each
+Machine Config Pool using any combination of the following:
+</html:p>
+              <html:ul>
+                <html:li>soft eviction for containers</html:li>
+                <html:li>hard eviction for containers</html:li>
+                <html:li>eviction for images</html:li>
+              </html:ul>
+              <html:p>
+To configure, follow the directions in
+<html:a href="https://docs.openshift.com/container-platform/4.6/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring">the documentation</html:a>
+</html:p>
+              <html:p>
+This rule pertains to the <html:code>nodefs.available</html:code> setting of the <html:code>evictionSoft</html:code>
+section.
+</html:p>
+            </xccdf-1.2:description>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
@@ -11602,25 +12449,56 @@ The aforementioned service is only running on the nodes labeled
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>The Kubernetes specification file contains information about the configuration of the
-Kubernetes API Server that is configured on the system. Protection of this file is
-critical for OpenShift security.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-master-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83530-6</xccdf-1.2:ident>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.3.1</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>Garbage collection is important to ensure sufficient resource availability
+and avoiding degraded performance and availability. In the worst case, the
+system might crash or just be unusable for a long period of time.
+Based on your system resources and tests, choose an appropriate threshold
+value to activate garbage collection.</xccdf-1.2:rationale>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_groupowner_kube_apiserver:def:1"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_worker:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_worker"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_kubelet_evictionsoft_nodefs_available:var:1" value-id="xccdf_org.ssgproject.content_value_var_kubelet_evictionsoft_nodefs_available"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_eviction_thresholds_set_soft_nodefs_available_worker:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_groupowner_kube_apiserver_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_eviction_thresholds_set_soft_nodefs_available_worker_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_kube_controller_manager" severity="medium">
-            <xccdf-1.2:title>Verify Group Who Owns The Kubernetes Controller Manager Pod Specification File</xccdf-1.2:title>
-            <xccdf-1.2:description> To properly set the group owner of <html:code>/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/kube-controller-manager-pod.yaml</html:code>, run the command: <html:pre>$ sudo chgrp root /etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/kube-controller-manager-pod.yaml</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:warning category="dependency">This rule is only applicable for nodes that run the Kubernetes Controller Manager service.
-The aforementioned service is only running on the nodes labeled
-"master" by default.</xccdf-1.2:warning>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_nodefs_inodesfree" severity="medium">
+            <xccdf-1.2:title>Ensure Eviction threshold Settings Are Set - evictionSoft: nodefs.inodesFree</xccdf-1.2:title>
+            <xccdf-1.2:description>
+              <html:p>Two types of garbage collection are performed on an OpenShift Container Platform node:</html:p>
+              <html:ul>
+                <html:li>Container garbage collection: Removes terminated containers.</html:li>
+                <html:li>Image garbage collection: Removes images not referenced by any running pods.</html:li>
+              </html:ul>
+              <html:p>
+Container garbage collection can be performed using eviction thresholds.
+Image garbage collection relies on disk usage as reported by cAdvisor on the
+node to decide which images to remove from the node.
+</html:p>
+              <html:p>
+The OpenShift administrator can configure how OpenShift Container Platform
+performs garbage collection by creating a kubeletConfig object for each
+Machine Config Pool using any combination of the following:
+</html:p>
+              <html:ul>
+                <html:li>soft eviction for containers</html:li>
+                <html:li>hard eviction for containers</html:li>
+                <html:li>eviction for images</html:li>
+              </html:ul>
+              <html:p>
+To configure, follow the directions in
+<html:a href="https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring">the documentation</html:a>
+</html:p>
+              <html:p>
+This rule pertains to the <html:code>nodefs.inodesFree</html:code> setting of the <html:code>evictionSoft</html:code>
+section.
+</html:p>
+            </xccdf-1.2:description>
+            <xccdf-1.2:warning category="general">This rule's check operates on the cluster configuration dump. This will be a Platform rule, var_role_worker and var_role_master needed to be set if scan is not expected to run on master, and worker nodes.
+Therefore, you need to use a tool that can query the OCP API, retrieve KubeletConfig through <html:code class="ocp-api-endpoint-kubeletconfig">"/api/v1/nodes/NODE_NAME/proxy/configz"</html:code> API endpoint to the local <html:code class="ocp-dump-location-kubeletconfig"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>"/kubeletconfig/role/role"</html:code> file.</xccdf-1.2:warning>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
@@ -11629,25 +12507,115 @@ The aforementioned service is only running on the nodes labeled
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.4</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>The Kubernetes specification file contains information about the configuration of the
-Kubernetes Controller Manager Server that is configured on the system. Protection of this file is
-critical for OpenShift security.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-master-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83953-0</xccdf-1.2:ident>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.3.1</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>Garbage collection is important to ensure sufficient resource availability
+and avoiding degraded performance and availability. In the worst case, the
+system might crash or just be unusable for a long period of time.
+Based on your system resources and tests, choose an appropriate threshold
+value to activate garbage collection.</xccdf-1.2:rationale>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84123-9</xccdf-1.2:ident>
+            <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="kubelet_eviction_thresholds_set_soft_nodefs_inodesfree">---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: KubeletConfig
+metadata:
+  annotations:
+    complianceascode.io/node-role: "{{.var_role_master}}"
+spec:
+  kubeletConfig:
+    evictionSoft:
+      nodefs.inodesFree: {{.var_kubelet_evictionsoft_nodefs_inodesfree}}
+---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: KubeletConfig
+metadata:
+  annotations:
+    complianceascode.io/node-role: "{{.var_role_master}}"
+spec:
+  kubeletConfig:
+    evictionSoftGracePeriod:
+      nodefs.inodesFree: "1m30s"
+---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: KubeletConfig
+metadata:
+  annotations:
+    complianceascode.io/node-role: "{{.var_role_master}}"
+spec:
+  kubeletConfig:
+    evictionPressureTransitionPeriod: 0s
+---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: KubeletConfig
+metadata:
+  annotations:
+    complianceascode.io/node-role: "{{.var_role_worker}}"
+spec:
+  kubeletConfig:
+    evictionSoft:
+      nodefs.inodesFree: {{.var_kubelet_evictionsoft_nodefs_inodesfree}}
+---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: KubeletConfig
+metadata:
+  annotations:
+    complianceascode.io/node-role: "{{.var_role_worker}}"
+spec:
+  kubeletConfig:
+    evictionSoftGracePeriod:
+      nodefs.inodesFree: "1m30s"
+---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: KubeletConfig
+metadata:
+  annotations:
+    complianceascode.io/node-role: "{{.var_role_worker}}"
+spec:
+  kubeletConfig:
+    evictionPressureTransitionPeriod: 0s
+</xccdf-1.2:fix>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_groupowner_kube_controller_manager:def:1"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_worker:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_worker"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_master:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_master"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_kubelet_evictionsoft_nodefs_inodesfree:var:1" value-id="xccdf_org.ssgproject.content_value_var_kubelet_evictionsoft_nodefs_inodesfree"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_eviction_thresholds_set_soft_nodefs_inodesfree:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_groupowner_kube_controller_manager_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_kube_scheduler" severity="medium">
-            <xccdf-1.2:title>Verify Group Who Owns The Kubernetes Scheduler Pod Specification File</xccdf-1.2:title>
-            <xccdf-1.2:description> To properly set the group owner of <html:code>/etc/kubernetes/static-pod-resources/kube-scheduler-pod-*/kube-scheduler-pod.yaml</html:code>, run the command: <html:pre>$ sudo chgrp root /etc/kubernetes/static-pod-resources/kube-scheduler-pod-*/kube-scheduler-pod.yaml</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:warning category="dependency">This rule is only applicable for nodes that run the Kubernetes Scheduler service.
-The aforementioned service is only running on the nodes labeled
-"master" by default.</xccdf-1.2:warning>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_deprecated" severity="medium">
+            <xccdf-1.2:title>Ensure Eviction threshold Settings Are Set - evictionSoft: nodefs.inodesFree</xccdf-1.2:title>
+            <xccdf-1.2:description>
+              <html:p>Two types of garbage collection are performed on an OpenShift Container Platform node:</html:p>
+              <html:ul>
+                <html:li>Container garbage collection: Removes terminated containers.</html:li>
+                <html:li>Image garbage collection: Removes images not referenced by any running pods.</html:li>
+              </html:ul>
+              <html:p>
+Container garbage collection can be performed using eviction thresholds.
+Image garbage collection relies on disk usage as reported by cAdvisor on the
+node to decide which images to remove from the node.
+</html:p>
+              <html:p>
+The OpenShift administrator can configure how OpenShift Container Platform
+performs garbage collection by creating a kubeletConfig object for each
+Machine Config Pool using any combination of the following:
+</html:p>
+              <html:ul>
+                <html:li>soft eviction for containers</html:li>
+                <html:li>hard eviction for containers</html:li>
+                <html:li>eviction for images</html:li>
+              </html:ul>
+              <html:p>
+To configure, follow the directions in
+<html:a href="https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring">the documentation</html:a>
+</html:p>
+              <html:p>
+This rule pertains to the <html:code>nodefs.inodesFree</html:code> setting of the <html:code>evictionSoft</html:code>
+section.
+</html:p>
+            </xccdf-1.2:description>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
@@ -11656,38 +12624,52 @@ The aforementioned service is only running on the nodes labeled
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.6</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>The Kubernetes Specification file contains information about the configuration of the
-Kubernetes scheduler that is configured on the system. Protection of this file is
-critical for OpenShift security.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-master-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83614-8</xccdf-1.2:ident>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.3.1</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>Garbage collection is important to ensure sufficient resource availability
+and avoiding degraded performance and availability. In the worst case, the
+system might crash or just be unusable for a long period of time.
+Based on your system resources and tests, choose an appropriate threshold
+value to activate garbage collection.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-node"/>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_groupowner_kube_scheduler:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_groupowner_kube_scheduler_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_deprecated:def:1"/>
             </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_kubeconfig" severity="medium">
-            <xccdf-1.2:title>Verify Group Who Owns The OpenShift Admin Kubeconfig File</xccdf-1.2:title>
-            <xccdf-1.2:description> To properly set the group owner of <html:code>/etc/kubernetes/kubeconfig</html:code>, run the command: <html:pre>$ sudo chgrp root /etc/kubernetes/kubeconfig</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.14</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>The <html:code>/etc/kubernetes/kubeconfig</html:code> file contains information about the administrative configuration of the
-OpenShift cluster that is configured on the system. Protection of this file is
-critical for OpenShift security.</xccdf-1.2:rationale>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_groupowner_kubeconfig_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_deprecated_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_master_admin_kubeconfigs" severity="medium">
-            <xccdf-1.2:title>Verify Group Who Owns The OpenShift Admin Kubeconfig Files</xccdf-1.2:title>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_master" severity="medium">
+            <xccdf-1.2:title>Ensure Eviction threshold Settings Are Set - evictionSoft: nodefs.inodesFree</xccdf-1.2:title>
             <xccdf-1.2:description>
-To properly set the group owner of <html:code>/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/*.kubeconfig</html:code>, run the command:
-<html:pre>$ sudo chgrp root /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/*.kubeconfig</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:warning category="dependency">This rule is only applicable for nodes that run the Kubernetes API server service.
-The aforementioned service is only running on the nodes labeled
-"master" by default.</xccdf-1.2:warning>
+              <html:p>Two types of garbage collection are performed on an OpenShift Container Platform node:</html:p>
+              <html:ul>
+                <html:li>Container garbage collection: Removes terminated containers.</html:li>
+                <html:li>Image garbage collection: Removes images not referenced by any running pods.</html:li>
+              </html:ul>
+              <html:p>
+Container garbage collection can be performed using eviction thresholds.
+Image garbage collection relies on disk usage as reported by cAdvisor on the
+node to decide which images to remove from the node.
+</html:p>
+              <html:p>
+The OpenShift administrator can configure how OpenShift Container Platform
+performs garbage collection by creating a kubeletConfig object for each
+Machine Config Pool using any combination of the following:
+</html:p>
+              <html:ul>
+                <html:li>soft eviction for containers</html:li>
+                <html:li>hard eviction for containers</html:li>
+                <html:li>eviction for images</html:li>
+              </html:ul>
+              <html:p>
+To configure, follow the directions in
+<html:a href="https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring">the documentation</html:a>
+</html:p>
+              <html:p>
+This rule pertains to the <html:code>nodefs.inodesFree</html:code> setting of the <html:code>evictionSoft</html:code>
+section.
+</html:p>
+            </xccdf-1.2:description>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
@@ -11696,26 +12678,54 @@ The aforementioned service is only running on the nodes labeled
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.14</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>There are various kubeconfig files that can be used by the administrator,
-defining various settings for the administration of the cluster. These files
-contain credentials that can be used to control the cluster and are needed
-for disaster recovery and each kubeconfig points to a different endpoint in
-the cluster. You should restrict its file permissions to maintain the
-integrity of the kubeconfig file as an attacker who gains access to these
-files can take over the cluster.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-master-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84204-7</xccdf-1.2:ident>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.3.1</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>Garbage collection is important to ensure sufficient resource availability
+and avoiding degraded performance and availability. In the worst case, the
+system might crash or just be unusable for a long period of time.
+Based on your system resources and tests, choose an appropriate threshold
+value to activate garbage collection.</xccdf-1.2:rationale>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_groupowner_master_admin_kubeconfigs:def:1"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_master:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_master"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_kubelet_evictionsoft_nodefs_inodesfree:var:1" value-id="xccdf_org.ssgproject.content_value_var_kubelet_evictionsoft_nodefs_inodesfree"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_master:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_groupowner_master_admin_kubeconfigs_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_master_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_multus_conf" severity="medium">
-            <xccdf-1.2:title>Verify Group Who Owns The OpenShift Multus Container Network Interface Plugin Files</xccdf-1.2:title>
-            <xccdf-1.2:description> To properly set the group owner of <html:code>/var/run/multus/cni/net.d/*</html:code>, run the command: <html:pre>$ sudo chgrp root /var/run/multus/cni/net.d/*</html:pre></xccdf-1.2:description>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_worker" severity="medium">
+            <xccdf-1.2:title>Ensure Eviction threshold Settings Are Set - evictionSoft: nodefs.inodesFree</xccdf-1.2:title>
+            <xccdf-1.2:description>
+              <html:p>Two types of garbage collection are performed on an OpenShift Container Platform node:</html:p>
+              <html:ul>
+                <html:li>Container garbage collection: Removes terminated containers.</html:li>
+                <html:li>Image garbage collection: Removes images not referenced by any running pods.</html:li>
+              </html:ul>
+              <html:p>
+Container garbage collection can be performed using eviction thresholds.
+Image garbage collection relies on disk usage as reported by cAdvisor on the
+node to decide which images to remove from the node.
+</html:p>
+              <html:p>
+The OpenShift administrator can configure how OpenShift Container Platform
+performs garbage collection by creating a kubeletConfig object for each
+Machine Config Pool using any combination of the following:
+</html:p>
+              <html:ul>
+                <html:li>soft eviction for containers</html:li>
+                <html:li>hard eviction for containers</html:li>
+                <html:li>eviction for images</html:li>
+              </html:ul>
+              <html:p>
+To configure, follow the directions in
+<html:a href="https://docs.openshift.com/container-platform/4.5/nodes/nodes/nodes-nodes-garbage-collection.html#nodes-nodes-garbage-collection-configuring_nodes-nodes-configuring">the documentation</html:a>
+</html:p>
+              <html:p>
+This rule pertains to the <html:code>nodefs.inodesFree</html:code> setting of the <html:code>evictionSoft</html:code>
+section.
+</html:p>
+            </xccdf-1.2:description>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
@@ -11724,154 +12734,135 @@ files can take over the cluster.</xccdf-1.2:rationale>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.10</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>CNI (Container Network Interface) files consist of a specification and libraries for
-writing plugins to configure network interfaces in Linux containers, along with a number
-of supported plugins. Allowing writeable access to the files could allow an attacker to modify
-the networking configuration potentially adding a rogue network connection.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83818-5</xccdf-1.2:ident>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.3.1</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>Garbage collection is important to ensure sufficient resource availability
+and avoiding degraded performance and availability. In the worst case, the
+system might crash or just be unusable for a long period of time.
+Based on your system resources and tests, choose an appropriate threshold
+value to activate garbage collection.</xccdf-1.2:rationale>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_groupowner_multus_conf:def:1"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_worker:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_worker"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_kubelet_evictionsoft_nodefs_inodesfree:var:1" value-id="xccdf_org.ssgproject.content_value_var_kubelet_evictionsoft_nodefs_inodesfree"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_worker:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_groupowner_multus_conf_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_worker_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_openshift_pki_cert_files" severity="medium">
-            <xccdf-1.2:title>Verify Group Who Owns The OpenShift PKI Certificate Files</xccdf-1.2:title>
-            <xccdf-1.2:description>
-To properly set the group owner of <html:code>/etc/kubernetes/static-pod-resources/*/*/*/tls.crt</html:code>, run the command:
-<html:pre>$ sudo chgrp root /etc/kubernetes/static-pod-resources/*/*/*/tls.crt</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:warning category="dependency">This rule is only applicable for nodes that run the Kubernetes Control Plane.
-The aforementioned service is only running on the nodes labeled
-"master" by default.</xccdf-1.2:warning>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_read_only_port_secured" severity="medium">
+            <xccdf-1.2:title>kubelet - Ensure that the --read-only-port is secured</xccdf-1.2:title>
+            <xccdf-1.2:description>Disable the read-only port.</xccdf-1.2:description>
+            <xccdf-1.2:warning category="general">This rule's check operates on the cluster configuration dump. This will be a Platform rule, var_role_worker and var_role_master needed to be set if scan is not expected to run on master, and worker nodes.
+Therefore, you need to use a tool that can query the OCP API, retrieve KubeletConfig through <html:code class="ocp-api-endpoint-kubeletconfig">"/api/v1/nodes/NODE_NAME/proxy/configz"</html:code> API endpoint to the local <html:code class="ocp-dump-location-kubeletconfig"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>"/kubeletconfig/role/role"</html:code> file.</xccdf-1.2:warning>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
             <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.19</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>OpenShift makes use of a number of certificates as part of its operation.
-You should verify the ownership of the directory containing the PKI
-information and all files in that directory to maintain their integrity.
-The directory and files should be owned by the system administrator.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-master-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83922-5</xccdf-1.2:ident>
+            <xccdf-1.2:rationale>The Kubelet process provides a read-only API in addition to the main Kubelet API.
+Unauthenticated access is provided to this read-only API which could possibly retrieve
+potentially sensitive information about the cluster.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4"/>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_groupowner_openshift_pki_cert_files:def:1"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_worker:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_worker"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_master:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_master"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_read_only_port_secured:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_groupowner_openshift_pki_cert_files_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_read_only_port_secured_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_openshift_pki_key_files" severity="medium">
-            <xccdf-1.2:title>Verify Group Who Owns The OpenShift PKI Private Key Files</xccdf-1.2:title>
-            <xccdf-1.2:description>
-To properly set the group owner of <html:code>/etc/kubernetes/static-pod-resources/*/*/*/*.key</html:code>, run the command:
-<html:pre>$ sudo chgrp root /etc/kubernetes/static-pod-resources/*/*/*/*.key</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:warning category="dependency">This rule is only applicable for nodes that run the Kubernetes Control Plane.
-The aforementioned service is only running on the nodes labeled
-"master" by default.</xccdf-1.2:warning>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_read_only_port_secured_deprecated" severity="medium">
+            <xccdf-1.2:title>kubelet - Ensure that the --read-only-port is secured</xccdf-1.2:title>
+            <xccdf-1.2:description>Disable the read-only port.</xccdf-1.2:description>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
             <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.19</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>OpenShift makes use of a number of certificates as part of its operation.
-You should verify the ownership of the directory containing the PKI
-information and all files in that directory to maintain their integrity.
-The directory and files should be owned by root:root.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-master-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84172-6</xccdf-1.2:ident>
+            <xccdf-1.2:rationale>The Kubelet process provides a read-only API in addition to the main Kubelet API.
+Unauthenticated access is provided to this read-only API which could possibly retrieve
+potentially sensitive information about the cluster.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-node"/>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_groupowner_openshift_pki_key_files:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_read_only_port_secured_deprecated:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_groupowner_openshift_pki_key_files_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_read_only_port_secured_deprecated_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_openshift_sdn_cniserver_config" severity="medium">
-            <xccdf-1.2:title>Verify Group Who Owns The OpenShift SDN CNI Server Config</xccdf-1.2:title>
-            <xccdf-1.2:description>
-To properly set the group owner of <html:code>/var/run/openshift-sdn/cniserver/config.json</html:code>, run the command:
-<html:pre>$ sudo chgrp root /var/run/openshift-sdn/cniserver/config.json</html:pre></xccdf-1.2:description>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_read_only_port_secured_master" severity="medium">
+            <xccdf-1.2:title>kubelet - Ensure that the --read-only-port is secured</xccdf-1.2:title>
+            <xccdf-1.2:description>Disable the read-only port.</xccdf-1.2:description>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
             <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.9</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>CNI (Container Network Interface) files consist of a specification and libraries for
-writing plugins to configure network interfaces in Linux containers, along with a number
-of supported plugins. Allowing writeable access to the files could allow an attacker to modify
-the networking configuration potentially adding a rogue network connection.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-node-on-sdn"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83605-6</xccdf-1.2:ident>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_groupowner_openshift_sdn_cniserver_config:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_groupowner_openshift_sdn_cniserver_config_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_openvswitch" severity="medium">
-            <xccdf-1.2:title>Verify Group Who Owns The OpenShift Open vSwitch Files</xccdf-1.2:title>
-            <xccdf-1.2:description> To properly set the group owner of <html:code>/etc/openvswitch/.*</html:code>, run the command: <html:pre>$ sudo chgrp root /etc/openvswitch/.*</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.10</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>CNI (Container Network Interface) files consist of a specification and libraries for
-writing plugins to configure network interfaces in Linux containers, along with a number
-of supported plugins. Allowing writeable access to the files could allow an attacker to modify
-the networking configuration potentially adding a rogue network connection.</xccdf-1.2:rationale>
+            <xccdf-1.2:rationale>The Kubelet process provides a read-only API in addition to the main Kubelet API.
+Unauthenticated access is provided to this read-only API which could possibly retrieve
+potentially sensitive information about the cluster.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4"/>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_groupowner_openvswitch:def:1"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_master:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_master"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_read_only_port_secured_master:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_groupowner_openvswitch_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_read_only_port_secured_master_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_ovs_conf_db" severity="medium">
-            <xccdf-1.2:title>Verify Group Who Owns The Open vSwitch Configuration Database</xccdf-1.2:title>
-            <xccdf-1.2:description>Check if the group owner of <html:code>/etc/openvswitch/conf.db</html:code> is
-<html:code>hugetlbfs</html:code> on architectures other than s390x or <html:code>openvswitch</html:code>
-on s390x.</xccdf-1.2:description>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_read_only_port_secured_worker" severity="medium">
+            <xccdf-1.2:title>kubelet - Ensure that the --read-only-port is secured</xccdf-1.2:title>
+            <xccdf-1.2:description>Disable the read-only port.</xccdf-1.2:description>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
             <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.9</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>CNI (Container Network Interface) files consist of a specification and libraries for
-writing plugins to configure network interfaces in Linux containers, along with a number
-of supported plugins. Allowing writeable access to the files could allow an attacker to modify
-the networking configuration potentially adding a rogue network connection.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-88281-1</xccdf-1.2:ident>
+            <xccdf-1.2:rationale>The Kubelet process provides a read-only API in addition to the main Kubelet API.
+Unauthenticated access is provided to this read-only API which could possibly retrieve
+potentially sensitive information about the cluster.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4"/>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_groupowner_ovs_conf_db:def:1"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_worker:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_worker"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_read_only_port_secured_worker:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_groupowner_ovs_conf_db_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_read_only_port_secured_worker_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_ovs_conf_db_lock" severity="medium">
-            <xccdf-1.2:title>Verify Group Who Owns The Open vSwitch Configuration Database Lock</xccdf-1.2:title>
-            <xccdf-1.2:description>Check if the group owner of <html:code>/etc/openvswitch/conf.db.~lock~</html:code> is
-<html:code>hugetlbfs</html:code> on architectures other than s390x or <html:code>openvswitch</html:code>
-on s390x.</xccdf-1.2:description>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_test_cipher" severity="medium">
+            <xccdf-1.2:title>Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers</xccdf-1.2:title>
+            <xccdf-1.2:description>Ensure that the Kubelet is configured to only use strong cryptographic ciphers.
+To set the cipher suites for the kubelet, create new or modify existing
+<html:code>KubeletConfig</html:code> object along these lines, one for every
+<html:code>MachineConfigPool</html:code>:
+  <html:pre>
+  apiVersion: machineconfiguration.openshift.io/v1
+  kind: KubeletConfig
+  metadata:
+     name: kubelet-config-$pool
+  spec:
+      machineConfigPoolSelector:
+          matchLabels:
+              pools.operator.machineconfiguration.openshift.io/$pool_name: ""
+      kubeletConfig:
+        tlsCipherSuites:
+        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
+        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+  </html:pre>
+In order to configure this rule to check for an alternative cipher, both var_kubelet_tls_cipher_suites_regex
+and var_kubelet_tls_cipher_suites have to be set</xccdf-1.2:description>
+            <xccdf-1.2:warning category="general">This rule's check operates on the cluster configuration dump. This will be a Platform rule, var_role_worker and var_role_master needed to be set if scan is not expected to run on master, and worker nodes.
+Therefore, you need to use a tool that can query the OCP API, retrieve KubeletConfig through <html:code class="ocp-api-endpoint-kubeletconfig">"/api/v1/nodes/NODE_NAME/proxy/configz"</html:code> API endpoint to the local <html:code class="ocp-dump-location-kubeletconfig"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>"/kubeletconfig/role/role"</html:code> file.</xccdf-1.2:warning>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
@@ -11880,25 +12871,68 @@ on s390x.</xccdf-1.2:description>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.9</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>CNI (Container Network Interface) files consist of a specification and libraries for
-writing plugins to configure network interfaces in Linux containers, along with a number
-of supported plugins. Allowing writeable access to the files could allow an attacker to modify
-the networking configuration potentially adding a rogue network connection.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-90793-1</xccdf-1.2:ident>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.2.13</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>TLS ciphers have had a number of known vulnerabilities and weaknesses,
+which can reduce the protection provided by them. By default Kubernetes
+supports a number of TLS ciphersuites including some that have security
+concerns, weakening the protection provided.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4"/>
+            <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="kubelet_test_cipher">---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: KubeletConfig
+metadata:
+  annotations:
+    complianceascode.io/node-role: "{{.var_role_worker}}"
+spec:
+  kubeletConfig:
+    tlsCipherSuites: [{{.var_kubelet_tls_cipher_suites}}]
+---
+apiVersion: machineconfiguration.openshift.io/v1
+kind: KubeletConfig
+metadata:
+  annotations:
+    complianceascode.io/node-role: "{{.var_role_master}}"
+spec:
+  kubeletConfig:
+    tlsCipherSuites: [{{.var_kubelet_tls_cipher_suites}}]
+</xccdf-1.2:fix>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_groupowner_ovs_conf_db_lock:def:1"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_worker:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_worker"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_master:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_master"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_kubelet_tls_cipher_suites_regex:var:1" value-id="xccdf_org.ssgproject.content_value_var_kubelet_tls_cipher_suites_regex"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_test_cipher:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_groupowner_ovs_conf_db_lock_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_test_cipher_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_ovs_conf_db_lock_not_s390x" severity="medium">
-            <xccdf-1.2:title>Verify Group Who Owns The Open vSwitch Configuration Database Lock</xccdf-1.2:title>
-            <xccdf-1.2:description>
-To properly set the group owner of <html:code>/etc/openvswitch/.conf.db.~lock~</html:code>, run the command:
-<html:pre>$ sudo chgrp hugetlbfs /etc/openvswitch/.conf.db.~lock~</html:pre></xccdf-1.2:description>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_test_cipher_master" severity="medium">
+            <xccdf-1.2:title>Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers</xccdf-1.2:title>
+            <xccdf-1.2:description>Ensure that the Kubelet is configured to only use strong cryptographic ciphers.
+To set the cipher suites for the kubelet, create new or modify existing
+<html:code>KubeletConfig</html:code> object along these lines, one for every
+<html:code>MachineConfigPool</html:code>:
+  <html:pre>
+  apiVersion: machineconfiguration.openshift.io/v1
+  kind: KubeletConfig
+  metadata:
+     name: kubelet-config-$pool
+  spec:
+      machineConfigPoolSelector:
+          matchLabels:
+              pools.operator.machineconfiguration.openshift.io/$pool_name: ""
+      kubeletConfig:
+        tlsCipherSuites:
+        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
+        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+  </html:pre>
+In order to configure this rule to check for an alternative cipher, both var_kubelet_tls_cipher_suites_regex
+and var_kubelet_tls_cipher_suites have to be set</xccdf-1.2:description>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
@@ -11907,25 +12941,48 @@ To properly set the group owner of <html:code>/etc/openvswitch/.conf.db.~lock~</
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.9</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>CNI (Container Network Interface) files consist of a specification and libraries for
-writing plugins to configure network interfaces in Linux containers, along with a number
-of supported plugins. Allowing writeable access to the files could allow an attacker to modify
-the networking configuration potentially adding a rogue network connection.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#not_s390x_arch_and_ocp4-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84219-5</xccdf-1.2:ident>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.2.13</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>TLS ciphers have had a number of known vulnerabilities and weaknesses,
+which can reduce the protection provided by them. By default Kubernetes
+supports a number of TLS ciphersuites including some that have security
+concerns, weakening the protection provided.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4"/>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_groupowner_ovs_conf_db_lock_not_s390x:def:1"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_master:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_master"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_kubelet_tls_cipher_suites_regex:var:1" value-id="xccdf_org.ssgproject.content_value_var_kubelet_tls_cipher_suites_regex"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_test_cipher_master:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_groupowner_ovs_conf_db_lock_not_s390x_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_test_cipher_master_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_ovs_conf_db_lock_s390x" severity="medium">
-            <xccdf-1.2:title>Verify Group Who Owns The Open vSwitch Configuration Database Lock</xccdf-1.2:title>
-            <xccdf-1.2:description>
-To properly set the group owner of <html:code>/etc/openvswitch/.conf.db.~lock~</html:code>, run the command:
-<html:pre>$ sudo chgrp hugetlbfs /etc/openvswitch/.conf.db.~lock~</html:pre></xccdf-1.2:description>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kubelet_test_cipher_worker" severity="medium">
+            <xccdf-1.2:title>Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers</xccdf-1.2:title>
+            <xccdf-1.2:description>Ensure that the Kubelet is configured to only use strong cryptographic ciphers.
+To set the cipher suites for the kubelet, create new or modify existing
+<html:code>KubeletConfig</html:code> object along these lines, one for every
+<html:code>MachineConfigPool</html:code>:
+  <html:pre>
+  apiVersion: machineconfiguration.openshift.io/v1
+  kind: KubeletConfig
+  metadata:
+     name: kubelet-config-$pool
+  spec:
+      machineConfigPoolSelector:
+          matchLabels:
+              pools.operator.machineconfiguration.openshift.io/$pool_name: ""
+      kubeletConfig:
+        tlsCipherSuites:
+        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
+        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+  </html:pre>
+In order to configure this rule to check for an alternative cipher, both var_kubelet_tls_cipher_suites_regex
+and var_kubelet_tls_cipher_suites have to be set</xccdf-1.2:description>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
@@ -11934,745 +12991,1713 @@ To properly set the group owner of <html:code>/etc/openvswitch/.conf.db.~lock~</
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.9</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>CNI (Container Network Interface) files consist of a specification and libraries for
-writing plugins to configure network interfaces in Linux containers, along with a number
-of supported plugins. Allowing writeable access to the files could allow an attacker to modify
-the networking configuration potentially adding a rogue network connection.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-node_and_s390x_arch"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-85936-3</xccdf-1.2:ident>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.2.13</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>TLS ciphers have had a number of known vulnerabilities and weaknesses,
+which can reduce the protection provided by them. By default Kubernetes
+supports a number of TLS ciphersuites including some that have security
+concerns, weakening the protection provided.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4"/>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_groupowner_ovs_conf_db_lock_s390x:def:1"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_role_worker:var:1" value-id="xccdf_org.ssgproject.content_value_var_role_worker"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_kubelet_tls_cipher_suites_regex:var:1" value-id="xccdf_org.ssgproject.content_value_var_kubelet_tls_cipher_suites_regex"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-kubelet_test_cipher_worker:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_groupowner_ovs_conf_db_lock_s390x_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-kubelet_test_cipher_worker_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_ovs_conf_db_not_s390x" severity="medium">
-            <xccdf-1.2:title>Verify Group Who Owns The Open vSwitch Configuration Database</xccdf-1.2:title>
-            <xccdf-1.2:description>
-To properly set the group owner of <html:code>/etc/openvswitch/conf.db</html:code>, run the command:
-<html:pre>$ sudo chgrp hugetlbfs /etc/openvswitch/conf.db</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.9</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>CNI (Container Network Interface) files consist of a specification and libraries for
-writing plugins to configure network interfaces in Linux containers, along with a number
-of supported plugins. Allowing writeable access to the files could allow an attacker to modify
-the networking configuration potentially adding a rogue network connection.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#not_s390x_arch_and_ocp4-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84226-0</xccdf-1.2:ident>
+        </xccdf-1.2:Group>
+        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_logging">
+          <xccdf-1.2:title>OpenShift - Logging Settings</xccdf-1.2:title>
+          <xccdf-1.2:description>Contains evaluations for the cluster's logging configuration settings.</xccdf-1.2:description>
+          <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_openshift_audit_profile" type="string">
+            <xccdf-1.2:title>Configure the OpenShift Audit Profile</xccdf-1.2:title>
+            <xccdf-1.2:description>Audit log profiles define how to log requests that come to the OpenShift
+API server, the Kubernetes API server, and the OAuth API server.</xccdf-1.2:description>
+            <xccdf-1.2:value>Default</xccdf-1.2:value>
+            <xccdf-1.2:value selector="Default">Default</xccdf-1.2:value>
+            <xccdf-1.2:value selector="WriteRequestBodies">WriteRequestBodies</xccdf-1.2:value>
+            <xccdf-1.2:value selector="AllRequestBodies">AllRequestBodies</xccdf-1.2:value>
+          </xccdf-1.2:Value>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_error_alert_exists" severity="high">
+            <xccdf-1.2:title>Ensure that Audit Log Errors Emit Alerts</xccdf-1.2:title>
+            <xccdf-1.2:description><html:p>
+OpenShift audit works at the API server level, logging all requests coming to the server.
+However, if API server instance is unable to write errors, an alert must be issued
+in order for the organization to take a relevant action. e.g. shutting down that instance.
+</html:p><html:p>
+Kubernetes by default has metrics that enable one to write such alerts:
+</html:p><html:ul><html:li><html:code>apiserver_audit_event_total</html:code></html:li><html:li><html:code>apiserver_audit_error_total</html:code></html:li></html:ul>
+
+Such an example is shipped in OCP 4.9+
+
+<html:pre>
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  name: audit-errors
+  namespace: openshift-kube-apiserver
+spec:
+  groups:
+  - name: apiserver-audit
+    rules:
+    - alert: AuditLogError
+      annotations:
+        summary: |-
+          An API Server instance was unable to write audit logs. This could be
+          triggered by the node running out of space, or a malicious actor
+          tampering with the audit logs.
+        description: An API Server had an error writing to an audit log.
+      expr: |
+        sum by (apiserver,instance)(rate(apiserver_audit_error_total{apiserver=~".+-apiserver"}[5m])) / sum by (apiserver,instance) (rate(apiserver_audit_event_total{apiserver=~".+-apiserver"}[5m])) &gt; 0
+      for: 1m
+      labels:
+        severity: warning
+</html:pre>
+
+<html:p>
+For more information, consult the
+<html:a href="https://docs.openshift.com/container-platform/latest/logging/cluster-logging-external.html">official Kubernetes documentation</html:a>.
+</html:p></xccdf-1.2:description>
+            <xccdf-1.2:warning category="general">This rule's check operates on the cluster configuration dump.
+Therefore, you need to use a tool that can query the OCP API, retrieve the following:
+<html:ul><html:li><html:code class="ocp-api-endpoint" id="72e9ad360bb6bdf4ad9e43217cd0ec9cb90e7c3b08d4fbe0edf087ad899e05a6">/apis/monitoring.coreos.com/v1/prometheusrules?limit=500</html:code>
+    API endpoint, filter with with the <html:code>jq</html:code> utility using the following filter
+    <html:code class="ocp-api-filter" id="filter-72e9ad360bb6bdf4ad9e43217cd0ec9cb90e7c3b08d4fbe0edf087ad899e05a6">[.items[].spec.groups[].rules[].expr]</html:code>
+    and persist it to the local
+    <html:code class="ocp-dump-location" id="dump-72e9ad360bb6bdf4ad9e43217cd0ec9cb90e7c3b08d4fbe0edf087ad899e05a6"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>/apis/monitoring.coreos.com/v1/prometheusrules?limit=500#72e9ad360bb6bdf4ad9e43217cd0ec9cb90e7c3b08d4fbe0edf087ad899e05a6</html:code>
+    file.
+  </html:li></html:ul></xccdf-1.2:warning>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-5</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000109-CTR-000215</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>When there are errors writing audit logs, security events will not be logged
+by that specific API Server instance. Security Incident Response teams use
+these audit logs, amongst other artifacts, to determine the impact of
+security breaches or events. Without these logs, it becomes very difficult
+to assess a situation and do appropriate root cause analysis in such incidents.</xccdf-1.2:rationale>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-90744-4</xccdf-1.2:ident>
+            <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_error_alert_exists">---
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  name: audit-errors
+  namespace: openshift-kube-apiserver
+spec:
+  groups:
+  - name: apiserver-audit
+    rules:
+    - alert: AuditLogError
+      annotations:
+        summary: |-
+          An API Server instance was unable to write audit logs. This could be
+          triggered by the node running out of space, or a malicious actor
+          tampering with the audit logs.
+        description: An API Server had an error writing to an audit log.
+      expr: |
+        sum by (apiserver,instance)(rate(apiserver_audit_error_total{apiserver=~".+-apiserver"}[5m])) / sum by (apiserver,instance) (rate(apiserver_audit_event_total{apiserver=~".+-apiserver"}[5m])) &gt; 0
+      for: 1m
+      labels:
+        severity: warning
+</xccdf-1.2:fix>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_groupowner_ovs_conf_db_not_s390x:def:1"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-audit_error_alert_exists:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_groupowner_ovs_conf_db_not_s390x_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-audit_error_alert_exists_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_ovs_conf_db_s390x" severity="medium">
-            <xccdf-1.2:title>Verify Group Who Owns The Open vSwitch Configuration Database</xccdf-1.2:title>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_log_forwarding_uses_tls" severity="medium">
+            <xccdf-1.2:title>Ensure that Audit Log Forwarding Uses TLS</xccdf-1.2:title>
             <xccdf-1.2:description>
-To properly set the group owner of <html:code>/etc/openvswitch/conf.db</html:code>, run the command:
-<html:pre>$ sudo chgrp openvswitch /etc/openvswitch/conf.db</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.9</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>CNI (Container Network Interface) files consist of a specification and libraries for
-writing plugins to configure network interfaces in Linux containers, along with a number
-of supported plugins. Allowing writeable access to the files could allow an attacker to modify
-the networking configuration potentially adding a rogue network connection.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-node_and_s390x_arch"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-85927-2</xccdf-1.2:ident>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_groupowner_ovs_conf_db_s390x:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_groupowner_ovs_conf_db_s390x_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_ovs_pid" severity="medium">
-            <xccdf-1.2:title>Verify Group Who Owns The Open vSwitch Process ID File</xccdf-1.2:title>
-            <xccdf-1.2:description>Ensure that the file <html:pre>/var/run/openvswitch/ovs-vswitchd.pid</html:pre>,
-is owned by the group <html:pre>openvswitch</html:pre> or <html:pre>hugetlbfs</html:pre>,
-depending on your settings and Open vSwitch version.</xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.9</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>CNI (Container Network Interface) files consist of a specification and libraries for
-writing plugins to configure network interfaces in Linux containers, along with a number
-of supported plugins. Allowing writeable access to the files could allow an attacker to modify
-the networking configuration potentially adding a rogue network connection.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83630-4</xccdf-1.2:ident>
+              <html:p>
+OpenShift audit works at the API server level, logging all requests coming to the server.
+Audit is on by default and the best practice is to ship audit logs off the cluster for retention
+using a secure protocol.
+</html:p>
+              <html:p>
+The cluster-logging-operator is able to do this with the <html:pre>ClusterLogForwarders</html:pre> resource.
+The forementioned resource can be configured to logs to different third party systems.
+For more information on this, please reference the official documentation:
+
+      <html:a href="https://docs.openshift.com/container-platform/latest/logging/cluster-logging-external.html">https://docs.openshift.com/container-platform/latest/logging/cluster-logging-external.html</html:a>
+</html:p>
+            </xccdf-1.2:description>
+            <xccdf-1.2:warning category="general">This rule's check operates on the cluster configuration dump.
+Therefore, you need to use a tool that can query the OCP API, retrieve the .
+This rule's check operates on the cluster configuration dump.
+Therefore, you need to use a tool that can query the OCP API, retrieve the following:
+<html:ul><html:li><html:code class="ocp-api-endpoint" id="71786452ba18c51ba8ad51472a078619e2e8b52a86cd75087af5aab42400f6c0">/apis/logging.openshift.io/v1/namespaces/openshift-logging/clusterlogforwarders/instance</html:code>
+    API endpoint, filter with with the <html:code>jq</html:code> utility using the following filter
+    <html:code class="ocp-api-filter" id="filter-71786452ba18c51ba8ad51472a078619e2e8b52a86cd75087af5aab42400f6c0">try [.spec.outputs[].url] catch []</html:code>
+    and persist it to the local
+    <html:code class="ocp-dump-location" id="dump-71786452ba18c51ba8ad51472a078619e2e8b52a86cd75087af5aab42400f6c0"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>/apis/logging.openshift.io/v1/namespaces/openshift-logging/clusterlogforwarders/instance#71786452ba18c51ba8ad51472a078619e2e8b52a86cd75087af5aab42400f6c0</html:code>
+    file.
+  </html:li></html:ul></xccdf-1.2:warning>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.5</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9(2)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9(3)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-10</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000118-CTR-000240</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000119-CTR-000245</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000120-CTR-000250</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000121-CTR-000255</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000122-CTR-000260</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000123-CTR-000265</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000126-CTR-000275</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000290-CTR-000670</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>It is necessary to ensure that any configured output uses the TLS protocol to receive
+logs in order to ensure the confidentiality, integrity and authenticity of the logs.</xccdf-1.2:rationale>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-90688-3</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_groupowner_ovs_pid:def:1"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-audit_log_forwarding_uses_tls:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_groupowner_ovs_pid_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-audit_log_forwarding_uses_tls_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_ovs_sys_id_conf" severity="medium">
-            <xccdf-1.2:title>Verify Group Who Owns The Open vSwitch Persistent System ID</xccdf-1.2:title>
-            <xccdf-1.2:description>Check if the group owner of <html:code>/etc/openvswitch/system-id.conf</html:code> is
-<html:code>hugetlbfs</html:code> on architectures other than s390x or <html:code>openvswitch</html:code>
-on x390x.</xccdf-1.2:description>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_profile_set" severity="medium">
+            <xccdf-1.2:title>Ensure that the cluster's audit profile is properly set</xccdf-1.2:title>
+            <xccdf-1.2:description>
+              <html:p>
+OpenShift can audit the details of requests made to the API server through
+the standard Kubernetes audit capabilities. 
+</html:p>
+              <html:p>
+In OpenShift, auditing of the API Server is on by default. Audit provides a
+security-relevant chronological set of records documenting the sequence of
+activities that have affected system by individual users, administrators, or
+other components of the system. Audit works at the API server level, logging
+all requests coming to the server. Each audit log contains two entries:
+</html:p>
+              <html:p>
+The request line containing:
+</html:p>
+              <html:ul>
+                <html:li>A Unique ID allowing to match the response line (see #2)</html:li>
+                <html:li>The source IP of the request</html:li>
+                <html:li>The HTTP method being invoked</html:li>
+                <html:li>The original user invoking the operation</html:li>
+                <html:li>The impersonated user for the operation (self meaning himself)</html:li>
+                <html:li>The impersonated group for the operation (lookup meaning user's group)</html:li>
+                <html:li>The namespace of the request or none</html:li>
+                <html:li>The URI as requested</html:li>
+              </html:ul>
+              <html:p>
+The response line containing:
+</html:p>
+              <html:ul>
+                <html:li>The aforementioned unique ID</html:li>
+                <html:li>The response code</html:li>
+              </html:ul>
+              <html:p>
+For more information on how to configure the audit profile, please visit 
+<html:a href="https://docs.openshift.com/container-platform/4.6/security/audit-log-policy-config.html">the documentation</html:a>
+</html:p>
+            </xccdf-1.2:description>
+            <xccdf-1.2:warning category="general">This rule's check operates on the cluster configuration dump.
+Therefore, you need to use a tool that can query the OCP API, retrieve the <html:code class="ocp-api-endpoint">/apis/config.openshift.io/v1/apiservers/cluster</html:code> API endpoint to the local <html:code class="ocp-dump-location"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>/apis/config.openshift.io/v1/apiservers/cluster</html:code> file.</xccdf-1.2:warning>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R4.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R4.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.2</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.9</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>CNI (Container Network Interface) files consist of a specification and libraries for
-writing plugins to configure network interfaces in Linux containers, along with a number
-of supported plugins. Allowing writeable access to the files could allow an attacker to modify
-the networking configuration potentially adding a rogue network connection.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-85892-8</xccdf-1.2:ident>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R.1.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.5</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-3(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-7</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-7(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-5(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-11</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-12</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-4(20)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-4(23)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-2.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-12.5.5</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000089-CTR-000150</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000090-CTR-000155</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000091-CTR-000160</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000095-CTR-000170</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000096-CTR-000175</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000097-CTR-000180</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000098-CTR-000185</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000099-CTR-000190</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000100-CTR-000195</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000100-CTR-000200</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000101-CTR-000205</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000116-CTR-000235</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000118-CTR-000240</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000119-CTR-000245</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000120-CTR-000250</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000121-CTR-000255</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000122-CTR-000260</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000123-CTR-000265</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000181-CTR-000485</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000266-CTR-000625</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000374-CTR-000865</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000375-CTR-000870</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000380-CTR-000900</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000381-CTR-000905</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000492-CTR-001220</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000493-CTR-001225</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000494-CTR-001230</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000495-CTR-001235</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000496-CTR-001240</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000497-CTR-001245</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000498-CTR-001250</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000499-CTR-001255</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000500-CTR-001260</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000501-CTR-001265</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000502-CTR-001270</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000503-CTR-001275</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000504-CTR-001280</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000505-CTR-001285</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000506-CTR-001290</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000507-CTR-001295</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000508-CTR-001300</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000509-CTR-001305</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000510-CTR-001310</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">3.2.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">3.2.2</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>Logging is an important detective control for all systems, to detect potential
+unauthorised access.</xccdf-1.2:rationale>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83577-7</xccdf-1.2:ident>
+            <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_profile_set">---
+apiVersion: config.openshift.io/v1
+kind: APIServer
+metadata:
+  name: cluster
+spec:
+  audit:
+    profile: {{.var_openshift_audit_profile}}
+</xccdf-1.2:fix>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_groupowner_ovs_sys_id_conf:def:1"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-var_openshift_audit_profile:var:1" value-id="xccdf_org.ssgproject.content_value_var_openshift_audit_profile"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-audit_profile_set:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_groupowner_ovs_sys_id_conf_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-audit_profile_set_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_ovs_sys_id_conf_not_s390x" severity="medium">
-            <xccdf-1.2:title>Verify Group Who Owns The Open vSwitch Persistent System ID</xccdf-1.2:title>
-            <xccdf-1.2:description>
-To properly set the group owner of <html:code>/etc/openvswitch/system-id.conf</html:code>, run the command:
-<html:pre>$ sudo chgrp hugetlbfs /etc/openvswitch/system-id.conf</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.9</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>CNI (Container Network Interface) files consist of a specification and libraries for
-writing plugins to configure network interfaces in Linux containers, along with a number
-of supported plugins. Allowing writeable access to the files could allow an attacker to modify
-the networking configuration potentially adding a rogue network connection.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#not_s390x_arch_and_ocp4-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83677-5</xccdf-1.2:ident>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_cluster_logging_operator_exist" severity="medium">
+            <xccdf-1.2:title>Ensure that OpenShift Logging Operator is scanning the cluster</xccdf-1.2:title>
+            <xccdf-1.2:description>OpenShift Logging Operator provides ability to aggregate all the logs from the
+OpenShift Container Platform cluster, such as node system audit logs, application
+container logs, and infrastructure logs. OpenShift Logging aggregates these logs
+from throughout OpenShift cluster and stores them in a default log store. [1]
+
+[1]https://docs.openshift.com/container-platform/4.10/logging/cluster-logging.html</xccdf-1.2:description>
+            <xccdf-1.2:warning category="general">This rule's check operates on the cluster configuration dump.
+Therefore, you need to use a tool that can query the OCP API, retrieve the <html:code class="ocp-api-endpoint">/apis/logging.openshift.io/v1/namespaces/openshift-logging/clusterloggings/instance</html:code> API endpoint to the local <html:code class="ocp-dump-location"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>/apis/logging.openshift.io/v1/namespaces/openshift-logging/clusterloggings/instance</html:code> file.</xccdf-1.2:warning>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-3(2)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000092-CTR-000165</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000111-CTR-000220</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>OpenShift Logging Operator is able to collect, aggregate, and manage logs.</xccdf-1.2:rationale>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-85918-1</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_groupowner_ovs_sys_id_conf_not_s390x:def:1"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-cluster_logging_operator_exist:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_groupowner_ovs_sys_id_conf_not_s390x_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-cluster_logging_operator_exist_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_ovs_sys_id_conf_s390x" severity="medium">
-            <xccdf-1.2:title>Verify Group Who Owns The Open vSwitch Persistent System ID</xccdf-1.2:title>
-            <xccdf-1.2:description>
-To properly set the group owner of <html:code>/etc/openvswitch/system-id.conf</html:code>, run the command:
-<html:pre>$ sudo chgrp hugetlbfs /etc/openvswitch/system-id.conf</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.9</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>CNI (Container Network Interface) files consist of a specification and libraries for
-writing plugins to configure network interfaces in Linux containers, along with a number
-of supported plugins. Allowing writeable access to the files could allow an attacker to modify
-the networking configuration potentially adding a rogue network connection.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-node_and_s390x_arch"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-85928-0</xccdf-1.2:ident>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_groupowner_ovs_sys_id_conf_s390x:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_groupowner_ovs_sys_id_conf_s390x_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_ovs_vswitchd_pid" severity="medium">
-            <xccdf-1.2:title>Verify Group Who Owns The Open vSwitch Daemon PID File</xccdf-1.2:title>
-            <xccdf-1.2:description>Ensure that the file <html:pre>/run/openvswitch/ovs-vswitchd.pid</html:pre>,
-is owned by the group <html:pre>openvswitch</html:pre> or <html:pre>hugetlbfs</html:pre>,
-depending on your settings and Open vSwitch version.</xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.9</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>CNI (Container Network Interface) files consist of a specification and libraries for
-writing plugins to configure network interfaces in Linux containers, along with a number
-of supported plugins. Allowing writeable access to the files could allow an attacker to modify
-the networking configuration potentially adding a rogue network connection.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84129-6</xccdf-1.2:ident>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_groupowner_ovs_vswitchd_pid:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_groupowner_ovs_vswitchd_pid_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_ovsdb_server_pid" severity="medium">
-            <xccdf-1.2:title>Verify Group Who Owns The Open vSwitch Database Server PID</xccdf-1.2:title>
-            <xccdf-1.2:description>Ensure that the file <html:pre>/run/openvswitch/ovsdb-server.pid</html:pre>,
-is owned by the group <html:pre>openvswitch</html:pre> or <html:pre>hugetlbfs</html:pre>,
-depending on your settings and Open vSwitch version.</xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.9</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>CNI (Container Network Interface) files consist of a specification and libraries for
-writing plugins to configure network interfaces in Linux containers, along with a number
-of supported plugins. Allowing writeable access to the files could allow an attacker to modify
-the networking configuration potentially adding a rogue network connection.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84166-8</xccdf-1.2:ident>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_directory_access_var_log_kube_audit" severity="medium">
+            <xccdf-1.2:title>Record Access Events to Kubernetes Audit Log Directory</xccdf-1.2:title>
+            <xccdf-1.2:description>The audit system should collect access events to read the Kubernetes audit log directory.
+The following audit rule will assure that access to audit log directory are
+collected.
+<html:pre>-a always,exit -F dir=/var/log/kube-apiserver/ -F perm=r -F auid&gt;=1000 -F auid!=unset -F key=access-audit-trail</html:pre>
+If the <html:code>auditd</html:code> daemon is configured to use the <html:code>augenrules</html:code>
+program to read audit rules during daemon startup (the default), add the
+rule to a file with suffix <html:code>.rules</html:code> in the directory
+<html:code>/etc/audit/rules.d</html:code>.
+If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
+utility to read audit rules during daemon startup, add the rule to
+<html:code>/etc/audit/audit.rules</html:code> file.</xccdf-1.2:description>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000343-CTR-000780</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>Attempts to read the logs should be recorded, suspicious access to audit log files could be an indicator of malicious activity on a system.
+Auditing these events could serve as evidence of potential system compromise.'</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-master-node"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83640-3</xccdf-1.2:ident>
+            <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="directory_access_var_log_kube_audit" complexity="low" disruption="medium" reboot="true" strategy="disable">---
+#
+
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,{{ -a%20always%2Cexit%20-F%20dir%3D/var/log/kube-apiserver/%20-F%20perm%3Dr%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess-audit-trail%0A }}
+        mode: 0600
+        path: /etc/audit/rules.d/30-access-var-log-kube-audit.rules
+        overwrite: true
+</xccdf-1.2:fix>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_groupowner_ovsdb_server_pid:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-directory_access_var_log_kube_audit:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_groupowner_ovsdb_server_pid_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-directory_access_var_log_kube_audit_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_scheduler_kubeconfig" severity="medium">
-            <xccdf-1.2:title>Verify Group Who Owns The Kubernetes Scheduler Kubeconfig File</xccdf-1.2:title>
-            <xccdf-1.2:description>
-To properly set the group owner of <html:code>/etc/kubernetes/static-pod-resources/kube-scheduler-pod-*/configmaps/scheduler-kubeconfig/kubeconfig</html:code>, run the command:
-<html:pre>$ sudo chgrp root /etc/kubernetes/static-pod-resources/kube-scheduler-pod-*/configmaps/scheduler-kubeconfig/kubeconfig</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:warning category="dependency">This rule is only applicable for nodes that run the Kubernetes Scheduler service.
-The aforementioned service is only running on the nodes labeled
-"master" by default.</xccdf-1.2:warning>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.16</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>The kubeconfig for the Scheduler contains paramters for the scheduler
-to access the Kube API.
-You should set its file ownership to maintain the integrity of the file.</xccdf-1.2:rationale>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_directory_access_var_log_oauth_audit" severity="medium">
+            <xccdf-1.2:title>Record Access Events to OAuth Audit Log Directory</xccdf-1.2:title>
+            <xccdf-1.2:description>The audit system should collect access events to read the OAuth audit log directory.
+The following audit rule will assure that access to audit log directory are
+collected.
+<html:pre>-a always,exit -F dir=/var/log/oauth-apiserver/ -F perm=r -F auid&gt;=1000 -F auid!=unset -F key=access-audit-trail</html:pre>
+If the <html:code>auditd</html:code> daemon is configured to use the <html:code>augenrules</html:code>
+program to read audit rules during daemon startup (the default), add the
+rule to a file with suffix <html:code>.rules</html:code> in the directory
+<html:code>/etc/audit/rules.d</html:code>.
+If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
+utility to read audit rules during daemon startup, add the rule to
+<html:code>/etc/audit/audit.rules</html:code> file.</xccdf-1.2:description>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000343-CTR-000780</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>Attempts to read the logs should be recorded, suspicious access to audit log files could be an indicator of malicious activity on a system.
+Auditing these events could serve as evidence of potential system compromise.'</xccdf-1.2:rationale>
             <xccdf-1.2:platform idref="#ocp4-master-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83471-3</xccdf-1.2:ident>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-90631-3</xccdf-1.2:ident>
+            <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="directory_access_var_log_oauth_audit" complexity="low" disruption="medium" reboot="true" strategy="disable">---
+#
+
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,{{ -a%20always%2Cexit%20-F%20dir%3D/var/log/oauth-apiserver/%20-F%20perm%3Dr%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess-audit-trail%0A }}
+        mode: 0600
+        path: /etc/audit/rules.d/30-access-var-log-oauth-audit.rules
+        overwrite: true
+</xccdf-1.2:fix>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_groupowner_scheduler_kubeconfig:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-directory_access_var_log_oauth_audit:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_groupowner_scheduler_kubeconfig_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-directory_access_var_log_oauth_audit_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_cni_conf" severity="medium">
-            <xccdf-1.2:title>Verify User Who Owns The OpenShift Container Network Interface Files</xccdf-1.2:title>
-            <xccdf-1.2:description> To properly set the owner of <html:code>/etc/cni/net.d/*</html:code>, run the command: <html:pre>$ sudo chown root /etc/cni/net.d/* </html:pre></xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.10</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>CNI (Container Network Interface) files consist of a specification and libraries for
-writing plugins to configure network interfaces in Linux containers, along with a number
-of supported plugins. Allowing writeable access to the files could allow an attacker to modify
-the networking configuration potentially adding a rogue network connection.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83460-6</xccdf-1.2:ident>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_directory_access_var_log_ocp_audit" severity="medium">
+            <xccdf-1.2:title>Record Access Events to OpenShift Audit Log Directory</xccdf-1.2:title>
+            <xccdf-1.2:description>The audit system should collect access events to read the OpenShift audit log directory.
+The following audit rule will assure that access to audit log directory are
+collected.
+<html:pre>-a always,exit -F dir=/var/log/openshift-apiserver/ -F perm=r -F auid&gt;=1000 -F auid!=unset -F key=access-audit-trail</html:pre>
+If the <html:code>auditd</html:code> daemon is configured to use the <html:code>augenrules</html:code>
+program to read audit rules during daemon startup (the default), add the
+rule to a file with suffix <html:code>.rules</html:code> in the directory
+<html:code>/etc/audit/rules.d</html:code>.
+If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
+utility to read audit rules during daemon startup, add the rule to
+<html:code>/etc/audit/audit.rules</html:code> file.</xccdf-1.2:description>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000343-CTR-000780</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>Attempts to read the logs should be recorded, suspicious access to audit log files could be an indicator of malicious activity on a system.
+Auditing these events could serve as evidence of potential system compromise.'</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-master-node"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-90632-1</xccdf-1.2:ident>
+            <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="directory_access_var_log_ocp_audit" complexity="low" disruption="medium" reboot="true" strategy="disable">---
+#
+
+apiVersion: machineconfiguration.openshift.io/v1
+kind: MachineConfig
+spec:
+  config:
+    ignition:
+      version: 3.1.0
+    storage:
+      files:
+      - contents:
+          source: data:,{{ -a%20always%2Cexit%20-F%20dir%3D/var/log/openshift-apiserver/%20-F%20perm%3Dr%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess-audit-trail%0A }}
+        mode: 0600
+        path: /etc/audit/rules.d/30-access-var-log-ocp-audit.rules
+        overwrite: true
+</xccdf-1.2:fix>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_owner_cni_conf:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-directory_access_var_log_ocp_audit:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_owner_cni_conf_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-directory_access_var_log_ocp_audit_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_controller_manager_kubeconfig" severity="medium">
-            <xccdf-1.2:title>Verify User Who Owns The OpenShift Controller Manager Kubeconfig File</xccdf-1.2:title>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_directory_permissions_var_log_kube_audit" severity="medium">
+            <xccdf-1.2:title>The Kubernetes Audit Logs Directory Must Have Mode 0700</xccdf-1.2:title>
             <xccdf-1.2:description>
-To properly set the owner of <html:code>/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/configmaps/controller-manager-kubeconfig/kubeconfig</html:code>, run the command:
-<html:pre>$ sudo chown root /etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/configmaps/controller-manager-kubeconfig/kubeconfig </html:pre></xccdf-1.2:description>
-            <xccdf-1.2:warning category="dependency">This rule is only applicable for nodes that run the Kubernetes Controller Manager service.
-The aforementioned service is only running on the nodes labeled
-"master" by default.</xccdf-1.2:warning>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.18</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>The Controller Manager's kubeconfig contains information about how the
-component will access the API server. You should set its file ownership to
-maintain the integrity of the file.</xccdf-1.2:rationale>
+To properly set the permissions of <html:code>/var/log/kube-apiserver/</html:code>, run the command:
+<html:pre>$ sudo chmod 0700 /var/log/kube-apiserver/</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.5</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.5.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000118-CTR-000240</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000119-CTR-000245</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000120-CTR-000250</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000121-CTR-000255</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000122-CTR-000260</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000123-CTR-000265</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>If users can write to audit logs, audit trails can be modified or destroyed.</xccdf-1.2:rationale>
             <xccdf-1.2:platform idref="#ocp4-master-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83904-3</xccdf-1.2:ident>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83645-2</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_owner_controller_manager_kubeconfig:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-directory_permissions_var_log_kube_audit:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_owner_controller_manager_kubeconfig_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-directory_permissions_var_log_kube_audit_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_etcd_data_dir" severity="medium">
-            <xccdf-1.2:title>Verify User Who Owns The Etcd Database Directory</xccdf-1.2:title>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_directory_permissions_var_log_oauth_audit" severity="medium">
+            <xccdf-1.2:title>The OAuth Audit Logs Directory Must Have Mode 0700</xccdf-1.2:title>
             <xccdf-1.2:description>
-To properly set the owner of <html:code>/var/lib/etcd/member/</html:code>, run the command:
-<html:pre>$ sudo chown root /var/lib/etcd/member/ </html:pre></xccdf-1.2:description>
-            <xccdf-1.2:warning category="dependency">This rule is only applicable for nodes that run the Etcd service.
-The aforementioned service is only running on the nodes labeled
-"master" by default.</xccdf-1.2:warning>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.12</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>etcd is a highly-available key-value store used by Kubernetes deployments for
-persistent storage of all of its REST API objects. This data directory should
-be protected from any unauthorized reads or writes.</xccdf-1.2:rationale>
+To properly set the permissions of <html:code>/var/log/oauth-apiserver/</html:code>, run the command:
+<html:pre>$ sudo chmod 0700 /var/log/oauth-apiserver/</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.5</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.5.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000118-CTR-000240</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000119-CTR-000245</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000120-CTR-000250</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000121-CTR-000255</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000122-CTR-000260</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000123-CTR-000265</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>If users can write to audit logs, audit trails can be modified or destroyed.</xccdf-1.2:rationale>
             <xccdf-1.2:platform idref="#ocp4-master-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83905-0</xccdf-1.2:ident>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-90633-9</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_owner_etcd_data_dir:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-directory_permissions_var_log_oauth_audit:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_owner_etcd_data_dir_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-directory_permissions_var_log_oauth_audit_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_etcd_data_files" severity="medium">
-            <xccdf-1.2:title>Verify User Who Owns The Etcd Write-Ahead-Log Files</xccdf-1.2:title>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_directory_permissions_var_log_ocp_audit" severity="medium">
+            <xccdf-1.2:title>The OpenShift Audit Logs Directory Must Have Mode 0700</xccdf-1.2:title>
             <xccdf-1.2:description>
-To properly set the owner of <html:code>/var/lib/etcd/member/wal/*</html:code>, run the command:
-<html:pre>$ sudo chown root /var/lib/etcd/member/wal/* </html:pre></xccdf-1.2:description>
-            <xccdf-1.2:warning category="dependency">This rule is only applicable for nodes that run the Etcd service.
-The aforementioned service is only running on the nodes labeled
-"master" by default.</xccdf-1.2:warning>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.12</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>etcd is a highly-available key-value store used by Kubernetes deployments for
-persistent storage of all of its REST API objects. This data directory should
-be protected from any unauthorized reads or writes.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-master-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84010-8</xccdf-1.2:ident>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_owner_etcd_data_files:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_owner_etcd_data_files_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_etcd_member" severity="medium">
-            <xccdf-1.2:title>Verify User Who Owns The Etcd Member Pod Specification File</xccdf-1.2:title>
-            <xccdf-1.2:description> To properly set the owner of <html:code>/etc/kubernetes/static-pod-resources/etcd-pod-*/etcd-pod.yaml</html:code>, run the command: <html:pre>$ sudo chown root /etc/kubernetes/static-pod-resources/etcd-pod-*/etcd-pod.yaml </html:pre></xccdf-1.2:description>
-            <xccdf-1.2:warning category="dependency">This rule is only applicable for nodes that run the Etcd service.
-The aforementioned service is only running on the nodes labeled
-"master" by default.</xccdf-1.2:warning>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.8</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>The etcd pod specification file controls various parameters that
-set the behavior of the etcd service in the master node. etcd is a
-highly-available key-value store which Kubernetes uses for persistent
-storage of all of its REST API object. You should restrict its file
-permissions to maintain the integrity of the file. The file should be
-writable by only the administrators on the system.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-master-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83988-6</xccdf-1.2:ident>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_owner_etcd_member:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_owner_etcd_member_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_etcd_pki_cert_files" severity="medium">
-            <xccdf-1.2:title>Verify User Who Owns The Etcd PKI Certificate Files</xccdf-1.2:title>
-            <xccdf-1.2:description>
-To properly set the owner of <html:code>/etc/kubernetes/static-pod-resources/*/*/*/*.crt</html:code>, run the command:
-<html:pre>$ sudo chown root /etc/kubernetes/static-pod-resources/*/*/*/*.crt </html:pre></xccdf-1.2:description>
-            <xccdf-1.2:warning category="dependency">This rule is only applicable for nodes that run the Etcd service.
-The aforementioned service is only running on the nodes labeled
-"master" by default.</xccdf-1.2:warning>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.19</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>OpenShift makes use of a number of certificates as part of its operation.
-You should verify the ownership of the directory containing the PKI
-information and all files in that directory to maintain their integrity.
-The directory and files should be owned by the system administrator.</xccdf-1.2:rationale>
+To properly set the permissions of <html:code>/var/log/openshift-apiserver/</html:code>, run the command:
+<html:pre>$ sudo chmod 0700 /var/log/openshift-apiserver/</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.5</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.5.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000118-CTR-000240</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000119-CTR-000245</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000120-CTR-000250</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000121-CTR-000255</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000122-CTR-000260</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000123-CTR-000265</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>If users can write to audit logs, audit trails can be modified or destroyed.</xccdf-1.2:rationale>
             <xccdf-1.2:platform idref="#ocp4-master-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83898-7</xccdf-1.2:ident>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_owner_etcd_pki_cert_files:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_owner_etcd_pki_cert_files_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_ip_allocations" severity="medium">
-            <xccdf-1.2:title>Verify User Who Owns The OpenShift SDN Container Network Interface Plugin IP Address Allocations</xccdf-1.2:title>
-            <xccdf-1.2:description> To properly set the owner of <html:code>/var/lib/cni/networks/openshift-sdn/.*</html:code>, run the command: <html:pre>$ sudo chown root /var/lib/cni/networks/openshift-sdn/.* </html:pre></xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.10</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>CNI (Container Network Interface) files consist of a specification and libraries for
-writing plugins to configure network interfaces in Linux containers, along with a number
-of supported plugins. Allowing writeable access to the files could allow an attacker to modify
-the networking configuration potentially adding a rogue network connection.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-node-on-sdn"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84248-4</xccdf-1.2:ident>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-90634-7</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_owner_ip_allocations:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-directory_permissions_var_log_ocp_audit:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_owner_ip_allocations_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-directory_permissions_var_log_ocp_audit_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_kube_apiserver" severity="medium">
-            <xccdf-1.2:title>Verify User Who Owns The Kubernetes API Server Pod Specification File</xccdf-1.2:title>
-            <xccdf-1.2:description> To properly set the owner of <html:code>/etc/kubernetes/static-pod-resources/kube-apiserver-pod-*/kube-apiserver-pod.yaml</html:code>, run the command: <html:pre>$ sudo chown root /etc/kubernetes/static-pod-resources/kube-apiserver-pod-*/kube-apiserver-pod.yaml </html:pre></xccdf-1.2:description>
-            <xccdf-1.2:warning category="dependency">This rule is only applicable for nodes that run the Kubernetes API Server service.
-The aforementioned service is only running on the nodes labeled
-"master" by default.</xccdf-1.2:warning>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>The Kubernetes specification file contains information about the configuration of the
-Kubernetes API Server that is configured on the system. Protection of this file is
-critical for OpenShift security.</xccdf-1.2:rationale>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_ownership_var_log_kube_audit" severity="medium">
+            <xccdf-1.2:title>Kubernetes Audit Logs Must Be Owned By Root</xccdf-1.2:title>
+            <xccdf-1.2:description>All audit logs must be owned by root user and group. By default, the path for the Kubernetes audit log is <html:pre>/var/log/kube-apiserver/</html:pre>.
+
+To properly set the owner of <html:code>/var/log/kube-apiserver</html:code>, run the command:
+<html:pre>$ sudo chown root /var/log/kube-apiserver </html:pre>
+
+To properly set the owner of <html:code>/var/log/kube-apiserver/*</html:code>, run the command:
+<html:pre>$ sudo chown root /var/log/kube-apiserver/* </html:pre></xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000162</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000163</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000164</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001314</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9(4)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.5.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000057-GPOS-00027</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000058-GPOS-00028</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000059-GPOS-00029</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000206-GPOS-00084</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>Unauthorized disclosure of audit records can reveal system and configuration data to
+attackers, thus compromising its confidentiality.</xccdf-1.2:rationale>
             <xccdf-1.2:platform idref="#ocp4-master-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83372-3</xccdf-1.2:ident>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83650-2</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_owner_kube_apiserver:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_ownership_var_log_kube_audit:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_owner_kube_apiserver_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_ownership_var_log_kube_audit_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_kube_controller_manager" severity="medium">
-            <xccdf-1.2:title>Verify User Who Owns The Kubernetes Controller Manager Pod Specificiation File</xccdf-1.2:title>
-            <xccdf-1.2:description> To properly set the owner of <html:code>/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/kube-controller-manager-pod.yaml</html:code>, run the command: <html:pre>$ sudo chown root /etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/kube-controller-manager-pod.yaml </html:pre></xccdf-1.2:description>
-            <xccdf-1.2:warning category="dependency">This rule is only applicable for nodes that run the Kubernetes Controller Manager service.
-The aforementioned service is only running on the nodes labeled
-"master" by default.</xccdf-1.2:warning>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.4</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>The Kubernetes specification file contains information about the configuration of the
-Kubernetes Controller Manager Server that is configured on the system. Protection of this file is
-critical for OpenShift security.</xccdf-1.2:rationale>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_ownership_var_log_oauth_audit" severity="medium">
+            <xccdf-1.2:title>OAuth Audit Logs Must Be Owned By Root</xccdf-1.2:title>
+            <xccdf-1.2:description>All audit logs must be owned by root user and group. By default, the path for the OAuth audit log is <html:pre>/var/log/oauth-apiserver/</html:pre>.
+
+To properly set the owner of <html:code>/var/log/oauth-apiserver</html:code>, run the command:
+<html:pre>$ sudo chown root /var/log/oauth-apiserver </html:pre>
+
+To properly set the owner of <html:code>/var/log/oauth-apiserver/*</html:code>, run the command:
+<html:pre>$ sudo chown root /var/log/oauth-apiserver/* </html:pre></xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000162</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000163</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000164</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001314</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9(4)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.5.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000057-GPOS-00027</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000058-GPOS-00028</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000059-GPOS-00029</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000206-GPOS-00084</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>Unauthorized disclosure of audit records can reveal system and configuration data to
+attackers, thus compromising its confidentiality.</xccdf-1.2:rationale>
             <xccdf-1.2:platform idref="#ocp4-master-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83795-5</xccdf-1.2:ident>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-90635-4</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_owner_kube_controller_manager:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_ownership_var_log_oauth_audit:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_owner_kube_controller_manager_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_ownership_var_log_oauth_audit_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_kube_scheduler" severity="medium">
-            <xccdf-1.2:title>Verify User Who Owns The Kubernetes Scheduler Pod Specification File</xccdf-1.2:title>
-            <xccdf-1.2:description> To properly set the owner of <html:code>/etc/kubernetes/static-pod-resources/kube-scheduler-pod-*/kube-scheduler-pod.yaml</html:code>, run the command: <html:pre>$ sudo chown root /etc/kubernetes/static-pod-resources/kube-scheduler-pod-*/kube-scheduler-pod.yaml </html:pre></xccdf-1.2:description>
-            <xccdf-1.2:warning category="dependency">This rule is only applicable for nodes that run the Kubernetes Scheduler service.
-The aforementioned service is only running on the nodes labeled
-"master" by default.</xccdf-1.2:warning>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.6</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>The Kubernetes specification file contains information about the configuration of the
-Kubernetes scheduler that is configured on the system. Protection of this file is
-critical for OpenShift security.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-master-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83393-9</xccdf-1.2:ident>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_owner_kube_scheduler:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_owner_kube_scheduler_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_kubeconfig" severity="medium">
-            <xccdf-1.2:title>Verify User Who Owns The OpenShift Admin Kubeconfig File</xccdf-1.2:title>
-            <xccdf-1.2:description> To properly set the owner of <html:code>/etc/kubernetes/kubeconfig</html:code>, run the command: <html:pre>$ sudo chown root /etc/kubernetes/kubeconfig </html:pre></xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.14</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>The <html:code>/etc/kubernetes/kubeconfig</html:code> file contains information about the administrative configuration of the
-OpenShift cluster that is configured on the system. Protection of this file is
-critical for OpenShift security.</xccdf-1.2:rationale>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_owner_kubeconfig_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_master_admin_kubeconfigs" severity="medium">
-            <xccdf-1.2:title>Verify User Who Owns The OpenShift Admin Kubeconfig Files</xccdf-1.2:title>
-            <xccdf-1.2:description>
-To properly set the owner of <html:code>/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/*.kubeconfig</html:code>, run the command:
-<html:pre>$ sudo chown root /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/*.kubeconfig </html:pre></xccdf-1.2:description>
-            <xccdf-1.2:warning category="dependency">This rule is only applicable for nodes that run the Kubernetes Control Plane.
-The aforementioned service is only running on the nodes labeled
-"master" by default.</xccdf-1.2:warning>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.14</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>There are various kubeconfig files that can be used by the administrator,
-defining various settings for the administration of the cluster. These files
-contain credentials that can be used to control the cluster and are needed
-for disaster recovery and each kubeconfig points to a different endpoint in
-the cluster. You should restrict its file permissions to maintain the
-integrity of the kubeconfig file as an attacker who gains access to these
-files can take over the cluster.</xccdf-1.2:rationale>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_ownership_var_log_ocp_audit" severity="medium">
+            <xccdf-1.2:title>OpenShift Audit Logs Must Be Owned By Root</xccdf-1.2:title>
+            <xccdf-1.2:description>All audit logs must be owned by root user and group. By default, the path for the OpenShift audit log is <html:pre>/var/log/openshift-apiserver/</html:pre>.
+
+To properly set the owner of <html:code>/var/log/openshift-apiserver</html:code>, run the command:
+<html:pre>$ sudo chown root /var/log/openshift-apiserver </html:pre>
+
+To properly set the owner of <html:code>/var/log/openshift-apiserver/*</html:code>, run the command:
+<html:pre>$ sudo chown root /var/log/openshift-apiserver/* </html:pre></xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000162</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000163</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000164</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001314</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9(4)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.5.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000057-GPOS-00027</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000058-GPOS-00028</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000059-GPOS-00029</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000206-GPOS-00084</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>Unauthorized disclosure of audit records can reveal system and configuration data to
+attackers, thus compromising its confidentiality.</xccdf-1.2:rationale>
             <xccdf-1.2:platform idref="#ocp4-master-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83719-5</xccdf-1.2:ident>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_owner_master_admin_kubeconfigs:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_owner_master_admin_kubeconfigs_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_multus_conf" severity="medium">
-            <xccdf-1.2:title>Verify User Who Owns The OpenShift Multus Container Network Interface Plugin Files</xccdf-1.2:title>
-            <xccdf-1.2:description> To properly set the owner of <html:code>/var/run/multus/cni/net.d/*</html:code>, run the command: <html:pre>$ sudo chown root /var/run/multus/cni/net.d/* </html:pre></xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.10</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>CNI (Container Network Interface) files consist of a specification and libraries for
-writing plugins to configure network interfaces in Linux containers, along with a number
-of supported plugins. Allowing writeable access to the files could allow an attacker to modify
-the networking configuration potentially adding a rogue network connection.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83603-1</xccdf-1.2:ident>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-90636-2</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_owner_multus_conf:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_ownership_var_log_ocp_audit:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_owner_multus_conf_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_ownership_var_log_ocp_audit_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_openshift_pki_cert_files" severity="medium">
-            <xccdf-1.2:title>Verify User Who Owns The OpenShift PKI Certificate Files</xccdf-1.2:title>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_var_log_kube_audit" severity="medium">
+            <xccdf-1.2:title>Kubernetes Audit Logs Must Have Mode 0600</xccdf-1.2:title>
             <xccdf-1.2:description>
-To properly set the owner of <html:code>/etc/kubernetes/static-pod-resources/*/*/*/tls.crt</html:code>, run the command:
-<html:pre>$ sudo chown root /etc/kubernetes/static-pod-resources/*/*/*/tls.crt </html:pre></xccdf-1.2:description>
-            <xccdf-1.2:warning category="dependency">This rule is only applicable for nodes that run the Kubernetes Control Plane.
-The aforementioned service is only running on the nodes labeled
-"master" by default.</xccdf-1.2:warning>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.19</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>OpenShift makes use of a number of certificates as part of its operation.
-You should verify the ownership of the directory containing the PKI
-information and all files in that directory to maintain their integrity.</xccdf-1.2:rationale>
+To properly set the permissions of <html:code>/var/log/kube-apiserver/.*</html:code>, run the command:
+<html:pre>$ sudo chmod 0600 /var/log/kube-apiserver/.*</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9(4)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.5.2</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>If users can write to audit logs, audit trails can be modified or destroyed.</xccdf-1.2:rationale>
             <xccdf-1.2:platform idref="#ocp4-master-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83558-7</xccdf-1.2:ident>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83654-4</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_owner_openshift_pki_cert_files:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_permissions_var_log_kube_audit:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_owner_openshift_pki_cert_files_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_permissions_var_log_kube_audit_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_openshift_pki_key_files" severity="medium">
-            <xccdf-1.2:title>Verify User Who Owns The OpenShift PKI Private Key Files</xccdf-1.2:title>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_var_log_oauth_audit" severity="medium">
+            <xccdf-1.2:title>OAuth Audit Logs Must Have Mode 0600</xccdf-1.2:title>
             <xccdf-1.2:description>
-To properly set the owner of <html:code>/etc/kubernetes/static-pod-resources/*/*/*/*.key</html:code>, run the command:
-<html:pre>$ sudo chown root /etc/kubernetes/static-pod-resources/*/*/*/*.key </html:pre></xccdf-1.2:description>
-            <xccdf-1.2:warning category="dependency">This rule is only applicable for nodes that run the Kubernetes Control Plane.
-The aforementioned service is only running on the nodes labeled
-"master" by default.</xccdf-1.2:warning>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.19</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>OpenShift makes use of a number of certificates as part of its operation.
-You should verify the ownership of the directory containing the PKI
-information and all files in that directory to maintain their integrity.
-The directory and files should be owned by root:root.</xccdf-1.2:rationale>
+To properly set the permissions of <html:code>/var/log/oauth-apiserver/.*</html:code>, run the command:
+<html:pre>$ sudo chmod 0600 /var/log/oauth-apiserver/.*</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9(4)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.5.2</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>If users can write to audit logs, audit trails can be modified or destroyed.</xccdf-1.2:rationale>
             <xccdf-1.2:platform idref="#ocp4-master-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83435-8</xccdf-1.2:ident>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_owner_openshift_pki_key_files:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_owner_openshift_pki_key_files_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_openshift_sdn_cniserver_config" severity="medium">
-            <xccdf-1.2:title>Verify User Who Owns The OpenShift SDN CNI Server Config</xccdf-1.2:title>
-            <xccdf-1.2:description>
-To properly set the owner of <html:code>/var/run/openshift-sdn/cniserver/config.json</html:code>, run the command:
-<html:pre>$ sudo chown root /var/run/openshift-sdn/cniserver/config.json </html:pre></xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.9</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>CNI (Container Network Interface) files consist of a specification and libraries for
-writing plugins to configure network interfaces in Linux containers, along with a number
-of supported plugins. Allowing writeable access to the files could allow an attacker to modify
-the networking configuration potentially adding a rogue network connection.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-node-on-sdn"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83932-4</xccdf-1.2:ident>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_owner_openshift_sdn_cniserver_config:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_owner_openshift_sdn_cniserver_config_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_openvswitch" severity="medium">
-            <xccdf-1.2:title>Verify User Who Owns The OpenShift Open vSwitch Files</xccdf-1.2:title>
-            <xccdf-1.2:description> To properly set the owner of <html:code>/etc/openvswitch/.*</html:code>, run the command: <html:pre>$ sudo chown root /etc/openvswitch/.* </html:pre></xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.10</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>CNI (Container Network Interface) files consist of a specification and libraries for
-writing plugins to configure network interfaces in Linux containers, along with a number
-of supported plugins. Allowing writeable access to the files could allow an attacker to modify
-the networking configuration potentially adding a rogue network connection.</xccdf-1.2:rationale>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-90637-0</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_owner_openvswitch:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_permissions_var_log_oauth_audit:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_owner_openvswitch_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_permissions_var_log_oauth_audit_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_ovs_conf_db" severity="medium">
-            <xccdf-1.2:title>Verify User Who Owns The Open vSwitch Configuration Database</xccdf-1.2:title>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_var_log_ocp_audit" severity="medium">
+            <xccdf-1.2:title>OpenShift Audit Logs Must Have Mode 0600</xccdf-1.2:title>
             <xccdf-1.2:description>
-To properly set the owner of <html:code>/etc/openvswitch/conf.db</html:code>, run the command:
-<html:pre>$ sudo chown openvswitch /etc/openvswitch/conf.db </html:pre></xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.9</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>CNI (Container Network Interface) files consist of a specification and libraries for
-writing plugins to configure network interfaces in Linux containers, along with a number
-of supported plugins. Allowing writeable access to the files could allow an attacker to modify
-the networking configuration potentially adding a rogue network connection.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83489-5</xccdf-1.2:ident>
+To properly set the permissions of <html:code>/var/log/openshift-apiserver/.*</html:code>, run the command:
+<html:pre>$ sudo chmod 0600 /var/log/openshift-apiserver/.*</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9(4)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.5.2</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>If users can write to audit logs, audit trails can be modified or destroyed.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-master-node"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-90638-8</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_owner_ovs_conf_db:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_permissions_var_log_ocp_audit:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_owner_ovs_conf_db_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_permissions_var_log_ocp_audit_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_ovs_conf_db_lock" severity="medium">
-            <xccdf-1.2:title>Verify User Who Owns The Open vSwitch Configuration Database Lock</xccdf-1.2:title>
-            <xccdf-1.2:description>
-To properly set the owner of <html:code>/etc/openvswitch/.conf.db.~lock~</html:code>, run the command:
-<html:pre>$ sudo chown openvswitch /etc/openvswitch/.conf.db.~lock~ </html:pre></xccdf-1.2:description>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_partition_for_var_log_kube_apiserver" severity="medium">
+            <xccdf-1.2:title>Ensure /var/log/kube-apiserver Located On Separate Partition</xccdf-1.2:title>
+            <xccdf-1.2:description>Kubernetes API server audit logs are stored in the
+<html:code>/var/log/kube-apiserver</html:code> directory.
+<html:p>
+Partitioning Red Hat CoreOS is a Day 1 operation and cannot
+be changed afterwards. For documentation on how to add a
+MachineConfig manifest that specifies a separate <html:code>/var/log/kube-apiserver</html:code>
+partition, follow:
+
+    <html:a href="https://docs.openshift.com/container-platform/latest/installing/installing_platform_agnostic/installing-platform-agnostic.html#installation-user-infra-machines-advanced_disk_installing-platform-agnostic">https://docs.openshift.com/container-platform/latest/installing/installing_platform_agnostic/installing-platform-agnostic.html#installation-user-infra-machines-advanced_disk_installing-platform-agnostic</html:a>
+</html:p>
+<html:p>
+Note that the Red Hat OpenShift documentation often references a block
+device, such as <html:code>/dev/vda</html:code>. The name of the available block devices depends
+on the underlying infrastructure (bare metal vs cloud), and often the specific
+instance type. For example in AWS, some instance types have NVMe drives
+(<html:code>/dev/nvme*</html:code>), others use <html:code>/dev/xvda*</html:code>.
+
+You will need to look for relevant documentation for your infrastructure around this.
+In many cases, the simplest thing is to boot a single machine with an Ignition
+configuration that just gives you SSH access, and inspect the block devices via
+e.g. the <html:code>lsblk</html:code> command.
+
+For physical hardware, a good best practice is to reference devices via the
+<html:code>/dev/disk/by-id/</html:code> or <html:code>/dev/disk/by-path</html:code> links.
+</html:p></xccdf-1.2:description>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.5.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.5.4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000357-CTR-000800</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>Placing <html:code>/var/log/kube-apiserver</html:code> in its own partition
+enables better separation between Kubernetes API server audit
+files and other log files, and helps ensure that
+auditing cannot be halted due to the partition running out
+of space.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-node"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-86456-1</xccdf-1.2:ident>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-partition_for_var_log_kube_apiserver_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_partition_for_var_log_oauth_apiserver" severity="medium">
+            <xccdf-1.2:title>Ensure /var/log/oauth-apiserver Located On Separate Partition</xccdf-1.2:title>
+            <xccdf-1.2:description>OpenShift OAuth server audit logs are stored in the
+<html:code>/var/log/oauth-apiserver</html:code> directory.
+<html:p>
+Partitioning Red Hat CoreOS is a Day 1 operation and cannot
+be changed afterwards. For documentation on how to add a
+MachineConfig manifest that specifies a separate <html:code>/var/log/oauth-apiserver</html:code>
+partition, follow:
+
+    <html:a href="https://docs.openshift.com/container-platform/latest/installing/installing_platform_agnostic/installing-platform-agnostic.html#installation-user-infra-machines-advanced_disk_installing-platform-agnostic">https://docs.openshift.com/container-platform/latest/installing/installing_platform_agnostic/installing-platform-agnostic.html#installation-user-infra-machines-advanced_disk_installing-platform-agnostic</html:a>
+</html:p>
+<html:p>
+Note that the Red Hat OpenShift documentation often references a block
+device, such as <html:code>/dev/vda</html:code>. The name of the available block devices depends
+on the underlying infrastructure (bare metal vs cloud), and often the specific
+instance type. For example in AWS, some instance types have NVMe drives
+(<html:code>/dev/nvme*</html:code>), others use <html:code>/dev/xvda*</html:code>.
+
+You will need to look for relevant documentation for your infrastructure around this.
+In many cases, the simplest thing is to boot a single machine with an Ignition
+configuration that just gives you SSH access, and inspect the block devices via
+e.g. the <html:code>lsblk</html:code> command.
+
+For physical hardware, a good best practice is to reference devices via the
+<html:code>/dev/disk/by-id/</html:code> or <html:code>/dev/disk/by-path</html:code> links.
+</html:p></xccdf-1.2:description>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.5.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.5.4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000357-CTR-000800</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>Placing <html:code>/var/log/oauth-apiserver</html:code> in its own partition
+enables better separation between OpenShift OAuth server audit
+files and other log files, and helps ensure that
+auditing cannot be halted due to the partition running out
+of space.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-node"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-85954-6</xccdf-1.2:ident>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-partition_for_var_log_oauth_apiserver_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_partition_for_var_log_openshift_apiserver" severity="medium">
+            <xccdf-1.2:title>Ensure /var/log/openshift-apiserver Located On Separate Partition</xccdf-1.2:title>
+            <xccdf-1.2:description>Openshift API server audit logs are stored in the
+<html:code>/var/log/openshift-apiserver</html:code> directory.
+<html:p>
+Partitioning Red Hat CoreOS is a Day 1 operation and cannot
+be changed afterwards. For documentation on how to add a
+MachineConfig manifest that specifies a separate <html:code>/var/log/openshift-apiserver</html:code>
+partition, follow:
+
+    <html:a href="https://docs.openshift.com/container-platform/latest/installing/installing_platform_agnostic/installing-platform-agnostic.html#installation-user-infra-machines-advanced_disk_installing-platform-agnostic">https://docs.openshift.com/container-platform/latest/installing/installing_platform_agnostic/installing-platform-agnostic.html#installation-user-infra-machines-advanced_disk_installing-platform-agnostic</html:a>
+</html:p>
+<html:p>
+Note that the Red Hat OpenShift documentation often references a block
+device, such as <html:code>/dev/vda</html:code>. The name of the available block devices depends
+on the underlying infrastructure (bare metal vs cloud), and often the specific
+instance type. For example in AWS, some instance types have NVMe drives
+(<html:code>/dev/nvme*</html:code>), others use <html:code>/dev/xvda*</html:code>.
+
+You will need to look for relevant documentation for your infrastructure around this.
+In many cases, the simplest thing is to boot a single machine with an Ignition
+configuration that just gives you SSH access, and inspect the block devices via
+e.g. the <html:code>lsblk</html:code> command.
+
+For physical hardware, a good best practice is to reference devices via the
+<html:code>/dev/disk/by-id/</html:code> or <html:code>/dev/disk/by-path</html:code> links.
+</html:p></xccdf-1.2:description>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.5.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.5.4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000357-CTR-000800</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>Placing <html:code>/var/log/openshift-apiserver</html:code> in its own partition
+enables better separation between Openshift API server audit
+files and other log files, and helps ensure that
+auditing cannot be halted due to the partition running out
+of space.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-node"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-86094-0</xccdf-1.2:ident>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-partition_for_var_log_openshift_apiserver_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+        </xccdf-1.2:Group>
+        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_master">
+          <xccdf-1.2:title>OpenShift - Master Node Settings</xccdf-1.2:title>
+          <xccdf-1.2:description>Contains evaluations for the master node configuration settings.</xccdf-1.2:description>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_cni_conf" severity="medium">
+            <xccdf-1.2:title>Verify Group Who Owns The OpenShift Container Network Interface Files</xccdf-1.2:title>
+            <xccdf-1.2:description> To properly set the group owner of <html:code>/etc/cni/net.d/*</html:code>, run the command: <html:pre>$ sudo chgrp root /etc/cni/net.d/*</html:pre></xccdf-1.2:description>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
@@ -12681,25 +14706,28 @@ To properly set the owner of <html:code>/etc/openvswitch/.conf.db.~lock~</html:c
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.9</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.10</xccdf-1.2:reference>
             <xccdf-1.2:rationale>CNI (Container Network Interface) files consist of a specification and libraries for
 writing plugins to configure network interfaces in Linux containers, along with a number
 of supported plugins. Allowing writeable access to the files could allow an attacker to modify
 the networking configuration potentially adding a rogue network connection.</xccdf-1.2:rationale>
             <xccdf-1.2:platform idref="#ocp4-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83462-2</xccdf-1.2:ident>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84025-6</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_owner_ovs_conf_db_lock:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_groupowner_cni_conf:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_owner_ovs_conf_db_lock_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_groupowner_cni_conf_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_ovs_pid" severity="medium">
-            <xccdf-1.2:title>Verify User Who Owns The Open vSwitch Process ID File</xccdf-1.2:title>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_controller_manager_kubeconfig" severity="medium">
+            <xccdf-1.2:title>Verify Group Who Owns The OpenShift Controller Manager Kubeconfig File</xccdf-1.2:title>
             <xccdf-1.2:description>
-To properly set the owner of <html:code>/var/run/openvswitch/ovs-vswitchd.pid</html:code>, run the command:
-<html:pre>$ sudo chown openvswitch /var/run/openvswitch/ovs-vswitchd.pid </html:pre></xccdf-1.2:description>
+To properly set the group owner of <html:code>/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/configmaps/controller-manager-kubeconfig/kubeconfig</html:code>, run the command:
+<html:pre>$ sudo chgrp root /etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/configmaps/controller-manager-kubeconfig/kubeconfig</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:warning category="dependency">This rule is only applicable for nodes that run the Kubernetes Controller
+Manager service. The aforementioned service is only running on
+the nodes labeled "master" by default.</xccdf-1.2:warning>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
@@ -12708,25 +14736,27 @@ To properly set the owner of <html:code>/var/run/openvswitch/ovs-vswitchd.pid</h
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.9</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>CNI (Container Network Interface) files consist of a specification and libraries for
-writing plugins to configure network interfaces in Linux containers, along with a number
-of supported plugins. Allowing writeable access to the files could allow an attacker to modify
-the networking configuration potentially adding a rogue network connection.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83937-3</xccdf-1.2:ident>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.18</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>The Controller Manager's kubeconfig contains information about how the
+component will access the API server. You should set its file ownership to
+maintain the integrity of the file.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-master-node"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84095-9</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_owner_ovs_pid:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_groupowner_controller_manager_kubeconfig:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_owner_ovs_pid_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_groupowner_controller_manager_kubeconfig_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_ovs_sys_id_conf" severity="medium">
-            <xccdf-1.2:title>Verify User Who Owns The Open vSwitch Persistent System ID</xccdf-1.2:title>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_etcd_data_dir" severity="medium">
+            <xccdf-1.2:title>Verify Group Who Owns The Etcd Database Directory</xccdf-1.2:title>
             <xccdf-1.2:description>
-To properly set the owner of <html:code>/etc/openvswitch/system-id.conf</html:code>, run the command:
-<html:pre>$ sudo chown openvswitch /etc/openvswitch/system-id.conf </html:pre></xccdf-1.2:description>
+To properly set the group owner of <html:code>/var/lib/etcd/member/</html:code>, run the command:
+<html:pre>$ sudo chgrp root /var/lib/etcd/member/</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:warning category="dependency">This rule is only applicable for nodes that run the Etcd service.
+The aforementioned service is only running on the nodes labeled
+"master" by default.</xccdf-1.2:warning>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
@@ -12735,25 +14765,27 @@ To properly set the owner of <html:code>/etc/openvswitch/system-id.conf</html:co
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.9</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>CNI (Container Network Interface) files consist of a specification and libraries for
-writing plugins to configure network interfaces in Linux containers, along with a number
-of supported plugins. Allowing writeable access to the files could allow an attacker to modify
-the networking configuration potentially adding a rogue network connection.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84085-0</xccdf-1.2:ident>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.12</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>etcd is a highly-available key-value store used by Kubernetes deployments for
+persistent storage of all of its REST API objects. This data directory should
+be protected from any unauthorized reads or writes.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-master-node"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83354-1</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_owner_ovs_sys_id_conf:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_groupowner_etcd_data_dir:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_owner_ovs_sys_id_conf_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_groupowner_etcd_data_dir_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_ovs_vswitchd_pid" severity="medium">
-            <xccdf-1.2:title>Verify User Who Owns The Open vSwitch Daemon PID File</xccdf-1.2:title>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_etcd_data_files" severity="medium">
+            <xccdf-1.2:title>Verify Group Who Owns The Etcd Write-Ahead-Log Files</xccdf-1.2:title>
             <xccdf-1.2:description>
-To properly set the owner of <html:code>/run/openvswitch/ovs-vswitchd.pid</html:code>, run the command:
-<html:pre>$ sudo chown openvswitch /run/openvswitch/ovs-vswitchd.pid </html:pre></xccdf-1.2:description>
+To properly set the group owner of <html:code>/var/lib/etcd/member/wal/*</html:code>, run the command:
+<html:pre>$ sudo chgrp root /var/lib/etcd/member/wal/*</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:warning category="dependency">This rule is only applicable for nodes that run the Etcd service.
+The aforementioned service is only running on the nodes labeled
+"master" by default.</xccdf-1.2:warning>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
@@ -12762,25 +14794,25 @@ To properly set the owner of <html:code>/run/openvswitch/ovs-vswitchd.pid</html:
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.9</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>CNI (Container Network Interface) files consist of a specification and libraries for
-writing plugins to configure network interfaces in Linux containers, along with a number
-of supported plugins. Allowing writeable access to the files could allow an attacker to modify
-the networking configuration potentially adding a rogue network connection.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83888-8</xccdf-1.2:ident>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.12</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>etcd is a highly-available key-value store used by Kubernetes deployments for
+persistent storage of all of its REST API objects. This data directory should
+be protected from any unauthorized reads or writes.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-master-node"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83816-9</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_owner_ovs_vswitchd_pid:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_groupowner_etcd_data_files:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_owner_ovs_vswitchd_pid_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_groupowner_etcd_data_files_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_ovsdb_server_pid" severity="medium">
-            <xccdf-1.2:title>Verify User Who Owns The Open vSwitch Database Server PID</xccdf-1.2:title>
-            <xccdf-1.2:description>
-To properly set the owner of <html:code>/run/openvswitch/ovsdb-server.pid</html:code>, run the command:
-<html:pre>$ sudo chown openvswitch /run/openvswitch/ovsdb-server.pid </html:pre></xccdf-1.2:description>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_etcd_member" severity="medium">
+            <xccdf-1.2:title>Verify Group Who Owns The etcd Member Pod Specification File</xccdf-1.2:title>
+            <xccdf-1.2:description> To properly set the group owner of <html:code>/etc/kubernetes/static-pod-resources/etcd-pod-*/etcd-pod.yaml</html:code>, run the command: <html:pre>$ sudo chgrp root /etc/kubernetes/static-pod-resources/etcd-pod-*/etcd-pod.yaml</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:warning category="dependency">This rule is only applicable for nodes that run the Etcd service.
+The aforementioned service is only running on the nodes labeled
+"master" by default.</xccdf-1.2:warning>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
@@ -12789,26 +14821,28 @@ To properly set the owner of <html:code>/run/openvswitch/ovsdb-server.pid</html:
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.9</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>CNI (Container Network Interface) files consist of a specification and libraries for
-writing plugins to configure network interfaces in Linux containers, along with a number
-of supported plugins. Allowing writeable access to the files could allow an attacker to modify
-the networking configuration potentially adding a rogue network connection.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83806-0</xccdf-1.2:ident>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.8</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>The etcd pod specification file controls various parameters that
+set the behavior of the etcd service in the master node. etcd is a
+highly-available key-value store which Kubernetes uses for persistent
+storage of all of its REST API object. You should restrict its file
+permissions to maintain the integrity of the file. The file should be
+writable by only the administrators on the system.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-master-node"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83664-3</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_owner_ovsdb_server_pid:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_groupowner_etcd_member:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_owner_ovsdb_server_pid_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_groupowner_etcd_member_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_scheduler_kubeconfig" severity="medium">
-            <xccdf-1.2:title>Verify User Who Owns The Kubernetes Scheduler Kubeconfig File</xccdf-1.2:title>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_etcd_pki_cert_files" severity="medium">
+            <xccdf-1.2:title>Verify Group Who Owns The Etcd PKI Certificate Files</xccdf-1.2:title>
             <xccdf-1.2:description>
-To properly set the owner of <html:code>/etc/kubernetes/static-pod-resources/kube-scheduler-pod-*/configmaps/scheduler-kubeconfig/kubeconfig</html:code>, run the command:
-<html:pre>$ sudo chown root /etc/kubernetes/static-pod-resources/kube-scheduler-pod-*/configmaps/scheduler-kubeconfig/kubeconfig </html:pre></xccdf-1.2:description>
-            <xccdf-1.2:warning category="dependency">This rule is only applicable for nodes that run the Kubernetes Scheduler service.
+To properly set the group owner of <html:code>/etc/kubernetes/static-pod-resources/*/*/*/*.crt</html:code>, run the command:
+<html:pre>$ sudo chgrp root /etc/kubernetes/static-pod-resources/*/*/*/*.crt</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:warning category="dependency">This rule is only applicable for nodes that run the Etcd service.
 The aforementioned service is only running on the nodes labeled
 "master" by default.</xccdf-1.2:warning>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
@@ -12819,38 +14853,23 @@ The aforementioned service is only running on the nodes labeled
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.16</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>The kubeconfig for the Scheduler contains paramters for the scheduler
-to access the Kube API.
-You should set its file ownership to maintain the integrity of the file.</xccdf-1.2:rationale>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.19</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>OpenShift makes use of a number of certificates as part of its operation.
+You should verify the ownership of the directory containing the PKI
+information and all files in that directory to maintain their integrity.
+The directory and files should be owned by the system administrator.</xccdf-1.2:rationale>
             <xccdf-1.2:platform idref="#ocp4-master-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84017-3</xccdf-1.2:ident>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_owner_scheduler_kubeconfig:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_owner_scheduler_kubeconfig_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_var_lib_etcd" severity="medium">
-            <xccdf-1.2:title>Verify User Who Owns The OpenShift etcd Data Directory</xccdf-1.2:title>
-            <xccdf-1.2:description> To properly set the owner of <html:code>/var/lib/etcd</html:code>, run the command: <html:pre>$ sudo chown root /var/lib/etcd </html:pre></xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.12</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>The <html:code>/var/lib/etcd</html:code> directory contains highly-avaliable distributed key/value data storage
-across an OpenShift cluster. Allowing access to users to this directory could compromise OpenShift
-data and the cluster.</xccdf-1.2:rationale>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83890-4</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_owner_var_lib_etcd:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_groupowner_etcd_pki_cert_files:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_owner_var_lib_etcd_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_groupowner_etcd_pki_cert_files_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_cni_conf" severity="medium">
-            <xccdf-1.2:title>Verify Permissions on the OpenShift Container Network Interface Files</xccdf-1.2:title>
-            <xccdf-1.2:description>
-To properly set the permissions of <html:code>/etc/cni/net.d/*</html:code>, run the command:
-<html:pre>$ sudo chmod 0644 /etc/cni/net.d/*</html:pre></xccdf-1.2:description>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_ip_allocations" severity="medium">
+            <xccdf-1.2:title>Verify Group Who Owns The OpenShift SDN Container Network Interface Plugin IP Address Allocations</xccdf-1.2:title>
+            <xccdf-1.2:description> To properly set the group owner of <html:code>/var/lib/cni/networks/openshift-sdn/.*</html:code>, run the command: <html:pre>$ sudo chgrp root /var/lib/cni/networks/openshift-sdn/.*</html:pre></xccdf-1.2:description>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
@@ -12859,26 +14878,24 @@ To properly set the permissions of <html:code>/etc/cni/net.d/*</html:code>, run
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.9</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.10</xccdf-1.2:reference>
             <xccdf-1.2:rationale>CNI (Container Network Interface) files consist of a specification and libraries for
 writing plugins to configure network interfaces in Linux containers, along with a number
 of supported plugins. Allowing writeable access to the files could allow an attacker to modify
 the networking configuration potentially adding a rogue network connection.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83379-8</xccdf-1.2:ident>
+            <xccdf-1.2:platform idref="#ocp4-node-on-sdn"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84211-2</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_permissions_cni_conf:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_groupowner_ip_allocations:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_permissions_cni_conf_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_groupowner_ip_allocations_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_controller_manager_kubeconfig" severity="medium">
-            <xccdf-1.2:title>Verify Permissions on the OpenShift Controller Manager Kubeconfig File</xccdf-1.2:title>
-            <xccdf-1.2:description>
-To properly set the permissions of <html:code>/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/configmaps/controller-manager-kubeconfig/kubeconfig</html:code>, run the command:
-<html:pre>$ sudo chmod 0644 /etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/configmaps/controller-manager-kubeconfig/kubeconfig</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:warning category="dependency">This rule is only applicable for nodes that run the Kubernetes Controller Manager service.
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_kube_apiserver" severity="medium">
+            <xccdf-1.2:title>Verify Group Who Owns The Kubernetes API Server Pod Specification File</xccdf-1.2:title>
+            <xccdf-1.2:description> To properly set the group owner of <html:code>/etc/kubernetes/static-pod-resources/kube-apiserver-pod-*/kube-apiserver-pod.yaml</html:code>, run the command: <html:pre>$ sudo chgrp root /etc/kubernetes/static-pod-resources/kube-apiserver-pod-*/kube-apiserver-pod.yaml</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:warning category="dependency">This rule is only applicable for nodes that run the Kubernetes API Server service.
 The aforementioned service is only running on the nodes labeled
 "master" by default.</xccdf-1.2:warning>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
@@ -12889,26 +14906,23 @@ The aforementioned service is only running on the nodes labeled
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.17</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>The Controller Manager's kubeconfig contains information about how the
-component will access the API server. You should restrict its file
-permissions to maintain the integrity of the file. The file should be
-writable by only the administrators on the system.</xccdf-1.2:rationale>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.2</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>The Kubernetes specification file contains information about the configuration of the
+Kubernetes API Server that is configured on the system. Protection of this file is
+critical for OpenShift security.</xccdf-1.2:rationale>
             <xccdf-1.2:platform idref="#ocp4-master-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83604-9</xccdf-1.2:ident>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83530-6</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_permissions_controller_manager_kubeconfig:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_groupowner_kube_apiserver:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_permissions_controller_manager_kubeconfig_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_groupowner_kube_apiserver_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_etcd_data_dir" severity="medium">
-            <xccdf-1.2:title>Verify Permissions on the Etcd Database Directory</xccdf-1.2:title>
-            <xccdf-1.2:description>
-To properly set the permissions of <html:code>/var/lib/etcd</html:code>, run the command:
-<html:pre>$ sudo chmod 0700 /var/lib/etcd</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:warning category="dependency">This rule is only applicable for nodes that run the Etcd service.
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_kube_controller_manager" severity="medium">
+            <xccdf-1.2:title>Verify Group Who Owns The Kubernetes Controller Manager Pod Specification File</xccdf-1.2:title>
+            <xccdf-1.2:description> To properly set the group owner of <html:code>/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/kube-controller-manager-pod.yaml</html:code>, run the command: <html:pre>$ sudo chgrp root /etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/kube-controller-manager-pod.yaml</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:warning category="dependency">This rule is only applicable for nodes that run the Kubernetes Controller Manager service.
 The aforementioned service is only running on the nodes labeled
 "master" by default.</xccdf-1.2:warning>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
@@ -12919,26 +14933,23 @@ The aforementioned service is only running on the nodes labeled
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.11</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>etcd is a highly-available key-value store used by Kubernetes deployments for persistent
-storage of all of its REST API objects. This data directory should be protected from any
-unauthorized reads or writes. It should not be readable or writable by any group members
-or the world.</xccdf-1.2:rationale>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.4</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>The Kubernetes specification file contains information about the configuration of the
+Kubernetes Controller Manager Server that is configured on the system. Protection of this file is
+critical for OpenShift security.</xccdf-1.2:rationale>
             <xccdf-1.2:platform idref="#ocp4-master-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84013-2</xccdf-1.2:ident>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83953-0</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_permissions_etcd_data_dir:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_groupowner_kube_controller_manager:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_permissions_etcd_data_dir_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_groupowner_kube_controller_manager_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_etcd_data_files" severity="medium">
-            <xccdf-1.2:title>Verify Permissions on the Etcd Write-Ahead-Log Files</xccdf-1.2:title>
-            <xccdf-1.2:description>
-To properly set the permissions of <html:code>/var/lib/etcd/member/wal/*</html:code>, run the command:
-<html:pre>$ sudo chmod 0600 /var/lib/etcd/member/wal/*</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:warning category="dependency">This rule is only applicable for nodes that run the Etcd service.
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_kube_scheduler" severity="medium">
+            <xccdf-1.2:title>Verify Group Who Owns The Kubernetes Scheduler Pod Specification File</xccdf-1.2:title>
+            <xccdf-1.2:description> To properly set the group owner of <html:code>/etc/kubernetes/static-pod-resources/kube-scheduler-pod-*/kube-scheduler-pod.yaml</html:code>, run the command: <html:pre>$ sudo chgrp root /etc/kubernetes/static-pod-resources/kube-scheduler-pod-*/kube-scheduler-pod.yaml</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:warning category="dependency">This rule is only applicable for nodes that run the Kubernetes Scheduler service.
 The aforementioned service is only running on the nodes labeled
 "master" by default.</xccdf-1.2:warning>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
@@ -12949,26 +14960,36 @@ The aforementioned service is only running on the nodes labeled
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.11</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>etcd is a highly-available key-value store used by Kubernetes deployments for persistent
-storage of all of its REST API objects. This data directory should be protected from any
-unauthorized reads or writes. It should not be readable or writable by any group members
-or the world.</xccdf-1.2:rationale>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.6</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>The Kubernetes Specification file contains information about the configuration of the
+Kubernetes scheduler that is configured on the system. Protection of this file is
+critical for OpenShift security.</xccdf-1.2:rationale>
             <xccdf-1.2:platform idref="#ocp4-master-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83382-2</xccdf-1.2:ident>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83614-8</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_permissions_etcd_data_files:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_groupowner_kube_scheduler:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_permissions_etcd_data_files_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_groupowner_kube_scheduler_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_etcd_member" severity="medium">
-            <xccdf-1.2:title>Verify Permissions on the Etcd Member Pod Specification File</xccdf-1.2:title>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_kubeconfig" severity="medium">
+            <xccdf-1.2:title>Verify Group Who Owns The OpenShift Admin Kubeconfig File</xccdf-1.2:title>
+            <xccdf-1.2:description> To properly set the group owner of <html:code>/etc/kubernetes/kubeconfig</html:code>, run the command: <html:pre>$ sudo chgrp root /etc/kubernetes/kubeconfig</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.14</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>The <html:code>/etc/kubernetes/kubeconfig</html:code> file contains information about the administrative configuration of the
+OpenShift cluster that is configured on the system. Protection of this file is
+critical for OpenShift security.</xccdf-1.2:rationale>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_groupowner_kubeconfig_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_master_admin_kubeconfigs" severity="medium">
+            <xccdf-1.2:title>Verify Group Who Owns The OpenShift Admin Kubeconfig Files</xccdf-1.2:title>
             <xccdf-1.2:description>
-To properly set the permissions of <html:code>/etc/kubernetes/static-pod-resources/etcd-pod-*/etcd-pod.yaml</html:code>, run the command:
-<html:pre>$ sudo chmod 0644 /etc/kubernetes/static-pod-resources/etcd-pod-*/etcd-pod.yaml</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:warning category="dependency">This rule is only applicable for nodes that run the Etcd service.
+To properly set the group owner of <html:code>/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/*.kubeconfig</html:code>, run the command:
+<html:pre>$ sudo chgrp root /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/*.kubeconfig</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:warning category="dependency">This rule is only applicable for nodes that run the Kubernetes API server service.
 The aforementioned service is only running on the nodes labeled
 "master" by default.</xccdf-1.2:warning>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
@@ -12979,30 +15000,26 @@ The aforementioned service is only running on the nodes labeled
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.7</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>The etcd pod specification file controls various parameters that
-set the behavior of the etcd service in the master node. etcd is a
-highly-available key-value store which Kubernetes uses for persistent
-storage of all of its REST API object. You should restrict its file
-permissions to maintain the integrity of the file. The file should be
-writable by only the administrators on the system.</xccdf-1.2:rationale>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.14</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>There are various kubeconfig files that can be used by the administrator,
+defining various settings for the administration of the cluster. These files
+contain credentials that can be used to control the cluster and are needed
+for disaster recovery and each kubeconfig points to a different endpoint in
+the cluster. You should restrict its file permissions to maintain the
+integrity of the kubeconfig file as an attacker who gains access to these
+files can take over the cluster.</xccdf-1.2:rationale>
             <xccdf-1.2:platform idref="#ocp4-master-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83973-8</xccdf-1.2:ident>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84204-7</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_permissions_etcd_member:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_groupowner_master_admin_kubeconfigs:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_permissions_etcd_member_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_groupowner_master_admin_kubeconfigs_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_etcd_pki_cert_files" severity="medium">
-            <xccdf-1.2:title>Verify Permissions on the Etcd PKI Certificate Files</xccdf-1.2:title>
-            <xccdf-1.2:description>
-To properly set the permissions of <html:code>/etc/kubernetes/static-pod-resources/etcd-*/secrets/*/*.crt</html:code>, run the command:
-<html:pre>$ sudo chmod 0600 /etc/kubernetes/static-pod-resources/etcd-*/secrets/*/*.crt</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:warning category="dependency">This rule is only applicable for nodes that run the Etcd service.
-The aforementioned service is only running on the nodes labeled
-"master" by default.</xccdf-1.2:warning>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_multus_conf" severity="medium">
+            <xccdf-1.2:title>Verify Group Who Owns The OpenShift Multus Container Network Interface Plugin Files</xccdf-1.2:title>
+            <xccdf-1.2:description> To properly set the group owner of <html:code>/var/run/multus/cni/net.d/*</html:code>, run the command: <html:pre>$ sudo chgrp root /var/run/multus/cni/net.d/*</html:pre></xccdf-1.2:description>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
@@ -13011,24 +15028,28 @@ The aforementioned service is only running on the nodes labeled
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.20</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>OpenShift makes use of a number of certificate files as part of the operation
-of its components. The permissions on these files should be set to
-<html:pre>600</html:pre> or more restrictive to protect their integrity.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-master-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83362-4</xccdf-1.2:ident>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.10</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>CNI (Container Network Interface) files consist of a specification and libraries for
+writing plugins to configure network interfaces in Linux containers, along with a number
+of supported plugins. Allowing writeable access to the files could allow an attacker to modify
+the networking configuration potentially adding a rogue network connection.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-node"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83818-5</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_permissions_etcd_pki_cert_files:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_groupowner_multus_conf:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_permissions_etcd_pki_cert_files_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_groupowner_multus_conf_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_ip_allocations" severity="medium">
-            <xccdf-1.2:title>Verify Permissions on the OpenShift SDN Container Network Interface Plugin IP Address Allocations</xccdf-1.2:title>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_openshift_pki_cert_files" severity="medium">
+            <xccdf-1.2:title>Verify Group Who Owns The OpenShift PKI Certificate Files</xccdf-1.2:title>
             <xccdf-1.2:description>
-To properly set the permissions of <html:code>/var/lib/cni/networks/openshift-sdn/*</html:code>, run the command:
-<html:pre>$ sudo chmod 0644 /var/lib/cni/networks/openshift-sdn/*</html:pre></xccdf-1.2:description>
+To properly set the group owner of <html:code>/etc/kubernetes/static-pod-resources/*/*/*/tls.crt</html:code>, run the command:
+<html:pre>$ sudo chgrp root /etc/kubernetes/static-pod-resources/*/*/*/tls.crt</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:warning category="dependency">This rule is only applicable for nodes that run the Kubernetes Control Plane.
+The aforementioned service is only running on the nodes labeled
+"master" by default.</xccdf-1.2:warning>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
@@ -13037,26 +15058,26 @@ To properly set the permissions of <html:code>/var/lib/cni/networks/openshift-sd
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.9</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>CNI (Container Network Interface) files consist of a specification and libraries for
-writing plugins to configure network interfaces in Linux containers, along with a number
-of supported plugins. Allowing writeable access to the files could allow an attacker to modify
-the networking configuration potentially adding a rogue network connection.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-node-on-sdn"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83469-7</xccdf-1.2:ident>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.19</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>OpenShift makes use of a number of certificates as part of its operation.
+You should verify the ownership of the directory containing the PKI
+information and all files in that directory to maintain their integrity.
+The directory and files should be owned by the system administrator.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-master-node"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83922-5</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_permissions_ip_allocations:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_groupowner_openshift_pki_cert_files:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_permissions_ip_allocations_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_groupowner_openshift_pki_cert_files_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_kube_apiserver" severity="medium">
-            <xccdf-1.2:title>Verify Permissions on the Kubernetes API Server Pod Specification File</xccdf-1.2:title>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_openshift_pki_key_files" severity="medium">
+            <xccdf-1.2:title>Verify Group Who Owns The OpenShift PKI Private Key Files</xccdf-1.2:title>
             <xccdf-1.2:description>
-To properly set the permissions of <html:code>/etc/kubernetes/static-pod-resources/kube-apiserver-pod-*/kube-apiserver-pod.yaml</html:code>, run the command:
-<html:pre>$ sudo chmod 0644 /etc/kubernetes/static-pod-resources/kube-apiserver-pod-*/kube-apiserver-pod.yaml</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:warning category="dependency">This rule is only applicable for nodes that run the Kubernetes API Server service.
+To properly set the group owner of <html:code>/etc/kubernetes/static-pod-resources/*/*/*/*.key</html:code>, run the command:
+<html:pre>$ sudo chgrp root /etc/kubernetes/static-pod-resources/*/*/*/*.key</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:warning category="dependency">This rule is only applicable for nodes that run the Kubernetes Control Plane.
 The aforementioned service is only running on the nodes labeled
 "master" by default.</xccdf-1.2:warning>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
@@ -13067,28 +15088,25 @@ The aforementioned service is only running on the nodes labeled
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>If the Kubernetes specification file is writable by a group-owner or the
-world the risk of its compromise is increased. The file contains the configuration of
-the Kubernetes API server that is configured on the system. Protection of this file is
-critical for OpenShift security.</xccdf-1.2:rationale>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.19</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>OpenShift makes use of a number of certificates as part of its operation.
+You should verify the ownership of the directory containing the PKI
+information and all files in that directory to maintain their integrity.
+The directory and files should be owned by root:root.</xccdf-1.2:rationale>
             <xccdf-1.2:platform idref="#ocp4-master-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83983-7</xccdf-1.2:ident>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84172-6</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_permissions_kube_apiserver:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_groupowner_openshift_pki_key_files:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_permissions_kube_apiserver_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_groupowner_openshift_pki_key_files_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_kube_controller_manager" severity="medium">
-            <xccdf-1.2:title>Verify Permissions on the Kubernetes Controller Manager Pod Specificiation File</xccdf-1.2:title>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_openshift_sdn_cniserver_config" severity="medium">
+            <xccdf-1.2:title>Verify Group Who Owns The OpenShift SDN CNI Server Config</xccdf-1.2:title>
             <xccdf-1.2:description>
-To properly set the permissions of <html:code>/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/kube-controller-manager-pod.yaml</html:code>, run the command:
-<html:pre>$ sudo chmod 0644 /etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/kube-controller-manager-pod.yaml</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:warning category="dependency">This rule is only applicable for nodes that run the Kubernetes Controller Manager service.
-The aforementioned service is only running on the nodes labeled
-"master" by default.</xccdf-1.2:warning>
+To properly set the group owner of <html:code>/var/run/openshift-sdn/cniserver/config.json</html:code>, run the command:
+<html:pre>$ sudo chgrp root /var/run/openshift-sdn/cniserver/config.json</html:pre></xccdf-1.2:description>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
@@ -13097,56 +15115,40 @@ The aforementioned service is only running on the nodes labeled
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.3</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>If the Kubernetes specification file is writable by a group-owner or the
-world the risk of its compromise is increased. The file contains the configuration of
-an Kubernetes Controller Manager server that is configured on the system. Protection of this file is
-critical for OpenShift security.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-master-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84161-9</xccdf-1.2:ident>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.9</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>CNI (Container Network Interface) files consist of a specification and libraries for
+writing plugins to configure network interfaces in Linux containers, along with a number
+of supported plugins. Allowing writeable access to the files could allow an attacker to modify
+the networking configuration potentially adding a rogue network connection.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-node-on-sdn"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83605-6</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_permissions_kube_controller_manager:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_groupowner_openshift_sdn_cniserver_config:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_permissions_kube_controller_manager_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_groupowner_openshift_sdn_cniserver_config_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_kube_scheduler" severity="medium">
-            <xccdf-1.2:title>Verify Permissions on the Kube Scheduler Pod Specification File</xccdf-1.2:title>
-            <xccdf-1.2:description>
-To properly set the permissions of <html:code>/etc/kubernetes/static-pod-resources/kube-scheduler-pod.yaml</html:code>, run the command:
-<html:pre>$ sudo chmod 0644 /etc/kubernetes/static-pod-resources/kube-scheduler-pod.yaml</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.5</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>If the Kube specification file is writable by a group-owner or the
-world the risk of its compromise is increased. The file contains the configuration of
-an OpenShift scheduler that is configured on the system. Protection of this file is
-critical for OpenShift security.</xccdf-1.2:rationale>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_permissions_kube_scheduler_ocil:questionnaire:1"/>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_openvswitch" severity="medium">
+            <xccdf-1.2:title>Verify Group Who Owns The OpenShift Open vSwitch Files</xccdf-1.2:title>
+            <xccdf-1.2:description> To properly set the group owner of <html:code>/etc/openvswitch/.*</html:code>, run the command: <html:pre>$ sudo chgrp root /etc/openvswitch/.*</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.10</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>CNI (Container Network Interface) files consist of a specification and libraries for
+writing plugins to configure network interfaces in Linux containers, along with a number
+of supported plugins. Allowing writeable access to the files could allow an attacker to modify
+the networking configuration potentially adding a rogue network connection.</xccdf-1.2:rationale>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_groupowner_openvswitch:def:1"/>
             </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_kubeconfig" severity="medium">
-            <xccdf-1.2:title>Verify Permissions on the OpenShift Admin Kubeconfig File</xccdf-1.2:title>
-            <xccdf-1.2:description>
-To properly set the permissions of <html:code>/etc/kubernetes/kubeconfig</html:code>, run the command:
-<html:pre>$ sudo chmod 0600 /etc/kubernetes/kubeconfig</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.13</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>If the <html:code>/etc/kubernetes/kubeconfig</html:code> file is writable by a group-owner or the
-world the risk of its compromise is increased. The file contains the administration configuration of the
-OpenShift cluster that is configured on the system. Protection of this file is
-critical for OpenShift security.</xccdf-1.2:rationale>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_permissions_kubeconfig_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_groupowner_openvswitch_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_master_admin_kubeconfigs" severity="medium">
-            <xccdf-1.2:title>Verify Permissions on the OpenShift Admin Kubeconfig Files</xccdf-1.2:title>
-            <xccdf-1.2:description>
-To properly set the permissions of <html:code>/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/*.kubeconfig</html:code>, run the command:
-<html:pre>$ sudo chmod 0600 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/*.kubeconfig</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:warning category="dependency">This rule is only applicable for nodes that run the Kubernetes Control Plane.
-The aforementioned service is only running on the nodes labeled
-"master" by default.</xccdf-1.2:warning>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_ovs_conf_db" severity="medium">
+            <xccdf-1.2:title>Verify Group Who Owns The Open vSwitch Configuration Database</xccdf-1.2:title>
+            <xccdf-1.2:description>Check if the group owner of <html:code>/etc/openvswitch/conf.db</html:code> is
+<html:code>hugetlbfs</html:code> on architectures other than s390x or <html:code>openvswitch</html:code>
+on s390x.</xccdf-1.2:description>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
@@ -13155,28 +15157,25 @@ The aforementioned service is only running on the nodes labeled
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.13</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>There are various kubeconfig files that can be used by the administrator,
-defining various settings for the administration of the cluster. These files
-contain credentials that can be used to control the cluster and are needed
-for disaster recovery and each kubeconfig points to a different endpoint in
-the cluster. You should restrict its file permissions to maintain the
-integrity of the kubeconfig file as an attacker who gains access to these
-files can take over the cluster.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-master-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84278-1</xccdf-1.2:ident>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.9</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>CNI (Container Network Interface) files consist of a specification and libraries for
+writing plugins to configure network interfaces in Linux containers, along with a number
+of supported plugins. Allowing writeable access to the files could allow an attacker to modify
+the networking configuration potentially adding a rogue network connection.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-node"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-88281-1</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_permissions_master_admin_kubeconfigs:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_groupowner_ovs_conf_db:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_permissions_master_admin_kubeconfigs_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_groupowner_ovs_conf_db_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_multus_conf" severity="medium">
-            <xccdf-1.2:title>Verify Permissions on the OpenShift Multus Container Network Interface Plugin Files</xccdf-1.2:title>
-            <xccdf-1.2:description>
-To properly set the permissions of <html:code>/var/run/multus/cni/net.d/*</html:code>, run the command:
-<html:pre>$ sudo chmod 0644 /var/run/multus/cni/net.d/*</html:pre></xccdf-1.2:description>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_ovs_conf_db_lock" severity="medium">
+            <xccdf-1.2:title>Verify Group Who Owns The Open vSwitch Configuration Database Lock</xccdf-1.2:title>
+            <xccdf-1.2:description>Check if the group owner of <html:code>/etc/openvswitch/conf.db.~lock~</html:code> is
+<html:code>hugetlbfs</html:code> on architectures other than s390x or <html:code>openvswitch</html:code>
+on s390x.</xccdf-1.2:description>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
@@ -13191,22 +15190,19 @@ writing plugins to configure network interfaces in Linux containers, along with
 of supported plugins. Allowing writeable access to the files could allow an attacker to modify
 the networking configuration potentially adding a rogue network connection.</xccdf-1.2:rationale>
             <xccdf-1.2:platform idref="#ocp4-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83467-1</xccdf-1.2:ident>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-90793-1</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_permissions_multus_conf:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_groupowner_ovs_conf_db_lock:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_permissions_multus_conf_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_groupowner_ovs_conf_db_lock_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_openshift_pki_cert_files" severity="medium">
-            <xccdf-1.2:title>Verify Permissions on the OpenShift PKI Certificate Files</xccdf-1.2:title>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_ovs_conf_db_lock_not_s390x" severity="medium">
+            <xccdf-1.2:title>Verify Group Who Owns The Open vSwitch Configuration Database Lock</xccdf-1.2:title>
             <xccdf-1.2:description>
-To properly set the permissions of <html:code>/etc/kubernetes/static-pod-resources/kube-*/secrets/*/tls.crt</html:code>, run the command:
-<html:pre>$ sudo chmod 0600 /etc/kubernetes/static-pod-resources/kube-*/secrets/*/tls.crt</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:warning category="dependency">This rule is only applicable for nodes that run the Kubernetes Control Plane.
-The aforementioned service is only running on the nodes labeled
-"master" by default.</xccdf-1.2:warning>
+To properly set the group owner of <html:code>/etc/openvswitch/.conf.db.~lock~</html:code>, run the command:
+<html:pre>$ sudo chgrp hugetlbfs /etc/openvswitch/.conf.db.~lock~</html:pre></xccdf-1.2:description>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
@@ -13215,83 +15211,79 @@ The aforementioned service is only running on the nodes labeled
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.20</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>OpenShift makes use of a number of certificate files as part of the operation
-of its components. The permissions on these files should be set to
-<html:pre>600</html:pre> or more restrictive to protect their integrity.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-master-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83552-0</xccdf-1.2:ident>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.9</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>CNI (Container Network Interface) files consist of a specification and libraries for
+writing plugins to configure network interfaces in Linux containers, along with a number
+of supported plugins. Allowing writeable access to the files could allow an attacker to modify
+the networking configuration potentially adding a rogue network connection.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#not_s390x_arch_and_ocp4-node"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84219-5</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_permissions_openshift_pki_cert_files:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_groupowner_ovs_conf_db_lock_not_s390x:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_permissions_openshift_pki_cert_files_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_groupowner_ovs_conf_db_lock_not_s390x_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_openshift_pki_key_files" severity="medium">
-            <xccdf-1.2:title>Verify Permissions on the OpenShift PKI Private Key Files</xccdf-1.2:title>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_ovs_conf_db_lock_s390x" severity="medium">
+            <xccdf-1.2:title>Verify Group Who Owns The Open vSwitch Configuration Database Lock</xccdf-1.2:title>
             <xccdf-1.2:description>
-To properly set the permissions of <html:code>/etc/kubernetes/static-pod-resources/*/*/*/*.key</html:code>, run the command:
-<html:pre>$ sudo chmod 0600 /etc/kubernetes/static-pod-resources/*/*/*/*.key</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:warning category="dependency">This rule is only applicable for nodes that run the Kubernetes Control Plane.
-The aforementioned service is only running on the nodes labeled
-"master" by default.</xccdf-1.2:warning>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R1.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R3.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R3.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R3.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.3</xccdf-1.2:reference>
+To properly set the group owner of <html:code>/etc/openvswitch/.conf.db.~lock~</html:code>, run the command:
+<html:pre>$ sudo chgrp hugetlbfs /etc/openvswitch/.conf.db.~lock~</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
             <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(2)</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.21</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>OpenShift makes use of a number of key files as part of the operation of its
-components. The permissions on these files should be set to <html:pre>600</html:pre>
-to protect their integrity and confidentiality.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-master-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83580-1</xccdf-1.2:ident>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.9</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>CNI (Container Network Interface) files consist of a specification and libraries for
+writing plugins to configure network interfaces in Linux containers, along with a number
+of supported plugins. Allowing writeable access to the files could allow an attacker to modify
+the networking configuration potentially adding a rogue network connection.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-node_and_s390x_arch"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-85936-3</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_permissions_openshift_pki_key_files:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_groupowner_ovs_conf_db_lock_s390x:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_permissions_openshift_pki_key_files_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_groupowner_ovs_conf_db_lock_s390x_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_openvswitch" severity="medium">
-            <xccdf-1.2:title>Verify Permissions on the OpenShift Open vSwitch Files</xccdf-1.2:title>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_ovs_conf_db_not_s390x" severity="medium">
+            <xccdf-1.2:title>Verify Group Who Owns The Open vSwitch Configuration Database</xccdf-1.2:title>
             <xccdf-1.2:description>
-To properly set the permissions of <html:code>/etc/openvswitch/.*</html:code>, run the command:
-<html:pre>$ sudo chmod 0644 /etc/openvswitch/.*</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.4.9</xccdf-1.2:reference>
+To properly set the group owner of <html:code>/etc/openvswitch/conf.db</html:code>, run the command:
+<html:pre>$ sudo chgrp hugetlbfs /etc/openvswitch/conf.db</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.9</xccdf-1.2:reference>
             <xccdf-1.2:rationale>CNI (Container Network Interface) files consist of a specification and libraries for
 writing plugins to configure network interfaces in Linux containers, along with a number
 of supported plugins. Allowing writeable access to the files could allow an attacker to modify
 the networking configuration potentially adding a rogue network connection.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#not_s390x_arch_and_ocp4-node"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84226-0</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_permissions_openvswitch:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_groupowner_ovs_conf_db_not_s390x:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_permissions_openvswitch_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_groupowner_ovs_conf_db_not_s390x_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_ovs_conf_db" severity="medium">
-            <xccdf-1.2:title>Verify Permissions on the Open vSwitch Configuration Database</xccdf-1.2:title>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_ovs_conf_db_s390x" severity="medium">
+            <xccdf-1.2:title>Verify Group Who Owns The Open vSwitch Configuration Database</xccdf-1.2:title>
             <xccdf-1.2:description>
-To properly set the permissions of <html:code>/etc/openvswitch/conf.db</html:code>, run the command:
-<html:pre>$ sudo chmod 0640 /etc/openvswitch/conf.db</html:pre></xccdf-1.2:description>
+To properly set the group owner of <html:code>/etc/openvswitch/conf.db</html:code>, run the command:
+<html:pre>$ sudo chgrp openvswitch /etc/openvswitch/conf.db</html:pre></xccdf-1.2:description>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
@@ -13305,20 +15297,20 @@ To properly set the permissions of <html:code>/etc/openvswitch/conf.db</html:cod
 writing plugins to configure network interfaces in Linux containers, along with a number
 of supported plugins. Allowing writeable access to the files could allow an attacker to modify
 the networking configuration potentially adding a rogue network connection.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83788-0</xccdf-1.2:ident>
+            <xccdf-1.2:platform idref="#ocp4-node_and_s390x_arch"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-85927-2</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_permissions_ovs_conf_db:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_groupowner_ovs_conf_db_s390x:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_permissions_ovs_conf_db_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_groupowner_ovs_conf_db_s390x_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_ovs_conf_db_lock" severity="medium">
-            <xccdf-1.2:title>Verify Permissions on the Open vSwitch Configuration Database Lock</xccdf-1.2:title>
-            <xccdf-1.2:description>
-To properly set the permissions of <html:code>/etc/openvswitch/.conf.db.~lock~</html:code>, run the command:
-<html:pre>$ sudo chmod 0600 /etc/openvswitch/.conf.db.~lock~</html:pre></xccdf-1.2:description>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_ovs_pid" severity="medium">
+            <xccdf-1.2:title>Verify Group Who Owns The Open vSwitch Process ID File</xccdf-1.2:title>
+            <xccdf-1.2:description>Ensure that the file <html:pre>/var/run/openvswitch/ovs-vswitchd.pid</html:pre>,
+is owned by the group <html:pre>openvswitch</html:pre> or <html:pre>hugetlbfs</html:pre>,
+depending on your settings and Open vSwitch version.</xccdf-1.2:description>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
@@ -13333,19 +15325,19 @@ writing plugins to configure network interfaces in Linux containers, along with
 of supported plugins. Allowing writeable access to the files could allow an attacker to modify
 the networking configuration potentially adding a rogue network connection.</xccdf-1.2:rationale>
             <xccdf-1.2:platform idref="#ocp4-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84202-1</xccdf-1.2:ident>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83630-4</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_permissions_ovs_conf_db_lock:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_groupowner_ovs_pid:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_permissions_ovs_conf_db_lock_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_groupowner_ovs_pid_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_ovs_pid" severity="medium">
-            <xccdf-1.2:title>Verify Permissions on the Open vSwitch Process ID File</xccdf-1.2:title>
-            <xccdf-1.2:description>
-To properly set the permissions of <html:code>/var/run/openvswitch/ovs-vswitchd.pid</html:code>, run the command:
-<html:pre>$ sudo chmod 0644 /var/run/openvswitch/ovs-vswitchd.pid</html:pre></xccdf-1.2:description>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_ovs_sys_id_conf" severity="medium">
+            <xccdf-1.2:title>Verify Group Who Owns The Open vSwitch Persistent System ID</xccdf-1.2:title>
+            <xccdf-1.2:description>Check if the group owner of <html:code>/etc/openvswitch/system-id.conf</html:code> is
+<html:code>hugetlbfs</html:code> on architectures other than s390x or <html:code>openvswitch</html:code>
+on x390x.</xccdf-1.2:description>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
@@ -13360,19 +15352,19 @@ writing plugins to configure network interfaces in Linux containers, along with
 of supported plugins. Allowing writeable access to the files could allow an attacker to modify
 the networking configuration potentially adding a rogue network connection.</xccdf-1.2:rationale>
             <xccdf-1.2:platform idref="#ocp4-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83666-8</xccdf-1.2:ident>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-85892-8</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_permissions_ovs_pid:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_groupowner_ovs_sys_id_conf:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_permissions_ovs_pid_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_groupowner_ovs_sys_id_conf_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_ovs_sys_id_conf" severity="medium">
-            <xccdf-1.2:title>Verify Permissions on the Open vSwitch Persistent System ID</xccdf-1.2:title>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_ovs_sys_id_conf_not_s390x" severity="medium">
+            <xccdf-1.2:title>Verify Group Who Owns The Open vSwitch Persistent System ID</xccdf-1.2:title>
             <xccdf-1.2:description>
-To properly set the permissions of <html:code>/etc/openvswitch/system-id.conf</html:code>, run the command:
-<html:pre>$ sudo chmod 0644 /etc/openvswitch/system-id.conf</html:pre></xccdf-1.2:description>
+To properly set the group owner of <html:code>/etc/openvswitch/system-id.conf</html:code>, run the command:
+<html:pre>$ sudo chgrp hugetlbfs /etc/openvswitch/system-id.conf</html:pre></xccdf-1.2:description>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
@@ -13386,20 +15378,20 @@ To properly set the permissions of <html:code>/etc/openvswitch/system-id.conf</h
 writing plugins to configure network interfaces in Linux containers, along with a number
 of supported plugins. Allowing writeable access to the files could allow an attacker to modify
 the networking configuration potentially adding a rogue network connection.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83400-2</xccdf-1.2:ident>
+            <xccdf-1.2:platform idref="#not_s390x_arch_and_ocp4-node"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83677-5</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_permissions_ovs_sys_id_conf:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_groupowner_ovs_sys_id_conf_not_s390x:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_permissions_ovs_sys_id_conf_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_groupowner_ovs_sys_id_conf_not_s390x_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_ovs_vswitchd_pid" severity="medium">
-            <xccdf-1.2:title>Verify Permissions on the Open vSwitch Daemon PID File</xccdf-1.2:title>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_ovs_sys_id_conf_s390x" severity="medium">
+            <xccdf-1.2:title>Verify Group Who Owns The Open vSwitch Persistent System ID</xccdf-1.2:title>
             <xccdf-1.2:description>
-To properly set the permissions of <html:code>/run/openvswitch/ovs-vswitchd.pid</html:code>, run the command:
-<html:pre>$ sudo chmod 0644 /run/openvswitch/ovs-vswitchd.pid</html:pre></xccdf-1.2:description>
+To properly set the group owner of <html:code>/etc/openvswitch/system-id.conf</html:code>, run the command:
+<html:pre>$ sudo chgrp hugetlbfs /etc/openvswitch/system-id.conf</html:pre></xccdf-1.2:description>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
@@ -13413,20 +15405,20 @@ To properly set the permissions of <html:code>/run/openvswitch/ovs-vswitchd.pid<
 writing plugins to configure network interfaces in Linux containers, along with a number
 of supported plugins. Allowing writeable access to the files could allow an attacker to modify
 the networking configuration potentially adding a rogue network connection.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83710-4</xccdf-1.2:ident>
+            <xccdf-1.2:platform idref="#ocp4-node_and_s390x_arch"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-85928-0</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_permissions_ovs_vswitchd_pid:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_groupowner_ovs_sys_id_conf_s390x:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_permissions_ovs_vswitchd_pid_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_groupowner_ovs_sys_id_conf_s390x_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_ovsdb_server_pid" severity="medium">
-            <xccdf-1.2:title>Verify Permissions on the Open vSwitch Database Server PID</xccdf-1.2:title>
-            <xccdf-1.2:description>
-To properly set the permissions of <html:code>/run/openvswitch/ovsdb-server.pid</html:code>, run the command:
-<html:pre>$ sudo chmod 0644 /run/openvswitch/ovsdb-server.pid</html:pre></xccdf-1.2:description>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_ovs_vswitchd_pid" severity="medium">
+            <xccdf-1.2:title>Verify Group Who Owns The Open vSwitch Daemon PID File</xccdf-1.2:title>
+            <xccdf-1.2:description>Ensure that the file <html:pre>/run/openvswitch/ovs-vswitchd.pid</html:pre>,
+is owned by the group <html:pre>openvswitch</html:pre> or <html:pre>hugetlbfs</html:pre>,
+depending on your settings and Open vSwitch version.</xccdf-1.2:description>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
@@ -13441,22 +15433,19 @@ writing plugins to configure network interfaces in Linux containers, along with
 of supported plugins. Allowing writeable access to the files could allow an attacker to modify
 the networking configuration potentially adding a rogue network connection.</xccdf-1.2:rationale>
             <xccdf-1.2:platform idref="#ocp4-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83679-1</xccdf-1.2:ident>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84129-6</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_permissions_ovsdb_server_pid:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_groupowner_ovs_vswitchd_pid:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_permissions_ovsdb_server_pid_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_groupowner_ovs_vswitchd_pid_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_scheduler" severity="medium">
-            <xccdf-1.2:title>Verify Permissions on the Kubernetes Scheduler Pod Specification File</xccdf-1.2:title>
-            <xccdf-1.2:description>
-To properly set the permissions of <html:code>/etc/kubernetes/static-pod-resources/kube-scheduler-pod-*/kube-scheduler-pod.yaml</html:code>, run the command:
-<html:pre>$ sudo chmod 0644 /etc/kubernetes/static-pod-resources/kube-scheduler-pod-*/kube-scheduler-pod.yaml</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:warning category="dependency">This rule is only applicable for nodes that run the Kubernetes Scheduler service.
-The aforementioned service is only running on the nodes labeled
-"master" by default.</xccdf-1.2:warning>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_ovsdb_server_pid" severity="medium">
+            <xccdf-1.2:title>Verify Group Who Owns The Open vSwitch Database Server PID</xccdf-1.2:title>
+            <xccdf-1.2:description>Ensure that the file <html:pre>/run/openvswitch/ovsdb-server.pid</html:pre>,
+is owned by the group <html:pre>openvswitch</html:pre> or <html:pre>hugetlbfs</html:pre>,
+depending on your settings and Open vSwitch version.</xccdf-1.2:description>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
@@ -13465,25 +15454,25 @@ The aforementioned service is only running on the nodes labeled
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.5</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>If the Kubernetes specification file is writable by a group-owner or the
-world the risk of its compromise is increased. The file contains the configuration of
-an Kubernetes Scheduler service that is configured on the system. Protection of this file is
-critical for OpenShift security.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-master-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84057-9</xccdf-1.2:ident>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.9</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>CNI (Container Network Interface) files consist of a specification and libraries for
+writing plugins to configure network interfaces in Linux containers, along with a number
+of supported plugins. Allowing writeable access to the files could allow an attacker to modify
+the networking configuration potentially adding a rogue network connection.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-node"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84166-8</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_permissions_scheduler:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_groupowner_ovsdb_server_pid:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_permissions_scheduler_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_groupowner_ovsdb_server_pid_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_scheduler_kubeconfig" severity="medium">
-            <xccdf-1.2:title>Verify Permissions on the Kubernetes Scheduler Kubeconfig File</xccdf-1.2:title>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_scheduler_kubeconfig" severity="medium">
+            <xccdf-1.2:title>Verify Group Who Owns The Kubernetes Scheduler Kubeconfig File</xccdf-1.2:title>
             <xccdf-1.2:description>
-To properly set the permissions of <html:code>/etc/kubernetes/static-pod-resources/kube-scheduler-pod-*/configmaps/scheduler-kubeconfig/kubeconfig</html:code>, run the command:
-<html:pre>$ sudo chmod 0644 /etc/kubernetes/static-pod-resources/kube-scheduler-pod-*/configmaps/scheduler-kubeconfig/kubeconfig</html:pre></xccdf-1.2:description>
+To properly set the group owner of <html:code>/etc/kubernetes/static-pod-resources/kube-scheduler-pod-*/configmaps/scheduler-kubeconfig/kubeconfig</html:code>, run the command:
+<html:pre>$ sudo chgrp root /etc/kubernetes/static-pod-resources/kube-scheduler-pod-*/configmaps/scheduler-kubeconfig/kubeconfig</html:pre></xccdf-1.2:description>
             <xccdf-1.2:warning category="dependency">This rule is only applicable for nodes that run the Kubernetes Scheduler service.
 The aforementioned service is only running on the nodes labeled
 "master" by default.</xccdf-1.2:warning>
@@ -13495,41 +15484,22 @@ The aforementioned service is only running on the nodes labeled
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.15</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.16</xccdf-1.2:reference>
             <xccdf-1.2:rationale>The kubeconfig for the Scheduler contains paramters for the scheduler
-to access the Kube API. You should restrict its file permissions to maintain
-the integrity of the file. The file should be writable by only the
-administrators on the system.</xccdf-1.2:rationale>
+to access the Kube API.
+You should set its file ownership to maintain the integrity of the file.</xccdf-1.2:rationale>
             <xccdf-1.2:platform idref="#ocp4-master-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83772-4</xccdf-1.2:ident>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_permissions_scheduler_kubeconfig:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_permissions_scheduler_kubeconfig_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_var_lib_etcd" severity="medium">
-            <xccdf-1.2:title>The OpenShift etcd Data Directory Must Have Mode 0700</xccdf-1.2:title>
-            <xccdf-1.2:description>
-To properly set the permissions of <html:code>/var/lib/etcd</html:code>, run the command:
-<html:pre>$ sudo chmod 0700 /var/lib/etcd</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.11</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>The <html:code>/var/lib/etcd</html:code> directory contains highly-avaliable distributed key/value data storage
-across an OpenShift cluster. Allowing access to users to this directory could compromise OpenShift
-data and the cluster.</xccdf-1.2:rationale>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83471-3</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_permissions_var_lib_etcd:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_groupowner_scheduler_kubeconfig:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_permissions_var_lib_etcd_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_groupowner_scheduler_kubeconfig_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_perms_openshift_sdn_cniserver_config" severity="medium">
-            <xccdf-1.2:title>Verify Permissions on the OpenShift SDN CNI Server Config</xccdf-1.2:title>
-            <xccdf-1.2:description>
-To properly set the permissions of <html:code>/var/run/openshift-sdn/cniserver/config.json</html:code>, run the command:
-<html:pre>$ sudo chmod 0444 /var/run/openshift-sdn/cniserver/config.json</html:pre></xccdf-1.2:description>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_cni_conf" severity="medium">
+            <xccdf-1.2:title>Verify User Who Owns The OpenShift Container Network Interface Files</xccdf-1.2:title>
+            <xccdf-1.2:description> To properly set the owner of <html:code>/etc/cni/net.d/*</html:code>, run the command: <html:pre>$ sudo chown root /etc/cni/net.d/* </html:pre></xccdf-1.2:description>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
@@ -13538,1115 +15508,831 @@ To properly set the permissions of <html:code>/var/run/openshift-sdn/cniserver/c
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.9</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.10</xccdf-1.2:reference>
             <xccdf-1.2:rationale>CNI (Container Network Interface) files consist of a specification and libraries for
 writing plugins to configure network interfaces in Linux containers, along with a number
 of supported plugins. Allowing writeable access to the files could allow an attacker to modify
 the networking configuration potentially adding a rogue network connection.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-node-on-sdn"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83927-4</xccdf-1.2:ident>
+            <xccdf-1.2:platform idref="#ocp4-node"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83460-6</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_perms_openshift_sdn_cniserver_config:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_owner_cni_conf:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_perms_openshift_sdn_cniserver_config_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_owner_cni_conf_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-        </xccdf-1.2:Group>
-        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_networking">
-          <xccdf-1.2:title>Kubernetes - Network Configuration and Firewalls</xccdf-1.2:title>
-          <xccdf-1.2:description>Most systems must be connected to a network of some
-sort, and this brings with it the substantial risk of network
-attack. This section discusses the security impact of decisions
-about networking which must be made when configuring a system.
-<html:br/><html:br/>
-This section also discusses firewalls, network access
-controls, and other network security frameworks, which allow
-system-level rules to be written that can limit an attackers' ability
-to connect to your system. These rules can specify that network
-traffic should be allowed or denied from certain IP addresses,
-hosts, and networks. The rules can also specify which of the
-system's network services are available to particular hosts or
-networks.</xccdf-1.2:description>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_cluster_wide_proxy_set" severity="medium">
-            <xccdf-1.2:title>Ensure that cluster-wide proxy is set</xccdf-1.2:title>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_controller_manager_kubeconfig" severity="medium">
+            <xccdf-1.2:title>Verify User Who Owns The OpenShift Controller Manager Kubeconfig File</xccdf-1.2:title>
             <xccdf-1.2:description>
-              <html:p>
-Production environments can deny direct access to the Internet and instead have
-an HTTP or HTTPS proxy available.
-</html:p>
-              <html:p>
-The Proxy object is used to manage the cluster-wide egress proxy. Setting this
-will ensure that containers get the appropriate environment variables set
-to ensure traffic goes to the proxy per organizational requirements.
-</html:p>
-              <html:p>
-For more information, see <html:a href="https://docs.openshift.com/container-platform/latest/networking/enable-cluster-wide-proxy.html">the relevant documentation.</html:a>
-</html:p>
-            </xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">This rule's check operates on the cluster configuration dump.
-Therefore, you need to use a tool that can query the OCP API, retrieve the <html:code class="ocp-api-endpoint">/apis/config.openshift.io/v1/proxies/cluster</html:code> API endpoint to the local <html:code class="ocp-dump-location"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>/apis/config.openshift.io/v1/proxies/cluster</html:code> file.</xccdf-1.2:warning>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.4</xccdf-1.2:reference>
+To properly set the owner of <html:code>/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/configmaps/controller-manager-kubeconfig/kubeconfig</html:code>, run the command:
+<html:pre>$ sudo chown root /etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/configmaps/controller-manager-kubeconfig/kubeconfig </html:pre></xccdf-1.2:description>
+            <xccdf-1.2:warning category="dependency">This rule is only applicable for nodes that run the Kubernetes Controller Manager service.
+The aforementioned service is only running on the nodes labeled
+"master" by default.</xccdf-1.2:warning>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(8)</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>External networks tend to be outside of organizational control. By ensuring
-that egress traffic goes through an authorized proxy, one is able to ensure
-that expected and safe traffic is coming out, and malicious actors
-aren't leaking sensitive information, or calling back from a central command
-center to get further instructions upon intrusion.</xccdf-1.2:rationale>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-90765-9</xccdf-1.2:ident>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.18</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>The Controller Manager's kubeconfig contains information about how the
+component will access the API server. You should set its file ownership to
+maintain the integrity of the file.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-master-node"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83904-3</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-cluster_wide_proxy_set:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_owner_controller_manager_kubeconfig:def:1"/>
+            </xccdf-1.2:check>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_owner_controller_manager_kubeconfig_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_configure_network_policies" severity="high">
-            <xccdf-1.2:title>Ensure that the CNI in use supports Network Policies</xccdf-1.2:title>
-            <xccdf-1.2:description>There are a variety of CNI plugins available for Kubernetes. If the CNI in
-use does not support Network Policies it may not be possible to effectively
-restrict traffic in the cluster. OpenShift supports Kubernetes NetworkPolicy
-using a Kubernetes Container Network Interface (CNI) plug-in.</xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">This rule's check operates on the cluster configuration dump.
-Therefore, you need to use a tool that can query the OCP API, retrieve the following:
-<html:ul><html:li><html:code class="ocp-api-endpoint" id="35e33d6dc1252a03495b35bd1751cac70041a511fa4d282c300a8b83b83e3498">/apis/operator.openshift.io/v1/networks/cluster</html:code>
-    API endpoint, filter with with the <html:code>jq</html:code> utility using the following filter
-    <html:code class="ocp-api-filter" id="filter-35e33d6dc1252a03495b35bd1751cac70041a511fa4d282c300a8b83b83e3498">[.spec.defaultNetwork.type]</html:code>
-    and persist it to the local
-    <html:code class="ocp-dump-location" id="dump-35e33d6dc1252a03495b35bd1751cac70041a511fa4d282c300a8b83b83e3498"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>/apis/operator.openshift.io/v1/networks/cluster#35e33d6dc1252a03495b35bd1751cac70041a511fa4d282c300a8b83b83e3498</html:code>
-    file.
-  </html:li></html:ul></xccdf-1.2:warning>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_etcd_data_dir" severity="medium">
+            <xccdf-1.2:title>Verify User Who Owns The Etcd Database Directory</xccdf-1.2:title>
+            <xccdf-1.2:description>
+To properly set the owner of <html:code>/var/lib/etcd/member/</html:code>, run the command:
+<html:pre>$ sudo chown root /var/lib/etcd/member/ </html:pre></xccdf-1.2:description>
+            <xccdf-1.2:warning category="dependency">This rule is only applicable for nodes that run the Etcd service.
+The aforementioned service is only running on the nodes labeled
+"master" by default.</xccdf-1.2:warning>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
             <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-1.1.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-2.2</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000038-CTR-000105</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000039-CTR-000110</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">5.3.1</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Kubernetes network policies are enforced by the CNI plugin in use. As such
-it is important to ensure that the CNI plugin supports both Ingress and
-Egress network policies.</xccdf-1.2:rationale>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.12</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>etcd is a highly-available key-value store used by Kubernetes deployments for
+persistent storage of all of its REST API objects. This data directory should
+be protected from any unauthorized reads or writes.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-master-node"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83905-0</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-configure_network_policies:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_owner_etcd_data_dir:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-configure_network_policies_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_owner_etcd_data_dir_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_configure_network_policies_namespaces" severity="high">
-            <xccdf-1.2:title>Ensure that application Namespaces have Network Policies defined.</xccdf-1.2:title>
-            <xccdf-1.2:description>Use network policies to isolate traffic in your cluster network.</xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">This rule's check operates on the cluster configuration dump.
-Therefore, you need to use a tool that can query the OCP API, retrieve the following:
-<html:ul><html:li><html:code class="ocp-api-endpoint" id="51742b3e87275db9eb7fc6c0286a9e536178a2a83e3670b615ceaf545e7fd300">/apis/networking.k8s.io/v1/networkpolicies</html:code>
-    API endpoint, filter with with the <html:code>jq</html:code> utility using the following filter
-    <html:code class="ocp-api-filter" id="filter-51742b3e87275db9eb7fc6c0286a9e536178a2a83e3670b615ceaf545e7fd300">[.items[] | select((.metadata.namespace | startswith("openshift") | not) and (.metadata.namespace | startswith("kube-") | not) and .metadata.namespace != "default") | .metadata.namespace] | unique</html:code>
-    and persist it to the local
-    <html:code class="ocp-dump-location" id="dump-51742b3e87275db9eb7fc6c0286a9e536178a2a83e3670b615ceaf545e7fd300"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>/apis/networking.k8s.io/v1/networkpolicies#51742b3e87275db9eb7fc6c0286a9e536178a2a83e3670b615ceaf545e7fd300</html:code>
-    file.
-  </html:li><html:li><html:code class="ocp-api-endpoint" id="34d4beecc95c65d815d9d48fd4fdcb0c521631852ad088ef74e36d012b0e1e0d">/api/v1/namespaces</html:code>
-    API endpoint, filter with with the <html:code>jq</html:code> utility using the following filter
-    <html:code class="ocp-api-filter" id="filter-34d4beecc95c65d815d9d48fd4fdcb0c521631852ad088ef74e36d012b0e1e0d">[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default")]</html:code>
-    and persist it to the local
-    <html:code class="ocp-dump-location" id="dump-34d4beecc95c65d815d9d48fd4fdcb0c521631852ad088ef74e36d012b0e1e0d"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>/api/v1/namespaces#34d4beecc95c65d815d9d48fd4fdcb0c521631852ad088ef74e36d012b0e1e0d</html:code>
-    file.
-  </html:li></html:ul></xccdf-1.2:warning>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R4.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5</xccdf-1.2:reference>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_etcd_data_files" severity="medium">
+            <xccdf-1.2:title>Verify User Who Owns The Etcd Write-Ahead-Log Files</xccdf-1.2:title>
+            <xccdf-1.2:description>
+To properly set the owner of <html:code>/var/lib/etcd/member/wal/*</html:code>, run the command:
+<html:pre>$ sudo chown root /var/lib/etcd/member/wal/* </html:pre></xccdf-1.2:description>
+            <xccdf-1.2:warning category="dependency">This rule is only applicable for nodes that run the Etcd service.
+The aforementioned service is only running on the nodes labeled
+"master" by default.</xccdf-1.2:warning>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.4</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4(21)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CA-3(5)</xccdf-1.2:reference>
             <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(3)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(5)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(8)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(12)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(13)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(18)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(10)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-4(22)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-1.1.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-1.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-1.3.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-1.3.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000038-CTR-000105</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000039-CTR-000110</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000141-CTR-000315</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000141-CTR-000320</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000142-CTR-000325</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000142-CTR-000330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000645-CTR-001410</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">5.3.2</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Running different applications on the same Kubernetes cluster creates a risk of one
-compromised application attacking a neighboring application. Network segmentation is
-important to ensure that containers can communicate only with those they are supposed
-to. When a network policy is introduced to a given namespace, all traffic not allowed
-by the policy is denied. However, if there are no network policies in a namespace all
-traffic will be allowed into and out of the pods in that namespace.</xccdf-1.2:rationale>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.12</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>etcd is a highly-available key-value store used by Kubernetes deployments for
+persistent storage of all of its REST API objects. This data directory should
+be protected from any unauthorized reads or writes.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-master-node"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84010-8</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-configure_network_policies_namespaces:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_owner_etcd_data_files:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-configure_network_policies_namespaces_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_owner_etcd_data_files_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_default_ingress_ca_replaced" severity="medium">
-            <xccdf-1.2:title>Ensure that the default Ingress CA (wildcard issuer) has been replaced</xccdf-1.2:title>
-            <xccdf-1.2:description>Check that the default Ingress CA has been replaced.</xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">This rule's check operates on the cluster configuration dump.
-Therefore, you need to use a tool that can query the OCP API, retrieve the <html:code class="ocp-api-endpoint">/apis/config.openshift.io/v1/proxies/cluster</html:code> API endpoint to the local <html:code class="ocp-dump-location"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>/apis/config.openshift.io/v1/proxies/cluster</html:code> file.</xccdf-1.2:warning>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-17</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>OpenShift auto-generates several PKIs to serve TLS on different
-endpoints of the system. It is possible and necessary to configure a
-custom PKI which allows external clients to trust the endpoints.
-
-The Ingress Operator is the component responsible for enabling external
-access to OpenShift Container Platform cluster services. The aforementioned
-operator creates an internal CA and issues a wildcard certificate that is
-valid for applications under the .apps sub-domain. Both the web console
-and CLI use this certificate as well. The certificate and key would need
-to be replaced since a certificate coming from a trusted provider is
-needed.
-
-
-      <html:a href="https://docs.openshift.com/container-platform/latest/security/certificates/replacing-default-ingress-certificate.html">https://docs.openshift.com/container-platform/latest/security/certificates/replacing-default-ingress-certificate.html</html:a></xccdf-1.2:rationale>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_etcd_member" severity="medium">
+            <xccdf-1.2:title>Verify User Who Owns The Etcd Member Pod Specification File</xccdf-1.2:title>
+            <xccdf-1.2:description> To properly set the owner of <html:code>/etc/kubernetes/static-pod-resources/etcd-pod-*/etcd-pod.yaml</html:code>, run the command: <html:pre>$ sudo chown root /etc/kubernetes/static-pod-resources/etcd-pod-*/etcd-pod.yaml </html:pre></xccdf-1.2:description>
+            <xccdf-1.2:warning category="dependency">This rule is only applicable for nodes that run the Etcd service.
+The aforementioned service is only running on the nodes labeled
+"master" by default.</xccdf-1.2:warning>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.8</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>The etcd pod specification file controls various parameters that
+set the behavior of the etcd service in the master node. etcd is a
+highly-available key-value store which Kubernetes uses for persistent
+storage of all of its REST API object. You should restrict its file
+permissions to maintain the integrity of the file. The file should be
+writable by only the administrators on the system.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-master-node"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83988-6</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-default_ingress_ca_replaced:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_owner_etcd_member:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-default_ingress_ca_replaced_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_owner_etcd_member_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_ingress_controller_certificate" severity="medium">
-            <xccdf-1.2:title>Ensure that the default Ingress certificate has been replaced</xccdf-1.2:title>
-            <xccdf-1.2:description>Check that the default Ingress certificate has been replaced.</xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">This rule's check operates on the cluster configuration dump.
-Therefore, you need to use a tool that can query the OCP API, retrieve the <html:code class="ocp-api-endpoint">/apis/operator.openshift.io/v1/namespaces/openshift-ingress-operator/ingresscontrollers/default</html:code> API endpoint to the local <html:code class="ocp-dump-location"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>/apis/operator.openshift.io/v1/namespaces/openshift-ingress-operator/ingresscontrollers/default</html:code> file.</xccdf-1.2:warning>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>OpenShift auto-generates several PKIs to serve TLS on different
-endpoints of the system. It is possible and necessary to configure a
-custom PKI which allows external clients to trust the endpoints.
-
-The Ingress Operator is the component responsible for enabling external
-access to OpenShift Container Platform cluster services. The aforementioned
-operator creates an internal CA and issues a wildcard certificate that is
-valid for applications under the .apps sub-domain. Both the web console
-and CLI use this certificate as well. The certificate and key would need
-to be replaced since a certificate coming from a trusted provider is
-needed.
-
-
-      <html:a href="https://docs.openshift.com/container-platform/latest/security/certificates/replacing-default-ingress-certificate.html">https://docs.openshift.com/container-platform/latest/security/certificates/replacing-default-ingress-certificate.html</html:a></xccdf-1.2:rationale>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_etcd_pki_cert_files" severity="medium">
+            <xccdf-1.2:title>Verify User Who Owns The Etcd PKI Certificate Files</xccdf-1.2:title>
+            <xccdf-1.2:description>
+To properly set the owner of <html:code>/etc/kubernetes/static-pod-resources/*/*/*/*.crt</html:code>, run the command:
+<html:pre>$ sudo chown root /etc/kubernetes/static-pod-resources/*/*/*/*.crt </html:pre></xccdf-1.2:description>
+            <xccdf-1.2:warning category="dependency">This rule is only applicable for nodes that run the Etcd service.
+The aforementioned service is only running on the nodes labeled
+"master" by default.</xccdf-1.2:warning>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.19</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>OpenShift makes use of a number of certificates as part of its operation.
+You should verify the ownership of the directory containing the PKI
+information and all files in that directory to maintain their integrity.
+The directory and files should be owned by the system administrator.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-master-node"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83898-7</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-ingress_controller_certificate:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_owner_etcd_pki_cert_files:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-ingress_controller_certificate_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_owner_etcd_pki_cert_files_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_route_ip_whitelist" severity="medium">
-            <xccdf-1.2:title>Ensure that all Routes has rate limit enabled</xccdf-1.2:title>
-            <xccdf-1.2:description>OpenShift has an option to set the IP whitelist for Routes [1] when
-creating new Routes. All routes outside the openshift namespaces and 
-the kube namespaces should use the IP whitelist annotations. Requests
-from IP addresses that are not in the whitelist are dropped.
-
-[1] https://docs.openshift.com/container-platform/latest/networking/routes/route-configuration.html#nw-route-specific-annotations_route-configuration</xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">This rule's check operates on the cluster configuration dump.
-Therefore, you need to use a tool that can query the OCP API, retrieve the following:
-<html:ul><html:li><html:code class="ocp-api-endpoint" id="aec152a4446d7917fcbebee892a2ec3fbdef3b71cc0784c9457b2e54fd64dd3b">/apis/route.openshift.io/v1/routes?limit=500</html:code>
-    API endpoint, filter with with the <html:code>jq</html:code> utility using the following filter
-    <html:code class="ocp-api-filter" id="filter-aec152a4446d7917fcbebee892a2ec3fbdef3b71cc0784c9457b2e54fd64dd3b">[.items[] | select(.metadata.namespace | startswith("kube-") or startswith("openshift-") | not) | select(.metadata.annotations["haproxy.router.openshift.io/ip_whitelist"] | not) | .metadata.name]</html:code>
-    and persist it to the local
-    <html:code class="ocp-dump-location" id="dump-aec152a4446d7917fcbebee892a2ec3fbdef3b71cc0784c9457b2e54fd64dd3b"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>/apis/route.openshift.io/v1/routes?limit=500#aec152a4446d7917fcbebee892a2ec3fbdef3b71cc0784c9457b2e54fd64dd3b</html:code>
-    file.
-  </html:li></html:ul></xccdf-1.2:warning>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(5)</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>The usage of IP whitelist for Routes provides basic protection against unwanted access.</xccdf-1.2:rationale>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-90596-8</xccdf-1.2:ident>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_ip_allocations" severity="medium">
+            <xccdf-1.2:title>Verify User Who Owns The OpenShift SDN Container Network Interface Plugin IP Address Allocations</xccdf-1.2:title>
+            <xccdf-1.2:description> To properly set the owner of <html:code>/var/lib/cni/networks/openshift-sdn/.*</html:code>, run the command: <html:pre>$ sudo chown root /var/lib/cni/networks/openshift-sdn/.* </html:pre></xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.10</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>CNI (Container Network Interface) files consist of a specification and libraries for
+writing plugins to configure network interfaces in Linux containers, along with a number
+of supported plugins. Allowing writeable access to the files could allow an attacker to modify
+the networking configuration potentially adding a rogue network connection.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-node-on-sdn"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84248-4</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-route_ip_whitelist:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_owner_ip_allocations:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-route_ip_whitelist_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_owner_ip_allocations_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_routes_protected_by_tls" severity="medium">
-            <xccdf-1.2:title>Ensure that all OpenShift Routes prefer TLS</xccdf-1.2:title>
-            <xccdf-1.2:description>OpenShift Container Platform provides methods for communicating from
-outside the cluster with services running in the cluster. TLS must
-be used to protect these communications. OpenShift
-Routes provide the ability to configure the needed TLS settings. With
-these, one is able to configure that any request coming from the outside
-must use TLS. To verify this, ensure that every Route in the system
-has a policy of <html:code>Disable</html:code> or <html:code>Redirect</html:code> to ensure a
-secure endpoint is used. The aforementioned policy will be set in
-a Routes <html:code>.spec.tls.insecureEdgeTerminationPolicy</html:code> setting.</xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">This rule's check operates on the cluster configuration dump.
-Therefore, you need to use a tool that can query the OCP API, retrieve the <html:code class="ocp-api-endpoint">/apis/route.openshift.io/v1/routes?limit=500</html:code> API endpoint to the local <html:code class="ocp-dump-location"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>/apis/route.openshift.io/v1/routes?limit=500</html:code> file.</xccdf-1.2:warning>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R4.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5</xccdf-1.2:reference>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_kube_apiserver" severity="medium">
+            <xccdf-1.2:title>Verify User Who Owns The Kubernetes API Server Pod Specification File</xccdf-1.2:title>
+            <xccdf-1.2:description> To properly set the owner of <html:code>/etc/kubernetes/static-pod-resources/kube-apiserver-pod-*/kube-apiserver-pod.yaml</html:code>, run the command: <html:pre>$ sudo chown root /etc/kubernetes/static-pod-resources/kube-apiserver-pod-*/kube-apiserver-pod.yaml </html:pre></xccdf-1.2:description>
+            <xccdf-1.2:warning category="dependency">This rule is only applicable for nodes that run the Kubernetes API Server service.
+The aforementioned service is only running on the nodes labeled
+"master" by default.</xccdf-1.2:warning>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R7.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4(21)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(3)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-8(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-8(2)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-6.5.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000038-CTR-000105</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000039-CTR-000110</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000441-CTR-001090</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000442-CTR-001095</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Using clear-text in communications coming to or from outside
-the cluster's network may leak sensitive information.</xccdf-1.2:rationale>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84225-2</xccdf-1.2:ident>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.2</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>The Kubernetes specification file contains information about the configuration of the
+Kubernetes API Server that is configured on the system. Protection of this file is
+critical for OpenShift security.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-master-node"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83372-3</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-routes_protected_by_tls:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_owner_kube_apiserver:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-routes_protected_by_tls_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_owner_kube_apiserver_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_routes_rate_limit" severity="medium">
-            <xccdf-1.2:title>Ensure that all Routes has rate limit enabled</xccdf-1.2:title>
-            <xccdf-1.2:description>OpenShift has an option to set the rate limit for Routes [1] when creating new Routes.
-All routes outside the openshift namespaces and the kube namespaces should use the
-rate-limiting annotations.
-
-[1] https://docs.openshift.com/container-platform/4.9/networking/routes/route-configuration.html#nw-route-specific-annotations_route-configuration</xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">This rule's check operates on the cluster configuration dump.
-Therefore, you need to use a tool that can query the OCP API, retrieve the following:
-<html:ul><html:li><html:code class="ocp-api-endpoint" id="842fa6716f17342d62e70f2755db709b9d7a161cf0338ea8bfae9b06dab5e6cc">/apis/route.openshift.io/v1/routes?limit=500</html:code>
-    API endpoint, filter with with the <html:code>jq</html:code> utility using the following filter
-    <html:code class="ocp-api-filter" id="filter-842fa6716f17342d62e70f2755db709b9d7a161cf0338ea8bfae9b06dab5e6cc">[.items[] | select(.metadata.namespace | startswith("kube-") or startswith("openshift-") | not) | select(.metadata.annotations["haproxy.router.openshift.io/rate-limit-connections"] == "true" | not) | .metadata.name]</html:code>
-    and persist it to the local
-    <html:code class="ocp-dump-location" id="dump-842fa6716f17342d62e70f2755db709b9d7a161cf0338ea8bfae9b06dab5e6cc"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>/apis/route.openshift.io/v1/routes?limit=500#842fa6716f17342d62e70f2755db709b9d7a161cf0338ea8bfae9b06dab5e6cc</html:code>
-    file.
-  </html:li></html:ul></xccdf-1.2:warning>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5(2)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000246-CTR-000605</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000435-CTR-001070</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>The usage of rate limit for Routes provides basic protection against distributed denial-of-service (DDoS) attacks.</xccdf-1.2:rationale>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-90779-0</xccdf-1.2:ident>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_kube_controller_manager" severity="medium">
+            <xccdf-1.2:title>Verify User Who Owns The Kubernetes Controller Manager Pod Specificiation File</xccdf-1.2:title>
+            <xccdf-1.2:description> To properly set the owner of <html:code>/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/kube-controller-manager-pod.yaml</html:code>, run the command: <html:pre>$ sudo chown root /etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/kube-controller-manager-pod.yaml </html:pre></xccdf-1.2:description>
+            <xccdf-1.2:warning category="dependency">This rule is only applicable for nodes that run the Kubernetes Controller Manager service.
+The aforementioned service is only running on the nodes labeled
+"master" by default.</xccdf-1.2:warning>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.4</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>The Kubernetes specification file contains information about the configuration of the
+Kubernetes Controller Manager Server that is configured on the system. Protection of this file is
+critical for OpenShift security.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-master-node"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83795-5</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-routes_rate_limit:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_owner_kube_controller_manager:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-routes_rate_limit_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_owner_kube_controller_manager_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-        </xccdf-1.2:Group>
-        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_openshift-api-server">
-          <xccdf-1.2:title>OpenShift API Server</xccdf-1.2:title>
-          <xccdf-1.2:description>This section contains recommendations for openshift-apiserver configuration.</xccdf-1.2:description>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_openshift_api_server_audit_log_path" severity="high">
-            <xccdf-1.2:title>Configure the Audit Log Path</xccdf-1.2:title>
-            <xccdf-1.2:description>To enable auditing on the OpenShift API Server, the audit log path must be set.
-Edit the <html:code>openshift-apiserver</html:code> configmap
-and set the <html:code>audit-log-path</html:code> to a suitable path and file
-where audit logs should be written. For example:
-<html:pre>
-"apiServerArguments":{
-  ...
-  "audit-log-path":"/var/log/openshift-apiserver/audit.log",
-  ...
-</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">This rule's check operates on the cluster configuration dump.
-Therefore, you need to use a tool that can query the OCP API, retrieve the <html:code class="ocp-api-endpoint">/api/v1/namespaces/openshift-apiserver/configmaps/config</html:code> API endpoint to the local <html:code class="ocp-dump-location"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>/api/v1/namespaces/openshift-apiserver/configmaps/config</html:code> file.</xccdf-1.2:warning>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_kube_scheduler" severity="medium">
+            <xccdf-1.2:title>Verify User Who Owns The Kubernetes Scheduler Pod Specification File</xccdf-1.2:title>
+            <xccdf-1.2:description> To properly set the owner of <html:code>/etc/kubernetes/static-pod-resources/kube-scheduler-pod-*/kube-scheduler-pod.yaml</html:code>, run the command: <html:pre>$ sudo chown root /etc/kubernetes/static-pod-resources/kube-scheduler-pod-*/kube-scheduler-pod.yaml </html:pre></xccdf-1.2:description>
+            <xccdf-1.2:warning category="dependency">This rule is only applicable for nodes that run the Kubernetes Scheduler service.
+The aforementioned service is only running on the nodes labeled
+"master" by default.</xccdf-1.2:warning>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
             <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-2.2</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.2.22</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Auditing of the API Server is not enabled by default. Auditing the API Server
-provides a security-relevant chronological set of records documenting the sequence
-of activities that have affected the system by users, administrators, or other
-system components.</xccdf-1.2:rationale>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83547-0</xccdf-1.2:ident>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.6</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>The Kubernetes specification file contains information about the configuration of the
+Kubernetes scheduler that is configured on the system. Protection of this file is
+critical for OpenShift security.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-master-node"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83393-9</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-openshift_api_server_audit_log_path:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_owner_kube_scheduler:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-openshift_api_server_audit_log_path_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_owner_kube_scheduler_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-        </xccdf-1.2:Group>
-        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_rbac">
-          <xccdf-1.2:title>Role-based Acess Control</xccdf-1.2:title>
-          <xccdf-1.2:description>Role-based access control (RBAC) objects determine
-whether a user is allowed to perform a given action
-within a project.
-
-Cluster administrators can use the cluster roles and
-bindings to control who has various access levels to
-the OpenShift Container Platform platform itself
-and all projects.
-
-Developers can use local roles and bindings to control
-who has access to their projects. Note that authorization
-is a separate step from authentication, which is more
-about determining the identity of who is taking the action.</xccdf-1.2:description>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_rbac_cluster_roles_defined" severity="medium">
-            <xccdf-1.2:title>Ensure cluster roles are defined in the cluster</xccdf-1.2:title>
-            <xccdf-1.2:description>
-              <html:p>
-RBAC is a critical feature in terms of security for Kubernetes and
-OpenShift. It enables administrators to segment the privileges
-granted to a service account, and thus allows us to limit the
-access to resources that they get. By defining cluster roles appropriately
-one is able to codify organizational policy. [1]
-</html:p>
-              <html:p>
-[1] 
-      <html:a href="https://docs.openshift.com/container-platform/latest/authentication/using-rbac.html">https://docs.openshift.com/container-platform/latest/authentication/using-rbac.html</html:a>
-</html:p>
-            </xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">This rule's check operates on the cluster configuration dump.
-Therefore, you need to use a tool that can query the OCP API, retrieve the <html:code class="ocp-api-endpoint">/apis/rbac.authorization.k8s.io/v1/clusterroles?limit=1000</html:code> API endpoint to the local <html:code class="ocp-dump-location"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>/apis/rbac.authorization.k8s.io/v1/clusterroles?limit=1000</html:code> file.</xccdf-1.2:warning>
-            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-7.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>By defining RBAC cluster roles, one is able to limit the permissions
-given to a Service Account, and thus limit the blast radius
-that an account compromise would have.</xccdf-1.2:rationale>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-86595-6</xccdf-1.2:ident>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-rbac_cluster_roles_defined:def:1"/>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_kubeconfig" severity="medium">
+            <xccdf-1.2:title>Verify User Who Owns The OpenShift Admin Kubeconfig File</xccdf-1.2:title>
+            <xccdf-1.2:description> To properly set the owner of <html:code>/etc/kubernetes/kubeconfig</html:code>, run the command: <html:pre>$ sudo chown root /etc/kubernetes/kubeconfig </html:pre></xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.14</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>The <html:code>/etc/kubernetes/kubeconfig</html:code> file contains information about the administrative configuration of the
+OpenShift cluster that is configured on the system. Protection of this file is
+critical for OpenShift security.</xccdf-1.2:rationale>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_owner_kubeconfig_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_rbac_debug_role_protects_pprof" severity="medium">
-            <xccdf-1.2:title>Profiling is protected by RBAC</xccdf-1.2:title>
-            <xccdf-1.2:description>Ensure that the cluster-debugger cluster role includes the /debug/pprof
-resource URL. This demonstrates that profiling is protected by RBAC, with a
-specific cluster role to allow access.</xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">This rule's check operates on the cluster configuration dump.
-Therefore, you need to use a tool that can query the OCP API, retrieve the <html:code class="ocp-api-endpoint">/apis/rbac.authorization.k8s.io/v1/clusterroles/cluster-debugger</html:code> API endpoint to the local <html:code class="ocp-dump-location"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>/apis/rbac.authorization.k8s.io/v1/clusterroles/cluster-debugger</html:code> file.</xccdf-1.2:warning>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_master_admin_kubeconfigs" severity="medium">
+            <xccdf-1.2:title>Verify User Who Owns The OpenShift Admin Kubeconfig Files</xccdf-1.2:title>
+            <xccdf-1.2:description>
+To properly set the owner of <html:code>/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/*.kubeconfig</html:code>, run the command:
+<html:pre>$ sudo chown root /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/*.kubeconfig </html:pre></xccdf-1.2:description>
+            <xccdf-1.2:warning category="dependency">This rule is only applicable for nodes that run the Kubernetes Control Plane.
+The aforementioned service is only running on the nodes labeled
+"master" by default.</xccdf-1.2:warning>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
             <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-2.2</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.3.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.4.1</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Profiling allows for the identification of specific performance bottlenecks.
-It generates a significant amount of program data that could potentially be
-exploited to uncover system and program details. If you are not experiencing
-any bottlenecks and do not need the profiler for troubleshooting purposes, it
-is recommended to turn it off to reduce the potential attack surface. To
-ensure the collected data is not exploited, profiling endpoints are secured
-via RBAC (see cluster-debugger role). By default, the profiling endpoints are
-accessible only by users bound to cluster-admin or cluster-debugger role.
-Profiling can not be disabled.</xccdf-1.2:rationale>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84182-5</xccdf-1.2:ident>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.14</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>There are various kubeconfig files that can be used by the administrator,
+defining various settings for the administration of the cluster. These files
+contain credentials that can be used to control the cluster and are needed
+for disaster recovery and each kubeconfig points to a different endpoint in
+the cluster. You should restrict its file permissions to maintain the
+integrity of the kubeconfig file as an attacker who gains access to these
+files can take over the cluster.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-master-node"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83719-5</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-rbac_debug_role_protects_pprof:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_owner_master_admin_kubeconfigs:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-rbac_debug_role_protects_pprof_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_owner_master_admin_kubeconfigs_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_rbac_limit_cluster_admin" severity="medium">
-            <xccdf-1.2:title>Ensure that the cluster-admin role is only used where required</xccdf-1.2:title>
-            <xccdf-1.2:description>The RBAC role cluster-admin provides wide-ranging powers over the
-environment and should be used only where and when needed.</xccdf-1.2:description>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_multus_conf" severity="medium">
+            <xccdf-1.2:title>Verify User Who Owns The OpenShift Multus Container Network Interface Plugin Files</xccdf-1.2:title>
+            <xccdf-1.2:description> To properly set the owner of <html:code>/var/run/multus/cni/net.d/*</html:code>, run the command: <html:pre>$ sudo chown root /var/run/multus/cni/net.d/* </html:pre></xccdf-1.2:description>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
             <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-7.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.5.1</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">5.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Kubernetes provides a set of default roles where RBAC is used. Some of these
-roles such as cluster-admin provide wide-ranging privileges which should
-only be applied where absolutely necessary. Roles such as cluster-admin
-allow super-user access to perform any action on any resource. When used in
-a ClusterRoleBinding, it gives full control over every resource in the
-cluster and in all namespaces. When used in a RoleBinding, it gives full
-control over every resource in the rolebinding's namespace, including the
-namespace itself.</xccdf-1.2:rationale>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.10</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>CNI (Container Network Interface) files consist of a specification and libraries for
+writing plugins to configure network interfaces in Linux containers, along with a number
+of supported plugins. Allowing writeable access to the files could allow an attacker to modify
+the networking configuration potentially adding a rogue network connection.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-node"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83603-1</xccdf-1.2:ident>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_owner_multus_conf:def:1"/>
+            </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-rbac_limit_cluster_admin_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_owner_multus_conf_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_rbac_limit_secrets_access" severity="medium">
-            <xccdf-1.2:title>Limit Access to Kubernetes Secrets</xccdf-1.2:title>
-            <xccdf-1.2:description>The Kubernetes API stores secrets, which may be service
-account tokens for the Kubernetes API or credentials used
-by workloads in the cluster. Access to these secrets should
-be restricted to the smallest possible group of users to
-reduce the risk of privilege escalation. To restrict users from
-secrets, remove <html:code>get</html:code>, <html:code>list</html:code>, and <html:code>watch</html:code>
-access to unauthorized users to secret objects in the cluster.</xccdf-1.2:description>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_openshift_pki_cert_files" severity="medium">
+            <xccdf-1.2:title>Verify User Who Owns The OpenShift PKI Certificate Files</xccdf-1.2:title>
+            <xccdf-1.2:description>
+To properly set the owner of <html:code>/etc/kubernetes/static-pod-resources/*/*/*/tls.crt</html:code>, run the command:
+<html:pre>$ sudo chown root /etc/kubernetes/static-pod-resources/*/*/*/tls.crt </html:pre></xccdf-1.2:description>
+            <xccdf-1.2:warning category="dependency">This rule is only applicable for nodes that run the Kubernetes Control Plane.
+The aforementioned service is only running on the nodes labeled
+"master" by default.</xccdf-1.2:warning>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
             <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-2.2</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">5.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Inappropriate access to secrets stored within the Kubernetes
-cluster can allow for an attacker to gain additional access to
-the Kubernetes cluster or external resources whose credentials
-are stored as secrets.</xccdf-1.2:rationale>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.19</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>OpenShift makes use of a number of certificates as part of its operation.
+You should verify the ownership of the directory containing the PKI
+information and all files in that directory to maintain their integrity.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-master-node"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83558-7</xccdf-1.2:ident>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_owner_openshift_pki_cert_files:def:1"/>
+            </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-rbac_limit_secrets_access_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_owner_openshift_pki_cert_files_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_rbac_pod_creation_access" severity="medium">
-            <xccdf-1.2:title>Minimize Access to Pod Creation</xccdf-1.2:title>
-            <xccdf-1.2:description>The ability to create pods in a namespace can provide a
-number of opportunities for privilege escalation. Where
-applicable, remove <html:code>create</html:code> access to <html:code>pod</html:code>
-objects in the cluster.</xccdf-1.2:description>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_openshift_pki_key_files" severity="medium">
+            <xccdf-1.2:title>Verify User Who Owns The OpenShift PKI Private Key Files</xccdf-1.2:title>
+            <xccdf-1.2:description>
+To properly set the owner of <html:code>/etc/kubernetes/static-pod-resources/*/*/*/*.key</html:code>, run the command:
+<html:pre>$ sudo chown root /etc/kubernetes/static-pod-resources/*/*/*/*.key </html:pre></xccdf-1.2:description>
+            <xccdf-1.2:warning category="dependency">This rule is only applicable for nodes that run the Kubernetes Control Plane.
+The aforementioned service is only running on the nodes labeled
+"master" by default.</xccdf-1.2:warning>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
             <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-2.2</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">5.1.4</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>The ability to create pods in a cluster opens up the cluster
-for privilege escalation.</xccdf-1.2:rationale>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.19</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>OpenShift makes use of a number of certificates as part of its operation.
+You should verify the ownership of the directory containing the PKI
+information and all files in that directory to maintain their integrity.
+The directory and files should be owned by root:root.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-master-node"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83435-8</xccdf-1.2:ident>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_owner_openshift_pki_key_files:def:1"/>
+            </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-rbac_pod_creation_access_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_owner_openshift_pki_key_files_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_rbac_roles_defined" severity="medium">
-            <xccdf-1.2:title>Ensure roles are defined in the cluster</xccdf-1.2:title>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_openshift_sdn_cniserver_config" severity="medium">
+            <xccdf-1.2:title>Verify User Who Owns The OpenShift SDN CNI Server Config</xccdf-1.2:title>
             <xccdf-1.2:description>
-              <html:p>
-RBAC is a critical feature in terms of security for Kubernetes and
-OpenShift. It enables administrators to segment the privileges
-granted to a service account, and thus allows us to limit the
-access to resources that they get. By defining roles appropriately
-one is able to codify organizational policy. [1]
-</html:p>
-              <html:p>
-[1] 
-      <html:a href="https://docs.openshift.com/container-platform/latest/authentication/using-rbac.html">https://docs.openshift.com/container-platform/latest/authentication/using-rbac.html</html:a>
-</html:p>
-            </xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">This rule's check operates on the cluster configuration dump.
-Therefore, you need to use a tool that can query the OCP API, retrieve the <html:code class="ocp-api-endpoint">/apis/rbac.authorization.k8s.io/v1/roles?limit=1000</html:code> API endpoint to the local <html:code class="ocp-dump-location"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>/apis/rbac.authorization.k8s.io/v1/roles?limit=1000</html:code> file.</xccdf-1.2:warning>
-            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-7.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>By defining RBAC roles, one is able to limit the permissions
-given to a Service Account, and thus limit the blast radius
-that an account compromise would have.</xccdf-1.2:rationale>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-86588-1</xccdf-1.2:ident>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-rbac_roles_defined:def:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_rbac_wildcard_use" severity="medium">
-            <xccdf-1.2:title>Minimize Wildcard Usage in Cluster and Local Roles</xccdf-1.2:title>
-            <xccdf-1.2:description>Kubernetes Cluster and Local Roles provide access to resources
-based on sets of objects and actions that can be taken on
-those objects. It is possible to set either of these using a
-wildcard <html:code>*</html:code> which matches all items. This violates the
-principle of least privilege and leaves a cluster in a more
-vulnerable state to privilege abuse.</xccdf-1.2:description>
+To properly set the owner of <html:code>/var/run/openshift-sdn/cniserver/config.json</html:code>, run the command:
+<html:pre>$ sudo chown root /var/run/openshift-sdn/cniserver/config.json </html:pre></xccdf-1.2:description>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
             <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-2.2</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">5.1.3</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>The principle of least privilege recommends that users are
-provided only the access required for their role and nothing
-more. The use of wildcard rights grants is likely to provide
-excessive rights to the Kubernetes API.</xccdf-1.2:rationale>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.9</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>CNI (Container Network Interface) files consist of a specification and libraries for
+writing plugins to configure network interfaces in Linux containers, along with a number
+of supported plugins. Allowing writeable access to the files could allow an attacker to modify
+the networking configuration potentially adding a rogue network connection.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-node-on-sdn"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83932-4</xccdf-1.2:ident>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_owner_openshift_sdn_cniserver_config:def:1"/>
+            </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-rbac_wildcard_use_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_owner_openshift_sdn_cniserver_config_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-        </xccdf-1.2:Group>
-        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_registry">
-          <xccdf-1.2:title>Kubernetes - Registry Security Practices</xccdf-1.2:title>
-          <xccdf-1.2:description>Contains evaluations for Kubernetes registry security practices, and cluster-wide registry configuration.</xccdf-1.2:description>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_ocp_allowed_registries" severity="medium">
-            <xccdf-1.2:title>Allowed registries are configured</xccdf-1.2:title>
-            <xccdf-1.2:description>The configuration <html:code>registrySources.allowedRegistries</html:code> determines the
-permitted registries that the OpenShift container runtime can access for builds
-and pods. This configuration setting ensures that all registries other than
-those specified are blocked.
-
-You can set the allowed repositories by applying the following manifest using
-<html:pre>oc patch</html:pre>, e.g. if you save the following snippet to
-<html:pre>/tmp/allowed-registries-patch.yaml</html:pre>
-<html:pre>
-spec:
-  registrySources:
-    allowedRegistries:
-    - my-trusted-registry.internal.example.com
-</html:pre> you would call
-<html:pre>oc patch image.config.openshift.io cluster --patch="$(cat /tmp/allowed-registries-patch.yaml)" --type=merge</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">This rule's check operates on the cluster configuration dump.
-Therefore, you need to use a tool that can query the OCP API, retrieve the <html:code class="ocp-api-endpoint">/apis/config.openshift.io/v1/images/cluster</html:code> API endpoint to the local <html:code class="ocp-dump-location"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>/apis/config.openshift.io/v1/images/cluster</html:code> file.</xccdf-1.2:warning>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-5(3)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(2)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(5)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-11</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000131-CTR-000280</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000131-CTR-000285</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000384-CTR-000915</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Allowed registries should be configured to restrict the registries that the
-OpenShift container runtime can access, and all other registries should be
-blocked.</xccdf-1.2:rationale>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_openvswitch" severity="medium">
+            <xccdf-1.2:title>Verify User Who Owns The OpenShift Open vSwitch Files</xccdf-1.2:title>
+            <xccdf-1.2:description> To properly set the owner of <html:code>/etc/openvswitch/.*</html:code>, run the command: <html:pre>$ sudo chown root /etc/openvswitch/.* </html:pre></xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.10</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>CNI (Container Network Interface) files consist of a specification and libraries for
+writing plugins to configure network interfaces in Linux containers, along with a number
+of supported plugins. Allowing writeable access to the files could allow an attacker to modify
+the networking configuration potentially adding a rogue network connection.</xccdf-1.2:rationale>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-ocp_allowed_registries:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_owner_openvswitch:def:1"/>
             </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_ocp_allowed_registries_for_import" severity="medium">
-            <xccdf-1.2:title>Allowed registries for import are configured</xccdf-1.2:title>
-            <xccdf-1.2:description>The configuration <html:code>allowedRegistriesForImport</html:code> limits the container
-image registries from which normal users may import images. This is important
-to control, as a user who can stand up a malicious registry can then import
-content which claims to include the SHAs of legimitate content layers.
-You can set the allowed repositories for import by applying the following
-manifest using <html:pre>oc patch</html:pre>, e.g. if you save the following snippet to
-<html:pre>/tmp/allowed-import-registries-patch.yaml</html:pre>
-<html:pre>
-spec:
-  allowedRegistriesForImport:
-  - domainName: my-trusted-registry.internal.example.com
-    insecure: false
-</html:pre> you would call
-<html:pre>oc patch image.config.openshift.io cluster --patch="$(cat /tmp/allowed-import-registries-patch.yaml)" --type=merge</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">This rule's check operates on the cluster configuration dump.
-Therefore, you need to use a tool that can query the OCP API, retrieve the <html:code class="ocp-api-endpoint">/apis/config.openshift.io/v1/images/cluster</html:code> API endpoint to the local <html:code class="ocp-dump-location"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>/apis/config.openshift.io/v1/images/cluster</html:code> file.</xccdf-1.2:warning>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-5(3)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(2)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(5)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-11</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000131-CTR-000280</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000131-CTR-000285</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000384-CTR-000915</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Allowed registries for import should be specified to limit the registries 
-from which users may import images.</xccdf-1.2:rationale>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-ocp_allowed_registries_for_import:def:1"/>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_owner_openvswitch_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-        </xccdf-1.2:Group>
-        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_risk-assessment">
-          <xccdf-1.2:title>OpenShift - Risk Assessment Settings</xccdf-1.2:title>
-          <xccdf-1.2:description>Contains evaluations for the cluster's risk assessment configuration settings.</xccdf-1.2:description>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_compliancesuite_exists" severity="medium">
-            <xccdf-1.2:title>Ensure that Compliance Operator is scanning the cluster</xccdf-1.2:title>
-            <xccdf-1.2:description><html:a href="https://docs.openshift.com/container-platform/4.7/security/compliance_operator/compliance-operator-understanding.html#compliance-operator-understanding">The Compliance Operator</html:a>
-scans the hosts and the platform (OCP)
-configurations for software flaws and improper configurations according
-to different compliance benchmarks. It uses OpenSCAP as a backend,
-which is a known and certified tool to do such scans.</xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">This rule's check operates on the cluster configuration dump.
-Therefore, you need to use a tool that can query the OCP API, retrieve the <html:code class="ocp-api-endpoint">/apis/compliance.openshift.io/v1alpha1/compliancesuites?limit=5</html:code> API endpoint to the local <html:code class="ocp-dump-location"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>/apis/compliance.openshift.io/v1alpha1/compliancesuites?limit=5</html:code> file.</xccdf-1.2:warning>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R1.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R4.3</xccdf-1.2:reference>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_ovs_conf_db" severity="medium">
+            <xccdf-1.2:title>Verify User Who Owns The Open vSwitch Configuration Database</xccdf-1.2:title>
+            <xccdf-1.2:description>
+To properly set the owner of <html:code>/etc/openvswitch/conf.db</html:code>, run the command:
+<html:pre>$ sudo chown openvswitch /etc/openvswitch/conf.db </html:pre></xccdf-1.2:description>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 4.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 4.2</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R4.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-005-6 R1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-005-6 R1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-005-6 R1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R3.1</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R8.4</xccdf-1.2:reference>
             <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">RA-5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">RA-5(5)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-4(8)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-2.2.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000414-CTR-001010</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Vulnerability scanning and risk management are important detective controls
-for all systems, to detect potential flaws and unauthorised access.</xccdf-1.2:rationale>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83697-3</xccdf-1.2:ident>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.9</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>CNI (Container Network Interface) files consist of a specification and libraries for
+writing plugins to configure network interfaces in Linux containers, along with a number
+of supported plugins. Allowing writeable access to the files could allow an attacker to modify
+the networking configuration potentially adding a rogue network connection.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-node"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83489-5</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-compliancesuite_exists:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_owner_ovs_conf_db:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-compliancesuite_exists_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_owner_ovs_conf_db_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-        </xccdf-1.2:Group>
-        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_scc">
-          <xccdf-1.2:title>Security Context Constraints (SCC)</xccdf-1.2:title>
-          <xccdf-1.2:description>Similar to the way that RBAC resources control user access,
-administrators can use Security Context Constraints (SCCs)
-to control permissions for pods. These permissions include
-actions that a pod, a collection of containers, can perform
-and what resources it can access. You can use SCCs to define
-a set of conditions that a pod must run with in order to be
-accepted into the system.</xccdf-1.2:description>
-          <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_sccs_with_allowed_capabilities_regex" type="string">
-            <xccdf-1.2:title>Permitted SCCs with allowedCapabilities</xccdf-1.2:title>
-            <xccdf-1.2:description>A regular expression that lists all SCCs that are permitted to set the allowedCapabilities attribute</xccdf-1.2:description>
-            <xccdf-1.2:value>^privileged$|^hostnetwork-v2$|^restricted-v2$|^nonroot-v2$</xccdf-1.2:value>
-          </xccdf-1.2:Value>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_scc_drop_container_capabilities" severity="medium">
-            <xccdf-1.2:title>Drop Container Capabilities</xccdf-1.2:title>
-            <xccdf-1.2:description>Containers should not enable more capabilites than needed as this
-opens the door for malicious use. To disable the
-capabilities, the appropriate Security Context Constraints (SCCs)
-should set all capabilities as <html:code>*</html:code> or a list of capabilities in
-<html:code>requiredDropCapabilities</html:code>.</xccdf-1.2:description>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_ovs_conf_db_lock" severity="medium">
+            <xccdf-1.2:title>Verify User Who Owns The Open vSwitch Configuration Database Lock</xccdf-1.2:title>
+            <xccdf-1.2:description>
+To properly set the owner of <html:code>/etc/openvswitch/.conf.db.~lock~</html:code>, run the command:
+<html:pre>$ sudo chown openvswitch /etc/openvswitch/.conf.db.~lock~ </html:pre></xccdf-1.2:description>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
             <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-2.2</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">5.2.9</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>By default, containers run with a default set of capabilities as assigned
-by the Container Runtime which can include dangerous or highly privileged
-capabilities. Capabilities should be dropped unless absolutely critical for
-the container to run software as added capabilities that are not required
-allow for malicious containers or attackers.</xccdf-1.2:rationale>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.9</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>CNI (Container Network Interface) files consist of a specification and libraries for
+writing plugins to configure network interfaces in Linux containers, along with a number
+of supported plugins. Allowing writeable access to the files could allow an attacker to modify
+the networking configuration potentially adding a rogue network connection.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-node"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83462-2</xccdf-1.2:ident>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_owner_ovs_conf_db_lock:def:1"/>
+            </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-scc_drop_container_capabilities_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_owner_ovs_conf_db_lock_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_scc_limit_container_allowed_capabilities" severity="medium">
-            <xccdf-1.2:title>Limit Container Capabilities</xccdf-1.2:title>
-            <xccdf-1.2:description>Containers should not enable more capabilites than needed as this
-opens the door for malicious use. To enable only the
-required capabilities, the appropriate Security Context Constraints (SCCs)
-should set capabilities as a list in <html:code>allowedCapabilities</html:code>.</xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">This rule's check operates on the cluster configuration dump.
-Therefore, you need to use a tool that can query the OCP API, retrieve the following:
-<html:ul><html:li><html:code class="ocp-api-endpoint" id="395df9a25b06bd949effbff7e3071c03493e0dd679ee1c7bfcfcb35647e9328c">/apis/security.openshift.io/v1/securitycontextconstraints</html:code>
-    API endpoint, filter with with the <html:code>jq</html:code> utility using the following filter
-    <html:code class="ocp-api-filter" id="filter-395df9a25b06bd949effbff7e3071c03493e0dd679ee1c7bfcfcb35647e9328c">[.items[] | select(.metadata.name | test("{{.var_sccs_with_allowed_capabilities_regex}}"; "") | not)] | map(.allowedCapabilities == null)</html:code>
-    and persist it to the local
-    <html:code class="ocp-dump-location" id="dump-395df9a25b06bd949effbff7e3071c03493e0dd679ee1c7bfcfcb35647e9328c"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>/apis/security.openshift.io/v1/securitycontextconstraints#395df9a25b06bd949effbff7e3071c03493e0dd679ee1c7bfcfcb35647e9328c</html:code>
-    file.
-  </html:li></html:ul></xccdf-1.2:warning>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_ovs_pid" severity="medium">
+            <xccdf-1.2:title>Verify User Who Owns The Open vSwitch Process ID File</xccdf-1.2:title>
+            <xccdf-1.2:description>
+To properly set the owner of <html:code>/var/run/openvswitch/ovs-vswitchd.pid</html:code>, run the command:
+<html:pre>$ sudo chown openvswitch /var/run/openvswitch/ovs-vswitchd.pid </html:pre></xccdf-1.2:description>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
             <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-2.2</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">5.2.8</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>By default, containers run with a default set of capabilities as assigned
-by the Container Runtime which can include dangerous or highly privileged
-capabilities. Capabilities should be dropped unless absolutely critical for
-the container to run software as added capabilities that are not required
-allow for malicious containers or attackers.</xccdf-1.2:rationale>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.9</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>CNI (Container Network Interface) files consist of a specification and libraries for
+writing plugins to configure network interfaces in Linux containers, along with a number
+of supported plugins. Allowing writeable access to the files could allow an attacker to modify
+the networking configuration potentially adding a rogue network connection.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-node"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83937-3</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-scc_limit_container_allowed_capabilities:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_owner_ovs_pid:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-scc_limit_container_allowed_capabilities_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_owner_ovs_pid_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_scc_limit_ipc_namespace" severity="medium">
-            <xccdf-1.2:title>Limit Access to the Host IPC Namespace</xccdf-1.2:title>
-            <xccdf-1.2:description>Containers should not be allowed access to the host's Interprocess Commication (IPC)
-namespace. To prevent containers from getting access to a host's
-IPC namespace, the appropriate Security Context Constraints (SCCs)
-should set <html:code>allowHostIPC</html:code> to <html:code>false</html:code>.</xccdf-1.2:description>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_ovs_sys_id_conf" severity="medium">
+            <xccdf-1.2:title>Verify User Who Owns The Open vSwitch Persistent System ID</xccdf-1.2:title>
+            <xccdf-1.2:description>
+To properly set the owner of <html:code>/etc/openvswitch/system-id.conf</html:code>, run the command:
+<html:pre>$ sudo chown openvswitch /etc/openvswitch/system-id.conf </html:pre></xccdf-1.2:description>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
             <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-2.2</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">5.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>A container running in the host's IPC namespace can use IPC
-to interact with processes outside the container potentially
-allowing an attacker to exploit a host process thereby enabling an
-attacker to exploit other services.</xccdf-1.2:rationale>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84042-1</xccdf-1.2:ident>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.9</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>CNI (Container Network Interface) files consist of a specification and libraries for
+writing plugins to configure network interfaces in Linux containers, along with a number
+of supported plugins. Allowing writeable access to the files could allow an attacker to modify
+the networking configuration potentially adding a rogue network connection.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-node"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84085-0</xccdf-1.2:ident>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_owner_ovs_sys_id_conf:def:1"/>
+            </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-scc_limit_ipc_namespace_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_owner_ovs_sys_id_conf_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_scc_limit_net_raw_capability" severity="medium">
-            <xccdf-1.2:title>Limit Use of the CAP_NET_RAW</xccdf-1.2:title>
-            <xccdf-1.2:description>Containers should not enable more capabilites than needed as this
-opens the door for malicious use. <html:code>CAP_NET_RAW</html:code> enables a container
-to launch a network attack on another container or cluster. To disable the
-<html:code>CAP_NET_RAW</html:code> capability, the appropriate Security Context Constraints (SCCs)
-should set <html:code>NET_RAW</html:code> in <html:code>requiredDropCapabilities</html:code>.</xccdf-1.2:description>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_ovs_vswitchd_pid" severity="medium">
+            <xccdf-1.2:title>Verify User Who Owns The Open vSwitch Daemon PID File</xccdf-1.2:title>
+            <xccdf-1.2:description>
+To properly set the owner of <html:code>/run/openvswitch/ovs-vswitchd.pid</html:code>, run the command:
+<html:pre>$ sudo chown openvswitch /run/openvswitch/ovs-vswitchd.pid </html:pre></xccdf-1.2:description>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
             <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-2.2</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">5.2.7</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>By default, containers run with a default set of capabilities as assigned
-by the Container Runtime which can include dangerous or highly privileged
-capabilities. If the CAP_NET_RAW is enabled, it may be misused
-by malicious containers or attackers.</xccdf-1.2:rationale>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.9</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>CNI (Container Network Interface) files consist of a specification and libraries for
+writing plugins to configure network interfaces in Linux containers, along with a number
+of supported plugins. Allowing writeable access to the files could allow an attacker to modify
+the networking configuration potentially adding a rogue network connection.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-node"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83888-8</xccdf-1.2:ident>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_owner_ovs_vswitchd_pid:def:1"/>
+            </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-scc_limit_net_raw_capability_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_owner_ovs_vswitchd_pid_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_scc_limit_network_namespace" severity="medium">
-            <xccdf-1.2:title>Limit Access to the Host Network Namespace</xccdf-1.2:title>
-            <xccdf-1.2:description>Containers should not be allowed access to the host's network
-namespace. To prevent containers from getting access to a host's
-network namespace, the appropriate Security Context Constraints (SCCs)
-should set <html:code>allowHostNetwork</html:code> to <html:code>false</html:code>.</xccdf-1.2:description>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_ovsdb_server_pid" severity="medium">
+            <xccdf-1.2:title>Verify User Who Owns The Open vSwitch Database Server PID</xccdf-1.2:title>
+            <xccdf-1.2:description>
+To properly set the owner of <html:code>/run/openvswitch/ovsdb-server.pid</html:code>, run the command:
+<html:pre>$ sudo chown openvswitch /run/openvswitch/ovsdb-server.pid </html:pre></xccdf-1.2:description>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
             <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-2.2</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">5.2.4</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>A container running in the host's network namespace could
-access the host network traffic to and from other pods
-potentially allowing an attacker to exploit pods and network
-traffic.</xccdf-1.2:rationale>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83492-9</xccdf-1.2:ident>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.9</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>CNI (Container Network Interface) files consist of a specification and libraries for
+writing plugins to configure network interfaces in Linux containers, along with a number
+of supported plugins. Allowing writeable access to the files could allow an attacker to modify
+the networking configuration potentially adding a rogue network connection.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-node"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83806-0</xccdf-1.2:ident>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_owner_ovsdb_server_pid:def:1"/>
+            </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-scc_limit_network_namespace_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_owner_ovsdb_server_pid_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_scc_limit_privilege_escalation" severity="medium">
-            <xccdf-1.2:title>Limit Containers Ability to Escalate Privileges</xccdf-1.2:title>
-            <xccdf-1.2:description>Containers should be limited to only the privileges required
-to run and should not be allowed to escalate their privileges.
-To prevent containers from escalating privileges,
-the appropriate Security Context Constraints (SCCs)
-should set <html:code>allowPrivilegeEscalation</html:code> to <html:code>false</html:code>.</xccdf-1.2:description>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_scheduler_kubeconfig" severity="medium">
+            <xccdf-1.2:title>Verify User Who Owns The Kubernetes Scheduler Kubeconfig File</xccdf-1.2:title>
+            <xccdf-1.2:description>
+To properly set the owner of <html:code>/etc/kubernetes/static-pod-resources/kube-scheduler-pod-*/configmaps/scheduler-kubeconfig/kubeconfig</html:code>, run the command:
+<html:pre>$ sudo chown root /etc/kubernetes/static-pod-resources/kube-scheduler-pod-*/configmaps/scheduler-kubeconfig/kubeconfig </html:pre></xccdf-1.2:description>
+            <xccdf-1.2:warning category="dependency">This rule is only applicable for nodes that run the Kubernetes Scheduler service.
+The aforementioned service is only running on the nodes labeled
+"master" by default.</xccdf-1.2:warning>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
             <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-2.2</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">5.2.5</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Privileged containers have access to more of the Linux Kernel
-capabilities and devices. If a privileged container were
-compromised, an attacker would have full access to the container
-and host.</xccdf-1.2:rationale>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83447-3</xccdf-1.2:ident>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.16</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>The kubeconfig for the Scheduler contains paramters for the scheduler
+to access the Kube API.
+You should set its file ownership to maintain the integrity of the file.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-master-node"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84017-3</xccdf-1.2:ident>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_owner_scheduler_kubeconfig:def:1"/>
+            </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-scc_limit_privilege_escalation_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_owner_scheduler_kubeconfig_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_scc_limit_privileged_containers" severity="medium">
-            <xccdf-1.2:title>Limit Privileged Container Use</xccdf-1.2:title>
-            <xccdf-1.2:description>Containers should be limited to only the privileges required
-to run. To prevent containers from running as privileged containers,
-the appropriate Security Context Constraints (SCCs) should set
-<html:code>allowPrivilegedContainer</html:code> to <html:code>false</html:code>.</xccdf-1.2:description>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_var_lib_etcd" severity="medium">
+            <xccdf-1.2:title>Verify User Who Owns The OpenShift etcd Data Directory</xccdf-1.2:title>
+            <xccdf-1.2:description> To properly set the owner of <html:code>/var/lib/etcd</html:code>, run the command: <html:pre>$ sudo chown root /var/lib/etcd </html:pre></xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.12</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>The <html:code>/var/lib/etcd</html:code> directory contains highly-avaliable distributed key/value data storage
+across an OpenShift cluster. Allowing access to users to this directory could compromise OpenShift
+data and the cluster.</xccdf-1.2:rationale>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_owner_var_lib_etcd:def:1"/>
+            </xccdf-1.2:check>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_owner_var_lib_etcd_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_cni_conf" severity="medium">
+            <xccdf-1.2:title>Verify Permissions on the OpenShift Container Network Interface Files</xccdf-1.2:title>
+            <xccdf-1.2:description>
+To properly set the permissions of <html:code>/etc/cni/net.d/*</html:code>, run the command:
+<html:pre>$ sudo chmod 0644 /etc/cni/net.d/*</html:pre></xccdf-1.2:description>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
             <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-2.2</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">5.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Privileged containers have access to all Linux Kernel
-capabilities and devices. If a privileged container were
-compromised, an attacker would have full access to the container
-and host.</xccdf-1.2:rationale>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.9</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>CNI (Container Network Interface) files consist of a specification and libraries for
+writing plugins to configure network interfaces in Linux containers, along with a number
+of supported plugins. Allowing writeable access to the files could allow an attacker to modify
+the networking configuration potentially adding a rogue network connection.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-node"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83379-8</xccdf-1.2:ident>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_permissions_cni_conf:def:1"/>
+            </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-scc_limit_privileged_containers_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_permissions_cni_conf_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_scc_limit_process_id_namespace" severity="medium">
-            <xccdf-1.2:title>Limit Access to the Host Process ID Namespace</xccdf-1.2:title>
-            <xccdf-1.2:description>Containers should not be allowed access to the host's process
-ID namespace. To prevent containers from getting access to a host's
-process ID namespace, the appropriate Security Context Constraints (SCCs)
-should set <html:code>allowHostPID</html:code> to <html:code>false</html:code>.</xccdf-1.2:description>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_controller_manager_kubeconfig" severity="medium">
+            <xccdf-1.2:title>Verify Permissions on the OpenShift Controller Manager Kubeconfig File</xccdf-1.2:title>
+            <xccdf-1.2:description>
+To properly set the permissions of <html:code>/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/configmaps/controller-manager-kubeconfig/kubeconfig</html:code>, run the command:
+<html:pre>$ sudo chmod 0644 /etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/configmaps/controller-manager-kubeconfig/kubeconfig</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:warning category="dependency">This rule is only applicable for nodes that run the Kubernetes Controller Manager service.
+The aforementioned service is only running on the nodes labeled
+"master" by default.</xccdf-1.2:warning>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
             <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-2.2</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">5.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>A container running in the host's PID namespace can inspect
-processes running outside the container which can be used to
-escalate privileges outside of the container.</xccdf-1.2:rationale>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.17</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>The Controller Manager's kubeconfig contains information about how the
+component will access the API server. You should restrict its file
+permissions to maintain the integrity of the file. The file should be
+writable by only the administrators on the system.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-master-node"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83604-9</xccdf-1.2:ident>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_permissions_controller_manager_kubeconfig:def:1"/>
+            </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-scc_limit_process_id_namespace_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_permissions_controller_manager_kubeconfig_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_scc_limit_root_containers" severity="medium">
-            <xccdf-1.2:title>Limit Container Running As Root User</xccdf-1.2:title>
-            <xccdf-1.2:description>Containers should be limited to only the privileges required
-to run and should very rarely be run as root user. To prevent
-containers from running as root user,
-the appropriate Security Context Constraints (SCCs) should set
-<html:code>allowPrivilegedContainer</html:code> to <html:code>false</html:code>.</xccdf-1.2:description>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_etcd_data_dir" severity="medium">
+            <xccdf-1.2:title>Verify Permissions on the Etcd Database Directory</xccdf-1.2:title>
+            <xccdf-1.2:description>
+To properly set the permissions of <html:code>/var/lib/etcd</html:code>, run the command:
+<html:pre>$ sudo chmod 0700 /var/lib/etcd</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:warning category="dependency">This rule is only applicable for nodes that run the Etcd service.
+The aforementioned service is only running on the nodes labeled
+"master" by default.</xccdf-1.2:warning>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
             <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-2.2</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">5.2.6</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Privileged containers have access to all Linux Kernel
-capabilities and devices. If a privileged container were
-compromised, an attacker would have full access to the container
-and host.</xccdf-1.2:rationale>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.11</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>etcd is a highly-available key-value store used by Kubernetes deployments for persistent
+storage of all of its REST API objects. This data directory should be protected from any
+unauthorized reads or writes. It should not be readable or writable by any group members
+or the world.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-master-node"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84013-2</xccdf-1.2:ident>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_permissions_etcd_data_dir:def:1"/>
+            </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-scc_limit_root_containers_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_permissions_etcd_data_dir_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-        </xccdf-1.2:Group>
-        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_scheduler">
-          <xccdf-1.2:title>OpenShift - Kubernetes - Scheduler Settings</xccdf-1.2:title>
-          <xccdf-1.2:description>Contains evaluations for kube-scheduler configuration settings.</xccdf-1.2:description>
-          <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_scheduler_argument_filter" type="string">
-            <xccdf-1.2:title>Kube scheduler config filter</xccdf-1.2:title>
-            <xccdf-1.2:description>Kube scheduler filter</xccdf-1.2:description>
-            <xccdf-1.2:value>[.data."pod.yaml"]</xccdf-1.2:value>
-          </xccdf-1.2:Value>
-          <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_scheduler_filepath" type="string">
-            <xccdf-1.2:title>Kube scheduler config file path</xccdf-1.2:title>
-            <xccdf-1.2:description>Kube scheduler config file path</xccdf-1.2:description>
-            <xccdf-1.2:value>/api/v1/namespaces/openshift-kube-scheduler/configmaps/kube-scheduler-pod</xccdf-1.2:value>
-          </xccdf-1.2:Value>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_scheduler_no_bind_address" severity="medium">
-            <xccdf-1.2:title>Ensure that the bind-address parameter is not used</xccdf-1.2:title>
-            <xccdf-1.2:description>The Scheduler API service which runs on port 10251/TCP by default is used for
-health and metrics information and is available without authentication or
-encryption. As such it should only be bound to a localhost interface, to
-minimize the cluster's attack surface.</xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">This rule's check operates on the cluster configuration dump.
-Therefore, you need to use a tool that can query the OCP API, retrieve the following:
-<html:ul><html:li><html:code class="ocp-api-endpoint" id="569895645b4f9b87d4e21ab3c6fe4cc03627259826715e5043d5d8889c6c12d3">{{.var_scheduler_filepath}}</html:code>
-    API endpoint, filter with with the <html:code>jq</html:code> utility using the following filter
-    <html:code class="ocp-api-filter" id="filter-569895645b4f9b87d4e21ab3c6fe4cc03627259826715e5043d5d8889c6c12d3">{{.var_scheduler_argument_filter}}</html:code>
-    and persist it to the local
-    <html:code class="ocp-dump-location" id="dump-569895645b4f9b87d4e21ab3c6fe4cc03627259826715e5043d5d8889c6c12d3"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>/api/v1/namespaces/openshift-kube-scheduler/configmaps/kube-scheduler-pod#569895645b4f9b87d4e21ab3c6fe4cc03627259826715e5043d5d8889c6c12d3</html:code>
-    file.
-  </html:li></html:ul></xccdf-1.2:warning>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R4.2</xccdf-1.2:reference>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_etcd_data_files" severity="medium">
+            <xccdf-1.2:title>Verify Permissions on the Etcd Write-Ahead-Log Files</xccdf-1.2:title>
+            <xccdf-1.2:description>
+To properly set the permissions of <html:code>/var/lib/etcd/member/wal/*</html:code>, run the command:
+<html:pre>$ sudo chmod 0600 /var/lib/etcd/member/wal/*</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:warning category="dependency">This rule is only applicable for nodes that run the Etcd service.
+The aforementioned service is only running on the nodes labeled
+"master" by default.</xccdf-1.2:warning>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
             <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-8(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-2.2</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.4.2</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>In OpenShift 4, The Kubernetes Scheduler operator manages and updates the
-Kubernetes Scheduler deployed on top of OpenShift. By default, the operator
-exposes metrics via metrics service. The metrics are collected from the
-Kubernetes Scheduler operator. Profiling data is sent to healthzPort,
-the port of the localhost healthz endpoint. Changing this value may disrupt
-components that monitor the kubelet health.</xccdf-1.2:rationale>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83674-2</xccdf-1.2:ident>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-scheduler_no_bind_address:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-scheduler_no_bind_address_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_scheduler_port_is_zero" severity="medium">
-            <xccdf-1.2:title>Ensure that the port parameter is zero</xccdf-1.2:title>
-            <xccdf-1.2:description>The Scheduler API service which runs on port 10251/TCP by default is used for
-health and metrics information and is available without authentication or
-encryption. As such it should only be bound to a localhost interface, to
-minimize the cluster's attack surface.</xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">This rule's check operates on the cluster configuration dump.
-Therefore, you need to use a tool that can query the OCP API, retrieve the following:
-<html:ul><html:li><html:code class="ocp-api-endpoint" id="569895645b4f9b87d4e21ab3c6fe4cc03627259826715e5043d5d8889c6c12d3">{{.var_scheduler_filepath}}</html:code>
-    API endpoint, filter with with the <html:code>jq</html:code> utility using the following filter
-    <html:code class="ocp-api-filter" id="filter-569895645b4f9b87d4e21ab3c6fe4cc03627259826715e5043d5d8889c6c12d3">{{.var_scheduler_argument_filter}}</html:code>
-    and persist it to the local
-    <html:code class="ocp-dump-location" id="dump-569895645b4f9b87d4e21ab3c6fe4cc03627259826715e5043d5d8889c6c12d3"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>/api/v1/namespaces/openshift-kube-scheduler/configmaps/kube-scheduler-pod#569895645b4f9b87d4e21ab3c6fe4cc03627259826715e5043d5d8889c6c12d3</html:code>
-    file.
-  </html:li></html:ul></xccdf-1.2:warning>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.4.2</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>In OpenShift 4, The Kubernetes Scheduler operator manages and updates the
-Kubernetes Scheduler deployed on top of OpenShift. By default, the operator
-exposes metrics via metrics service. The metrics are collected from the
-Kubernetes Scheduler operator. Profiling data is sent to healthzPort,
-the port of the localhost healthz endpoint. Changing this value may disrupt
-components that monitor the kubelet health.</xccdf-1.2:rationale>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.11</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>etcd is a highly-available key-value store used by Kubernetes deployments for persistent
+storage of all of its REST API objects. This data directory should be protected from any
+unauthorized reads or writes. It should not be readable or writable by any group members
+or the world.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-master-node"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83382-2</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-scheduler_port_is_zero:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_permissions_etcd_data_files:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-scheduler_port_is_zero_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_permissions_etcd_data_files_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-        </xccdf-1.2:Group>
-        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_secrets">
-          <xccdf-1.2:title>Kubernetes Secrets Management</xccdf-1.2:title>
-          <xccdf-1.2:description>Secrets let you store and manage sensitive information,
-such as passwords, OAuth tokens, and ssh keys.
-Such information might otherwise be put in a Pod
-specification or in an image.		</xccdf-1.2:description>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_secrets_consider_external_storage" severity="medium">
-            <xccdf-1.2:title>Consider external secret storage</xccdf-1.2:title>
-            <xccdf-1.2:description>Consider the use of an external secrets storage and management system,
-instead of using Kubernetes Secrets directly, if you have more complex
-secret management needs. Ensure the solution requires authentication to
-access secrets, has auditing of access to and use of secrets, and encrypts
-secrets. Some solutions also make it easier to rotate secrets.</xccdf-1.2:description>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_etcd_member" severity="medium">
+            <xccdf-1.2:title>Verify Permissions on the Etcd Member Pod Specification File</xccdf-1.2:title>
+            <xccdf-1.2:description>
+To properly set the permissions of <html:code>/etc/kubernetes/static-pod-resources/etcd-pod-*/etcd-pod.yaml</html:code>, run the command:
+<html:pre>$ sudo chmod 0644 /etc/kubernetes/static-pod-resources/etcd-pod-*/etcd-pod.yaml</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:warning category="dependency">This rule is only applicable for nodes that run the Etcd service.
+The aforementioned service is only running on the nodes labeled
+"master" by default.</xccdf-1.2:warning>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
             <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-2.2</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">5.4.2</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Kubernetes supports secrets as first-class objects, but care needs to be
-taken to ensure that access to secrets is carefully limited. Using an
-external secrets provider can ease the management of access to secrets,
-especially where secrets are used across both Kubernetes and non-Kubernetes
-environments.</xccdf-1.2:rationale>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.7</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>The etcd pod specification file controls various parameters that
+set the behavior of the etcd service in the master node. etcd is a
+highly-available key-value store which Kubernetes uses for persistent
+storage of all of its REST API object. You should restrict its file
+permissions to maintain the integrity of the file. The file should be
+writable by only the administrators on the system.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-master-node"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83973-8</xccdf-1.2:ident>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_permissions_etcd_member:def:1"/>
+            </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-secrets_consider_external_storage_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_permissions_etcd_member_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_secrets_no_environment_variables" severity="medium">
-            <xccdf-1.2:title>Do Not Use Environment Variables with Secrets</xccdf-1.2:title>
-            <xccdf-1.2:description>Secrets should be mounted as data volumes instead of environment
-variables.</xccdf-1.2:description>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_etcd_pki_cert_files" severity="medium">
+            <xccdf-1.2:title>Verify Permissions on the Etcd PKI Certificate Files</xccdf-1.2:title>
+            <xccdf-1.2:description>
+To properly set the permissions of <html:code>/etc/kubernetes/static-pod-resources/etcd-*/secrets/*/*.crt</html:code>, run the command:
+<html:pre>$ sudo chmod 0600 /etc/kubernetes/static-pod-resources/etcd-*/secrets/*/*.crt</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:warning category="dependency">This rule is only applicable for nodes that run the Etcd service.
+The aforementioned service is only running on the nodes labeled
+"master" by default.</xccdf-1.2:warning>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
             <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-2.2</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">5.4.1</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Environment variables are subject and very susceptible to
-malicious hijacking methods by an adversary, as such,
-environment variables should never be used for secrets.</xccdf-1.2:rationale>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.20</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>OpenShift makes use of a number of certificate files as part of the operation
+of its components. The permissions on these files should be set to
+<html:pre>600</html:pre> or more restrictive to protect their integrity.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-master-node"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83362-4</xccdf-1.2:ident>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_permissions_etcd_pki_cert_files:def:1"/>
+            </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-secrets_no_environment_variables_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_permissions_etcd_pki_cert_files_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-        </xccdf-1.2:Group>
-        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_worker">
-          <xccdf-1.2:title>Kubernetes - Worker Node Settings</xccdf-1.2:title>
-          <xccdf-1.2:description>Contains evaluations for the worker node configuration settings.</xccdf-1.2:description>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_kubelet_conf" severity="medium">
-            <xccdf-1.2:title>Verify Group Who Owns The Kubelet Configuration File</xccdf-1.2:title>
-            <xccdf-1.2:description> To properly set the group owner of <html:code>/etc/kubernetes/kubelet.conf</html:code>, run the command: <html:pre>$ sudo chgrp root /etc/kubernetes/kubelet.conf</html:pre></xccdf-1.2:description>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_ip_allocations" severity="medium">
+            <xccdf-1.2:title>Verify Permissions on the OpenShift SDN Container Network Interface Plugin IP Address Allocations</xccdf-1.2:title>
+            <xccdf-1.2:description>
+To properly set the permissions of <html:code>/var/lib/cni/networks/openshift-sdn/*</html:code>, run the command:
+<html:pre>$ sudo chmod 0644 /var/lib/cni/networks/openshift-sdn/*</html:pre></xccdf-1.2:description>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
@@ -14655,55 +16341,58 @@ environment variables should never be used for secrets.</xccdf-1.2:rationale>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.1.6</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>The kubelet configuration file contains information about the configuration of the
-OpenShift node that is configured on the system. Protection of this file is
-critical for OpenShift security.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84233-6</xccdf-1.2:ident>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.9</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>CNI (Container Network Interface) files consist of a specification and libraries for
+writing plugins to configure network interfaces in Linux containers, along with a number
+of supported plugins. Allowing writeable access to the files could allow an attacker to modify
+the networking configuration potentially adding a rogue network connection.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-node-on-sdn"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83469-7</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_groupowner_kubelet_conf:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_permissions_ip_allocations:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_groupowner_kubelet_conf_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_permissions_ip_allocations_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_proxy_kubeconfig" severity="medium">
-            <xccdf-1.2:title>Verify Group Who Owns The Worker Proxy Kubeconfig File</xccdf-1.2:title>
-            <xccdf-1.2:description>To ensure the Kubernetes ConfigMap is mounted into the sdn daemonset pods with the
-correct ownership, make sure that the <html:code>sdn-config</html:code> ConfigMap is mounted using
-a ConfigMap at the <html:code>/config</html:code> mount point and that the <html:code>sdn</html:code> container
-points to that configuration using the <html:code>--proxy-config</html:code> command line option.
-Run:
-<html:pre> oc get -nopenshift-sdn ds sdn -ojson | jq -r '.spec.template.spec.containers[] | select(.name == "sdn")'</html:pre>
-and ensure the <html:code>--proxy-config</html:code> parameter points to 
-<html:code>/config/kube-proxy-config.yaml</html:code> and that the <html:code>config</html:code> mount point is
-mounted from the <html:code>sdn-config</html:code> ConfigMap.</xccdf-1.2:description>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_kube_apiserver" severity="medium">
+            <xccdf-1.2:title>Verify Permissions on the Kubernetes API Server Pod Specification File</xccdf-1.2:title>
+            <xccdf-1.2:description>
+To properly set the permissions of <html:code>/etc/kubernetes/static-pod-resources/kube-apiserver-pod-*/kube-apiserver-pod.yaml</html:code>, run the command:
+<html:pre>$ sudo chmod 0644 /etc/kubernetes/static-pod-resources/kube-apiserver-pod-*/kube-apiserver-pod.yaml</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:warning category="dependency">This rule is only applicable for nodes that run the Kubernetes API Server service.
+The aforementioned service is only running on the nodes labeled
+"master" by default.</xccdf-1.2:warning>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
             <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-2.2</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.1.4</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>The kubeconfig file for kube-proxy provides permissions to the kube-proxy service.
-The proxy kubeconfig file contains information about the administrative configuration of the
-OpenShift cluster that is configured on the system. Protection of this file is
-critical for OpenShift security.
-
-The file is provided via a ConfigMap mount, so the kubelet itself makes sure that the
-file permissions are appropriate for the container taking it into use.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-on-sdn"/>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.1</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>If the Kubernetes specification file is writable by a group-owner or the
+world the risk of its compromise is increased. The file contains the configuration of
+the Kubernetes API server that is configured on the system. Protection of this file is
+critical for OpenShift security.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-master-node"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83983-7</xccdf-1.2:ident>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_permissions_kube_apiserver:def:1"/>
+            </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_groupowner_proxy_kubeconfig_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_permissions_kube_apiserver_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_worker_ca" severity="medium">
-            <xccdf-1.2:title>Verify Group Who Owns the Worker Certificate Authority File</xccdf-1.2:title>
-            <xccdf-1.2:description> To properly set the group owner of <html:code>/etc/kubernetes/kubelet-ca.crt</html:code>, run the command: <html:pre>$ sudo chgrp root /etc/kubernetes/kubelet-ca.crt</html:pre></xccdf-1.2:description>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_kube_controller_manager" severity="medium">
+            <xccdf-1.2:title>Verify Permissions on the Kubernetes Controller Manager Pod Specificiation File</xccdf-1.2:title>
+            <xccdf-1.2:description>
+To properly set the permissions of <html:code>/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/kube-controller-manager-pod.yaml</html:code>, run the command:
+<html:pre>$ sudo chmod 0644 /etc/kubernetes/static-pod-resources/kube-controller-manager-pod-*/kube-controller-manager-pod.yaml</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:warning category="dependency">This rule is only applicable for nodes that run the Kubernetes Controller Manager service.
+The aforementioned service is only running on the nodes labeled
+"master" by default.</xccdf-1.2:warning>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
@@ -14712,22 +16401,56 @@ file permissions are appropriate for the container taking it into use.</xccdf-1.
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.1.8</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>The worker certificate authority file contains the certificate authority
-certificate for an OpenShift node that is configured on the system. Protection of this file is
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.3</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>If the Kubernetes specification file is writable by a group-owner or the
+world the risk of its compromise is increased. The file contains the configuration of
+an Kubernetes Controller Manager server that is configured on the system. Protection of this file is
 critical for OpenShift security.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83440-8</xccdf-1.2:ident>
+            <xccdf-1.2:platform idref="#ocp4-master-node"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84161-9</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_groupowner_worker_ca:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_permissions_kube_controller_manager:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_groupowner_worker_ca_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_permissions_kube_controller_manager_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_worker_kubeconfig" severity="medium">
-            <xccdf-1.2:title>Verify Group Who Owns The Worker Kubeconfig File</xccdf-1.2:title>
-            <xccdf-1.2:description> To properly set the group owner of <html:code>/var/lib/kubelet/kubeconfig</html:code>, run the command: <html:pre>$ sudo chgrp root /var/lib/kubelet/kubeconfig</html:pre></xccdf-1.2:description>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_kube_scheduler" severity="medium">
+            <xccdf-1.2:title>Verify Permissions on the Kube Scheduler Pod Specification File</xccdf-1.2:title>
+            <xccdf-1.2:description>
+To properly set the permissions of <html:code>/etc/kubernetes/static-pod-resources/kube-scheduler-pod.yaml</html:code>, run the command:
+<html:pre>$ sudo chmod 0644 /etc/kubernetes/static-pod-resources/kube-scheduler-pod.yaml</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.5</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>If the Kube specification file is writable by a group-owner or the
+world the risk of its compromise is increased. The file contains the configuration of
+an OpenShift scheduler that is configured on the system. Protection of this file is
+critical for OpenShift security.</xccdf-1.2:rationale>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_permissions_kube_scheduler_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_kubeconfig" severity="medium">
+            <xccdf-1.2:title>Verify Permissions on the OpenShift Admin Kubeconfig File</xccdf-1.2:title>
+            <xccdf-1.2:description>
+To properly set the permissions of <html:code>/etc/kubernetes/kubeconfig</html:code>, run the command:
+<html:pre>$ sudo chmod 0600 /etc/kubernetes/kubeconfig</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.13</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>If the <html:code>/etc/kubernetes/kubeconfig</html:code> file is writable by a group-owner or the
+world the risk of its compromise is increased. The file contains the administration configuration of the
+OpenShift cluster that is configured on the system. Protection of this file is
+critical for OpenShift security.</xccdf-1.2:rationale>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_permissions_kubeconfig_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_master_admin_kubeconfigs" severity="medium">
+            <xccdf-1.2:title>Verify Permissions on the OpenShift Admin Kubeconfig Files</xccdf-1.2:title>
+            <xccdf-1.2:description>
+To properly set the permissions of <html:code>/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/*.kubeconfig</html:code>, run the command:
+<html:pre>$ sudo chmod 0600 /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/*.kubeconfig</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:warning category="dependency">This rule is only applicable for nodes that run the Kubernetes Control Plane.
+The aforementioned service is only running on the nodes labeled
+"master" by default.</xccdf-1.2:warning>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
@@ -14736,24 +16459,28 @@ critical for OpenShift security.</xccdf-1.2:rationale>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.1.10</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>The worker kubeconfig file contains information about the administrative configuration of the
-OpenShift cluster that is configured on the system. Protection of this file is
-critical for OpenShift security.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83409-3</xccdf-1.2:ident>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.13</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>There are various kubeconfig files that can be used by the administrator,
+defining various settings for the administration of the cluster. These files
+contain credentials that can be used to control the cluster and are needed
+for disaster recovery and each kubeconfig points to a different endpoint in
+the cluster. You should restrict its file permissions to maintain the
+integrity of the kubeconfig file as an attacker who gains access to these
+files can take over the cluster.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-master-node"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84278-1</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_groupowner_worker_kubeconfig:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_permissions_master_admin_kubeconfigs:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_groupowner_worker_kubeconfig_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_permissions_master_admin_kubeconfigs_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_worker_service" severity="medium">
-            <xccdf-1.2:title>Verify Group Who Owns The OpenShift Node Service File</xccdf-1.2:title>
-            <xccdf-1.2:description>'
-  To properly set the group owner of <html:code>/etc/systemd/system/kubelet.service</html:code>, run the command:
-  <html:pre>$ sudo chgrp root /etc/systemd/system/kubelet.service</html:pre>'</xccdf-1.2:description>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_multus_conf" severity="medium">
+            <xccdf-1.2:title>Verify Permissions on the OpenShift Multus Container Network Interface Plugin Files</xccdf-1.2:title>
+            <xccdf-1.2:description>
+To properly set the permissions of <html:code>/var/run/multus/cni/net.d/*</html:code>, run the command:
+<html:pre>$ sudo chmod 0644 /var/run/multus/cni/net.d/*</html:pre></xccdf-1.2:description>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
@@ -14762,23 +16489,28 @@ critical for OpenShift security.</xccdf-1.2:rationale>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>The <html:code>/etc/systemd/system/kubelet.service</html:code>
-file contains information about the configuration of the
-OpenShift node service that is configured on the system. Protection of this file is
-critical for OpenShift security.</xccdf-1.2:rationale>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.9</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>CNI (Container Network Interface) files consist of a specification and libraries for
+writing plugins to configure network interfaces in Linux containers, along with a number
+of supported plugins. Allowing writeable access to the files could allow an attacker to modify
+the networking configuration potentially adding a rogue network connection.</xccdf-1.2:rationale>
             <xccdf-1.2:platform idref="#ocp4-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83975-3</xccdf-1.2:ident>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83467-1</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_groupowner_worker_service:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_permissions_multus_conf:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_groupowner_worker_service_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_permissions_multus_conf_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_kubelet" severity="medium">
-            <xccdf-1.2:title>Verify User Who Owns The Kubelet Configuration File</xccdf-1.2:title>
-            <xccdf-1.2:description> To properly set the owner of <html:code>/var/lib/kubelet/config.json</html:code>, run the command: <html:pre>$ sudo chown root /var/lib/kubelet/config.json </html:pre></xccdf-1.2:description>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_openshift_pki_cert_files" severity="medium">
+            <xccdf-1.2:title>Verify Permissions on the OpenShift PKI Certificate Files</xccdf-1.2:title>
+            <xccdf-1.2:description>
+To properly set the permissions of <html:code>/etc/kubernetes/static-pod-resources/kube-*/secrets/*/tls.crt</html:code>, run the command:
+<html:pre>$ sudo chmod 0600 /etc/kubernetes/static-pod-resources/kube-*/secrets/*/tls.crt</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:warning category="dependency">This rule is only applicable for nodes that run the Kubernetes Control Plane.
+The aforementioned service is only running on the nodes labeled
+"master" by default.</xccdf-1.2:warning>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
@@ -14787,22 +16519,83 @@ critical for OpenShift security.</xccdf-1.2:rationale>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.1.6</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>The kubelet configuration file contains information about the configuration of the
-OpenShift node that is configured on the system. Protection of this file is
-critical for OpenShift security.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-85900-9</xccdf-1.2:ident>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.20</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>OpenShift makes use of a number of certificate files as part of the operation
+of its components. The permissions on these files should be set to
+<html:pre>600</html:pre> or more restrictive to protect their integrity.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-master-node"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83552-0</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_owner_kubelet:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_permissions_openshift_pki_cert_files:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_owner_kubelet_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_permissions_openshift_pki_cert_files_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_kubelet_conf" severity="medium">
-            <xccdf-1.2:title>Verify User Who Owns The Kubelet Configuration File</xccdf-1.2:title>
-            <xccdf-1.2:description> To properly set the owner of <html:code>/etc/kubernetes/kubelet.conf</html:code>, run the command: <html:pre>$ sudo chown root /etc/kubernetes/kubelet.conf </html:pre></xccdf-1.2:description>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_openshift_pki_key_files" severity="medium">
+            <xccdf-1.2:title>Verify Permissions on the OpenShift PKI Private Key Files</xccdf-1.2:title>
+            <xccdf-1.2:description>
+To properly set the permissions of <html:code>/etc/kubernetes/static-pod-resources/*/*/*/*.key</html:code>, run the command:
+<html:pre>$ sudo chmod 0600 /etc/kubernetes/static-pod-resources/*/*/*/*.key</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:warning category="dependency">This rule is only applicable for nodes that run the Kubernetes Control Plane.
+The aforementioned service is only running on the nodes labeled
+"master" by default.</xccdf-1.2:warning>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R1.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R3.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R3.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R3.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(2)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.21</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>OpenShift makes use of a number of key files as part of the operation of its
+components. The permissions on these files should be set to <html:pre>600</html:pre>
+to protect their integrity and confidentiality.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-master-node"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83580-1</xccdf-1.2:ident>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_permissions_openshift_pki_key_files:def:1"/>
+            </xccdf-1.2:check>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_permissions_openshift_pki_key_files_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_openvswitch" severity="medium">
+            <xccdf-1.2:title>Verify Permissions on the OpenShift Open vSwitch Files</xccdf-1.2:title>
+            <xccdf-1.2:description>
+To properly set the permissions of <html:code>/etc/openvswitch/.*</html:code>, run the command:
+<html:pre>$ sudo chmod 0644 /etc/openvswitch/.*</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.4.9</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>CNI (Container Network Interface) files consist of a specification and libraries for
+writing plugins to configure network interfaces in Linux containers, along with a number
+of supported plugins. Allowing writeable access to the files could allow an attacker to modify
+the networking configuration potentially adding a rogue network connection.</xccdf-1.2:rationale>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_permissions_openvswitch:def:1"/>
+            </xccdf-1.2:check>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_permissions_openvswitch_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_ovs_conf_db" severity="medium">
+            <xccdf-1.2:title>Verify Permissions on the Open vSwitch Configuration Database</xccdf-1.2:title>
+            <xccdf-1.2:description>
+To properly set the permissions of <html:code>/etc/openvswitch/conf.db</html:code>, run the command:
+<html:pre>$ sudo chmod 0640 /etc/openvswitch/conf.db</html:pre></xccdf-1.2:description>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
@@ -14811,55 +16604,52 @@ critical for OpenShift security.</xccdf-1.2:rationale>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.1.6</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>The kubelet configuration file contains information about the configuration of the
-OpenShift node that is configured on the system. Protection of this file is
-critical for OpenShift security.</xccdf-1.2:rationale>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.9</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>CNI (Container Network Interface) files consist of a specification and libraries for
+writing plugins to configure network interfaces in Linux containers, along with a number
+of supported plugins. Allowing writeable access to the files could allow an attacker to modify
+the networking configuration potentially adding a rogue network connection.</xccdf-1.2:rationale>
             <xccdf-1.2:platform idref="#ocp4-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83976-1</xccdf-1.2:ident>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83788-0</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_owner_kubelet_conf:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_permissions_ovs_conf_db:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_owner_kubelet_conf_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_permissions_ovs_conf_db_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_proxy_kubeconfig" severity="medium">
-            <xccdf-1.2:title>Verify User Who Owns The Worker Proxy Kubeconfig File</xccdf-1.2:title>
-            <xccdf-1.2:description>To ensure the Kubernetes ConfigMap is mounted into the sdn daemonset pods with the
-correct ownership, make sure that the <html:code>sdn-config</html:code> ConfigMap is mounted using
-a ConfigMap at the <html:code>/config</html:code> mount point and that the <html:code>sdn</html:code> container
-points to that configuration using the <html:code>--proxy-config</html:code> command line option.
-Run:
-<html:pre> oc get -nopenshift-sdn ds sdn -ojson | jq -r '.spec.template.spec.containers[] | select(.name == "sdn")'</html:pre>
-and ensure the <html:code>--proxy-config</html:code> parameter points to 
-<html:code>/config/kube-proxy-config.yaml</html:code> and that the <html:code>config</html:code> mount point is
-mounted from the <html:code>sdn-config</html:code> ConfigMap.</xccdf-1.2:description>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_ovs_conf_db_lock" severity="medium">
+            <xccdf-1.2:title>Verify Permissions on the Open vSwitch Configuration Database Lock</xccdf-1.2:title>
+            <xccdf-1.2:description>
+To properly set the permissions of <html:code>/etc/openvswitch/.conf.db.~lock~</html:code>, run the command:
+<html:pre>$ sudo chmod 0600 /etc/openvswitch/.conf.db.~lock~</html:pre></xccdf-1.2:description>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
             <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-2.2</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.1.4</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>The kubeconfig file for kube-proxy provides permissions to the kube-proxy service.
-The proxy kubeconfig file contains information about the administrative configuration of the
-OpenShift cluster that is configured on the system. Protection of this file is
-critical for OpenShift security.
-
-The file is provided via a ConfigMap mount, so the kubelet itself makes sure that the
-file permissions are appropriate for the container taking it into use.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-on-sdn"/>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.9</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>CNI (Container Network Interface) files consist of a specification and libraries for
+writing plugins to configure network interfaces in Linux containers, along with a number
+of supported plugins. Allowing writeable access to the files could allow an attacker to modify
+the networking configuration potentially adding a rogue network connection.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-node"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84202-1</xccdf-1.2:ident>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_permissions_ovs_conf_db_lock:def:1"/>
+            </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_owner_proxy_kubeconfig_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_permissions_ovs_conf_db_lock_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_worker_ca" severity="medium">
-            <xccdf-1.2:title>Verify User Who Owns the Worker Certificate Authority File</xccdf-1.2:title>
-            <xccdf-1.2:description> To properly set the owner of <html:code>/etc/kubernetes/kubelet-ca.crt</html:code>, run the command: <html:pre>$ sudo chown root /etc/kubernetes/kubelet-ca.crt </html:pre></xccdf-1.2:description>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_ovs_pid" severity="medium">
+            <xccdf-1.2:title>Verify Permissions on the Open vSwitch Process ID File</xccdf-1.2:title>
+            <xccdf-1.2:description>
+To properly set the permissions of <html:code>/var/run/openvswitch/ovs-vswitchd.pid</html:code>, run the command:
+<html:pre>$ sudo chmod 0644 /var/run/openvswitch/ovs-vswitchd.pid</html:pre></xccdf-1.2:description>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
@@ -14868,22 +16658,25 @@ file permissions are appropriate for the container taking it into use.</xccdf-1.
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.1.8</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>The worker certificate authority file contains the certificate authority
-certificate for an OpenShift node that is configured on the system. Protection of this file is
-critical for OpenShift security.</xccdf-1.2:rationale>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.9</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>CNI (Container Network Interface) files consist of a specification and libraries for
+writing plugins to configure network interfaces in Linux containers, along with a number
+of supported plugins. Allowing writeable access to the files could allow an attacker to modify
+the networking configuration potentially adding a rogue network connection.</xccdf-1.2:rationale>
             <xccdf-1.2:platform idref="#ocp4-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83495-2</xccdf-1.2:ident>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83666-8</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_owner_worker_ca:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_permissions_ovs_pid:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_owner_worker_ca_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_permissions_ovs_pid_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_worker_kubeconfig" severity="medium">
-            <xccdf-1.2:title>Verify User Who Owns The Worker Kubeconfig File</xccdf-1.2:title>
-            <xccdf-1.2:description> To properly set the owner of <html:code>/var/lib/kubelet/kubeconfig</html:code>, run the command: <html:pre>$ sudo chown root /var/lib/kubelet/kubeconfig </html:pre></xccdf-1.2:description>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_ovs_sys_id_conf" severity="medium">
+            <xccdf-1.2:title>Verify Permissions on the Open vSwitch Persistent System ID</xccdf-1.2:title>
+            <xccdf-1.2:description>
+To properly set the permissions of <html:code>/etc/openvswitch/system-id.conf</html:code>, run the command:
+<html:pre>$ sudo chmod 0644 /etc/openvswitch/system-id.conf</html:pre></xccdf-1.2:description>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
@@ -14892,24 +16685,25 @@ critical for OpenShift security.</xccdf-1.2:rationale>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.1.10</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>The worker kubeconfig file contains information about the administrative configuration of the
-OpenShift cluster that is configured on the system. Protection of this file is
-critical for OpenShift security.</xccdf-1.2:rationale>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.9</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>CNI (Container Network Interface) files consist of a specification and libraries for
+writing plugins to configure network interfaces in Linux containers, along with a number
+of supported plugins. Allowing writeable access to the files could allow an attacker to modify
+the networking configuration potentially adding a rogue network connection.</xccdf-1.2:rationale>
             <xccdf-1.2:platform idref="#ocp4-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83408-5</xccdf-1.2:ident>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83400-2</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_owner_worker_kubeconfig:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_permissions_ovs_sys_id_conf:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_owner_worker_kubeconfig_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_permissions_ovs_sys_id_conf_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_worker_service" severity="medium">
-            <xccdf-1.2:title>Verify User Who Owns The OpenShift Node Service File</xccdf-1.2:title>
-            <xccdf-1.2:description>'
-  To properly set the owner of <html:code>/etc/systemd/system/kubelet.service</html:code>, run the command:
-  <html:pre>$ sudo chown root /etc/systemd/system/kubelet.service </html:pre>'</xccdf-1.2:description>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_ovs_vswitchd_pid" severity="medium">
+            <xccdf-1.2:title>Verify Permissions on the Open vSwitch Daemon PID File</xccdf-1.2:title>
+            <xccdf-1.2:description>
+To properly set the permissions of <html:code>/run/openvswitch/ovs-vswitchd.pid</html:code>, run the command:
+<html:pre>$ sudo chmod 0644 /run/openvswitch/ovs-vswitchd.pid</html:pre></xccdf-1.2:description>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
@@ -14918,25 +16712,25 @@ critical for OpenShift security.</xccdf-1.2:rationale>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>The <html:code>/etc/systemd/system/kubelet.service</html:code>
-file contains information about the configuration of the
-OpenShift node service that is configured on the system. Protection of this file is
-critical for OpenShift security.</xccdf-1.2:rationale>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.9</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>CNI (Container Network Interface) files consist of a specification and libraries for
+writing plugins to configure network interfaces in Linux containers, along with a number
+of supported plugins. Allowing writeable access to the files could allow an attacker to modify
+the networking configuration potentially adding a rogue network connection.</xccdf-1.2:rationale>
             <xccdf-1.2:platform idref="#ocp4-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84193-2</xccdf-1.2:ident>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83710-4</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_owner_worker_service:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_permissions_ovs_vswitchd_pid:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_owner_worker_service_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_permissions_ovs_vswitchd_pid_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_kubelet" severity="medium">
-            <xccdf-1.2:title>Verify Permissions on The Kubelet Configuration File</xccdf-1.2:title>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_ovsdb_server_pid" severity="medium">
+            <xccdf-1.2:title>Verify Permissions on the Open vSwitch Database Server PID</xccdf-1.2:title>
             <xccdf-1.2:description>
-To properly set the permissions of <html:code>/var/lib/kubelet/config.json</html:code>, run the command:
-<html:pre>$ sudo chmod 0600 /var/lib/kubelet/config.json</html:pre></xccdf-1.2:description>
+To properly set the permissions of <html:code>/run/openvswitch/ovsdb-server.pid</html:code>, run the command:
+<html:pre>$ sudo chmod 0644 /run/openvswitch/ovsdb-server.pid</html:pre></xccdf-1.2:description>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
@@ -14945,25 +16739,28 @@ To properly set the permissions of <html:code>/var/lib/kubelet/config.json</html
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.1.5</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>If the kubelet configuration file is writable by a group-owner or the
-world the risk of its compromise is increased. The file contains the configuration of
-an OpenShift node that is configured on the system. Protection of this file is
-critical for OpenShift security.</xccdf-1.2:rationale>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.9</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>CNI (Container Network Interface) files consist of a specification and libraries for
+writing plugins to configure network interfaces in Linux containers, along with a number
+of supported plugins. Allowing writeable access to the files could allow an attacker to modify
+the networking configuration potentially adding a rogue network connection.</xccdf-1.2:rationale>
             <xccdf-1.2:platform idref="#ocp4-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-85896-9</xccdf-1.2:ident>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83679-1</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_permissions_kubelet:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_permissions_ovsdb_server_pid:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_permissions_kubelet_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_permissions_ovsdb_server_pid_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_kubelet_conf" severity="medium">
-            <xccdf-1.2:title>Verify Permissions on The Kubelet Configuration File</xccdf-1.2:title>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_scheduler" severity="medium">
+            <xccdf-1.2:title>Verify Permissions on the Kubernetes Scheduler Pod Specification File</xccdf-1.2:title>
             <xccdf-1.2:description>
-To properly set the permissions of <html:code>/etc/kubernetes/kubelet.conf</html:code>, run the command:
-<html:pre>$ sudo chmod 0644 /etc/kubernetes/kubelet.conf</html:pre></xccdf-1.2:description>
+To properly set the permissions of <html:code>/etc/kubernetes/static-pod-resources/kube-scheduler-pod-*/kube-scheduler-pod.yaml</html:code>, run the command:
+<html:pre>$ sudo chmod 0644 /etc/kubernetes/static-pod-resources/kube-scheduler-pod-*/kube-scheduler-pod.yaml</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:warning category="dependency">This rule is only applicable for nodes that run the Kubernetes Scheduler service.
+The aforementioned service is only running on the nodes labeled
+"master" by default.</xccdf-1.2:warning>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
@@ -14972,71 +16769,71 @@ To properly set the permissions of <html:code>/etc/kubernetes/kubelet.conf</html
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.1.5</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>If the kubelet configuration file is writable by a group-owner or the
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.5</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>If the Kubernetes specification file is writable by a group-owner or the
 world the risk of its compromise is increased. The file contains the configuration of
-an OpenShift node that is configured on the system. Protection of this file is
+an Kubernetes Scheduler service that is configured on the system. Protection of this file is
 critical for OpenShift security.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83470-5</xccdf-1.2:ident>
+            <xccdf-1.2:platform idref="#ocp4-master-node"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84057-9</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_permissions_kubelet_conf:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_permissions_scheduler:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_permissions_kubelet_conf_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_permissions_scheduler_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_proxy_kubeconfig" severity="medium">
-            <xccdf-1.2:title>Verify Permissions on the Worker Proxy Kubeconfig File</xccdf-1.2:title>
-            <xccdf-1.2:description>To ensure the Kubernetes ConfigMap is mounted into the sdn daemonset pods with the
-correct permissions, make sure that the <html:code>sdn-config</html:code> ConfigMap is mounted using
-restrictive permissions. Check that the <html:code>config</html:code> VolumeMount mounts the
-<html:code>sdn-config</html:code> configMap with permissions set to 420:
-<html:pre>
-{
-"configMap": {
-  "defaultMode": 420,
-  "name": "sdn-config"
-  },
-"name": "config"
-}
-</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">This rule's check operates on the cluster configuration dump.
-Therefore, you need to use a tool that can query the OCP API, retrieve the <html:code class="ocp-api-endpoint">/apis/apps/v1/namespaces/openshift-sdn/daemonsets/sdn</html:code> API endpoint to the local <html:code class="ocp-dump-location"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>/apis/apps/v1/namespaces/openshift-sdn/daemonsets/sdn</html:code> file.</xccdf-1.2:warning>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_scheduler_kubeconfig" severity="medium">
+            <xccdf-1.2:title>Verify Permissions on the Kubernetes Scheduler Kubeconfig File</xccdf-1.2:title>
+            <xccdf-1.2:description>
+To properly set the permissions of <html:code>/etc/kubernetes/static-pod-resources/kube-scheduler-pod-*/configmaps/scheduler-kubeconfig/kubeconfig</html:code>, run the command:
+<html:pre>$ sudo chmod 0644 /etc/kubernetes/static-pod-resources/kube-scheduler-pod-*/configmaps/scheduler-kubeconfig/kubeconfig</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:warning category="dependency">This rule is only applicable for nodes that run the Kubernetes Scheduler service.
+The aforementioned service is only running on the nodes labeled
+"master" by default.</xccdf-1.2:warning>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
             <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-2.2</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.1.3</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>The kube-proxy kubeconfig file controls various parameters of the kube-proxy
-service in the worker node. If used, you should restrict its file permissions
-to maintain the integrity of the file. The file should be writable by only
-the administrators on the system.
-
-The kube-proxy runs with the kubeconfig parameters configured as
-a Kubernetes ConfigMap instead of a file. In this case, there is no proxy
-kubeconfig file. But appropriate permissions still need to be set in the
-ConfigMap mount.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-on-sdn"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84047-0</xccdf-1.2:ident>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.15</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>The kubeconfig for the Scheduler contains paramters for the scheduler
+to access the Kube API. You should restrict its file permissions to maintain
+the integrity of the file. The file should be writable by only the
+administrators on the system.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-master-node"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83772-4</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_permissions_proxy_kubeconfig:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_permissions_scheduler_kubeconfig:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_permissions_proxy_kubeconfig_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_permissions_scheduler_kubeconfig_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_worker_ca" severity="medium">
-            <xccdf-1.2:title>Verify Permissions on the Worker Certificate Authority File</xccdf-1.2:title>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_var_lib_etcd" severity="medium">
+            <xccdf-1.2:title>The OpenShift etcd Data Directory Must Have Mode 0700</xccdf-1.2:title>
             <xccdf-1.2:description>
-To properly set the permissions of <html:code>/etc/kubernetes/kubelet-ca.crt</html:code>, run the command:
-<html:pre>$ sudo chmod 0644 /etc/kubernetes/kubelet-ca.crt</html:pre></xccdf-1.2:description>
+To properly set the permissions of <html:code>/var/lib/etcd</html:code>, run the command:
+<html:pre>$ sudo chmod 0700 /var/lib/etcd</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.11</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>The <html:code>/var/lib/etcd</html:code> directory contains highly-avaliable distributed key/value data storage
+across an OpenShift cluster. Allowing access to users to this directory could compromise OpenShift
+data and the cluster.</xccdf-1.2:rationale>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_permissions_var_lib_etcd:def:1"/>
+            </xccdf-1.2:check>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_permissions_var_lib_etcd_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_perms_openshift_sdn_cniserver_config" severity="medium">
+            <xccdf-1.2:title>Verify Permissions on the OpenShift SDN CNI Server Config</xccdf-1.2:title>
+            <xccdf-1.2:description>
+To properly set the permissions of <html:code>/var/run/openshift-sdn/cniserver/config.json</html:code>, run the command:
+<html:pre>$ sudo chmod 0444 /var/run/openshift-sdn/cniserver/config.json</html:pre></xccdf-1.2:description>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
@@ -15045,3518 +16842,5879 @@ To properly set the permissions of <html:code>/etc/kubernetes/kubelet-ca.crt</ht
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.1.7</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>If the worker certificate authority file is writable by a group-owner or the
-world the risk of its compromise is increased. The file contains the certificate authority
-certificate for an OpenShift node that is configured on the system. Protection of this file is
-critical for OpenShift security.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83493-7</xccdf-1.2:ident>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.1.9</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>CNI (Container Network Interface) files consist of a specification and libraries for
+writing plugins to configure network interfaces in Linux containers, along with a number
+of supported plugins. Allowing writeable access to the files could allow an attacker to modify
+the networking configuration potentially adding a rogue network connection.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-node-on-sdn"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83927-4</xccdf-1.2:ident>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_permissions_worker_ca:def:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_perms_openshift_sdn_cniserver_config:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_permissions_worker_ca_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_perms_openshift_sdn_cniserver_config_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_worker_kubeconfig" severity="medium">
-            <xccdf-1.2:title>Verify Permissions on the Worker Kubeconfig File</xccdf-1.2:title>
+        </xccdf-1.2:Group>
+        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_networking">
+          <xccdf-1.2:title>Kubernetes - Network Configuration and Firewalls</xccdf-1.2:title>
+          <xccdf-1.2:description>Most systems must be connected to a network of some
+sort, and this brings with it the substantial risk of network
+attack. This section discusses the security impact of decisions
+about networking which must be made when configuring a system.
+<html:br/><html:br/>
+This section also discusses firewalls, network access
+controls, and other network security frameworks, which allow
+system-level rules to be written that can limit an attackers' ability
+to connect to your system. These rules can specify that network
+traffic should be allowed or denied from certain IP addresses,
+hosts, and networks. The rules can also specify which of the
+system's network services are available to particular hosts or
+networks.</xccdf-1.2:description>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_cluster_wide_proxy_set" severity="medium">
+            <xccdf-1.2:title>Ensure that cluster-wide proxy is set</xccdf-1.2:title>
             <xccdf-1.2:description>
-To properly set the permissions of <html:code>/var/lib/kubelet/kubeconfig</html:code>, run the command:
-<html:pre>$ sudo chmod 0600 /var/lib/kubelet/kubeconfig</html:pre></xccdf-1.2:description>
+              <html:p>
+Production environments can deny direct access to the Internet and instead have
+an HTTP or HTTPS proxy available.
+</html:p>
+              <html:p>
+The Proxy object is used to manage the cluster-wide egress proxy. Setting this
+will ensure that containers get the appropriate environment variables set
+to ensure traffic goes to the proxy per organizational requirements.
+</html:p>
+              <html:p>
+For more information, see <html:a href="https://docs.openshift.com/container-platform/latest/networking/enable-cluster-wide-proxy.html">the relevant documentation.</html:a>
+</html:p>
+            </xccdf-1.2:description>
+            <xccdf-1.2:warning category="general">This rule's check operates on the cluster configuration dump.
+Therefore, you need to use a tool that can query the OCP API, retrieve the <html:code class="ocp-api-endpoint">/apis/config.openshift.io/v1/proxies/cluster</html:code> API endpoint to the local <html:code class="ocp-dump-location"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>/apis/config.openshift.io/v1/proxies/cluster</html:code> file.</xccdf-1.2:warning>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(8)</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>External networks tend to be outside of organizational control. By ensuring
+that egress traffic goes through an authorized proxy, one is able to ensure
+that expected and safe traffic is coming out, and malicious actors
+aren't leaking sensitive information, or calling back from a central command
+center to get further instructions upon intrusion.</xccdf-1.2:rationale>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-90765-9</xccdf-1.2:ident>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-cluster_wide_proxy_set:def:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_configure_network_policies" severity="high">
+            <xccdf-1.2:title>Ensure that the CNI in use supports Network Policies</xccdf-1.2:title>
+            <xccdf-1.2:description>There are a variety of CNI plugins available for Kubernetes. If the CNI in
+use does not support Network Policies it may not be possible to effectively
+restrict traffic in the cluster. OpenShift supports Kubernetes NetworkPolicy
+using a Kubernetes Container Network Interface (CNI) plug-in.</xccdf-1.2:description>
+            <xccdf-1.2:warning category="general">This rule's check operates on the cluster configuration dump.
+Therefore, you need to use a tool that can query the OCP API, retrieve the following:
+<html:ul><html:li><html:code class="ocp-api-endpoint" id="35e33d6dc1252a03495b35bd1751cac70041a511fa4d282c300a8b83b83e3498">/apis/operator.openshift.io/v1/networks/cluster</html:code>
+    API endpoint, filter with with the <html:code>jq</html:code> utility using the following filter
+    <html:code class="ocp-api-filter" id="filter-35e33d6dc1252a03495b35bd1751cac70041a511fa4d282c300a8b83b83e3498">[.spec.defaultNetwork.type]</html:code>
+    and persist it to the local
+    <html:code class="ocp-dump-location" id="dump-35e33d6dc1252a03495b35bd1751cac70041a511fa4d282c300a8b83b83e3498"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>/apis/operator.openshift.io/v1/networks/cluster#35e33d6dc1252a03495b35bd1751cac70041a511fa4d282c300a8b83b83e3498</html:code>
+    file.
+  </html:li></html:ul></xccdf-1.2:warning>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
             <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-1.1.4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-1.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-2.2</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.1.9</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>If the worker kubeconfig file is writable by a group-owner or the
-world the risk of its compromise is increased. The file contains the administration configuration of the
-OpenShift cluster that is configured on the system. Protection of this file is
-critical for OpenShift security.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83509-0</xccdf-1.2:ident>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000038-CTR-000105</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000039-CTR-000110</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">5.3.1</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>Kubernetes network policies are enforced by the CNI plugin in use. As such
+it is important to ensure that the CNI plugin supports both Ingress and
+Egress network policies.</xccdf-1.2:rationale>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_permissions_worker_kubeconfig:def:1"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-configure_network_policies:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_permissions_worker_kubeconfig_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-configure_network_policies_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_worker_service" severity="medium">
-            <xccdf-1.2:title>Verify Permissions on the OpenShift Node Service File</xccdf-1.2:title>
-            <xccdf-1.2:description>
-To properly set the permissions of <html:code>/etc/systemd/system/kubelet.service</html:code>, run the command:
-<html:pre>$ sudo chmod 0644 /etc/systemd/system/kubelet.service</html:pre></xccdf-1.2:description>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_configure_network_policies_namespaces" severity="high">
+            <xccdf-1.2:title>Ensure that application Namespaces have Network Policies defined.</xccdf-1.2:title>
+            <xccdf-1.2:description>Use network policies to isolate traffic in your cluster network.</xccdf-1.2:description>
+            <xccdf-1.2:warning category="general">This rule's check operates on the cluster configuration dump.
+Therefore, you need to use a tool that can query the OCP API, retrieve the following:
+<html:ul><html:li><html:code class="ocp-api-endpoint" id="51742b3e87275db9eb7fc6c0286a9e536178a2a83e3670b615ceaf545e7fd300">/apis/networking.k8s.io/v1/networkpolicies</html:code>
+    API endpoint, filter with with the <html:code>jq</html:code> utility using the following filter
+    <html:code class="ocp-api-filter" id="filter-51742b3e87275db9eb7fc6c0286a9e536178a2a83e3670b615ceaf545e7fd300">[.items[] | select((.metadata.namespace | startswith("openshift") | not) and (.metadata.namespace | startswith("kube-") | not) and .metadata.namespace != "default") | .metadata.namespace] | unique</html:code>
+    and persist it to the local
+    <html:code class="ocp-dump-location" id="dump-51742b3e87275db9eb7fc6c0286a9e536178a2a83e3670b615ceaf545e7fd300"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>/apis/networking.k8s.io/v1/networkpolicies#51742b3e87275db9eb7fc6c0286a9e536178a2a83e3670b615ceaf545e7fd300</html:code>
+    file.
+  </html:li><html:li><html:code class="ocp-api-endpoint" id="34d4beecc95c65d815d9d48fd4fdcb0c521631852ad088ef74e36d012b0e1e0d">/api/v1/namespaces</html:code>
+    API endpoint, filter with with the <html:code>jq</html:code> utility using the following filter
+    <html:code class="ocp-api-filter" id="filter-34d4beecc95c65d815d9d48fd4fdcb0c521631852ad088ef74e36d012b0e1e0d">[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default")]</html:code>
+    and persist it to the local
+    <html:code class="ocp-dump-location" id="dump-34d4beecc95c65d815d9d48fd4fdcb0c521631852ad088ef74e36d012b0e1e0d"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>/api/v1/namespaces#34d4beecc95c65d815d9d48fd4fdcb0c521631852ad088ef74e36d012b0e1e0d</html:code>
+    file.
+  </html:li></html:ul></xccdf-1.2:warning>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R4.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.4</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4(21)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CA-3(5)</xccdf-1.2:reference>
             <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
             <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(3)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(5)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(8)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(12)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(13)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(18)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(10)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-4(22)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-1.1.4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-1.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-1.2.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-1.3.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-1.3.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-2.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000038-CTR-000105</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000039-CTR-000110</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000141-CTR-000315</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000141-CTR-000320</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000142-CTR-000325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000142-CTR-000330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
             <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>If the <html:code>/etc/systemd/system/kubelet.service</html:code>
-file is writable by a group-owner or the
-world the risk of its compromise is increased. The file contains the service configuration of the
-OpenShift node service that is configured on the system. Protection of this file is
-critical for OpenShift security.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ocp4-node"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83455-6</xccdf-1.2:ident>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000645-CTR-001410</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">5.3.2</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>Running different applications on the same Kubernetes cluster creates a risk of one
+compromised application attacking a neighboring application. Network segmentation is
+important to ensure that containers can communicate only with those they are supposed
+to. When a network policy is introduced to a given namespace, all traffic not allowed
+by the policy is denied. However, if there are no network policies in a namespace all
+traffic will be allowed into and out of the pods in that namespace.</xccdf-1.2:rationale>
             <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_permissions_worker_service:def:1"/>
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-configure_network_policies_namespaces:def:1"/>
             </xccdf-1.2:check>
             <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_permissions_worker_service_ocil:questionnaire:1"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-configure_network_policies_namespaces_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_default_ingress_ca_replaced" severity="medium">
+            <xccdf-1.2:title>Ensure that the default Ingress CA (wildcard issuer) has been replaced</xccdf-1.2:title>
+            <xccdf-1.2:description>Check that the default Ingress CA has been replaced.</xccdf-1.2:description>
+            <xccdf-1.2:warning category="general">This rule's check operates on the cluster configuration dump.
+Therefore, you need to use a tool that can query the OCP API, retrieve the <html:code class="ocp-api-endpoint">/apis/config.openshift.io/v1/proxies/cluster</html:code> API endpoint to the local <html:code class="ocp-dump-location"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>/apis/config.openshift.io/v1/proxies/cluster</html:code> file.</xccdf-1.2:warning>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-17</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>OpenShift auto-generates several PKIs to serve TLS on different
+endpoints of the system. It is possible and necessary to configure a
+custom PKI which allows external clients to trust the endpoints.
+
+The Ingress Operator is the component responsible for enabling external
+access to OpenShift Container Platform cluster services. The aforementioned
+operator creates an internal CA and issues a wildcard certificate that is
+valid for applications under the .apps sub-domain. Both the web console
+and CLI use this certificate as well. The certificate and key would need
+to be replaced since a certificate coming from a trusted provider is
+needed.
+
+
+      <html:a href="https://docs.openshift.com/container-platform/latest/security/certificates/replacing-default-ingress-certificate.html">https://docs.openshift.com/container-platform/latest/security/certificates/replacing-default-ingress-certificate.html</html:a></xccdf-1.2:rationale>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-default_ingress_ca_replaced:def:1"/>
+            </xccdf-1.2:check>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-default_ingress_ca_replaced_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_ingress_controller_certificate" severity="medium">
+            <xccdf-1.2:title>Ensure that the default Ingress certificate has been replaced</xccdf-1.2:title>
+            <xccdf-1.2:description>Check that the default Ingress certificate has been replaced.</xccdf-1.2:description>
+            <xccdf-1.2:warning category="general">This rule's check operates on the cluster configuration dump.
+Therefore, you need to use a tool that can query the OCP API, retrieve the <html:code class="ocp-api-endpoint">/apis/operator.openshift.io/v1/namespaces/openshift-ingress-operator/ingresscontrollers/default</html:code> API endpoint to the local <html:code class="ocp-dump-location"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>/apis/operator.openshift.io/v1/namespaces/openshift-ingress-operator/ingresscontrollers/default</html:code> file.</xccdf-1.2:warning>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>OpenShift auto-generates several PKIs to serve TLS on different
+endpoints of the system. It is possible and necessary to configure a
+custom PKI which allows external clients to trust the endpoints.
+
+The Ingress Operator is the component responsible for enabling external
+access to OpenShift Container Platform cluster services. The aforementioned
+operator creates an internal CA and issues a wildcard certificate that is
+valid for applications under the .apps sub-domain. Both the web console
+and CLI use this certificate as well. The certificate and key would need
+to be replaced since a certificate coming from a trusted provider is
+needed.
+
+
+      <html:a href="https://docs.openshift.com/container-platform/latest/security/certificates/replacing-default-ingress-certificate.html">https://docs.openshift.com/container-platform/latest/security/certificates/replacing-default-ingress-certificate.html</html:a></xccdf-1.2:rationale>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-ingress_controller_certificate:def:1"/>
+            </xccdf-1.2:check>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-ingress_controller_certificate_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_route_ip_whitelist" severity="medium">
+            <xccdf-1.2:title>Ensure that all Routes has rate limit enabled</xccdf-1.2:title>
+            <xccdf-1.2:description>OpenShift has an option to set the IP whitelist for Routes [1] when
+creating new Routes. All routes outside the openshift namespaces and 
+the kube namespaces should use the IP whitelist annotations. Requests
+from IP addresses that are not in the whitelist are dropped.
+
+[1] https://docs.openshift.com/container-platform/latest/networking/routes/route-configuration.html#nw-route-specific-annotations_route-configuration</xccdf-1.2:description>
+            <xccdf-1.2:warning category="general">This rule's check operates on the cluster configuration dump.
+Therefore, you need to use a tool that can query the OCP API, retrieve the following:
+<html:ul><html:li><html:code class="ocp-api-endpoint" id="aec152a4446d7917fcbebee892a2ec3fbdef3b71cc0784c9457b2e54fd64dd3b">/apis/route.openshift.io/v1/routes?limit=500</html:code>
+    API endpoint, filter with with the <html:code>jq</html:code> utility using the following filter
+    <html:code class="ocp-api-filter" id="filter-aec152a4446d7917fcbebee892a2ec3fbdef3b71cc0784c9457b2e54fd64dd3b">[.items[] | select(.metadata.namespace | startswith("kube-") or startswith("openshift-") | not) | select(.metadata.annotations["haproxy.router.openshift.io/ip_whitelist"] | not) | .metadata.name]</html:code>
+    and persist it to the local
+    <html:code class="ocp-dump-location" id="dump-aec152a4446d7917fcbebee892a2ec3fbdef3b71cc0784c9457b2e54fd64dd3b"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>/apis/route.openshift.io/v1/routes?limit=500#aec152a4446d7917fcbebee892a2ec3fbdef3b71cc0784c9457b2e54fd64dd3b</html:code>
+    file.
+  </html:li></html:ul></xccdf-1.2:warning>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(5)</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>The usage of IP whitelist for Routes provides basic protection against unwanted access.</xccdf-1.2:rationale>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-90596-8</xccdf-1.2:ident>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-route_ip_whitelist:def:1"/>
+            </xccdf-1.2:check>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-route_ip_whitelist_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_routes_protected_by_tls" severity="medium">
+            <xccdf-1.2:title>Ensure that all OpenShift Routes prefer TLS</xccdf-1.2:title>
+            <xccdf-1.2:description>OpenShift Container Platform provides methods for communicating from
+outside the cluster with services running in the cluster. TLS must
+be used to protect these communications. OpenShift
+Routes provide the ability to configure the needed TLS settings. With
+these, one is able to configure that any request coming from the outside
+must use TLS. To verify this, ensure that every Route in the system
+has a policy of <html:code>Disable</html:code> or <html:code>Redirect</html:code> to ensure a
+secure endpoint is used. The aforementioned policy will be set in
+a Routes <html:code>.spec.tls.insecureEdgeTerminationPolicy</html:code> setting.</xccdf-1.2:description>
+            <xccdf-1.2:warning category="general">This rule's check operates on the cluster configuration dump.
+Therefore, you need to use a tool that can query the OCP API, retrieve the <html:code class="ocp-api-endpoint">/apis/route.openshift.io/v1/routes?limit=500</html:code> API endpoint to the local <html:code class="ocp-dump-location"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>/apis/route.openshift.io/v1/routes?limit=500</html:code> file.</xccdf-1.2:warning>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R4.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R7.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4(21)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(3)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-8</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-8(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-8(2)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-6.5.4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000038-CTR-000105</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000039-CTR-000110</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000441-CTR-001090</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000442-CTR-001095</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>Using clear-text in communications coming to or from outside
+the cluster's network may leak sensitive information.</xccdf-1.2:rationale>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84225-2</xccdf-1.2:ident>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-routes_protected_by_tls:def:1"/>
+            </xccdf-1.2:check>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-routes_protected_by_tls_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_routes_rate_limit" severity="medium">
+            <xccdf-1.2:title>Ensure that all Routes has rate limit enabled</xccdf-1.2:title>
+            <xccdf-1.2:description>OpenShift has an option to set the rate limit for Routes [1] when creating new Routes.
+All routes outside the openshift namespaces and the kube namespaces should use the
+rate-limiting annotations.
+
+[1] https://docs.openshift.com/container-platform/4.9/networking/routes/route-configuration.html#nw-route-specific-annotations_route-configuration</xccdf-1.2:description>
+            <xccdf-1.2:warning category="general">This rule's check operates on the cluster configuration dump.
+Therefore, you need to use a tool that can query the OCP API, retrieve the following:
+<html:ul><html:li><html:code class="ocp-api-endpoint" id="842fa6716f17342d62e70f2755db709b9d7a161cf0338ea8bfae9b06dab5e6cc">/apis/route.openshift.io/v1/routes?limit=500</html:code>
+    API endpoint, filter with with the <html:code>jq</html:code> utility using the following filter
+    <html:code class="ocp-api-filter" id="filter-842fa6716f17342d62e70f2755db709b9d7a161cf0338ea8bfae9b06dab5e6cc">[.items[] | select(.metadata.namespace | startswith("kube-") or startswith("openshift-") | not) | select(.metadata.annotations["haproxy.router.openshift.io/rate-limit-connections"] == "true" | not) | .metadata.name]</html:code>
+    and persist it to the local
+    <html:code class="ocp-dump-location" id="dump-842fa6716f17342d62e70f2755db709b9d7a161cf0338ea8bfae9b06dab5e6cc"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>/apis/route.openshift.io/v1/routes?limit=500#842fa6716f17342d62e70f2755db709b9d7a161cf0338ea8bfae9b06dab5e6cc</html:code>
+    file.
+  </html:li></html:ul></xccdf-1.2:warning>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5(2)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000246-CTR-000605</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000435-CTR-001070</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>The usage of rate limit for Routes provides basic protection against distributed denial-of-service (DDoS) attacks.</xccdf-1.2:rationale>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-90779-0</xccdf-1.2:ident>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-routes_rate_limit:def:1"/>
+            </xccdf-1.2:check>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-routes_rate_limit_ocil:questionnaire:1"/>
             </xccdf-1.2:check>
           </xccdf-1.2:Rule>
         </xccdf-1.2:Group>
-      </xccdf-1.2:Group>
-    </xccdf-1.2:Benchmark>
-  </ds:component>
-  <ds:component id="scap_org.open-scap_comp_ssg-ocp4-oval.xml" timestamp="2022-08-11T18:55:00">
-    <oval-def:oval_definitions xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd         http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd         http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd         http://oval.mitre.org/XMLSchema/oval-definitions-5#unix unix-definitions-schema.xsd         http://oval.mitre.org/XMLSchema/oval-definitions-5#linux linux-definitions-schema.xsd">
-      <oval-def:generator>
-        <oval:product_name>combine_ovals.py from SCAP Security Guide</oval:product_name>
-        <oval:product_version>ssg: [0, 1, 64], python: 3.10.6</oval:product_version>
-        <oval:schema_version>5.11</oval:schema_version>
-        <oval:timestamp>2022-08-11T18:54:56</oval:timestamp>
-      </oval-def:generator>
-      <oval-def:definitions>
-        <oval-def:definition class="compliance" id="oval:ssg-api_server_api_priority_flowschema_catch_all:def:1" version="1">
+        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_openshift-api-server">
+          <xccdf-1.2:title>OpenShift API Server</xccdf-1.2:title>
+          <xccdf-1.2:description>This section contains recommendations for openshift-apiserver configuration.</xccdf-1.2:description>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_openshift_api_server_audit_log_path" severity="high">
+            <xccdf-1.2:title>Configure the Audit Log Path</xccdf-1.2:title>
+            <xccdf-1.2:description>To enable auditing on the OpenShift API Server, the audit log path must be set.
+Edit the <html:code>openshift-apiserver</html:code> configmap
+and set the <html:code>audit-log-path</html:code> to a suitable path and file
+where audit logs should be written. For example:
+<html:pre>
+"apiServerArguments":{
+  ...
+  "audit-log-path":"/var/log/openshift-apiserver/audit.log",
+  ...
+</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:warning category="general">This rule's check operates on the cluster configuration dump.
+Therefore, you need to use a tool that can query the OCP API, retrieve the <html:code class="ocp-api-endpoint">/api/v1/namespaces/openshift-apiserver/configmaps/config</html:code> API endpoint to the local <html:code class="ocp-dump-location"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>/api/v1/namespaces/openshift-apiserver/configmaps/config</html:code> file.</xccdf-1.2:warning>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-2.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.2.22</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>Auditing of the API Server is not enabled by default. Auditing the API Server
+provides a security-relevant chronological set of records documenting the sequence
+of activities that have affected the system by users, administrators, or other
+system components.</xccdf-1.2:rationale>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83547-0</xccdf-1.2:ident>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-openshift_api_server_audit_log_path:def:1"/>
+            </xccdf-1.2:check>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-openshift_api_server_audit_log_path_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+        </xccdf-1.2:Group>
+        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_rbac">
+          <xccdf-1.2:title>Role-based Acess Control</xccdf-1.2:title>
+          <xccdf-1.2:description>Role-based access control (RBAC) objects determine
+whether a user is allowed to perform a given action
+within a project.
+
+Cluster administrators can use the cluster roles and
+bindings to control who has various access levels to
+the OpenShift Container Platform platform itself
+and all projects.
+
+Developers can use local roles and bindings to control
+who has access to their projects. Note that authorization
+is a separate step from authentication, which is more
+about determining the identity of who is taking the action.</xccdf-1.2:description>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_rbac_cluster_roles_defined" severity="medium">
+            <xccdf-1.2:title>Ensure cluster roles are defined in the cluster</xccdf-1.2:title>
+            <xccdf-1.2:description>
+              <html:p>
+RBAC is a critical feature in terms of security for Kubernetes and
+OpenShift. It enables administrators to segment the privileges
+granted to a service account, and thus allows us to limit the
+access to resources that they get. By defining cluster roles appropriately
+one is able to codify organizational policy. [1]
+</html:p>
+              <html:p>
+[1] 
+      <html:a href="https://docs.openshift.com/container-platform/latest/authentication/using-rbac.html">https://docs.openshift.com/container-platform/latest/authentication/using-rbac.html</html:a>
+</html:p>
+            </xccdf-1.2:description>
+            <xccdf-1.2:warning category="general">This rule's check operates on the cluster configuration dump.
+Therefore, you need to use a tool that can query the OCP API, retrieve the <html:code class="ocp-api-endpoint">/apis/rbac.authorization.k8s.io/v1/clusterroles?limit=1000</html:code> API endpoint to the local <html:code class="ocp-dump-location"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>/apis/rbac.authorization.k8s.io/v1/clusterroles?limit=1000</html:code> file.</xccdf-1.2:warning>
+            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-7.1.1</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>By defining RBAC cluster roles, one is able to limit the permissions
+given to a Service Account, and thus limit the blast radius
+that an account compromise would have.</xccdf-1.2:rationale>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-86595-6</xccdf-1.2:ident>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-rbac_cluster_roles_defined:def:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_rbac_debug_role_protects_pprof" severity="medium">
+            <xccdf-1.2:title>Profiling is protected by RBAC</xccdf-1.2:title>
+            <xccdf-1.2:description>Ensure that the cluster-debugger cluster role includes the /debug/pprof
+resource URL. This demonstrates that profiling is protected by RBAC, with a
+specific cluster role to allow access.</xccdf-1.2:description>
+            <xccdf-1.2:warning category="general">This rule's check operates on the cluster configuration dump.
+Therefore, you need to use a tool that can query the OCP API, retrieve the <html:code class="ocp-api-endpoint">/apis/rbac.authorization.k8s.io/v1/clusterroles/cluster-debugger</html:code> API endpoint to the local <html:code class="ocp-dump-location"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>/apis/rbac.authorization.k8s.io/v1/clusterroles/cluster-debugger</html:code> file.</xccdf-1.2:warning>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-2.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.3.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.4.1</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>Profiling allows for the identification of specific performance bottlenecks.
+It generates a significant amount of program data that could potentially be
+exploited to uncover system and program details. If you are not experiencing
+any bottlenecks and do not need the profiler for troubleshooting purposes, it
+is recommended to turn it off to reduce the potential attack surface. To
+ensure the collected data is not exploited, profiling endpoints are secured
+via RBAC (see cluster-debugger role). By default, the profiling endpoints are
+accessible only by users bound to cluster-admin or cluster-debugger role.
+Profiling can not be disabled.</xccdf-1.2:rationale>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84182-5</xccdf-1.2:ident>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-rbac_debug_role_protects_pprof:def:1"/>
+            </xccdf-1.2:check>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-rbac_debug_role_protects_pprof_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_rbac_limit_cluster_admin" severity="medium">
+            <xccdf-1.2:title>Ensure that the cluster-admin role is only used where required</xccdf-1.2:title>
+            <xccdf-1.2:description>The RBAC role cluster-admin provides wide-ranging powers over the
+environment and should be used only where and when needed.</xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-2.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-7.1.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.5.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">5.1.1</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>Kubernetes provides a set of default roles where RBAC is used. Some of these
+roles such as cluster-admin provide wide-ranging privileges which should
+only be applied where absolutely necessary. Roles such as cluster-admin
+allow super-user access to perform any action on any resource. When used in
+a ClusterRoleBinding, it gives full control over every resource in the
+cluster and in all namespaces. When used in a RoleBinding, it gives full
+control over every resource in the rolebinding's namespace, including the
+namespace itself.</xccdf-1.2:rationale>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-rbac_limit_cluster_admin_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_rbac_limit_secrets_access" severity="medium">
+            <xccdf-1.2:title>Limit Access to Kubernetes Secrets</xccdf-1.2:title>
+            <xccdf-1.2:description>The Kubernetes API stores secrets, which may be service
+account tokens for the Kubernetes API or credentials used
+by workloads in the cluster. Access to these secrets should
+be restricted to the smallest possible group of users to
+reduce the risk of privilege escalation. To restrict users from
+secrets, remove <html:code>get</html:code>, <html:code>list</html:code>, and <html:code>watch</html:code>
+access to unauthorized users to secret objects in the cluster.</xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-2.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">5.1.2</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>Inappropriate access to secrets stored within the Kubernetes
+cluster can allow for an attacker to gain additional access to
+the Kubernetes cluster or external resources whose credentials
+are stored as secrets.</xccdf-1.2:rationale>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-rbac_limit_secrets_access_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_rbac_pod_creation_access" severity="medium">
+            <xccdf-1.2:title>Minimize Access to Pod Creation</xccdf-1.2:title>
+            <xccdf-1.2:description>The ability to create pods in a namespace can provide a
+number of opportunities for privilege escalation. Where
+applicable, remove <html:code>create</html:code> access to <html:code>pod</html:code>
+objects in the cluster.</xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-2.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">5.1.4</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>The ability to create pods in a cluster opens up the cluster
+for privilege escalation.</xccdf-1.2:rationale>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-rbac_pod_creation_access_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_rbac_roles_defined" severity="medium">
+            <xccdf-1.2:title>Ensure roles are defined in the cluster</xccdf-1.2:title>
+            <xccdf-1.2:description>
+              <html:p>
+RBAC is a critical feature in terms of security for Kubernetes and
+OpenShift. It enables administrators to segment the privileges
+granted to a service account, and thus allows us to limit the
+access to resources that they get. By defining roles appropriately
+one is able to codify organizational policy. [1]
+</html:p>
+              <html:p>
+[1] 
+      <html:a href="https://docs.openshift.com/container-platform/latest/authentication/using-rbac.html">https://docs.openshift.com/container-platform/latest/authentication/using-rbac.html</html:a>
+</html:p>
+            </xccdf-1.2:description>
+            <xccdf-1.2:warning category="general">This rule's check operates on the cluster configuration dump.
+Therefore, you need to use a tool that can query the OCP API, retrieve the <html:code class="ocp-api-endpoint">/apis/rbac.authorization.k8s.io/v1/roles?limit=1000</html:code> API endpoint to the local <html:code class="ocp-dump-location"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>/apis/rbac.authorization.k8s.io/v1/roles?limit=1000</html:code> file.</xccdf-1.2:warning>
+            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-7.1.1</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>By defining RBAC roles, one is able to limit the permissions
+given to a Service Account, and thus limit the blast radius
+that an account compromise would have.</xccdf-1.2:rationale>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-86588-1</xccdf-1.2:ident>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-rbac_roles_defined:def:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_rbac_wildcard_use" severity="medium">
+            <xccdf-1.2:title>Minimize Wildcard Usage in Cluster and Local Roles</xccdf-1.2:title>
+            <xccdf-1.2:description>Kubernetes Cluster and Local Roles provide access to resources
+based on sets of objects and actions that can be taken on
+those objects. It is possible to set either of these using a
+wildcard <html:code>*</html:code> which matches all items. This violates the
+principle of least privilege and leaves a cluster in a more
+vulnerable state to privilege abuse.</xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-2.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">5.1.3</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>The principle of least privilege recommends that users are
+provided only the access required for their role and nothing
+more. The use of wildcard rights grants is likely to provide
+excessive rights to the Kubernetes API.</xccdf-1.2:rationale>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-rbac_wildcard_use_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+        </xccdf-1.2:Group>
+        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_registry">
+          <xccdf-1.2:title>Kubernetes - Registry Security Practices</xccdf-1.2:title>
+          <xccdf-1.2:description>Contains evaluations for Kubernetes registry security practices, and cluster-wide registry configuration.</xccdf-1.2:description>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_ocp_allowed_registries" severity="medium">
+            <xccdf-1.2:title>Allowed registries are configured</xccdf-1.2:title>
+            <xccdf-1.2:description>The configuration <html:code>registrySources.allowedRegistries</html:code> determines the
+permitted registries that the OpenShift container runtime can access for builds
+and pods. This configuration setting ensures that all registries other than
+those specified are blocked.
+
+You can set the allowed repositories by applying the following manifest using
+<html:pre>oc patch</html:pre>, e.g. if you save the following snippet to
+<html:pre>/tmp/allowed-registries-patch.yaml</html:pre>
+<html:pre>
+spec:
+  registrySources:
+    allowedRegistries:
+    - my-trusted-registry.internal.example.com
+</html:pre> you would call
+<html:pre>oc patch image.config.openshift.io cluster --patch="$(cat /tmp/allowed-registries-patch.yaml)" --type=merge</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:warning category="general">This rule's check operates on the cluster configuration dump.
+Therefore, you need to use a tool that can query the OCP API, retrieve the <html:code class="ocp-api-endpoint">/apis/config.openshift.io/v1/images/cluster</html:code> API endpoint to the local <html:code class="ocp-dump-location"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>/apis/config.openshift.io/v1/images/cluster</html:code> file.</xccdf-1.2:warning>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-5(3)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(2)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(5)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-11</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000131-CTR-000280</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000131-CTR-000285</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000384-CTR-000915</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>Allowed registries should be configured to restrict the registries that the
+OpenShift container runtime can access, and all other registries should be
+blocked.</xccdf-1.2:rationale>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-ocp_allowed_registries:def:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_ocp_allowed_registries_for_import" severity="medium">
+            <xccdf-1.2:title>Allowed registries for import are configured</xccdf-1.2:title>
+            <xccdf-1.2:description>The configuration <html:code>allowedRegistriesForImport</html:code> limits the container
+image registries from which normal users may import images. This is important
+to control, as a user who can stand up a malicious registry can then import
+content which claims to include the SHAs of legimitate content layers.
+You can set the allowed repositories for import by applying the following
+manifest using <html:pre>oc patch</html:pre>, e.g. if you save the following snippet to
+<html:pre>/tmp/allowed-import-registries-patch.yaml</html:pre>
+<html:pre>
+spec:
+  allowedRegistriesForImport:
+  - domainName: my-trusted-registry.internal.example.com
+    insecure: false
+</html:pre> you would call
+<html:pre>oc patch image.config.openshift.io cluster --patch="$(cat /tmp/allowed-import-registries-patch.yaml)" --type=merge</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:warning category="general">This rule's check operates on the cluster configuration dump.
+Therefore, you need to use a tool that can query the OCP API, retrieve the <html:code class="ocp-api-endpoint">/apis/config.openshift.io/v1/images/cluster</html:code> API endpoint to the local <html:code class="ocp-dump-location"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>/apis/config.openshift.io/v1/images/cluster</html:code> file.</xccdf-1.2:warning>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-5(3)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(2)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(5)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-11</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000131-CTR-000280</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000131-CTR-000285</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000384-CTR-000915</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>Allowed registries for import should be specified to limit the registries 
+from which users may import images.</xccdf-1.2:rationale>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-ocp_allowed_registries_for_import:def:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+        </xccdf-1.2:Group>
+        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_risk-assessment">
+          <xccdf-1.2:title>OpenShift - Risk Assessment Settings</xccdf-1.2:title>
+          <xccdf-1.2:description>Contains evaluations for the cluster's risk assessment configuration settings.</xccdf-1.2:description>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_compliancesuite_exists" severity="medium">
+            <xccdf-1.2:title>Ensure that Compliance Operator is scanning the cluster</xccdf-1.2:title>
+            <xccdf-1.2:description><html:a href="https://docs.openshift.com/container-platform/4.7/security/compliance_operator/compliance-operator-understanding.html#compliance-operator-understanding">The Compliance Operator</html:a>
+scans the hosts and the platform (OCP)
+configurations for software flaws and improper configurations according
+to different compliance benchmarks. It uses OpenSCAP as a backend,
+which is a known and certified tool to do such scans.</xccdf-1.2:description>
+            <xccdf-1.2:warning category="general">This rule's check operates on the cluster configuration dump.
+Therefore, you need to use a tool that can query the OCP API, retrieve the <html:code class="ocp-api-endpoint">/apis/compliance.openshift.io/v1alpha1/compliancesuites?limit=5</html:code> API endpoint to the local <html:code class="ocp-dump-location"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>/apis/compliance.openshift.io/v1alpha1/compliancesuites?limit=5</html:code> file.</xccdf-1.2:warning>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R1.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R4.3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 4.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 4.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R4.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-005-6 R1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-005-6 R1.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-005-6 R1.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R3.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R8.4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">RA-5</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">RA-5(5)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SA-4(8)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-2.2.4</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000414-CTR-001010</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>Vulnerability scanning and risk management are important detective controls
+for all systems, to detect potential flaws and unauthorised access.</xccdf-1.2:rationale>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83697-3</xccdf-1.2:ident>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-compliancesuite_exists:def:1"/>
+            </xccdf-1.2:check>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-compliancesuite_exists_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+        </xccdf-1.2:Group>
+        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_scc">
+          <xccdf-1.2:title>Security Context Constraints (SCC)</xccdf-1.2:title>
+          <xccdf-1.2:description>Similar to the way that RBAC resources control user access,
+administrators can use Security Context Constraints (SCCs)
+to control permissions for pods. These permissions include
+actions that a pod, a collection of containers, can perform
+and what resources it can access. You can use SCCs to define
+a set of conditions that a pod must run with in order to be
+accepted into the system.</xccdf-1.2:description>
+          <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_sccs_with_allowed_capabilities_regex" type="string">
+            <xccdf-1.2:title>Permitted SCCs with allowedCapabilities</xccdf-1.2:title>
+            <xccdf-1.2:description>A regular expression that lists all SCCs that are permitted to set the allowedCapabilities attribute</xccdf-1.2:description>
+            <xccdf-1.2:value>^privileged$|^hostnetwork-v2$|^restricted-v2$|^nonroot-v2$</xccdf-1.2:value>
+          </xccdf-1.2:Value>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_scc_drop_container_capabilities" severity="medium">
+            <xccdf-1.2:title>Drop Container Capabilities</xccdf-1.2:title>
+            <xccdf-1.2:description>Containers should not enable more capabilites than needed as this
+opens the door for malicious use. To disable the
+capabilities, the appropriate Security Context Constraints (SCCs)
+should set all capabilities as <html:code>*</html:code> or a list of capabilities in
+<html:code>requiredDropCapabilities</html:code>.</xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-2.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">5.2.9</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>By default, containers run with a default set of capabilities as assigned
+by the Container Runtime which can include dangerous or highly privileged
+capabilities. Capabilities should be dropped unless absolutely critical for
+the container to run software as added capabilities that are not required
+allow for malicious containers or attackers.</xccdf-1.2:rationale>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-scc_drop_container_capabilities_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_scc_limit_container_allowed_capabilities" severity="medium">
+            <xccdf-1.2:title>Limit Container Capabilities</xccdf-1.2:title>
+            <xccdf-1.2:description>Containers should not enable more capabilites than needed as this
+opens the door for malicious use. To enable only the
+required capabilities, the appropriate Security Context Constraints (SCCs)
+should set capabilities as a list in <html:code>allowedCapabilities</html:code>.</xccdf-1.2:description>
+            <xccdf-1.2:warning category="general">This rule's check operates on the cluster configuration dump.
+Therefore, you need to use a tool that can query the OCP API, retrieve the following:
+<html:ul><html:li><html:code class="ocp-api-endpoint" id="395df9a25b06bd949effbff7e3071c03493e0dd679ee1c7bfcfcb35647e9328c">/apis/security.openshift.io/v1/securitycontextconstraints</html:code>
+    API endpoint, filter with with the <html:code>jq</html:code> utility using the following filter
+    <html:code class="ocp-api-filter" id="filter-395df9a25b06bd949effbff7e3071c03493e0dd679ee1c7bfcfcb35647e9328c">[.items[] | select(.metadata.name | test("{{.var_sccs_with_allowed_capabilities_regex}}"; "") | not)] | map(.allowedCapabilities == null)</html:code>
+    and persist it to the local
+    <html:code class="ocp-dump-location" id="dump-395df9a25b06bd949effbff7e3071c03493e0dd679ee1c7bfcfcb35647e9328c"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>/apis/security.openshift.io/v1/securitycontextconstraints#395df9a25b06bd949effbff7e3071c03493e0dd679ee1c7bfcfcb35647e9328c</html:code>
+    file.
+  </html:li></html:ul></xccdf-1.2:warning>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-2.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">5.2.8</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>By default, containers run with a default set of capabilities as assigned
+by the Container Runtime which can include dangerous or highly privileged
+capabilities. Capabilities should be dropped unless absolutely critical for
+the container to run software as added capabilities that are not required
+allow for malicious containers or attackers.</xccdf-1.2:rationale>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-scc_limit_container_allowed_capabilities:def:1"/>
+            </xccdf-1.2:check>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-scc_limit_container_allowed_capabilities_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_scc_limit_ipc_namespace" severity="medium">
+            <xccdf-1.2:title>Limit Access to the Host IPC Namespace</xccdf-1.2:title>
+            <xccdf-1.2:description>Containers should not be allowed access to the host's Interprocess Commication (IPC)
+namespace. To prevent containers from getting access to a host's
+IPC namespace, the appropriate Security Context Constraints (SCCs)
+should set <html:code>allowHostIPC</html:code> to <html:code>false</html:code>.</xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-2.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">5.2.3</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>A container running in the host's IPC namespace can use IPC
+to interact with processes outside the container potentially
+allowing an attacker to exploit a host process thereby enabling an
+attacker to exploit other services.</xccdf-1.2:rationale>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84042-1</xccdf-1.2:ident>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-scc_limit_ipc_namespace_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_scc_limit_net_raw_capability" severity="medium">
+            <xccdf-1.2:title>Limit Use of the CAP_NET_RAW</xccdf-1.2:title>
+            <xccdf-1.2:description>Containers should not enable more capabilites than needed as this
+opens the door for malicious use. <html:code>CAP_NET_RAW</html:code> enables a container
+to launch a network attack on another container or cluster. To disable the
+<html:code>CAP_NET_RAW</html:code> capability, the appropriate Security Context Constraints (SCCs)
+should set <html:code>NET_RAW</html:code> in <html:code>requiredDropCapabilities</html:code>.</xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-2.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">5.2.7</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>By default, containers run with a default set of capabilities as assigned
+by the Container Runtime which can include dangerous or highly privileged
+capabilities. If the CAP_NET_RAW is enabled, it may be misused
+by malicious containers or attackers.</xccdf-1.2:rationale>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-scc_limit_net_raw_capability_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_scc_limit_network_namespace" severity="medium">
+            <xccdf-1.2:title>Limit Access to the Host Network Namespace</xccdf-1.2:title>
+            <xccdf-1.2:description>Containers should not be allowed access to the host's network
+namespace. To prevent containers from getting access to a host's
+network namespace, the appropriate Security Context Constraints (SCCs)
+should set <html:code>allowHostNetwork</html:code> to <html:code>false</html:code>.</xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-2.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">5.2.4</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>A container running in the host's network namespace could
+access the host network traffic to and from other pods
+potentially allowing an attacker to exploit pods and network
+traffic.</xccdf-1.2:rationale>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83492-9</xccdf-1.2:ident>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-scc_limit_network_namespace_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_scc_limit_privilege_escalation" severity="medium">
+            <xccdf-1.2:title>Limit Containers Ability to Escalate Privileges</xccdf-1.2:title>
+            <xccdf-1.2:description>Containers should be limited to only the privileges required
+to run and should not be allowed to escalate their privileges.
+To prevent containers from escalating privileges,
+the appropriate Security Context Constraints (SCCs)
+should set <html:code>allowPrivilegeEscalation</html:code> to <html:code>false</html:code>.</xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-2.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">5.2.5</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>Privileged containers have access to more of the Linux Kernel
+capabilities and devices. If a privileged container were
+compromised, an attacker would have full access to the container
+and host.</xccdf-1.2:rationale>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83447-3</xccdf-1.2:ident>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-scc_limit_privilege_escalation_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_scc_limit_privileged_containers" severity="medium">
+            <xccdf-1.2:title>Limit Privileged Container Use</xccdf-1.2:title>
+            <xccdf-1.2:description>Containers should be limited to only the privileges required
+to run. To prevent containers from running as privileged containers,
+the appropriate Security Context Constraints (SCCs) should set
+<html:code>allowPrivilegedContainer</html:code> to <html:code>false</html:code>.</xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-2.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">5.2.1</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>Privileged containers have access to all Linux Kernel
+capabilities and devices. If a privileged container were
+compromised, an attacker would have full access to the container
+and host.</xccdf-1.2:rationale>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-scc_limit_privileged_containers_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_scc_limit_process_id_namespace" severity="medium">
+            <xccdf-1.2:title>Limit Access to the Host Process ID Namespace</xccdf-1.2:title>
+            <xccdf-1.2:description>Containers should not be allowed access to the host's process
+ID namespace. To prevent containers from getting access to a host's
+process ID namespace, the appropriate Security Context Constraints (SCCs)
+should set <html:code>allowHostPID</html:code> to <html:code>false</html:code>.</xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-2.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">5.2.2</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>A container running in the host's PID namespace can inspect
+processes running outside the container which can be used to
+escalate privileges outside of the container.</xccdf-1.2:rationale>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-scc_limit_process_id_namespace_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_scc_limit_root_containers" severity="medium">
+            <xccdf-1.2:title>Limit Container Running As Root User</xccdf-1.2:title>
+            <xccdf-1.2:description>Containers should be limited to only the privileges required
+to run and should very rarely be run as root user. To prevent
+containers from running as root user,
+the appropriate Security Context Constraints (SCCs) should set
+<html:code>allowPrivilegedContainer</html:code> to <html:code>false</html:code>.</xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-2.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">5.2.6</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>Privileged containers have access to all Linux Kernel
+capabilities and devices. If a privileged container were
+compromised, an attacker would have full access to the container
+and host.</xccdf-1.2:rationale>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-scc_limit_root_containers_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+        </xccdf-1.2:Group>
+        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_scheduler">
+          <xccdf-1.2:title>OpenShift - Kubernetes - Scheduler Settings</xccdf-1.2:title>
+          <xccdf-1.2:description>Contains evaluations for kube-scheduler configuration settings.</xccdf-1.2:description>
+          <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_scheduler_argument_filter" type="string">
+            <xccdf-1.2:title>Kube scheduler config filter</xccdf-1.2:title>
+            <xccdf-1.2:description>Kube scheduler filter</xccdf-1.2:description>
+            <xccdf-1.2:value>[.data."pod.yaml"]</xccdf-1.2:value>
+          </xccdf-1.2:Value>
+          <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_scheduler_filepath" type="string">
+            <xccdf-1.2:title>Kube scheduler config file path</xccdf-1.2:title>
+            <xccdf-1.2:description>Kube scheduler config file path</xccdf-1.2:description>
+            <xccdf-1.2:value>/api/v1/namespaces/openshift-kube-scheduler/configmaps/kube-scheduler-pod</xccdf-1.2:value>
+          </xccdf-1.2:Value>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_scheduler_no_bind_address" severity="medium">
+            <xccdf-1.2:title>Ensure that the bind-address parameter is not used</xccdf-1.2:title>
+            <xccdf-1.2:description>The Scheduler API service which runs on port 10251/TCP by default is used for
+health and metrics information and is available without authentication or
+encryption. As such it should only be bound to a localhost interface, to
+minimize the cluster's attack surface.</xccdf-1.2:description>
+            <xccdf-1.2:warning category="general">This rule's check operates on the cluster configuration dump.
+Therefore, you need to use a tool that can query the OCP API, retrieve the following:
+<html:ul><html:li><html:code class="ocp-api-endpoint" id="569895645b4f9b87d4e21ab3c6fe4cc03627259826715e5043d5d8889c6c12d3">{{.var_scheduler_filepath}}</html:code>
+    API endpoint, filter with with the <html:code>jq</html:code> utility using the following filter
+    <html:code class="ocp-api-filter" id="filter-569895645b4f9b87d4e21ab3c6fe4cc03627259826715e5043d5d8889c6c12d3">{{.var_scheduler_argument_filter}}</html:code>
+    and persist it to the local
+    <html:code class="ocp-dump-location" id="dump-569895645b4f9b87d4e21ab3c6fe4cc03627259826715e5043d5d8889c6c12d3"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>/api/v1/namespaces/openshift-kube-scheduler/configmaps/kube-scheduler-pod#569895645b4f9b87d4e21ab3c6fe4cc03627259826715e5043d5d8889c6c12d3</html:code>
+    file.
+  </html:li></html:ul></xccdf-1.2:warning>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R4.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-8</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-8(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-2.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.4.2</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>In OpenShift 4, The Kubernetes Scheduler operator manages and updates the
+Kubernetes Scheduler deployed on top of OpenShift. By default, the operator
+exposes metrics via metrics service. The metrics are collected from the
+Kubernetes Scheduler operator. Profiling data is sent to healthzPort,
+the port of the localhost healthz endpoint. Changing this value may disrupt
+components that monitor the kubelet health.</xccdf-1.2:rationale>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83674-2</xccdf-1.2:ident>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-scheduler_no_bind_address:def:1"/>
+            </xccdf-1.2:check>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-scheduler_no_bind_address_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_scheduler_port_is_zero" severity="medium">
+            <xccdf-1.2:title>Ensure that the port parameter is zero</xccdf-1.2:title>
+            <xccdf-1.2:description>The Scheduler API service which runs on port 10251/TCP by default is used for
+health and metrics information and is available without authentication or
+encryption. As such it should only be bound to a localhost interface, to
+minimize the cluster's attack surface.</xccdf-1.2:description>
+            <xccdf-1.2:warning category="general">This rule's check operates on the cluster configuration dump.
+Therefore, you need to use a tool that can query the OCP API, retrieve the following:
+<html:ul><html:li><html:code class="ocp-api-endpoint" id="569895645b4f9b87d4e21ab3c6fe4cc03627259826715e5043d5d8889c6c12d3">{{.var_scheduler_filepath}}</html:code>
+    API endpoint, filter with with the <html:code>jq</html:code> utility using the following filter
+    <html:code class="ocp-api-filter" id="filter-569895645b4f9b87d4e21ab3c6fe4cc03627259826715e5043d5d8889c6c12d3">{{.var_scheduler_argument_filter}}</html:code>
+    and persist it to the local
+    <html:code class="ocp-dump-location" id="dump-569895645b4f9b87d4e21ab3c6fe4cc03627259826715e5043d5d8889c6c12d3"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>/api/v1/namespaces/openshift-kube-scheduler/configmaps/kube-scheduler-pod#569895645b4f9b87d4e21ab3c6fe4cc03627259826715e5043d5d8889c6c12d3</html:code>
+    file.
+  </html:li></html:ul></xccdf-1.2:warning>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">1.4.2</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>In OpenShift 4, The Kubernetes Scheduler operator manages and updates the
+Kubernetes Scheduler deployed on top of OpenShift. By default, the operator
+exposes metrics via metrics service. The metrics are collected from the
+Kubernetes Scheduler operator. Profiling data is sent to healthzPort,
+the port of the localhost healthz endpoint. Changing this value may disrupt
+components that monitor the kubelet health.</xccdf-1.2:rationale>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-scheduler_port_is_zero:def:1"/>
+            </xccdf-1.2:check>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-scheduler_port_is_zero_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+        </xccdf-1.2:Group>
+        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_secrets">
+          <xccdf-1.2:title>Kubernetes Secrets Management</xccdf-1.2:title>
+          <xccdf-1.2:description>Secrets let you store and manage sensitive information,
+such as passwords, OAuth tokens, and ssh keys.
+Such information might otherwise be put in a Pod
+specification or in an image.		</xccdf-1.2:description>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_secrets_consider_external_storage" severity="medium">
+            <xccdf-1.2:title>Consider external secret storage</xccdf-1.2:title>
+            <xccdf-1.2:description>Consider the use of an external secrets storage and management system,
+instead of using Kubernetes Secrets directly, if you have more complex
+secret management needs. Ensure the solution requires authentication to
+access secrets, has auditing of access to and use of secrets, and encrypts
+secrets. Some solutions also make it easier to rotate secrets.</xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-2.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">5.4.2</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>Kubernetes supports secrets as first-class objects, but care needs to be
+taken to ensure that access to secrets is carefully limited. Using an
+external secrets provider can ease the management of access to secrets,
+especially where secrets are used across both Kubernetes and non-Kubernetes
+environments.</xccdf-1.2:rationale>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-secrets_consider_external_storage_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_secrets_no_environment_variables" severity="medium">
+            <xccdf-1.2:title>Do Not Use Environment Variables with Secrets</xccdf-1.2:title>
+            <xccdf-1.2:description>Secrets should be mounted as data volumes instead of environment
+variables.</xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-2.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">5.4.1</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>Environment variables are subject and very susceptible to
+malicious hijacking methods by an adversary, as such,
+environment variables should never be used for secrets.</xccdf-1.2:rationale>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-secrets_no_environment_variables_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+        </xccdf-1.2:Group>
+        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_worker">
+          <xccdf-1.2:title>Kubernetes - Worker Node Settings</xccdf-1.2:title>
+          <xccdf-1.2:description>Contains evaluations for the worker node configuration settings.</xccdf-1.2:description>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_kubelet_conf" severity="medium">
+            <xccdf-1.2:title>Verify Group Who Owns The Kubelet Configuration File</xccdf-1.2:title>
+            <xccdf-1.2:description> To properly set the group owner of <html:code>/etc/kubernetes/kubelet.conf</html:code>, run the command: <html:pre>$ sudo chgrp root /etc/kubernetes/kubelet.conf</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.1.6</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>The kubelet configuration file contains information about the configuration of the
+OpenShift node that is configured on the system. Protection of this file is
+critical for OpenShift security.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-node"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84233-6</xccdf-1.2:ident>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_groupowner_kubelet_conf:def:1"/>
+            </xccdf-1.2:check>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_groupowner_kubelet_conf_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_proxy_kubeconfig" severity="medium">
+            <xccdf-1.2:title>Verify Group Who Owns The Worker Proxy Kubeconfig File</xccdf-1.2:title>
+            <xccdf-1.2:description>To ensure the Kubernetes ConfigMap is mounted into the sdn daemonset pods with the
+correct ownership, make sure that the <html:code>sdn-config</html:code> ConfigMap is mounted using
+a ConfigMap at the <html:code>/config</html:code> mount point and that the <html:code>sdn</html:code> container
+points to that configuration using the <html:code>--proxy-config</html:code> command line option.
+Run:
+<html:pre> oc get -nopenshift-sdn ds sdn -ojson | jq -r '.spec.template.spec.containers[] | select(.name == "sdn")'</html:pre>
+and ensure the <html:code>--proxy-config</html:code> parameter points to 
+<html:code>/config/kube-proxy-config.yaml</html:code> and that the <html:code>config</html:code> mount point is
+mounted from the <html:code>sdn-config</html:code> ConfigMap.</xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-2.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.1.4</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>The kubeconfig file for kube-proxy provides permissions to the kube-proxy service.
+The proxy kubeconfig file contains information about the administrative configuration of the
+OpenShift cluster that is configured on the system. Protection of this file is
+critical for OpenShift security.
+
+The file is provided via a ConfigMap mount, so the kubelet itself makes sure that the
+file permissions are appropriate for the container taking it into use.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-on-sdn"/>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_groupowner_proxy_kubeconfig_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_worker_ca" severity="medium">
+            <xccdf-1.2:title>Verify Group Who Owns the Worker Certificate Authority File</xccdf-1.2:title>
+            <xccdf-1.2:description> To properly set the group owner of <html:code>/etc/kubernetes/kubelet-ca.crt</html:code>, run the command: <html:pre>$ sudo chgrp root /etc/kubernetes/kubelet-ca.crt</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.1.8</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>The worker certificate authority file contains the certificate authority
+certificate for an OpenShift node that is configured on the system. Protection of this file is
+critical for OpenShift security.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-node"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83440-8</xccdf-1.2:ident>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_groupowner_worker_ca:def:1"/>
+            </xccdf-1.2:check>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_groupowner_worker_ca_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_worker_kubeconfig" severity="medium">
+            <xccdf-1.2:title>Verify Group Who Owns The Worker Kubeconfig File</xccdf-1.2:title>
+            <xccdf-1.2:description> To properly set the group owner of <html:code>/var/lib/kubelet/kubeconfig</html:code>, run the command: <html:pre>$ sudo chgrp root /var/lib/kubelet/kubeconfig</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.1.10</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>The worker kubeconfig file contains information about the administrative configuration of the
+OpenShift cluster that is configured on the system. Protection of this file is
+critical for OpenShift security.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-node"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83409-3</xccdf-1.2:ident>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_groupowner_worker_kubeconfig:def:1"/>
+            </xccdf-1.2:check>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_groupowner_worker_kubeconfig_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_worker_service" severity="medium">
+            <xccdf-1.2:title>Verify Group Who Owns The OpenShift Node Service File</xccdf-1.2:title>
+            <xccdf-1.2:description>'
+  To properly set the group owner of <html:code>/etc/systemd/system/kubelet.service</html:code>, run the command:
+  <html:pre>$ sudo chgrp root /etc/systemd/system/kubelet.service</html:pre>'</xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.1.2</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>The <html:code>/etc/systemd/system/kubelet.service</html:code>
+file contains information about the configuration of the
+OpenShift node service that is configured on the system. Protection of this file is
+critical for OpenShift security.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-node"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83975-3</xccdf-1.2:ident>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_groupowner_worker_service:def:1"/>
+            </xccdf-1.2:check>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_groupowner_worker_service_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_kubelet" severity="medium">
+            <xccdf-1.2:title>Verify User Who Owns The Kubelet Configuration File</xccdf-1.2:title>
+            <xccdf-1.2:description> To properly set the owner of <html:code>/var/lib/kubelet/config.json</html:code>, run the command: <html:pre>$ sudo chown root /var/lib/kubelet/config.json </html:pre></xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.1.6</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>The kubelet configuration file contains information about the configuration of the
+OpenShift node that is configured on the system. Protection of this file is
+critical for OpenShift security.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-node"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-85900-9</xccdf-1.2:ident>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_owner_kubelet:def:1"/>
+            </xccdf-1.2:check>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_owner_kubelet_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_kubelet_conf" severity="medium">
+            <xccdf-1.2:title>Verify User Who Owns The Kubelet Configuration File</xccdf-1.2:title>
+            <xccdf-1.2:description> To properly set the owner of <html:code>/etc/kubernetes/kubelet.conf</html:code>, run the command: <html:pre>$ sudo chown root /etc/kubernetes/kubelet.conf </html:pre></xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.1.6</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>The kubelet configuration file contains information about the configuration of the
+OpenShift node that is configured on the system. Protection of this file is
+critical for OpenShift security.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-node"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83976-1</xccdf-1.2:ident>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_owner_kubelet_conf:def:1"/>
+            </xccdf-1.2:check>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_owner_kubelet_conf_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_proxy_kubeconfig" severity="medium">
+            <xccdf-1.2:title>Verify User Who Owns The Worker Proxy Kubeconfig File</xccdf-1.2:title>
+            <xccdf-1.2:description>To ensure the Kubernetes ConfigMap is mounted into the sdn daemonset pods with the
+correct ownership, make sure that the <html:code>sdn-config</html:code> ConfigMap is mounted using
+a ConfigMap at the <html:code>/config</html:code> mount point and that the <html:code>sdn</html:code> container
+points to that configuration using the <html:code>--proxy-config</html:code> command line option.
+Run:
+<html:pre> oc get -nopenshift-sdn ds sdn -ojson | jq -r '.spec.template.spec.containers[] | select(.name == "sdn")'</html:pre>
+and ensure the <html:code>--proxy-config</html:code> parameter points to 
+<html:code>/config/kube-proxy-config.yaml</html:code> and that the <html:code>config</html:code> mount point is
+mounted from the <html:code>sdn-config</html:code> ConfigMap.</xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-2.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.1.4</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>The kubeconfig file for kube-proxy provides permissions to the kube-proxy service.
+The proxy kubeconfig file contains information about the administrative configuration of the
+OpenShift cluster that is configured on the system. Protection of this file is
+critical for OpenShift security.
+
+The file is provided via a ConfigMap mount, so the kubelet itself makes sure that the
+file permissions are appropriate for the container taking it into use.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-on-sdn"/>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_owner_proxy_kubeconfig_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_worker_ca" severity="medium">
+            <xccdf-1.2:title>Verify User Who Owns the Worker Certificate Authority File</xccdf-1.2:title>
+            <xccdf-1.2:description> To properly set the owner of <html:code>/etc/kubernetes/kubelet-ca.crt</html:code>, run the command: <html:pre>$ sudo chown root /etc/kubernetes/kubelet-ca.crt </html:pre></xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.1.8</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>The worker certificate authority file contains the certificate authority
+certificate for an OpenShift node that is configured on the system. Protection of this file is
+critical for OpenShift security.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-node"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83495-2</xccdf-1.2:ident>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_owner_worker_ca:def:1"/>
+            </xccdf-1.2:check>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_owner_worker_ca_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_worker_kubeconfig" severity="medium">
+            <xccdf-1.2:title>Verify User Who Owns The Worker Kubeconfig File</xccdf-1.2:title>
+            <xccdf-1.2:description> To properly set the owner of <html:code>/var/lib/kubelet/kubeconfig</html:code>, run the command: <html:pre>$ sudo chown root /var/lib/kubelet/kubeconfig </html:pre></xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.1.10</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>The worker kubeconfig file contains information about the administrative configuration of the
+OpenShift cluster that is configured on the system. Protection of this file is
+critical for OpenShift security.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-node"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83408-5</xccdf-1.2:ident>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_owner_worker_kubeconfig:def:1"/>
+            </xccdf-1.2:check>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_owner_worker_kubeconfig_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_worker_service" severity="medium">
+            <xccdf-1.2:title>Verify User Who Owns The OpenShift Node Service File</xccdf-1.2:title>
+            <xccdf-1.2:description>'
+  To properly set the owner of <html:code>/etc/systemd/system/kubelet.service</html:code>, run the command:
+  <html:pre>$ sudo chown root /etc/systemd/system/kubelet.service </html:pre>'</xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.1.2</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>The <html:code>/etc/systemd/system/kubelet.service</html:code>
+file contains information about the configuration of the
+OpenShift node service that is configured on the system. Protection of this file is
+critical for OpenShift security.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-node"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84193-2</xccdf-1.2:ident>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_owner_worker_service:def:1"/>
+            </xccdf-1.2:check>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_owner_worker_service_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_kubelet" severity="medium">
+            <xccdf-1.2:title>Verify Permissions on The Kubelet Configuration File</xccdf-1.2:title>
+            <xccdf-1.2:description>
+To properly set the permissions of <html:code>/var/lib/kubelet/config.json</html:code>, run the command:
+<html:pre>$ sudo chmod 0600 /var/lib/kubelet/config.json</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.1.5</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>If the kubelet configuration file is writable by a group-owner or the
+world the risk of its compromise is increased. The file contains the configuration of
+an OpenShift node that is configured on the system. Protection of this file is
+critical for OpenShift security.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-node"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-85896-9</xccdf-1.2:ident>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_permissions_kubelet:def:1"/>
+            </xccdf-1.2:check>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_permissions_kubelet_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_kubelet_conf" severity="medium">
+            <xccdf-1.2:title>Verify Permissions on The Kubelet Configuration File</xccdf-1.2:title>
+            <xccdf-1.2:description>
+To properly set the permissions of <html:code>/etc/kubernetes/kubelet.conf</html:code>, run the command:
+<html:pre>$ sudo chmod 0644 /etc/kubernetes/kubelet.conf</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.1.5</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>If the kubelet configuration file is writable by a group-owner or the
+world the risk of its compromise is increased. The file contains the configuration of
+an OpenShift node that is configured on the system. Protection of this file is
+critical for OpenShift security.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-node"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83470-5</xccdf-1.2:ident>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_permissions_kubelet_conf:def:1"/>
+            </xccdf-1.2:check>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_permissions_kubelet_conf_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_proxy_kubeconfig" severity="medium">
+            <xccdf-1.2:title>Verify Permissions on the Worker Proxy Kubeconfig File</xccdf-1.2:title>
+            <xccdf-1.2:description>To ensure the Kubernetes ConfigMap is mounted into the sdn daemonset pods with the
+correct permissions, make sure that the <html:code>sdn-config</html:code> ConfigMap is mounted using
+restrictive permissions. Check that the <html:code>config</html:code> VolumeMount mounts the
+<html:code>sdn-config</html:code> configMap with permissions set to 420:
+<html:pre>
+{
+"configMap": {
+  "defaultMode": 420,
+  "name": "sdn-config"
+  },
+"name": "config"
+}
+</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:warning category="general">This rule's check operates on the cluster configuration dump.
+Therefore, you need to use a tool that can query the OCP API, retrieve the <html:code class="ocp-api-endpoint">/apis/apps/v1/namespaces/openshift-sdn/daemonsets/sdn</html:code> API endpoint to the local <html:code class="ocp-dump-location"><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_ocp_data_root" use="legacy"/>/apis/apps/v1/namespaces/openshift-sdn/daemonsets/sdn</html:code> file.</xccdf-1.2:warning>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-2.2</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.1.3</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>The kube-proxy kubeconfig file controls various parameters of the kube-proxy
+service in the worker node. If used, you should restrict its file permissions
+to maintain the integrity of the file. The file should be writable by only
+the administrators on the system.
+
+The kube-proxy runs with the kubeconfig parameters configured as
+a Kubernetes ConfigMap instead of a file. In this case, there is no proxy
+kubeconfig file. But appropriate permissions still need to be set in the
+ConfigMap mount.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-on-sdn"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84047-0</xccdf-1.2:ident>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-export export-name="oval:ssg-ocp_data_root:var:1" value-id="xccdf_org.ssgproject.content_value_ocp_data_root"/>
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_permissions_proxy_kubeconfig:def:1"/>
+            </xccdf-1.2:check>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_permissions_proxy_kubeconfig_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_worker_ca" severity="medium">
+            <xccdf-1.2:title>Verify Permissions on the Worker Certificate Authority File</xccdf-1.2:title>
+            <xccdf-1.2:description>
+To properly set the permissions of <html:code>/etc/kubernetes/kubelet-ca.crt</html:code>, run the command:
+<html:pre>$ sudo chmod 0644 /etc/kubernetes/kubelet-ca.crt</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.1.7</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>If the worker certificate authority file is writable by a group-owner or the
+world the risk of its compromise is increased. The file contains the certificate authority
+certificate for an OpenShift node that is configured on the system. Protection of this file is
+critical for OpenShift security.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-node"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83493-7</xccdf-1.2:ident>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_permissions_worker_ca:def:1"/>
+            </xccdf-1.2:check>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_permissions_worker_ca_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_worker_kubeconfig" severity="medium">
+            <xccdf-1.2:title>Verify Permissions on the Worker Kubeconfig File</xccdf-1.2:title>
+            <xccdf-1.2:description>
+To properly set the permissions of <html:code>/var/lib/kubelet/kubeconfig</html:code>, run the command:
+<html:pre>$ sudo chmod 0600 /var/lib/kubelet/kubeconfig</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.1.9</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>If the worker kubeconfig file is writable by a group-owner or the
+world the risk of its compromise is increased. The file contains the administration configuration of the
+OpenShift cluster that is configured on the system. Protection of this file is
+critical for OpenShift security.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-node"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83509-0</xccdf-1.2:ident>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_permissions_worker_kubeconfig:def:1"/>
+            </xccdf-1.2:check>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_permissions_worker_kubeconfig_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_worker_service" severity="medium">
+            <xccdf-1.2:title>Verify Permissions on the OpenShift Node Service File</xccdf-1.2:title>
+            <xccdf-1.2:description>
+To properly set the permissions of <html:code>/etc/systemd/system/kubelet.service</html:code>, run the command:
+<html:pre>$ sudo chmod 0644 /etc/systemd/system/kubelet.service</html:pre></xccdf-1.2:description>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.1</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(1)</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001325</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001330</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=application-servers">SRG-APP-000516-CTR-001335</xccdf-1.2:reference>
+            <xccdf-1.2:reference href="https://www.cisecurity.org/benchmark/kubernetes/">4.1.1</xccdf-1.2:reference>
+            <xccdf-1.2:rationale>If the <html:code>/etc/systemd/system/kubelet.service</html:code>
+file is writable by a group-owner or the
+world the risk of its compromise is increased. The file contains the service configuration of the
+OpenShift node service that is configured on the system. Protection of this file is
+critical for OpenShift security.</xccdf-1.2:rationale>
+            <xccdf-1.2:platform idref="#ocp4-node"/>
+            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83455-6</xccdf-1.2:ident>
+            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-oval.xml" name="oval:ssg-file_permissions_worker_service:def:1"/>
+            </xccdf-1.2:check>
+            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
+              <xccdf-1.2:check-content-ref href="ssg-ocp4-ocil.xml" name="ocil:ssg-file_permissions_worker_service_ocil:questionnaire:1"/>
+            </xccdf-1.2:check>
+          </xccdf-1.2:Rule>
+        </xccdf-1.2:Group>
+      </xccdf-1.2:Group>
+    </xccdf-1.2:Benchmark>
+  </ds:component>
+  <ds:component id="scap_org.open-scap_comp_ssg-ocp4-oval.xml" timestamp="2022-10-19T15:33:05">
+    <oval-def:oval_definitions xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd         http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd         http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd         http://oval.mitre.org/XMLSchema/oval-definitions-5#unix unix-definitions-schema.xsd         http://oval.mitre.org/XMLSchema/oval-definitions-5#linux linux-definitions-schema.xsd">
+      <oval-def:generator>
+        <oval:product_name>combine_ovals.py from SCAP Security Guide</oval:product_name>
+        <oval:product_version>ssg: [0, 1, 65], python: 3.10.4</oval:product_version>
+        <oval:schema_version>5.11</oval:schema_version>
+        <oval:timestamp>2022-10-19T19:32:58</oval:timestamp>
+      </oval-def:generator>
+      <oval-def:definitions>
+        <oval-def:definition class="compliance" id="oval:ssg-api_server_api_priority_flowschema_catch_all:def:1" version="1">
+          <oval-def:metadata>
+            <oval-def:title>Ensure catch-all FlowSchema object for API Priority and Fairness Exists</oval-def:title>
+            <oval-def:affected family="unix">
+              <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
+            </oval-def:affected>
+            <oval-def:description>One of the flowschema versions should exist, but it doesn't matter which</oval-def:description>
+            <oval-def:reference ref_id="CCE-85891-0" source="CCE"/>
+            <oval-def:reference ref_id="api_server_api_priority_flowschema_catch_all" source="ssg"/>
+          </oval-def:metadata>
+          <oval-def:criteria operator="OR">
+            <oval-def:extend_definition comment="flowschema v1alpha1" definition_ref="oval:ssg-api_server_api_priority_v1alpha1_flowschema_catch_all:def:1"/>
+            <oval-def:extend_definition comment="flowschema v1beta1" definition_ref="oval:ssg-api_server_api_priority_v1beta1_flowschema_catch_all:def:1"/>
+            <oval-def:extend_definition comment="flowschema v1beta2" definition_ref="oval:ssg-api_server_api_priority_v1beta2_flowschema_catch_all:def:1"/>
+          </oval-def:criteria>
+        </oval-def:definition>
+        <oval-def:definition class="compliance" id="oval:ssg-oauth_or_oauthclient_inactivity_timeout:def:1" version="1">
+          <oval-def:metadata>
+            <oval-def:title>Configure OAuth tokens to expire after a set period of inactivity</oval-def:title>
+            <oval-def:affected family="unix">
+              <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
+            </oval-def:affected>
+            <oval-def:description>The inactivity timeout must be specified either per client or globally</oval-def:description>
+            <oval-def:reference ref_id="CCE-83702-1" source="CCE"/>
+            <oval-def:reference ref_id="oauth_or_oauthclient_inactivity_timeout" source="ssg"/>
+          </oval-def:metadata>
+          <oval-def:criteria operator="OR">
+            <oval-def:extend_definition comment="global inactivity timeout" definition_ref="oval:ssg-oauth_inactivity_timeout:def:1"/>
+            <oval-def:extend_definition comment="per client inactivity timeout" definition_ref="oval:ssg-oauthclient_inactivity_timeout:def:1"/>
+          </oval-def:criteria>
+        </oval-def:definition>
+        <oval-def:definition class="compliance" id="oval:ssg-oauth_or_oauthclient_token_maxage:def:1" version="1">
+          <oval-def:metadata>
+            <oval-def:title>Configure OAuth tokens to expire after a set period of inactivity</oval-def:title>
+            <oval-def:affected family="unix">
+              <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
+            </oval-def:affected>
+            <oval-def:description>The tokan max age must be specified either per client or globally</oval-def:description>
+            <oval-def:reference ref_id="CCE-84162-7" source="CCE"/>
+            <oval-def:reference ref_id="oauth_or_oauthclient_token_maxage" source="ssg"/>
+          </oval-def:metadata>
+          <oval-def:criteria operator="OR">
+            <oval-def:extend_definition comment="global token max age" definition_ref="oval:ssg-oauth_token_maxage:def:1"/>
+            <oval-def:extend_definition comment="per client token max age" definition_ref="oval:ssg-oauthclient_token_maxage:def:1"/>
+          </oval-def:criteria>
+        </oval-def:definition>
+        <oval-def:definition class="compliance" id="oval:ssg-etcd_unique_ca:def:1" version="1">
+          <oval-def:metadata>
+            <oval-def:title>Configure A Unique CA Certificate for etcd</oval-def:title>
+            <oval-def:affected family="unix">
+              <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
+            </oval-def:affected>
+            <oval-def:description>The etcd CA should be different from the Kubernetes CA.</oval-def:description>
+            <oval-def:reference ref_id="etcd_unique_ca" source="ssg"/>
+          </oval-def:metadata>
+          <oval-def:criteria>
+            <oval-def:criterion test_ref="oval:ssg-test_etcd_different_ca_than_k8s:tst:1" comment="Check that etcd uses a different CA than Kubernetes."/>
+          </oval-def:criteria>
+        </oval-def:definition>
+        <oval-def:definition class="compliance" id="oval:ssg-banner_or_login_template_set:def:1" version="1">
+          <oval-def:metadata>
+            <oval-def:title>Ensure that a OpenShift OAuth login template or a classification banner is set</oval-def:title>
+            <oval-def:affected family="unix">
+              <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
+            </oval-def:affected>
+            <oval-def:description>A Legal notice must be displayed by some means.</oval-def:description>
+            <oval-def:reference ref_id="CCE-84195-7" source="CCE"/>
+            <oval-def:reference ref_id="banner_or_login_template_set" source="ssg"/>
+          </oval-def:metadata>
+          <oval-def:criteria operator="OR">
+            <oval-def:extend_definition comment="classification banner" definition_ref="oval:ssg-classification_banner:def:1"/>
+            <oval-def:extend_definition comment="custom login page" definition_ref="oval:ssg-oauth_login_template_set:def:1"/>
+          </oval-def:criteria>
+        </oval-def:definition>
+        <oval-def:definition class="compliance" id="oval:ssg-resource_requests_quota:def:1" version="1">
+          <oval-def:metadata>
+            <oval-def:title>Ensure workloads use resource requests and limits</oval-def:title>
+            <oval-def:affected family="unix">
+              <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
+            </oval-def:affected>
+            <oval-def:description>The sysctl parameter needs to be set before enabling kernel protection</oval-def:description>
+            <oval-def:reference ref_id="CCE-90588-5" source="CCE"/>
+            <oval-def:reference ref_id="resource_requests_quota" source="ssg"/>
+          </oval-def:metadata>
+          <oval-def:criteria operator="OR">
+            <oval-def:extend_definition comment="cluster quotas enabled" definition_ref="oval:ssg-resource_requests_quota_cluster:def:1"/>
+            <oval-def:extend_definition comment="resource quota per project" definition_ref="oval:ssg-resource_requests_quota_per_project:def:1"/>
+          </oval-def:criteria>
+        </oval-def:definition>
+        <oval-def:definition class="compliance" id="oval:ssg-resource_requests_quota_per_project:def:1" version="1">
+          <oval-def:metadata>
+            <oval-def:title>Ensure workloads use resource requests and limits per namespace</oval-def:title>
+            <oval-def:affected family="unix">
+              <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
+            </oval-def:affected>
+            <oval-def:description>Ensure that application Namespaces have Network Policies defined</oval-def:description>
+            <oval-def:reference ref_id="CCE-90582-8" source="CCE"/>
+            <oval-def:reference ref_id="resource_requests_quota_per_project" source="ssg"/>
+          </oval-def:metadata>
+          <oval-def:criteria>
+            <oval-def:criterion comment="Make sure that the file '/api/v1/resourcequotas#2e6fd6a1fa7945ee6d06434fd05e4c27822d577045b3d3a4ca5809580cd57f50 exists." test_ref="oval:ssg-test_file_for_resource_requests_quota_per_project:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces#34d4beecc95c65d815d9d48fd4fdcb0c521631852ad088ef74e36d012b0e1e0d' exists." test_ref="oval:ssg-test_file_for_resource_requests_quotas_filtered_namespaces:tst:1"/>
+            <oval-def:criterion comment="Make sure that all target elements exists " test_ref="oval:ssg-test_elements_count_for_resource_requests_quota_per_project:tst:1"/>
+          </oval-def:criteria>
+        </oval-def:definition>
+        <oval-def:definition class="compliance" id="oval:ssg-machine_volume_encrypted:def:1" version="1">
+          <oval-def:metadata>
+            <oval-def:title>Ensure that full disk encryption is configured on cluster nodes</oval-def:title>
+            <oval-def:affected family="unix">
+              <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
+            </oval-def:affected>
+            <oval-def:description>Full disk encryption should be enabled, either through the cloud provider or using FIPS</oval-def:description>
+            <oval-def:reference ref_id="CCE-85858-9" source="CCE"/>
+            <oval-def:reference ref_id="machine_volume_encrypted" source="ssg"/>
+          </oval-def:metadata>
+          <oval-def:criteria operator="OR">
+            <oval-def:extend_definition comment="Azure disk encryption enabled" definition_ref="oval:ssg-azure_disk_encryption_enabled:def:1"/>
+            <oval-def:extend_definition comment="GCP disk encryption enabled" definition_ref="oval:ssg-gcp_disk_encryption_enabled:def:1"/>
+            <oval-def:extend_definition comment="ebs encryption enabled" definition_ref="oval:ssg-ebs_encryption_enabled_on_machinesets:def:1"/>
+            <oval-def:criteria operator="AND">
+              <oval-def:extend_definition comment="fips mode enabled" definition_ref="oval:ssg-fips_mode_enabled_on_all_nodes:def:1"/>
+              <oval-def:extend_definition comment="luks encryption enabled" definition_ref="oval:ssg-luks_enabled_on_all_nodes:def:1"/>
+            </oval-def:criteria>
+          </oval-def:criteria>
+        </oval-def:definition>
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_enable_protect_kernel_sysctl:def:1" version="1">
+          <oval-def:metadata>
+            <oval-def:title>kubelet - Set Up Sysctl to Enable Protect Kernel Defaults</oval-def:title>
+            <oval-def:affected family="unix">
+              <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
+            </oval-def:affected>
+            <oval-def:description>The sysctl parameter needs to be set before enabling kernel protection</oval-def:description>
+            <oval-def:reference ref_id="kubelet_enable_protect_kernel_sysctl" source="ssg"/>
+          </oval-def:metadata>
+          <oval-def:criteria operator="AND">
+            <oval-def:extend_definition comment="sysctl file exist" definition_ref="oval:ssg-kubelet_enable_protect_kernel_sysctl_file_exist:def:1"/>
+            <oval-def:extend_definition comment="sysctl kernel_panic" definition_ref="oval:ssg-kubelet_enable_protect_kernel_sysctl_kernel_panic:def:1"/>
+            <oval-def:extend_definition comment="sysctl kernel_panic_on_oops" definition_ref="oval:ssg-kubelet_enable_protect_kernel_sysctl_kernel_panic_on_oops:def:1"/>
+            <oval-def:extend_definition comment="sysctl kernel_keys_root_maxbytes" definition_ref="oval:ssg-kubelet_enable_protect_kernel_sysctl_kernel_keys_root_maxbytes:def:1"/>
+            <oval-def:extend_definition comment="sysctl kernel_keys_root_maxkeys" definition_ref="oval:ssg-kubelet_enable_protect_kernel_sysctl_kernel_keys_root_maxkeys:def:1"/>
+            <oval-def:extend_definition comment="sysctl vm_overcommit_memory" definition_ref="oval:ssg-kubelet_enable_protect_kernel_sysctl_vm_overcommit_memory:def:1"/>
+            <oval-def:extend_definition comment="sysctl vm_panic_on_oom" definition_ref="oval:ssg-kubelet_enable_protect_kernel_sysctl_vm_panic_on_oom:def:1"/>
+          </oval-def:criteria>
+        </oval-def:definition>
+        <oval-def:definition class="compliance" id="oval:ssg-directory_access_var_log_kube_audit:def:1" version="1">
+          <oval-def:metadata>
+            <oval-def:title>Record Access Events to Kubernetes Audit Log Directory</oval-def:title>
+            <oval-def:affected family="unix">
+              <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
+            </oval-def:affected>
+            <oval-def:description>Audit rules about the read events to /var/log/kube-apiserver</oval-def:description>
+            <oval-def:reference ref_id="CCE-83640-3" source="CCE"/>
+            <oval-def:reference ref_id="directory_access_var_log_kube_audit" source="ssg"/>
+          </oval-def:metadata>
+          <oval-def:criteria operator="OR">
+            <oval-def:criteria operator="AND">
+              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
+              <oval-def:criterion comment="audit rule to record read access events to /var/log/kube-apiserver" test_ref="oval:ssg-test_directory_acccess_var_log_kube_audit_augenrules:tst:1"/>
+            </oval-def:criteria>
+            <oval-def:criteria operator="AND">
+              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
+              <oval-def:criterion comment="audit rule to record read access events to /var/log/kube-apiserver" test_ref="oval:ssg-test_directory_acccess_var_log_kube_audit_auditctl:tst:1"/>
+            </oval-def:criteria>
+          </oval-def:criteria>
+        </oval-def:definition>
+        <oval-def:definition class="compliance" id="oval:ssg-directory_access_var_log_oauth_audit:def:1" version="1">
+          <oval-def:metadata>
+            <oval-def:title>Record Access Events to OAuth Audit Log Directory</oval-def:title>
+            <oval-def:affected family="unix">
+              <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
+            </oval-def:affected>
+            <oval-def:description>Audit rules about the read events to /var/log/oauth-apiserver</oval-def:description>
+            <oval-def:reference ref_id="CCE-90631-3" source="CCE"/>
+            <oval-def:reference ref_id="directory_access_var_log_oauth_audit" source="ssg"/>
+          </oval-def:metadata>
+          <oval-def:criteria operator="OR">
+            <oval-def:criteria operator="AND">
+              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
+              <oval-def:criterion comment="audit rule to record read access events to /var/log/oauth-apiserver" test_ref="oval:ssg-test_directory_acccess_var_log_oauth_audit_augenrules:tst:1"/>
+            </oval-def:criteria>
+            <oval-def:criteria operator="AND">
+              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
+              <oval-def:criterion comment="audit rule to record read access events to /var/log/oauth-apiserver" test_ref="oval:ssg-test_directory_acccess_var_log_oauth_audit_auditctl:tst:1"/>
+            </oval-def:criteria>
+          </oval-def:criteria>
+        </oval-def:definition>
+        <oval-def:definition class="compliance" id="oval:ssg-directory_access_var_log_ocp_audit:def:1" version="1">
+          <oval-def:metadata>
+            <oval-def:title>Record Access Events to OpenShift Audit Log Directory</oval-def:title>
+            <oval-def:affected family="unix">
+              <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
+            </oval-def:affected>
+            <oval-def:description>Audit rules about the read events to /var/log/openshift-apiserver</oval-def:description>
+            <oval-def:reference ref_id="CCE-90632-1" source="CCE"/>
+            <oval-def:reference ref_id="directory_access_var_log_ocp_audit" source="ssg"/>
+          </oval-def:metadata>
+          <oval-def:criteria operator="OR">
+            <oval-def:criteria operator="AND">
+              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
+              <oval-def:criterion comment="audit rule to record read access events to /var/log/openshift-apiserver" test_ref="oval:ssg-test_directory_acccess_var_log_ocp_audit_augenrules:tst:1"/>
+            </oval-def:criteria>
+            <oval-def:criteria operator="AND">
+              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
+              <oval-def:criterion comment="audit rule to record read access events to /var/log/openshift-apiserver" test_ref="oval:ssg-test_directory_acccess_var_log_ocp_audit_auditctl:tst:1"/>
+            </oval-def:criteria>
+          </oval-def:criteria>
+        </oval-def:definition>
+        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_ovs_conf_db:def:1" version="1">
+          <oval-def:metadata>
+            <oval-def:title>Verify Group Who Owns The Open vSwitch Configuration Database</oval-def:title>
+            <oval-def:affected family="unix">
+              <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
+            </oval-def:affected>
+            <oval-def:description>One of the permission checks must pass</oval-def:description>
+            <oval-def:reference ref_id="CCE-88281-1" source="CCE"/>
+            <oval-def:reference ref_id="file_groupowner_ovs_conf_db" source="ssg"/>
+          </oval-def:metadata>
+          <oval-def:criteria operator="OR">
+            <oval-def:extend_definition comment="ovs conf db outside s390x" definition_ref="oval:ssg-file_groupowner_ovs_conf_db_not_s390x:def:1"/>
+            <oval-def:extend_definition comment="ovs conf db on s390x" definition_ref="oval:ssg-file_groupowner_ovs_conf_db_s390x:def:1"/>
+          </oval-def:criteria>
+        </oval-def:definition>
+        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_ovs_conf_db_lock:def:1" version="1">
+          <oval-def:metadata>
+            <oval-def:title>Verify Group Who Owns The Open vSwitch Configuration Database Lock</oval-def:title>
+            <oval-def:affected family="unix">
+              <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
+            </oval-def:affected>
+            <oval-def:description>One of the permission checks must pass</oval-def:description>
+            <oval-def:reference ref_id="CCE-90793-1" source="CCE"/>
+            <oval-def:reference ref_id="file_groupowner_ovs_conf_db_lock" source="ssg"/>
+          </oval-def:metadata>
+          <oval-def:criteria operator="OR">
+            <oval-def:extend_definition comment="ovs conf db lock outside s390x" definition_ref="oval:ssg-file_groupowner_ovs_conf_db_lock_not_s390x:def:1"/>
+            <oval-def:extend_definition comment="ovs conf db lock on s390x" definition_ref="oval:ssg-file_groupowner_ovs_conf_db_lock_s390x:def:1"/>
+          </oval-def:criteria>
+        </oval-def:definition>
+        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_ovs_pid:def:1" version="1">
+          <oval-def:metadata>
+            <oval-def:title>Verify Group Who Owns The Open vSwitch Process ID File</oval-def:title>
+            <oval-def:affected family="unix">
+              <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
+            </oval-def:affected>
+            <oval-def:description>This test makes sure that /run/openvswitch/ovs-vswitchd.pid is group owned by 800 or 801.</oval-def:description>
+            <oval-def:reference ref_id="CCE-83630-4" source="CCE"/>
+            <oval-def:reference ref_id="file_groupowner_ovs_pid" source="ssg"/>
+          </oval-def:metadata>
+          <oval-def:criteria operator="OR">
+            <oval-def:criterion comment="Check file group ownership of /run/openvswitch/ovs-vswitchd.pid belongs to group 800" test_ref="oval:ssg-test_file_groupowner_run_ovs_vswitchd_pid_800:tst:1"/>
+            <oval-def:criterion comment="Check file group ownership of /run/openvswitch/ovs-vswitchd.pid belongs to group 801" test_ref="oval:ssg-test_file_groupowner_run_ovs_vswitchd_pid_801:tst:1"/>
+          </oval-def:criteria>
+        </oval-def:definition>
+        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_ovs_sys_id_conf:def:1" version="1">
+          <oval-def:metadata>
+            <oval-def:title>Verify Group Who Owns The Open vSwitch Persistent System ID</oval-def:title>
+            <oval-def:affected family="unix">
+              <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
+            </oval-def:affected>
+            <oval-def:description>One of the permission checks must pass</oval-def:description>
+            <oval-def:reference ref_id="CCE-85892-8" source="CCE"/>
+            <oval-def:reference ref_id="file_groupowner_ovs_sys_id_conf" source="ssg"/>
+          </oval-def:metadata>
+          <oval-def:criteria operator="OR">
+            <oval-def:extend_definition comment="ovs conf db outside s390x" definition_ref="oval:ssg-file_groupowner_ovs_sys_id_conf_not_s390x:def:1"/>
+            <oval-def:extend_definition comment="ovs conf db on s390x" definition_ref="oval:ssg-file_groupowner_ovs_sys_id_conf_s390x:def:1"/>
+          </oval-def:criteria>
+        </oval-def:definition>
+        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_ovs_vswitchd_pid:def:1" version="1">
+          <oval-def:metadata>
+            <oval-def:title>Verify Group Who Owns The Open vSwitch Daemon PID File</oval-def:title>
+            <oval-def:affected family="unix">
+              <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
+            </oval-def:affected>
+            <oval-def:description>This test makes sure that /var/run/openvswitch/ovs-vswitchd.pid is group owned by 800 or 801.</oval-def:description>
+            <oval-def:reference ref_id="CCE-84129-6" source="CCE"/>
+            <oval-def:reference ref_id="file_groupowner_ovs_vswitchd_pid" source="ssg"/>
+          </oval-def:metadata>
+          <oval-def:criteria operator="OR">
+            <oval-def:criterion comment="Check file group ownership of /var/run/openvswitch/ovs-vswitchd.pid belongs to group 800" test_ref="oval:ssg-test_file_groupowner_var_run_ovs_vswitchd_pid_800:tst:1"/>
+            <oval-def:criterion comment="Check file group ownership of /var/run/openvswitch/ovs-vswitchd.pid belongs to group 801" test_ref="oval:ssg-test_file_groupowner_var_run_ovs_vswitchd_pid_801:tst:1"/>
+          </oval-def:criteria>
+        </oval-def:definition>
+        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_ovsdb_server_pid:def:1" version="1">
+          <oval-def:metadata>
+            <oval-def:title>Verify Group Who Owns The Open vSwitch Database Server PID</oval-def:title>
+            <oval-def:affected family="unix">
+              <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
+            </oval-def:affected>
+            <oval-def:description>This test makes sure that /run/openvswitch/ovsdb-server.pid is group owned by 800 or 801.</oval-def:description>
+            <oval-def:reference ref_id="CCE-84166-8" source="CCE"/>
+            <oval-def:reference ref_id="file_groupowner_ovsdb_server_pid" source="ssg"/>
+          </oval-def:metadata>
+          <oval-def:criteria operator="OR">
+            <oval-def:criterion comment="Check file group ownership of /run/openvswitch/ovsdb-server.pid belongs to group 800" test_ref="oval:ssg-test_file_groupowner_ovsdb_server_pid_800:tst:1"/>
+            <oval-def:criterion comment="Check file group ownership of /run/openvswitch/ovsdb-server.pid belongs to group 801" test_ref="oval:ssg-test_file_groupowner_ovsdb_server_pid_801:tst:1"/>
+          </oval-def:criteria>
+        </oval-def:definition>
+        <oval-def:definition class="compliance" id="oval:ssg-configure_network_policies_namespaces:def:1" version="1">
+          <oval-def:metadata>
+            <oval-def:title>Ensure that application Namespaces have Network Policies defined.</oval-def:title>
+            <oval-def:affected family="unix">
+              <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
+            </oval-def:affected>
+            <oval-def:description>Ensure that application Namespaces have Network Policies defined</oval-def:description>
+            <oval-def:reference ref_id="configure_network_policies_namespaces" source="ssg"/>
+          </oval-def:metadata>
+          <oval-def:criteria>
+            <oval-def:criterion comment="Make sure that the file '/apis/networking.k8s.io/v1/networkpolicies#51742b3e87275db9eb7fc6c0286a9e536178a2a83e3670b615ceaf545e7fd300 exists." test_ref="oval:ssg-test_file_for_configure_network_policies_namespaces:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces#34d4beecc95c65d815d9d48fd4fdcb0c521631852ad088ef74e36d012b0e1e0d' exists." test_ref="oval:ssg-test_file_for_configure_network_policies_filtered_namespaces:tst:1"/>
+            <oval-def:criterion comment="Make sure that all target elements exists for elements at path '.items[:].spec.host'" test_ref="oval:ssg-test_elements_count_for_configure_network_policies_namespaces:tst:1"/>
+          </oval-def:criteria>
+        </oval-def:definition>
+        <oval-def:definition class="compliance" id="oval:ssg-api_server_admission_control_plugin_AlwaysAdmit:def:1" version="1">
+          <oval-def:metadata>
+            <oval-def:title>Disable the AlwaysAdmit Admission Control Plugin</oval-def:title>
+            <oval-def:affected family="unix">
+              <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
+            </oval-def:affected>
+            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#ffe65d9fac11909686e59349c6a0111aaf57caa26bd2db3e7dcb1a0a22899145' at path '.apiServerArguments["enable-admission-plugins"][:]' all: value equals '^AlwaysAdmit$'</oval-def:description>
+            <oval-def:reference ref_id="CCE-84148-6" source="CCE"/>
+            <oval-def:reference ref_id="api_server_admission_control_plugin_AlwaysAdmit" source="ssg"/>
+          </oval-def:metadata>
+          <oval-def:criteria>
+            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#ffe65d9fac11909686e59349c6a0111aaf57caa26bd2db3e7dcb1a0a22899145' at path '.apiServerArguments[&quot;enable-admission-plugins&quot;][:]' all" test_ref="oval:ssg-test_api_server_admission_control_plugin_AlwaysAdmit:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#ffe65d9fac11909686e59349c6a0111aaf57caa26bd2db3e7dcb1a0a22899145' exists." test_ref="oval:ssg-test_file_for_api_server_admission_control_plugin_AlwaysAdmit:tst:1"/>
+          </oval-def:criteria>
+        </oval-def:definition>
+        <oval-def:definition class="compliance" id="oval:ssg-api_server_admission_control_plugin_AlwaysPullImages:def:1" version="1">
+          <oval-def:metadata>
+            <oval-def:title>Ensure that the Admission Control Plugin AlwaysPullImages is not set</oval-def:title>
+            <oval-def:affected family="unix">
+              <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
+            </oval-def:affected>
+            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#ffe65d9fac11909686e59349c6a0111aaf57caa26bd2db3e7dcb1a0a22899145' at path '.apiServerArguments["enable-admission-plugins"][:]' all: value equals '^AlwaysPullImages$'</oval-def:description>
+            <oval-def:reference ref_id="api_server_admission_control_plugin_AlwaysPullImages" source="ssg"/>
+          </oval-def:metadata>
+          <oval-def:criteria>
+            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#ffe65d9fac11909686e59349c6a0111aaf57caa26bd2db3e7dcb1a0a22899145' at path '.apiServerArguments[&quot;enable-admission-plugins&quot;][:]' all" test_ref="oval:ssg-test_api_server_admission_control_plugin_AlwaysPullImages:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#ffe65d9fac11909686e59349c6a0111aaf57caa26bd2db3e7dcb1a0a22899145' exists." test_ref="oval:ssg-test_file_for_api_server_admission_control_plugin_AlwaysPullImages:tst:1"/>
+          </oval-def:criteria>
+        </oval-def:definition>
+        <oval-def:definition class="compliance" id="oval:ssg-api_server_admission_control_plugin_NamespaceLifecycle:def:1" version="1">
+          <oval-def:metadata>
+            <oval-def:title>Enable the NamespaceLifecycle Admission Control Plugin</oval-def:title>
+            <oval-def:affected family="unix">
+              <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
+            </oval-def:affected>
+            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments["enable-admission-plugins"][:]' at least one: value equals '^NamespaceLifecycle$'</oval-def:description>
+            <oval-def:reference ref_id="CCE-83854-0" source="CCE"/>
+            <oval-def:reference ref_id="api_server_admission_control_plugin_NamespaceLifecycle" source="ssg"/>
+          </oval-def:metadata>
+          <oval-def:criteria>
+            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments[&quot;enable-admission-plugins&quot;][:]' at least one" test_ref="oval:ssg-test_api_server_admission_control_plugin_NamespaceLifecycle:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' exists." test_ref="oval:ssg-test_file_for_api_server_admission_control_plugin_NamespaceLifecycle:tst:1"/>
+          </oval-def:criteria>
+        </oval-def:definition>
+        <oval-def:definition class="compliance" id="oval:ssg-api_server_admission_control_plugin_NodeRestriction:def:1" version="1">
+          <oval-def:metadata>
+            <oval-def:title>Enable the NodeRestriction Admission Control Plugin</oval-def:title>
+            <oval-def:affected family="unix">
+              <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
+            </oval-def:affected>
+            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments["enable-admission-plugins"][:]' at least one: value equals '^NodeRestriction$'</oval-def:description>
+            <oval-def:reference ref_id="CCE-83753-4" source="CCE"/>
+            <oval-def:reference ref_id="api_server_admission_control_plugin_NodeRestriction" source="ssg"/>
+          </oval-def:metadata>
+          <oval-def:criteria>
+            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments[&quot;enable-admission-plugins&quot;][:]' at least one" test_ref="oval:ssg-test_api_server_admission_control_plugin_NodeRestriction:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' exists." test_ref="oval:ssg-test_file_for_api_server_admission_control_plugin_NodeRestriction:tst:1"/>
+          </oval-def:criteria>
+        </oval-def:definition>
+        <oval-def:definition class="compliance" id="oval:ssg-api_server_admission_control_plugin_Scc:def:1" version="1">
+          <oval-def:metadata>
+            <oval-def:title>Enable the SecurityContextConstraint Admission Control Plugin</oval-def:title>
+            <oval-def:affected family="unix">
+              <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
+            </oval-def:affected>
+            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments["enable-admission-plugins"][:]' at least one: value equals '^security.openshift.io/SecurityContextConstraint$'</oval-def:description>
+            <oval-def:reference ref_id="CCE-83602-3" source="CCE"/>
+            <oval-def:reference ref_id="api_server_admission_control_plugin_Scc" source="ssg"/>
+          </oval-def:metadata>
+          <oval-def:criteria>
+            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments[&quot;enable-admission-plugins&quot;][:]' at least one" test_ref="oval:ssg-test_api_server_admission_control_plugin_Scc:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' exists." test_ref="oval:ssg-test_file_for_api_server_admission_control_plugin_Scc:tst:1"/>
+          </oval-def:criteria>
+        </oval-def:definition>
+        <oval-def:definition class="compliance" id="oval:ssg-api_server_admission_control_plugin_SecurityContextDeny:def:1" version="1">
+          <oval-def:metadata>
+            <oval-def:title>Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used</oval-def:title>
+            <oval-def:affected family="unix">
+              <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
+            </oval-def:affected>
+            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#ffe65d9fac11909686e59349c6a0111aaf57caa26bd2db3e7dcb1a0a22899145' at path '.apiServerArguments["enable-admission-plugins"][:]' all: value equals '^SecurityContextDeny$'</oval-def:description>
+            <oval-def:reference ref_id="CCE-83586-8" source="CCE"/>
+            <oval-def:reference ref_id="api_server_admission_control_plugin_SecurityContextDeny" source="ssg"/>
+          </oval-def:metadata>
+          <oval-def:criteria>
+            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#ffe65d9fac11909686e59349c6a0111aaf57caa26bd2db3e7dcb1a0a22899145' at path '.apiServerArguments[&quot;enable-admission-plugins&quot;][:]' all" test_ref="oval:ssg-test_api_server_admission_control_plugin_SecurityContextDeny:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#ffe65d9fac11909686e59349c6a0111aaf57caa26bd2db3e7dcb1a0a22899145' exists." test_ref="oval:ssg-test_file_for_api_server_admission_control_plugin_SecurityContextDeny:tst:1"/>
+          </oval-def:criteria>
+        </oval-def:definition>
+        <oval-def:definition class="compliance" id="oval:ssg-api_server_admission_control_plugin_ServiceAccount:def:1" version="1">
+          <oval-def:metadata>
+            <oval-def:title>Enable the ServiceAccount Admission Control Plugin</oval-def:title>
+            <oval-def:affected family="unix">
+              <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
+            </oval-def:affected>
+            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments["enable-admission-plugins"][:]' at least one: value equals '^ServiceAccount$'</oval-def:description>
+            <oval-def:reference ref_id="CCE-83791-4" source="CCE"/>
+            <oval-def:reference ref_id="api_server_admission_control_plugin_ServiceAccount" source="ssg"/>
+          </oval-def:metadata>
+          <oval-def:criteria>
+            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments[&quot;enable-admission-plugins&quot;][:]' at least one" test_ref="oval:ssg-test_api_server_admission_control_plugin_ServiceAccount:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' exists." test_ref="oval:ssg-test_file_for_api_server_admission_control_plugin_ServiceAccount:tst:1"/>
+          </oval-def:criteria>
+        </oval-def:definition>
+        <oval-def:definition class="compliance" id="oval:ssg-api_server_anonymous_auth:def:1" version="1">
+          <oval-def:metadata>
+            <oval-def:title>Ensure that anonymous requests to the API Server are authorized</oval-def:title>
+            <oval-def:affected family="unix">
+              <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
+            </oval-def:affected>
+            <oval-def:description>In the YAML/JSON file '/apis/rbac.authorization.k8s.io/v1/clusterrolebindings' at path '.items[:]['subjects'][:].name' at least one: value equals 'system:unauthenticated'</oval-def:description>
+            <oval-def:reference ref_id="api_server_anonymous_auth" source="ssg"/>
+          </oval-def:metadata>
+          <oval-def:criteria>
+            <oval-def:criterion comment="In the YAML/JSON file '/apis/rbac.authorization.k8s.io/v1/clusterrolebindings' at path '.items[:]['subjects'][:].name' at least one" test_ref="oval:ssg-test_api_server_anonymous_auth:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/apis/rbac.authorization.k8s.io/v1/clusterrolebindings' exists." test_ref="oval:ssg-test_file_for_api_server_anonymous_auth:tst:1"/>
+          </oval-def:criteria>
+        </oval-def:definition>
+        <oval-def:definition class="compliance" id="oval:ssg-api_server_api_priority_gate_enabled:def:1" version="1">
+          <oval-def:metadata>
+            <oval-def:title>Enable the APIPriorityAndFairness feature gate</oval-def:title>
+            <oval-def:affected family="unix">
+              <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
+            </oval-def:affected>
+            <oval-def:description>In the YAML/JSON file '/apis/operator.openshift.io/v1/kubeapiservers/cluster' at path '.spec.observedConfig.apiServerArguments["feature-gates"][:]' all: value equals '^APIPriorityAndFairness=true$'</oval-def:description>
+            <oval-def:reference ref_id="CCE-83656-9" source="CCE"/>
+            <oval-def:reference ref_id="api_server_api_priority_gate_enabled" source="ssg"/>
+          </oval-def:metadata>
+          <oval-def:criteria>
+            <oval-def:criterion comment="In the YAML/JSON file '/apis/operator.openshift.io/v1/kubeapiservers/cluster' at path '.spec.observedConfig.apiServerArguments[&quot;feature-gates&quot;][:]' all" test_ref="oval:ssg-test_api_server_api_priority_gate_enabled:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/apis/operator.openshift.io/v1/kubeapiservers/cluster' exists." test_ref="oval:ssg-test_file_for_api_server_api_priority_gate_enabled:tst:1"/>
+          </oval-def:criteria>
+        </oval-def:definition>
+        <oval-def:definition class="compliance" id="oval:ssg-api_server_api_priority_v1alpha1_flowschema_catch_all:def:1" version="1">
+          <oval-def:metadata>
+            <oval-def:title>Ensure catch-all FlowSchema object for API Priority and Fairness Exists (v1alpha1)</oval-def:title>
+            <oval-def:affected family="unix">
+              <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
+            </oval-def:affected>
+            <oval-def:description>In the YAML/JSON file '/apis/flowcontrol.apiserver.k8s.io/v1alpha1/flowschemas/catch-all' at path '.spec.rules[0].subjects[:].group["name"]' at least one: value equals 'system:authenticated'</oval-def:description>
+            <oval-def:reference ref_id="CCE-84002-5" source="CCE"/>
+            <oval-def:reference ref_id="api_server_api_priority_v1alpha1_flowschema_catch_all" source="ssg"/>
+          </oval-def:metadata>
+          <oval-def:criteria>
+            <oval-def:criterion comment="In the YAML/JSON file '/apis/flowcontrol.apiserver.k8s.io/v1alpha1/flowschemas/catch-all' at path '.spec.rules[0].subjects[:].group[&quot;name&quot;]' at least one" test_ref="oval:ssg-test_api_server_api_priority_v1alpha1_flowschema_catch_all:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/apis/flowcontrol.apiserver.k8s.io/v1alpha1/flowschemas/catch-all' exists." test_ref="oval:ssg-test_file_for_api_server_api_priority_v1alpha1_flowschema_catch_all:tst:1"/>
+          </oval-def:criteria>
+        </oval-def:definition>
+        <oval-def:definition class="compliance" id="oval:ssg-api_server_api_priority_v1beta1_flowschema_catch_all:def:1" version="1">
+          <oval-def:metadata>
+            <oval-def:title>Ensure catch-all FlowSchema object for API Priority and Fairness Exists</oval-def:title>
+            <oval-def:affected family="unix">
+              <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
+            </oval-def:affected>
+            <oval-def:description>In the YAML/JSON file '/apis/flowcontrol.apiserver.k8s.io/v1beta1/flowschemas/catch-all' at path '.spec.rules[0].subjects[:].group["name"]' at least one: value equals 'system:authenticated'</oval-def:description>
+            <oval-def:reference ref_id="CCE-83522-3" source="CCE"/>
+            <oval-def:reference ref_id="api_server_api_priority_v1beta1_flowschema_catch_all" source="ssg"/>
+          </oval-def:metadata>
+          <oval-def:criteria>
+            <oval-def:criterion comment="In the YAML/JSON file '/apis/flowcontrol.apiserver.k8s.io/v1beta1/flowschemas/catch-all' at path '.spec.rules[0].subjects[:].group[&quot;name&quot;]' at least one" test_ref="oval:ssg-test_api_server_api_priority_v1beta1_flowschema_catch_all:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/apis/flowcontrol.apiserver.k8s.io/v1beta1/flowschemas/catch-all' exists." test_ref="oval:ssg-test_file_for_api_server_api_priority_v1beta1_flowschema_catch_all:tst:1"/>
+          </oval-def:criteria>
+        </oval-def:definition>
+        <oval-def:definition class="compliance" id="oval:ssg-api_server_api_priority_v1beta2_flowschema_catch_all:def:1" version="1">
+          <oval-def:metadata>
+            <oval-def:title>Ensure catch-all FlowSchema object for API Priority and Fairness Exists</oval-def:title>
+            <oval-def:affected family="unix">
+              <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
+            </oval-def:affected>
+            <oval-def:description>In the YAML/JSON file '/apis/flowcontrol.apiserver.k8s.io/v1beta2/flowschemas/catch-all' at path '.spec.rules[0].subjects[:].group["name"]' at least one: value equals 'system:authenticated'</oval-def:description>
+            <oval-def:reference ref_id="CCE-86390-2" source="CCE"/>
+            <oval-def:reference ref_id="api_server_api_priority_v1beta2_flowschema_catch_all" source="ssg"/>
+          </oval-def:metadata>
+          <oval-def:criteria>
+            <oval-def:criterion comment="In the YAML/JSON file '/apis/flowcontrol.apiserver.k8s.io/v1beta2/flowschemas/catch-all' at path '.spec.rules[0].subjects[:].group[&quot;name&quot;]' at least one" test_ref="oval:ssg-test_api_server_api_priority_v1beta2_flowschema_catch_all:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/apis/flowcontrol.apiserver.k8s.io/v1beta2/flowschemas/catch-all' exists." test_ref="oval:ssg-test_file_for_api_server_api_priority_v1beta2_flowschema_catch_all:tst:1"/>
+          </oval-def:criteria>
+        </oval-def:definition>
+        <oval-def:definition class="compliance" id="oval:ssg-api_server_audit_log_maxbackup:def:1" version="1">
+          <oval-def:metadata>
+            <oval-def:title>Configure the Kubernetes API Server Maximum Retained Audit Logs</oval-def:title>
+            <oval-def:affected family="unix">
+              <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
+            </oval-def:affected>
+            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments["audit-log-maxbackup"][:]' at least one: value equals '10'</oval-def:description>
+            <oval-def:reference ref_id="CCE-83739-3" source="CCE"/>
+            <oval-def:reference ref_id="api_server_audit_log_maxbackup" source="ssg"/>
+          </oval-def:metadata>
+          <oval-def:criteria>
+            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments[&quot;audit-log-maxbackup&quot;][:]' at least one" test_ref="oval:ssg-test_api_server_audit_log_maxbackup:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' exists." test_ref="oval:ssg-test_file_for_api_server_audit_log_maxbackup:tst:1"/>
+          </oval-def:criteria>
+        </oval-def:definition>
+        <oval-def:definition class="compliance" id="oval:ssg-api_server_audit_log_maxsize:def:1" version="1">
+          <oval-def:metadata>
+            <oval-def:title>Configure Kubernetes API Server Maximum Audit Log Size</oval-def:title>
+            <oval-def:affected family="unix">
+              <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
+            </oval-def:affected>
+            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments["audit-log-maxsize"][:]' at least one: value equals '100'</oval-def:description>
+            <oval-def:reference ref_id="CCE-83607-2" source="CCE"/>
+            <oval-def:reference ref_id="api_server_audit_log_maxsize" source="ssg"/>
+          </oval-def:metadata>
+          <oval-def:criteria>
+            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments[&quot;audit-log-maxsize&quot;][:]' at least one" test_ref="oval:ssg-test_api_server_audit_log_maxsize:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' exists." test_ref="oval:ssg-test_file_for_api_server_audit_log_maxsize:tst:1"/>
+          </oval-def:criteria>
+        </oval-def:definition>
+        <oval-def:definition class="compliance" id="oval:ssg-api_server_audit_log_path:def:1" version="1">
+          <oval-def:metadata>
+            <oval-def:title>Configure the Audit Log Path</oval-def:title>
+            <oval-def:affected family="unix">
+              <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
+            </oval-def:affected>
+            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments["audit-log-path"][:]' at least one: value equals '.+'</oval-def:description>
+            <oval-def:reference ref_id="CCE-84020-7" source="CCE"/>
+            <oval-def:reference ref_id="api_server_audit_log_path" source="ssg"/>
+          </oval-def:metadata>
+          <oval-def:criteria>
+            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments[&quot;audit-log-path&quot;][:]' at least one" test_ref="oval:ssg-test_api_server_audit_log_path:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' exists." test_ref="oval:ssg-test_file_for_api_server_audit_log_path:tst:1"/>
+          </oval-def:criteria>
+        </oval-def:definition>
+        <oval-def:definition class="compliance" id="oval:ssg-api_server_auth_mode_no_aa:def:1" version="1">
+          <oval-def:metadata>
+            <oval-def:title>The authorization-mode cannot be AlwaysAllow</oval-def:title>
+            <oval-def:affected family="unix">
+              <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
+            </oval-def:affected>
+            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#ffe65d9fac11909686e59349c6a0111aaf57caa26bd2db3e7dcb1a0a22899145' at path '.apiServerArguments["authorization-mode"][:]' all: value equals 'AlwaysAllow'</oval-def:description>
+            <oval-def:reference ref_id="CCE-84207-0" source="CCE"/>
+            <oval-def:reference ref_id="api_server_auth_mode_no_aa" source="ssg"/>
+          </oval-def:metadata>
+          <oval-def:criteria>
+            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#ffe65d9fac11909686e59349c6a0111aaf57caa26bd2db3e7dcb1a0a22899145' at path '.apiServerArguments[&quot;authorization-mode&quot;][:]' all" test_ref="oval:ssg-test_api_server_auth_mode_no_aa:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#ffe65d9fac11909686e59349c6a0111aaf57caa26bd2db3e7dcb1a0a22899145' exists." test_ref="oval:ssg-test_file_for_api_server_auth_mode_no_aa:tst:1"/>
+          </oval-def:criteria>
+        </oval-def:definition>
+        <oval-def:definition class="compliance" id="oval:ssg-api_server_auth_mode_node:def:1" version="1">
+          <oval-def:metadata>
+            <oval-def:title>Ensure authorization-mode Node is configured</oval-def:title>
+            <oval-def:affected family="unix">
+              <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
+            </oval-def:affected>
+            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments["authorization-mode"][:]' at least one: value equals 'Node'</oval-def:description>
+            <oval-def:reference ref_id="CCE-83889-6" source="CCE"/>
+            <oval-def:reference ref_id="api_server_auth_mode_node" source="ssg"/>
+          </oval-def:metadata>
+          <oval-def:criteria>
+            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments[&quot;authorization-mode&quot;][:]' at least one" test_ref="oval:ssg-test_api_server_auth_mode_node:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' exists." test_ref="oval:ssg-test_file_for_api_server_auth_mode_node:tst:1"/>
+          </oval-def:criteria>
+        </oval-def:definition>
+        <oval-def:definition class="compliance" id="oval:ssg-api_server_auth_mode_rbac:def:1" version="1">
+          <oval-def:metadata>
+            <oval-def:title>Ensure authorization-mode RBAC is configured</oval-def:title>
+            <oval-def:affected family="unix">
+              <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
+            </oval-def:affected>
+            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments["authorization-mode"][:]' at least one: value equals 'RBAC'</oval-def:description>
+            <oval-def:reference ref_id="CCE-84102-3" source="CCE"/>
+            <oval-def:reference ref_id="api_server_auth_mode_rbac" source="ssg"/>
+          </oval-def:metadata>
+          <oval-def:criteria>
+            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments[&quot;authorization-mode&quot;][:]' at least one" test_ref="oval:ssg-test_api_server_auth_mode_rbac:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' exists." test_ref="oval:ssg-test_file_for_api_server_auth_mode_rbac:tst:1"/>
+          </oval-def:criteria>
+        </oval-def:definition>
+        <oval-def:definition class="compliance" id="oval:ssg-api_server_basic_auth:def:1" version="1">
+          <oval-def:metadata>
+            <oval-def:title>Disable basic-auth-file for the API Server</oval-def:title>
+            <oval-def:affected family="unix">
+              <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
+            </oval-def:affected>
+            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments[:]' all: key 'basic-auth-file' value equals ''</oval-def:description>
+            <oval-def:reference ref_id="CCE-83936-5" source="CCE"/>
+            <oval-def:reference ref_id="api_server_basic_auth" source="ssg"/>
+          </oval-def:metadata>
+          <oval-def:criteria>
+            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments[:]' all" test_ref="oval:ssg-test_api_server_basic_auth:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' exists." test_ref="oval:ssg-test_file_for_api_server_basic_auth:tst:1"/>
+          </oval-def:criteria>
+        </oval-def:definition>
+        <oval-def:definition class="compliance" id="oval:ssg-api_server_bind_address:def:1" version="1">
+          <oval-def:metadata>
+            <oval-def:title>Ensure that the bindAddress is set to a relevant secure port</oval-def:title>
+            <oval-def:affected family="unix">
+              <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
+            </oval-def:affected>
+            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.servingInfo["bindAddress"]' all: value equals '(.+)'</oval-def:description>
+            <oval-def:reference ref_id="CCE-83646-0" source="CCE"/>
+            <oval-def:reference ref_id="api_server_bind_address" source="ssg"/>
+          </oval-def:metadata>
+          <oval-def:criteria>
+            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.servingInfo[&quot;bindAddress&quot;]' all" test_ref="oval:ssg-test_api_server_bind_address:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' exists." test_ref="oval:ssg-test_file_for_api_server_bind_address:tst:1"/>
+          </oval-def:criteria>
+        </oval-def:definition>
+        <oval-def:definition class="compliance" id="oval:ssg-api_server_client_ca:def:1" version="1">
+          <oval-def:metadata>
+            <oval-def:title>Configure the Client Certificate Authority for the API Server</oval-def:title>
+            <oval-def:affected family="unix">
+              <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
+            </oval-def:affected>
+            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments["client-ca-file"]' all: value equals '(.+)'</oval-def:description>
+            <oval-def:reference ref_id="CCE-84284-9" source="CCE"/>
+            <oval-def:reference ref_id="api_server_client_ca" source="ssg"/>
+          </oval-def:metadata>
+          <oval-def:criteria>
+            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments[&quot;client-ca-file&quot;]' all" test_ref="oval:ssg-test_api_server_client_ca:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' exists." test_ref="oval:ssg-test_file_for_api_server_client_ca:tst:1"/>
+          </oval-def:criteria>
+        </oval-def:definition>
+        <oval-def:definition class="compliance" id="oval:ssg-api_server_encryption_provider_cipher:def:1" version="1">
+          <oval-def:metadata>
+            <oval-def:title>Configure the Encryption Provider Cipher</oval-def:title>
+            <oval-def:affected family="unix">
+              <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
+            </oval-def:affected>
+            <oval-def:description>In the YAML/JSON file '/apis/config.openshift.io/v1/apiservers/cluster' at path '.spec.encryption.type' at least one: value equals 'aescbc'</oval-def:description>
+            <oval-def:reference ref_id="api_server_encryption_provider_cipher" source="ssg"/>
+          </oval-def:metadata>
+          <oval-def:criteria>
+            <oval-def:criterion comment="In the YAML/JSON file '/apis/config.openshift.io/v1/apiservers/cluster' at path '.spec.encryption.type' at least one" test_ref="oval:ssg-test_api_server_encryption_provider_cipher:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/apis/config.openshift.io/v1/apiservers/cluster' exists." test_ref="oval:ssg-test_file_for_api_server_encryption_provider_cipher:tst:1"/>
+          </oval-def:criteria>
+        </oval-def:definition>
+        <oval-def:definition class="compliance" id="oval:ssg-api_server_encryption_provider_config:def:1" version="1">
+          <oval-def:metadata>
+            <oval-def:title>Configure the Encryption Provider</oval-def:title>
+            <oval-def:affected family="unix">
+              <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
+            </oval-def:affected>
+            <oval-def:description>In the YAML/JSON file '/apis/config.openshift.io/v1/apiservers/cluster' at path '.spec.encryption.type' at least one: value equals 'aescbc'</oval-def:description>
+            <oval-def:reference ref_id="CCE-83585-0" source="CCE"/>
+            <oval-def:reference ref_id="api_server_encryption_provider_config" source="ssg"/>
+          </oval-def:metadata>
+          <oval-def:criteria>
+            <oval-def:criterion comment="In the YAML/JSON file '/apis/config.openshift.io/v1/apiservers/cluster' at path '.spec.encryption.type' at least one" test_ref="oval:ssg-test_api_server_encryption_provider_config:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/apis/config.openshift.io/v1/apiservers/cluster' exists." test_ref="oval:ssg-test_file_for_api_server_encryption_provider_config:tst:1"/>
+          </oval-def:criteria>
+        </oval-def:definition>
+        <oval-def:definition class="compliance" id="oval:ssg-api_server_etcd_ca:def:1" version="1">
+          <oval-def:metadata>
+            <oval-def:title>Configure the etcd Certificate Authority for the API Server</oval-def:title>
+            <oval-def:affected family="unix">
+              <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
+            </oval-def:affected>
+            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments["etcd-cafile"][:]' all: value equals '(.+)'</oval-def:description>
+            <oval-def:reference ref_id="CCE-84216-1" source="CCE"/>
+            <oval-def:reference ref_id="api_server_etcd_ca" source="ssg"/>
+          </oval-def:metadata>
+          <oval-def:criteria>
+            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments[&quot;etcd-cafile&quot;][:]' all" test_ref="oval:ssg-test_api_server_etcd_ca:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' exists." test_ref="oval:ssg-test_file_for_api_server_etcd_ca:tst:1"/>
+          </oval-def:criteria>
+        </oval-def:definition>
+        <oval-def:definition class="compliance" id="oval:ssg-api_server_etcd_cert:def:1" version="1">
+          <oval-def:metadata>
+            <oval-def:title>Configure the etcd Certificate for the API Server</oval-def:title>
+            <oval-def:affected family="unix">
+              <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
+            </oval-def:affected>
+            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments["etcd-certfile"][:]' all: value equals '.*\.crt'</oval-def:description>
+            <oval-def:reference ref_id="CCE-83876-3" source="CCE"/>
+            <oval-def:reference ref_id="api_server_etcd_cert" source="ssg"/>
+          </oval-def:metadata>
+          <oval-def:criteria>
+            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments[&quot;etcd-certfile&quot;][:]' all" test_ref="oval:ssg-test_api_server_etcd_cert:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' exists." test_ref="oval:ssg-test_file_for_api_server_etcd_cert:tst:1"/>
+          </oval-def:criteria>
+        </oval-def:definition>
+        <oval-def:definition class="compliance" id="oval:ssg-api_server_etcd_key:def:1" version="1">
+          <oval-def:metadata>
+            <oval-def:title>Configure the etcd Certificate Key for the API Server</oval-def:title>
+            <oval-def:affected family="unix">
+              <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
+            </oval-def:affected>
+            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments["etcd-keyfile"][:]' all: value equals '.*\.key'</oval-def:description>
+            <oval-def:reference ref_id="CCE-83546-2" source="CCE"/>
+            <oval-def:reference ref_id="api_server_etcd_key" source="ssg"/>
+          </oval-def:metadata>
+          <oval-def:criteria>
+            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments[&quot;etcd-keyfile&quot;][:]' all" test_ref="oval:ssg-test_api_server_etcd_key:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' exists." test_ref="oval:ssg-test_file_for_api_server_etcd_key:tst:1"/>
+          </oval-def:criteria>
+        </oval-def:definition>
+        <oval-def:definition class="compliance" id="oval:ssg-api_server_https_for_kubelet_conn:def:1" version="1">
+          <oval-def:metadata>
+            <oval-def:title>Ensure that the --kubelet-https argument is set to true</oval-def:title>
+            <oval-def:affected family="unix">
+              <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
+            </oval-def:affected>
+            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments[:]' all: key 'kubelet-https' value equals ''</oval-def:description>
+            <oval-def:reference ref_id="api_server_https_for_kubelet_conn" source="ssg"/>
+          </oval-def:metadata>
+          <oval-def:criteria>
+            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments[:]' all" test_ref="oval:ssg-test_api_server_https_for_kubelet_conn:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' exists." test_ref="oval:ssg-test_file_for_api_server_https_for_kubelet_conn:tst:1"/>
+          </oval-def:criteria>
+        </oval-def:definition>
+        <oval-def:definition class="compliance" id="oval:ssg-api_server_insecure_bind_address:def:1" version="1">
+          <oval-def:metadata>
+            <oval-def:title>Disable Use of the Insecure Bind Address</oval-def:title>
+            <oval-def:affected family="unix">
+              <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
+            </oval-def:affected>
+            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#95b5b27bb6ea2b122e810c99c17c2430c4845596942804847dd677557cfed88e' at path '.apiServerArguments[:]' all: value equals 'insecure-bind-address'</oval-def:description>
+            <oval-def:reference ref_id="CCE-83955-5" source="CCE"/>
+            <oval-def:reference ref_id="api_server_insecure_bind_address" source="ssg"/>
+          </oval-def:metadata>
+          <oval-def:criteria>
+            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#95b5b27bb6ea2b122e810c99c17c2430c4845596942804847dd677557cfed88e' at path '.apiServerArguments[:]' all" test_ref="oval:ssg-test_api_server_insecure_bind_address:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#95b5b27bb6ea2b122e810c99c17c2430c4845596942804847dd677557cfed88e' exists." test_ref="oval:ssg-test_file_for_api_server_insecure_bind_address:tst:1"/>
+          </oval-def:criteria>
+        </oval-def:definition>
+        <oval-def:definition class="compliance" id="oval:ssg-api_server_insecure_port:def:1" version="1">
+          <oval-def:metadata>
+            <oval-def:title>Prevent Insecure Port Access</oval-def:title>
+            <oval-def:affected family="unix">
+              <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
+            </oval-def:affected>
+            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments["insecure-port"][:]' all: value equals '0'</oval-def:description>
+            <oval-def:reference ref_id="CCE-83813-6" source="CCE"/>
+            <oval-def:reference ref_id="api_server_insecure_port" source="ssg"/>
+          </oval-def:metadata>
+          <oval-def:criteria>
+            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments[&quot;insecure-port&quot;][:]' all" test_ref="oval:ssg-test_api_server_insecure_port:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' exists." test_ref="oval:ssg-test_file_for_api_server_insecure_port:tst:1"/>
+          </oval-def:criteria>
+        </oval-def:definition>
+        <oval-def:definition class="compliance" id="oval:ssg-api_server_kubelet_certificate_authority:def:1" version="1">
+          <oval-def:metadata>
+            <oval-def:title>Configure the kubelet Certificate Authority for the API Server</oval-def:title>
+            <oval-def:affected family="unix">
+              <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
+            </oval-def:affected>
+            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments["kubelet-certificate-authority"][:]' all: value equals '(.+)'</oval-def:description>
+            <oval-def:reference ref_id="CCE-84196-5" source="CCE"/>
+            <oval-def:reference ref_id="api_server_kubelet_certificate_authority" source="ssg"/>
+          </oval-def:metadata>
+          <oval-def:criteria>
+            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments[&quot;kubelet-certificate-authority&quot;][:]' all" test_ref="oval:ssg-test_api_server_kubelet_certificate_authority:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' exists." test_ref="oval:ssg-test_file_for_api_server_kubelet_certificate_authority:tst:1"/>
+          </oval-def:criteria>
+        </oval-def:definition>
+        <oval-def:definition class="compliance" id="oval:ssg-api_server_kubelet_client_cert:def:1" version="1">
+          <oval-def:metadata>
+            <oval-def:title>Configure the kubelet Certificate File for the API Server</oval-def:title>
+            <oval-def:affected family="unix">
+              <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
+            </oval-def:affected>
+            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments["kubelet-client-certificate"][:]' all: value equals '(.+)'</oval-def:description>
+            <oval-def:reference ref_id="CCE-84080-1" source="CCE"/>
+            <oval-def:reference ref_id="api_server_kubelet_client_cert" source="ssg"/>
+          </oval-def:metadata>
+          <oval-def:criteria>
+            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments[&quot;kubelet-client-certificate&quot;][:]' all" test_ref="oval:ssg-test_api_server_kubelet_client_cert:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' exists." test_ref="oval:ssg-test_file_for_api_server_kubelet_client_cert:tst:1"/>
+          </oval-def:criteria>
+        </oval-def:definition>
+        <oval-def:definition class="compliance" id="oval:ssg-api_server_kubelet_client_cert_pre_4_9:def:1" version="1">
+          <oval-def:metadata>
+            <oval-def:title>Configure the kubelet Certificate File for the API Server</oval-def:title>
+            <oval-def:affected family="unix">
+              <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
+            </oval-def:affected>
+            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' at path '.data["config.yaml"]' all: value equals '"kubelet-client-certificate":\["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt"\]'</oval-def:description>
+            <oval-def:reference ref_id="CCE-85890-2" source="CCE"/>
+            <oval-def:reference ref_id="api_server_kubelet_client_cert_pre_4_9" source="ssg"/>
+          </oval-def:metadata>
+          <oval-def:criteria>
+            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' at path '.data[&quot;config.yaml&quot;]' all" test_ref="oval:ssg-test_api_server_kubelet_client_cert_pre_4_9:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' exists." test_ref="oval:ssg-test_file_for_api_server_kubelet_client_cert_pre_4_9:tst:1"/>
+          </oval-def:criteria>
+        </oval-def:definition>
+        <oval-def:definition class="compliance" id="oval:ssg-api_server_kubelet_client_key:def:1" version="1">
+          <oval-def:metadata>
+            <oval-def:title>Configure the kubelet Certificate Key for the API Server</oval-def:title>
+            <oval-def:affected family="unix">
+              <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
+            </oval-def:affected>
+            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments["kubelet-client-key"][:]' all: value equals '(.+)'</oval-def:description>
+            <oval-def:reference ref_id="CCE-83591-8" source="CCE"/>
+            <oval-def:reference ref_id="api_server_kubelet_client_key" source="ssg"/>
+          </oval-def:metadata>
+          <oval-def:criteria>
+            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments[&quot;kubelet-client-key&quot;][:]' all" test_ref="oval:ssg-test_api_server_kubelet_client_key:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' exists." test_ref="oval:ssg-test_file_for_api_server_kubelet_client_key:tst:1"/>
+          </oval-def:criteria>
+        </oval-def:definition>
+        <oval-def:definition class="compliance" id="oval:ssg-api_server_kubelet_client_key_pre_4_9:def:1" version="1">
+          <oval-def:metadata>
+            <oval-def:title>Configure the kubelet Certificate Key for the API Server</oval-def:title>
+            <oval-def:affected family="unix">
+              <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
+            </oval-def:affected>
+            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' at path '.data["config.yaml"]' all: value equals '"kubelet-client-key":\["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key"\]'</oval-def:description>
+            <oval-def:reference ref_id="CCE-90794-9" source="CCE"/>
+            <oval-def:reference ref_id="api_server_kubelet_client_key_pre_4_9" source="ssg"/>
+          </oval-def:metadata>
+          <oval-def:criteria>
+            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' at path '.data[&quot;config.yaml&quot;]' all" test_ref="oval:ssg-test_api_server_kubelet_client_key_pre_4_9:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' exists." test_ref="oval:ssg-test_file_for_api_server_kubelet_client_key_pre_4_9:tst:1"/>
+          </oval-def:criteria>
+        </oval-def:definition>
+        <oval-def:definition class="compliance" id="oval:ssg-api_server_no_adm_ctrl_plugins_disabled:def:1" version="1">
+          <oval-def:metadata>
+            <oval-def:title>Ensure all admission control plugins are enabled</oval-def:title>
+            <oval-def:affected family="unix">
+              <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
+            </oval-def:affected>
+            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#8c02c853df9307960712da853d79f916a091fe8bce6312720d7c17de03c2017b' at path '[:]' all: value equals '(.*?)'</oval-def:description>
+            <oval-def:reference ref_id="CCE-83799-7" source="CCE"/>
+            <oval-def:reference ref_id="api_server_no_adm_ctrl_plugins_disabled" source="ssg"/>
+          </oval-def:metadata>
+          <oval-def:criteria>
+            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#8c02c853df9307960712da853d79f916a091fe8bce6312720d7c17de03c2017b' at path '[:]' all" test_ref="oval:ssg-test_api_server_no_adm_ctrl_plugins_disabled:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#8c02c853df9307960712da853d79f916a091fe8bce6312720d7c17de03c2017b' exists." test_ref="oval:ssg-test_file_for_api_server_no_adm_ctrl_plugins_disabled:tst:1"/>
+          </oval-def:criteria>
+        </oval-def:definition>
+        <oval-def:definition class="compliance" id="oval:ssg-api_server_profiling_protected_by_rbac:def:1" version="1">
+          <oval-def:metadata>
+            <oval-def:title>Profiling is protected by RBAC</oval-def:title>
+            <oval-def:affected family="unix">
+              <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
+            </oval-def:affected>
+            <oval-def:description>In the YAML/JSON file '/apis/rbac.authorization.k8s.io/v1/clusterroles/cluster-debugger' at path '.rules[0].nonResourceURLs[:]' at least one: value equals '\/metrics'</oval-def:description>
+            <oval-def:reference ref_id="CCE-84212-0" source="CCE"/>
+            <oval-def:reference ref_id="api_server_profiling_protected_by_rbac" source="ssg"/>
+          </oval-def:metadata>
+          <oval-def:criteria>
+            <oval-def:criterion comment="In the YAML/JSON file '/apis/rbac.authorization.k8s.io/v1/clusterroles/cluster-debugger' at path '.rules[0].nonResourceURLs[:]' at least one" test_ref="oval:ssg-test_api_server_profiling_protected_by_rbac:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/apis/rbac.authorization.k8s.io/v1/clusterroles/cluster-debugger' exists." test_ref="oval:ssg-test_file_for_api_server_profiling_protected_by_rbac:tst:1"/>
+          </oval-def:criteria>
+        </oval-def:definition>
+        <oval-def:definition class="compliance" id="oval:ssg-api_server_request_timeout:def:1" version="1">
+          <oval-def:metadata>
+            <oval-def:title>Configure the API Server Minimum Request Timeout</oval-def:title>
+            <oval-def:affected family="unix">
+              <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
+            </oval-def:affected>
+            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments["min-request-timeout"][:]' at least one: value equals '(\d*)'</oval-def:description>
+            <oval-def:reference ref_id="api_server_request_timeout" source="ssg"/>
+          </oval-def:metadata>
+          <oval-def:criteria>
+            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments[&quot;min-request-timeout&quot;][:]' at least one" test_ref="oval:ssg-test_api_server_request_timeout:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' exists." test_ref="oval:ssg-test_file_for_api_server_request_timeout:tst:1"/>
+          </oval-def:criteria>
+        </oval-def:definition>
+        <oval-def:definition class="compliance" id="oval:ssg-api_server_service_account_lookup:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Ensure catch-all FlowSchema object for API Priority and Fairness Exists</oval-def:title>
+            <oval-def:title>Ensure that the service-account-lookup argument is set to true</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>One of the flowschema versions should exist, but it doesn't matter which</oval-def:description>
-            <oval-def:reference ref_id="CCE-85891-0" source="CCE"/>
-            <oval-def:reference ref_id="api_server_api_priority_flowschema_catch_all" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments["service-account-lookup"][:]' at least one: value equals 'true'</oval-def:description>
+            <oval-def:reference ref_id="CCE-83370-7" source="CCE"/>
+            <oval-def:reference ref_id="api_server_service_account_lookup" source="ssg"/>
           </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:extend_definition comment="flowschema v1alpha1" definition_ref="oval:ssg-api_server_api_priority_v1alpha1_flowschema_catch_all:def:1"/>
-            <oval-def:extend_definition comment="flowschema v1beta1" definition_ref="oval:ssg-api_server_api_priority_v1beta1_flowschema_catch_all:def:1"/>
-            <oval-def:extend_definition comment="flowschema v1beta2" definition_ref="oval:ssg-api_server_api_priority_v1beta2_flowschema_catch_all:def:1"/>
+          <oval-def:criteria>
+            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments[&quot;service-account-lookup&quot;][:]' at least one" test_ref="oval:ssg-test_api_server_service_account_lookup:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' exists." test_ref="oval:ssg-test_file_for_api_server_service_account_lookup:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-oauth_or_oauthclient_inactivity_timeout:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-api_server_service_account_public_key:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Configure OAuth tokens to expire after a set period of inactivity</oval-def:title>
+            <oval-def:title>Configure the Service Account Public Key for the API Server</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>The inactivity timeout must be specified either per client or globally</oval-def:description>
-            <oval-def:reference ref_id="CCE-83702-1" source="CCE"/>
-            <oval-def:reference ref_id="oauth_or_oauthclient_inactivity_timeout" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.serviceAccountPublicKeyFiles[:]' at least one: value equals '.+'</oval-def:description>
+            <oval-def:reference ref_id="CCE-83350-9" source="CCE"/>
+            <oval-def:reference ref_id="api_server_service_account_public_key" source="ssg"/>
           </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:extend_definition comment="global inactivity timeout" definition_ref="oval:ssg-oauth_inactivity_timeout:def:1"/>
-            <oval-def:extend_definition comment="per client inactivity timeout" definition_ref="oval:ssg-oauthclient_inactivity_timeout:def:1"/>
+          <oval-def:criteria>
+            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.serviceAccountPublicKeyFiles[:]' at least one" test_ref="oval:ssg-test_api_server_service_account_public_key:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' exists." test_ref="oval:ssg-test_file_for_api_server_service_account_public_key:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-oauth_or_oauthclient_token_maxage:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-api_server_tls_cert:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Configure OAuth tokens to expire after a set period of inactivity</oval-def:title>
+            <oval-def:title>Configure the Certificate for the API Server</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>The tokan max age must be specified either per client or globally</oval-def:description>
-            <oval-def:reference ref_id="CCE-84162-7" source="CCE"/>
-            <oval-def:reference ref_id="oauth_or_oauthclient_token_maxage" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments["tls-cert-file"][:]' all: value equals '(.+)'</oval-def:description>
+            <oval-def:reference ref_id="CCE-83779-9" source="CCE"/>
+            <oval-def:reference ref_id="api_server_tls_cert" source="ssg"/>
           </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:extend_definition comment="global token max age" definition_ref="oval:ssg-oauth_token_maxage:def:1"/>
-            <oval-def:extend_definition comment="per client token max age" definition_ref="oval:ssg-oauthclient_token_maxage:def:1"/>
+          <oval-def:criteria>
+            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments[&quot;tls-cert-file&quot;][:]' all" test_ref="oval:ssg-test_api_server_tls_cert:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' exists." test_ref="oval:ssg-test_file_for_api_server_tls_cert:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-etcd_unique_ca:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-api_server_tls_cipher_suites:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Configure A Unique CA Certificate for etcd</oval-def:title>
+            <oval-def:title>Use Strong Cryptographic Ciphers on the API Server</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>The etcd CA should be different from the Kubernetes CA.</oval-def:description>
-            <oval-def:reference ref_id="etcd_unique_ca" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.servingInfo.cipherSuites[:]' all: value equals 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384'</oval-def:description>
+            <oval-def:reference ref_id="api_server_tls_cipher_suites" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion test_ref="oval:ssg-test_etcd_different_ca_than_k8s:tst:1" comment="Check that etcd uses a different CA than Kubernetes."/>
+            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.servingInfo.cipherSuites[:]' all" test_ref="oval:ssg-test_api_server_tls_cipher_suites:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' exists." test_ref="oval:ssg-test_file_for_api_server_tls_cipher_suites:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-banner_or_login_template_set:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-api_server_tls_private_key:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Ensure that a OpenShift OAuth login template or a classification banner is set</oval-def:title>
+            <oval-def:title>Configure the Certificate Key for the API Server</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>A Legal notice must be displayed by some means.</oval-def:description>
-            <oval-def:reference ref_id="CCE-84195-7" source="CCE"/>
-            <oval-def:reference ref_id="banner_or_login_template_set" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments["tls-private-key-file"][:]' all: value equals '(.+)'</oval-def:description>
+            <oval-def:reference ref_id="CCE-84282-3" source="CCE"/>
+            <oval-def:reference ref_id="api_server_tls_private_key" source="ssg"/>
           </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:extend_definition comment="classification banner" definition_ref="oval:ssg-classification_banner:def:1"/>
-            <oval-def:extend_definition comment="custom login page" definition_ref="oval:ssg-oauth_login_template_set:def:1"/>
+          <oval-def:criteria>
+            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments[&quot;tls-private-key-file&quot;][:]' all" test_ref="oval:ssg-test_api_server_tls_private_key:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' exists." test_ref="oval:ssg-test_file_for_api_server_tls_private_key:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-resource_requests_quota:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-api_server_token_auth:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Ensure workloads use resource requests and limits</oval-def:title>
+            <oval-def:title>Disable Token-based Authentication</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>The sysctl parameter needs to be set before enabling kernel protection</oval-def:description>
-            <oval-def:reference ref_id="CCE-90588-5" source="CCE"/>
-            <oval-def:reference ref_id="resource_requests_quota" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#ffe65d9fac11909686e59349c6a0111aaf57caa26bd2db3e7dcb1a0a22899145' at path '.apiServerArguments["enable-admission-plugins"][:]' all: value equals '^token-auth-file$'</oval-def:description>
+            <oval-def:reference ref_id="CCE-83481-2" source="CCE"/>
+            <oval-def:reference ref_id="api_server_token_auth" source="ssg"/>
           </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:extend_definition comment="cluster quotas enabled" definition_ref="oval:ssg-resource_requests_quota_cluster:def:1"/>
-            <oval-def:extend_definition comment="resource quota per project" definition_ref="oval:ssg-resource_requests_quota_per_project:def:1"/>
+          <oval-def:criteria>
+            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#ffe65d9fac11909686e59349c6a0111aaf57caa26bd2db3e7dcb1a0a22899145' at path '.apiServerArguments[&quot;enable-admission-plugins&quot;][:]' all" test_ref="oval:ssg-test_api_server_token_auth:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#ffe65d9fac11909686e59349c6a0111aaf57caa26bd2db3e7dcb1a0a22899145' exists." test_ref="oval:ssg-test_file_for_api_server_token_auth:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-resource_requests_quota_per_project:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-audit_error_alert_exists:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Ensure workloads use resource requests and limits per namespace</oval-def:title>
+            <oval-def:title>Ensure that Audit Log Errors Emit Alerts</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>Ensure that application Namespaces have Network Policies defined</oval-def:description>
-            <oval-def:reference ref_id="CCE-90582-8" source="CCE"/>
-            <oval-def:reference ref_id="resource_requests_quota_per_project" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/apis/monitoring.coreos.com/v1/prometheusrules?limit=500#72e9ad360bb6bdf4ad9e43217cd0ec9cb90e7c3b08d4fbe0edf087ad899e05a6' at path '[:]' all: value equals '^.*apiserver_audit_error_total.*apiserver_audit_event_total.*$'</oval-def:description>
+            <oval-def:reference ref_id="CCE-90744-4" source="CCE"/>
+            <oval-def:reference ref_id="audit_error_alert_exists" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Make sure that the file '/api/v1/resourcequotas#2e6fd6a1fa7945ee6d06434fd05e4c27822d577045b3d3a4ca5809580cd57f50 exists." test_ref="oval:ssg-test_file_for_resource_requests_quota_per_project:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces#34d4beecc95c65d815d9d48fd4fdcb0c521631852ad088ef74e36d012b0e1e0d' exists." test_ref="oval:ssg-test_file_for_resource_requests_quotas_filtered_namespaces:tst:1"/>
-            <oval-def:criterion comment="Make sure that all target elements exists " test_ref="oval:ssg-test_elements_count_for_resource_requests_quota_per_project:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/apis/monitoring.coreos.com/v1/prometheusrules?limit=500#72e9ad360bb6bdf4ad9e43217cd0ec9cb90e7c3b08d4fbe0edf087ad899e05a6' at path '[:]' all" test_ref="oval:ssg-test_audit_error_alert_exists:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/apis/monitoring.coreos.com/v1/prometheusrules?limit=500#72e9ad360bb6bdf4ad9e43217cd0ec9cb90e7c3b08d4fbe0edf087ad899e05a6' exists." test_ref="oval:ssg-test_file_for_audit_error_alert_exists:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-machine_volume_encrypted:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-audit_log_forwarding_enabled:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Ensure that full disk encryption is configured on cluster nodes</oval-def:title>
+            <oval-def:title>Ensure that Audit Log Forwarding Is Enabled</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>Full disk encryption should be enabled, either through the cloud provider or using FIPS</oval-def:description>
-            <oval-def:reference ref_id="CCE-85858-9" source="CCE"/>
-            <oval-def:reference ref_id="machine_volume_encrypted" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/apis/logging.openshift.io/v1/namespaces/openshift-logging/clusterlogforwarders/instance' at path 'spec.pipelines[:].inputRefs[:]' at least one: value equals 'audit'</oval-def:description>
+            <oval-def:reference ref_id="CCE-84076-9" source="CCE"/>
+            <oval-def:reference ref_id="audit_log_forwarding_enabled" source="ssg"/>
           </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:extend_definition comment="Azure disk encryption enabled" definition_ref="oval:ssg-azure_disk_encryption_enabled:def:1"/>
-            <oval-def:extend_definition comment="GCP disk encryption enabled" definition_ref="oval:ssg-gcp_disk_encryption_enabled:def:1"/>
-            <oval-def:extend_definition comment="ebs encryption enabled" definition_ref="oval:ssg-ebs_encryption_enabled_on_machinesets:def:1"/>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="fips mode enabled" definition_ref="oval:ssg-fips_mode_enabled_on_all_nodes:def:1"/>
-              <oval-def:extend_definition comment="luks encryption enabled" definition_ref="oval:ssg-luks_enabled_on_all_nodes:def:1"/>
-            </oval-def:criteria>
+          <oval-def:criteria>
+            <oval-def:criterion comment="In the YAML/JSON file '/apis/logging.openshift.io/v1/namespaces/openshift-logging/clusterlogforwarders/instance' at path 'spec.pipelines[:].inputRefs[:]' at least one" test_ref="oval:ssg-test_audit_log_forwarding_enabled:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/apis/logging.openshift.io/v1/namespaces/openshift-logging/clusterlogforwarders/instance' exists." test_ref="oval:ssg-test_file_for_audit_log_forwarding_enabled:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kubelet_enable_protect_kernel_sysctl:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-audit_log_forwarding_uses_tls:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>kubelet - Set Up Sysctl to Enable Protect Kernel Defaults</oval-def:title>
+            <oval-def:title>Ensure that Audit Log Forwarding Uses TLS</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>The sysctl parameter needs to be set before enabling kernel protection</oval-def:description>
-            <oval-def:reference ref_id="kubelet_enable_protect_kernel_sysctl" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/apis/logging.openshift.io/v1/namespaces/openshift-logging/clusterlogforwarders/instance#71786452ba18c51ba8ad51472a078619e2e8b52a86cd75087af5aab42400f6c0' at path '[:]' all: value equals '^(https|tls)://.*$'</oval-def:description>
+            <oval-def:reference ref_id="CCE-90688-3" source="CCE"/>
+            <oval-def:reference ref_id="audit_log_forwarding_uses_tls" source="ssg"/>
           </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="sysctl file exist" definition_ref="oval:ssg-kubelet_enable_protect_kernel_sysctl_file_exist:def:1"/>
-            <oval-def:extend_definition comment="sysctl kernel_panic" definition_ref="oval:ssg-kubelet_enable_protect_kernel_sysctl_kernel_panic:def:1"/>
-            <oval-def:extend_definition comment="sysctl kernel_panic_on_oops" definition_ref="oval:ssg-kubelet_enable_protect_kernel_sysctl_kernel_panic_on_oops:def:1"/>
-            <oval-def:extend_definition comment="sysctl kernel_keys_root_maxbytes" definition_ref="oval:ssg-kubelet_enable_protect_kernel_sysctl_kernel_keys_root_maxbytes:def:1"/>
-            <oval-def:extend_definition comment="sysctl kernel_keys_root_maxkeys" definition_ref="oval:ssg-kubelet_enable_protect_kernel_sysctl_kernel_keys_root_maxkeys:def:1"/>
-            <oval-def:extend_definition comment="sysctl vm_overcommit_memory" definition_ref="oval:ssg-kubelet_enable_protect_kernel_sysctl_vm_overcommit_memory:def:1"/>
-            <oval-def:extend_definition comment="sysctl vm_panic_on_oom" definition_ref="oval:ssg-kubelet_enable_protect_kernel_sysctl_vm_panic_on_oom:def:1"/>
+          <oval-def:criteria>
+            <oval-def:criterion comment="In the YAML/JSON file '/apis/logging.openshift.io/v1/namespaces/openshift-logging/clusterlogforwarders/instance#71786452ba18c51ba8ad51472a078619e2e8b52a86cd75087af5aab42400f6c0' at path '[:]' all" test_ref="oval:ssg-test_audit_log_forwarding_uses_tls:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/apis/logging.openshift.io/v1/namespaces/openshift-logging/clusterlogforwarders/instance#71786452ba18c51ba8ad51472a078619e2e8b52a86cd75087af5aab42400f6c0' exists." test_ref="oval:ssg-test_file_for_audit_log_forwarding_uses_tls:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-directory_access_var_log_kube_audit:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-audit_profile_set:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Record Access Events to Kubernetes Audit Log Directory</oval-def:title>
+            <oval-def:title>Ensure that the cluster's audit profile is properly set</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>Audit rules about the read events to /var/log/kube-apiserver</oval-def:description>
-            <oval-def:reference ref_id="CCE-83640-3" source="CCE"/>
-            <oval-def:reference ref_id="directory_access_var_log_kube_audit" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/apis/config.openshift.io/v1/apiservers/cluster' at path 'spec.audit.profile' all: </oval-def:description>
+            <oval-def:reference ref_id="CCE-83577-7" source="CCE"/>
+            <oval-def:reference ref_id="audit_profile_set" source="ssg"/>
           </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit rule to record read access events to /var/log/kube-apiserver" test_ref="oval:ssg-test_directory_acccess_var_log_kube_audit_augenrules:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit rule to record read access events to /var/log/kube-apiserver" test_ref="oval:ssg-test_directory_acccess_var_log_kube_audit_auditctl:tst:1"/>
-            </oval-def:criteria>
+          <oval-def:criteria>
+            <oval-def:criterion comment="In the YAML/JSON file '/apis/config.openshift.io/v1/apiservers/cluster' at path 'spec.audit.profile' all" test_ref="oval:ssg-test_audit_profile_set:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/apis/config.openshift.io/v1/apiservers/cluster' exists." test_ref="oval:ssg-test_file_for_audit_profile_set:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-directory_access_var_log_oauth_audit:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-azure_disk_encryption_enabled:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Record Access Events to OAuth Audit Log Directory</oval-def:title>
+            <oval-def:title>Ensure that the MachineSets provisioned by Azure have disk encryption enabled</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>Audit rules about the read events to /var/log/oauth-apiserver</oval-def:description>
-            <oval-def:reference ref_id="CCE-90631-3" source="CCE"/>
-            <oval-def:reference ref_id="directory_access_var_log_oauth_audit" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/apis/machine.openshift.io/v1beta1/machinesets?limit=500#b9dfb8d8585cff7f72cd7403be3b5790ff7716fbe23facf6e251712ade7d60c1' at path '[:]' all: value equals '^.+$'</oval-def:description>
+            <oval-def:reference ref_id="CCE-90322-9" source="CCE"/>
+            <oval-def:reference ref_id="azure_disk_encryption_enabled" source="ssg"/>
           </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit rule to record read access events to /var/log/oauth-apiserver" test_ref="oval:ssg-test_directory_acccess_var_log_oauth_audit_augenrules:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit rule to record read access events to /var/log/oauth-apiserver" test_ref="oval:ssg-test_directory_acccess_var_log_oauth_audit_auditctl:tst:1"/>
-            </oval-def:criteria>
+          <oval-def:criteria>
+            <oval-def:criterion comment="In the YAML/JSON file '/apis/machine.openshift.io/v1beta1/machinesets?limit=500#b9dfb8d8585cff7f72cd7403be3b5790ff7716fbe23facf6e251712ade7d60c1' at path '[:]' all" test_ref="oval:ssg-test_azure_disk_encryption_enabled:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/apis/machine.openshift.io/v1beta1/machinesets?limit=500#b9dfb8d8585cff7f72cd7403be3b5790ff7716fbe23facf6e251712ade7d60c1' exists." test_ref="oval:ssg-test_file_for_azure_disk_encryption_enabled:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-directory_access_var_log_ocp_audit:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-classification_banner:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Record Access Events to OpenShift Audit Log Directory</oval-def:title>
+            <oval-def:title>Enable Classification Banner on OpenShift Console</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>Audit rules about the read events to /var/log/openshift-apiserver</oval-def:description>
-            <oval-def:reference ref_id="CCE-90632-1" source="CCE"/>
-            <oval-def:reference ref_id="directory_access_var_log_ocp_audit" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/apis/console.openshift.io/v1/consolenotifications/classification-banner' at path '.spec.text' at least one: value equals '.*'</oval-def:description>
+            <oval-def:reference ref_id="CCE-84197-3" source="CCE"/>
+            <oval-def:reference ref_id="classification_banner" source="ssg"/>
           </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit rule to record read access events to /var/log/openshift-apiserver" test_ref="oval:ssg-test_directory_acccess_var_log_ocp_audit_augenrules:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit rule to record read access events to /var/log/openshift-apiserver" test_ref="oval:ssg-test_directory_acccess_var_log_ocp_audit_auditctl:tst:1"/>
-            </oval-def:criteria>
+          <oval-def:criteria>
+            <oval-def:criterion comment="In the YAML/JSON file '/apis/console.openshift.io/v1/consolenotifications/classification-banner' at path '.spec.text' at least one" test_ref="oval:ssg-test_classification_banner:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/apis/console.openshift.io/v1/consolenotifications/classification-banner' exists." test_ref="oval:ssg-test_file_for_classification_banner:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_ovs_conf_db:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-cluster_logging_operator_exist:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify Group Who Owns The Open vSwitch Configuration Database</oval-def:title>
+            <oval-def:title>Ensure that OpenShift Logging Operator is scanning the cluster</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>One of the permission checks must pass</oval-def:description>
-            <oval-def:reference ref_id="CCE-88281-1" source="CCE"/>
-            <oval-def:reference ref_id="file_groupowner_ovs_conf_db" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/apis/logging.openshift.io/v1/namespaces/openshift-logging/clusterloggings/instance' at path 'metadata.name' at least one: value equals '.*'</oval-def:description>
+            <oval-def:reference ref_id="CCE-85918-1" source="CCE"/>
+            <oval-def:reference ref_id="cluster_logging_operator_exist" source="ssg"/>
           </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:extend_definition comment="ovs conf db outside s390x" definition_ref="oval:ssg-file_groupowner_ovs_conf_db_not_s390x:def:1"/>
-            <oval-def:extend_definition comment="ovs conf db on s390x" definition_ref="oval:ssg-file_groupowner_ovs_conf_db_s390x:def:1"/>
+          <oval-def:criteria>
+            <oval-def:criterion comment="In the YAML/JSON file '/apis/logging.openshift.io/v1/namespaces/openshift-logging/clusterloggings/instance' at path 'metadata.name' at least one" test_ref="oval:ssg-test_cluster_logging_operator_exist:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/apis/logging.openshift.io/v1/namespaces/openshift-logging/clusterloggings/instance' exists." test_ref="oval:ssg-test_file_for_cluster_logging_operator_exist:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_ovs_conf_db_lock:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-cluster_version_operator_exists:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify Group Who Owns The Open vSwitch Configuration Database Lock</oval-def:title>
+            <oval-def:title>Ensure that Cluster Version Operator is deployed</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>One of the permission checks must pass</oval-def:description>
-            <oval-def:reference ref_id="CCE-90793-1" source="CCE"/>
-            <oval-def:reference ref_id="file_groupowner_ovs_conf_db_lock" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/apis/config.openshift.io/v1/clusterversions/version#588c29ac9d4c67b1444308c5ba310271832895fee54701f7d0cb6cbced390443' at path '[:]' all: value equals 'True'</oval-def:description>
+            <oval-def:reference ref_id="CCE-90670-1" source="CCE"/>
+            <oval-def:reference ref_id="cluster_version_operator_exists" source="ssg"/>
           </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:extend_definition comment="ovs conf db lock outside s390x" definition_ref="oval:ssg-file_groupowner_ovs_conf_db_lock_not_s390x:def:1"/>
-            <oval-def:extend_definition comment="ovs conf db lock on s390x" definition_ref="oval:ssg-file_groupowner_ovs_conf_db_lock_s390x:def:1"/>
+          <oval-def:criteria>
+            <oval-def:criterion comment="In the YAML/JSON file '/apis/config.openshift.io/v1/clusterversions/version#588c29ac9d4c67b1444308c5ba310271832895fee54701f7d0cb6cbced390443' at path '[:]' all" test_ref="oval:ssg-test_cluster_version_operator_exists:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/apis/config.openshift.io/v1/clusterversions/version#588c29ac9d4c67b1444308c5ba310271832895fee54701f7d0cb6cbced390443' exists." test_ref="oval:ssg-test_file_for_cluster_version_operator_exists:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_ovs_pid:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-cluster_version_operator_verify_integrity:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify Group Who Owns The Open vSwitch Process ID File</oval-def:title>
+            <oval-def:title>Ensure that Cluster Version Operator verifies integrity</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that /run/openvswitch/ovs-vswitchd.pid is group owned by 800 or 801.</oval-def:description>
-            <oval-def:reference ref_id="CCE-83630-4" source="CCE"/>
-            <oval-def:reference ref_id="file_groupowner_ovs_pid" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/apis/config.openshift.io/v1/clusterversions/version#69adcfd65c8b8d723e4a7118c170f634cebbb349e9b554dd15001e6551a586f8' at path '[:]' all: value equals 'true'</oval-def:description>
+            <oval-def:reference ref_id="CCE-90671-9" source="CCE"/>
+            <oval-def:reference ref_id="cluster_version_operator_verify_integrity" source="ssg"/>
           </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criterion comment="Check file group ownership of /run/openvswitch/ovs-vswitchd.pid belongs to group 800" test_ref="oval:ssg-test_file_groupowner_run_ovs_vswitchd_pid_800:tst:1"/>
-            <oval-def:criterion comment="Check file group ownership of /run/openvswitch/ovs-vswitchd.pid belongs to group 801" test_ref="oval:ssg-test_file_groupowner_run_ovs_vswitchd_pid_801:tst:1"/>
+          <oval-def:criteria>
+            <oval-def:criterion comment="In the YAML/JSON file '/apis/config.openshift.io/v1/clusterversions/version#69adcfd65c8b8d723e4a7118c170f634cebbb349e9b554dd15001e6551a586f8' at path '[:]' all" test_ref="oval:ssg-test_cluster_version_operator_verify_integrity:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/apis/config.openshift.io/v1/clusterversions/version#69adcfd65c8b8d723e4a7118c170f634cebbb349e9b554dd15001e6551a586f8' exists." test_ref="oval:ssg-test_file_for_cluster_version_operator_verify_integrity:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_ovs_sys_id_conf:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-cluster_wide_proxy_set:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify Group Who Owns The Open vSwitch Persistent System ID</oval-def:title>
+            <oval-def:title>Ensure that cluster-wide proxy is set</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>One of the permission checks must pass</oval-def:description>
-            <oval-def:reference ref_id="CCE-85892-8" source="CCE"/>
-            <oval-def:reference ref_id="file_groupowner_ovs_sys_id_conf" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/apis/config.openshift.io/v1/proxies/cluster' at path '.spec.httpsProxy' all: value equals '.+'</oval-def:description>
+            <oval-def:reference ref_id="CCE-90765-9" source="CCE"/>
+            <oval-def:reference ref_id="cluster_wide_proxy_set" source="ssg"/>
           </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:extend_definition comment="ovs conf db outside s390x" definition_ref="oval:ssg-file_groupowner_ovs_sys_id_conf_not_s390x:def:1"/>
-            <oval-def:extend_definition comment="ovs conf db on s390x" definition_ref="oval:ssg-file_groupowner_ovs_sys_id_conf_s390x:def:1"/>
+          <oval-def:criteria>
+            <oval-def:criterion comment="In the YAML/JSON file '/apis/config.openshift.io/v1/proxies/cluster' at path '.spec.httpsProxy' all" test_ref="oval:ssg-test_cluster_wide_proxy_set:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/apis/config.openshift.io/v1/proxies/cluster' exists." test_ref="oval:ssg-test_file_for_cluster_wide_proxy_set:tst:1"/>
+            <oval-def:criterion comment="Make sure that all target elements exists for elements at path '.metadata.name'" test_ref="oval:ssg-test_elements_count_for_cluster_wide_proxy_set:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_ovs_vswitchd_pid:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-compliance_notification_enabled:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify Group Who Owns The Open vSwitch Daemon PID File</oval-def:title>
+            <oval-def:title>Ensure the notification is enabled for Compliance Operator</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that /var/run/openvswitch/ovs-vswitchd.pid is group owned by 800 or 801.</oval-def:description>
-            <oval-def:reference ref_id="CCE-84129-6" source="CCE"/>
-            <oval-def:reference ref_id="file_groupowner_ovs_vswitchd_pid" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/apis/monitoring.coreos.com/v1/prometheusrules?limit=500#235ac8b4e63854fbdc11eefc4f8fcf6a20f55f7991b08618e698f2ead111925a' at path '[:]' at least one: value equals '.*'</oval-def:description>
+            <oval-def:reference ref_id="CCE-86032-0" source="CCE"/>
+            <oval-def:reference ref_id="compliance_notification_enabled" source="ssg"/>
           </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criterion comment="Check file group ownership of /var/run/openvswitch/ovs-vswitchd.pid belongs to group 800" test_ref="oval:ssg-test_file_groupowner_var_run_ovs_vswitchd_pid_800:tst:1"/>
-            <oval-def:criterion comment="Check file group ownership of /var/run/openvswitch/ovs-vswitchd.pid belongs to group 801" test_ref="oval:ssg-test_file_groupowner_var_run_ovs_vswitchd_pid_801:tst:1"/>
+          <oval-def:criteria>
+            <oval-def:criterion comment="In the YAML/JSON file '/apis/monitoring.coreos.com/v1/prometheusrules?limit=500#235ac8b4e63854fbdc11eefc4f8fcf6a20f55f7991b08618e698f2ead111925a' at path '[:]' at least one" test_ref="oval:ssg-test_compliance_notification_enabled:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/apis/monitoring.coreos.com/v1/prometheusrules?limit=500#235ac8b4e63854fbdc11eefc4f8fcf6a20f55f7991b08618e698f2ead111925a' exists." test_ref="oval:ssg-test_file_for_compliance_notification_enabled:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_ovsdb_server_pid:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-compliancesuite_exists:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify Group Who Owns The Open vSwitch Database Server PID</oval-def:title>
+            <oval-def:title>Ensure that Compliance Operator is scanning the cluster</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that /run/openvswitch/ovsdb-server.pid is group owned by 800 or 801.</oval-def:description>
-            <oval-def:reference ref_id="CCE-84166-8" source="CCE"/>
-            <oval-def:reference ref_id="file_groupowner_ovsdb_server_pid" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/apis/compliance.openshift.io/v1alpha1/compliancesuites?limit=5' at path '.items[:].metadata.name' at least one: value equals '.*'</oval-def:description>
+            <oval-def:reference ref_id="CCE-83697-3" source="CCE"/>
+            <oval-def:reference ref_id="compliancesuite_exists" source="ssg"/>
           </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criterion comment="Check file group ownership of /run/openvswitch/ovsdb-server.pid belongs to group 800" test_ref="oval:ssg-test_file_groupowner_ovsdb_server_pid_800:tst:1"/>
-            <oval-def:criterion comment="Check file group ownership of /run/openvswitch/ovsdb-server.pid belongs to group 801" test_ref="oval:ssg-test_file_groupowner_ovsdb_server_pid_801:tst:1"/>
+          <oval-def:criteria>
+            <oval-def:criterion comment="In the YAML/JSON file '/apis/compliance.openshift.io/v1alpha1/compliancesuites?limit=5' at path '.items[:].metadata.name' at least one" test_ref="oval:ssg-test_compliancesuite_exists:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/apis/compliance.openshift.io/v1alpha1/compliancesuites?limit=5' exists." test_ref="oval:ssg-test_file_for_compliancesuite_exists:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-configure_network_policies_namespaces:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-configure_network_policies:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Ensure that application Namespaces have Network Policies defined.</oval-def:title>
+            <oval-def:title>Ensure that the CNI in use supports Network Policies</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>Ensure that application Namespaces have Network Policies defined</oval-def:description>
-            <oval-def:reference ref_id="configure_network_policies_namespaces" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/apis/operator.openshift.io/v1/networks/cluster#35e33d6dc1252a03495b35bd1751cac70041a511fa4d282c300a8b83b83e3498' at path '[:]' all: value equals 'OpenShiftSDN|OVN|Calico'</oval-def:description>
+            <oval-def:reference ref_id="configure_network_policies" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Make sure that the file '/apis/networking.k8s.io/v1/networkpolicies#51742b3e87275db9eb7fc6c0286a9e536178a2a83e3670b615ceaf545e7fd300 exists." test_ref="oval:ssg-test_file_for_configure_network_policies_namespaces:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces#34d4beecc95c65d815d9d48fd4fdcb0c521631852ad088ef74e36d012b0e1e0d' exists." test_ref="oval:ssg-test_file_for_configure_network_policies_filtered_namespaces:tst:1"/>
-            <oval-def:criterion comment="Make sure that all target elements exists for elements at path '.items[:].spec.host'" test_ref="oval:ssg-test_elements_count_for_configure_network_policies_namespaces:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/apis/operator.openshift.io/v1/networks/cluster#35e33d6dc1252a03495b35bd1751cac70041a511fa4d282c300a8b83b83e3498' at path '[:]' all" test_ref="oval:ssg-test_configure_network_policies:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/apis/operator.openshift.io/v1/networks/cluster#35e33d6dc1252a03495b35bd1751cac70041a511fa4d282c300a8b83b83e3498' exists." test_ref="oval:ssg-test_file_for_configure_network_policies:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-api_server_admission_control_plugin_AlwaysAdmit:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-controller_insecure_port_disabled:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Disable the AlwaysAdmit Admission Control Plugin</oval-def:title>
+            <oval-def:title>Ensure Controller insecure port argument is unset</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#ffe65d9fac11909686e59349c6a0111aaf57caa26bd2db3e7dcb1a0a22899145' at path '.apiServerArguments["enable-admission-plugins"][:]' all: value equals '^AlwaysAdmit$'</oval-def:description>
-            <oval-def:reference ref_id="CCE-84148-6" source="CCE"/>
-            <oval-def:reference ref_id="api_server_admission_control_plugin_AlwaysAdmit" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config#9f09cca56dc1e9f9605eb5a94aed74de554fd209513a9222e4fe9c0ed669aeee' at path '[:]' all: value equals 'true'</oval-def:description>
+            <oval-def:reference ref_id="CCE-83578-5" source="CCE"/>
+            <oval-def:reference ref_id="controller_insecure_port_disabled" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#ffe65d9fac11909686e59349c6a0111aaf57caa26bd2db3e7dcb1a0a22899145' at path '.apiServerArguments[&quot;enable-admission-plugins&quot;][:]' all" test_ref="oval:ssg-test_api_server_admission_control_plugin_AlwaysAdmit:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#ffe65d9fac11909686e59349c6a0111aaf57caa26bd2db3e7dcb1a0a22899145' exists." test_ref="oval:ssg-test_file_for_api_server_admission_control_plugin_AlwaysAdmit:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config#9f09cca56dc1e9f9605eb5a94aed74de554fd209513a9222e4fe9c0ed669aeee' at path '[:]' all" test_ref="oval:ssg-test_controller_insecure_port_disabled:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config#9f09cca56dc1e9f9605eb5a94aed74de554fd209513a9222e4fe9c0ed669aeee' exists." test_ref="oval:ssg-test_file_for_controller_insecure_port_disabled:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-api_server_admission_control_plugin_AlwaysPullImages:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-controller_rotate_kubelet_server_certs:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Ensure that the Admission Control Plugin AlwaysPullImages is not set</oval-def:title>
+            <oval-def:title>Ensure that the RotateKubeletServerCertificate argument is set</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#ffe65d9fac11909686e59349c6a0111aaf57caa26bd2db3e7dcb1a0a22899145' at path '.apiServerArguments["enable-admission-plugins"][:]' all: value equals '^AlwaysPullImages$'</oval-def:description>
-            <oval-def:reference ref_id="api_server_admission_control_plugin_AlwaysPullImages" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config#4cbbbf49b93400715e43dc698f6484799805c502ad3aeb8285de579753b54d31' at path '[:]' at least one: value equals 'RotateKubeletServerCertificate=true'</oval-def:description>
+            <oval-def:reference ref_id="CCE-83730-2" source="CCE"/>
+            <oval-def:reference ref_id="controller_rotate_kubelet_server_certs" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#ffe65d9fac11909686e59349c6a0111aaf57caa26bd2db3e7dcb1a0a22899145' at path '.apiServerArguments[&quot;enable-admission-plugins&quot;][:]' all" test_ref="oval:ssg-test_api_server_admission_control_plugin_AlwaysPullImages:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#ffe65d9fac11909686e59349c6a0111aaf57caa26bd2db3e7dcb1a0a22899145' exists." test_ref="oval:ssg-test_file_for_api_server_admission_control_plugin_AlwaysPullImages:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config#4cbbbf49b93400715e43dc698f6484799805c502ad3aeb8285de579753b54d31' at path '[:]' at least one" test_ref="oval:ssg-test_controller_rotate_kubelet_server_certs:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config#4cbbbf49b93400715e43dc698f6484799805c502ad3aeb8285de579753b54d31' exists." test_ref="oval:ssg-test_file_for_controller_rotate_kubelet_server_certs:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-api_server_admission_control_plugin_NamespaceLifecycle:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-controller_secure_port:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Enable the NamespaceLifecycle Admission Control Plugin</oval-def:title>
+            <oval-def:title>Ensure Controller secure-port argument is set</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments["enable-admission-plugins"][:]' at least one: value equals '^NamespaceLifecycle$'</oval-def:description>
-            <oval-def:reference ref_id="CCE-83854-0" source="CCE"/>
-            <oval-def:reference ref_id="api_server_admission_control_plugin_NamespaceLifecycle" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config#8241ce1009dc5dd166436d0311b60b96aa3a2f591ba43a26e2b9d0bfc9071414' at path '[:]' at least one: value equals 'true'</oval-def:description>
+            <oval-def:reference ref_id="CCE-83861-5" source="CCE"/>
+            <oval-def:reference ref_id="controller_secure_port" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments[&quot;enable-admission-plugins&quot;][:]' at least one" test_ref="oval:ssg-test_api_server_admission_control_plugin_NamespaceLifecycle:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' exists." test_ref="oval:ssg-test_file_for_api_server_admission_control_plugin_NamespaceLifecycle:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config#8241ce1009dc5dd166436d0311b60b96aa3a2f591ba43a26e2b9d0bfc9071414' at path '[:]' at least one" test_ref="oval:ssg-test_controller_secure_port:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config#8241ce1009dc5dd166436d0311b60b96aa3a2f591ba43a26e2b9d0bfc9071414' exists." test_ref="oval:ssg-test_file_for_controller_secure_port:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-api_server_admission_control_plugin_NodeRestriction:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-controller_service_account_ca:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Enable the NodeRestriction Admission Control Plugin</oval-def:title>
+            <oval-def:title>Configure the Service Account Certificate Authority Key for the Controller Manager</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments["enable-admission-plugins"][:]' at least one: value equals '^NodeRestriction$'</oval-def:description>
-            <oval-def:reference ref_id="CCE-83753-4" source="CCE"/>
-            <oval-def:reference ref_id="api_server_admission_control_plugin_NodeRestriction" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config#e27218fb5fb7cd68a9911eb2db6bf715ca959f639e56cb60f90be782ddd7fcf8' at path '[:]' at least one: value equals 'true'</oval-def:description>
+            <oval-def:reference ref_id="CCE-84244-3" source="CCE"/>
+            <oval-def:reference ref_id="controller_service_account_ca" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments[&quot;enable-admission-plugins&quot;][:]' at least one" test_ref="oval:ssg-test_api_server_admission_control_plugin_NodeRestriction:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' exists." test_ref="oval:ssg-test_file_for_api_server_admission_control_plugin_NodeRestriction:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config#e27218fb5fb7cd68a9911eb2db6bf715ca959f639e56cb60f90be782ddd7fcf8' at path '[:]' at least one" test_ref="oval:ssg-test_controller_service_account_ca:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config#e27218fb5fb7cd68a9911eb2db6bf715ca959f639e56cb60f90be782ddd7fcf8' exists." test_ref="oval:ssg-test_file_for_controller_service_account_ca:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-api_server_admission_control_plugin_Scc:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-controller_service_account_private_key:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Enable the SecurityContextConstraint Admission Control Plugin</oval-def:title>
+            <oval-def:title>Configure the Service Account Private Key for the Controller Manager</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments["enable-admission-plugins"][:]' at least one: value equals '^security.openshift.io/SecurityContextConstraint$'</oval-def:description>
-            <oval-def:reference ref_id="CCE-83602-3" source="CCE"/>
-            <oval-def:reference ref_id="api_server_admission_control_plugin_Scc" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config#407a17f0f401ae8c92955bc382bc80ee34a9afd51ab787e405bf524d03ebf3c8' at path '[:]' at least one: value equals 'true'</oval-def:description>
+            <oval-def:reference ref_id="CCE-83526-4" source="CCE"/>
+            <oval-def:reference ref_id="controller_service_account_private_key" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments[&quot;enable-admission-plugins&quot;][:]' at least one" test_ref="oval:ssg-test_api_server_admission_control_plugin_Scc:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' exists." test_ref="oval:ssg-test_file_for_api_server_admission_control_plugin_Scc:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config#407a17f0f401ae8c92955bc382bc80ee34a9afd51ab787e405bf524d03ebf3c8' at path '[:]' at least one" test_ref="oval:ssg-test_controller_service_account_private_key:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config#407a17f0f401ae8c92955bc382bc80ee34a9afd51ab787e405bf524d03ebf3c8' exists." test_ref="oval:ssg-test_file_for_controller_service_account_private_key:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-api_server_admission_control_plugin_SecurityContextDeny:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-controller_use_service_account:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used</oval-def:title>
+            <oval-def:title>Ensure that use-service-account-credentials is enabled</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#ffe65d9fac11909686e59349c6a0111aaf57caa26bd2db3e7dcb1a0a22899145' at path '.apiServerArguments["enable-admission-plugins"][:]' all: value equals '^SecurityContextDeny$'</oval-def:description>
-            <oval-def:reference ref_id="CCE-83586-8" source="CCE"/>
-            <oval-def:reference ref_id="api_server_admission_control_plugin_SecurityContextDeny" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config#be4ff4c2d3e706eb3b2f17921e5163bca81082bd313ff067ef625af9e6cb61ff' at path '[:]' at least one: value equals 'true'</oval-def:description>
+            <oval-def:reference ref_id="CCE-84208-8" source="CCE"/>
+            <oval-def:reference ref_id="controller_use_service_account" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#ffe65d9fac11909686e59349c6a0111aaf57caa26bd2db3e7dcb1a0a22899145' at path '.apiServerArguments[&quot;enable-admission-plugins&quot;][:]' all" test_ref="oval:ssg-test_api_server_admission_control_plugin_SecurityContextDeny:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#ffe65d9fac11909686e59349c6a0111aaf57caa26bd2db3e7dcb1a0a22899145' exists." test_ref="oval:ssg-test_file_for_api_server_admission_control_plugin_SecurityContextDeny:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config#be4ff4c2d3e706eb3b2f17921e5163bca81082bd313ff067ef625af9e6cb61ff' at path '[:]' at least one" test_ref="oval:ssg-test_controller_use_service_account:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config#be4ff4c2d3e706eb3b2f17921e5163bca81082bd313ff067ef625af9e6cb61ff' exists." test_ref="oval:ssg-test_file_for_controller_use_service_account:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-api_server_admission_control_plugin_ServiceAccount:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-default_ingress_ca_replaced:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Enable the ServiceAccount Admission Control Plugin</oval-def:title>
+            <oval-def:title>Ensure that the default Ingress CA (wildcard issuer) has been replaced</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments["enable-admission-plugins"][:]' at least one: value equals '^ServiceAccount$'</oval-def:description>
-            <oval-def:reference ref_id="CCE-83791-4" source="CCE"/>
-            <oval-def:reference ref_id="api_server_admission_control_plugin_ServiceAccount" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/apis/config.openshift.io/v1/proxies/cluster' at path '.spec.trustedCA.name' all: value equals '.+'</oval-def:description>
+            <oval-def:reference ref_id="default_ingress_ca_replaced" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments[&quot;enable-admission-plugins&quot;][:]' at least one" test_ref="oval:ssg-test_api_server_admission_control_plugin_ServiceAccount:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' exists." test_ref="oval:ssg-test_file_for_api_server_admission_control_plugin_ServiceAccount:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/apis/config.openshift.io/v1/proxies/cluster' at path '.spec.trustedCA.name' all" test_ref="oval:ssg-test_default_ingress_ca_replaced:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/apis/config.openshift.io/v1/proxies/cluster' exists." test_ref="oval:ssg-test_file_for_default_ingress_ca_replaced:tst:1"/>
+            <oval-def:criterion comment="Make sure that all target elements exists for elements at path '.metadata.name'" test_ref="oval:ssg-test_elements_count_for_default_ingress_ca_replaced:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-api_server_anonymous_auth:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-directory_permissions_var_log_kube_audit:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Ensure that anonymous requests to the API Server are authorized</oval-def:title>
+            <oval-def:title>The Kubernetes Audit Logs Directory Must Have Mode 0700</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/apis/rbac.authorization.k8s.io/v1/clusterrolebindings' at path '.items[:]['subjects'][:].name' at least one: value equals 'system:unauthenticated'</oval-def:description>
-            <oval-def:reference ref_id="api_server_anonymous_auth" source="ssg"/>
+            <oval-def:description>This test makes sure that /var/log/kube-apiserver/ has mode 0700.
+      If the target file or directory has an extended ACL, then it will fail the mode check.
+      </oval-def:description>
+            <oval-def:reference ref_id="CCE-83645-2" source="CCE"/>
+            <oval-def:reference ref_id="directory_permissions_var_log_kube_audit" source="ssg"/>
+          </oval-def:metadata>
+          <oval-def:criteria>
+            <oval-def:criterion comment="Check file mode of /var/log/kube-apiserver/" test_ref="oval:ssg-test_file_permissionsdirectory_permissions_var_log_kube_audit_0:tst:1"/>
+          </oval-def:criteria>
+        </oval-def:definition>
+        <oval-def:definition class="compliance" id="oval:ssg-directory_permissions_var_log_oauth_audit:def:1" version="1">
+          <oval-def:metadata>
+            <oval-def:title>The OAuth Audit Logs Directory Must Have Mode 0700</oval-def:title>
+            <oval-def:affected family="unix">
+              <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
+            </oval-def:affected>
+            <oval-def:description>This test makes sure that /var/log/oauth-apiserver/ has mode 0700.
+      If the target file or directory has an extended ACL, then it will fail the mode check.
+      </oval-def:description>
+            <oval-def:reference ref_id="CCE-90633-9" source="CCE"/>
+            <oval-def:reference ref_id="directory_permissions_var_log_oauth_audit" source="ssg"/>
+          </oval-def:metadata>
+          <oval-def:criteria>
+            <oval-def:criterion comment="Check file mode of /var/log/oauth-apiserver/" test_ref="oval:ssg-test_file_permissionsdirectory_permissions_var_log_oauth_audit_0:tst:1"/>
+          </oval-def:criteria>
+        </oval-def:definition>
+        <oval-def:definition class="compliance" id="oval:ssg-directory_permissions_var_log_ocp_audit:def:1" version="1">
+          <oval-def:metadata>
+            <oval-def:title>The OpenShift Audit Logs Directory Must Have Mode 0700</oval-def:title>
+            <oval-def:affected family="unix">
+              <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
+            </oval-def:affected>
+            <oval-def:description>This test makes sure that /var/log/openshift-apiserver/ has mode 0700.
+      If the target file or directory has an extended ACL, then it will fail the mode check.
+      </oval-def:description>
+            <oval-def:reference ref_id="CCE-90634-7" source="CCE"/>
+            <oval-def:reference ref_id="directory_permissions_var_log_ocp_audit" source="ssg"/>
+          </oval-def:metadata>
+          <oval-def:criteria>
+            <oval-def:criterion comment="Check file mode of /var/log/openshift-apiserver/" test_ref="oval:ssg-test_file_permissionsdirectory_permissions_var_log_ocp_audit_0:tst:1"/>
+          </oval-def:criteria>
+        </oval-def:definition>
+        <oval-def:definition class="compliance" id="oval:ssg-ebs_encryption_enabled_on_machinesets:def:1" version="1">
+          <oval-def:metadata>
+            <oval-def:title>Ensure that EBS volumes use by cluster nodes are encrypted</oval-def:title>
+            <oval-def:affected family="unix">
+              <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
+            </oval-def:affected>
+            <oval-def:description>In the YAML/JSON file '/apis/machine.openshift.io/v1beta1/machinesets?limit=500#06ea2adfb5429a7351e7bd78b7ec378225e0d3256c4c9e4e3b2ce59900959267' at path '[:]' all: value equals 'true'</oval-def:description>
+            <oval-def:reference ref_id="CCE-85859-7" source="CCE"/>
+            <oval-def:reference ref_id="ebs_encryption_enabled_on_machinesets" source="ssg"/>
+          </oval-def:metadata>
+          <oval-def:criteria>
+            <oval-def:criterion comment="In the YAML/JSON file '/apis/machine.openshift.io/v1beta1/machinesets?limit=500#06ea2adfb5429a7351e7bd78b7ec378225e0d3256c4c9e4e3b2ce59900959267' at path '[:]' all" test_ref="oval:ssg-test_ebs_encryption_enabled_on_machinesets:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/apis/machine.openshift.io/v1beta1/machinesets?limit=500#06ea2adfb5429a7351e7bd78b7ec378225e0d3256c4c9e4e3b2ce59900959267' exists." test_ref="oval:ssg-test_file_for_ebs_encryption_enabled_on_machinesets:tst:1"/>
+          </oval-def:criteria>
+        </oval-def:definition>
+        <oval-def:definition class="compliance" id="oval:ssg-etcd_auto_tls:def:1" version="1">
+          <oval-def:metadata>
+            <oval-def:title>Disable etcd Self-Signed Certificates</oval-def:title>
+            <oval-def:affected family="unix">
+              <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
+            </oval-def:affected>
+            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod#72b7530e9fb0f39686f598b00d791485841e98be902ba16431a5629726dd7027' at path '[:]' none satisfy: value equals '.*auto-tls[= ]true.*'</oval-def:description>
+            <oval-def:reference ref_id="CCE-84199-9" source="CCE"/>
+            <oval-def:reference ref_id="etcd_auto_tls" source="ssg"/>
+          </oval-def:metadata>
+          <oval-def:criteria>
+            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod#72b7530e9fb0f39686f598b00d791485841e98be902ba16431a5629726dd7027' at path '[:]' none satisfy" test_ref="oval:ssg-test_etcd_auto_tls:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod#72b7530e9fb0f39686f598b00d791485841e98be902ba16431a5629726dd7027' exists." test_ref="oval:ssg-test_file_for_etcd_auto_tls:tst:1"/>
+          </oval-def:criteria>
+        </oval-def:definition>
+        <oval-def:definition class="compliance" id="oval:ssg-etcd_cert_file:def:1" version="1">
+          <oval-def:metadata>
+            <oval-def:title>Ensure That The etcd Client Certificate Is Correctly Set</oval-def:title>
+            <oval-def:affected family="unix">
+              <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
+            </oval-def:affected>
+            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod#72b7530e9fb0f39686f598b00d791485841e98be902ba16431a5629726dd7027' at path '[:]' all: value equals '--cert-file='</oval-def:description>
+            <oval-def:reference ref_id="CCE-83553-8" source="CCE"/>
+            <oval-def:reference ref_id="etcd_cert_file" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/apis/rbac.authorization.k8s.io/v1/clusterrolebindings' at path '.items[:]['subjects'][:].name' at least one" test_ref="oval:ssg-test_api_server_anonymous_auth:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/apis/rbac.authorization.k8s.io/v1/clusterrolebindings' exists." test_ref="oval:ssg-test_file_for_api_server_anonymous_auth:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod#72b7530e9fb0f39686f598b00d791485841e98be902ba16431a5629726dd7027' at path '[:]' all" test_ref="oval:ssg-test_etcd_cert_file:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod#72b7530e9fb0f39686f598b00d791485841e98be902ba16431a5629726dd7027' exists." test_ref="oval:ssg-test_file_for_etcd_cert_file:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-api_server_api_priority_gate_enabled:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-etcd_check_cipher_suite:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Enable the APIPriorityAndFairness feature gate</oval-def:title>
+            <oval-def:title>Ensure ETCD has correct cipher suite</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/apis/operator.openshift.io/v1/kubeapiservers/cluster' at path '.spec.observedConfig.apiServerArguments["feature-gates"][:]' all: value equals '^APIPriorityAndFairness=true$'</oval-def:description>
-            <oval-def:reference ref_id="CCE-83656-9" source="CCE"/>
-            <oval-def:reference ref_id="api_server_api_priority_gate_enabled" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod' at path '.data['pod.yaml']' all: value equals 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256'</oval-def:description>
+            <oval-def:reference ref_id="CCE-85866-2" source="CCE"/>
+            <oval-def:reference ref_id="etcd_check_cipher_suite" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/apis/operator.openshift.io/v1/kubeapiservers/cluster' at path '.spec.observedConfig.apiServerArguments[&quot;feature-gates&quot;][:]' all" test_ref="oval:ssg-test_api_server_api_priority_gate_enabled:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/apis/operator.openshift.io/v1/kubeapiservers/cluster' exists." test_ref="oval:ssg-test_file_for_api_server_api_priority_gate_enabled:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod' at path '.data['pod.yaml']' all" test_ref="oval:ssg-test_etcd_check_cipher_suite:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod' exists." test_ref="oval:ssg-test_file_for_etcd_check_cipher_suite:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-api_server_api_priority_v1alpha1_flowschema_catch_all:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-etcd_client_cert_auth:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Ensure catch-all FlowSchema object for API Priority and Fairness Exists (v1alpha1)</oval-def:title>
+            <oval-def:title>Enable The Client Certificate Authentication</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/apis/flowcontrol.apiserver.k8s.io/v1alpha1/flowschemas/catch-all' at path '.spec.rules[0].subjects[:].group["name"]' at least one: value equals 'system:authenticated'</oval-def:description>
-            <oval-def:reference ref_id="CCE-84002-5" source="CCE"/>
-            <oval-def:reference ref_id="api_server_api_priority_v1alpha1_flowschema_catch_all" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod#72b7530e9fb0f39686f598b00d791485841e98be902ba16431a5629726dd7027' at path '[:]' all: value equals '.*--client-cert-auth=true \.*'</oval-def:description>
+            <oval-def:reference ref_id="CCE-84077-7" source="CCE"/>
+            <oval-def:reference ref_id="etcd_client_cert_auth" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/apis/flowcontrol.apiserver.k8s.io/v1alpha1/flowschemas/catch-all' at path '.spec.rules[0].subjects[:].group[&quot;name&quot;]' at least one" test_ref="oval:ssg-test_api_server_api_priority_v1alpha1_flowschema_catch_all:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/apis/flowcontrol.apiserver.k8s.io/v1alpha1/flowschemas/catch-all' exists." test_ref="oval:ssg-test_file_for_api_server_api_priority_v1alpha1_flowschema_catch_all:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod#72b7530e9fb0f39686f598b00d791485841e98be902ba16431a5629726dd7027' at path '[:]' all" test_ref="oval:ssg-test_etcd_client_cert_auth:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod#72b7530e9fb0f39686f598b00d791485841e98be902ba16431a5629726dd7027' exists." test_ref="oval:ssg-test_file_for_etcd_client_cert_auth:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-api_server_api_priority_v1beta1_flowschema_catch_all:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-etcd_key_file:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Ensure catch-all FlowSchema object for API Priority and Fairness Exists</oval-def:title>
+            <oval-def:title>Ensure That The etcd Key File Is Correctly Set</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/apis/flowcontrol.apiserver.k8s.io/v1beta1/flowschemas/catch-all' at path '.spec.rules[0].subjects[:].group["name"]' at least one: value equals 'system:authenticated'</oval-def:description>
-            <oval-def:reference ref_id="CCE-83522-3" source="CCE"/>
-            <oval-def:reference ref_id="api_server_api_priority_v1beta1_flowschema_catch_all" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod#72b7530e9fb0f39686f598b00d791485841e98be902ba16431a5629726dd7027' at path '[:]' all: value equals '--key-file='</oval-def:description>
+            <oval-def:reference ref_id="CCE-83745-0" source="CCE"/>
+            <oval-def:reference ref_id="etcd_key_file" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/apis/flowcontrol.apiserver.k8s.io/v1beta1/flowschemas/catch-all' at path '.spec.rules[0].subjects[:].group[&quot;name&quot;]' at least one" test_ref="oval:ssg-test_api_server_api_priority_v1beta1_flowschema_catch_all:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/apis/flowcontrol.apiserver.k8s.io/v1beta1/flowschemas/catch-all' exists." test_ref="oval:ssg-test_file_for_api_server_api_priority_v1beta1_flowschema_catch_all:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod#72b7530e9fb0f39686f598b00d791485841e98be902ba16431a5629726dd7027' at path '[:]' all" test_ref="oval:ssg-test_etcd_key_file:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod#72b7530e9fb0f39686f598b00d791485841e98be902ba16431a5629726dd7027' exists." test_ref="oval:ssg-test_file_for_etcd_key_file:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-api_server_api_priority_v1beta2_flowschema_catch_all:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-etcd_peer_auto_tls:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Ensure catch-all FlowSchema object for API Priority and Fairness Exists</oval-def:title>
+            <oval-def:title>Disable etcd Peer Self-Signed Certificates</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/apis/flowcontrol.apiserver.k8s.io/v1beta2/flowschemas/catch-all' at path '.spec.rules[0].subjects[:].group["name"]' at least one: value equals 'system:authenticated'</oval-def:description>
-            <oval-def:reference ref_id="CCE-86390-2" source="CCE"/>
-            <oval-def:reference ref_id="api_server_api_priority_v1beta2_flowschema_catch_all" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod#72b7530e9fb0f39686f598b00d791485841e98be902ba16431a5629726dd7027' at path '[:]' none satisfy: value equals '.*peer-auto-tls[= ]true.*'</oval-def:description>
+            <oval-def:reference ref_id="CCE-84184-1" source="CCE"/>
+            <oval-def:reference ref_id="etcd_peer_auto_tls" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/apis/flowcontrol.apiserver.k8s.io/v1beta2/flowschemas/catch-all' at path '.spec.rules[0].subjects[:].group[&quot;name&quot;]' at least one" test_ref="oval:ssg-test_api_server_api_priority_v1beta2_flowschema_catch_all:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/apis/flowcontrol.apiserver.k8s.io/v1beta2/flowschemas/catch-all' exists." test_ref="oval:ssg-test_file_for_api_server_api_priority_v1beta2_flowschema_catch_all:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod#72b7530e9fb0f39686f598b00d791485841e98be902ba16431a5629726dd7027' at path '[:]' none satisfy" test_ref="oval:ssg-test_etcd_peer_auto_tls:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod#72b7530e9fb0f39686f598b00d791485841e98be902ba16431a5629726dd7027' exists." test_ref="oval:ssg-test_file_for_etcd_peer_auto_tls:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-api_server_audit_log_maxbackup:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-etcd_peer_cert_file:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Configure the Kubernetes API Server Maximum Retained Audit Logs</oval-def:title>
+            <oval-def:title>Ensure That The etcd Peer Client Certificate Is Correctly Set</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments["audit-log-maxbackup"][:]' at least one: value equals '10'</oval-def:description>
-            <oval-def:reference ref_id="CCE-83739-3" source="CCE"/>
-            <oval-def:reference ref_id="api_server_audit_log_maxbackup" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod#72b7530e9fb0f39686f598b00d791485841e98be902ba16431a5629726dd7027' at path '[:]' all: value equals '--peer-cert-file='</oval-def:description>
+            <oval-def:reference ref_id="CCE-83847-4" source="CCE"/>
+            <oval-def:reference ref_id="etcd_peer_cert_file" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments[&quot;audit-log-maxbackup&quot;][:]' at least one" test_ref="oval:ssg-test_api_server_audit_log_maxbackup:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' exists." test_ref="oval:ssg-test_file_for_api_server_audit_log_maxbackup:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod#72b7530e9fb0f39686f598b00d791485841e98be902ba16431a5629726dd7027' at path '[:]' all" test_ref="oval:ssg-test_etcd_peer_cert_file:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod#72b7530e9fb0f39686f598b00d791485841e98be902ba16431a5629726dd7027' exists." test_ref="oval:ssg-test_file_for_etcd_peer_cert_file:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-api_server_audit_log_maxsize:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-etcd_peer_client_cert_auth:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Configure Kubernetes API Server Maximum Audit Log Size</oval-def:title>
+            <oval-def:title>Enable The Peer Client Certificate Authentication</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments["audit-log-maxsize"][:]' at least one: value equals '100'</oval-def:description>
-            <oval-def:reference ref_id="CCE-83607-2" source="CCE"/>
-            <oval-def:reference ref_id="api_server_audit_log_maxsize" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod#72b7530e9fb0f39686f598b00d791485841e98be902ba16431a5629726dd7027' at path '[:]' all: value equals '--peer-client-cert-auth=true'</oval-def:description>
+            <oval-def:reference ref_id="CCE-83465-5" source="CCE"/>
+            <oval-def:reference ref_id="etcd_peer_client_cert_auth" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments[&quot;audit-log-maxsize&quot;][:]' at least one" test_ref="oval:ssg-test_api_server_audit_log_maxsize:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' exists." test_ref="oval:ssg-test_file_for_api_server_audit_log_maxsize:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod#72b7530e9fb0f39686f598b00d791485841e98be902ba16431a5629726dd7027' at path '[:]' all" test_ref="oval:ssg-test_etcd_peer_client_cert_auth:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod#72b7530e9fb0f39686f598b00d791485841e98be902ba16431a5629726dd7027' exists." test_ref="oval:ssg-test_file_for_etcd_peer_client_cert_auth:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-api_server_audit_log_path:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-etcd_peer_key_file:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Configure the Audit Log Path</oval-def:title>
+            <oval-def:title>Ensure That The etcd Peer Key File Is Correctly Set</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments["audit-log-path"][:]' at least one: value equals '.+'</oval-def:description>
-            <oval-def:reference ref_id="CCE-84020-7" source="CCE"/>
-            <oval-def:reference ref_id="api_server_audit_log_path" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod#72b7530e9fb0f39686f598b00d791485841e98be902ba16431a5629726dd7027' at path '[:]' all: value equals '--peer-key-file='</oval-def:description>
+            <oval-def:reference ref_id="CCE-83711-2" source="CCE"/>
+            <oval-def:reference ref_id="etcd_peer_key_file" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments[&quot;audit-log-path&quot;][:]' at least one" test_ref="oval:ssg-test_api_server_audit_log_path:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' exists." test_ref="oval:ssg-test_file_for_api_server_audit_log_path:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod#72b7530e9fb0f39686f598b00d791485841e98be902ba16431a5629726dd7027' at path '[:]' all" test_ref="oval:ssg-test_etcd_peer_key_file:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod#72b7530e9fb0f39686f598b00d791485841e98be902ba16431a5629726dd7027' exists." test_ref="oval:ssg-test_file_for_etcd_peer_key_file:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-api_server_auth_mode_no_aa:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_cni_conf:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>The authorization-mode cannot be AlwaysAllow</oval-def:title>
+            <oval-def:title>Verify Group Who Owns The OpenShift Container Network Interface Files</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#ffe65d9fac11909686e59349c6a0111aaf57caa26bd2db3e7dcb1a0a22899145' at path '.apiServerArguments["authorization-mode"][:]' all: value equals 'AlwaysAllow'</oval-def:description>
-            <oval-def:reference ref_id="CCE-84207-0" source="CCE"/>
-            <oval-def:reference ref_id="api_server_auth_mode_no_aa" source="ssg"/>
+            <oval-def:description>This test makes sure that ^/etc/cni/net.d/.*$ is group owned by 0.</oval-def:description>
+            <oval-def:reference ref_id="CCE-84025-6" source="CCE"/>
+            <oval-def:reference ref_id="file_groupowner_cni_conf" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#ffe65d9fac11909686e59349c6a0111aaf57caa26bd2db3e7dcb1a0a22899145' at path '.apiServerArguments[&quot;authorization-mode&quot;][:]' all" test_ref="oval:ssg-test_api_server_auth_mode_no_aa:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#ffe65d9fac11909686e59349c6a0111aaf57caa26bd2db3e7dcb1a0a22899145' exists." test_ref="oval:ssg-test_file_for_api_server_auth_mode_no_aa:tst:1"/>
+            <oval-def:criterion comment="Check file group ownership of ^/etc/cni/net.d/.*$" test_ref="oval:ssg-test_file_groupowner_cni_conf_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-api_server_auth_mode_node:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_controller_manager_kubeconfig:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Ensure authorization-mode Node is configured</oval-def:title>
+            <oval-def:title>Verify Group Who Owns The OpenShift Controller Manager Kubeconfig File</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments["authorization-mode"][:]' at least one: value equals 'Node'</oval-def:description>
-            <oval-def:reference ref_id="CCE-83889-6" source="CCE"/>
-            <oval-def:reference ref_id="api_server_auth_mode_node" source="ssg"/>
+            <oval-def:description>This test makes sure that ^/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-.*/configmaps/controller-manager-kubeconfig/kubeconfig$ is group owned by 0.</oval-def:description>
+            <oval-def:reference ref_id="CCE-84095-9" source="CCE"/>
+            <oval-def:reference ref_id="file_groupowner_controller_manager_kubeconfig" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments[&quot;authorization-mode&quot;][:]' at least one" test_ref="oval:ssg-test_api_server_auth_mode_node:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' exists." test_ref="oval:ssg-test_file_for_api_server_auth_mode_node:tst:1"/>
+            <oval-def:criterion comment="Check file group ownership of ^/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-.*/configmaps/controller-manager-kubeconfig/kubeconfig$" test_ref="oval:ssg-test_file_groupowner_controller_manager_kubeconfig_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-api_server_auth_mode_rbac:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_etcd_data_dir:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Ensure authorization-mode RBAC is configured</oval-def:title>
+            <oval-def:title>Verify Group Who Owns The Etcd Database Directory</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments["authorization-mode"][:]' at least one: value equals 'RBAC'</oval-def:description>
-            <oval-def:reference ref_id="CCE-84102-3" source="CCE"/>
-            <oval-def:reference ref_id="api_server_auth_mode_rbac" source="ssg"/>
+            <oval-def:description>This test makes sure that /var/lib/etcd/member/ is group owned by 0.</oval-def:description>
+            <oval-def:reference ref_id="CCE-83354-1" source="CCE"/>
+            <oval-def:reference ref_id="file_groupowner_etcd_data_dir" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments[&quot;authorization-mode&quot;][:]' at least one" test_ref="oval:ssg-test_api_server_auth_mode_rbac:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' exists." test_ref="oval:ssg-test_file_for_api_server_auth_mode_rbac:tst:1"/>
+            <oval-def:criterion comment="Check file group ownership of /var/lib/etcd/member/" test_ref="oval:ssg-test_file_groupowner_etcd_data_dir_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-api_server_basic_auth:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_etcd_data_files:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Disable basic-auth-file for the API Server</oval-def:title>
+            <oval-def:title>Verify Group Who Owns The Etcd Write-Ahead-Log Files</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments[:]' all: key 'basic-auth-file' value equals ''</oval-def:description>
-            <oval-def:reference ref_id="CCE-83936-5" source="CCE"/>
-            <oval-def:reference ref_id="api_server_basic_auth" source="ssg"/>
+            <oval-def:description>This test makes sure that ^/var/lib/etcd/member/wal/.*$ is group owned by 0.</oval-def:description>
+            <oval-def:reference ref_id="CCE-83816-9" source="CCE"/>
+            <oval-def:reference ref_id="file_groupowner_etcd_data_files" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments[:]' all" test_ref="oval:ssg-test_api_server_basic_auth:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' exists." test_ref="oval:ssg-test_file_for_api_server_basic_auth:tst:1"/>
+            <oval-def:criterion comment="Check file group ownership of ^/var/lib/etcd/member/wal/.*$" test_ref="oval:ssg-test_file_groupowner_etcd_data_files_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-api_server_bind_address:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_etcd_member:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Ensure that the bindAddress is set to a relevant secure port</oval-def:title>
+            <oval-def:title>Verify Group Who Owns The etcd Member Pod Specification File</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.servingInfo["bindAddress"]' all: value equals '(.+)'</oval-def:description>
-            <oval-def:reference ref_id="CCE-83646-0" source="CCE"/>
-            <oval-def:reference ref_id="api_server_bind_address" source="ssg"/>
+            <oval-def:description>This test makes sure that ^/etc/kubernetes/static-pod-resources/etcd-pod-.*/etcd-pod.yaml$ is group owned by 0.</oval-def:description>
+            <oval-def:reference ref_id="CCE-83664-3" source="CCE"/>
+            <oval-def:reference ref_id="file_groupowner_etcd_member" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.servingInfo[&quot;bindAddress&quot;]' all" test_ref="oval:ssg-test_api_server_bind_address:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' exists." test_ref="oval:ssg-test_file_for_api_server_bind_address:tst:1"/>
+            <oval-def:criterion comment="Check file group ownership of ^/etc/kubernetes/static-pod-resources/etcd-pod-.*/etcd-pod.yaml$" test_ref="oval:ssg-test_file_groupowner_etcd_member_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-api_server_client_ca:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_etcd_pki_cert_files:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Configure the Client Certificate Authority for the API Server</oval-def:title>
+            <oval-def:title>Verify Group Who Owns The Etcd PKI Certificate Files</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments["client-ca-file"]' all: value equals '(.+)'</oval-def:description>
-            <oval-def:reference ref_id="CCE-84284-9" source="CCE"/>
-            <oval-def:reference ref_id="api_server_client_ca" source="ssg"/>
+            <oval-def:description>This test makes sure that ^/etc/kubernetes/static-pod-resources/.*/.*/.*/.*\.crt$ is group owned by 0.</oval-def:description>
+            <oval-def:reference ref_id="CCE-83890-4" source="CCE"/>
+            <oval-def:reference ref_id="file_groupowner_etcd_pki_cert_files" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments[&quot;client-ca-file&quot;]' all" test_ref="oval:ssg-test_api_server_client_ca:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' exists." test_ref="oval:ssg-test_file_for_api_server_client_ca:tst:1"/>
+            <oval-def:criterion comment="Check file group ownership of ^/etc/kubernetes/static-pod-resources/.*/.*/.*/.*\.crt$" test_ref="oval:ssg-test_file_groupowner_etcd_pki_cert_files_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-api_server_encryption_provider_cipher:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_ip_allocations:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Configure the Encryption Provider Cipher</oval-def:title>
+            <oval-def:title>Verify Group Who Owns The OpenShift SDN Container Network Interface Plugin IP Address Allocations</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/apis/config.openshift.io/v1/apiservers/cluster' at path '.spec.encryption.type' at least one: value equals 'aescbc'</oval-def:description>
-            <oval-def:reference ref_id="api_server_encryption_provider_cipher" source="ssg"/>
+            <oval-def:description>This test makes sure that ^/var/lib/cni/networks/openshift-sdn/.*$ is group owned by 0.</oval-def:description>
+            <oval-def:reference ref_id="CCE-84211-2" source="CCE"/>
+            <oval-def:reference ref_id="file_groupowner_ip_allocations" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/apis/config.openshift.io/v1/apiservers/cluster' at path '.spec.encryption.type' at least one" test_ref="oval:ssg-test_api_server_encryption_provider_cipher:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/apis/config.openshift.io/v1/apiservers/cluster' exists." test_ref="oval:ssg-test_file_for_api_server_encryption_provider_cipher:tst:1"/>
+            <oval-def:criterion comment="Check file group ownership of ^/var/lib/cni/networks/openshift-sdn/.*$" test_ref="oval:ssg-test_file_groupowner_ip_allocations_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-api_server_encryption_provider_config:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_kube_apiserver:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Configure the Encryption Provider</oval-def:title>
+            <oval-def:title>Verify Group Who Owns The Kubernetes API Server Pod Specification File</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/apis/config.openshift.io/v1/apiservers/cluster' at path '.spec.encryption.type' at least one: value equals 'aescbc'</oval-def:description>
-            <oval-def:reference ref_id="CCE-83585-0" source="CCE"/>
-            <oval-def:reference ref_id="api_server_encryption_provider_config" source="ssg"/>
+            <oval-def:description>This test makes sure that ^/etc/kubernetes/static-pod-resources/kube-apiserver-pod-.*/kube-apiserver-pod.yaml$ is group owned by 0.</oval-def:description>
+            <oval-def:reference ref_id="CCE-83530-6" source="CCE"/>
+            <oval-def:reference ref_id="file_groupowner_kube_apiserver" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/apis/config.openshift.io/v1/apiservers/cluster' at path '.spec.encryption.type' at least one" test_ref="oval:ssg-test_api_server_encryption_provider_config:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/apis/config.openshift.io/v1/apiservers/cluster' exists." test_ref="oval:ssg-test_file_for_api_server_encryption_provider_config:tst:1"/>
+            <oval-def:criterion comment="Check file group ownership of ^/etc/kubernetes/static-pod-resources/kube-apiserver-pod-.*/kube-apiserver-pod.yaml$" test_ref="oval:ssg-test_file_groupowner_kube_apiserver_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-api_server_etcd_ca:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_kube_controller_manager:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Configure the etcd Certificate Authority for the API Server</oval-def:title>
+            <oval-def:title>Verify Group Who Owns The Kubernetes Controller Manager Pod Specification File</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments["etcd-cafile"][:]' all: value equals '(.+)'</oval-def:description>
-            <oval-def:reference ref_id="CCE-84216-1" source="CCE"/>
-            <oval-def:reference ref_id="api_server_etcd_ca" source="ssg"/>
+            <oval-def:description>This test makes sure that ^/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-.*/kube-controller-manager-pod.yaml$ is group owned by 0.</oval-def:description>
+            <oval-def:reference ref_id="CCE-83953-0" source="CCE"/>
+            <oval-def:reference ref_id="file_groupowner_kube_controller_manager" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments[&quot;etcd-cafile&quot;][:]' all" test_ref="oval:ssg-test_api_server_etcd_ca:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' exists." test_ref="oval:ssg-test_file_for_api_server_etcd_ca:tst:1"/>
+            <oval-def:criterion comment="Check file group ownership of ^/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-.*/kube-controller-manager-pod.yaml$" test_ref="oval:ssg-test_file_groupowner_kube_controller_manager_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-api_server_etcd_cert:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_kube_scheduler:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Configure the etcd Certificate for the API Server</oval-def:title>
+            <oval-def:title>Verify Group Who Owns The Kubernetes Scheduler Pod Specification File</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments["etcd-certfile"][:]' all: value equals '.*\.crt'</oval-def:description>
-            <oval-def:reference ref_id="CCE-83876-3" source="CCE"/>
-            <oval-def:reference ref_id="api_server_etcd_cert" source="ssg"/>
+            <oval-def:description>This test makes sure that ^/etc/kubernetes/static-pod-resources/kube-scheduler-pod-.*/kube-scheduler-pod.yaml$ is group owned by 0.</oval-def:description>
+            <oval-def:reference ref_id="CCE-83614-8" source="CCE"/>
+            <oval-def:reference ref_id="file_groupowner_kube_scheduler" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments[&quot;etcd-certfile&quot;][:]' all" test_ref="oval:ssg-test_api_server_etcd_cert:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' exists." test_ref="oval:ssg-test_file_for_api_server_etcd_cert:tst:1"/>
+            <oval-def:criterion comment="Check file group ownership of ^/etc/kubernetes/static-pod-resources/kube-scheduler-pod-.*/kube-scheduler-pod.yaml$" test_ref="oval:ssg-test_file_groupowner_kube_scheduler_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-api_server_etcd_key:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_kubelet_conf:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Configure the etcd Certificate Key for the API Server</oval-def:title>
+            <oval-def:title>Verify Group Who Owns The Kubelet Configuration File</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments["etcd-keyfile"][:]' all: value equals '.*\.key'</oval-def:description>
-            <oval-def:reference ref_id="CCE-83546-2" source="CCE"/>
-            <oval-def:reference ref_id="api_server_etcd_key" source="ssg"/>
+            <oval-def:description>This test makes sure that /etc/kubernetes/kubelet.conf is group owned by 0.</oval-def:description>
+            <oval-def:reference ref_id="CCE-84233-6" source="CCE"/>
+            <oval-def:reference ref_id="file_groupowner_kubelet_conf" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments[&quot;etcd-keyfile&quot;][:]' all" test_ref="oval:ssg-test_api_server_etcd_key:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' exists." test_ref="oval:ssg-test_file_for_api_server_etcd_key:tst:1"/>
+            <oval-def:criterion comment="Check file group ownership of /etc/kubernetes/kubelet.conf" test_ref="oval:ssg-test_file_groupowner_kubelet_conf_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-api_server_https_for_kubelet_conn:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_master_admin_kubeconfigs:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Ensure that the --kubelet-https argument is set to true</oval-def:title>
+            <oval-def:title>Verify Group Who Owns The OpenShift Admin Kubeconfig Files</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments[:]' all: key 'kubelet-https' value equals ''</oval-def:description>
-            <oval-def:reference ref_id="api_server_https_for_kubelet_conn" source="ssg"/>
+            <oval-def:description>This test makes sure that ^/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/.*\.kubeconfig$ is group owned by 0.</oval-def:description>
+            <oval-def:reference ref_id="CCE-84204-7" source="CCE"/>
+            <oval-def:reference ref_id="file_groupowner_master_admin_kubeconfigs" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments[:]' all" test_ref="oval:ssg-test_api_server_https_for_kubelet_conn:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' exists." test_ref="oval:ssg-test_file_for_api_server_https_for_kubelet_conn:tst:1"/>
+            <oval-def:criterion comment="Check file group ownership of ^/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/.*\.kubeconfig$" test_ref="oval:ssg-test_file_groupowner_master_admin_kubeconfigs_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-api_server_insecure_bind_address:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_multus_conf:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Disable Use of the Insecure Bind Address</oval-def:title>
+            <oval-def:title>Verify Group Who Owns The OpenShift Multus Container Network Interface Plugin Files</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#95b5b27bb6ea2b122e810c99c17c2430c4845596942804847dd677557cfed88e' at path '.apiServerArguments[:]' all: value equals 'insecure-bind-address'</oval-def:description>
-            <oval-def:reference ref_id="CCE-83955-5" source="CCE"/>
-            <oval-def:reference ref_id="api_server_insecure_bind_address" source="ssg"/>
+            <oval-def:description>This test makes sure that ^/var/run/multus/cni/net.d/.*$ is group owned by 0.</oval-def:description>
+            <oval-def:reference ref_id="CCE-83818-5" source="CCE"/>
+            <oval-def:reference ref_id="file_groupowner_multus_conf" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#95b5b27bb6ea2b122e810c99c17c2430c4845596942804847dd677557cfed88e' at path '.apiServerArguments[:]' all" test_ref="oval:ssg-test_api_server_insecure_bind_address:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#95b5b27bb6ea2b122e810c99c17c2430c4845596942804847dd677557cfed88e' exists." test_ref="oval:ssg-test_file_for_api_server_insecure_bind_address:tst:1"/>
+            <oval-def:criterion comment="Check file group ownership of ^/var/run/multus/cni/net.d/.*$" test_ref="oval:ssg-test_file_groupowner_multus_conf_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-api_server_insecure_port:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_openshift_pki_cert_files:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Prevent Insecure Port Access</oval-def:title>
+            <oval-def:title>Verify Group Who Owns The OpenShift PKI Certificate Files</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments["insecure-port"][:]' all: value equals '0'</oval-def:description>
-            <oval-def:reference ref_id="CCE-83813-6" source="CCE"/>
-            <oval-def:reference ref_id="api_server_insecure_port" source="ssg"/>
+            <oval-def:description>This test makes sure that ^/etc/kubernetes/static-pod-resources/.*/.*/.*/tls\.crt$ is group owned by 0.</oval-def:description>
+            <oval-def:reference ref_id="CCE-83922-5" source="CCE"/>
+            <oval-def:reference ref_id="file_groupowner_openshift_pki_cert_files" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments[&quot;insecure-port&quot;][:]' all" test_ref="oval:ssg-test_api_server_insecure_port:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' exists." test_ref="oval:ssg-test_file_for_api_server_insecure_port:tst:1"/>
+            <oval-def:criterion comment="Check file group ownership of ^/etc/kubernetes/static-pod-resources/.*/.*/.*/tls\.crt$" test_ref="oval:ssg-test_file_groupowner_openshift_pki_cert_files_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-api_server_kubelet_certificate_authority:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_openshift_pki_key_files:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Configure the kubelet Certificate Authority for the API Server</oval-def:title>
+            <oval-def:title>Verify Group Who Owns The OpenShift PKI Private Key Files</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments["kubelet-certificate-authority"][:]' all: value equals '(.+)'</oval-def:description>
-            <oval-def:reference ref_id="CCE-84196-5" source="CCE"/>
-            <oval-def:reference ref_id="api_server_kubelet_certificate_authority" source="ssg"/>
+            <oval-def:description>This test makes sure that ^/etc/kubernetes/static-pod-resources/.*/.*/.*/.*\.key$ is group owned by 0.</oval-def:description>
+            <oval-def:reference ref_id="CCE-84172-6" source="CCE"/>
+            <oval-def:reference ref_id="file_groupowner_openshift_pki_key_files" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments[&quot;kubelet-certificate-authority&quot;][:]' all" test_ref="oval:ssg-test_api_server_kubelet_certificate_authority:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' exists." test_ref="oval:ssg-test_file_for_api_server_kubelet_certificate_authority:tst:1"/>
+            <oval-def:criterion comment="Check file group ownership of ^/etc/kubernetes/static-pod-resources/.*/.*/.*/.*\.key$" test_ref="oval:ssg-test_file_groupowner_openshift_pki_key_files_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-api_server_kubelet_client_cert:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_openshift_sdn_cniserver_config:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Configure the kubelet Certificate File for the API Server</oval-def:title>
+            <oval-def:title>Verify Group Who Owns The OpenShift SDN CNI Server Config</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments["kubelet-client-certificate"][:]' all: value equals '(.+)'</oval-def:description>
-            <oval-def:reference ref_id="CCE-84080-1" source="CCE"/>
-            <oval-def:reference ref_id="api_server_kubelet_client_cert" source="ssg"/>
+            <oval-def:description>This test makes sure that /var/run/openshift-sdn/cniserver/config.json is group owned by 0.</oval-def:description>
+            <oval-def:reference ref_id="CCE-83605-6" source="CCE"/>
+            <oval-def:reference ref_id="file_groupowner_openshift_sdn_cniserver_config" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments[&quot;kubelet-client-certificate&quot;][:]' all" test_ref="oval:ssg-test_api_server_kubelet_client_cert:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' exists." test_ref="oval:ssg-test_file_for_api_server_kubelet_client_cert:tst:1"/>
+            <oval-def:criterion comment="Check file group ownership of /var/run/openshift-sdn/cniserver/config.json" test_ref="oval:ssg-test_file_groupowner_openshift_sdn_cniserver_config_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-api_server_kubelet_client_cert_pre_4_9:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_openvswitch:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Configure the kubelet Certificate File for the API Server</oval-def:title>
+            <oval-def:title>Verify Group Who Owns The OpenShift Open vSwitch Files</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' at path '.data["config.yaml"]' all: value equals '"kubelet-client-certificate":\["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt"\]'</oval-def:description>
-            <oval-def:reference ref_id="CCE-85890-2" source="CCE"/>
-            <oval-def:reference ref_id="api_server_kubelet_client_cert_pre_4_9" source="ssg"/>
+            <oval-def:description>This test makes sure that /etc/openvswitch/ is group owned by 0.</oval-def:description>
+            <oval-def:reference ref_id="file_groupowner_openvswitch" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' at path '.data[&quot;config.yaml&quot;]' all" test_ref="oval:ssg-test_api_server_kubelet_client_cert_pre_4_9:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' exists." test_ref="oval:ssg-test_file_for_api_server_kubelet_client_cert_pre_4_9:tst:1"/>
+            <oval-def:criterion comment="Check file group ownership of /etc/openvswitch/" test_ref="oval:ssg-test_file_groupowner_openvswitch_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-api_server_kubelet_client_key:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_ovs_conf_db_lock_not_s390x:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Configure the kubelet Certificate Key for the API Server</oval-def:title>
+            <oval-def:title>Verify Group Who Owns The Open vSwitch Configuration Database Lock</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments["kubelet-client-key"][:]' all: value equals '(.+)'</oval-def:description>
-            <oval-def:reference ref_id="CCE-83591-8" source="CCE"/>
-            <oval-def:reference ref_id="api_server_kubelet_client_key" source="ssg"/>
+            <oval-def:description>This test makes sure that /etc/openvswitch/.conf.db.~lock~ is group owned by 801.</oval-def:description>
+            <oval-def:reference ref_id="CCE-84219-5" source="CCE"/>
+            <oval-def:reference ref_id="file_groupowner_ovs_conf_db_lock_not_s390x" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments[&quot;kubelet-client-key&quot;][:]' all" test_ref="oval:ssg-test_api_server_kubelet_client_key:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' exists." test_ref="oval:ssg-test_file_for_api_server_kubelet_client_key:tst:1"/>
+            <oval-def:criterion comment="Check file group ownership of /etc/openvswitch/.conf.db.~lock~" test_ref="oval:ssg-test_file_groupowner_ovs_conf_db_lock_not_s390x_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-api_server_kubelet_client_key_pre_4_9:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_ovs_conf_db_lock_s390x:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Configure the kubelet Certificate Key for the API Server</oval-def:title>
+            <oval-def:title>Verify Group Who Owns The Open vSwitch Configuration Database Lock</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' at path '.data["config.yaml"]' all: value equals '"kubelet-client-key":\["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key"\]'</oval-def:description>
-            <oval-def:reference ref_id="CCE-90794-9" source="CCE"/>
-            <oval-def:reference ref_id="api_server_kubelet_client_key_pre_4_9" source="ssg"/>
+            <oval-def:description>This test makes sure that /etc/openvswitch/.conf.db.~lock~ is group owned by 800.</oval-def:description>
+            <oval-def:reference ref_id="CCE-85936-3" source="CCE"/>
+            <oval-def:reference ref_id="file_groupowner_ovs_conf_db_lock_s390x" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' at path '.data[&quot;config.yaml&quot;]' all" test_ref="oval:ssg-test_api_server_kubelet_client_key_pre_4_9:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' exists." test_ref="oval:ssg-test_file_for_api_server_kubelet_client_key_pre_4_9:tst:1"/>
+            <oval-def:criterion comment="Check file group ownership of /etc/openvswitch/.conf.db.~lock~" test_ref="oval:ssg-test_file_groupowner_ovs_conf_db_lock_s390x_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-api_server_no_adm_ctrl_plugins_disabled:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_ovs_conf_db_not_s390x:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Ensure all admission control plugins are enabled</oval-def:title>
+            <oval-def:title>Verify Group Who Owns The Open vSwitch Configuration Database</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#8c02c853df9307960712da853d79f916a091fe8bce6312720d7c17de03c2017b' at path '[:]' all: value equals '(.*?)'</oval-def:description>
-            <oval-def:reference ref_id="CCE-83799-7" source="CCE"/>
-            <oval-def:reference ref_id="api_server_no_adm_ctrl_plugins_disabled" source="ssg"/>
+            <oval-def:description>This test makes sure that /etc/openvswitch/conf.db is group owned by 801.</oval-def:description>
+            <oval-def:reference ref_id="CCE-84226-0" source="CCE"/>
+            <oval-def:reference ref_id="file_groupowner_ovs_conf_db_not_s390x" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#8c02c853df9307960712da853d79f916a091fe8bce6312720d7c17de03c2017b' at path '[:]' all" test_ref="oval:ssg-test_api_server_no_adm_ctrl_plugins_disabled:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#8c02c853df9307960712da853d79f916a091fe8bce6312720d7c17de03c2017b' exists." test_ref="oval:ssg-test_file_for_api_server_no_adm_ctrl_plugins_disabled:tst:1"/>
+            <oval-def:criterion comment="Check file group ownership of /etc/openvswitch/conf.db" test_ref="oval:ssg-test_file_groupowner_ovs_conf_db_not_s390x_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-api_server_profiling_protected_by_rbac:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_ovs_conf_db_s390x:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Profiling is protected by RBAC</oval-def:title>
+            <oval-def:title>Verify Group Who Owns The Open vSwitch Configuration Database</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/apis/rbac.authorization.k8s.io/v1/clusterroles/cluster-debugger' at path '.rules[0].nonResourceURLs[:]' at least one: value equals '\/metrics'</oval-def:description>
-            <oval-def:reference ref_id="CCE-84212-0" source="CCE"/>
-            <oval-def:reference ref_id="api_server_profiling_protected_by_rbac" source="ssg"/>
+            <oval-def:description>This test makes sure that /etc/openvswitch/conf.db is group owned by 800.</oval-def:description>
+            <oval-def:reference ref_id="CCE-85927-2" source="CCE"/>
+            <oval-def:reference ref_id="file_groupowner_ovs_conf_db_s390x" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/apis/rbac.authorization.k8s.io/v1/clusterroles/cluster-debugger' at path '.rules[0].nonResourceURLs[:]' at least one" test_ref="oval:ssg-test_api_server_profiling_protected_by_rbac:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/apis/rbac.authorization.k8s.io/v1/clusterroles/cluster-debugger' exists." test_ref="oval:ssg-test_file_for_api_server_profiling_protected_by_rbac:tst:1"/>
+            <oval-def:criterion comment="Check file group ownership of /etc/openvswitch/conf.db" test_ref="oval:ssg-test_file_groupowner_ovs_conf_db_s390x_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-api_server_request_timeout:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_ovs_sys_id_conf_not_s390x:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Configure the API Server Minimum Request Timeout</oval-def:title>
+            <oval-def:title>Verify Group Who Owns The Open vSwitch Persistent System ID</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments["min-request-timeout"][:]' at least one: value equals '(\d*)'</oval-def:description>
-            <oval-def:reference ref_id="api_server_request_timeout" source="ssg"/>
+            <oval-def:description>This test makes sure that /etc/openvswitch/system-id.conf is group owned by 801.</oval-def:description>
+            <oval-def:reference ref_id="CCE-83677-5" source="CCE"/>
+            <oval-def:reference ref_id="file_groupowner_ovs_sys_id_conf_not_s390x" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments[&quot;min-request-timeout&quot;][:]' at least one" test_ref="oval:ssg-test_api_server_request_timeout:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' exists." test_ref="oval:ssg-test_file_for_api_server_request_timeout:tst:1"/>
+            <oval-def:criterion comment="Check file group ownership of /etc/openvswitch/system-id.conf" test_ref="oval:ssg-test_file_groupowner_ovs_sys_id_conf_not_s390x_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-api_server_service_account_lookup:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_ovs_sys_id_conf_s390x:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Ensure that the service-account-lookup argument is set to true</oval-def:title>
+            <oval-def:title>Verify Group Who Owns The Open vSwitch Persistent System ID</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments["service-account-lookup"][:]' at least one: value equals 'true'</oval-def:description>
-            <oval-def:reference ref_id="CCE-83370-7" source="CCE"/>
-            <oval-def:reference ref_id="api_server_service_account_lookup" source="ssg"/>
+            <oval-def:description>This test makes sure that /etc/openvswitch/system-id.conf is group owned by 800.</oval-def:description>
+            <oval-def:reference ref_id="CCE-85928-0" source="CCE"/>
+            <oval-def:reference ref_id="file_groupowner_ovs_sys_id_conf_s390x" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments[&quot;service-account-lookup&quot;][:]' at least one" test_ref="oval:ssg-test_api_server_service_account_lookup:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' exists." test_ref="oval:ssg-test_file_for_api_server_service_account_lookup:tst:1"/>
+            <oval-def:criterion comment="Check file group ownership of /etc/openvswitch/system-id.conf" test_ref="oval:ssg-test_file_groupowner_ovs_sys_id_conf_s390x_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-api_server_service_account_public_key:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_scheduler_kubeconfig:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Configure the Service Account Public Key for the API Server</oval-def:title>
+            <oval-def:title>Verify Group Who Owns The Kubernetes Scheduler Kubeconfig File</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.serviceAccountPublicKeyFiles[:]' at least one: value equals '.+'</oval-def:description>
-            <oval-def:reference ref_id="CCE-83350-9" source="CCE"/>
-            <oval-def:reference ref_id="api_server_service_account_public_key" source="ssg"/>
+            <oval-def:description>This test makes sure that ^/etc/kubernetes/static-pod-resources/kube-scheduler-pod-.*/configmaps/scheduler-kubeconfig/kubeconfig$ is group owned by 0.</oval-def:description>
+            <oval-def:reference ref_id="CCE-83471-3" source="CCE"/>
+            <oval-def:reference ref_id="file_groupowner_scheduler_kubeconfig" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.serviceAccountPublicKeyFiles[:]' at least one" test_ref="oval:ssg-test_api_server_service_account_public_key:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' exists." test_ref="oval:ssg-test_file_for_api_server_service_account_public_key:tst:1"/>
+            <oval-def:criterion comment="Check file group ownership of ^/etc/kubernetes/static-pod-resources/kube-scheduler-pod-.*/configmaps/scheduler-kubeconfig/kubeconfig$" test_ref="oval:ssg-test_file_groupowner_scheduler_kubeconfig_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-api_server_tls_cert:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_worker_ca:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Configure the Certificate for the API Server</oval-def:title>
+            <oval-def:title>Verify Group Who Owns the Worker Certificate Authority File</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments["tls-cert-file"][:]' all: value equals '(.+)'</oval-def:description>
-            <oval-def:reference ref_id="CCE-83779-9" source="CCE"/>
-            <oval-def:reference ref_id="api_server_tls_cert" source="ssg"/>
+            <oval-def:description>This test makes sure that /etc/kubernetes/kubelet-ca.crt is group owned by 0.</oval-def:description>
+            <oval-def:reference ref_id="CCE-83440-8" source="CCE"/>
+            <oval-def:reference ref_id="file_groupowner_worker_ca" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments[&quot;tls-cert-file&quot;][:]' all" test_ref="oval:ssg-test_api_server_tls_cert:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' exists." test_ref="oval:ssg-test_file_for_api_server_tls_cert:tst:1"/>
+            <oval-def:criterion comment="Check file group ownership of /etc/kubernetes/kubelet-ca.crt" test_ref="oval:ssg-test_file_groupowner_worker_ca_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-api_server_tls_cipher_suites:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_worker_kubeconfig:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Use Strong Cryptographic Ciphers on the API Server</oval-def:title>
+            <oval-def:title>Verify Group Who Owns The Worker Kubeconfig File</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.servingInfo.cipherSuites[:]' all: value equals 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384'</oval-def:description>
-            <oval-def:reference ref_id="api_server_tls_cipher_suites" source="ssg"/>
+            <oval-def:description>This test makes sure that /var/lib/kubelet/kubeconfig is group owned by 0.</oval-def:description>
+            <oval-def:reference ref_id="CCE-83409-3" source="CCE"/>
+            <oval-def:reference ref_id="file_groupowner_worker_kubeconfig" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.servingInfo.cipherSuites[:]' all" test_ref="oval:ssg-test_api_server_tls_cipher_suites:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' exists." test_ref="oval:ssg-test_file_for_api_server_tls_cipher_suites:tst:1"/>
+            <oval-def:criterion comment="Check file group ownership of /var/lib/kubelet/kubeconfig" test_ref="oval:ssg-test_file_groupowner_worker_kubeconfig_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-api_server_tls_private_key:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_worker_service:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Configure the Certificate Key for the API Server</oval-def:title>
+            <oval-def:title>Verify Group Who Owns The OpenShift Node Service File</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments["tls-private-key-file"][:]' all: value equals '(.+)'</oval-def:description>
-            <oval-def:reference ref_id="CCE-84282-3" source="CCE"/>
-            <oval-def:reference ref_id="api_server_tls_private_key" source="ssg"/>
+            <oval-def:description>This test makes sure that /etc/systemd/system/kubelet.service is group owned by 0.</oval-def:description>
+            <oval-def:reference ref_id="CCE-83975-3" source="CCE"/>
+            <oval-def:reference ref_id="file_groupowner_worker_service" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments[&quot;tls-private-key-file&quot;][:]' all" test_ref="oval:ssg-test_api_server_tls_private_key:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' exists." test_ref="oval:ssg-test_file_for_api_server_tls_private_key:tst:1"/>
+            <oval-def:criterion comment="Check file group ownership of /etc/systemd/system/kubelet.service" test_ref="oval:ssg-test_file_groupowner_worker_service_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-api_server_token_auth:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_integrity_exists:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Disable Token-based Authentication</oval-def:title>
+            <oval-def:title>Ensure that File Integrity Operator is scanning the cluster</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#ffe65d9fac11909686e59349c6a0111aaf57caa26bd2db3e7dcb1a0a22899145' at path '.apiServerArguments["enable-admission-plugins"][:]' all: value equals '^token-auth-file$'</oval-def:description>
-            <oval-def:reference ref_id="CCE-83481-2" source="CCE"/>
-            <oval-def:reference ref_id="api_server_token_auth" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/apis/fileintegrity.openshift.io/v1alpha1/fileintegrities?limit=5' at path '.items[:].metadata.name' at least one: value equals '.*'</oval-def:description>
+            <oval-def:reference ref_id="CCE-83657-7" source="CCE"/>
+            <oval-def:reference ref_id="file_integrity_exists" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#ffe65d9fac11909686e59349c6a0111aaf57caa26bd2db3e7dcb1a0a22899145' at path '.apiServerArguments[&quot;enable-admission-plugins&quot;][:]' all" test_ref="oval:ssg-test_api_server_token_auth:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#ffe65d9fac11909686e59349c6a0111aaf57caa26bd2db3e7dcb1a0a22899145' exists." test_ref="oval:ssg-test_file_for_api_server_token_auth:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/apis/fileintegrity.openshift.io/v1alpha1/fileintegrities?limit=5' at path '.items[:].metadata.name' at least one" test_ref="oval:ssg-test_file_integrity_exists:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/apis/fileintegrity.openshift.io/v1alpha1/fileintegrities?limit=5' exists." test_ref="oval:ssg-test_file_for_file_integrity_exists:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_error_alert_exists:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_integrity_notification_enabled:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Ensure that Audit Log Errors Emit Alerts</oval-def:title>
+            <oval-def:title>Ensure the notification is enabled for file integrity operator</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/apis/monitoring.coreos.com/v1/prometheusrules?limit=500#72e9ad360bb6bdf4ad9e43217cd0ec9cb90e7c3b08d4fbe0edf087ad899e05a6' at path '[:]' all: value equals '^.*apiserver_audit_error_total.*apiserver_audit_event_total.*$'</oval-def:description>
-            <oval-def:reference ref_id="CCE-90744-4" source="CCE"/>
-            <oval-def:reference ref_id="audit_error_alert_exists" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/apis/monitoring.coreos.com/v1/prometheusrules?limit=500#1af9e378f0bc0282076028afdb43f9d17f4cfb2f631c4d73ce65d9d0f3b10a08' at path '[:]' at least one: value equals '.*'</oval-def:description>
+            <oval-def:reference ref_id="CCE-90572-9" source="CCE"/>
+            <oval-def:reference ref_id="file_integrity_notification_enabled" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/apis/monitoring.coreos.com/v1/prometheusrules?limit=500#72e9ad360bb6bdf4ad9e43217cd0ec9cb90e7c3b08d4fbe0edf087ad899e05a6' at path '[:]' all" test_ref="oval:ssg-test_audit_error_alert_exists:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/apis/monitoring.coreos.com/v1/prometheusrules?limit=500#72e9ad360bb6bdf4ad9e43217cd0ec9cb90e7c3b08d4fbe0edf087ad899e05a6' exists." test_ref="oval:ssg-test_file_for_audit_error_alert_exists:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/apis/monitoring.coreos.com/v1/prometheusrules?limit=500#1af9e378f0bc0282076028afdb43f9d17f4cfb2f631c4d73ce65d9d0f3b10a08' at path '[:]' at least one" test_ref="oval:ssg-test_file_integrity_notification_enabled:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/apis/monitoring.coreos.com/v1/prometheusrules?limit=500#1af9e378f0bc0282076028afdb43f9d17f4cfb2f631c4d73ce65d9d0f3b10a08' exists." test_ref="oval:ssg-test_file_for_file_integrity_notification_enabled:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_log_forwarding_enabled:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_owner_cni_conf:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Ensure that Audit Log Forwarding Is Enabled</oval-def:title>
+            <oval-def:title>Verify User Who Owns The OpenShift Container Network Interface Files</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/apis/logging.openshift.io/v1/namespaces/openshift-logging/clusterlogforwarders/instance' at path 'spec.pipelines[:].inputRefs[:]' at least one: value equals 'audit'</oval-def:description>
-            <oval-def:reference ref_id="CCE-84076-9" source="CCE"/>
-            <oval-def:reference ref_id="audit_log_forwarding_enabled" source="ssg"/>
+            <oval-def:description>This test makes sure that ^/etc/cni/net.d/.*$ is owned by 0.</oval-def:description>
+            <oval-def:reference ref_id="CCE-83460-6" source="CCE"/>
+            <oval-def:reference ref_id="file_owner_cni_conf" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/apis/logging.openshift.io/v1/namespaces/openshift-logging/clusterlogforwarders/instance' at path 'spec.pipelines[:].inputRefs[:]' at least one" test_ref="oval:ssg-test_audit_log_forwarding_enabled:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/apis/logging.openshift.io/v1/namespaces/openshift-logging/clusterlogforwarders/instance' exists." test_ref="oval:ssg-test_file_for_audit_log_forwarding_enabled:tst:1"/>
+            <oval-def:criterion comment="Check file ownership of ^/etc/cni/net.d/.*$" test_ref="oval:ssg-test_file_owner_cni_conf_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_log_forwarding_uses_tls:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_owner_controller_manager_kubeconfig:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Ensure that Audit Log Forwarding Uses TLS</oval-def:title>
+            <oval-def:title>Verify User Who Owns The OpenShift Controller Manager Kubeconfig File</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/apis/logging.openshift.io/v1/namespaces/openshift-logging/clusterlogforwarders/instance#71786452ba18c51ba8ad51472a078619e2e8b52a86cd75087af5aab42400f6c0' at path '[:]' all: value equals '^(https|tls)://.*$'</oval-def:description>
-            <oval-def:reference ref_id="CCE-90688-3" source="CCE"/>
-            <oval-def:reference ref_id="audit_log_forwarding_uses_tls" source="ssg"/>
+            <oval-def:description>This test makes sure that ^/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-.*/configmaps/controller-manager-kubeconfig/kubeconfig$ is owned by 0.</oval-def:description>
+            <oval-def:reference ref_id="CCE-83904-3" source="CCE"/>
+            <oval-def:reference ref_id="file_owner_controller_manager_kubeconfig" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/apis/logging.openshift.io/v1/namespaces/openshift-logging/clusterlogforwarders/instance#71786452ba18c51ba8ad51472a078619e2e8b52a86cd75087af5aab42400f6c0' at path '[:]' all" test_ref="oval:ssg-test_audit_log_forwarding_uses_tls:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/apis/logging.openshift.io/v1/namespaces/openshift-logging/clusterlogforwarders/instance#71786452ba18c51ba8ad51472a078619e2e8b52a86cd75087af5aab42400f6c0' exists." test_ref="oval:ssg-test_file_for_audit_log_forwarding_uses_tls:tst:1"/>
+            <oval-def:criterion comment="Check file ownership of ^/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-.*/configmaps/controller-manager-kubeconfig/kubeconfig$" test_ref="oval:ssg-test_file_owner_controller_manager_kubeconfig_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_profile_set:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_owner_etcd_data_dir:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Ensure that the cluster's audit profile is properly set</oval-def:title>
+            <oval-def:title>Verify User Who Owns The Etcd Database Directory</oval-def:title>
             <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/apis/config.openshift.io/v1/apiservers/cluster' at path 'spec.audit.profile' all: </oval-def:description>
-            <oval-def:reference ref_id="CCE-83577-7" source="CCE"/>
-            <oval-def:reference ref_id="audit_profile_set" source="ssg"/>
+              <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
+            </oval-def:affected>
+            <oval-def:description>This test makes sure that /var/lib/etcd/member/ is owned by 0.</oval-def:description>
+            <oval-def:reference ref_id="CCE-83905-0" source="CCE"/>
+            <oval-def:reference ref_id="file_owner_etcd_data_dir" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/apis/config.openshift.io/v1/apiservers/cluster' at path 'spec.audit.profile' all" test_ref="oval:ssg-test_audit_profile_set:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/apis/config.openshift.io/v1/apiservers/cluster' exists." test_ref="oval:ssg-test_file_for_audit_profile_set:tst:1"/>
+            <oval-def:criterion comment="Check file ownership of /var/lib/etcd/member/" test_ref="oval:ssg-test_file_owner_etcd_data_dir_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-azure_disk_encryption_enabled:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_owner_etcd_data_files:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Ensure that the MachineSets provisioned by Azure have disk encryption enabled</oval-def:title>
+            <oval-def:title>Verify User Who Owns The Etcd Write-Ahead-Log Files</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/apis/machine.openshift.io/v1beta1/machinesets?limit=500#b9dfb8d8585cff7f72cd7403be3b5790ff7716fbe23facf6e251712ade7d60c1' at path '[:]' all: value equals '^.+$'</oval-def:description>
-            <oval-def:reference ref_id="CCE-90322-9" source="CCE"/>
-            <oval-def:reference ref_id="azure_disk_encryption_enabled" source="ssg"/>
+            <oval-def:description>This test makes sure that ^/var/lib/etcd/member/wal/.*$ is owned by 0.</oval-def:description>
+            <oval-def:reference ref_id="CCE-84010-8" source="CCE"/>
+            <oval-def:reference ref_id="file_owner_etcd_data_files" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/apis/machine.openshift.io/v1beta1/machinesets?limit=500#b9dfb8d8585cff7f72cd7403be3b5790ff7716fbe23facf6e251712ade7d60c1' at path '[:]' all" test_ref="oval:ssg-test_azure_disk_encryption_enabled:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/apis/machine.openshift.io/v1beta1/machinesets?limit=500#b9dfb8d8585cff7f72cd7403be3b5790ff7716fbe23facf6e251712ade7d60c1' exists." test_ref="oval:ssg-test_file_for_azure_disk_encryption_enabled:tst:1"/>
+            <oval-def:criterion comment="Check file ownership of ^/var/lib/etcd/member/wal/.*$" test_ref="oval:ssg-test_file_owner_etcd_data_files_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-classification_banner:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_owner_etcd_member:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Enable Classification Banner on OpenShift Console</oval-def:title>
+            <oval-def:title>Verify User Who Owns The Etcd Member Pod Specification File</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/apis/console.openshift.io/v1/consolenotifications/classification-banner' at path '.spec.text' at least one: value equals '.*'</oval-def:description>
-            <oval-def:reference ref_id="CCE-84197-3" source="CCE"/>
-            <oval-def:reference ref_id="classification_banner" source="ssg"/>
+            <oval-def:description>This test makes sure that ^/etc/kubernetes/static-pod-resources/etcd-pod-.*/etcd-pod.yaml$ is owned by 0.</oval-def:description>
+            <oval-def:reference ref_id="CCE-83988-6" source="CCE"/>
+            <oval-def:reference ref_id="file_owner_etcd_member" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/apis/console.openshift.io/v1/consolenotifications/classification-banner' at path '.spec.text' at least one" test_ref="oval:ssg-test_classification_banner:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/apis/console.openshift.io/v1/consolenotifications/classification-banner' exists." test_ref="oval:ssg-test_file_for_classification_banner:tst:1"/>
+            <oval-def:criterion comment="Check file ownership of ^/etc/kubernetes/static-pod-resources/etcd-pod-.*/etcd-pod.yaml$" test_ref="oval:ssg-test_file_owner_etcd_member_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-cluster_logging_operator_exist:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_owner_etcd_pki_cert_files:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Ensure that OpenShift Logging Operator is scanning the cluster</oval-def:title>
+            <oval-def:title>Verify User Who Owns The Etcd PKI Certificate Files</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/apis/logging.openshift.io/v1/namespaces/openshift-logging/clusterloggings/instance' at path 'metadata.name' at least one: value equals '.*'</oval-def:description>
-            <oval-def:reference ref_id="CCE-85918-1" source="CCE"/>
-            <oval-def:reference ref_id="cluster_logging_operator_exist" source="ssg"/>
+            <oval-def:description>This test makes sure that ^/etc/kubernetes/static-pod-resources/.*/.*/.*/.*\.crt$ is owned by 0.</oval-def:description>
+            <oval-def:reference ref_id="CCE-83898-7" source="CCE"/>
+            <oval-def:reference ref_id="file_owner_etcd_pki_cert_files" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/apis/logging.openshift.io/v1/namespaces/openshift-logging/clusterloggings/instance' at path 'metadata.name' at least one" test_ref="oval:ssg-test_cluster_logging_operator_exist:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/apis/logging.openshift.io/v1/namespaces/openshift-logging/clusterloggings/instance' exists." test_ref="oval:ssg-test_file_for_cluster_logging_operator_exist:tst:1"/>
+            <oval-def:criterion comment="Check file ownership of ^/etc/kubernetes/static-pod-resources/.*/.*/.*/.*\.crt$" test_ref="oval:ssg-test_file_owner_etcd_pki_cert_files_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-cluster_version_operator_exists:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_owner_ip_allocations:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Ensure that Cluster Version Operator is deployed</oval-def:title>
+            <oval-def:title>Verify User Who Owns The OpenShift SDN Container Network Interface Plugin IP Address Allocations</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/apis/config.openshift.io/v1/clusterversions/version#588c29ac9d4c67b1444308c5ba310271832895fee54701f7d0cb6cbced390443' at path '[:]' all: value equals 'True'</oval-def:description>
-            <oval-def:reference ref_id="CCE-90670-1" source="CCE"/>
-            <oval-def:reference ref_id="cluster_version_operator_exists" source="ssg"/>
+            <oval-def:description>This test makes sure that ^/var/lib/cni/networks/openshift-sdn/.*$ is owned by 0.</oval-def:description>
+            <oval-def:reference ref_id="CCE-84248-4" source="CCE"/>
+            <oval-def:reference ref_id="file_owner_ip_allocations" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/apis/config.openshift.io/v1/clusterversions/version#588c29ac9d4c67b1444308c5ba310271832895fee54701f7d0cb6cbced390443' at path '[:]' all" test_ref="oval:ssg-test_cluster_version_operator_exists:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/apis/config.openshift.io/v1/clusterversions/version#588c29ac9d4c67b1444308c5ba310271832895fee54701f7d0cb6cbced390443' exists." test_ref="oval:ssg-test_file_for_cluster_version_operator_exists:tst:1"/>
+            <oval-def:criterion comment="Check file ownership of ^/var/lib/cni/networks/openshift-sdn/.*$" test_ref="oval:ssg-test_file_owner_ip_allocations_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-cluster_version_operator_verify_integrity:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_owner_kube_apiserver:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Ensure that Cluster Version Operator verifies integrity</oval-def:title>
+            <oval-def:title>Verify User Who Owns The Kubernetes API Server Pod Specification File</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/apis/config.openshift.io/v1/clusterversions/version#69adcfd65c8b8d723e4a7118c170f634cebbb349e9b554dd15001e6551a586f8' at path '[:]' all: value equals 'true'</oval-def:description>
-            <oval-def:reference ref_id="CCE-90671-9" source="CCE"/>
-            <oval-def:reference ref_id="cluster_version_operator_verify_integrity" source="ssg"/>
+            <oval-def:description>This test makes sure that ^/etc/kubernetes/static-pod-resources/kube-apiserver-pod-.*/kube-apiserver-pod.yaml$ is owned by 0.</oval-def:description>
+            <oval-def:reference ref_id="CCE-83372-3" source="CCE"/>
+            <oval-def:reference ref_id="file_owner_kube_apiserver" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/apis/config.openshift.io/v1/clusterversions/version#69adcfd65c8b8d723e4a7118c170f634cebbb349e9b554dd15001e6551a586f8' at path '[:]' all" test_ref="oval:ssg-test_cluster_version_operator_verify_integrity:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/apis/config.openshift.io/v1/clusterversions/version#69adcfd65c8b8d723e4a7118c170f634cebbb349e9b554dd15001e6551a586f8' exists." test_ref="oval:ssg-test_file_for_cluster_version_operator_verify_integrity:tst:1"/>
+            <oval-def:criterion comment="Check file ownership of ^/etc/kubernetes/static-pod-resources/kube-apiserver-pod-.*/kube-apiserver-pod.yaml$" test_ref="oval:ssg-test_file_owner_kube_apiserver_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-cluster_wide_proxy_set:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_owner_kube_controller_manager:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Ensure that cluster-wide proxy is set</oval-def:title>
+            <oval-def:title>Verify User Who Owns The Kubernetes Controller Manager Pod Specificiation File</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/apis/config.openshift.io/v1/proxies/cluster' at path '.spec.httpsProxy' all: value equals '.+'</oval-def:description>
-            <oval-def:reference ref_id="CCE-90765-9" source="CCE"/>
-            <oval-def:reference ref_id="cluster_wide_proxy_set" source="ssg"/>
+            <oval-def:description>This test makes sure that ^/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-.*/kube-controller-manager-pod.yaml$ is owned by 0.</oval-def:description>
+            <oval-def:reference ref_id="CCE-83795-5" source="CCE"/>
+            <oval-def:reference ref_id="file_owner_kube_controller_manager" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/apis/config.openshift.io/v1/proxies/cluster' at path '.spec.httpsProxy' all" test_ref="oval:ssg-test_cluster_wide_proxy_set:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/apis/config.openshift.io/v1/proxies/cluster' exists." test_ref="oval:ssg-test_file_for_cluster_wide_proxy_set:tst:1"/>
-            <oval-def:criterion comment="Make sure that all target elements exists for elements at path '.metadata.name'" test_ref="oval:ssg-test_elements_count_for_cluster_wide_proxy_set:tst:1"/>
+            <oval-def:criterion comment="Check file ownership of ^/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-.*/kube-controller-manager-pod.yaml$" test_ref="oval:ssg-test_file_owner_kube_controller_manager_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-compliance_notification_enabled:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_owner_kube_scheduler:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Ensure the notification is enabled for Compliance Operator</oval-def:title>
+            <oval-def:title>Verify User Who Owns The Kubernetes Scheduler Pod Specification File</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/apis/monitoring.coreos.com/v1/prometheusrules?limit=500#235ac8b4e63854fbdc11eefc4f8fcf6a20f55f7991b08618e698f2ead111925a' at path '[:]' at least one: value equals '.*'</oval-def:description>
-            <oval-def:reference ref_id="CCE-86032-0" source="CCE"/>
-            <oval-def:reference ref_id="compliance_notification_enabled" source="ssg"/>
+            <oval-def:description>This test makes sure that ^/etc/kubernetes/static-pod-resources/kube-scheduler-pod-.*/kube-scheduler-pod.yaml$ is owned by 0.</oval-def:description>
+            <oval-def:reference ref_id="CCE-83393-9" source="CCE"/>
+            <oval-def:reference ref_id="file_owner_kube_scheduler" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/apis/monitoring.coreos.com/v1/prometheusrules?limit=500#235ac8b4e63854fbdc11eefc4f8fcf6a20f55f7991b08618e698f2ead111925a' at path '[:]' at least one" test_ref="oval:ssg-test_compliance_notification_enabled:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/apis/monitoring.coreos.com/v1/prometheusrules?limit=500#235ac8b4e63854fbdc11eefc4f8fcf6a20f55f7991b08618e698f2ead111925a' exists." test_ref="oval:ssg-test_file_for_compliance_notification_enabled:tst:1"/>
+            <oval-def:criterion comment="Check file ownership of ^/etc/kubernetes/static-pod-resources/kube-scheduler-pod-.*/kube-scheduler-pod.yaml$" test_ref="oval:ssg-test_file_owner_kube_scheduler_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-compliancesuite_exists:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_owner_kubelet:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Ensure that Compliance Operator is scanning the cluster</oval-def:title>
+            <oval-def:title>Verify User Who Owns The Kubelet Configuration File</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/apis/compliance.openshift.io/v1alpha1/compliancesuites?limit=5' at path '.items[:].metadata.name' at least one: value equals '.*'</oval-def:description>
-            <oval-def:reference ref_id="CCE-83697-3" source="CCE"/>
-            <oval-def:reference ref_id="compliancesuite_exists" source="ssg"/>
+            <oval-def:description>This test makes sure that /var/lib/kubelet/config.json is owned by 0.</oval-def:description>
+            <oval-def:reference ref_id="CCE-85900-9" source="CCE"/>
+            <oval-def:reference ref_id="file_owner_kubelet" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/apis/compliance.openshift.io/v1alpha1/compliancesuites?limit=5' at path '.items[:].metadata.name' at least one" test_ref="oval:ssg-test_compliancesuite_exists:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/apis/compliance.openshift.io/v1alpha1/compliancesuites?limit=5' exists." test_ref="oval:ssg-test_file_for_compliancesuite_exists:tst:1"/>
+            <oval-def:criterion comment="Check file ownership of /var/lib/kubelet/config.json" test_ref="oval:ssg-test_file_owner_kubelet_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-configure_network_policies:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_owner_kubelet_conf:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Ensure that the CNI in use supports Network Policies</oval-def:title>
+            <oval-def:title>Verify User Who Owns The Kubelet Configuration File</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/apis/operator.openshift.io/v1/networks/cluster#35e33d6dc1252a03495b35bd1751cac70041a511fa4d282c300a8b83b83e3498' at path '[:]' all: value equals 'OpenShiftSDN|OVN|Calico'</oval-def:description>
-            <oval-def:reference ref_id="configure_network_policies" source="ssg"/>
+            <oval-def:description>This test makes sure that /etc/kubernetes/kubelet.conf is owned by 0.</oval-def:description>
+            <oval-def:reference ref_id="CCE-83976-1" source="CCE"/>
+            <oval-def:reference ref_id="file_owner_kubelet_conf" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/apis/operator.openshift.io/v1/networks/cluster#35e33d6dc1252a03495b35bd1751cac70041a511fa4d282c300a8b83b83e3498' at path '[:]' all" test_ref="oval:ssg-test_configure_network_policies:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/apis/operator.openshift.io/v1/networks/cluster#35e33d6dc1252a03495b35bd1751cac70041a511fa4d282c300a8b83b83e3498' exists." test_ref="oval:ssg-test_file_for_configure_network_policies:tst:1"/>
+            <oval-def:criterion comment="Check file ownership of /etc/kubernetes/kubelet.conf" test_ref="oval:ssg-test_file_owner_kubelet_conf_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-controller_insecure_port_disabled:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_owner_master_admin_kubeconfigs:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Ensure Controller insecure port argument is unset</oval-def:title>
+            <oval-def:title>Verify User Who Owns The OpenShift Admin Kubeconfig Files</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config#9f09cca56dc1e9f9605eb5a94aed74de554fd209513a9222e4fe9c0ed669aeee' at path '[:]' all: value equals 'true'</oval-def:description>
-            <oval-def:reference ref_id="CCE-83578-5" source="CCE"/>
-            <oval-def:reference ref_id="controller_insecure_port_disabled" source="ssg"/>
+            <oval-def:description>This test makes sure that ^/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/.*\.kubeconfig$ is owned by 0.</oval-def:description>
+            <oval-def:reference ref_id="CCE-83719-5" source="CCE"/>
+            <oval-def:reference ref_id="file_owner_master_admin_kubeconfigs" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config#9f09cca56dc1e9f9605eb5a94aed74de554fd209513a9222e4fe9c0ed669aeee' at path '[:]' all" test_ref="oval:ssg-test_controller_insecure_port_disabled:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config#9f09cca56dc1e9f9605eb5a94aed74de554fd209513a9222e4fe9c0ed669aeee' exists." test_ref="oval:ssg-test_file_for_controller_insecure_port_disabled:tst:1"/>
+            <oval-def:criterion comment="Check file ownership of ^/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/.*\.kubeconfig$" test_ref="oval:ssg-test_file_owner_master_admin_kubeconfigs_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-controller_rotate_kubelet_server_certs:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_owner_multus_conf:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Ensure that the RotateKubeletServerCertificate argument is set</oval-def:title>
+            <oval-def:title>Verify User Who Owns The OpenShift Multus Container Network Interface Plugin Files</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config#4cbbbf49b93400715e43dc698f6484799805c502ad3aeb8285de579753b54d31' at path '[:]' at least one: value equals 'RotateKubeletServerCertificate=true'</oval-def:description>
-            <oval-def:reference ref_id="CCE-83730-2" source="CCE"/>
-            <oval-def:reference ref_id="controller_rotate_kubelet_server_certs" source="ssg"/>
+            <oval-def:description>This test makes sure that ^/var/run/multus/cni/net.d/.*$ is owned by 0.</oval-def:description>
+            <oval-def:reference ref_id="CCE-83603-1" source="CCE"/>
+            <oval-def:reference ref_id="file_owner_multus_conf" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config#4cbbbf49b93400715e43dc698f6484799805c502ad3aeb8285de579753b54d31' at path '[:]' at least one" test_ref="oval:ssg-test_controller_rotate_kubelet_server_certs:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config#4cbbbf49b93400715e43dc698f6484799805c502ad3aeb8285de579753b54d31' exists." test_ref="oval:ssg-test_file_for_controller_rotate_kubelet_server_certs:tst:1"/>
+            <oval-def:criterion comment="Check file ownership of ^/var/run/multus/cni/net.d/.*$" test_ref="oval:ssg-test_file_owner_multus_conf_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-controller_secure_port:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_owner_openshift_pki_cert_files:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Ensure Controller secure-port argument is set</oval-def:title>
+            <oval-def:title>Verify User Who Owns The OpenShift PKI Certificate Files</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config#8241ce1009dc5dd166436d0311b60b96aa3a2f591ba43a26e2b9d0bfc9071414' at path '[:]' at least one: value equals 'true'</oval-def:description>
-            <oval-def:reference ref_id="CCE-83861-5" source="CCE"/>
-            <oval-def:reference ref_id="controller_secure_port" source="ssg"/>
+            <oval-def:description>This test makes sure that ^/etc/kubernetes/static-pod-resources/.*/.*/.*/tls\.crt$ is owned by 0.</oval-def:description>
+            <oval-def:reference ref_id="CCE-83558-7" source="CCE"/>
+            <oval-def:reference ref_id="file_owner_openshift_pki_cert_files" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config#8241ce1009dc5dd166436d0311b60b96aa3a2f591ba43a26e2b9d0bfc9071414' at path '[:]' at least one" test_ref="oval:ssg-test_controller_secure_port:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config#8241ce1009dc5dd166436d0311b60b96aa3a2f591ba43a26e2b9d0bfc9071414' exists." test_ref="oval:ssg-test_file_for_controller_secure_port:tst:1"/>
+            <oval-def:criterion comment="Check file ownership of ^/etc/kubernetes/static-pod-resources/.*/.*/.*/tls\.crt$" test_ref="oval:ssg-test_file_owner_openshift_pki_cert_files_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-controller_service_account_ca:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_owner_openshift_pki_key_files:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Configure the Service Account Certificate Authority Key for the Controller Manager</oval-def:title>
+            <oval-def:title>Verify User Who Owns The OpenShift PKI Private Key Files</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config#e27218fb5fb7cd68a9911eb2db6bf715ca959f639e56cb60f90be782ddd7fcf8' at path '[:]' at least one: value equals 'true'</oval-def:description>
-            <oval-def:reference ref_id="CCE-84244-3" source="CCE"/>
-            <oval-def:reference ref_id="controller_service_account_ca" source="ssg"/>
+            <oval-def:description>This test makes sure that ^/etc/kubernetes/static-pod-resources/.*/.*/.*/.*\.key$ is owned by 0.</oval-def:description>
+            <oval-def:reference ref_id="CCE-83435-8" source="CCE"/>
+            <oval-def:reference ref_id="file_owner_openshift_pki_key_files" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config#e27218fb5fb7cd68a9911eb2db6bf715ca959f639e56cb60f90be782ddd7fcf8' at path '[:]' at least one" test_ref="oval:ssg-test_controller_service_account_ca:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config#e27218fb5fb7cd68a9911eb2db6bf715ca959f639e56cb60f90be782ddd7fcf8' exists." test_ref="oval:ssg-test_file_for_controller_service_account_ca:tst:1"/>
+            <oval-def:criterion comment="Check file ownership of ^/etc/kubernetes/static-pod-resources/.*/.*/.*/.*\.key$" test_ref="oval:ssg-test_file_owner_openshift_pki_key_files_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-controller_service_account_private_key:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_owner_openshift_sdn_cniserver_config:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Configure the Service Account Private Key for the Controller Manager</oval-def:title>
+            <oval-def:title>Verify User Who Owns The OpenShift SDN CNI Server Config</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config#407a17f0f401ae8c92955bc382bc80ee34a9afd51ab787e405bf524d03ebf3c8' at path '[:]' at least one: value equals 'true'</oval-def:description>
-            <oval-def:reference ref_id="CCE-83526-4" source="CCE"/>
-            <oval-def:reference ref_id="controller_service_account_private_key" source="ssg"/>
+            <oval-def:description>This test makes sure that /var/run/openshift-sdn/cniserver/config.json is owned by 0.</oval-def:description>
+            <oval-def:reference ref_id="CCE-83932-4" source="CCE"/>
+            <oval-def:reference ref_id="file_owner_openshift_sdn_cniserver_config" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config#407a17f0f401ae8c92955bc382bc80ee34a9afd51ab787e405bf524d03ebf3c8' at path '[:]' at least one" test_ref="oval:ssg-test_controller_service_account_private_key:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config#407a17f0f401ae8c92955bc382bc80ee34a9afd51ab787e405bf524d03ebf3c8' exists." test_ref="oval:ssg-test_file_for_controller_service_account_private_key:tst:1"/>
+            <oval-def:criterion comment="Check file ownership of /var/run/openshift-sdn/cniserver/config.json" test_ref="oval:ssg-test_file_owner_openshift_sdn_cniserver_config_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-controller_use_service_account:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_owner_openvswitch:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Ensure that use-service-account-credentials is enabled</oval-def:title>
+            <oval-def:title>Verify User Who Owns The OpenShift Open vSwitch Files</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config#be4ff4c2d3e706eb3b2f17921e5163bca81082bd313ff067ef625af9e6cb61ff' at path '[:]' at least one: value equals 'true'</oval-def:description>
-            <oval-def:reference ref_id="CCE-84208-8" source="CCE"/>
-            <oval-def:reference ref_id="controller_use_service_account" source="ssg"/>
+            <oval-def:description>This test makes sure that /etc/openvswitch/ is owned by 0.</oval-def:description>
+            <oval-def:reference ref_id="file_owner_openvswitch" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config#be4ff4c2d3e706eb3b2f17921e5163bca81082bd313ff067ef625af9e6cb61ff' at path '[:]' at least one" test_ref="oval:ssg-test_controller_use_service_account:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-controller-manager/configmaps/config#be4ff4c2d3e706eb3b2f17921e5163bca81082bd313ff067ef625af9e6cb61ff' exists." test_ref="oval:ssg-test_file_for_controller_use_service_account:tst:1"/>
+            <oval-def:criterion comment="Check file ownership of /etc/openvswitch/" test_ref="oval:ssg-test_file_owner_openvswitch_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-default_ingress_ca_replaced:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_owner_ovs_conf_db:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Ensure that the default Ingress CA (wildcard issuer) has been replaced</oval-def:title>
+            <oval-def:title>Verify User Who Owns The Open vSwitch Configuration Database</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/apis/config.openshift.io/v1/proxies/cluster' at path '.spec.trustedCA.name' all: value equals '.+'</oval-def:description>
-            <oval-def:reference ref_id="default_ingress_ca_replaced" source="ssg"/>
+            <oval-def:description>This test makes sure that /etc/openvswitch/conf.db is owned by 800.</oval-def:description>
+            <oval-def:reference ref_id="CCE-83489-5" source="CCE"/>
+            <oval-def:reference ref_id="file_owner_ovs_conf_db" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/apis/config.openshift.io/v1/proxies/cluster' at path '.spec.trustedCA.name' all" test_ref="oval:ssg-test_default_ingress_ca_replaced:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/apis/config.openshift.io/v1/proxies/cluster' exists." test_ref="oval:ssg-test_file_for_default_ingress_ca_replaced:tst:1"/>
-            <oval-def:criterion comment="Make sure that all target elements exists for elements at path '.metadata.name'" test_ref="oval:ssg-test_elements_count_for_default_ingress_ca_replaced:tst:1"/>
+            <oval-def:criterion comment="Check file ownership of /etc/openvswitch/conf.db" test_ref="oval:ssg-test_file_owner_ovs_conf_db_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-directory_permissions_var_log_kube_audit:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_owner_ovs_conf_db_lock:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>The Kubernetes Audit Logs Directory Must Have Mode 0700</oval-def:title>
+            <oval-def:title>Verify User Who Owns The Open vSwitch Configuration Database Lock</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that /var/log/kube-apiserver/ has mode 0700.
-      If the target file or directory has an extended ACL, then it will fail the mode check.
-      </oval-def:description>
-            <oval-def:reference ref_id="CCE-83645-2" source="CCE"/>
-            <oval-def:reference ref_id="directory_permissions_var_log_kube_audit" source="ssg"/>
+            <oval-def:description>This test makes sure that /etc/openvswitch/.conf.db.~lock~ is owned by 800.</oval-def:description>
+            <oval-def:reference ref_id="CCE-83462-2" source="CCE"/>
+            <oval-def:reference ref_id="file_owner_ovs_conf_db_lock" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file mode of /var/log/kube-apiserver/" test_ref="oval:ssg-test_file_permissionsdirectory_permissions_var_log_kube_audit_0:tst:1"/>
+            <oval-def:criterion comment="Check file ownership of /etc/openvswitch/.conf.db.~lock~" test_ref="oval:ssg-test_file_owner_ovs_conf_db_lock_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-directory_permissions_var_log_oauth_audit:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_owner_ovs_pid:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>The OAuth Audit Logs Directory Must Have Mode 0700</oval-def:title>
+            <oval-def:title>Verify User Who Owns The Open vSwitch Process ID File</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that /var/log/oauth-apiserver/ has mode 0700.
-      If the target file or directory has an extended ACL, then it will fail the mode check.
-      </oval-def:description>
-            <oval-def:reference ref_id="CCE-90633-9" source="CCE"/>
-            <oval-def:reference ref_id="directory_permissions_var_log_oauth_audit" source="ssg"/>
+            <oval-def:description>This test makes sure that /var/run/openvswitch/ovs-vswitchd.pid is owned by 800.</oval-def:description>
+            <oval-def:reference ref_id="CCE-83937-3" source="CCE"/>
+            <oval-def:reference ref_id="file_owner_ovs_pid" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file mode of /var/log/oauth-apiserver/" test_ref="oval:ssg-test_file_permissionsdirectory_permissions_var_log_oauth_audit_0:tst:1"/>
+            <oval-def:criterion comment="Check file ownership of /var/run/openvswitch/ovs-vswitchd.pid" test_ref="oval:ssg-test_file_owner_ovs_pid_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-directory_permissions_var_log_ocp_audit:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_owner_ovs_sys_id_conf:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>The OpenShift Audit Logs Directory Must Have Mode 0700</oval-def:title>
+            <oval-def:title>Verify User Who Owns The Open vSwitch Persistent System ID</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that /var/log/openshift-apiserver/ has mode 0700.
-      If the target file or directory has an extended ACL, then it will fail the mode check.
-      </oval-def:description>
-            <oval-def:reference ref_id="CCE-90634-7" source="CCE"/>
-            <oval-def:reference ref_id="directory_permissions_var_log_ocp_audit" source="ssg"/>
+            <oval-def:description>This test makes sure that /etc/openvswitch/system-id.conf is owned by 800.</oval-def:description>
+            <oval-def:reference ref_id="CCE-84085-0" source="CCE"/>
+            <oval-def:reference ref_id="file_owner_ovs_sys_id_conf" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file mode of /var/log/openshift-apiserver/" test_ref="oval:ssg-test_file_permissionsdirectory_permissions_var_log_ocp_audit_0:tst:1"/>
+            <oval-def:criterion comment="Check file ownership of /etc/openvswitch/system-id.conf" test_ref="oval:ssg-test_file_owner_ovs_sys_id_conf_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-ebs_encryption_enabled_on_machinesets:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_owner_ovs_vswitchd_pid:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Ensure that EBS volumes use by cluster nodes are encrypted</oval-def:title>
+            <oval-def:title>Verify User Who Owns The Open vSwitch Daemon PID File</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/apis/machine.openshift.io/v1beta1/machinesets?limit=500#06ea2adfb5429a7351e7bd78b7ec378225e0d3256c4c9e4e3b2ce59900959267' at path '[:]' all: value equals 'true'</oval-def:description>
-            <oval-def:reference ref_id="CCE-85859-7" source="CCE"/>
-            <oval-def:reference ref_id="ebs_encryption_enabled_on_machinesets" source="ssg"/>
+            <oval-def:description>This test makes sure that /run/openvswitch/ovs-vswitchd.pid is owned by 800.</oval-def:description>
+            <oval-def:reference ref_id="CCE-83888-8" source="CCE"/>
+            <oval-def:reference ref_id="file_owner_ovs_vswitchd_pid" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/apis/machine.openshift.io/v1beta1/machinesets?limit=500#06ea2adfb5429a7351e7bd78b7ec378225e0d3256c4c9e4e3b2ce59900959267' at path '[:]' all" test_ref="oval:ssg-test_ebs_encryption_enabled_on_machinesets:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/apis/machine.openshift.io/v1beta1/machinesets?limit=500#06ea2adfb5429a7351e7bd78b7ec378225e0d3256c4c9e4e3b2ce59900959267' exists." test_ref="oval:ssg-test_file_for_ebs_encryption_enabled_on_machinesets:tst:1"/>
+            <oval-def:criterion comment="Check file ownership of /run/openvswitch/ovs-vswitchd.pid" test_ref="oval:ssg-test_file_owner_ovs_vswitchd_pid_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-etcd_auto_tls:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_owner_ovsdb_server_pid:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Disable etcd Self-Signed Certificates</oval-def:title>
+            <oval-def:title>Verify User Who Owns The Open vSwitch Database Server PID</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod#72b7530e9fb0f39686f598b00d791485841e98be902ba16431a5629726dd7027' at path '[:]' none satisfy: value equals '.*auto-tls[= ]true.*'</oval-def:description>
-            <oval-def:reference ref_id="CCE-84199-9" source="CCE"/>
-            <oval-def:reference ref_id="etcd_auto_tls" source="ssg"/>
+            <oval-def:description>This test makes sure that /run/openvswitch/ovsdb-server.pid is owned by 800.</oval-def:description>
+            <oval-def:reference ref_id="CCE-83806-0" source="CCE"/>
+            <oval-def:reference ref_id="file_owner_ovsdb_server_pid" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod#72b7530e9fb0f39686f598b00d791485841e98be902ba16431a5629726dd7027' at path '[:]' none satisfy" test_ref="oval:ssg-test_etcd_auto_tls:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod#72b7530e9fb0f39686f598b00d791485841e98be902ba16431a5629726dd7027' exists." test_ref="oval:ssg-test_file_for_etcd_auto_tls:tst:1"/>
+            <oval-def:criterion comment="Check file ownership of /run/openvswitch/ovsdb-server.pid" test_ref="oval:ssg-test_file_owner_ovsdb_server_pid_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-etcd_cert_file:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_owner_scheduler_kubeconfig:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Ensure That The etcd Client Certificate Is Correctly Set</oval-def:title>
+            <oval-def:title>Verify User Who Owns The Kubernetes Scheduler Kubeconfig File</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod#72b7530e9fb0f39686f598b00d791485841e98be902ba16431a5629726dd7027' at path '[:]' all: value equals '--cert-file='</oval-def:description>
-            <oval-def:reference ref_id="CCE-83553-8" source="CCE"/>
-            <oval-def:reference ref_id="etcd_cert_file" source="ssg"/>
+            <oval-def:description>This test makes sure that ^/etc/kubernetes/static-pod-resources/kube-scheduler-pod-.*/configmaps/scheduler-kubeconfig/kubeconfig$ is owned by 0.</oval-def:description>
+            <oval-def:reference ref_id="CCE-84017-3" source="CCE"/>
+            <oval-def:reference ref_id="file_owner_scheduler_kubeconfig" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod#72b7530e9fb0f39686f598b00d791485841e98be902ba16431a5629726dd7027' at path '[:]' all" test_ref="oval:ssg-test_etcd_cert_file:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod#72b7530e9fb0f39686f598b00d791485841e98be902ba16431a5629726dd7027' exists." test_ref="oval:ssg-test_file_for_etcd_cert_file:tst:1"/>
+            <oval-def:criterion comment="Check file ownership of ^/etc/kubernetes/static-pod-resources/kube-scheduler-pod-.*/configmaps/scheduler-kubeconfig/kubeconfig$" test_ref="oval:ssg-test_file_owner_scheduler_kubeconfig_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-etcd_check_cipher_suite:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_owner_var_lib_etcd:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Ensure ETCD has correct cipher suite</oval-def:title>
+            <oval-def:title>Verify User Who Owns The OpenShift etcd Data Directory</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod' at path '.data['pod.yaml']' all: value equals 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256'</oval-def:description>
-            <oval-def:reference ref_id="CCE-85866-2" source="CCE"/>
-            <oval-def:reference ref_id="etcd_check_cipher_suite" source="ssg"/>
+            <oval-def:description>This test makes sure that /var/lib/etcd/ is owned by 0.</oval-def:description>
+            <oval-def:reference ref_id="file_owner_var_lib_etcd" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod' at path '.data['pod.yaml']' all" test_ref="oval:ssg-test_etcd_check_cipher_suite:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod' exists." test_ref="oval:ssg-test_file_for_etcd_check_cipher_suite:tst:1"/>
+            <oval-def:criterion comment="Check file ownership of /var/lib/etcd/" test_ref="oval:ssg-test_file_owner_var_lib_etcd_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-etcd_client_cert_auth:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_owner_worker_ca:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Enable The Client Certificate Authentication</oval-def:title>
+            <oval-def:title>Verify User Who Owns the Worker Certificate Authority File</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod#72b7530e9fb0f39686f598b00d791485841e98be902ba16431a5629726dd7027' at path '[:]' all: value equals '.*--client-cert-auth=true \.*'</oval-def:description>
-            <oval-def:reference ref_id="CCE-84077-7" source="CCE"/>
-            <oval-def:reference ref_id="etcd_client_cert_auth" source="ssg"/>
+            <oval-def:description>This test makes sure that /etc/kubernetes/kubelet-ca.crt is owned by 0.</oval-def:description>
+            <oval-def:reference ref_id="CCE-83495-2" source="CCE"/>
+            <oval-def:reference ref_id="file_owner_worker_ca" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod#72b7530e9fb0f39686f598b00d791485841e98be902ba16431a5629726dd7027' at path '[:]' all" test_ref="oval:ssg-test_etcd_client_cert_auth:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod#72b7530e9fb0f39686f598b00d791485841e98be902ba16431a5629726dd7027' exists." test_ref="oval:ssg-test_file_for_etcd_client_cert_auth:tst:1"/>
+            <oval-def:criterion comment="Check file ownership of /etc/kubernetes/kubelet-ca.crt" test_ref="oval:ssg-test_file_owner_worker_ca_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-etcd_key_file:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_owner_worker_kubeconfig:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Ensure That The etcd Key File Is Correctly Set</oval-def:title>
+            <oval-def:title>Verify User Who Owns The Worker Kubeconfig File</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod#72b7530e9fb0f39686f598b00d791485841e98be902ba16431a5629726dd7027' at path '[:]' all: value equals '--key-file='</oval-def:description>
-            <oval-def:reference ref_id="CCE-83745-0" source="CCE"/>
-            <oval-def:reference ref_id="etcd_key_file" source="ssg"/>
+            <oval-def:description>This test makes sure that /var/lib/kubelet/kubeconfig is owned by 0.</oval-def:description>
+            <oval-def:reference ref_id="CCE-83408-5" source="CCE"/>
+            <oval-def:reference ref_id="file_owner_worker_kubeconfig" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod#72b7530e9fb0f39686f598b00d791485841e98be902ba16431a5629726dd7027' at path '[:]' all" test_ref="oval:ssg-test_etcd_key_file:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod#72b7530e9fb0f39686f598b00d791485841e98be902ba16431a5629726dd7027' exists." test_ref="oval:ssg-test_file_for_etcd_key_file:tst:1"/>
+            <oval-def:criterion comment="Check file ownership of /var/lib/kubelet/kubeconfig" test_ref="oval:ssg-test_file_owner_worker_kubeconfig_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-etcd_peer_auto_tls:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_owner_worker_service:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Disable etcd Peer Self-Signed Certificates</oval-def:title>
+            <oval-def:title>Verify User Who Owns The OpenShift Node Service File</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod#72b7530e9fb0f39686f598b00d791485841e98be902ba16431a5629726dd7027' at path '[:]' none satisfy: value equals '.*peer-auto-tls[= ]true.*'</oval-def:description>
-            <oval-def:reference ref_id="CCE-84184-1" source="CCE"/>
-            <oval-def:reference ref_id="etcd_peer_auto_tls" source="ssg"/>
+            <oval-def:description>This test makes sure that /etc/systemd/system/kubelet.service is owned by 0.</oval-def:description>
+            <oval-def:reference ref_id="CCE-84193-2" source="CCE"/>
+            <oval-def:reference ref_id="file_owner_worker_service" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod#72b7530e9fb0f39686f598b00d791485841e98be902ba16431a5629726dd7027' at path '[:]' none satisfy" test_ref="oval:ssg-test_etcd_peer_auto_tls:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod#72b7530e9fb0f39686f598b00d791485841e98be902ba16431a5629726dd7027' exists." test_ref="oval:ssg-test_file_for_etcd_peer_auto_tls:tst:1"/>
+            <oval-def:criterion comment="Check file ownership of /etc/systemd/system/kubelet.service" test_ref="oval:ssg-test_file_owner_worker_service_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-etcd_peer_cert_file:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_ownership_var_log_kube_audit:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Ensure That The etcd Peer Client Certificate Is Correctly Set</oval-def:title>
+            <oval-def:title>Kubernetes Audit Logs Must Be Owned By Root</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod#72b7530e9fb0f39686f598b00d791485841e98be902ba16431a5629726dd7027' at path '[:]' all: value equals '--peer-cert-file='</oval-def:description>
-            <oval-def:reference ref_id="CCE-83847-4" source="CCE"/>
-            <oval-def:reference ref_id="etcd_peer_cert_file" source="ssg"/>
+            <oval-def:description>This test makes sure that ^/var/log/kube-apiserver($|/.*$) is owned by 0.</oval-def:description>
+            <oval-def:reference ref_id="CCE-83650-2" source="CCE"/>
+            <oval-def:reference ref_id="file_ownership_var_log_kube_audit" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod#72b7530e9fb0f39686f598b00d791485841e98be902ba16431a5629726dd7027' at path '[:]' all" test_ref="oval:ssg-test_etcd_peer_cert_file:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod#72b7530e9fb0f39686f598b00d791485841e98be902ba16431a5629726dd7027' exists." test_ref="oval:ssg-test_file_for_etcd_peer_cert_file:tst:1"/>
+            <oval-def:criterion comment="Check file ownership of ^/var/log/kube-apiserver($|/.*$)" test_ref="oval:ssg-test_file_ownership_var_log_kube_audit_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-etcd_peer_client_cert_auth:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_ownership_var_log_oauth_audit:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Enable The Peer Client Certificate Authentication</oval-def:title>
+            <oval-def:title>OAuth Audit Logs Must Be Owned By Root</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod#72b7530e9fb0f39686f598b00d791485841e98be902ba16431a5629726dd7027' at path '[:]' all: value equals '--peer-client-cert-auth=true'</oval-def:description>
-            <oval-def:reference ref_id="CCE-83465-5" source="CCE"/>
-            <oval-def:reference ref_id="etcd_peer_client_cert_auth" source="ssg"/>
+            <oval-def:description>This test makes sure that ^/var/log/oauth-apiserver($|/.*$) is owned by 0.</oval-def:description>
+            <oval-def:reference ref_id="CCE-90635-4" source="CCE"/>
+            <oval-def:reference ref_id="file_ownership_var_log_oauth_audit" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod#72b7530e9fb0f39686f598b00d791485841e98be902ba16431a5629726dd7027' at path '[:]' all" test_ref="oval:ssg-test_etcd_peer_client_cert_auth:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod#72b7530e9fb0f39686f598b00d791485841e98be902ba16431a5629726dd7027' exists." test_ref="oval:ssg-test_file_for_etcd_peer_client_cert_auth:tst:1"/>
+            <oval-def:criterion comment="Check file ownership of ^/var/log/oauth-apiserver($|/.*$)" test_ref="oval:ssg-test_file_ownership_var_log_oauth_audit_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-etcd_peer_key_file:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_ownership_var_log_ocp_audit:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Ensure That The etcd Peer Key File Is Correctly Set</oval-def:title>
+            <oval-def:title>OpenShift Audit Logs Must Be Owned By Root</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod#72b7530e9fb0f39686f598b00d791485841e98be902ba16431a5629726dd7027' at path '[:]' all: value equals '--peer-key-file='</oval-def:description>
-            <oval-def:reference ref_id="CCE-83711-2" source="CCE"/>
-            <oval-def:reference ref_id="etcd_peer_key_file" source="ssg"/>
+            <oval-def:description>This test makes sure that ^/var/log/openshift-apiserver($|/.*$) is owned by 0.</oval-def:description>
+            <oval-def:reference ref_id="CCE-90636-2" source="CCE"/>
+            <oval-def:reference ref_id="file_ownership_var_log_ocp_audit" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod#72b7530e9fb0f39686f598b00d791485841e98be902ba16431a5629726dd7027' at path '[:]' all" test_ref="oval:ssg-test_etcd_peer_key_file:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-etcd/configmaps/etcd-pod#72b7530e9fb0f39686f598b00d791485841e98be902ba16431a5629726dd7027' exists." test_ref="oval:ssg-test_file_for_etcd_peer_key_file:tst:1"/>
+            <oval-def:criterion comment="Check file ownership of ^/var/log/openshift-apiserver($|/.*$)" test_ref="oval:ssg-test_file_ownership_var_log_ocp_audit_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_cni_conf:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_cni_conf:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify Group Who Owns The OpenShift Container Network Interface Files</oval-def:title>
+            <oval-def:title>Verify Permissions on the OpenShift Container Network Interface Files</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that ^/etc/cni/net.d/.*$ is group owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="CCE-84025-6" source="CCE"/>
-            <oval-def:reference ref_id="file_groupowner_cni_conf" source="ssg"/>
+            <oval-def:description>This test makes sure that ^/etc/cni/net.d/.*$ has mode 0644.
+      If the target file or directory has an extended ACL, then it will fail the mode check.
+      </oval-def:description>
+            <oval-def:reference ref_id="CCE-83379-8" source="CCE"/>
+            <oval-def:reference ref_id="file_permissions_cni_conf" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file group ownership of ^/etc/cni/net.d/.*$" test_ref="oval:ssg-test_file_groupowner_cni_conf_0:tst:1"/>
+            <oval-def:criterion comment="Check file mode of ^/etc/cni/net.d/.*$" test_ref="oval:ssg-test_file_permissions_cni_conf_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_controller_manager_kubeconfig:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_controller_manager_kubeconfig:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify Group Who Owns The OpenShift Controller Manager Kubeconfig File</oval-def:title>
+            <oval-def:title>Verify Permissions on the OpenShift Controller Manager Kubeconfig File</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that ^/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-.*/configmaps/controller-manager-kubeconfig/kubeconfig$ is group owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="CCE-84095-9" source="CCE"/>
-            <oval-def:reference ref_id="file_groupowner_controller_manager_kubeconfig" source="ssg"/>
+            <oval-def:description>This test makes sure that ^/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-.*/configmaps/controller-manager-kubeconfig/kubeconfig$ has mode 0644.
+      If the target file or directory has an extended ACL, then it will fail the mode check.
+      </oval-def:description>
+            <oval-def:reference ref_id="CCE-83604-9" source="CCE"/>
+            <oval-def:reference ref_id="file_permissions_controller_manager_kubeconfig" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file group ownership of ^/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-.*/configmaps/controller-manager-kubeconfig/kubeconfig$" test_ref="oval:ssg-test_file_groupowner_controller_manager_kubeconfig_0:tst:1"/>
+            <oval-def:criterion comment="Check file mode of ^/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-.*/configmaps/controller-manager-kubeconfig/kubeconfig$" test_ref="oval:ssg-test_file_permissions_controller_manager_kubeconfig_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_etcd_data_dir:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_etcd_data_dir:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify Group Who Owns The Etcd Database Directory</oval-def:title>
+            <oval-def:title>Verify Permissions on the Etcd Database Directory</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that /var/lib/etcd/member/ is group owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="CCE-83354-1" source="CCE"/>
-            <oval-def:reference ref_id="file_groupowner_etcd_data_dir" source="ssg"/>
+            <oval-def:description>This test makes sure that /var/lib/etcd/member/ has mode 0700.
+      If the target file or directory has an extended ACL, then it will fail the mode check.
+      </oval-def:description>
+            <oval-def:reference ref_id="CCE-84013-2" source="CCE"/>
+            <oval-def:reference ref_id="file_permissions_etcd_data_dir" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file group ownership of /var/lib/etcd/member/" test_ref="oval:ssg-test_file_groupowner_etcd_data_dir_0:tst:1"/>
+            <oval-def:criterion comment="Check file mode of /var/lib/etcd/member/" test_ref="oval:ssg-test_file_permissions_etcd_data_dir_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_etcd_data_files:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_etcd_data_files:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify Group Who Owns The Etcd Write-Ahead-Log Files</oval-def:title>
+            <oval-def:title>Verify Permissions on the Etcd Write-Ahead-Log Files</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that ^/var/lib/etcd/member/wal/.*$ is group owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="CCE-83816-9" source="CCE"/>
-            <oval-def:reference ref_id="file_groupowner_etcd_data_files" source="ssg"/>
+            <oval-def:description>This test makes sure that ^/var/lib/etcd/member/wal/.*$ has mode 0600.
+      If the target file or directory has an extended ACL, then it will fail the mode check.
+      </oval-def:description>
+            <oval-def:reference ref_id="CCE-83382-2" source="CCE"/>
+            <oval-def:reference ref_id="file_permissions_etcd_data_files" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file group ownership of ^/var/lib/etcd/member/wal/.*$" test_ref="oval:ssg-test_file_groupowner_etcd_data_files_0:tst:1"/>
+            <oval-def:criterion comment="Check file mode of ^/var/lib/etcd/member/wal/.*$" test_ref="oval:ssg-test_file_permissions_etcd_data_files_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_etcd_member:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_etcd_member:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify Group Who Owns The etcd Member Pod Specification File</oval-def:title>
+            <oval-def:title>Verify Permissions on the Etcd Member Pod Specification File</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that ^/etc/kubernetes/static-pod-resources/etcd-pod-.*/etcd-pod.yaml$ is group owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="CCE-83664-3" source="CCE"/>
-            <oval-def:reference ref_id="file_groupowner_etcd_member" source="ssg"/>
+            <oval-def:description>This test makes sure that ^/etc/kubernetes/static-pod-resources/etcd-pod-.*/etcd-pod.yaml$ has mode 0644.
+      If the target file or directory has an extended ACL, then it will fail the mode check.
+      </oval-def:description>
+            <oval-def:reference ref_id="CCE-83973-8" source="CCE"/>
+            <oval-def:reference ref_id="file_permissions_etcd_member" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file group ownership of ^/etc/kubernetes/static-pod-resources/etcd-pod-.*/etcd-pod.yaml$" test_ref="oval:ssg-test_file_groupowner_etcd_member_0:tst:1"/>
+            <oval-def:criterion comment="Check file mode of ^/etc/kubernetes/static-pod-resources/etcd-pod-.*/etcd-pod.yaml$" test_ref="oval:ssg-test_file_permissions_etcd_member_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_etcd_pki_cert_files:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_etcd_pki_cert_files:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify Group Who Owns The Etcd PKI Certificate Files</oval-def:title>
+            <oval-def:title>Verify Permissions on the Etcd PKI Certificate Files</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that ^/etc/kubernetes/static-pod-resources/.*/.*/.*/.*\.crt$ is group owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="CCE-83890-4" source="CCE"/>
-            <oval-def:reference ref_id="file_groupowner_etcd_pki_cert_files" source="ssg"/>
+            <oval-def:description>This test makes sure that ^/etc/kubernetes/static-pod-resources/etcd-.*/secrets/.*/.*\.crt$ has mode 0600.
+      If the target file or directory has an extended ACL, then it will fail the mode check.
+      </oval-def:description>
+            <oval-def:reference ref_id="CCE-83362-4" source="CCE"/>
+            <oval-def:reference ref_id="file_permissions_etcd_pki_cert_files" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file group ownership of ^/etc/kubernetes/static-pod-resources/.*/.*/.*/.*\.crt$" test_ref="oval:ssg-test_file_groupowner_etcd_pki_cert_files_0:tst:1"/>
+            <oval-def:criterion comment="Check file mode of ^/etc/kubernetes/static-pod-resources/etcd-.*/secrets/.*/.*\.crt$" test_ref="oval:ssg-test_file_permissions_etcd_pki_cert_files_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_ip_allocations:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_ip_allocations:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify Group Who Owns The OpenShift SDN Container Network Interface Plugin IP Address Allocations</oval-def:title>
+            <oval-def:title>Verify Permissions on the OpenShift SDN Container Network Interface Plugin IP Address Allocations</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that ^/var/lib/cni/networks/openshift-sdn/.*$ is group owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="CCE-84211-2" source="CCE"/>
-            <oval-def:reference ref_id="file_groupowner_ip_allocations" source="ssg"/>
+            <oval-def:description>This test makes sure that ^/var/lib/cni/networks/openshift-sdn/.*$ has mode 0644.
+      If the target file or directory has an extended ACL, then it will fail the mode check.
+      </oval-def:description>
+            <oval-def:reference ref_id="CCE-83469-7" source="CCE"/>
+            <oval-def:reference ref_id="file_permissions_ip_allocations" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file group ownership of ^/var/lib/cni/networks/openshift-sdn/.*$" test_ref="oval:ssg-test_file_groupowner_ip_allocations_0:tst:1"/>
+            <oval-def:criterion comment="Check file mode of ^/var/lib/cni/networks/openshift-sdn/.*$" test_ref="oval:ssg-test_file_permissions_ip_allocations_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_kube_apiserver:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_kube_apiserver:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify Group Who Owns The Kubernetes API Server Pod Specification File</oval-def:title>
+            <oval-def:title>Verify Permissions on the Kubernetes API Server Pod Specification File</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that ^/etc/kubernetes/static-pod-resources/kube-apiserver-pod-.*/kube-apiserver-pod.yaml$ is group owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="CCE-83530-6" source="CCE"/>
-            <oval-def:reference ref_id="file_groupowner_kube_apiserver" source="ssg"/>
+            <oval-def:description>This test makes sure that ^/etc/kubernetes/static-pod-resources/kube-apiserver-pod-.*/kube-apiserver-pod.yaml$ has mode 0644.
+      If the target file or directory has an extended ACL, then it will fail the mode check.
+      </oval-def:description>
+            <oval-def:reference ref_id="CCE-83983-7" source="CCE"/>
+            <oval-def:reference ref_id="file_permissions_kube_apiserver" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file group ownership of ^/etc/kubernetes/static-pod-resources/kube-apiserver-pod-.*/kube-apiserver-pod.yaml$" test_ref="oval:ssg-test_file_groupowner_kube_apiserver_0:tst:1"/>
+            <oval-def:criterion comment="Check file mode of ^/etc/kubernetes/static-pod-resources/kube-apiserver-pod-.*/kube-apiserver-pod.yaml$" test_ref="oval:ssg-test_file_permissions_kube_apiserver_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_kube_controller_manager:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_kube_controller_manager:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify Group Who Owns The Kubernetes Controller Manager Pod Specification File</oval-def:title>
+            <oval-def:title>Verify Permissions on the Kubernetes Controller Manager Pod Specificiation File</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that ^/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-.*/kube-controller-manager-pod.yaml$ is group owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="CCE-83953-0" source="CCE"/>
-            <oval-def:reference ref_id="file_groupowner_kube_controller_manager" source="ssg"/>
+            <oval-def:description>This test makes sure that ^/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-.*/kube-controller-manager-pod.yaml$ has mode 0644.
+      If the target file or directory has an extended ACL, then it will fail the mode check.
+      </oval-def:description>
+            <oval-def:reference ref_id="CCE-84161-9" source="CCE"/>
+            <oval-def:reference ref_id="file_permissions_kube_controller_manager" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file group ownership of ^/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-.*/kube-controller-manager-pod.yaml$" test_ref="oval:ssg-test_file_groupowner_kube_controller_manager_0:tst:1"/>
+            <oval-def:criterion comment="Check file mode of ^/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-.*/kube-controller-manager-pod.yaml$" test_ref="oval:ssg-test_file_permissions_kube_controller_manager_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_kube_scheduler:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_kubelet:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify Group Who Owns The Kubernetes Scheduler Pod Specification File</oval-def:title>
+            <oval-def:title>Verify Permissions on The Kubelet Configuration File</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that ^/etc/kubernetes/static-pod-resources/kube-scheduler-pod-.*/kube-scheduler-pod.yaml$ is group owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="CCE-83614-8" source="CCE"/>
-            <oval-def:reference ref_id="file_groupowner_kube_scheduler" source="ssg"/>
+            <oval-def:description>This test makes sure that /var/lib/kubelet/config.json has mode 0600.
+      If the target file or directory has an extended ACL, then it will fail the mode check.
+      </oval-def:description>
+            <oval-def:reference ref_id="CCE-85896-9" source="CCE"/>
+            <oval-def:reference ref_id="file_permissions_kubelet" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file group ownership of ^/etc/kubernetes/static-pod-resources/kube-scheduler-pod-.*/kube-scheduler-pod.yaml$" test_ref="oval:ssg-test_file_groupowner_kube_scheduler_0:tst:1"/>
+            <oval-def:criterion comment="Check file mode of /var/lib/kubelet/config.json" test_ref="oval:ssg-test_file_permissions_kubelet_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_kubelet_conf:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_kubelet_conf:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify Group Who Owns The Kubelet Configuration File</oval-def:title>
+            <oval-def:title>Verify Permissions on The Kubelet Configuration File</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that /etc/kubernetes/kubelet.conf is group owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="CCE-84233-6" source="CCE"/>
-            <oval-def:reference ref_id="file_groupowner_kubelet_conf" source="ssg"/>
+            <oval-def:description>This test makes sure that /etc/kubernetes/kubelet.conf has mode 0644.
+      If the target file or directory has an extended ACL, then it will fail the mode check.
+      </oval-def:description>
+            <oval-def:reference ref_id="CCE-83470-5" source="CCE"/>
+            <oval-def:reference ref_id="file_permissions_kubelet_conf" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file group ownership of /etc/kubernetes/kubelet.conf" test_ref="oval:ssg-test_file_groupowner_kubelet_conf_0:tst:1"/>
+            <oval-def:criterion comment="Check file mode of /etc/kubernetes/kubelet.conf" test_ref="oval:ssg-test_file_permissions_kubelet_conf_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_master_admin_kubeconfigs:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_master_admin_kubeconfigs:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify Group Who Owns The OpenShift Admin Kubeconfig Files</oval-def:title>
+            <oval-def:title>Verify Permissions on the OpenShift Admin Kubeconfig Files</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that ^/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/.*\.kubeconfig$ is group owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="CCE-84204-7" source="CCE"/>
-            <oval-def:reference ref_id="file_groupowner_master_admin_kubeconfigs" source="ssg"/>
+            <oval-def:description>This test makes sure that ^/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/.*\.kubeconfig$ has mode 0600.
+      If the target file or directory has an extended ACL, then it will fail the mode check.
+      </oval-def:description>
+            <oval-def:reference ref_id="CCE-84278-1" source="CCE"/>
+            <oval-def:reference ref_id="file_permissions_master_admin_kubeconfigs" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file group ownership of ^/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/.*\.kubeconfig$" test_ref="oval:ssg-test_file_groupowner_master_admin_kubeconfigs_0:tst:1"/>
+            <oval-def:criterion comment="Check file mode of ^/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/.*\.kubeconfig$" test_ref="oval:ssg-test_file_permissions_master_admin_kubeconfigs_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_multus_conf:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_multus_conf:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify Group Who Owns The OpenShift Multus Container Network Interface Plugin Files</oval-def:title>
+            <oval-def:title>Verify Permissions on the OpenShift Multus Container Network Interface Plugin Files</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that ^/var/run/multus/cni/net.d/.*$ is group owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="CCE-83818-5" source="CCE"/>
-            <oval-def:reference ref_id="file_groupowner_multus_conf" source="ssg"/>
+            <oval-def:description>This test makes sure that ^/var/run/multus/cni/net.d/.*$ has mode 0644.
+      If the target file or directory has an extended ACL, then it will fail the mode check.
+      </oval-def:description>
+            <oval-def:reference ref_id="CCE-83467-1" source="CCE"/>
+            <oval-def:reference ref_id="file_permissions_multus_conf" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file group ownership of ^/var/run/multus/cni/net.d/.*$" test_ref="oval:ssg-test_file_groupowner_multus_conf_0:tst:1"/>
+            <oval-def:criterion comment="Check file mode of ^/var/run/multus/cni/net.d/.*$" test_ref="oval:ssg-test_file_permissions_multus_conf_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_openshift_pki_cert_files:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_openshift_pki_cert_files:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify Group Who Owns The OpenShift PKI Certificate Files</oval-def:title>
+            <oval-def:title>Verify Permissions on the OpenShift PKI Certificate Files</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that ^/etc/kubernetes/static-pod-resources/.*/.*/.*/tls\.crt$ is group owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="CCE-83922-5" source="CCE"/>
-            <oval-def:reference ref_id="file_groupowner_openshift_pki_cert_files" source="ssg"/>
+            <oval-def:description>This test makes sure that ^/etc/kubernetes/static-pod-resources/kube-.*/secrets/.*/tls\.crt$ has mode 0600.
+      If the target file or directory has an extended ACL, then it will fail the mode check.
+      </oval-def:description>
+            <oval-def:reference ref_id="CCE-83552-0" source="CCE"/>
+            <oval-def:reference ref_id="file_permissions_openshift_pki_cert_files" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file group ownership of ^/etc/kubernetes/static-pod-resources/.*/.*/.*/tls\.crt$" test_ref="oval:ssg-test_file_groupowner_openshift_pki_cert_files_0:tst:1"/>
+            <oval-def:criterion comment="Check file mode of ^/etc/kubernetes/static-pod-resources/kube-.*/secrets/.*/tls\.crt$" test_ref="oval:ssg-test_file_permissions_openshift_pki_cert_files_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_openshift_pki_key_files:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_openshift_pki_key_files:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify Group Who Owns The OpenShift PKI Private Key Files</oval-def:title>
+            <oval-def:title>Verify Permissions on the OpenShift PKI Private Key Files</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that ^/etc/kubernetes/static-pod-resources/.*/.*/.*/.*\.key$ is group owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="CCE-84172-6" source="CCE"/>
-            <oval-def:reference ref_id="file_groupowner_openshift_pki_key_files" source="ssg"/>
+            <oval-def:description>This test makes sure that ^/etc/kubernetes/static-pod-resources/.*/.*/.*/.*\.key$ has mode 0600.
+      If the target file or directory has an extended ACL, then it will fail the mode check.
+      </oval-def:description>
+            <oval-def:reference ref_id="CCE-83580-1" source="CCE"/>
+            <oval-def:reference ref_id="file_permissions_openshift_pki_key_files" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file group ownership of ^/etc/kubernetes/static-pod-resources/.*/.*/.*/.*\.key$" test_ref="oval:ssg-test_file_groupowner_openshift_pki_key_files_0:tst:1"/>
+            <oval-def:criterion comment="Check file mode of ^/etc/kubernetes/static-pod-resources/.*/.*/.*/.*\.key$" test_ref="oval:ssg-test_file_permissions_openshift_pki_key_files_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_openshift_sdn_cniserver_config:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_openvswitch:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify Group Who Owns The OpenShift SDN CNI Server Config</oval-def:title>
+            <oval-def:title>Verify Permissions on the OpenShift Open vSwitch Files</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that /var/run/openshift-sdn/cniserver/config.json is group owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="CCE-83605-6" source="CCE"/>
-            <oval-def:reference ref_id="file_groupowner_openshift_sdn_cniserver_config" source="ssg"/>
+            <oval-def:description>This test makes sure that /etc/openvswitch/ has mode 0644.
+      If the target file or directory has an extended ACL, then it will fail the mode check.
+      </oval-def:description>
+            <oval-def:reference ref_id="file_permissions_openvswitch" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file group ownership of /var/run/openshift-sdn/cniserver/config.json" test_ref="oval:ssg-test_file_groupowner_openshift_sdn_cniserver_config_0:tst:1"/>
+            <oval-def:criterion comment="Check file mode of /etc/openvswitch/" test_ref="oval:ssg-test_file_permissions_openvswitch_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_openvswitch:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_ovs_conf_db:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify Group Who Owns The OpenShift Open vSwitch Files</oval-def:title>
+            <oval-def:title>Verify Permissions on the Open vSwitch Configuration Database</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that /etc/openvswitch/ is group owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="file_groupowner_openvswitch" source="ssg"/>
+            <oval-def:description>This test makes sure that /etc/openvswitch/conf.db has mode 0640.
+      If the target file or directory has an extended ACL, then it will fail the mode check.
+      </oval-def:description>
+            <oval-def:reference ref_id="CCE-83788-0" source="CCE"/>
+            <oval-def:reference ref_id="file_permissions_ovs_conf_db" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file group ownership of /etc/openvswitch/" test_ref="oval:ssg-test_file_groupowner_openvswitch_0:tst:1"/>
+            <oval-def:criterion comment="Check file mode of /etc/openvswitch/conf.db" test_ref="oval:ssg-test_file_permissions_ovs_conf_db_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_ovs_conf_db_lock_not_s390x:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_ovs_conf_db_lock:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify Group Who Owns The Open vSwitch Configuration Database Lock</oval-def:title>
+            <oval-def:title>Verify Permissions on the Open vSwitch Configuration Database Lock</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that /etc/openvswitch/.conf.db.~lock~ is group owned by 801.</oval-def:description>
-            <oval-def:reference ref_id="CCE-84219-5" source="CCE"/>
-            <oval-def:reference ref_id="file_groupowner_ovs_conf_db_lock_not_s390x" source="ssg"/>
+            <oval-def:description>This test makes sure that /etc/openvswitch/.conf.db.~lock~ has mode 0600.
+      If the target file or directory has an extended ACL, then it will fail the mode check.
+      </oval-def:description>
+            <oval-def:reference ref_id="CCE-84202-1" source="CCE"/>
+            <oval-def:reference ref_id="file_permissions_ovs_conf_db_lock" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file group ownership of /etc/openvswitch/.conf.db.~lock~" test_ref="oval:ssg-test_file_groupowner_ovs_conf_db_lock_not_s390x_0:tst:1"/>
+            <oval-def:criterion comment="Check file mode of /etc/openvswitch/.conf.db.~lock~" test_ref="oval:ssg-test_file_permissions_ovs_conf_db_lock_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_ovs_conf_db_lock_s390x:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_ovs_pid:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify Group Who Owns The Open vSwitch Configuration Database Lock</oval-def:title>
+            <oval-def:title>Verify Permissions on the Open vSwitch Process ID File</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that /etc/openvswitch/.conf.db.~lock~ is group owned by 800.</oval-def:description>
-            <oval-def:reference ref_id="CCE-85936-3" source="CCE"/>
-            <oval-def:reference ref_id="file_groupowner_ovs_conf_db_lock_s390x" source="ssg"/>
+            <oval-def:description>This test makes sure that /var/run/openvswitch/ovs-vswitchd.pid has mode 0644.
+      If the target file or directory has an extended ACL, then it will fail the mode check.
+      </oval-def:description>
+            <oval-def:reference ref_id="CCE-83666-8" source="CCE"/>
+            <oval-def:reference ref_id="file_permissions_ovs_pid" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file group ownership of /etc/openvswitch/.conf.db.~lock~" test_ref="oval:ssg-test_file_groupowner_ovs_conf_db_lock_s390x_0:tst:1"/>
+            <oval-def:criterion comment="Check file mode of /var/run/openvswitch/ovs-vswitchd.pid" test_ref="oval:ssg-test_file_permissions_ovs_pid_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_ovs_conf_db_not_s390x:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_ovs_sys_id_conf:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify Group Who Owns The Open vSwitch Configuration Database</oval-def:title>
+            <oval-def:title>Verify Permissions on the Open vSwitch Persistent System ID</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that /etc/openvswitch/conf.db is group owned by 801.</oval-def:description>
-            <oval-def:reference ref_id="CCE-84226-0" source="CCE"/>
-            <oval-def:reference ref_id="file_groupowner_ovs_conf_db_not_s390x" source="ssg"/>
+            <oval-def:description>This test makes sure that /etc/openvswitch/system-id.conf has mode 0644.
+      If the target file or directory has an extended ACL, then it will fail the mode check.
+      </oval-def:description>
+            <oval-def:reference ref_id="CCE-83400-2" source="CCE"/>
+            <oval-def:reference ref_id="file_permissions_ovs_sys_id_conf" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file group ownership of /etc/openvswitch/conf.db" test_ref="oval:ssg-test_file_groupowner_ovs_conf_db_not_s390x_0:tst:1"/>
+            <oval-def:criterion comment="Check file mode of /etc/openvswitch/system-id.conf" test_ref="oval:ssg-test_file_permissions_ovs_sys_id_conf_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_ovs_conf_db_s390x:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_ovs_vswitchd_pid:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify Group Who Owns The Open vSwitch Configuration Database</oval-def:title>
+            <oval-def:title>Verify Permissions on the Open vSwitch Daemon PID File</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that /etc/openvswitch/conf.db is group owned by 800.</oval-def:description>
-            <oval-def:reference ref_id="CCE-85927-2" source="CCE"/>
-            <oval-def:reference ref_id="file_groupowner_ovs_conf_db_s390x" source="ssg"/>
+            <oval-def:description>This test makes sure that /run/openvswitch/ovs-vswitchd.pid has mode 0644.
+      If the target file or directory has an extended ACL, then it will fail the mode check.
+      </oval-def:description>
+            <oval-def:reference ref_id="CCE-83710-4" source="CCE"/>
+            <oval-def:reference ref_id="file_permissions_ovs_vswitchd_pid" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file group ownership of /etc/openvswitch/conf.db" test_ref="oval:ssg-test_file_groupowner_ovs_conf_db_s390x_0:tst:1"/>
+            <oval-def:criterion comment="Check file mode of /run/openvswitch/ovs-vswitchd.pid" test_ref="oval:ssg-test_file_permissions_ovs_vswitchd_pid_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_ovs_sys_id_conf_not_s390x:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_ovsdb_server_pid:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify Group Who Owns The Open vSwitch Persistent System ID</oval-def:title>
+            <oval-def:title>Verify Permissions on the Open vSwitch Database Server PID</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that /etc/openvswitch/system-id.conf is group owned by 801.</oval-def:description>
-            <oval-def:reference ref_id="CCE-83677-5" source="CCE"/>
-            <oval-def:reference ref_id="file_groupowner_ovs_sys_id_conf_not_s390x" source="ssg"/>
+            <oval-def:description>This test makes sure that /run/openvswitch/ovsdb-server.pid has mode 0644.
+      If the target file or directory has an extended ACL, then it will fail the mode check.
+      </oval-def:description>
+            <oval-def:reference ref_id="CCE-83679-1" source="CCE"/>
+            <oval-def:reference ref_id="file_permissions_ovsdb_server_pid" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file group ownership of /etc/openvswitch/system-id.conf" test_ref="oval:ssg-test_file_groupowner_ovs_sys_id_conf_not_s390x_0:tst:1"/>
+            <oval-def:criterion comment="Check file mode of /run/openvswitch/ovsdb-server.pid" test_ref="oval:ssg-test_file_permissions_ovsdb_server_pid_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_ovs_sys_id_conf_s390x:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_proxy_kubeconfig:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify Group Who Owns The Open vSwitch Persistent System ID</oval-def:title>
+            <oval-def:title>Verify Permissions on the Worker Proxy Kubeconfig File</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that /etc/openvswitch/system-id.conf is group owned by 800.</oval-def:description>
-            <oval-def:reference ref_id="CCE-85928-0" source="CCE"/>
-            <oval-def:reference ref_id="file_groupowner_ovs_sys_id_conf_s390x" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/apis/apps/v1/namespaces/openshift-sdn/daemonsets/sdn' at path 'spec.template.spec.volumes[:].configMap['defaultMode','name']' at least one: key 'name' value equals 'sdn-config' and key 'defaultMode' value equals '420'</oval-def:description>
+            <oval-def:reference ref_id="CCE-84047-0" source="CCE"/>
+            <oval-def:reference ref_id="file_permissions_proxy_kubeconfig" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file group ownership of /etc/openvswitch/system-id.conf" test_ref="oval:ssg-test_file_groupowner_ovs_sys_id_conf_s390x_0:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/apis/apps/v1/namespaces/openshift-sdn/daemonsets/sdn' at path 'spec.template.spec.volumes[:].configMap['defaultMode','name']' at least one" test_ref="oval:ssg-test_file_permissions_proxy_kubeconfig:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/apis/apps/v1/namespaces/openshift-sdn/daemonsets/sdn' exists." test_ref="oval:ssg-test_file_for_file_permissions_proxy_kubeconfig:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_scheduler_kubeconfig:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_scheduler:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify Group Who Owns The Kubernetes Scheduler Kubeconfig File</oval-def:title>
+            <oval-def:title>Verify Permissions on the Kubernetes Scheduler Pod Specification File</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that ^/etc/kubernetes/static-pod-resources/kube-scheduler-pod-.*/configmaps/scheduler-kubeconfig/kubeconfig$ is group owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="CCE-83471-3" source="CCE"/>
-            <oval-def:reference ref_id="file_groupowner_scheduler_kubeconfig" source="ssg"/>
+            <oval-def:description>This test makes sure that ^/etc/kubernetes/static-pod-resources/kube-scheduler-pod-.*/kube-scheduler-pod.yaml$ has mode 0644.
+      If the target file or directory has an extended ACL, then it will fail the mode check.
+      </oval-def:description>
+            <oval-def:reference ref_id="CCE-84057-9" source="CCE"/>
+            <oval-def:reference ref_id="file_permissions_scheduler" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file group ownership of ^/etc/kubernetes/static-pod-resources/kube-scheduler-pod-.*/configmaps/scheduler-kubeconfig/kubeconfig$" test_ref="oval:ssg-test_file_groupowner_scheduler_kubeconfig_0:tst:1"/>
+            <oval-def:criterion comment="Check file mode of ^/etc/kubernetes/static-pod-resources/kube-scheduler-pod-.*/kube-scheduler-pod.yaml$" test_ref="oval:ssg-test_file_permissions_scheduler_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_worker_ca:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_scheduler_kubeconfig:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify Group Who Owns the Worker Certificate Authority File</oval-def:title>
+            <oval-def:title>Verify Permissions on the Kubernetes Scheduler Kubeconfig File</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that /etc/kubernetes/kubelet-ca.crt is group owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="CCE-83440-8" source="CCE"/>
-            <oval-def:reference ref_id="file_groupowner_worker_ca" source="ssg"/>
+            <oval-def:description>This test makes sure that ^/etc/kubernetes/static-pod-resources/kube-scheduler-pod-.*/configmaps/scheduler-kubeconfig/kubeconfig$ has mode 0644.
+      If the target file or directory has an extended ACL, then it will fail the mode check.
+      </oval-def:description>
+            <oval-def:reference ref_id="CCE-83772-4" source="CCE"/>
+            <oval-def:reference ref_id="file_permissions_scheduler_kubeconfig" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file group ownership of /etc/kubernetes/kubelet-ca.crt" test_ref="oval:ssg-test_file_groupowner_worker_ca_0:tst:1"/>
+            <oval-def:criterion comment="Check file mode of ^/etc/kubernetes/static-pod-resources/kube-scheduler-pod-.*/configmaps/scheduler-kubeconfig/kubeconfig$" test_ref="oval:ssg-test_file_permissions_scheduler_kubeconfig_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_worker_kubeconfig:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_var_lib_etcd:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify Group Who Owns The Worker Kubeconfig File</oval-def:title>
+            <oval-def:title>The OpenShift etcd Data Directory Must Have Mode 0700</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that /var/lib/kubelet/kubeconfig is group owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="CCE-83409-3" source="CCE"/>
-            <oval-def:reference ref_id="file_groupowner_worker_kubeconfig" source="ssg"/>
+            <oval-def:description>This test makes sure that /var/lib/etcd/ has mode 0700.
+      If the target file or directory has an extended ACL, then it will fail the mode check.
+      </oval-def:description>
+            <oval-def:reference ref_id="file_permissions_var_lib_etcd" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file group ownership of /var/lib/kubelet/kubeconfig" test_ref="oval:ssg-test_file_groupowner_worker_kubeconfig_0:tst:1"/>
+            <oval-def:criterion comment="Check file mode of /var/lib/etcd/" test_ref="oval:ssg-test_file_permissions_var_lib_etcd_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_worker_service:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_var_log_kube_audit:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify Group Who Owns The OpenShift Node Service File</oval-def:title>
+            <oval-def:title>Kubernetes Audit Logs Must Have Mode 0600</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that /etc/systemd/system/kubelet.service is group owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="CCE-83975-3" source="CCE"/>
-            <oval-def:reference ref_id="file_groupowner_worker_service" source="ssg"/>
+            <oval-def:description>This test makes sure that ^/var/log/kube-apiserver/.+\.log$ has mode 0600.
+      If the target file or directory has an extended ACL, then it will fail the mode check.
+      </oval-def:description>
+            <oval-def:reference ref_id="CCE-83654-4" source="CCE"/>
+            <oval-def:reference ref_id="file_permissions_var_log_kube_audit" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file group ownership of /etc/systemd/system/kubelet.service" test_ref="oval:ssg-test_file_groupowner_worker_service_0:tst:1"/>
+            <oval-def:criterion comment="Check file mode of ^/var/log/kube-apiserver/.+\.log$" test_ref="oval:ssg-test_file_permissions_var_log_kube_audit_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_integrity_exists:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_var_log_oauth_audit:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Ensure that File Integrity Operator is scanning the cluster</oval-def:title>
+            <oval-def:title>OAuth Audit Logs Must Have Mode 0600</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/apis/fileintegrity.openshift.io/v1alpha1/fileintegrities?limit=5' at path '.items[:].metadata.name' at least one: value equals '.*'</oval-def:description>
-            <oval-def:reference ref_id="CCE-83657-7" source="CCE"/>
-            <oval-def:reference ref_id="file_integrity_exists" source="ssg"/>
+            <oval-def:description>This test makes sure that ^/var/log/oauth-apiserver/.+\.log$ has mode 0600.
+      If the target file or directory has an extended ACL, then it will fail the mode check.
+      </oval-def:description>
+            <oval-def:reference ref_id="CCE-90637-0" source="CCE"/>
+            <oval-def:reference ref_id="file_permissions_var_log_oauth_audit" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/apis/fileintegrity.openshift.io/v1alpha1/fileintegrities?limit=5' at path '.items[:].metadata.name' at least one" test_ref="oval:ssg-test_file_integrity_exists:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/apis/fileintegrity.openshift.io/v1alpha1/fileintegrities?limit=5' exists." test_ref="oval:ssg-test_file_for_file_integrity_exists:tst:1"/>
+            <oval-def:criterion comment="Check file mode of ^/var/log/oauth-apiserver/.+\.log$" test_ref="oval:ssg-test_file_permissions_var_log_oauth_audit_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_integrity_notification_enabled:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_var_log_ocp_audit:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Ensure the notification is enabled for file integrity operator</oval-def:title>
+            <oval-def:title>OpenShift Audit Logs Must Have Mode 0600</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/apis/monitoring.coreos.com/v1/prometheusrules?limit=500#1af9e378f0bc0282076028afdb43f9d17f4cfb2f631c4d73ce65d9d0f3b10a08' at path '[:]' at least one: value equals '.*'</oval-def:description>
-            <oval-def:reference ref_id="CCE-90572-9" source="CCE"/>
-            <oval-def:reference ref_id="file_integrity_notification_enabled" source="ssg"/>
+            <oval-def:description>This test makes sure that ^/var/log/openshift-apiserver/.+\.log$ has mode 0600.
+      If the target file or directory has an extended ACL, then it will fail the mode check.
+      </oval-def:description>
+            <oval-def:reference ref_id="CCE-90638-8" source="CCE"/>
+            <oval-def:reference ref_id="file_permissions_var_log_ocp_audit" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/apis/monitoring.coreos.com/v1/prometheusrules?limit=500#1af9e378f0bc0282076028afdb43f9d17f4cfb2f631c4d73ce65d9d0f3b10a08' at path '[:]' at least one" test_ref="oval:ssg-test_file_integrity_notification_enabled:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/apis/monitoring.coreos.com/v1/prometheusrules?limit=500#1af9e378f0bc0282076028afdb43f9d17f4cfb2f631c4d73ce65d9d0f3b10a08' exists." test_ref="oval:ssg-test_file_for_file_integrity_notification_enabled:tst:1"/>
+            <oval-def:criterion comment="Check file mode of ^/var/log/openshift-apiserver/.+\.log$" test_ref="oval:ssg-test_file_permissions_var_log_ocp_audit_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_owner_cni_conf:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_worker_ca:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify User Who Owns The OpenShift Container Network Interface Files</oval-def:title>
+            <oval-def:title>Verify Permissions on the Worker Certificate Authority File</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that ^/etc/cni/net.d/.*$ is owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="CCE-83460-6" source="CCE"/>
-            <oval-def:reference ref_id="file_owner_cni_conf" source="ssg"/>
+            <oval-def:description>This test makes sure that /etc/kubernetes/kubelet-ca.crt has mode 0644.
+      If the target file or directory has an extended ACL, then it will fail the mode check.
+      </oval-def:description>
+            <oval-def:reference ref_id="CCE-83493-7" source="CCE"/>
+            <oval-def:reference ref_id="file_permissions_worker_ca" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file ownership of ^/etc/cni/net.d/.*$" test_ref="oval:ssg-test_file_owner_cni_conf_0:tst:1"/>
+            <oval-def:criterion comment="Check file mode of /etc/kubernetes/kubelet-ca.crt" test_ref="oval:ssg-test_file_permissions_worker_ca_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_owner_controller_manager_kubeconfig:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_worker_kubeconfig:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify User Who Owns The OpenShift Controller Manager Kubeconfig File</oval-def:title>
+            <oval-def:title>Verify Permissions on the Worker Kubeconfig File</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that ^/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-.*/configmaps/controller-manager-kubeconfig/kubeconfig$ is owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="CCE-83904-3" source="CCE"/>
-            <oval-def:reference ref_id="file_owner_controller_manager_kubeconfig" source="ssg"/>
+            <oval-def:description>This test makes sure that /var/lib/kubelet/kubeconfig has mode 0600.
+      If the target file or directory has an extended ACL, then it will fail the mode check.
+      </oval-def:description>
+            <oval-def:reference ref_id="CCE-83509-0" source="CCE"/>
+            <oval-def:reference ref_id="file_permissions_worker_kubeconfig" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file ownership of ^/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-.*/configmaps/controller-manager-kubeconfig/kubeconfig$" test_ref="oval:ssg-test_file_owner_controller_manager_kubeconfig_0:tst:1"/>
+            <oval-def:criterion comment="Check file mode of /var/lib/kubelet/kubeconfig" test_ref="oval:ssg-test_file_permissions_worker_kubeconfig_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_owner_etcd_data_dir:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_worker_service:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify User Who Owns The Etcd Database Directory</oval-def:title>
+            <oval-def:title>Verify Permissions on the OpenShift Node Service File</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that /var/lib/etcd/member/ is owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="CCE-83905-0" source="CCE"/>
-            <oval-def:reference ref_id="file_owner_etcd_data_dir" source="ssg"/>
+            <oval-def:description>This test makes sure that /etc/systemd/system/kubelet.service has mode 0644.
+      If the target file or directory has an extended ACL, then it will fail the mode check.
+      </oval-def:description>
+            <oval-def:reference ref_id="CCE-83455-6" source="CCE"/>
+            <oval-def:reference ref_id="file_permissions_worker_service" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file ownership of /var/lib/etcd/member/" test_ref="oval:ssg-test_file_owner_etcd_data_dir_0:tst:1"/>
+            <oval-def:criterion comment="Check file mode of /etc/systemd/system/kubelet.service" test_ref="oval:ssg-test_file_permissions_worker_service_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_owner_etcd_data_files:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-file_perms_openshift_sdn_cniserver_config:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify User Who Owns The Etcd Write-Ahead-Log Files</oval-def:title>
+            <oval-def:title>Verify Permissions on the OpenShift SDN CNI Server Config</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that ^/var/lib/etcd/member/wal/.*$ is owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="CCE-84010-8" source="CCE"/>
-            <oval-def:reference ref_id="file_owner_etcd_data_files" source="ssg"/>
+            <oval-def:description>This test makes sure that /var/run/openshift-sdn/cniserver/config.json has mode 0444.
+      If the target file or directory has an extended ACL, then it will fail the mode check.
+      </oval-def:description>
+            <oval-def:reference ref_id="CCE-83927-4" source="CCE"/>
+            <oval-def:reference ref_id="file_perms_openshift_sdn_cniserver_config" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file ownership of ^/var/lib/etcd/member/wal/.*$" test_ref="oval:ssg-test_file_owner_etcd_data_files_0:tst:1"/>
+            <oval-def:criterion comment="Check file mode of /var/run/openshift-sdn/cniserver/config.json" test_ref="oval:ssg-test_file_permissionsfile_perms_openshift_sdn_cniserver_config_0:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_owner_etcd_member:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-fips_mode_enabled_on_all_nodes:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify User Who Owns The Etcd Member Pod Specification File</oval-def:title>
+            <oval-def:title>Ensure that FIPS mode is enabled on all cluster nodes</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that ^/etc/kubernetes/static-pod-resources/etcd-pod-.*/etcd-pod.yaml$ is owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="CCE-83988-6" source="CCE"/>
-            <oval-def:reference ref_id="file_owner_etcd_member" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/apis/machineconfiguration.openshift.io/v1/machineconfigs#ab7e02a1c3f44ae48f843ce3dee7b948d624d2f702b9428760efbfd4653847ba' at path '[:]' all: value equals 'true'</oval-def:description>
+            <oval-def:reference ref_id="CCE-85860-5" source="CCE"/>
+            <oval-def:reference ref_id="fips_mode_enabled_on_all_nodes" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file ownership of ^/etc/kubernetes/static-pod-resources/etcd-pod-.*/etcd-pod.yaml$" test_ref="oval:ssg-test_file_owner_etcd_member_0:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/apis/machineconfiguration.openshift.io/v1/machineconfigs#ab7e02a1c3f44ae48f843ce3dee7b948d624d2f702b9428760efbfd4653847ba' at path '[:]' all" test_ref="oval:ssg-test_fips_mode_enabled_on_all_nodes:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/apis/machineconfiguration.openshift.io/v1/machineconfigs#ab7e02a1c3f44ae48f843ce3dee7b948d624d2f702b9428760efbfd4653847ba' exists." test_ref="oval:ssg-test_file_for_fips_mode_enabled_on_all_nodes:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_owner_etcd_pki_cert_files:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-gcp_disk_encryption_enabled:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify User Who Owns The Etcd PKI Certificate Files</oval-def:title>
+            <oval-def:title>Ensure that the MachineSets provisioned by GCP have disk encryption enabled</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that ^/etc/kubernetes/static-pod-resources/.*/.*/.*/.*\.crt$ is owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="CCE-83898-7" source="CCE"/>
-            <oval-def:reference ref_id="file_owner_etcd_pki_cert_files" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/apis/machine.openshift.io/v1beta1/machinesets?limit=500#4de267a890d70235b0f43110ee972bee760ecce356b1e9cb910f99cc33a02cc2' at path '[:]' all: value equals '^.+$'</oval-def:description>
+            <oval-def:reference ref_id="CCE-90357-5" source="CCE"/>
+            <oval-def:reference ref_id="gcp_disk_encryption_enabled" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file ownership of ^/etc/kubernetes/static-pod-resources/.*/.*/.*/.*\.crt$" test_ref="oval:ssg-test_file_owner_etcd_pki_cert_files_0:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/apis/machine.openshift.io/v1beta1/machinesets?limit=500#4de267a890d70235b0f43110ee972bee760ecce356b1e9cb910f99cc33a02cc2' at path '[:]' all" test_ref="oval:ssg-test_gcp_disk_encryption_enabled:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/apis/machine.openshift.io/v1beta1/machinesets?limit=500#4de267a890d70235b0f43110ee972bee760ecce356b1e9cb910f99cc33a02cc2' exists." test_ref="oval:ssg-test_file_for_gcp_disk_encryption_enabled:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_owner_ip_allocations:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-gitops_operator_exists:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify User Who Owns The OpenShift SDN Container Network Interface Plugin IP Address Allocations</oval-def:title>
+            <oval-def:title>Ensure that GitOps Operator is deployed</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that ^/var/lib/cni/networks/openshift-sdn/.*$ is owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="CCE-84248-4" source="CCE"/>
-            <oval-def:reference ref_id="file_owner_ip_allocations" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/apis/pipelines.openshift.io/v1alpha1/gitopsservices?limit=5' at path '.items[:].metadata.name' at least one: value equals '.*'</oval-def:description>
+            <oval-def:reference ref_id="CCE-86134-4" source="CCE"/>
+            <oval-def:reference ref_id="gitops_operator_exists" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file ownership of ^/var/lib/cni/networks/openshift-sdn/.*$" test_ref="oval:ssg-test_file_owner_ip_allocations_0:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/apis/pipelines.openshift.io/v1alpha1/gitopsservices?limit=5' at path '.items[:].metadata.name' at least one" test_ref="oval:ssg-test_gitops_operator_exists:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/apis/pipelines.openshift.io/v1alpha1/gitopsservices?limit=5' exists." test_ref="oval:ssg-test_file_for_gitops_operator_exists:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_owner_kube_apiserver:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-idp_is_configured:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify User Who Owns The Kubernetes API Server Pod Specification File</oval-def:title>
+            <oval-def:title>Configure An Identity Provider</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that ^/etc/kubernetes/static-pod-resources/kube-apiserver-pod-.*/kube-apiserver-pod.yaml$ is owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="CCE-83372-3" source="CCE"/>
-            <oval-def:reference ref_id="file_owner_kube_apiserver" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/apis/config.openshift.io/v1/oauths/cluster' at path '.spec.identityProviders[:].type' at least one: value equals '.*'</oval-def:description>
+            <oval-def:reference ref_id="CCE-84088-4" source="CCE"/>
+            <oval-def:reference ref_id="idp_is_configured" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file ownership of ^/etc/kubernetes/static-pod-resources/kube-apiserver-pod-.*/kube-apiserver-pod.yaml$" test_ref="oval:ssg-test_file_owner_kube_apiserver_0:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/apis/config.openshift.io/v1/oauths/cluster' at path '.spec.identityProviders[:].type' at least one" test_ref="oval:ssg-test_idp_is_configured:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/apis/config.openshift.io/v1/oauths/cluster' exists." test_ref="oval:ssg-test_file_for_idp_is_configured:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_owner_kube_controller_manager:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-ingress_controller_certificate:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify User Who Owns The Kubernetes Controller Manager Pod Specificiation File</oval-def:title>
+            <oval-def:title>Ensure that the default Ingress certificate has been replaced</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that ^/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-.*/kube-controller-manager-pod.yaml$ is owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="CCE-83795-5" source="CCE"/>
-            <oval-def:reference ref_id="file_owner_kube_controller_manager" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/apis/operator.openshift.io/v1/namespaces/openshift-ingress-operator/ingresscontrollers/default' at path '.spec.defaultCertificate.name' all: value equals '.+'</oval-def:description>
+            <oval-def:reference ref_id="ingress_controller_certificate" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file ownership of ^/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-.*/kube-controller-manager-pod.yaml$" test_ref="oval:ssg-test_file_owner_kube_controller_manager_0:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/apis/operator.openshift.io/v1/namespaces/openshift-ingress-operator/ingresscontrollers/default' at path '.spec.defaultCertificate.name' all" test_ref="oval:ssg-test_ingress_controller_certificate:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/apis/operator.openshift.io/v1/namespaces/openshift-ingress-operator/ingresscontrollers/default' exists." test_ref="oval:ssg-test_file_for_ingress_controller_certificate:tst:1"/>
+            <oval-def:criterion comment="Make sure that all target elements exists for elements at path '.metadata.name'" test_ref="oval:ssg-test_elements_count_for_ingress_controller_certificate:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_owner_kube_scheduler:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubeadmin_removed:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify User Who Owns The Kubernetes Scheduler Pod Specification File</oval-def:title>
+            <oval-def:title>Ensure that the kubeadmin secret has been removed</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that ^/etc/kubernetes/static-pod-resources/kube-scheduler-pod-.*/kube-scheduler-pod.yaml$ is owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="CCE-83393-9" source="CCE"/>
-            <oval-def:reference ref_id="file_owner_kube_scheduler" source="ssg"/>
+            <oval-def:description>In the Compliance Operator-generated file '/api/v1/namespaces/kube-system/secrets/kubeadmin' the `not found` annotation should be set</oval-def:description>
+            <oval-def:reference ref_id="CCE-90387-2" source="CCE"/>
+            <oval-def:reference ref_id="kubeadmin_removed" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file ownership of ^/etc/kubernetes/static-pod-resources/kube-scheduler-pod-.*/kube-scheduler-pod.yaml$" test_ref="oval:ssg-test_file_owner_kube_scheduler_0:tst:1"/>
+            <oval-def:criterion comment="In the Compliance Operator-generated file '/api/v1/namespaces/kube-system/secrets/kubeadmin' the `not found` annotation should be set" test_ref="oval:ssg-test_kubeadmin_removed:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/kube-system/secrets/kubeadmin' exists." test_ref="oval:ssg-test_file_for_kubeadmin_removed:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_owner_kubelet:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_anonymous_auth:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify User Who Owns The Kubelet Configuration File</oval-def:title>
+            <oval-def:title>Disable Anonymous Authentication to the Kubelet</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that /var/lib/kubelet/config.json is owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="CCE-85900-9" source="CCE"/>
-            <oval-def:reference ref_id="file_owner_kubelet" source="ssg"/>
+            <oval-def:description>The combined kubeletconfig check</oval-def:description>
+            <oval-def:reference ref_id="CCE-83815-1" source="CCE"/>
+            <oval-def:reference ref_id="kubelet_anonymous_auth" source="ssg"/>
           </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check file ownership of /var/lib/kubelet/config.json" test_ref="oval:ssg-test_file_owner_kubelet_0:tst:1"/>
+          <oval-def:criteria operator="AND">
+            <oval-def:extend_definition comment="check kubeletconfig worker" definition_ref="oval:ssg-kubelet_anonymous_auth_worker:def:1"/>
+            <oval-def:extend_definition comment="check kubeletconfig master" definition_ref="oval:ssg-kubelet_anonymous_auth_master:def:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_owner_kubelet_conf:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_anonymous_auth_deprecated:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify User Who Owns The Kubelet Configuration File</oval-def:title>
+            <oval-def:title>Disable Anonymous Authentication to the Kubelet</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that /etc/kubernetes/kubelet.conf is owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="CCE-83976-1" source="CCE"/>
-            <oval-def:reference ref_id="file_owner_kubelet_conf" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.authentication.anonymous.enabled' all: value equals 'false'</oval-def:description>
+            <oval-def:reference ref_id="kubelet_anonymous_auth_deprecated" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file ownership of /etc/kubernetes/kubelet.conf" test_ref="oval:ssg-test_file_owner_kubelet_conf_0:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.authentication.anonymous.enabled' all" test_ref="oval:ssg-test_kubelet_anonymous_auth_deprecated:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_owner_master_admin_kubeconfigs:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_anonymous_auth_master:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify User Who Owns The OpenShift Admin Kubeconfig Files</oval-def:title>
+            <oval-def:title>Disable Anonymous Authentication to the Kubelet</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that ^/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/.*\.kubeconfig$ is owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="CCE-83719-5" source="CCE"/>
-            <oval-def:reference ref_id="file_owner_master_admin_kubeconfigs" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/kubeletconfig/role' at path '.authentication.anonymous.enabled' all: value equals 'false'</oval-def:description>
+            <oval-def:reference ref_id="kubelet_anonymous_auth_master" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file ownership of ^/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/.*\.kubeconfig$" test_ref="oval:ssg-test_file_owner_master_admin_kubeconfigs_0:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/kubeletconfig/role' at path '.authentication.anonymous.enabled' all" test_ref="oval:ssg-test_kubelet_anonymous_auth_master:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/kubeletconfig/role' exists." test_ref="oval:ssg-test_file_for_kubelet_anonymous_auth_master:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_owner_multus_conf:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_anonymous_auth_worker:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify User Who Owns The OpenShift Multus Container Network Interface Plugin Files</oval-def:title>
+            <oval-def:title>Disable Anonymous Authentication to the Kubelet</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that ^/var/run/multus/cni/net.d/.*$ is owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="CCE-83603-1" source="CCE"/>
-            <oval-def:reference ref_id="file_owner_multus_conf" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/kubeletconfig/role' at path '.authentication.anonymous.enabled' all: value equals 'false'</oval-def:description>
+            <oval-def:reference ref_id="kubelet_anonymous_auth_worker" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file ownership of ^/var/run/multus/cni/net.d/.*$" test_ref="oval:ssg-test_file_owner_multus_conf_0:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/kubeletconfig/role' at path '.authentication.anonymous.enabled' all" test_ref="oval:ssg-test_kubelet_anonymous_auth_worker:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/kubeletconfig/role' exists." test_ref="oval:ssg-test_file_for_kubelet_anonymous_auth_worker:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_owner_openshift_pki_cert_files:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_authorization_mode:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify User Who Owns The OpenShift PKI Certificate Files</oval-def:title>
+            <oval-def:title>Ensure authorization is set to Webhook</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that ^/etc/kubernetes/static-pod-resources/.*/.*/.*/tls\.crt$ is owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="CCE-83558-7" source="CCE"/>
-            <oval-def:reference ref_id="file_owner_openshift_pki_cert_files" source="ssg"/>
+            <oval-def:description>The combined kubeletconfig check</oval-def:description>
+            <oval-def:reference ref_id="CCE-83593-4" source="CCE"/>
+            <oval-def:reference ref_id="kubelet_authorization_mode" source="ssg"/>
           </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check file ownership of ^/etc/kubernetes/static-pod-resources/.*/.*/.*/tls\.crt$" test_ref="oval:ssg-test_file_owner_openshift_pki_cert_files_0:tst:1"/>
+          <oval-def:criteria operator="AND">
+            <oval-def:extend_definition comment="check kubeletconfig worker" definition_ref="oval:ssg-kubelet_authorization_mode_worker:def:1"/>
+            <oval-def:extend_definition comment="check kubeletconfig master" definition_ref="oval:ssg-kubelet_authorization_mode_master:def:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_owner_openshift_pki_key_files:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_authorization_mode_deprecated:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify User Who Owns The OpenShift PKI Private Key Files</oval-def:title>
+            <oval-def:title>Ensure authorization is set to Webhook</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that ^/etc/kubernetes/static-pod-resources/.*/.*/.*/.*\.key$ is owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="CCE-83435-8" source="CCE"/>
-            <oval-def:reference ref_id="file_owner_openshift_pki_key_files" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.authorization.mode' all: value equals 'AlwaysAllow'</oval-def:description>
+            <oval-def:reference ref_id="kubelet_authorization_mode_deprecated" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file ownership of ^/etc/kubernetes/static-pod-resources/.*/.*/.*/.*\.key$" test_ref="oval:ssg-test_file_owner_openshift_pki_key_files_0:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.authorization.mode' all" test_ref="oval:ssg-test_kubelet_authorization_mode_deprecated:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_owner_openshift_sdn_cniserver_config:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_authorization_mode_master:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify User Who Owns The OpenShift SDN CNI Server Config</oval-def:title>
+            <oval-def:title>Ensure authorization is set to Webhook</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that /var/run/openshift-sdn/cniserver/config.json is owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="CCE-83932-4" source="CCE"/>
-            <oval-def:reference ref_id="file_owner_openshift_sdn_cniserver_config" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/kubeletconfig/role' at path '.authorization.mode' all: value equals 'AlwaysAllow'</oval-def:description>
+            <oval-def:reference ref_id="kubelet_authorization_mode_master" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file ownership of /var/run/openshift-sdn/cniserver/config.json" test_ref="oval:ssg-test_file_owner_openshift_sdn_cniserver_config_0:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/kubeletconfig/role' at path '.authorization.mode' all" test_ref="oval:ssg-test_kubelet_authorization_mode_master:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/kubeletconfig/role' exists." test_ref="oval:ssg-test_file_for_kubelet_authorization_mode_master:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_owner_openvswitch:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_authorization_mode_worker:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify User Who Owns The OpenShift Open vSwitch Files</oval-def:title>
+            <oval-def:title>Ensure authorization is set to Webhook</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that /etc/openvswitch/ is owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="file_owner_openvswitch" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/kubeletconfig/role' at path '.authorization.mode' all: value equals 'AlwaysAllow'</oval-def:description>
+            <oval-def:reference ref_id="kubelet_authorization_mode_worker" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file ownership of /etc/openvswitch/" test_ref="oval:ssg-test_file_owner_openvswitch_0:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/kubeletconfig/role' at path '.authorization.mode' all" test_ref="oval:ssg-test_kubelet_authorization_mode_worker:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/kubeletconfig/role' exists." test_ref="oval:ssg-test_file_for_kubelet_authorization_mode_worker:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_owner_ovs_conf_db:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_configure_client_ca:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify User Who Owns The Open vSwitch Configuration Database</oval-def:title>
+            <oval-def:title>kubelet - Configure the Client CA Certificate</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that /etc/openvswitch/conf.db is owned by 800.</oval-def:description>
-            <oval-def:reference ref_id="CCE-83489-5" source="CCE"/>
-            <oval-def:reference ref_id="file_owner_ovs_conf_db" source="ssg"/>
+            <oval-def:description>The combined kubeletconfig check</oval-def:description>
+            <oval-def:reference ref_id="CCE-83724-5" source="CCE"/>
+            <oval-def:reference ref_id="kubelet_configure_client_ca" source="ssg"/>
           </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check file ownership of /etc/openvswitch/conf.db" test_ref="oval:ssg-test_file_owner_ovs_conf_db_0:tst:1"/>
+          <oval-def:criteria operator="AND">
+            <oval-def:extend_definition comment="check kubeletconfig worker" definition_ref="oval:ssg-kubelet_configure_client_ca_worker:def:1"/>
+            <oval-def:extend_definition comment="check kubeletconfig master" definition_ref="oval:ssg-kubelet_configure_client_ca_master:def:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_owner_ovs_conf_db_lock:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_configure_client_ca_deprecated:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify User Who Owns The Open vSwitch Configuration Database Lock</oval-def:title>
+            <oval-def:title>kubelet - Configure the Client CA Certificate</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that /etc/openvswitch/.conf.db.~lock~ is owned by 800.</oval-def:description>
-            <oval-def:reference ref_id="CCE-83462-2" source="CCE"/>
-            <oval-def:reference ref_id="file_owner_ovs_conf_db_lock" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.authentication.x509.clientCAFile' all: value equals '/etc/kubernetes/kubelet-ca.crt'</oval-def:description>
+            <oval-def:reference ref_id="kubelet_configure_client_ca_deprecated" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file ownership of /etc/openvswitch/.conf.db.~lock~" test_ref="oval:ssg-test_file_owner_ovs_conf_db_lock_0:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.authentication.x509.clientCAFile' all" test_ref="oval:ssg-test_kubelet_configure_client_ca_deprecated:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_owner_ovs_pid:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_configure_client_ca_master:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify User Who Owns The Open vSwitch Process ID File</oval-def:title>
+            <oval-def:title>kubelet - Configure the Client CA Certificate</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that /var/run/openvswitch/ovs-vswitchd.pid is owned by 800.</oval-def:description>
-            <oval-def:reference ref_id="CCE-83937-3" source="CCE"/>
-            <oval-def:reference ref_id="file_owner_ovs_pid" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/kubeletconfig/role' at path '.authentication.x509.clientCAFile' all: value equals '/etc/kubernetes/kubelet-ca.crt'</oval-def:description>
+            <oval-def:reference ref_id="kubelet_configure_client_ca_master" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file ownership of /var/run/openvswitch/ovs-vswitchd.pid" test_ref="oval:ssg-test_file_owner_ovs_pid_0:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/kubeletconfig/role' at path '.authentication.x509.clientCAFile' all" test_ref="oval:ssg-test_kubelet_configure_client_ca_master:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/kubeletconfig/role' exists." test_ref="oval:ssg-test_file_for_kubelet_configure_client_ca_master:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_owner_ovs_sys_id_conf:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_configure_client_ca_worker:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify User Who Owns The Open vSwitch Persistent System ID</oval-def:title>
+            <oval-def:title>kubelet - Configure the Client CA Certificate</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that /etc/openvswitch/system-id.conf is owned by 800.</oval-def:description>
-            <oval-def:reference ref_id="CCE-84085-0" source="CCE"/>
-            <oval-def:reference ref_id="file_owner_ovs_sys_id_conf" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/kubeletconfig/role' at path '.authentication.x509.clientCAFile' all: value equals '/etc/kubernetes/kubelet-ca.crt'</oval-def:description>
+            <oval-def:reference ref_id="kubelet_configure_client_ca_worker" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file ownership of /etc/openvswitch/system-id.conf" test_ref="oval:ssg-test_file_owner_ovs_sys_id_conf_0:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/kubeletconfig/role' at path '.authentication.x509.clientCAFile' all" test_ref="oval:ssg-test_kubelet_configure_client_ca_worker:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/kubeletconfig/role' exists." test_ref="oval:ssg-test_file_for_kubelet_configure_client_ca_worker:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_owner_ovs_vswitchd_pid:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_configure_event_creation:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify User Who Owns The Open vSwitch Daemon PID File</oval-def:title>
+            <oval-def:title>Kubelet - Ensure Event Creation Is Configured</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that /run/openvswitch/ovs-vswitchd.pid is owned by 800.</oval-def:description>
-            <oval-def:reference ref_id="CCE-83888-8" source="CCE"/>
-            <oval-def:reference ref_id="file_owner_ovs_vswitchd_pid" source="ssg"/>
+            <oval-def:description>The combined kubeletconfig check</oval-def:description>
+            <oval-def:reference ref_id="CCE-83576-9" source="CCE"/>
+            <oval-def:reference ref_id="kubelet_configure_event_creation" source="ssg"/>
           </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check file ownership of /run/openvswitch/ovs-vswitchd.pid" test_ref="oval:ssg-test_file_owner_ovs_vswitchd_pid_0:tst:1"/>
+          <oval-def:criteria operator="AND">
+            <oval-def:extend_definition comment="check kubeletconfig worker" definition_ref="oval:ssg-kubelet_configure_event_creation_worker:def:1"/>
+            <oval-def:extend_definition comment="check kubeletconfig master" definition_ref="oval:ssg-kubelet_configure_event_creation_master:def:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_owner_ovsdb_server_pid:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_configure_event_creation_deprecated:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify User Who Owns The Open vSwitch Database Server PID</oval-def:title>
+            <oval-def:title>Kubelet - Ensure Event Creation Is Configured</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that /run/openvswitch/ovsdb-server.pid is owned by 800.</oval-def:description>
-            <oval-def:reference ref_id="CCE-83806-0" source="CCE"/>
-            <oval-def:reference ref_id="file_owner_ovsdb_server_pid" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.eventRecordQPS' all: value equals '0'</oval-def:description>
+            <oval-def:reference ref_id="kubelet_configure_event_creation_deprecated" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file ownership of /run/openvswitch/ovsdb-server.pid" test_ref="oval:ssg-test_file_owner_ovsdb_server_pid_0:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.eventRecordQPS' all" test_ref="oval:ssg-test_kubelet_configure_event_creation_deprecated:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_owner_scheduler_kubeconfig:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_configure_event_creation_master:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify User Who Owns The Kubernetes Scheduler Kubeconfig File</oval-def:title>
+            <oval-def:title>Kubelet - Ensure Event Creation Is Configured</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that ^/etc/kubernetes/static-pod-resources/kube-scheduler-pod-.*/configmaps/scheduler-kubeconfig/kubeconfig$ is owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="CCE-84017-3" source="CCE"/>
-            <oval-def:reference ref_id="file_owner_scheduler_kubeconfig" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/kubeletconfig/role' at path '.eventRecordQPS' all: </oval-def:description>
+            <oval-def:reference ref_id="kubelet_configure_event_creation_master" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file ownership of ^/etc/kubernetes/static-pod-resources/kube-scheduler-pod-.*/configmaps/scheduler-kubeconfig/kubeconfig$" test_ref="oval:ssg-test_file_owner_scheduler_kubeconfig_0:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/kubeletconfig/role' at path '.eventRecordQPS' all" test_ref="oval:ssg-test_kubelet_configure_event_creation_master:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/kubeletconfig/role' exists." test_ref="oval:ssg-test_file_for_kubelet_configure_event_creation_master:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_owner_var_lib_etcd:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_configure_event_creation_worker:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify User Who Owns The OpenShift etcd Data Directory</oval-def:title>
+            <oval-def:title>Kubelet - Ensure Event Creation Is Configured</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that /var/lib/etcd/ is owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="file_owner_var_lib_etcd" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/kubeletconfig/role' at path '.eventRecordQPS' all: </oval-def:description>
+            <oval-def:reference ref_id="kubelet_configure_event_creation_worker" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file ownership of /var/lib/etcd/" test_ref="oval:ssg-test_file_owner_var_lib_etcd_0:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/kubeletconfig/role' at path '.eventRecordQPS' all" test_ref="oval:ssg-test_kubelet_configure_event_creation_worker:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/kubeletconfig/role' exists." test_ref="oval:ssg-test_file_for_kubelet_configure_event_creation_worker:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_owner_worker_ca:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_configure_tls_cert:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify User Who Owns the Worker Certificate Authority File</oval-def:title>
+            <oval-def:title>Ensure That The kubelet Client Certificate Is Correctly Set</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that /etc/kubernetes/kubelet-ca.crt is owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="CCE-83495-2" source="CCE"/>
-            <oval-def:reference ref_id="file_owner_worker_ca" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments["kubelet-client-certificate"][:]' all: value equals '(.+)'</oval-def:description>
+            <oval-def:reference ref_id="CCE-83396-2" source="CCE"/>
+            <oval-def:reference ref_id="kubelet_configure_tls_cert" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file ownership of /etc/kubernetes/kubelet-ca.crt" test_ref="oval:ssg-test_file_owner_worker_ca_0:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments[&quot;kubelet-client-certificate&quot;][:]' all" test_ref="oval:ssg-test_kubelet_configure_tls_cert:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' exists." test_ref="oval:ssg-test_file_for_kubelet_configure_tls_cert:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_owner_worker_kubeconfig:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_configure_tls_cert_pre_4_9:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify User Who Owns The Worker Kubeconfig File</oval-def:title>
+            <oval-def:title>Ensure That The kubelet Client Certificate Is Correctly Set</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that /var/lib/kubelet/kubeconfig is owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="CCE-83408-5" source="CCE"/>
-            <oval-def:reference ref_id="file_owner_worker_kubeconfig" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' at path '.data['config.yaml']' all: value equals '"kubelet-client-certificate":\["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt"\]'</oval-def:description>
+            <oval-def:reference ref_id="CCE-90615-6" source="CCE"/>
+            <oval-def:reference ref_id="kubelet_configure_tls_cert_pre_4_9" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file ownership of /var/lib/kubelet/kubeconfig" test_ref="oval:ssg-test_file_owner_worker_kubeconfig_0:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' at path '.data['config.yaml']' all" test_ref="oval:ssg-test_kubelet_configure_tls_cert_pre_4_9:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' exists." test_ref="oval:ssg-test_file_for_kubelet_configure_tls_cert_pre_4_9:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_owner_worker_service:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_configure_tls_cipher_suites:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify User Who Owns The OpenShift Node Service File</oval-def:title>
+            <oval-def:title>Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that /etc/systemd/system/kubelet.service is owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="CCE-84193-2" source="CCE"/>
-            <oval-def:reference ref_id="file_owner_worker_service" source="ssg"/>
+            <oval-def:description>The combined kubeletconfig check</oval-def:description>
+            <oval-def:reference ref_id="CCE-86030-4" source="CCE"/>
+            <oval-def:reference ref_id="kubelet_configure_tls_cipher_suites" source="ssg"/>
           </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check file ownership of /etc/systemd/system/kubelet.service" test_ref="oval:ssg-test_file_owner_worker_service_0:tst:1"/>
+          <oval-def:criteria operator="AND">
+            <oval-def:extend_definition comment="check kubeletconfig worker" definition_ref="oval:ssg-kubelet_configure_tls_cipher_suites_worker:def:1"/>
+            <oval-def:extend_definition comment="check kubeletconfig master" definition_ref="oval:ssg-kubelet_configure_tls_cipher_suites_master:def:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_ownership_var_log_kube_audit:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_configure_tls_cipher_suites_deprecated:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Kubernetes Audit Logs Must Be Owned By Root</oval-def:title>
+            <oval-def:title>Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that ^/var/log/kube-apiserver($|/.*$) is owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="CCE-83650-2" source="CCE"/>
-            <oval-def:reference ref_id="file_ownership_var_log_kube_audit" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.tlsCipherSuites[:]' all: </oval-def:description>
+            <oval-def:reference ref_id="kubelet_configure_tls_cipher_suites_deprecated" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file ownership of ^/var/log/kube-apiserver($|/.*$)" test_ref="oval:ssg-test_file_ownership_var_log_kube_audit_0:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.tlsCipherSuites[:]' all" test_ref="oval:ssg-test_kubelet_configure_tls_cipher_suites_deprecated:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_ownership_var_log_oauth_audit:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_configure_tls_cipher_suites_ingresscontroller:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>OAuth Audit Logs Must Be Owned By Root</oval-def:title>
+            <oval-def:title>Ensure that the Ingress Controller only makes use of Strong Cryptographic Ciphers</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that ^/var/log/oauth-apiserver($|/.*$) is owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="CCE-90635-4" source="CCE"/>
-            <oval-def:reference ref_id="file_ownership_var_log_oauth_audit" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/apis/operator.openshift.io/v1/namespaces/openshift-ingress-operator/ingresscontrollers/default' at path '.status.tlsProfile.ciphers[:]' all: value equals '^(ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-RSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-RSA-AES256-GCM-SHA384|ECDHE-RSA-CHACHA20-POLY1305|ECDHE-ECDSA-AES256-GCM-SHA384|AES256-GCM-SHA384|AES128-GCM-SHA256)$'</oval-def:description>
+            <oval-def:reference ref_id="kubelet_configure_tls_cipher_suites_ingresscontroller" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file ownership of ^/var/log/oauth-apiserver($|/.*$)" test_ref="oval:ssg-test_file_ownership_var_log_oauth_audit_0:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/apis/operator.openshift.io/v1/namespaces/openshift-ingress-operator/ingresscontrollers/default' at path '.status.tlsProfile.ciphers[:]' all" test_ref="oval:ssg-test_kubelet_configure_tls_cipher_suites_ingresscontroller:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/apis/operator.openshift.io/v1/namespaces/openshift-ingress-operator/ingresscontrollers/default' exists." test_ref="oval:ssg-test_file_for_kubelet_configure_tls_cipher_suites_ingresscontroller:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_ownership_var_log_ocp_audit:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_configure_tls_cipher_suites_kubeapiserver_operator:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>OpenShift Audit Logs Must Be Owned By Root</oval-def:title>
+            <oval-def:title>Ensure that the Kubernetes API Server Operator only makes use of Strong Cryptographic Ciphers</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that ^/var/log/openshift-apiserver($|/.*$) is owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="CCE-90636-2" source="CCE"/>
-            <oval-def:reference ref_id="file_ownership_var_log_ocp_audit" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/apis/operator.openshift.io/v1/kubeapiservers/cluster' at path '.spec.unsupportedConfigOverrides.servingInfo.cipherSuites[:]' all: value equals '^(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|TLS_RSA_WITH_AES_256_GCM_SHA384|TLS_RSA_WITH_AES_128_GCM_SHA256)$'</oval-def:description>
+            <oval-def:reference ref_id="kubelet_configure_tls_cipher_suites_kubeapiserver_operator" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file ownership of ^/var/log/openshift-apiserver($|/.*$)" test_ref="oval:ssg-test_file_ownership_var_log_ocp_audit_0:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/apis/operator.openshift.io/v1/kubeapiservers/cluster' at path '.spec.unsupportedConfigOverrides.servingInfo.cipherSuites[:]' all" test_ref="oval:ssg-test_kubelet_configure_tls_cipher_suites_kubeapiserver_operator:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/apis/operator.openshift.io/v1/kubeapiservers/cluster' exists." test_ref="oval:ssg-test_file_for_kubelet_configure_tls_cipher_suites_kubeapiserver_operator:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_cni_conf:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_configure_tls_cipher_suites_master:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify Permissions on the OpenShift Container Network Interface Files</oval-def:title>
+            <oval-def:title>Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that ^/etc/cni/net.d/.*$ has mode 0644.
-      If the target file or directory has an extended ACL, then it will fail the mode check.
-      </oval-def:description>
-            <oval-def:reference ref_id="CCE-83379-8" source="CCE"/>
-            <oval-def:reference ref_id="file_permissions_cni_conf" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/kubeletconfig/role' at path '.tlsCipherSuites[:]' all: </oval-def:description>
+            <oval-def:reference ref_id="kubelet_configure_tls_cipher_suites_master" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file mode of ^/etc/cni/net.d/.*$" test_ref="oval:ssg-test_file_permissions_cni_conf_0:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/kubeletconfig/role' at path '.tlsCipherSuites[:]' all" test_ref="oval:ssg-test_kubelet_configure_tls_cipher_suites_master:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/kubeletconfig/role' exists." test_ref="oval:ssg-test_file_for_kubelet_configure_tls_cipher_suites_master:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_controller_manager_kubeconfig:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_configure_tls_cipher_suites_openshiftapiserver_operator:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify Permissions on the OpenShift Controller Manager Kubeconfig File</oval-def:title>
+            <oval-def:title>Ensure that the OpenShift API Server Operator only makes use of Strong Cryptographic Ciphers</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that ^/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-.*/configmaps/controller-manager-kubeconfig/kubeconfig$ has mode 0644.
-      If the target file or directory has an extended ACL, then it will fail the mode check.
-      </oval-def:description>
-            <oval-def:reference ref_id="CCE-83604-9" source="CCE"/>
-            <oval-def:reference ref_id="file_permissions_controller_manager_kubeconfig" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/apis/operator.openshift.io/v1/openshiftapiservers/cluster' at path '.spec.unsupportedConfigOverrides.servingInfo.cipherSuites[:]' all: value equals '^(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|TLS_RSA_WITH_AES_256_GCM_SHA384|TLS_RSA_WITH_AES_128_GCM_SHA256)$'</oval-def:description>
+            <oval-def:reference ref_id="kubelet_configure_tls_cipher_suites_openshiftapiserver_operator" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file mode of ^/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-.*/configmaps/controller-manager-kubeconfig/kubeconfig$" test_ref="oval:ssg-test_file_permissions_controller_manager_kubeconfig_0:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/apis/operator.openshift.io/v1/openshiftapiservers/cluster' at path '.spec.unsupportedConfigOverrides.servingInfo.cipherSuites[:]' all" test_ref="oval:ssg-test_kubelet_configure_tls_cipher_suites_openshiftapiserver_operator:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/apis/operator.openshift.io/v1/openshiftapiservers/cluster' exists." test_ref="oval:ssg-test_file_for_kubelet_configure_tls_cipher_suites_openshiftapiserver_operator:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_etcd_data_dir:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_configure_tls_cipher_suites_worker:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify Permissions on the Etcd Database Directory</oval-def:title>
+            <oval-def:title>Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that /var/lib/etcd/member/ has mode 0700.
-      If the target file or directory has an extended ACL, then it will fail the mode check.
-      </oval-def:description>
-            <oval-def:reference ref_id="CCE-84013-2" source="CCE"/>
-            <oval-def:reference ref_id="file_permissions_etcd_data_dir" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/kubeletconfig/role' at path '.tlsCipherSuites[:]' all: </oval-def:description>
+            <oval-def:reference ref_id="kubelet_configure_tls_cipher_suites_worker" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file mode of /var/lib/etcd/member/" test_ref="oval:ssg-test_file_permissions_etcd_data_dir_0:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/kubeletconfig/role' at path '.tlsCipherSuites[:]' all" test_ref="oval:ssg-test_kubelet_configure_tls_cipher_suites_worker:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/kubeletconfig/role' exists." test_ref="oval:ssg-test_file_for_kubelet_configure_tls_cipher_suites_worker:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_etcd_data_files:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_configure_tls_key:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify Permissions on the Etcd Write-Ahead-Log Files</oval-def:title>
+            <oval-def:title>Ensure That The kubelet Server Key Is Correctly Set</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that ^/var/lib/etcd/member/wal/.*$ has mode 0600.
-      If the target file or directory has an extended ACL, then it will fail the mode check.
-      </oval-def:description>
-            <oval-def:reference ref_id="CCE-83382-2" source="CCE"/>
-            <oval-def:reference ref_id="file_permissions_etcd_data_files" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments["kubelet-client-key"][:]' all: value equals '(.+)'</oval-def:description>
+            <oval-def:reference ref_id="CCE-90614-9" source="CCE"/>
+            <oval-def:reference ref_id="kubelet_configure_tls_key" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file mode of ^/var/lib/etcd/member/wal/.*$" test_ref="oval:ssg-test_file_permissions_etcd_data_files_0:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments[&quot;kubelet-client-key&quot;][:]' all" test_ref="oval:ssg-test_kubelet_configure_tls_key:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' exists." test_ref="oval:ssg-test_file_for_kubelet_configure_tls_key:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_etcd_member:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_configure_tls_key_pre_4_9:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify Permissions on the Etcd Member Pod Specification File</oval-def:title>
+            <oval-def:title>Ensure That The kubelet Server Key Is Correctly Set</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that ^/etc/kubernetes/static-pod-resources/etcd-pod-.*/etcd-pod.yaml$ has mode 0644.
-      If the target file or directory has an extended ACL, then it will fail the mode check.
-      </oval-def:description>
-            <oval-def:reference ref_id="CCE-83973-8" source="CCE"/>
-            <oval-def:reference ref_id="file_permissions_etcd_member" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' at path '.data['config.yaml']' all: value equals '"kubelet-client-key":\["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key"\]'</oval-def:description>
+            <oval-def:reference ref_id="CCE-90542-2" source="CCE"/>
+            <oval-def:reference ref_id="kubelet_configure_tls_key_pre_4_9" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file mode of ^/etc/kubernetes/static-pod-resources/etcd-pod-.*/etcd-pod.yaml$" test_ref="oval:ssg-test_file_permissions_etcd_member_0:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' at path '.data['config.yaml']' all" test_ref="oval:ssg-test_kubelet_configure_tls_key_pre_4_9:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' exists." test_ref="oval:ssg-test_file_for_kubelet_configure_tls_key_pre_4_9:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_etcd_pki_cert_files:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_disable_readonly_port:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify Permissions on the Etcd PKI Certificate Files</oval-def:title>
+            <oval-def:title>kubelet - Disable the Read-Only Port</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that ^/etc/kubernetes/static-pod-resources/etcd-.*/secrets/.*/.*\.crt$ has mode 0600.
-      If the target file or directory has an extended ACL, then it will fail the mode check.
-      </oval-def:description>
-            <oval-def:reference ref_id="CCE-83362-4" source="CCE"/>
-            <oval-def:reference ref_id="file_permissions_etcd_pki_cert_files" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments["kubelet-read-only-port"][:]' all: value equals '0'</oval-def:description>
+            <oval-def:reference ref_id="CCE-83427-5" source="CCE"/>
+            <oval-def:reference ref_id="kubelet_disable_readonly_port" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file mode of ^/etc/kubernetes/static-pod-resources/etcd-.*/secrets/.*/.*\.crt$" test_ref="oval:ssg-test_file_permissions_etcd_pki_cert_files_0:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments[&quot;kubelet-read-only-port&quot;][:]' all" test_ref="oval:ssg-test_kubelet_disable_readonly_port:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' exists." test_ref="oval:ssg-test_file_for_kubelet_disable_readonly_port:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_ip_allocations:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_enable_cert_rotation:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify Permissions on the OpenShift SDN Container Network Interface Plugin IP Address Allocations</oval-def:title>
+            <oval-def:title>kubelet - Enable Certificate Rotation</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that ^/var/lib/cni/networks/openshift-sdn/.*$ has mode 0644.
-      If the target file or directory has an extended ACL, then it will fail the mode check.
-      </oval-def:description>
-            <oval-def:reference ref_id="CCE-83469-7" source="CCE"/>
-            <oval-def:reference ref_id="file_permissions_ip_allocations" source="ssg"/>
+            <oval-def:description>The combined kubeletconfig check</oval-def:description>
+            <oval-def:reference ref_id="CCE-83838-3" source="CCE"/>
+            <oval-def:reference ref_id="kubelet_enable_cert_rotation" source="ssg"/>
           </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check file mode of ^/var/lib/cni/networks/openshift-sdn/.*$" test_ref="oval:ssg-test_file_permissions_ip_allocations_0:tst:1"/>
+          <oval-def:criteria operator="AND">
+            <oval-def:extend_definition comment="check kubeletconfig worker" definition_ref="oval:ssg-kubelet_enable_cert_rotation_worker:def:1"/>
+            <oval-def:extend_definition comment="check kubeletconfig master" definition_ref="oval:ssg-kubelet_enable_cert_rotation_master:def:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_kube_apiserver:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_enable_cert_rotation_deprecated:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify Permissions on the Kubernetes API Server Pod Specification File</oval-def:title>
+            <oval-def:title>kubelet - Enable Certificate Rotation</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that ^/etc/kubernetes/static-pod-resources/kube-apiserver-pod-.*/kube-apiserver-pod.yaml$ has mode 0644.
-      If the target file or directory has an extended ACL, then it will fail the mode check.
-      </oval-def:description>
-            <oval-def:reference ref_id="CCE-83983-7" source="CCE"/>
-            <oval-def:reference ref_id="file_permissions_kube_apiserver" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.rotateCertificates' all: value equals 'true'</oval-def:description>
+            <oval-def:reference ref_id="kubelet_enable_cert_rotation_deprecated" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file mode of ^/etc/kubernetes/static-pod-resources/kube-apiserver-pod-.*/kube-apiserver-pod.yaml$" test_ref="oval:ssg-test_file_permissions_kube_apiserver_0:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.rotateCertificates' all" test_ref="oval:ssg-test_kubelet_enable_cert_rotation_deprecated:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_kube_controller_manager:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_enable_cert_rotation_master:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify Permissions on the Kubernetes Controller Manager Pod Specificiation File</oval-def:title>
+            <oval-def:title>kubelet - Enable Certificate Rotation</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that ^/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-.*/kube-controller-manager-pod.yaml$ has mode 0644.
-      If the target file or directory has an extended ACL, then it will fail the mode check.
-      </oval-def:description>
-            <oval-def:reference ref_id="CCE-84161-9" source="CCE"/>
-            <oval-def:reference ref_id="file_permissions_kube_controller_manager" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/kubeletconfig/role' at path '.rotateCertificates' all: value equals 'true'</oval-def:description>
+            <oval-def:reference ref_id="kubelet_enable_cert_rotation_master" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file mode of ^/etc/kubernetes/static-pod-resources/kube-controller-manager-pod-.*/kube-controller-manager-pod.yaml$" test_ref="oval:ssg-test_file_permissions_kube_controller_manager_0:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/kubeletconfig/role' at path '.rotateCertificates' all" test_ref="oval:ssg-test_kubelet_enable_cert_rotation_master:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/kubeletconfig/role' exists." test_ref="oval:ssg-test_file_for_kubelet_enable_cert_rotation_master:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_kubelet:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_enable_cert_rotation_worker:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify Permissions on The Kubelet Configuration File</oval-def:title>
+            <oval-def:title>kubelet - Enable Certificate Rotation</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that /var/lib/kubelet/config.json has mode 0600.
-      If the target file or directory has an extended ACL, then it will fail the mode check.
-      </oval-def:description>
-            <oval-def:reference ref_id="CCE-85896-9" source="CCE"/>
-            <oval-def:reference ref_id="file_permissions_kubelet" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/kubeletconfig/role' at path '.rotateCertificates' all: value equals 'true'</oval-def:description>
+            <oval-def:reference ref_id="kubelet_enable_cert_rotation_worker" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file mode of /var/lib/kubelet/config.json" test_ref="oval:ssg-test_file_permissions_kubelet_0:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/kubeletconfig/role' at path '.rotateCertificates' all" test_ref="oval:ssg-test_kubelet_enable_cert_rotation_worker:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/kubeletconfig/role' exists." test_ref="oval:ssg-test_file_for_kubelet_enable_cert_rotation_worker:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_kubelet_conf:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_enable_client_cert_rotation:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify Permissions on The Kubelet Configuration File</oval-def:title>
+            <oval-def:title>kubelet - Enable Client Certificate Rotation</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that /etc/kubernetes/kubelet.conf has mode 0644.
-      If the target file or directory has an extended ACL, then it will fail the mode check.
-      </oval-def:description>
-            <oval-def:reference ref_id="CCE-83470-5" source="CCE"/>
-            <oval-def:reference ref_id="file_permissions_kubelet_conf" source="ssg"/>
+            <oval-def:description>The combined kubeletconfig check</oval-def:description>
+            <oval-def:reference ref_id="CCE-83352-5" source="CCE"/>
+            <oval-def:reference ref_id="kubelet_enable_client_cert_rotation" source="ssg"/>
           </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check file mode of /etc/kubernetes/kubelet.conf" test_ref="oval:ssg-test_file_permissions_kubelet_conf_0:tst:1"/>
+          <oval-def:criteria operator="AND">
+            <oval-def:extend_definition comment="check kubeletconfig worker" definition_ref="oval:ssg-kubelet_enable_client_cert_rotation_worker:def:1"/>
+            <oval-def:extend_definition comment="check kubeletconfig master" definition_ref="oval:ssg-kubelet_enable_client_cert_rotation_master:def:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_master_admin_kubeconfigs:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_enable_client_cert_rotation_master:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify Permissions on the OpenShift Admin Kubeconfig Files</oval-def:title>
+            <oval-def:title>kubelet - Enable Client Certificate Rotation</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that ^/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/.*\.kubeconfig$ has mode 0600.
-      If the target file or directory has an extended ACL, then it will fail the mode check.
-      </oval-def:description>
-            <oval-def:reference ref_id="CCE-84278-1" source="CCE"/>
-            <oval-def:reference ref_id="file_permissions_master_admin_kubeconfigs" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/kubeletconfig/role' at path '.featureGates.RotateKubeletClientCertificate' all: value equals 'false'</oval-def:description>
+            <oval-def:reference ref_id="kubelet_enable_client_cert_rotation_master" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file mode of ^/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/.*\.kubeconfig$" test_ref="oval:ssg-test_file_permissions_master_admin_kubeconfigs_0:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/kubeletconfig/role' at path '.featureGates.RotateKubeletClientCertificate' all" test_ref="oval:ssg-test_kubelet_enable_client_cert_rotation_master:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/kubeletconfig/role' exists." test_ref="oval:ssg-test_file_for_kubelet_enable_client_cert_rotation_master:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_multus_conf:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_enable_client_cert_rotation_worker:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify Permissions on the OpenShift Multus Container Network Interface Plugin Files</oval-def:title>
+            <oval-def:title>kubelet - Enable Client Certificate Rotation</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that ^/var/run/multus/cni/net.d/.*$ has mode 0644.
-      If the target file or directory has an extended ACL, then it will fail the mode check.
-      </oval-def:description>
-            <oval-def:reference ref_id="CCE-83467-1" source="CCE"/>
-            <oval-def:reference ref_id="file_permissions_multus_conf" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/kubeletconfig/role' at path '.featureGates.RotateKubeletClientCertificate' all: value equals 'false'</oval-def:description>
+            <oval-def:reference ref_id="kubelet_enable_client_cert_rotation_worker" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file mode of ^/var/run/multus/cni/net.d/.*$" test_ref="oval:ssg-test_file_permissions_multus_conf_0:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/kubeletconfig/role' at path '.featureGates.RotateKubeletClientCertificate' all" test_ref="oval:ssg-test_kubelet_enable_client_cert_rotation_worker:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/kubeletconfig/role' exists." test_ref="oval:ssg-test_file_for_kubelet_enable_client_cert_rotation_worker:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_openshift_pki_cert_files:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_enable_iptables_util_chains:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify Permissions on the OpenShift PKI Certificate Files</oval-def:title>
+            <oval-def:title>kubelet - Allow Automatic Firewall Configuration</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that ^/etc/kubernetes/static-pod-resources/kube-.*/secrets/.*/tls\.crt$ has mode 0600.
-      If the target file or directory has an extended ACL, then it will fail the mode check.
-      </oval-def:description>
-            <oval-def:reference ref_id="CCE-83552-0" source="CCE"/>
-            <oval-def:reference ref_id="file_permissions_openshift_pki_cert_files" source="ssg"/>
+            <oval-def:description>The combined kubeletconfig check</oval-def:description>
+            <oval-def:reference ref_id="CCE-83775-7" source="CCE"/>
+            <oval-def:reference ref_id="kubelet_enable_iptables_util_chains" source="ssg"/>
           </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check file mode of ^/etc/kubernetes/static-pod-resources/kube-.*/secrets/.*/tls\.crt$" test_ref="oval:ssg-test_file_permissions_openshift_pki_cert_files_0:tst:1"/>
+          <oval-def:criteria operator="AND">
+            <oval-def:extend_definition comment="check kubeletconfig worker" definition_ref="oval:ssg-kubelet_enable_iptables_util_chains_worker:def:1"/>
+            <oval-def:extend_definition comment="check kubeletconfig master" definition_ref="oval:ssg-kubelet_enable_iptables_util_chains_master:def:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_openshift_pki_key_files:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_enable_iptables_util_chains_deprecated:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify Permissions on the OpenShift PKI Private Key Files</oval-def:title>
+            <oval-def:title>kubelet - Allow Automatic Firewall Configuration</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that ^/etc/kubernetes/static-pod-resources/.*/.*/.*/.*\.key$ has mode 0600.
-      If the target file or directory has an extended ACL, then it will fail the mode check.
-      </oval-def:description>
-            <oval-def:reference ref_id="CCE-83580-1" source="CCE"/>
-            <oval-def:reference ref_id="file_permissions_openshift_pki_key_files" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.makeIPTablesUtilChains' all: value equals 'true'</oval-def:description>
+            <oval-def:reference ref_id="kubelet_enable_iptables_util_chains_deprecated" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file mode of ^/etc/kubernetes/static-pod-resources/.*/.*/.*/.*\.key$" test_ref="oval:ssg-test_file_permissions_openshift_pki_key_files_0:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.makeIPTablesUtilChains' all" test_ref="oval:ssg-test_kubelet_enable_iptables_util_chains_deprecated:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_openvswitch:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_enable_iptables_util_chains_master:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify Permissions on the OpenShift Open vSwitch Files</oval-def:title>
+            <oval-def:title>kubelet - Allow Automatic Firewall Configuration</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that /etc/openvswitch/ has mode 0644.
-      If the target file or directory has an extended ACL, then it will fail the mode check.
-      </oval-def:description>
-            <oval-def:reference ref_id="file_permissions_openvswitch" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/kubeletconfig/role' at path '.makeIPTablesUtilChains' all: value equals 'true'</oval-def:description>
+            <oval-def:reference ref_id="kubelet_enable_iptables_util_chains_master" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file mode of /etc/openvswitch/" test_ref="oval:ssg-test_file_permissions_openvswitch_0:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/kubeletconfig/role' at path '.makeIPTablesUtilChains' all" test_ref="oval:ssg-test_kubelet_enable_iptables_util_chains_master:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/kubeletconfig/role' exists." test_ref="oval:ssg-test_file_for_kubelet_enable_iptables_util_chains_master:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_ovs_conf_db:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_enable_iptables_util_chains_worker:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify Permissions on the Open vSwitch Configuration Database</oval-def:title>
+            <oval-def:title>kubelet - Allow Automatic Firewall Configuration</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that /etc/openvswitch/conf.db has mode 0640.
-      If the target file or directory has an extended ACL, then it will fail the mode check.
-      </oval-def:description>
-            <oval-def:reference ref_id="CCE-83788-0" source="CCE"/>
-            <oval-def:reference ref_id="file_permissions_ovs_conf_db" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/kubeletconfig/role' at path '.makeIPTablesUtilChains' all: value equals 'true'</oval-def:description>
+            <oval-def:reference ref_id="kubelet_enable_iptables_util_chains_worker" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file mode of /etc/openvswitch/conf.db" test_ref="oval:ssg-test_file_permissions_ovs_conf_db_0:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/kubeletconfig/role' at path '.makeIPTablesUtilChains' all" test_ref="oval:ssg-test_kubelet_enable_iptables_util_chains_worker:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/kubeletconfig/role' exists." test_ref="oval:ssg-test_file_for_kubelet_enable_iptables_util_chains_worker:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_ovs_conf_db_lock:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_enable_protect_kernel_defaults:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify Permissions on the Open vSwitch Configuration Database Lock</oval-def:title>
+            <oval-def:title>kubelet - Enable Protect Kernel Defaults</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that /etc/openvswitch/.conf.db.~lock~ has mode 0600.
-      If the target file or directory has an extended ACL, then it will fail the mode check.
-      </oval-def:description>
-            <oval-def:reference ref_id="CCE-84202-1" source="CCE"/>
-            <oval-def:reference ref_id="file_permissions_ovs_conf_db_lock" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.protectKernelDefaults' all: value equals 'true'</oval-def:description>
+            <oval-def:reference ref_id="kubelet_enable_protect_kernel_defaults" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file mode of /etc/openvswitch/.conf.db.~lock~" test_ref="oval:ssg-test_file_permissions_ovs_conf_db_lock_0:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.protectKernelDefaults' all" test_ref="oval:ssg-test_kubelet_enable_protect_kernel_defaults:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_ovs_pid:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_enable_protect_kernel_sysctl_file_exist:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify Permissions on the Open vSwitch Process ID File</oval-def:title>
+            <oval-def:title>kubelet - Set Up Sysctl to Enable Protect Kernel Defaults - Check sysctl configuration file exist</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that /var/run/openvswitch/ovs-vswitchd.pid has mode 0644.
-      If the target file or directory has an extended ACL, then it will fail the mode check.
-      </oval-def:description>
-            <oval-def:reference ref_id="CCE-83666-8" source="CCE"/>
-            <oval-def:reference ref_id="file_permissions_ovs_pid" source="ssg"/>
+            <oval-def:description>This test makes sure that/etc/sysctl.d/90-kubelet.conf does exist.</oval-def:description>
+            <oval-def:reference ref_id="kubelet_enable_protect_kernel_sysctl_file_exist" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file mode of /var/run/openvswitch/ovs-vswitchd.pid" test_ref="oval:ssg-test_file_permissions_ovs_pid_0:tst:1"/>
+            <oval-def:criterion comment="Ensure that /etc/sysctl.d/90-kubelet.conf does exist." test_ref="oval:ssg-test_kubelet_enable_protect_kernel_sysctl_file_exist:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_ovs_sys_id_conf:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_enable_protect_kernel_sysctl_kernel_keys_root_maxbytes:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify Permissions on the Open vSwitch Persistent System ID</oval-def:title>
+            <oval-def:title>kubelet - Set Up Sysctl to Enable Protect Kernel Defaults - Check Parameter kernel.keys.root_maxbytes</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that /etc/openvswitch/system-id.conf has mode 0644.
-      If the target file or directory has an extended ACL, then it will fail the mode check.
-      </oval-def:description>
-            <oval-def:reference ref_id="CCE-83400-2" source="CCE"/>
-            <oval-def:reference ref_id="file_permissions_ovs_sys_id_conf" source="ssg"/>
+            <oval-def:description>Check presence of kernel.keys.root_maxbytes=25000000 in /etc/sysctl.d/90-kubelet.conf</oval-def:description>
+            <oval-def:reference ref_id="kubelet_enable_protect_kernel_sysctl_kernel_keys_root_maxbytes" source="ssg"/>
           </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check file mode of /etc/openvswitch/system-id.conf" test_ref="oval:ssg-test_file_permissions_ovs_sys_id_conf_0:tst:1"/>
+          <oval-def:criteria operator="AND" comment="Test conditions - presence of the file plus 0 extra definitions.">
+            <oval-def:criterion comment="Check that /etc/sysctl.d/90-kubelet.conf contains a line with certain text" test_ref="oval:ssg-test_kubelet_enable_protect_kernel_sysctl_kernel_keys_root_maxbytes:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_ovs_vswitchd_pid:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_enable_protect_kernel_sysctl_kernel_keys_root_maxkeys:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify Permissions on the Open vSwitch Daemon PID File</oval-def:title>
+            <oval-def:title>kubelet - Set Up Sysctl to Enable Protect Kernel Defaults - Check Parameter kernel.keys.root_maxkeys</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that /run/openvswitch/ovs-vswitchd.pid has mode 0644.
-      If the target file or directory has an extended ACL, then it will fail the mode check.
-      </oval-def:description>
-            <oval-def:reference ref_id="CCE-83710-4" source="CCE"/>
-            <oval-def:reference ref_id="file_permissions_ovs_vswitchd_pid" source="ssg"/>
+            <oval-def:description>Check presence of kernel.keys.root_maxkeys=1000000 in /etc/sysctl.d/90-kubelet.conf</oval-def:description>
+            <oval-def:reference ref_id="kubelet_enable_protect_kernel_sysctl_kernel_keys_root_maxkeys" source="ssg"/>
           </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check file mode of /run/openvswitch/ovs-vswitchd.pid" test_ref="oval:ssg-test_file_permissions_ovs_vswitchd_pid_0:tst:1"/>
+          <oval-def:criteria operator="AND" comment="Test conditions - presence of the file plus 0 extra definitions.">
+            <oval-def:criterion comment="Check that /etc/sysctl.d/90-kubelet.conf contains a line with certain text" test_ref="oval:ssg-test_kubelet_enable_protect_kernel_sysctl_kernel_keys_root_maxkeys:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_ovsdb_server_pid:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_enable_protect_kernel_sysctl_kernel_panic:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify Permissions on the Open vSwitch Database Server PID</oval-def:title>
+            <oval-def:title>kubelet - Set Up Sysctl to Enable Protect Kernel Defaults - Check Parameter kernel.panic</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that /run/openvswitch/ovsdb-server.pid has mode 0644.
-      If the target file or directory has an extended ACL, then it will fail the mode check.
-      </oval-def:description>
-            <oval-def:reference ref_id="CCE-83679-1" source="CCE"/>
-            <oval-def:reference ref_id="file_permissions_ovsdb_server_pid" source="ssg"/>
+            <oval-def:description>Check presence of kernel.panic=10 in /etc/sysctl.d/90-kubelet.conf</oval-def:description>
+            <oval-def:reference ref_id="kubelet_enable_protect_kernel_sysctl_kernel_panic" source="ssg"/>
           </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check file mode of /run/openvswitch/ovsdb-server.pid" test_ref="oval:ssg-test_file_permissions_ovsdb_server_pid_0:tst:1"/>
+          <oval-def:criteria operator="AND" comment="Test conditions - presence of the file plus 0 extra definitions.">
+            <oval-def:criterion comment="Check that /etc/sysctl.d/90-kubelet.conf contains a line with certain text" test_ref="oval:ssg-test_kubelet_enable_protect_kernel_sysctl_kernel_panic:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_proxy_kubeconfig:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_enable_protect_kernel_sysctl_kernel_panic_on_oops:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify Permissions on the Worker Proxy Kubeconfig File</oval-def:title>
+            <oval-def:title>kubelet - Set Up Sysctl to Enable Protect Kernel Defaults - Check Parameter kernel.panic_on_oops</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/apis/apps/v1/namespaces/openshift-sdn/daemonsets/sdn' at path 'spec.template.spec.volumes[:].configMap['defaultMode','name']' at least one: key 'name' value equals 'sdn-config' and key 'defaultMode' value equals '420'</oval-def:description>
-            <oval-def:reference ref_id="CCE-84047-0" source="CCE"/>
-            <oval-def:reference ref_id="file_permissions_proxy_kubeconfig" source="ssg"/>
+            <oval-def:description>Check presence of kernel.panic_on_oops=1 in /etc/sysctl.d/90-kubelet.conf</oval-def:description>
+            <oval-def:reference ref_id="kubelet_enable_protect_kernel_sysctl_kernel_panic_on_oops" source="ssg"/>
           </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/apis/apps/v1/namespaces/openshift-sdn/daemonsets/sdn' at path 'spec.template.spec.volumes[:].configMap['defaultMode','name']' at least one" test_ref="oval:ssg-test_file_permissions_proxy_kubeconfig:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/apis/apps/v1/namespaces/openshift-sdn/daemonsets/sdn' exists." test_ref="oval:ssg-test_file_for_file_permissions_proxy_kubeconfig:tst:1"/>
+          <oval-def:criteria operator="AND" comment="Test conditions - presence of the file plus 0 extra definitions.">
+            <oval-def:criterion comment="Check that /etc/sysctl.d/90-kubelet.conf contains a line with certain text" test_ref="oval:ssg-test_kubelet_enable_protect_kernel_sysctl_kernel_panic_on_oops:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_scheduler:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_enable_protect_kernel_sysctl_vm_overcommit_memory:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify Permissions on the Kubernetes Scheduler Pod Specification File</oval-def:title>
+            <oval-def:title>kubelet - Set Up Sysctl to Enable Protect Kernel Defaults - Check Parameter vm.overcommit_memory</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that ^/etc/kubernetes/static-pod-resources/kube-scheduler-pod-.*/kube-scheduler-pod.yaml$ has mode 0644.
-      If the target file or directory has an extended ACL, then it will fail the mode check.
-      </oval-def:description>
-            <oval-def:reference ref_id="CCE-84057-9" source="CCE"/>
-            <oval-def:reference ref_id="file_permissions_scheduler" source="ssg"/>
+            <oval-def:description>Check presence of vm.overcommit_memory=1 in /etc/sysctl.d/90-kubelet.conf</oval-def:description>
+            <oval-def:reference ref_id="kubelet_enable_protect_kernel_sysctl_vm_overcommit_memory" source="ssg"/>
           </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check file mode of ^/etc/kubernetes/static-pod-resources/kube-scheduler-pod-.*/kube-scheduler-pod.yaml$" test_ref="oval:ssg-test_file_permissions_scheduler_0:tst:1"/>
+          <oval-def:criteria operator="AND" comment="Test conditions - presence of the file plus 0 extra definitions.">
+            <oval-def:criterion comment="Check that /etc/sysctl.d/90-kubelet.conf contains a line with certain text" test_ref="oval:ssg-test_kubelet_enable_protect_kernel_sysctl_vm_overcommit_memory:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_scheduler_kubeconfig:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_enable_protect_kernel_sysctl_vm_panic_on_oom:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify Permissions on the Kubernetes Scheduler Kubeconfig File</oval-def:title>
+            <oval-def:title>kubelet - Set Up Sysctl to Enable Protect Kernel Defaults - Check Parameter vm.panic_on_oom</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that ^/etc/kubernetes/static-pod-resources/kube-scheduler-pod-.*/configmaps/scheduler-kubeconfig/kubeconfig$ has mode 0644.
-      If the target file or directory has an extended ACL, then it will fail the mode check.
-      </oval-def:description>
-            <oval-def:reference ref_id="CCE-83772-4" source="CCE"/>
-            <oval-def:reference ref_id="file_permissions_scheduler_kubeconfig" source="ssg"/>
+            <oval-def:description>Check presence of kernel.panic=10 in /etc/sysctl.d/90-kubelet.conf</oval-def:description>
+            <oval-def:reference ref_id="kubelet_enable_protect_kernel_sysctl_vm_panic_on_oom" source="ssg"/>
           </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check file mode of ^/etc/kubernetes/static-pod-resources/kube-scheduler-pod-.*/configmaps/scheduler-kubeconfig/kubeconfig$" test_ref="oval:ssg-test_file_permissions_scheduler_kubeconfig_0:tst:1"/>
+          <oval-def:criteria operator="AND" comment="Test conditions - presence of the file plus 0 extra definitions.">
+            <oval-def:criterion comment="Check that /etc/sysctl.d/90-kubelet.conf contains a line with certain text" test_ref="oval:ssg-test_kubelet_enable_protect_kernel_sysctl_vm_panic_on_oom:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_var_lib_etcd:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_enable_server_cert_rotation:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>The OpenShift etcd Data Directory Must Have Mode 0700</oval-def:title>
+            <oval-def:title>kubelet - Enable Server Certificate Rotation</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that /var/lib/etcd/ has mode 0700.
-      If the target file or directory has an extended ACL, then it will fail the mode check.
-      </oval-def:description>
-            <oval-def:reference ref_id="file_permissions_var_lib_etcd" source="ssg"/>
+            <oval-def:description>The combined kubeletconfig check</oval-def:description>
+            <oval-def:reference ref_id="CCE-83356-6" source="CCE"/>
+            <oval-def:reference ref_id="kubelet_enable_server_cert_rotation" source="ssg"/>
           </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check file mode of /var/lib/etcd/" test_ref="oval:ssg-test_file_permissions_var_lib_etcd_0:tst:1"/>
+          <oval-def:criteria operator="AND">
+            <oval-def:extend_definition comment="check kubeletconfig worker" definition_ref="oval:ssg-kubelet_enable_server_cert_rotation_worker:def:1"/>
+            <oval-def:extend_definition comment="check kubeletconfig master" definition_ref="oval:ssg-kubelet_enable_server_cert_rotation_master:def:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_var_log_kube_audit:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_enable_server_cert_rotation_deprecated:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Kubernetes Audit Logs Must Have Mode 0600</oval-def:title>
+            <oval-def:title>kubelet - Enable Server Certificate Rotation</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that ^/var/log/kube-apiserver/.+\.log$ has mode 0600.
-      If the target file or directory has an extended ACL, then it will fail the mode check.
-      </oval-def:description>
-            <oval-def:reference ref_id="CCE-83654-4" source="CCE"/>
-            <oval-def:reference ref_id="file_permissions_var_log_kube_audit" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.featureGates.RotateKubeletServerCertificate' all: value equals 'true'</oval-def:description>
+            <oval-def:reference ref_id="kubelet_enable_server_cert_rotation_deprecated" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file mode of ^/var/log/kube-apiserver/.+\.log$" test_ref="oval:ssg-test_file_permissions_var_log_kube_audit_0:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.featureGates.RotateKubeletServerCertificate' all" test_ref="oval:ssg-test_kubelet_enable_server_cert_rotation_deprecated:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_var_log_oauth_audit:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_enable_server_cert_rotation_master:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>OAuth Audit Logs Must Have Mode 0600</oval-def:title>
+            <oval-def:title>kubelet - Enable Server Certificate Rotation</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that ^/var/log/oauth-apiserver/.+\.log$ has mode 0600.
-      If the target file or directory has an extended ACL, then it will fail the mode check.
-      </oval-def:description>
-            <oval-def:reference ref_id="CCE-90637-0" source="CCE"/>
-            <oval-def:reference ref_id="file_permissions_var_log_oauth_audit" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/kubeletconfig/role' at path '.featureGates.RotateKubeletServerCertificate' all: value equals 'true'</oval-def:description>
+            <oval-def:reference ref_id="kubelet_enable_server_cert_rotation_master" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file mode of ^/var/log/oauth-apiserver/.+\.log$" test_ref="oval:ssg-test_file_permissions_var_log_oauth_audit_0:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/kubeletconfig/role' at path '.featureGates.RotateKubeletServerCertificate' all" test_ref="oval:ssg-test_kubelet_enable_server_cert_rotation_master:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/kubeletconfig/role' exists." test_ref="oval:ssg-test_file_for_kubelet_enable_server_cert_rotation_master:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_var_log_ocp_audit:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_enable_server_cert_rotation_worker:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>OpenShift Audit Logs Must Have Mode 0600</oval-def:title>
+            <oval-def:title>kubelet - Enable Server Certificate Rotation</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that ^/var/log/openshift-apiserver/.+\.log$ has mode 0600.
-      If the target file or directory has an extended ACL, then it will fail the mode check.
-      </oval-def:description>
-            <oval-def:reference ref_id="CCE-90638-8" source="CCE"/>
-            <oval-def:reference ref_id="file_permissions_var_log_ocp_audit" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/kubeletconfig/role' at path '.featureGates.RotateKubeletServerCertificate' all: value equals 'true'</oval-def:description>
+            <oval-def:reference ref_id="kubelet_enable_server_cert_rotation_worker" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file mode of ^/var/log/openshift-apiserver/.+\.log$" test_ref="oval:ssg-test_file_permissions_var_log_ocp_audit_0:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/kubeletconfig/role' at path '.featureGates.RotateKubeletServerCertificate' all" test_ref="oval:ssg-test_kubelet_enable_server_cert_rotation_worker:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/kubeletconfig/role' exists." test_ref="oval:ssg-test_file_for_kubelet_enable_server_cert_rotation_worker:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_worker_ca:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_enable_streaming_connections:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify Permissions on the Worker Certificate Authority File</oval-def:title>
+            <oval-def:title>kubelet - Do Not Disable Streaming Timeouts</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that /etc/kubernetes/kubelet-ca.crt has mode 0644.
-      If the target file or directory has an extended ACL, then it will fail the mode check.
-      </oval-def:description>
-            <oval-def:reference ref_id="CCE-83493-7" source="CCE"/>
-            <oval-def:reference ref_id="file_permissions_worker_ca" source="ssg"/>
+            <oval-def:description>The combined kubeletconfig check</oval-def:description>
+            <oval-def:reference ref_id="CCE-84097-5" source="CCE"/>
+            <oval-def:reference ref_id="kubelet_enable_streaming_connections" source="ssg"/>
           </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check file mode of /etc/kubernetes/kubelet-ca.crt" test_ref="oval:ssg-test_file_permissions_worker_ca_0:tst:1"/>
+          <oval-def:criteria operator="AND">
+            <oval-def:extend_definition comment="check kubeletconfig worker" definition_ref="oval:ssg-kubelet_enable_streaming_connections_worker:def:1"/>
+            <oval-def:extend_definition comment="check kubeletconfig master" definition_ref="oval:ssg-kubelet_enable_streaming_connections_master:def:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_worker_kubeconfig:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_enable_streaming_connections_deprecated:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify Permissions on the Worker Kubeconfig File</oval-def:title>
+            <oval-def:title>kubelet - Do Not Disable Streaming Timeouts</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that /var/lib/kubelet/kubeconfig has mode 0600.
-      If the target file or directory has an extended ACL, then it will fail the mode check.
-      </oval-def:description>
-            <oval-def:reference ref_id="CCE-83509-0" source="CCE"/>
-            <oval-def:reference ref_id="file_permissions_worker_kubeconfig" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.streamingConnectionIdleTimeout' all: </oval-def:description>
+            <oval-def:reference ref_id="kubelet_enable_streaming_connections_deprecated" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file mode of /var/lib/kubelet/kubeconfig" test_ref="oval:ssg-test_file_permissions_worker_kubeconfig_0:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.streamingConnectionIdleTimeout' all" test_ref="oval:ssg-test_kubelet_enable_streaming_connections_deprecated:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_worker_service:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_enable_streaming_connections_master:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify Permissions on the OpenShift Node Service File</oval-def:title>
+            <oval-def:title>kubelet - Do Not Disable Streaming Timeouts</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that /etc/systemd/system/kubelet.service has mode 0644.
-      If the target file or directory has an extended ACL, then it will fail the mode check.
-      </oval-def:description>
-            <oval-def:reference ref_id="CCE-83455-6" source="CCE"/>
-            <oval-def:reference ref_id="file_permissions_worker_service" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/kubeletconfig/role' at path '.streamingConnectionIdleTimeout' all: </oval-def:description>
+            <oval-def:reference ref_id="kubelet_enable_streaming_connections_master" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file mode of /etc/systemd/system/kubelet.service" test_ref="oval:ssg-test_file_permissions_worker_service_0:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/kubeletconfig/role' at path '.streamingConnectionIdleTimeout' all" test_ref="oval:ssg-test_kubelet_enable_streaming_connections_master:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/kubeletconfig/role' exists." test_ref="oval:ssg-test_file_for_kubelet_enable_streaming_connections_master:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_perms_openshift_sdn_cniserver_config:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_enable_streaming_connections_worker:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Verify Permissions on the OpenShift SDN CNI Server Config</oval-def:title>
+            <oval-def:title>kubelet - Do Not Disable Streaming Timeouts</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that /var/run/openshift-sdn/cniserver/config.json has mode 0444.
-      If the target file or directory has an extended ACL, then it will fail the mode check.
-      </oval-def:description>
-            <oval-def:reference ref_id="CCE-83927-4" source="CCE"/>
-            <oval-def:reference ref_id="file_perms_openshift_sdn_cniserver_config" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/kubeletconfig/role' at path '.streamingConnectionIdleTimeout' all: </oval-def:description>
+            <oval-def:reference ref_id="kubelet_enable_streaming_connections_worker" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="Check file mode of /var/run/openshift-sdn/cniserver/config.json" test_ref="oval:ssg-test_file_permissionsfile_perms_openshift_sdn_cniserver_config_0:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/kubeletconfig/role' at path '.streamingConnectionIdleTimeout' all" test_ref="oval:ssg-test_kubelet_enable_streaming_connections_worker:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/kubeletconfig/role' exists." test_ref="oval:ssg-test_file_for_kubelet_enable_streaming_connections_worker:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-fips_mode_enabled:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_eviction_thresholds_set_hard_imagefs_available:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Ensure that the cluster was installed with FIPS mode enabled</oval-def:title>
+            <oval-def:title>Ensure Eviction threshold Settings Are Set - evictionHard: imagefs.available</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/apis/machineconfiguration.openshift.io/v1/machineconfigs/99-master-fips' at path '.spec.fips' all: value equals 'true'</oval-def:description>
-            <oval-def:reference ref_id="CCE-84214-6" source="CCE"/>
-            <oval-def:reference ref_id="fips_mode_enabled" source="ssg"/>
+            <oval-def:description>The combined kubeletconfig check</oval-def:description>
+            <oval-def:reference ref_id="CCE-84144-5" source="CCE"/>
+            <oval-def:reference ref_id="kubelet_eviction_thresholds_set_hard_imagefs_available" source="ssg"/>
           </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/apis/machineconfiguration.openshift.io/v1/machineconfigs/99-master-fips' at path '.spec.fips' all" test_ref="oval:ssg-test_fips_mode_enabled:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/apis/machineconfiguration.openshift.io/v1/machineconfigs/99-master-fips' exists." test_ref="oval:ssg-test_file_for_fips_mode_enabled:tst:1"/>
+          <oval-def:criteria operator="AND">
+            <oval-def:extend_definition comment="check kubeletconfig worker" definition_ref="oval:ssg-kubelet_eviction_thresholds_set_hard_imagefs_available_worker:def:1"/>
+            <oval-def:extend_definition comment="check kubeletconfig master" definition_ref="oval:ssg-kubelet_eviction_thresholds_set_hard_imagefs_available_master:def:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-fips_mode_enabled_on_all_nodes:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_eviction_thresholds_set_hard_imagefs_available_deprecated:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Ensure that FIPS mode is enabled on all cluster nodes</oval-def:title>
+            <oval-def:title>Ensure Eviction threshold Settings Are Set - evictionHard: imagefs.available</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/apis/machineconfiguration.openshift.io/v1/machineconfigs#191c7889a801949fcc07c8f067ca719c614388ea53f4b96b7148c57799e423b3' at path '[:]' all: value equals 'true'</oval-def:description>
-            <oval-def:reference ref_id="CCE-85860-5" source="CCE"/>
-            <oval-def:reference ref_id="fips_mode_enabled_on_all_nodes" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.evictionHard['imagefs.available']' all: value equals '.*'</oval-def:description>
+            <oval-def:reference ref_id="kubelet_eviction_thresholds_set_hard_imagefs_available_deprecated" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/apis/machineconfiguration.openshift.io/v1/machineconfigs#191c7889a801949fcc07c8f067ca719c614388ea53f4b96b7148c57799e423b3' at path '[:]' all" test_ref="oval:ssg-test_fips_mode_enabled_on_all_nodes:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/apis/machineconfiguration.openshift.io/v1/machineconfigs#191c7889a801949fcc07c8f067ca719c614388ea53f4b96b7148c57799e423b3' exists." test_ref="oval:ssg-test_file_for_fips_mode_enabled_on_all_nodes:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.evictionHard['imagefs.available']' all" test_ref="oval:ssg-test_kubelet_eviction_thresholds_set_hard_imagefs_available_deprecated:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-gcp_disk_encryption_enabled:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_eviction_thresholds_set_hard_imagefs_available_master:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Ensure that the MachineSets provisioned by GCP have disk encryption enabled</oval-def:title>
+            <oval-def:title>Ensure Eviction threshold Settings Are Set - evictionHard: imagefs.available</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/apis/machine.openshift.io/v1beta1/machinesets?limit=500#4de267a890d70235b0f43110ee972bee760ecce356b1e9cb910f99cc33a02cc2' at path '[:]' all: value equals '^.+$'</oval-def:description>
-            <oval-def:reference ref_id="CCE-90357-5" source="CCE"/>
-            <oval-def:reference ref_id="gcp_disk_encryption_enabled" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/kubeletconfig/role' at path '.evictionHard['imagefs.available']' all: </oval-def:description>
+            <oval-def:reference ref_id="kubelet_eviction_thresholds_set_hard_imagefs_available_master" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/apis/machine.openshift.io/v1beta1/machinesets?limit=500#4de267a890d70235b0f43110ee972bee760ecce356b1e9cb910f99cc33a02cc2' at path '[:]' all" test_ref="oval:ssg-test_gcp_disk_encryption_enabled:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/apis/machine.openshift.io/v1beta1/machinesets?limit=500#4de267a890d70235b0f43110ee972bee760ecce356b1e9cb910f99cc33a02cc2' exists." test_ref="oval:ssg-test_file_for_gcp_disk_encryption_enabled:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/kubeletconfig/role' at path '.evictionHard['imagefs.available']' all" test_ref="oval:ssg-test_kubelet_eviction_thresholds_set_hard_imagefs_available_master:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/kubeletconfig/role' exists." test_ref="oval:ssg-test_file_for_kubelet_eviction_thresholds_set_hard_imagefs_available_master:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-gitops_operator_exists:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_eviction_thresholds_set_hard_imagefs_available_worker:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Ensure that GitOps Operator is deployed</oval-def:title>
+            <oval-def:title>Ensure Eviction threshold Settings Are Set - evictionHard: imagefs.available</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/apis/pipelines.openshift.io/v1alpha1/gitopsservices?limit=5' at path '.items[:].metadata.name' at least one: value equals '.*'</oval-def:description>
-            <oval-def:reference ref_id="CCE-86134-4" source="CCE"/>
-            <oval-def:reference ref_id="gitops_operator_exists" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/kubeletconfig/role' at path '.evictionHard['imagefs.available']' all: </oval-def:description>
+            <oval-def:reference ref_id="kubelet_eviction_thresholds_set_hard_imagefs_available_worker" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/apis/pipelines.openshift.io/v1alpha1/gitopsservices?limit=5' at path '.items[:].metadata.name' at least one" test_ref="oval:ssg-test_gitops_operator_exists:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/apis/pipelines.openshift.io/v1alpha1/gitopsservices?limit=5' exists." test_ref="oval:ssg-test_file_for_gitops_operator_exists:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/kubeletconfig/role' at path '.evictionHard['imagefs.available']' all" test_ref="oval:ssg-test_kubelet_eviction_thresholds_set_hard_imagefs_available_worker:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/kubeletconfig/role' exists." test_ref="oval:ssg-test_file_for_kubelet_eviction_thresholds_set_hard_imagefs_available_worker:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-idp_is_configured:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_eviction_thresholds_set_hard_imagefs_inodesfree:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Configure An Identity Provider</oval-def:title>
+            <oval-def:title>Ensure Eviction threshold Settings Are Set - evictionHard: imagefs.inodesFree</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/apis/config.openshift.io/v1/oauths/cluster' at path '.spec.identityProviders[:].type' at least one: value equals '.*'</oval-def:description>
-            <oval-def:reference ref_id="CCE-84088-4" source="CCE"/>
-            <oval-def:reference ref_id="idp_is_configured" source="ssg"/>
+            <oval-def:description>The combined kubeletconfig check</oval-def:description>
+            <oval-def:reference ref_id="CCE-84147-8" source="CCE"/>
+            <oval-def:reference ref_id="kubelet_eviction_thresholds_set_hard_imagefs_inodesfree" source="ssg"/>
           </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/apis/config.openshift.io/v1/oauths/cluster' at path '.spec.identityProviders[:].type' at least one" test_ref="oval:ssg-test_idp_is_configured:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/apis/config.openshift.io/v1/oauths/cluster' exists." test_ref="oval:ssg-test_file_for_idp_is_configured:tst:1"/>
+          <oval-def:criteria operator="AND">
+            <oval-def:extend_definition comment="check kubeletconfig worker" definition_ref="oval:ssg-kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_worker:def:1"/>
+            <oval-def:extend_definition comment="check kubeletconfig master" definition_ref="oval:ssg-kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_master:def:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-ingress_controller_certificate:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_deprecated:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Ensure that the default Ingress certificate has been replaced</oval-def:title>
+            <oval-def:title>Ensure Eviction threshold Settings Are Set - evictionHard: imagefs.inodesFree</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/apis/operator.openshift.io/v1/namespaces/openshift-ingress-operator/ingresscontrollers/default' at path '.spec.defaultCertificate.name' all: value equals '.+'</oval-def:description>
-            <oval-def:reference ref_id="ingress_controller_certificate" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.evictionHard['imagefs.inodesFree']' all: value equals '.*'</oval-def:description>
+            <oval-def:reference ref_id="kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_deprecated" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/apis/operator.openshift.io/v1/namespaces/openshift-ingress-operator/ingresscontrollers/default' at path '.spec.defaultCertificate.name' all" test_ref="oval:ssg-test_ingress_controller_certificate:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/apis/operator.openshift.io/v1/namespaces/openshift-ingress-operator/ingresscontrollers/default' exists." test_ref="oval:ssg-test_file_for_ingress_controller_certificate:tst:1"/>
-            <oval-def:criterion comment="Make sure that all target elements exists for elements at path '.metadata.name'" test_ref="oval:ssg-test_elements_count_for_ingress_controller_certificate:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.evictionHard['imagefs.inodesFree']' all" test_ref="oval:ssg-test_kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_deprecated:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kubeadmin_removed:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_master:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Ensure that the kubeadmin secret has been removed</oval-def:title>
+            <oval-def:title>Ensure Eviction threshold Settings Are Set - evictionHard: imagefs.inodesFree</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the Compliance Operator-generated file '/api/v1/namespaces/kube-system/secrets/kubeadmin' the `not found` annotation should be set</oval-def:description>
-            <oval-def:reference ref_id="CCE-90387-2" source="CCE"/>
-            <oval-def:reference ref_id="kubeadmin_removed" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/kubeletconfig/role' at path '.evictionHard['imagefs.inodesFree']' all: </oval-def:description>
+            <oval-def:reference ref_id="kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_master" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the Compliance Operator-generated file '/api/v1/namespaces/kube-system/secrets/kubeadmin' the `not found` annotation should be set" test_ref="oval:ssg-test_kubeadmin_removed:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/kube-system/secrets/kubeadmin' exists." test_ref="oval:ssg-test_file_for_kubeadmin_removed:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/kubeletconfig/role' at path '.evictionHard['imagefs.inodesFree']' all" test_ref="oval:ssg-test_kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_master:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/kubeletconfig/role' exists." test_ref="oval:ssg-test_file_for_kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_master:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kubelet_anonymous_auth_worker:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_worker:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Disable Anonymous Authentication to the Kubelet</oval-def:title>
+            <oval-def:title>Ensure Eviction threshold Settings Are Set - evictionHard: imagefs.inodesFree</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.authentication.anonymous.enabled' all: value equals 'false'</oval-def:description>
-            <oval-def:reference ref_id="CCE-83815-1" source="CCE"/>
-            <oval-def:reference ref_id="kubelet_anonymous_auth_worker" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/kubeletconfig/role' at path '.evictionHard['imagefs.inodesFree']' all: </oval-def:description>
+            <oval-def:reference ref_id="kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_worker" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.authentication.anonymous.enabled' all" test_ref="oval:ssg-test_kubelet_anonymous_auth_worker:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/kubeletconfig/role' at path '.evictionHard['imagefs.inodesFree']' all" test_ref="oval:ssg-test_kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_worker:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/kubeletconfig/role' exists." test_ref="oval:ssg-test_file_for_kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_worker:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kubelet_authorization_mode_worker:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_eviction_thresholds_set_hard_memory_available:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Ensure authorization is set to Webhook</oval-def:title>
+            <oval-def:title>Ensure Eviction threshold Settings Are Set - evictionHard: memory.available</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.authorization.mode' all: value equals 'AlwaysAllow'</oval-def:description>
-            <oval-def:reference ref_id="CCE-83593-4" source="CCE"/>
-            <oval-def:reference ref_id="kubelet_authorization_mode_worker" source="ssg"/>
+            <oval-def:description>The combined kubeletconfig check</oval-def:description>
+            <oval-def:reference ref_id="CCE-84135-3" source="CCE"/>
+            <oval-def:reference ref_id="kubelet_eviction_thresholds_set_hard_memory_available" source="ssg"/>
           </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.authorization.mode' all" test_ref="oval:ssg-test_kubelet_authorization_mode_worker:tst:1"/>
+          <oval-def:criteria operator="AND">
+            <oval-def:extend_definition comment="check kubeletconfig worker" definition_ref="oval:ssg-kubelet_eviction_thresholds_set_hard_memory_available_worker:def:1"/>
+            <oval-def:extend_definition comment="check kubeletconfig master" definition_ref="oval:ssg-kubelet_eviction_thresholds_set_hard_memory_available_master:def:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kubelet_configure_client_ca_worker:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_eviction_thresholds_set_hard_memory_available_deprecated:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>kubelet - Configure the Client CA Certificate</oval-def:title>
+            <oval-def:title>Ensure Eviction threshold Settings Are Set - evictionHard: memory.available</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.authentication.x509.clientCAFile' all: value equals '/etc/kubernetes/kubelet-ca.crt'</oval-def:description>
-            <oval-def:reference ref_id="CCE-83724-5" source="CCE"/>
-            <oval-def:reference ref_id="kubelet_configure_client_ca_worker" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.evictionHard['memory.available']' all: value equals '.*'</oval-def:description>
+            <oval-def:reference ref_id="kubelet_eviction_thresholds_set_hard_memory_available_deprecated" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.authentication.x509.clientCAFile' all" test_ref="oval:ssg-test_kubelet_configure_client_ca_worker:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.evictionHard['memory.available']' all" test_ref="oval:ssg-test_kubelet_eviction_thresholds_set_hard_memory_available_deprecated:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kubelet_configure_event_creation_worker:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_eviction_thresholds_set_hard_memory_available_master:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Kubelet - Ensure Event Creation Is Configured</oval-def:title>
+            <oval-def:title>Ensure Eviction threshold Settings Are Set - evictionHard: imagefs.inodesFree</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.eventRecordQPS' all: value equals '0'</oval-def:description>
-            <oval-def:reference ref_id="CCE-83576-9" source="CCE"/>
-            <oval-def:reference ref_id="kubelet_configure_event_creation_worker" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/kubeletconfig/role' at path '.evictionHard['memory.available']' all: </oval-def:description>
+            <oval-def:reference ref_id="kubelet_eviction_thresholds_set_hard_memory_available_master" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.eventRecordQPS' all" test_ref="oval:ssg-test_kubelet_configure_event_creation_worker:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/kubeletconfig/role' at path '.evictionHard['memory.available']' all" test_ref="oval:ssg-test_kubelet_eviction_thresholds_set_hard_memory_available_master:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/kubeletconfig/role' exists." test_ref="oval:ssg-test_file_for_kubelet_eviction_thresholds_set_hard_memory_available_master:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kubelet_configure_tls_cert:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_eviction_thresholds_set_hard_memory_available_worker:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Ensure That The kubelet Client Certificate Is Correctly Set</oval-def:title>
+            <oval-def:title>Ensure Eviction threshold Settings Are Set - evictionHard: memory.available</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments["kubelet-client-certificate"][:]' all: value equals '(.+)'</oval-def:description>
-            <oval-def:reference ref_id="CCE-83396-2" source="CCE"/>
-            <oval-def:reference ref_id="kubelet_configure_tls_cert" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/kubeletconfig/role' at path '.evictionHard['memory.available']' all: </oval-def:description>
+            <oval-def:reference ref_id="kubelet_eviction_thresholds_set_hard_memory_available_worker" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments[&quot;kubelet-client-certificate&quot;][:]' all" test_ref="oval:ssg-test_kubelet_configure_tls_cert:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' exists." test_ref="oval:ssg-test_file_for_kubelet_configure_tls_cert:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/kubeletconfig/role' at path '.evictionHard['memory.available']' all" test_ref="oval:ssg-test_kubelet_eviction_thresholds_set_hard_memory_available_worker:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/kubeletconfig/role' exists." test_ref="oval:ssg-test_file_for_kubelet_eviction_thresholds_set_hard_memory_available_worker:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kubelet_configure_tls_cert_pre_4_9:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_eviction_thresholds_set_hard_nodefs_available:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Ensure That The kubelet Client Certificate Is Correctly Set</oval-def:title>
+            <oval-def:title>Ensure Eviction threshold Settings Are Set - evictionHard: nodefs.available</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' at path '.data['config.yaml']' all: value equals '"kubelet-client-certificate":\["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt"\]'</oval-def:description>
-            <oval-def:reference ref_id="CCE-90615-6" source="CCE"/>
-            <oval-def:reference ref_id="kubelet_configure_tls_cert_pre_4_9" source="ssg"/>
+            <oval-def:description>The combined kubeletconfig check</oval-def:description>
+            <oval-def:reference ref_id="CCE-84138-7" source="CCE"/>
+            <oval-def:reference ref_id="kubelet_eviction_thresholds_set_hard_nodefs_available" source="ssg"/>
           </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' at path '.data['config.yaml']' all" test_ref="oval:ssg-test_kubelet_configure_tls_cert_pre_4_9:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' exists." test_ref="oval:ssg-test_file_for_kubelet_configure_tls_cert_pre_4_9:tst:1"/>
+          <oval-def:criteria operator="AND">
+            <oval-def:extend_definition comment="check kubeletconfig worker" definition_ref="oval:ssg-kubelet_eviction_thresholds_set_hard_nodefs_available_worker:def:1"/>
+            <oval-def:extend_definition comment="check kubeletconfig master" definition_ref="oval:ssg-kubelet_eviction_thresholds_set_hard_nodefs_available_master:def:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kubelet_configure_tls_cipher_suites_ingresscontroller:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_eviction_thresholds_set_hard_nodefs_available_deprecated:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Ensure that the Ingress Controller only makes use of Strong Cryptographic Ciphers</oval-def:title>
+            <oval-def:title>Ensure Eviction threshold Settings Are Set - evictionHard: nodefs.available</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/apis/operator.openshift.io/v1/namespaces/openshift-ingress-operator/ingresscontrollers/default' at path '.status.tlsProfile.ciphers[:]' all: value equals '^(ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-RSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-RSA-AES256-GCM-SHA384|ECDHE-RSA-CHACHA20-POLY1305|ECDHE-ECDSA-AES256-GCM-SHA384|AES256-GCM-SHA384|AES128-GCM-SHA256)$'</oval-def:description>
-            <oval-def:reference ref_id="kubelet_configure_tls_cipher_suites_ingresscontroller" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.evictionHard['nodefs.available']' all: value equals '.*'</oval-def:description>
+            <oval-def:reference ref_id="kubelet_eviction_thresholds_set_hard_nodefs_available_deprecated" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/apis/operator.openshift.io/v1/namespaces/openshift-ingress-operator/ingresscontrollers/default' at path '.status.tlsProfile.ciphers[:]' all" test_ref="oval:ssg-test_kubelet_configure_tls_cipher_suites_ingresscontroller:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/apis/operator.openshift.io/v1/namespaces/openshift-ingress-operator/ingresscontrollers/default' exists." test_ref="oval:ssg-test_file_for_kubelet_configure_tls_cipher_suites_ingresscontroller:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.evictionHard['nodefs.available']' all" test_ref="oval:ssg-test_kubelet_eviction_thresholds_set_hard_nodefs_available_deprecated:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kubelet_configure_tls_cipher_suites_kubeapiserver_operator:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_eviction_thresholds_set_hard_nodefs_available_master:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Ensure that the Kubernetes API Server Operator only makes use of Strong Cryptographic Ciphers</oval-def:title>
+            <oval-def:title>Ensure Eviction threshold Settings Are Set - evictionHard: nodefs.available</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/apis/operator.openshift.io/v1/kubeapiservers/cluster' at path '.spec.unsupportedConfigOverrides.servingInfo.cipherSuites[:]' all: value equals '^(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|TLS_RSA_WITH_AES_256_GCM_SHA384|TLS_RSA_WITH_AES_128_GCM_SHA256)$'</oval-def:description>
-            <oval-def:reference ref_id="kubelet_configure_tls_cipher_suites_kubeapiserver_operator" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/kubeletconfig/role' at path '.evictionHard['nodefs.available']' all: </oval-def:description>
+            <oval-def:reference ref_id="kubelet_eviction_thresholds_set_hard_nodefs_available_master" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/apis/operator.openshift.io/v1/kubeapiservers/cluster' at path '.spec.unsupportedConfigOverrides.servingInfo.cipherSuites[:]' all" test_ref="oval:ssg-test_kubelet_configure_tls_cipher_suites_kubeapiserver_operator:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/apis/operator.openshift.io/v1/kubeapiservers/cluster' exists." test_ref="oval:ssg-test_file_for_kubelet_configure_tls_cipher_suites_kubeapiserver_operator:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/kubeletconfig/role' at path '.evictionHard['nodefs.available']' all" test_ref="oval:ssg-test_kubelet_eviction_thresholds_set_hard_nodefs_available_master:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/kubeletconfig/role' exists." test_ref="oval:ssg-test_file_for_kubelet_eviction_thresholds_set_hard_nodefs_available_master:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kubelet_configure_tls_cipher_suites_openshiftapiserver_operator:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_eviction_thresholds_set_hard_nodefs_available_worker:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Ensure that the OpenShift API Server Operator only makes use of Strong Cryptographic Ciphers</oval-def:title>
+            <oval-def:title>Ensure Eviction threshold Settings Are Set - evictionHard: nodefs.available</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/apis/operator.openshift.io/v1/openshiftapiservers/cluster' at path '.spec.unsupportedConfigOverrides.servingInfo.cipherSuites[:]' all: value equals '^(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|TLS_RSA_WITH_AES_256_GCM_SHA384|TLS_RSA_WITH_AES_128_GCM_SHA256)$'</oval-def:description>
-            <oval-def:reference ref_id="kubelet_configure_tls_cipher_suites_openshiftapiserver_operator" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/kubeletconfig/role' at path '.evictionHard['nodefs.available']' all: </oval-def:description>
+            <oval-def:reference ref_id="kubelet_eviction_thresholds_set_hard_nodefs_available_worker" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/apis/operator.openshift.io/v1/openshiftapiservers/cluster' at path '.spec.unsupportedConfigOverrides.servingInfo.cipherSuites[:]' all" test_ref="oval:ssg-test_kubelet_configure_tls_cipher_suites_openshiftapiserver_operator:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/apis/operator.openshift.io/v1/openshiftapiservers/cluster' exists." test_ref="oval:ssg-test_file_for_kubelet_configure_tls_cipher_suites_openshiftapiserver_operator:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/kubeletconfig/role' at path '.evictionHard['nodefs.available']' all" test_ref="oval:ssg-test_kubelet_eviction_thresholds_set_hard_nodefs_available_worker:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/kubeletconfig/role' exists." test_ref="oval:ssg-test_file_for_kubelet_eviction_thresholds_set_hard_nodefs_available_worker:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kubelet_configure_tls_cipher_suites_worker:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_eviction_thresholds_set_hard_nodefs_inodesfree:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers</oval-def:title>
+            <oval-def:title>Ensure Eviction threshold Settings Are Set - evictionHard: nodefs.inodesFree</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.tlsCipherSuites[:]' all: </oval-def:description>
-            <oval-def:reference ref_id="kubelet_configure_tls_cipher_suites_worker" source="ssg"/>
+            <oval-def:description>The combined kubeletconfig check</oval-def:description>
+            <oval-def:reference ref_id="CCE-84141-1" source="CCE"/>
+            <oval-def:reference ref_id="kubelet_eviction_thresholds_set_hard_nodefs_inodesfree" source="ssg"/>
           </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.tlsCipherSuites[:]' all" test_ref="oval:ssg-test_kubelet_configure_tls_cipher_suites_worker:tst:1"/>
+          <oval-def:criteria operator="AND">
+            <oval-def:extend_definition comment="check kubeletconfig worker" definition_ref="oval:ssg-kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_worker:def:1"/>
+            <oval-def:extend_definition comment="check kubeletconfig master" definition_ref="oval:ssg-kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_master:def:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kubelet_configure_tls_key:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_deprecated:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Ensure That The kubelet Server Key Is Correctly Set</oval-def:title>
+            <oval-def:title>Ensure Eviction threshold Settings Are Set - evictionHard: nodefs.inodesFree</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments["kubelet-client-key"][:]' all: value equals '(.+)'</oval-def:description>
-            <oval-def:reference ref_id="CCE-90614-9" source="CCE"/>
-            <oval-def:reference ref_id="kubelet_configure_tls_key" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.evictionHard['nodefs.inodesFree']' all: value equals '.*'</oval-def:description>
+            <oval-def:reference ref_id="kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_deprecated" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments[&quot;kubelet-client-key&quot;][:]' all" test_ref="oval:ssg-test_kubelet_configure_tls_key:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' exists." test_ref="oval:ssg-test_file_for_kubelet_configure_tls_key:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.evictionHard['nodefs.inodesFree']' all" test_ref="oval:ssg-test_kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_deprecated:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kubelet_configure_tls_key_pre_4_9:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_master:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Ensure That The kubelet Server Key Is Correctly Set</oval-def:title>
+            <oval-def:title>Ensure Eviction threshold Settings Are Set - evictionHard: nodefs.inodesFree</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' at path '.data['config.yaml']' all: value equals '"kubelet-client-key":\["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.key"\]'</oval-def:description>
-            <oval-def:reference ref_id="CCE-90542-2" source="CCE"/>
-            <oval-def:reference ref_id="kubelet_configure_tls_key_pre_4_9" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/kubeletconfig/role' at path '.evictionHard['nodefs.inodesFree']' all: </oval-def:description>
+            <oval-def:reference ref_id="kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_master" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' at path '.data['config.yaml']' all" test_ref="oval:ssg-test_kubelet_configure_tls_key_pre_4_9:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config' exists." test_ref="oval:ssg-test_file_for_kubelet_configure_tls_key_pre_4_9:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/kubeletconfig/role' at path '.evictionHard['nodefs.inodesFree']' all" test_ref="oval:ssg-test_kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_master:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/kubeletconfig/role' exists." test_ref="oval:ssg-test_file_for_kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_master:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kubelet_disable_readonly_port:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_worker:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>kubelet - Disable the Read-Only Port</oval-def:title>
+            <oval-def:title>Ensure Eviction threshold Settings Are Set - evictionHard: nodefs.inodesFree</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments["kubelet-read-only-port"][:]' all: value equals '0'</oval-def:description>
-            <oval-def:reference ref_id="CCE-83427-5" source="CCE"/>
-            <oval-def:reference ref_id="kubelet_disable_readonly_port" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/kubeletconfig/role' at path '.evictionHard['nodefs.inodesFree']' all: </oval-def:description>
+            <oval-def:reference ref_id="kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_worker" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' at path '.apiServerArguments[&quot;kubelet-read-only-port&quot;][:]' all" test_ref="oval:ssg-test_kubelet_disable_readonly_port:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' exists." test_ref="oval:ssg-test_file_for_kubelet_disable_readonly_port:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/kubeletconfig/role' at path '.evictionHard['nodefs.inodesFree']' all" test_ref="oval:ssg-test_kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_worker:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/kubeletconfig/role' exists." test_ref="oval:ssg-test_file_for_kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_worker:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kubelet_enable_cert_rotation_worker:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_eviction_thresholds_set_soft_imagefs_available:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>kubelet - Enable Certificate Rotation</oval-def:title>
+            <oval-def:title>Ensure Eviction threshold Settings Are Set - evictionSoft: imagefs.available</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.rotateCertificates' all: value equals 'true'</oval-def:description>
-            <oval-def:reference ref_id="CCE-83838-3" source="CCE"/>
-            <oval-def:reference ref_id="kubelet_enable_cert_rotation_worker" source="ssg"/>
+            <oval-def:description>The combined kubeletconfig check</oval-def:description>
+            <oval-def:reference ref_id="CCE-84127-0" source="CCE"/>
+            <oval-def:reference ref_id="kubelet_eviction_thresholds_set_soft_imagefs_available" source="ssg"/>
           </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.rotateCertificates' all" test_ref="oval:ssg-test_kubelet_enable_cert_rotation_worker:tst:1"/>
+          <oval-def:criteria operator="AND">
+            <oval-def:extend_definition comment="check kubeletconfig worker" definition_ref="oval:ssg-kubelet_eviction_thresholds_set_soft_imagefs_available_worker:def:1"/>
+            <oval-def:extend_definition comment="check kubeletconfig master" definition_ref="oval:ssg-kubelet_eviction_thresholds_set_soft_imagefs_available_master:def:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kubelet_enable_client_cert_rotation:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_eviction_thresholds_set_soft_imagefs_available_deprecated:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>kubelet - Enable Client Certificate Rotation</oval-def:title>
+            <oval-def:title>Ensure Eviction threshold Settings Are Set - evictionSoft: imagefs.available</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.featureGates.RotateKubeletClientCertificate' all: value equals 'false'</oval-def:description>
-            <oval-def:reference ref_id="CCE-83352-5" source="CCE"/>
-            <oval-def:reference ref_id="kubelet_enable_client_cert_rotation" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.evictionSoft['imagefs.available']' all: value equals '.*'</oval-def:description>
+            <oval-def:reference ref_id="kubelet_eviction_thresholds_set_soft_imagefs_available_deprecated" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.featureGates.RotateKubeletClientCertificate' all" test_ref="oval:ssg-test_kubelet_enable_client_cert_rotation:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.evictionSoft['imagefs.available']' all" test_ref="oval:ssg-test_kubelet_eviction_thresholds_set_soft_imagefs_available_deprecated:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kubelet_enable_iptables_util_chains:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_eviction_thresholds_set_soft_imagefs_available_master:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>kubelet - Allow Automatic Firewall Configuration</oval-def:title>
+            <oval-def:title>Ensure Eviction threshold Settings Are Set - evictionSoft: imagefs.available</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.makeIPTablesUtilChains' all: value equals 'true'</oval-def:description>
-            <oval-def:reference ref_id="CCE-83775-7" source="CCE"/>
-            <oval-def:reference ref_id="kubelet_enable_iptables_util_chains" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/kubeletconfig/role' at path '.evictionSoft['imagefs.available']' all: </oval-def:description>
+            <oval-def:reference ref_id="kubelet_eviction_thresholds_set_soft_imagefs_available_master" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.makeIPTablesUtilChains' all" test_ref="oval:ssg-test_kubelet_enable_iptables_util_chains:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/kubeletconfig/role' at path '.evictionSoft['imagefs.available']' all" test_ref="oval:ssg-test_kubelet_eviction_thresholds_set_soft_imagefs_available_master:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/kubeletconfig/role' exists." test_ref="oval:ssg-test_file_for_kubelet_eviction_thresholds_set_soft_imagefs_available_master:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kubelet_enable_protect_kernel_defaults:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_eviction_thresholds_set_soft_imagefs_available_worker:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>kubelet - Enable Protect Kernel Defaults</oval-def:title>
+            <oval-def:title>Ensure Eviction threshold Settings Are Set - evictionSoft: imagefs.available</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.protectKernelDefaults' all: value equals 'true'</oval-def:description>
-            <oval-def:reference ref_id="kubelet_enable_protect_kernel_defaults" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/kubeletconfig/role' at path '.evictionSoft['imagefs.available']' all: </oval-def:description>
+            <oval-def:reference ref_id="kubelet_eviction_thresholds_set_soft_imagefs_available_worker" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.protectKernelDefaults' all" test_ref="oval:ssg-test_kubelet_enable_protect_kernel_defaults:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/kubeletconfig/role' at path '.evictionSoft['imagefs.available']' all" test_ref="oval:ssg-test_kubelet_eviction_thresholds_set_soft_imagefs_available_worker:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/kubeletconfig/role' exists." test_ref="oval:ssg-test_file_for_kubelet_eviction_thresholds_set_soft_imagefs_available_worker:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kubelet_enable_protect_kernel_sysctl_file_exist:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_eviction_thresholds_set_soft_imagefs_inodesfree:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>kubelet - Set Up Sysctl to Enable Protect Kernel Defaults - Check sysctl configuration file exist</oval-def:title>
+            <oval-def:title>Ensure Eviction threshold Settings Are Set - evictionSoft: imagefs.inodesFree</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>This test makes sure that/etc/sysctl.d/90-kubelet.conf does exist.</oval-def:description>
-            <oval-def:reference ref_id="kubelet_enable_protect_kernel_sysctl_file_exist" source="ssg"/>
+            <oval-def:description>The combined kubeletconfig check</oval-def:description>
+            <oval-def:reference ref_id="CCE-84132-0" source="CCE"/>
+            <oval-def:reference ref_id="kubelet_eviction_thresholds_set_soft_imagefs_inodesfree" source="ssg"/>
           </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Ensure that /etc/sysctl.d/90-kubelet.conf does exist." test_ref="oval:ssg-test_kubelet_enable_protect_kernel_sysctl_file_exist:tst:1"/>
+          <oval-def:criteria operator="AND">
+            <oval-def:extend_definition comment="check kubeletconfig worker" definition_ref="oval:ssg-kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_worker:def:1"/>
+            <oval-def:extend_definition comment="check kubeletconfig master" definition_ref="oval:ssg-kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_master:def:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kubelet_enable_protect_kernel_sysctl_kernel_keys_root_maxbytes:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_deprecated:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>kubelet - Set Up Sysctl to Enable Protect Kernel Defaults - Check Parameter kernel.keys.root_maxbytes</oval-def:title>
+            <oval-def:title>Ensure Eviction threshold Settings Are Set - evictionSoft: imagefs.inodesFree</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>Check presence of kernel.keys.root_maxbytes=25000000 in /etc/sysctl.d/90-kubelet.conf</oval-def:description>
-            <oval-def:reference ref_id="kubelet_enable_protect_kernel_sysctl_kernel_keys_root_maxbytes" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.evictionSoft['imagefs.inodesFree']' all: value equals '.*'</oval-def:description>
+            <oval-def:reference ref_id="kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_deprecated" source="ssg"/>
           </oval-def:metadata>
-          <oval-def:criteria operator="AND" comment="Test conditions - presence of the file plus 0 extra definitions.">
-            <oval-def:criterion comment="Check that /etc/sysctl.d/90-kubelet.conf contains a line with certain text" test_ref="oval:ssg-test_kubelet_enable_protect_kernel_sysctl_kernel_keys_root_maxbytes:tst:1"/>
+          <oval-def:criteria>
+            <oval-def:criterion comment="In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.evictionSoft['imagefs.inodesFree']' all" test_ref="oval:ssg-test_kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_deprecated:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kubelet_enable_protect_kernel_sysctl_kernel_keys_root_maxkeys:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_master:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>kubelet - Set Up Sysctl to Enable Protect Kernel Defaults - Check Parameter kernel.keys.root_maxkeys</oval-def:title>
+            <oval-def:title>Ensure Eviction threshold Settings Are Set - evictionSoft: imagefs.inodesFree</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>Check presence of kernel.keys.root_maxkeys=1000000 in /etc/sysctl.d/90-kubelet.conf</oval-def:description>
-            <oval-def:reference ref_id="kubelet_enable_protect_kernel_sysctl_kernel_keys_root_maxkeys" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/kubeletconfig/role' at path '.evictionSoft['imagefs.inodesFree']' all: </oval-def:description>
+            <oval-def:reference ref_id="kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_master" source="ssg"/>
           </oval-def:metadata>
-          <oval-def:criteria operator="AND" comment="Test conditions - presence of the file plus 0 extra definitions.">
-            <oval-def:criterion comment="Check that /etc/sysctl.d/90-kubelet.conf contains a line with certain text" test_ref="oval:ssg-test_kubelet_enable_protect_kernel_sysctl_kernel_keys_root_maxkeys:tst:1"/>
+          <oval-def:criteria>
+            <oval-def:criterion comment="In the YAML/JSON file '/kubeletconfig/role' at path '.evictionSoft['imagefs.inodesFree']' all" test_ref="oval:ssg-test_kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_master:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/kubeletconfig/role' exists." test_ref="oval:ssg-test_file_for_kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_master:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kubelet_enable_protect_kernel_sysctl_kernel_panic:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_worker:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>kubelet - Set Up Sysctl to Enable Protect Kernel Defaults - Check Parameter kernel.panic</oval-def:title>
+            <oval-def:title>Ensure Eviction threshold Settings Are Set - evictionSoft: imagefs.inodesFree</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>Check presence of kernel.panic=10 in /etc/sysctl.d/90-kubelet.conf</oval-def:description>
-            <oval-def:reference ref_id="kubelet_enable_protect_kernel_sysctl_kernel_panic" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/kubeletconfig/role' at path '.evictionSoft['imagefs.inodesFree']' all: </oval-def:description>
+            <oval-def:reference ref_id="kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_worker" source="ssg"/>
           </oval-def:metadata>
-          <oval-def:criteria operator="AND" comment="Test conditions - presence of the file plus 0 extra definitions.">
-            <oval-def:criterion comment="Check that /etc/sysctl.d/90-kubelet.conf contains a line with certain text" test_ref="oval:ssg-test_kubelet_enable_protect_kernel_sysctl_kernel_panic:tst:1"/>
+          <oval-def:criteria>
+            <oval-def:criterion comment="In the YAML/JSON file '/kubeletconfig/role' at path '.evictionSoft['imagefs.inodesFree']' all" test_ref="oval:ssg-test_kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_worker:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/kubeletconfig/role' exists." test_ref="oval:ssg-test_file_for_kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_worker:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kubelet_enable_protect_kernel_sysctl_kernel_panic_on_oops:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_eviction_thresholds_set_soft_memory_available:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>kubelet - Set Up Sysctl to Enable Protect Kernel Defaults - Check Parameter kernel.panic_on_oops</oval-def:title>
+            <oval-def:title>Ensure Eviction threshold Settings Are Set - evictionSoft: memory.available</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>Check presence of kernel.panic_on_oops=1 in /etc/sysctl.d/90-kubelet.conf</oval-def:description>
-            <oval-def:reference ref_id="kubelet_enable_protect_kernel_sysctl_kernel_panic_on_oops" source="ssg"/>
+            <oval-def:description>The combined kubeletconfig check</oval-def:description>
+            <oval-def:reference ref_id="CCE-84222-9" source="CCE"/>
+            <oval-def:reference ref_id="kubelet_eviction_thresholds_set_soft_memory_available" source="ssg"/>
           </oval-def:metadata>
-          <oval-def:criteria operator="AND" comment="Test conditions - presence of the file plus 0 extra definitions.">
-            <oval-def:criterion comment="Check that /etc/sysctl.d/90-kubelet.conf contains a line with certain text" test_ref="oval:ssg-test_kubelet_enable_protect_kernel_sysctl_kernel_panic_on_oops:tst:1"/>
+          <oval-def:criteria operator="AND">
+            <oval-def:extend_definition comment="check kubeletconfig worker" definition_ref="oval:ssg-kubelet_eviction_thresholds_set_soft_memory_available_worker:def:1"/>
+            <oval-def:extend_definition comment="check kubeletconfig master" definition_ref="oval:ssg-kubelet_eviction_thresholds_set_soft_memory_available_master:def:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kubelet_enable_protect_kernel_sysctl_vm_overcommit_memory:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_eviction_thresholds_set_soft_memory_available_deprecated:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>kubelet - Set Up Sysctl to Enable Protect Kernel Defaults - Check Parameter vm.overcommit_memory</oval-def:title>
+            <oval-def:title>Ensure Eviction threshold Settings Are Set - evictionSoft: memory.available</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>Check presence of vm.overcommit_memory=1 in /etc/sysctl.d/90-kubelet.conf</oval-def:description>
-            <oval-def:reference ref_id="kubelet_enable_protect_kernel_sysctl_vm_overcommit_memory" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.evictionSoft['memory.available']' all: value equals '.*'</oval-def:description>
+            <oval-def:reference ref_id="kubelet_eviction_thresholds_set_soft_memory_available_deprecated" source="ssg"/>
           </oval-def:metadata>
-          <oval-def:criteria operator="AND" comment="Test conditions - presence of the file plus 0 extra definitions.">
-            <oval-def:criterion comment="Check that /etc/sysctl.d/90-kubelet.conf contains a line with certain text" test_ref="oval:ssg-test_kubelet_enable_protect_kernel_sysctl_vm_overcommit_memory:tst:1"/>
+          <oval-def:criteria>
+            <oval-def:criterion comment="In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.evictionSoft['memory.available']' all" test_ref="oval:ssg-test_kubelet_eviction_thresholds_set_soft_memory_available_deprecated:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kubelet_enable_protect_kernel_sysctl_vm_panic_on_oom:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_eviction_thresholds_set_soft_memory_available_master:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>kubelet - Set Up Sysctl to Enable Protect Kernel Defaults - Check Parameter vm.panic_on_oom</oval-def:title>
+            <oval-def:title>Ensure Eviction threshold Settings Are Set - evictionSoft: memory.available</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>Check presence of kernel.panic=10 in /etc/sysctl.d/90-kubelet.conf</oval-def:description>
-            <oval-def:reference ref_id="kubelet_enable_protect_kernel_sysctl_vm_panic_on_oom" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/kubeletconfig/role' at path '.evictionSoft['memory.available']' all: </oval-def:description>
+            <oval-def:reference ref_id="kubelet_eviction_thresholds_set_soft_memory_available_master" source="ssg"/>
           </oval-def:metadata>
-          <oval-def:criteria operator="AND" comment="Test conditions - presence of the file plus 0 extra definitions.">
-            <oval-def:criterion comment="Check that /etc/sysctl.d/90-kubelet.conf contains a line with certain text" test_ref="oval:ssg-test_kubelet_enable_protect_kernel_sysctl_vm_panic_on_oom:tst:1"/>
+          <oval-def:criteria>
+            <oval-def:criterion comment="In the YAML/JSON file '/kubeletconfig/role' at path '.evictionSoft['memory.available']' all" test_ref="oval:ssg-test_kubelet_eviction_thresholds_set_soft_memory_available_master:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/kubeletconfig/role' exists." test_ref="oval:ssg-test_file_for_kubelet_eviction_thresholds_set_soft_memory_available_master:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kubelet_enable_server_cert_rotation_worker:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_eviction_thresholds_set_soft_memory_available_worker:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>kubelet - Enable Server Certificate Rotation</oval-def:title>
+            <oval-def:title>Ensure Eviction threshold Settings Are Set - evictionSoft: memory.available</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.featureGates.RotateKubeletServerCertificate' all: value equals 'true'</oval-def:description>
-            <oval-def:reference ref_id="CCE-83356-6" source="CCE"/>
-            <oval-def:reference ref_id="kubelet_enable_server_cert_rotation_worker" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/kubeletconfig/role' at path '.evictionSoft['memory.available']' all: </oval-def:description>
+            <oval-def:reference ref_id="kubelet_eviction_thresholds_set_soft_memory_available_worker" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.featureGates.RotateKubeletServerCertificate' all" test_ref="oval:ssg-test_kubelet_enable_server_cert_rotation_worker:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/kubeletconfig/role' at path '.evictionSoft['memory.available']' all" test_ref="oval:ssg-test_kubelet_eviction_thresholds_set_soft_memory_available_worker:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/kubeletconfig/role' exists." test_ref="oval:ssg-test_file_for_kubelet_eviction_thresholds_set_soft_memory_available_worker:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kubelet_enable_streaming_connections_worker:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_eviction_thresholds_set_soft_nodefs_available:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>kubelet - Do Not Disable Streaming Timeouts</oval-def:title>
+            <oval-def:title>Ensure Eviction threshold Settings Are Set - evictionSoft: nodefs.available</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.streamingConnectionIdleTimeout' all: </oval-def:description>
-            <oval-def:reference ref_id="CCE-84097-5" source="CCE"/>
-            <oval-def:reference ref_id="kubelet_enable_streaming_connections_worker" source="ssg"/>
+            <oval-def:description>The combined kubeletconfig check</oval-def:description>
+            <oval-def:reference ref_id="CCE-84119-7" source="CCE"/>
+            <oval-def:reference ref_id="kubelet_eviction_thresholds_set_soft_nodefs_available" source="ssg"/>
           </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.streamingConnectionIdleTimeout' all" test_ref="oval:ssg-test_kubelet_enable_streaming_connections_worker:tst:1"/>
+          <oval-def:criteria operator="AND">
+            <oval-def:extend_definition comment="check kubeletconfig worker" definition_ref="oval:ssg-kubelet_eviction_thresholds_set_soft_nodefs_available_worker:def:1"/>
+            <oval-def:extend_definition comment="check kubeletconfig master" definition_ref="oval:ssg-kubelet_eviction_thresholds_set_soft_nodefs_available_master:def:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kubelet_eviction_thresholds_set_hard_imagefs_available_worker:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_eviction_thresholds_set_soft_nodefs_available_deprecated:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Ensure Eviction threshold Settings Are Set - evictionHard: imagefs.available</oval-def:title>
+            <oval-def:title>Ensure Eviction threshold Settings Are Set - evictionSoft: nodefs.available</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.evictionHard['imagefs.available']' all: value equals '.*'</oval-def:description>
-            <oval-def:reference ref_id="CCE-84144-5" source="CCE"/>
-            <oval-def:reference ref_id="kubelet_eviction_thresholds_set_hard_imagefs_available_worker" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.evictionSoft['nodefs.available']' all: value equals '.*'</oval-def:description>
+            <oval-def:reference ref_id="kubelet_eviction_thresholds_set_soft_nodefs_available_deprecated" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.evictionHard['imagefs.available']' all" test_ref="oval:ssg-test_kubelet_eviction_thresholds_set_hard_imagefs_available_worker:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.evictionSoft['nodefs.available']' all" test_ref="oval:ssg-test_kubelet_eviction_thresholds_set_soft_nodefs_available_deprecated:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_worker:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_eviction_thresholds_set_soft_nodefs_available_master:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Ensure Eviction threshold Settings Are Set - evictionHard: imagefs.inodesFree</oval-def:title>
+            <oval-def:title>Ensure Eviction threshold Settings Are Set - evictionSoft: nodefs.available</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.evictionHard['imagefs.inodesFree']' all: value equals '.*'</oval-def:description>
-            <oval-def:reference ref_id="CCE-84147-8" source="CCE"/>
-            <oval-def:reference ref_id="kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_worker" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/kubeletconfig/role' at path '.evictionSoft['nodefs.available']' all: </oval-def:description>
+            <oval-def:reference ref_id="kubelet_eviction_thresholds_set_soft_nodefs_available_master" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.evictionHard['imagefs.inodesFree']' all" test_ref="oval:ssg-test_kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_worker:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/kubeletconfig/role' at path '.evictionSoft['nodefs.available']' all" test_ref="oval:ssg-test_kubelet_eviction_thresholds_set_soft_nodefs_available_master:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/kubeletconfig/role' exists." test_ref="oval:ssg-test_file_for_kubelet_eviction_thresholds_set_soft_nodefs_available_master:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kubelet_eviction_thresholds_set_hard_memory_available_worker:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_eviction_thresholds_set_soft_nodefs_available_worker:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Ensure Eviction threshold Settings Are Set - evictionHard: memory.available</oval-def:title>
+            <oval-def:title>Ensure Eviction threshold Settings Are Set - evictionSoft: nodefs.available</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.evictionHard['memory.available']' all: value equals '.*'</oval-def:description>
-            <oval-def:reference ref_id="CCE-84135-3" source="CCE"/>
-            <oval-def:reference ref_id="kubelet_eviction_thresholds_set_hard_memory_available_worker" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/kubeletconfig/role' at path '.evictionSoft['nodefs.available']' all: </oval-def:description>
+            <oval-def:reference ref_id="kubelet_eviction_thresholds_set_soft_nodefs_available_worker" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.evictionHard['memory.available']' all" test_ref="oval:ssg-test_kubelet_eviction_thresholds_set_hard_memory_available_worker:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/kubeletconfig/role' at path '.evictionSoft['nodefs.available']' all" test_ref="oval:ssg-test_kubelet_eviction_thresholds_set_soft_nodefs_available_worker:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/kubeletconfig/role' exists." test_ref="oval:ssg-test_file_for_kubelet_eviction_thresholds_set_soft_nodefs_available_worker:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kubelet_eviction_thresholds_set_hard_nodefs_available_worker:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_eviction_thresholds_set_soft_nodefs_inodesfree:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Ensure Eviction threshold Settings Are Set - evictionHard: nodefs.available</oval-def:title>
+            <oval-def:title>Ensure Eviction threshold Settings Are Set - evictionSoft: nodefs.inodesFree</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.evictionHard['nodefs.available']' all: value equals '.*'</oval-def:description>
-            <oval-def:reference ref_id="CCE-84138-7" source="CCE"/>
-            <oval-def:reference ref_id="kubelet_eviction_thresholds_set_hard_nodefs_available_worker" source="ssg"/>
+            <oval-def:description>The combined kubeletconfig check</oval-def:description>
+            <oval-def:reference ref_id="CCE-84123-9" source="CCE"/>
+            <oval-def:reference ref_id="kubelet_eviction_thresholds_set_soft_nodefs_inodesfree" source="ssg"/>
           </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.evictionHard['nodefs.available']' all" test_ref="oval:ssg-test_kubelet_eviction_thresholds_set_hard_nodefs_available_worker:tst:1"/>
+          <oval-def:criteria operator="AND">
+            <oval-def:extend_definition comment="check kubeletconfig worker" definition_ref="oval:ssg-kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_worker:def:1"/>
+            <oval-def:extend_definition comment="check kubeletconfig master" definition_ref="oval:ssg-kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_master:def:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_worker:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_deprecated:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Ensure Eviction threshold Settings Are Set - evictionHard: nodefs.inodesFree</oval-def:title>
+            <oval-def:title>Ensure Eviction threshold Settings Are Set - evictionSoft: nodefs.inodesFree</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.evictionHard['nodefs.inodesFree']' all: value equals '.*'</oval-def:description>
-            <oval-def:reference ref_id="CCE-84141-1" source="CCE"/>
-            <oval-def:reference ref_id="kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_worker" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.evictionSoft['nodefs.inodesFree']' all: value equals '.*'</oval-def:description>
+            <oval-def:reference ref_id="kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_deprecated" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.evictionHard['nodefs.inodesFree']' all" test_ref="oval:ssg-test_kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_worker:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.evictionSoft['nodefs.inodesFree']' all" test_ref="oval:ssg-test_kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_deprecated:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kubelet_eviction_thresholds_set_soft_imagefs_available_worker:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_master:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Ensure Eviction threshold Settings Are Set - evictionSoft: imagefs.available</oval-def:title>
+            <oval-def:title>Ensure Eviction threshold Settings Are Set - evictionSoft: nodefs.inodesFree</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.evictionSoft['imagefs.available']' all: value equals '.*'</oval-def:description>
-            <oval-def:reference ref_id="CCE-84127-0" source="CCE"/>
-            <oval-def:reference ref_id="kubelet_eviction_thresholds_set_soft_imagefs_available_worker" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/kubeletconfig/role' at path '.evictionSoft['nodefs.inodesFree']' all: </oval-def:description>
+            <oval-def:reference ref_id="kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_master" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.evictionSoft['imagefs.available']' all" test_ref="oval:ssg-test_kubelet_eviction_thresholds_set_soft_imagefs_available_worker:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/kubeletconfig/role' at path '.evictionSoft['nodefs.inodesFree']' all" test_ref="oval:ssg-test_kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_master:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/kubeletconfig/role' exists." test_ref="oval:ssg-test_file_for_kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_master:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_worker:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_worker:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Ensure Eviction threshold Settings Are Set - evictionSoft: imagefs.inodesFree</oval-def:title>
+            <oval-def:title>Ensure Eviction threshold Settings Are Set - evictionSoft: nodefs.inodesFree</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.evictionSoft['imagefs.inodesFree']' all: value equals '.*'</oval-def:description>
-            <oval-def:reference ref_id="CCE-84132-0" source="CCE"/>
-            <oval-def:reference ref_id="kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_worker" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/kubeletconfig/role' at path '.evictionSoft['nodefs.inodesFree']' all: </oval-def:description>
+            <oval-def:reference ref_id="kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_worker" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.evictionSoft['imagefs.inodesFree']' all" test_ref="oval:ssg-test_kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_worker:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/kubeletconfig/role' at path '.evictionSoft['nodefs.inodesFree']' all" test_ref="oval:ssg-test_kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_worker:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/kubeletconfig/role' exists." test_ref="oval:ssg-test_file_for_kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_worker:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kubelet_eviction_thresholds_set_soft_memory_available_worker:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_read_only_port_secured:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Ensure Eviction threshold Settings Are Set - evictionSoft: memory.available</oval-def:title>
+            <oval-def:title>kubelet - Ensure that the --read-only-port is secured</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.evictionSoft['memory.available']' all: value equals '.*'</oval-def:description>
-            <oval-def:reference ref_id="CCE-84222-9" source="CCE"/>
-            <oval-def:reference ref_id="kubelet_eviction_thresholds_set_soft_memory_available_worker" source="ssg"/>
+            <oval-def:description>The combined kubeletconfig check</oval-def:description>
+            <oval-def:reference ref_id="kubelet_read_only_port_secured" source="ssg"/>
           </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.evictionSoft['memory.available']' all" test_ref="oval:ssg-test_kubelet_eviction_thresholds_set_soft_memory_available_worker:tst:1"/>
+          <oval-def:criteria operator="AND">
+            <oval-def:extend_definition comment="check kubeletconfig worker" definition_ref="oval:ssg-kubelet_read_only_port_secured_worker:def:1"/>
+            <oval-def:extend_definition comment="check kubeletconfig master" definition_ref="oval:ssg-kubelet_read_only_port_secured_master:def:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kubelet_eviction_thresholds_set_soft_nodefs_available_worker:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_read_only_port_secured_deprecated:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Ensure Eviction threshold Settings Are Set - evictionSoft: nodefs.available</oval-def:title>
+            <oval-def:title>kubelet - Ensure that the --read-only-port is secured</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.evictionSoft['nodefs.available']' all: value equals '.*'</oval-def:description>
-            <oval-def:reference ref_id="CCE-84119-7" source="CCE"/>
-            <oval-def:reference ref_id="kubelet_eviction_thresholds_set_soft_nodefs_available_worker" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.readOnlyPort' all: value equals '0'</oval-def:description>
+            <oval-def:reference ref_id="kubelet_read_only_port_secured_deprecated" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.evictionSoft['nodefs.available']' all" test_ref="oval:ssg-test_kubelet_eviction_thresholds_set_soft_nodefs_available_worker:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.readOnlyPort' all" test_ref="oval:ssg-test_kubelet_read_only_port_secured_deprecated:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_worker:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_read_only_port_secured_master:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>Ensure Eviction threshold Settings Are Set - evictionSoft: nodefs.inodesFree</oval-def:title>
+            <oval-def:title>kubelet - Ensure that the --read-only-port is secured</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.evictionSoft['nodefs.inodesFree']' all: value equals '.*'</oval-def:description>
-            <oval-def:reference ref_id="CCE-84123-9" source="CCE"/>
-            <oval-def:reference ref_id="kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_worker" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/kubeletconfig/role' at path '.readOnlyPort' all: value equals '0'</oval-def:description>
+            <oval-def:reference ref_id="kubelet_read_only_port_secured_master" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.evictionSoft['nodefs.inodesFree']' all" test_ref="oval:ssg-test_kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_worker:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/kubeletconfig/role' at path '.readOnlyPort' all" test_ref="oval:ssg-test_kubelet_read_only_port_secured_master:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/kubeletconfig/role' exists." test_ref="oval:ssg-test_file_for_kubelet_read_only_port_secured_master:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
         <oval-def:definition class="compliance" id="oval:ssg-kubelet_read_only_port_secured_worker:def:1" version="1">
@@ -18565,39 +22723,54 @@ critical for OpenShift security.</xccdf-1.2:rationale>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.readOnlyPort' all: value equals '0'</oval-def:description>
+            <oval-def:description>In the YAML/JSON file '/kubeletconfig/role' at path '.readOnlyPort' all: value equals '0'</oval-def:description>
             <oval-def:reference ref_id="kubelet_read_only_port_secured_worker" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/etc/kubernetes/kubelet.conf' at path '.readOnlyPort' all" test_ref="oval:ssg-test_kubelet_read_only_port_secured_worker:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/kubeletconfig/role' at path '.readOnlyPort' all" test_ref="oval:ssg-test_kubelet_read_only_port_secured_worker:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/kubeletconfig/role' exists." test_ref="oval:ssg-test_file_for_kubelet_read_only_port_secured_worker:tst:1"/>
+          </oval-def:criteria>
+        </oval-def:definition>
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_test_cipher:def:1" version="1">
+          <oval-def:metadata>
+            <oval-def:title>Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers</oval-def:title>
+            <oval-def:affected family="unix">
+              <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
+            </oval-def:affected>
+            <oval-def:description>The combined kubeletconfig check</oval-def:description>
+            <oval-def:reference ref_id="kubelet_test_cipher" source="ssg"/>
+          </oval-def:metadata>
+          <oval-def:criteria operator="AND">
+            <oval-def:extend_definition comment="check kubeletconfig worker" definition_ref="oval:ssg-kubelet_test_cipher_worker:def:1"/>
+            <oval-def:extend_definition comment="check kubeletconfig master" definition_ref="oval:ssg-kubelet_test_cipher_master:def:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kubelet_test:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_test_cipher_master:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>KubeletTest</oval-def:title>
+            <oval-def:title>Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/kubeletconfig/role' at path '.enableServer' all: value equals 'true'</oval-def:description>
-            <oval-def:reference ref_id="kubelet_test" source="ssg"/>
+            <oval-def:description>In the YAML/JSON file '/kubeletconfig/role' at path '.tlsCipherSuites[:]' all: </oval-def:description>
+            <oval-def:reference ref_id="kubelet_test_cipher_master" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/kubeletconfig/role' at path '.enableServer' all" test_ref="oval:ssg-test_kubelet_test:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/kubeletconfig/role' exists." test_ref="oval:ssg-test_file_for_kubelet_test:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/kubeletconfig/role' at path '.tlsCipherSuites[:]' all" test_ref="oval:ssg-test_kubelet_test_cipher_master:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/kubeletconfig/role' exists." test_ref="oval:ssg-test_file_for_kubelet_test_cipher_master:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kubelet_test_cipher:def:1" version="1">
+        <oval-def:definition class="compliance" id="oval:ssg-kubelet_test_cipher_worker:def:1" version="1">
           <oval-def:metadata>
-            <oval-def:title>KubeletTest</oval-def:title>
+            <oval-def:title>Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers</oval-def:title>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
             <oval-def:description>In the YAML/JSON file '/kubeletconfig/role' at path '.tlsCipherSuites[:]' all: </oval-def:description>
-            <oval-def:reference ref_id="kubelet_test_cipher" source="ssg"/>
+            <oval-def:reference ref_id="kubelet_test_cipher_worker" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/kubeletconfig/role' at path '.tlsCipherSuites[:]' all" test_ref="oval:ssg-test_kubelet_test_cipher:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/kubeletconfig/role' exists." test_ref="oval:ssg-test_file_for_kubelet_test_cipher:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/kubeletconfig/role' at path '.tlsCipherSuites[:]' all" test_ref="oval:ssg-test_kubelet_test_cipher_worker:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/kubeletconfig/role' exists." test_ref="oval:ssg-test_file_for_kubelet_test_cipher_worker:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
         <oval-def:definition class="compliance" id="oval:ssg-luks_enabled_on_all_nodes:def:1" version="1">
@@ -18606,13 +22779,13 @@ critical for OpenShift security.</xccdf-1.2:rationale>
             <oval-def:affected family="unix">
               <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
             </oval-def:affected>
-            <oval-def:description>In the YAML/JSON file '/apis/machineconfiguration.openshift.io/v1/machineconfigs#136fe907b51dc9ea5011707799731b533561dab4b043f086f36c0b5c9c288414' at path '[:]' all: value equals 'true'</oval-def:description>
+            <oval-def:description>In the YAML/JSON file '/apis/machineconfiguration.openshift.io/v1/machineconfigs#9fab597988075d76a1c081cdc533f05623251a854b9936a08ae52cca5fc5a311' at path '[:]' all: value equals 'true'</oval-def:description>
             <oval-def:reference ref_id="CCE-85862-1" source="CCE"/>
             <oval-def:reference ref_id="luks_enabled_on_all_nodes" source="ssg"/>
           </oval-def:metadata>
           <oval-def:criteria>
-            <oval-def:criterion comment="In the YAML/JSON file '/apis/machineconfiguration.openshift.io/v1/machineconfigs#136fe907b51dc9ea5011707799731b533561dab4b043f086f36c0b5c9c288414' at path '[:]' all" test_ref="oval:ssg-test_luks_enabled_on_all_nodes:tst:1"/>
-            <oval-def:criterion comment="Make sure that the file '/apis/machineconfiguration.openshift.io/v1/machineconfigs#136fe907b51dc9ea5011707799731b533561dab4b043f086f36c0b5c9c288414' exists." test_ref="oval:ssg-test_file_for_luks_enabled_on_all_nodes:tst:1"/>
+            <oval-def:criterion comment="In the YAML/JSON file '/apis/machineconfiguration.openshift.io/v1/machineconfigs#9fab597988075d76a1c081cdc533f05623251a854b9936a08ae52cca5fc5a311' at path '[:]' all" test_ref="oval:ssg-test_luks_enabled_on_all_nodes:tst:1"/>
+            <oval-def:criterion comment="Make sure that the file '/apis/machineconfiguration.openshift.io/v1/machineconfigs#9fab597988075d76a1c081cdc533f05623251a854b9936a08ae52cca5fc5a311' exists." test_ref="oval:ssg-test_file_for_luks_enabled_on_all_nodes:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
         <oval-def:definition class="compliance" id="oval:ssg-oauth_inactivity_timeout:def:1" version="1">
@@ -19522,21 +23695,6 @@ critical for OpenShift security.</xccdf-1.2:rationale>
             <oval-def:criterion comment="Debian11 is installed" test_ref="oval:ssg-test_debian_11:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_debian9:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Debian 9</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:debian:debian_linux:9" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Debian 9</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_debian9" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="current Debian version is Debian Stretch" operator="AND">
-            <oval-def:extend_definition comment="Debian is installed" definition_ref="oval:ssg-installed_OS_is_debian:def:1"/>
-            <oval-def:criterion comment="Debian9 is installed" test_ref="oval:ssg-test_debian_9:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
         <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_fedora:def:1" version="3">
           <oval-def:metadata>
             <oval-def:title>Installed operating system is Fedora</oval-def:title>
@@ -20044,6 +24202,21 @@ critical for OpenShift security.</xccdf-1.2:rationale>
             <oval-def:criterion comment="Focal is installed" test_ref="oval:ssg-test_ubuntu_focal:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
+        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_ubuntu2204:def:1" version="1">
+          <oval-def:metadata>
+            <oval-def:title>Ubuntu 2204</oval-def:title>
+            <oval-def:affected family="unix">
+              <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
+            </oval-def:affected>
+            <oval-def:reference ref_id="cpe:/o:canonical:ubuntu_linux:22.04" source="CPE"/>
+            <oval-def:description>The operating system installed on the system is Ubuntu 2204</oval-def:description>
+            <oval-def:reference ref_id="installed_OS_is_ubuntu2204" source="ssg"/>
+          </oval-def:metadata>
+          <oval-def:criteria comment="current Ubuntu version is Jammy" operator="AND">
+            <oval-def:extend_definition comment="Ubuntu is installed" definition_ref="oval:ssg-installed_OS_is_ubuntu:def:1"/>
+            <oval-def:criterion comment="Jammy is installed" test_ref="oval:ssg-test_ubuntu_jammy:tst:1"/>
+          </oval-def:criteria>
+        </oval-def:definition>
         <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_uos20:def:1" version="1">
           <oval-def:metadata>
             <oval-def:title>UnionTech OS Server 20</oval-def:title>
@@ -20774,6 +24947,32 @@ critical for OpenShift security.</xccdf-1.2:rationale>
             <oval-def:extend_definition comment="If environment is not a container, it is machine" definition_ref="oval:ssg-installed_env_is_a_container:def:1" negate="true"/>
           </oval-def:criteria>
         </oval-def:definition>
+        <oval-def:definition class="inventory" id="oval:ssg-installed_env_mounts_tmp:def:1" version="1">
+          <oval-def:metadata>
+            <oval-def:title>Partition /tmp exists</oval-def:title>
+            <oval-def:affected family="unix">
+              <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
+            </oval-def:affected>
+            <oval-def:description/>
+            <oval-def:reference ref_id="installed_env_mounts_tmp" source="ssg"/>
+          </oval-def:metadata>
+          <oval-def:criteria>
+            <oval-def:criterion comment="The path /tmp is a partition's mount point" test_ref="oval:ssg-test_partition_tmp_exists:tst:1"/>
+          </oval-def:criteria>
+        </oval-def:definition>
+        <oval-def:definition class="inventory" id="oval:ssg-installed_env_mounts_var_tmp:def:1" version="1">
+          <oval-def:metadata>
+            <oval-def:title>Partition /var/tmp exists</oval-def:title>
+            <oval-def:affected family="unix">
+              <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
+            </oval-def:affected>
+            <oval-def:description/>
+            <oval-def:reference ref_id="installed_env_mounts_var_tmp" source="ssg"/>
+          </oval-def:metadata>
+          <oval-def:criteria>
+            <oval-def:criterion comment="The path /var/tmp is a partition's mount point" test_ref="oval:ssg-test_partition_var_tmp_exists:tst:1"/>
+          </oval-def:criteria>
+        </oval-def:definition>
         <oval-def:definition class="inventory" id="oval:ssg-krb5_server_older_than_1_17_18:def:1" version="1">
           <oval-def:metadata>
             <oval-def:title>Kerberos server is older than 1.17-18</oval-def:title>
@@ -21364,10 +25563,10 @@ critical for OpenShift security.</xccdf-1.2:rationale>
         <unix:file_test id="oval:ssg-test_file_for_api_server_basic_auth:tst:1" check="all" check_existence="only_one_exists" comment="Find the file to be checked ('/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430')." version="1">
           <unix:object object_ref="oval:ssg-object_file_for_api_server_basic_auth:obj:1"/>
         </unix:file_test>
-        <ind:yamlfilecontent_test id="oval:ssg-test_api_server_bind_address:tst:1" check="all" check_existence="only_one_exists" comment="In the file '/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430' find only one object at path '.servingInfo[&quot;bindAddress&quot;]'." version="1">
-          <ind:object object_ref="oval:ssg-object_api_server_bind_address:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_api_server_bind_address:ste:1"/>
-        </ind:yamlfilecontent_test>
+        <ind:variable_test id="oval:ssg-test_api_server_bind_address:tst:1" check="all" check_existence="all_exist" comment="Variable test to check XCCDF variable" version="1">
+          <ind:object object_ref="oval:ssg-variable_object_api_server_bind_address:obj:1"/>
+          <ind:state state_ref="oval:ssg-variable_state_api_server_bind_address:ste:1"/>
+        </ind:variable_test>
         <unix:file_test id="oval:ssg-test_file_for_api_server_bind_address:tst:1" check="all" check_existence="only_one_exists" comment="Find the file to be checked ('/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430')." version="1">
           <unix:object object_ref="oval:ssg-object_file_for_api_server_bind_address:obj:1"/>
         </unix:file_test>
@@ -22049,18 +26248,11 @@ critical for OpenShift security.</xccdf-1.2:rationale>
         <unix:file_test check="all" check_existence="none_exist" comment="Testing mode of /var/run/openshift-sdn/cniserver/config.json" id="oval:ssg-test_file_permissionsfile_perms_openshift_sdn_cniserver_config_0:tst:1" version="3">
           <unix:object object_ref="oval:ssg-object_file_permissionsfile_perms_openshift_sdn_cniserver_config_0:obj:1"/>
         </unix:file_test>
-        <ind:yamlfilecontent_test id="oval:ssg-test_fips_mode_enabled:tst:1" check="all" check_existence="only_one_exists" comment="In the file '/apis/machineconfiguration.openshift.io/v1/machineconfigs/99-master-fips' find only one object at path '.spec.fips'." version="1">
-          <ind:object object_ref="oval:ssg-object_fips_mode_enabled:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_fips_mode_enabled:ste:1"/>
-        </ind:yamlfilecontent_test>
-        <unix:file_test id="oval:ssg-test_file_for_fips_mode_enabled:tst:1" check="all" check_existence="only_one_exists" comment="Find the file to be checked ('/apis/machineconfiguration.openshift.io/v1/machineconfigs/99-master-fips')." version="1">
-          <unix:object object_ref="oval:ssg-object_file_for_fips_mode_enabled:obj:1"/>
-        </unix:file_test>
-        <ind:yamlfilecontent_test id="oval:ssg-test_fips_mode_enabled_on_all_nodes:tst:1" check="all" check_existence="all_exist" comment="In the file '/apis/machineconfiguration.openshift.io/v1/machineconfigs#191c7889a801949fcc07c8f067ca719c614388ea53f4b96b7148c57799e423b3' find only one object at path '[:]'." version="1">
+        <ind:yamlfilecontent_test id="oval:ssg-test_fips_mode_enabled_on_all_nodes:tst:1" check="all" check_existence="all_exist" comment="In the file '/apis/machineconfiguration.openshift.io/v1/machineconfigs#ab7e02a1c3f44ae48f843ce3dee7b948d624d2f702b9428760efbfd4653847ba' find only one object at path '[:]'." version="1">
           <ind:object object_ref="oval:ssg-object_fips_mode_enabled_on_all_nodes:obj:1"/>
           <ind:state state_ref="oval:ssg-state_fips_mode_enabled_on_all_nodes:ste:1"/>
         </ind:yamlfilecontent_test>
-        <unix:file_test id="oval:ssg-test_file_for_fips_mode_enabled_on_all_nodes:tst:1" check="all" check_existence="only_one_exists" comment="Find the file to be checked ('/apis/machineconfiguration.openshift.io/v1/machineconfigs#191c7889a801949fcc07c8f067ca719c614388ea53f4b96b7148c57799e423b3')." version="1">
+        <unix:file_test id="oval:ssg-test_file_for_fips_mode_enabled_on_all_nodes:tst:1" check="all" check_existence="only_one_exists" comment="Find the file to be checked ('/apis/machineconfiguration.openshift.io/v1/machineconfigs#ab7e02a1c3f44ae48f843ce3dee7b948d624d2f702b9428760efbfd4653847ba')." version="1">
           <unix:object object_ref="oval:ssg-object_file_for_fips_mode_enabled_on_all_nodes:obj:1"/>
         </unix:file_test>
         <ind:yamlfilecontent_test id="oval:ssg-test_gcp_disk_encryption_enabled:tst:1" check="all" check_existence="all_exist" comment="In the file '/apis/machine.openshift.io/v1beta1/machinesets?limit=500#4de267a890d70235b0f43110ee972bee760ecce356b1e9cb910f99cc33a02cc2' find only one object at path '[:]'." version="1">
@@ -22101,22 +26293,78 @@ critical for OpenShift security.</xccdf-1.2:rationale>
         <unix:file_test id="oval:ssg-test_file_for_kubeadmin_removed:tst:1" check="all" check_existence="only_one_exists" comment="Find the file to be checked ('/api/v1/namespaces/kube-system/secrets/kubeadmin')." version="1">
           <unix:object object_ref="oval:ssg-object_file_for_kubeadmin_removed:obj:1"/>
         </unix:file_test>
-        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_anonymous_auth_worker:tst:1" check="all" check_existence="only_one_exists" comment="In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.authentication.anonymous.enabled'." version="1">
+        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_anonymous_auth_deprecated:tst:1" check="all" check_existence="only_one_exists" comment="In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.authentication.anonymous.enabled'." version="1">
+          <ind:object object_ref="oval:ssg-object_kubelet_anonymous_auth_deprecated:obj:1"/>
+          <ind:state state_ref="oval:ssg-state_kubelet_anonymous_auth_deprecated:ste:1"/>
+        </ind:yamlfilecontent_test>
+        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_anonymous_auth_master:tst:1" check="all" check_existence="all_exist" comment="In the file '/kubeletconfig/role' find only one object at path '.authentication.anonymous.enabled'." version="1">
+          <ind:object object_ref="oval:ssg-object_kubelet_anonymous_auth_master:obj:1"/>
+          <ind:state state_ref="oval:ssg-state_kubelet_anonymous_auth_master:ste:1"/>
+        </ind:yamlfilecontent_test>
+        <unix:file_test id="oval:ssg-test_file_for_kubelet_anonymous_auth_master:tst:1" check="all" check_existence="only_one_exists" comment="Find the file to be checked ('/kubeletconfig/role')." version="1">
+          <unix:object object_ref="oval:ssg-object_file_for_kubelet_anonymous_auth_master:obj:1"/>
+        </unix:file_test>
+        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_anonymous_auth_worker:tst:1" check="all" check_existence="all_exist" comment="In the file '/kubeletconfig/role' find only one object at path '.authentication.anonymous.enabled'." version="1">
           <ind:object object_ref="oval:ssg-object_kubelet_anonymous_auth_worker:obj:1"/>
           <ind:state state_ref="oval:ssg-state_kubelet_anonymous_auth_worker:ste:1"/>
         </ind:yamlfilecontent_test>
-        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_authorization_mode_worker:tst:1" check="all" check_existence="any_exist" comment="In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.authorization.mode'." version="1">
+        <unix:file_test id="oval:ssg-test_file_for_kubelet_anonymous_auth_worker:tst:1" check="all" check_existence="only_one_exists" comment="Find the file to be checked ('/kubeletconfig/role')." version="1">
+          <unix:object object_ref="oval:ssg-object_file_for_kubelet_anonymous_auth_worker:obj:1"/>
+        </unix:file_test>
+        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_authorization_mode_deprecated:tst:1" check="all" check_existence="any_exist" comment="In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.authorization.mode'." version="1">
+          <ind:object object_ref="oval:ssg-object_kubelet_authorization_mode_deprecated:obj:1"/>
+          <ind:state state_ref="oval:ssg-state_kubelet_authorization_mode_deprecated:ste:1"/>
+        </ind:yamlfilecontent_test>
+        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_authorization_mode_master:tst:1" check="all" check_existence="all_exist" comment="In the file '/kubeletconfig/role' find only one object at path '.authorization.mode'." version="1">
+          <ind:object object_ref="oval:ssg-object_kubelet_authorization_mode_master:obj:1"/>
+          <ind:state state_ref="oval:ssg-state_kubelet_authorization_mode_master:ste:1"/>
+        </ind:yamlfilecontent_test>
+        <unix:file_test id="oval:ssg-test_file_for_kubelet_authorization_mode_master:tst:1" check="all" check_existence="only_one_exists" comment="Find the file to be checked ('/kubeletconfig/role')." version="1">
+          <unix:object object_ref="oval:ssg-object_file_for_kubelet_authorization_mode_master:obj:1"/>
+        </unix:file_test>
+        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_authorization_mode_worker:tst:1" check="all" check_existence="all_exist" comment="In the file '/kubeletconfig/role' find only one object at path '.authorization.mode'." version="1">
           <ind:object object_ref="oval:ssg-object_kubelet_authorization_mode_worker:obj:1"/>
           <ind:state state_ref="oval:ssg-state_kubelet_authorization_mode_worker:ste:1"/>
         </ind:yamlfilecontent_test>
-        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_configure_client_ca_worker:tst:1" check="all" check_existence="only_one_exists" comment="In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.authentication.x509.clientCAFile'." version="1">
+        <unix:file_test id="oval:ssg-test_file_for_kubelet_authorization_mode_worker:tst:1" check="all" check_existence="only_one_exists" comment="Find the file to be checked ('/kubeletconfig/role')." version="1">
+          <unix:object object_ref="oval:ssg-object_file_for_kubelet_authorization_mode_worker:obj:1"/>
+        </unix:file_test>
+        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_configure_client_ca_deprecated:tst:1" check="all" check_existence="only_one_exists" comment="In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.authentication.x509.clientCAFile'." version="1">
+          <ind:object object_ref="oval:ssg-object_kubelet_configure_client_ca_deprecated:obj:1"/>
+          <ind:state state_ref="oval:ssg-state_kubelet_configure_client_ca_deprecated:ste:1"/>
+        </ind:yamlfilecontent_test>
+        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_configure_client_ca_master:tst:1" check="all" check_existence="all_exist" comment="In the file '/kubeletconfig/role' find only one object at path '.authentication.x509.clientCAFile'." version="1">
+          <ind:object object_ref="oval:ssg-object_kubelet_configure_client_ca_master:obj:1"/>
+          <ind:state state_ref="oval:ssg-state_kubelet_configure_client_ca_master:ste:1"/>
+        </ind:yamlfilecontent_test>
+        <unix:file_test id="oval:ssg-test_file_for_kubelet_configure_client_ca_master:tst:1" check="all" check_existence="only_one_exists" comment="Find the file to be checked ('/kubeletconfig/role')." version="1">
+          <unix:object object_ref="oval:ssg-object_file_for_kubelet_configure_client_ca_master:obj:1"/>
+        </unix:file_test>
+        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_configure_client_ca_worker:tst:1" check="all" check_existence="all_exist" comment="In the file '/kubeletconfig/role' find only one object at path '.authentication.x509.clientCAFile'." version="1">
           <ind:object object_ref="oval:ssg-object_kubelet_configure_client_ca_worker:obj:1"/>
           <ind:state state_ref="oval:ssg-state_kubelet_configure_client_ca_worker:ste:1"/>
         </ind:yamlfilecontent_test>
-        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_configure_event_creation_worker:tst:1" check="all" check_existence="only_one_exists" comment="In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.eventRecordQPS'." version="1">
+        <unix:file_test id="oval:ssg-test_file_for_kubelet_configure_client_ca_worker:tst:1" check="all" check_existence="only_one_exists" comment="Find the file to be checked ('/kubeletconfig/role')." version="1">
+          <unix:object object_ref="oval:ssg-object_file_for_kubelet_configure_client_ca_worker:obj:1"/>
+        </unix:file_test>
+        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_configure_event_creation_deprecated:tst:1" check="all" check_existence="only_one_exists" comment="In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.eventRecordQPS'." version="1">
+          <ind:object object_ref="oval:ssg-object_kubelet_configure_event_creation_deprecated:obj:1"/>
+          <ind:state state_ref="oval:ssg-state_kubelet_configure_event_creation_deprecated:ste:1"/>
+        </ind:yamlfilecontent_test>
+        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_configure_event_creation_master:tst:1" check="all" check_existence="all_exist" comment="In the file '/kubeletconfig/role' find only one object at path '.eventRecordQPS'." version="1">
+          <ind:object object_ref="oval:ssg-object_kubelet_configure_event_creation_master:obj:1"/>
+          <ind:state state_ref="oval:ssg-state_kubelet_configure_event_creation_master:ste:1"/>
+        </ind:yamlfilecontent_test>
+        <unix:file_test id="oval:ssg-test_file_for_kubelet_configure_event_creation_master:tst:1" check="all" check_existence="only_one_exists" comment="Find the file to be checked ('/kubeletconfig/role')." version="1">
+          <unix:object object_ref="oval:ssg-object_file_for_kubelet_configure_event_creation_master:obj:1"/>
+        </unix:file_test>
+        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_configure_event_creation_worker:tst:1" check="all" check_existence="all_exist" comment="In the file '/kubeletconfig/role' find only one object at path '.eventRecordQPS'." version="1">
           <ind:object object_ref="oval:ssg-object_kubelet_configure_event_creation_worker:obj:1"/>
           <ind:state state_ref="oval:ssg-state_kubelet_configure_event_creation_worker:ste:1"/>
         </ind:yamlfilecontent_test>
+        <unix:file_test id="oval:ssg-test_file_for_kubelet_configure_event_creation_worker:tst:1" check="all" check_existence="only_one_exists" comment="Find the file to be checked ('/kubeletconfig/role')." version="1">
+          <unix:object object_ref="oval:ssg-object_file_for_kubelet_configure_event_creation_worker:obj:1"/>
+        </unix:file_test>
         <ind:variable_test id="oval:ssg-test_kubelet_configure_tls_cert:tst:1" check="all" check_existence="all_exist" comment="Variable test to check XCCDF variable" version="1">
           <ind:object object_ref="oval:ssg-variable_object_kubelet_configure_tls_cert:obj:1"/>
           <ind:state state_ref="oval:ssg-variable_state_kubelet_configure_tls_cert:ste:1"/>
@@ -22131,6 +26379,10 @@ critical for OpenShift security.</xccdf-1.2:rationale>
         <unix:file_test id="oval:ssg-test_file_for_kubelet_configure_tls_cert_pre_4_9:tst:1" check="all" check_existence="only_one_exists" comment="Find the file to be checked ('/api/v1/namespaces/openshift-kube-apiserver/configmaps/config')." version="1">
           <unix:object object_ref="oval:ssg-object_file_for_kubelet_configure_tls_cert_pre_4_9:obj:1"/>
         </unix:file_test>
+        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_configure_tls_cipher_suites_deprecated:tst:1" check="all" check_existence="only_one_exists" comment="In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.tlsCipherSuites[:]'." version="1">
+          <ind:object object_ref="oval:ssg-object_kubelet_configure_tls_cipher_suites_deprecated:obj:1"/>
+          <ind:state state_ref="oval:ssg-state_kubelet_configure_tls_cipher_suites_deprecated:ste:1"/>
+        </ind:yamlfilecontent_test>
         <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_configure_tls_cipher_suites_ingresscontroller:tst:1" check="all" check_existence="only_one_exists" comment="In the file '/apis/operator.openshift.io/v1/namespaces/openshift-ingress-operator/ingresscontrollers/default' find only one object at path '.status.tlsProfile.ciphers[:]'." version="1">
           <ind:object object_ref="oval:ssg-object_kubelet_configure_tls_cipher_suites_ingresscontroller:obj:1"/>
           <ind:state state_ref="oval:ssg-state_kubelet_configure_tls_cipher_suites_ingresscontroller:ste:1"/>
@@ -22145,6 +26397,13 @@ critical for OpenShift security.</xccdf-1.2:rationale>
         <unix:file_test id="oval:ssg-test_file_for_kubelet_configure_tls_cipher_suites_kubeapiserver_operator:tst:1" check="all" check_existence="only_one_exists" comment="Find the file to be checked ('/apis/operator.openshift.io/v1/kubeapiservers/cluster')." version="1">
           <unix:object object_ref="oval:ssg-object_file_for_kubelet_configure_tls_cipher_suites_kubeapiserver_operator:obj:1"/>
         </unix:file_test>
+        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_configure_tls_cipher_suites_master:tst:1" check="all" check_existence="only_one_exists" comment="In the file '/kubeletconfig/role' find only one object at path '.tlsCipherSuites[:]'." version="1">
+          <ind:object object_ref="oval:ssg-object_kubelet_configure_tls_cipher_suites_master:obj:1"/>
+          <ind:state state_ref="oval:ssg-state_kubelet_configure_tls_cipher_suites_master:ste:1"/>
+        </ind:yamlfilecontent_test>
+        <unix:file_test id="oval:ssg-test_file_for_kubelet_configure_tls_cipher_suites_master:tst:1" check="all" check_existence="only_one_exists" comment="Find the file to be checked ('/kubeletconfig/role')." version="1">
+          <unix:object object_ref="oval:ssg-object_file_for_kubelet_configure_tls_cipher_suites_master:obj:1"/>
+        </unix:file_test>
         <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_configure_tls_cipher_suites_openshiftapiserver_operator:tst:1" check="all" check_existence="only_one_exists" comment="In the file '/apis/operator.openshift.io/v1/openshiftapiservers/cluster' find only one object at path '.spec.unsupportedConfigOverrides.servingInfo.cipherSuites[:]'." version="1">
           <ind:object object_ref="oval:ssg-object_kubelet_configure_tls_cipher_suites_openshiftapiserver_operator:obj:1"/>
           <ind:state state_ref="oval:ssg-state_kubelet_configure_tls_cipher_suites_openshiftapiserver_operator:ste:1"/>
@@ -22152,10 +26411,13 @@ critical for OpenShift security.</xccdf-1.2:rationale>
         <unix:file_test id="oval:ssg-test_file_for_kubelet_configure_tls_cipher_suites_openshiftapiserver_operator:tst:1" check="all" check_existence="only_one_exists" comment="Find the file to be checked ('/apis/operator.openshift.io/v1/openshiftapiservers/cluster')." version="1">
           <unix:object object_ref="oval:ssg-object_file_for_kubelet_configure_tls_cipher_suites_openshiftapiserver_operator:obj:1"/>
         </unix:file_test>
-        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_configure_tls_cipher_suites_worker:tst:1" check="all" check_existence="only_one_exists" comment="In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.tlsCipherSuites[:]'." version="1">
+        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_configure_tls_cipher_suites_worker:tst:1" check="all" check_existence="only_one_exists" comment="In the file '/kubeletconfig/role' find only one object at path '.tlsCipherSuites[:]'." version="1">
           <ind:object object_ref="oval:ssg-object_kubelet_configure_tls_cipher_suites_worker:obj:1"/>
           <ind:state state_ref="oval:ssg-state_kubelet_configure_tls_cipher_suites_worker:ste:1"/>
         </ind:yamlfilecontent_test>
+        <unix:file_test id="oval:ssg-test_file_for_kubelet_configure_tls_cipher_suites_worker:tst:1" check="all" check_existence="only_one_exists" comment="Find the file to be checked ('/kubeletconfig/role')." version="1">
+          <unix:object object_ref="oval:ssg-object_file_for_kubelet_configure_tls_cipher_suites_worker:obj:1"/>
+        </unix:file_test>
         <ind:variable_test id="oval:ssg-test_kubelet_configure_tls_key:tst:1" check="all" check_existence="all_exist" comment="Variable test to check XCCDF variable" version="1">
           <ind:object object_ref="oval:ssg-variable_object_kubelet_configure_tls_key:obj:1"/>
           <ind:state state_ref="oval:ssg-variable_state_kubelet_configure_tls_key:ste:1"/>
@@ -22177,18 +26439,56 @@ critical for OpenShift security.</xccdf-1.2:rationale>
         <unix:file_test id="oval:ssg-test_file_for_kubelet_disable_readonly_port:tst:1" check="all" check_existence="only_one_exists" comment="Find the file to be checked ('/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430')." version="1">
           <unix:object object_ref="oval:ssg-object_file_for_kubelet_disable_readonly_port:obj:1"/>
         </unix:file_test>
-        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_enable_cert_rotation_worker:tst:1" check="all" check_existence="only_one_exists" comment="In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.rotateCertificates'." version="1">
+        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_enable_cert_rotation_deprecated:tst:1" check="all" check_existence="only_one_exists" comment="In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.rotateCertificates'." version="1">
+          <ind:object object_ref="oval:ssg-object_kubelet_enable_cert_rotation_deprecated:obj:1"/>
+          <ind:state state_ref="oval:ssg-state_kubelet_enable_cert_rotation_deprecated:ste:1"/>
+        </ind:yamlfilecontent_test>
+        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_enable_cert_rotation_master:tst:1" check="all" check_existence="all_exist" comment="In the file '/kubeletconfig/role' find only one object at path '.rotateCertificates'." version="1">
+          <ind:object object_ref="oval:ssg-object_kubelet_enable_cert_rotation_master:obj:1"/>
+          <ind:state state_ref="oval:ssg-state_kubelet_enable_cert_rotation_master:ste:1"/>
+        </ind:yamlfilecontent_test>
+        <unix:file_test id="oval:ssg-test_file_for_kubelet_enable_cert_rotation_master:tst:1" check="all" check_existence="only_one_exists" comment="Find the file to be checked ('/kubeletconfig/role')." version="1">
+          <unix:object object_ref="oval:ssg-object_file_for_kubelet_enable_cert_rotation_master:obj:1"/>
+        </unix:file_test>
+        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_enable_cert_rotation_worker:tst:1" check="all" check_existence="all_exist" comment="In the file '/kubeletconfig/role' find only one object at path '.rotateCertificates'." version="1">
           <ind:object object_ref="oval:ssg-object_kubelet_enable_cert_rotation_worker:obj:1"/>
           <ind:state state_ref="oval:ssg-state_kubelet_enable_cert_rotation_worker:ste:1"/>
         </ind:yamlfilecontent_test>
-        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_enable_client_cert_rotation:tst:1" check="all" check_existence="any_exist" comment="In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.featureGates.RotateKubeletClientCertificate'." version="1">
-          <ind:object object_ref="oval:ssg-object_kubelet_enable_client_cert_rotation:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_kubelet_enable_client_cert_rotation:ste:1"/>
+        <unix:file_test id="oval:ssg-test_file_for_kubelet_enable_cert_rotation_worker:tst:1" check="all" check_existence="only_one_exists" comment="Find the file to be checked ('/kubeletconfig/role')." version="1">
+          <unix:object object_ref="oval:ssg-object_file_for_kubelet_enable_cert_rotation_worker:obj:1"/>
+        </unix:file_test>
+        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_enable_client_cert_rotation_master:tst:1" check="all" check_existence="any_exist" comment="In the file '/kubeletconfig/role' find only one object at path '.featureGates.RotateKubeletClientCertificate'." version="1">
+          <ind:object object_ref="oval:ssg-object_kubelet_enable_client_cert_rotation_master:obj:1"/>
+          <ind:state state_ref="oval:ssg-state_kubelet_enable_client_cert_rotation_master:ste:1"/>
+        </ind:yamlfilecontent_test>
+        <unix:file_test id="oval:ssg-test_file_for_kubelet_enable_client_cert_rotation_master:tst:1" check="all" check_existence="only_one_exists" comment="Find the file to be checked ('/kubeletconfig/role')." version="1">
+          <unix:object object_ref="oval:ssg-object_file_for_kubelet_enable_client_cert_rotation_master:obj:1"/>
+        </unix:file_test>
+        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_enable_client_cert_rotation_worker:tst:1" check="all" check_existence="any_exist" comment="In the file '/kubeletconfig/role' find only one object at path '.featureGates.RotateKubeletClientCertificate'." version="1">
+          <ind:object object_ref="oval:ssg-object_kubelet_enable_client_cert_rotation_worker:obj:1"/>
+          <ind:state state_ref="oval:ssg-state_kubelet_enable_client_cert_rotation_worker:ste:1"/>
+        </ind:yamlfilecontent_test>
+        <unix:file_test id="oval:ssg-test_file_for_kubelet_enable_client_cert_rotation_worker:tst:1" check="all" check_existence="only_one_exists" comment="Find the file to be checked ('/kubeletconfig/role')." version="1">
+          <unix:object object_ref="oval:ssg-object_file_for_kubelet_enable_client_cert_rotation_worker:obj:1"/>
+        </unix:file_test>
+        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_enable_iptables_util_chains_deprecated:tst:1" check="all" check_existence="only_one_exists" comment="In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.makeIPTablesUtilChains'." version="1">
+          <ind:object object_ref="oval:ssg-object_kubelet_enable_iptables_util_chains_deprecated:obj:1"/>
+          <ind:state state_ref="oval:ssg-state_kubelet_enable_iptables_util_chains_deprecated:ste:1"/>
+        </ind:yamlfilecontent_test>
+        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_enable_iptables_util_chains_master:tst:1" check="all" check_existence="only_one_exists" comment="In the file '/kubeletconfig/role' find only one object at path '.makeIPTablesUtilChains'." version="1">
+          <ind:object object_ref="oval:ssg-object_kubelet_enable_iptables_util_chains_master:obj:1"/>
+          <ind:state state_ref="oval:ssg-state_kubelet_enable_iptables_util_chains_master:ste:1"/>
         </ind:yamlfilecontent_test>
-        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_enable_iptables_util_chains:tst:1" check="all" check_existence="only_one_exists" comment="In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.makeIPTablesUtilChains'." version="1">
-          <ind:object object_ref="oval:ssg-object_kubelet_enable_iptables_util_chains:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_kubelet_enable_iptables_util_chains:ste:1"/>
+        <unix:file_test id="oval:ssg-test_file_for_kubelet_enable_iptables_util_chains_master:tst:1" check="all" check_existence="only_one_exists" comment="Find the file to be checked ('/kubeletconfig/role')." version="1">
+          <unix:object object_ref="oval:ssg-object_file_for_kubelet_enable_iptables_util_chains_master:obj:1"/>
+        </unix:file_test>
+        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_enable_iptables_util_chains_worker:tst:1" check="all" check_existence="only_one_exists" comment="In the file '/kubeletconfig/role' find only one object at path '.makeIPTablesUtilChains'." version="1">
+          <ind:object object_ref="oval:ssg-object_kubelet_enable_iptables_util_chains_worker:obj:1"/>
+          <ind:state state_ref="oval:ssg-state_kubelet_enable_iptables_util_chains_worker:ste:1"/>
         </ind:yamlfilecontent_test>
+        <unix:file_test id="oval:ssg-test_file_for_kubelet_enable_iptables_util_chains_worker:tst:1" check="all" check_existence="only_one_exists" comment="Find the file to be checked ('/kubeletconfig/role')." version="1">
+          <unix:object object_ref="oval:ssg-object_file_for_kubelet_enable_iptables_util_chains_worker:obj:1"/>
+        </unix:file_test>
         <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_enable_protect_kernel_defaults:tst:1" check="all" check_existence="only_one_exists" comment="In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.protectKernelDefaults'." version="1">
           <ind:object object_ref="oval:ssg-object_kubelet_enable_protect_kernel_defaults:obj:1"/>
           <ind:state state_ref="oval:ssg-state_kubelet_enable_protect_kernel_defaults:ste:1"/>
@@ -22214,77 +26514,259 @@ critical for OpenShift security.</xccdf-1.2:rationale>
         <ind:textfilecontent54_test check="all" comment="tests the presence of 'kernel.panic=10' setting in the /etc/sysctl.d/90-kubelet.conf file" id="oval:ssg-test_kubelet_enable_protect_kernel_sysctl_vm_panic_on_oom:tst:1" version="1">
           <ind:object object_ref="oval:ssg-obj_kubelet_enable_protect_kernel_sysctl_vm_panic_on_oom:obj:1"/>
         </ind:textfilecontent54_test>
-        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_enable_server_cert_rotation_worker:tst:1" check="all" check_existence="only_one_exists" comment="In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.featureGates.RotateKubeletServerCertificate'." version="1">
+        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_enable_server_cert_rotation_deprecated:tst:1" check="all" check_existence="only_one_exists" comment="In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.featureGates.RotateKubeletServerCertificate'." version="1">
+          <ind:object object_ref="oval:ssg-object_kubelet_enable_server_cert_rotation_deprecated:obj:1"/>
+          <ind:state state_ref="oval:ssg-state_kubelet_enable_server_cert_rotation_deprecated:ste:1"/>
+        </ind:yamlfilecontent_test>
+        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_enable_server_cert_rotation_master:tst:1" check="all" check_existence="only_one_exists" comment="In the file '/kubeletconfig/role' find only one object at path '.featureGates.RotateKubeletServerCertificate'." version="1">
+          <ind:object object_ref="oval:ssg-object_kubelet_enable_server_cert_rotation_master:obj:1"/>
+          <ind:state state_ref="oval:ssg-state_kubelet_enable_server_cert_rotation_master:ste:1"/>
+        </ind:yamlfilecontent_test>
+        <unix:file_test id="oval:ssg-test_file_for_kubelet_enable_server_cert_rotation_master:tst:1" check="all" check_existence="only_one_exists" comment="Find the file to be checked ('/kubeletconfig/role')." version="1">
+          <unix:object object_ref="oval:ssg-object_file_for_kubelet_enable_server_cert_rotation_master:obj:1"/>
+        </unix:file_test>
+        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_enable_server_cert_rotation_worker:tst:1" check="all" check_existence="only_one_exists" comment="In the file '/kubeletconfig/role' find only one object at path '.featureGates.RotateKubeletServerCertificate'." version="1">
           <ind:object object_ref="oval:ssg-object_kubelet_enable_server_cert_rotation_worker:obj:1"/>
           <ind:state state_ref="oval:ssg-state_kubelet_enable_server_cert_rotation_worker:ste:1"/>
         </ind:yamlfilecontent_test>
-        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_enable_streaming_connections_worker:tst:1" check="all" check_existence="all_exist" comment="In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.streamingConnectionIdleTimeout'." version="1">
+        <unix:file_test id="oval:ssg-test_file_for_kubelet_enable_server_cert_rotation_worker:tst:1" check="all" check_existence="only_one_exists" comment="Find the file to be checked ('/kubeletconfig/role')." version="1">
+          <unix:object object_ref="oval:ssg-object_file_for_kubelet_enable_server_cert_rotation_worker:obj:1"/>
+        </unix:file_test>
+        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_enable_streaming_connections_deprecated:tst:1" check="all" check_existence="all_exist" comment="In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.streamingConnectionIdleTimeout'." version="1">
+          <ind:object object_ref="oval:ssg-object_kubelet_enable_streaming_connections_deprecated:obj:1"/>
+          <ind:state state_ref="oval:ssg-state_kubelet_enable_streaming_connections_deprecated:ste:1"/>
+        </ind:yamlfilecontent_test>
+        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_enable_streaming_connections_master:tst:1" check="all" check_existence="all_exist" comment="In the file '/kubeletconfig/role' find only one object at path '.streamingConnectionIdleTimeout'." version="1">
+          <ind:object object_ref="oval:ssg-object_kubelet_enable_streaming_connections_master:obj:1"/>
+          <ind:state state_ref="oval:ssg-state_kubelet_enable_streaming_connections_master:ste:1"/>
+        </ind:yamlfilecontent_test>
+        <unix:file_test id="oval:ssg-test_file_for_kubelet_enable_streaming_connections_master:tst:1" check="all" check_existence="only_one_exists" comment="Find the file to be checked ('/kubeletconfig/role')." version="1">
+          <unix:object object_ref="oval:ssg-object_file_for_kubelet_enable_streaming_connections_master:obj:1"/>
+        </unix:file_test>
+        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_enable_streaming_connections_worker:tst:1" check="all" check_existence="all_exist" comment="In the file '/kubeletconfig/role' find only one object at path '.streamingConnectionIdleTimeout'." version="1">
           <ind:object object_ref="oval:ssg-object_kubelet_enable_streaming_connections_worker:obj:1"/>
           <ind:state state_ref="oval:ssg-state_kubelet_enable_streaming_connections_worker:ste:1"/>
         </ind:yamlfilecontent_test>
-        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_eviction_thresholds_set_hard_imagefs_available_worker:tst:1" check="all" check_existence="only_one_exists" comment="In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.evictionHard['imagefs.available']'." version="1">
+        <unix:file_test id="oval:ssg-test_file_for_kubelet_enable_streaming_connections_worker:tst:1" check="all" check_existence="only_one_exists" comment="Find the file to be checked ('/kubeletconfig/role')." version="1">
+          <unix:object object_ref="oval:ssg-object_file_for_kubelet_enable_streaming_connections_worker:obj:1"/>
+        </unix:file_test>
+        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_eviction_thresholds_set_hard_imagefs_available_deprecated:tst:1" check="all" check_existence="only_one_exists" comment="In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.evictionHard['imagefs.available']'." version="1">
+          <ind:object object_ref="oval:ssg-object_kubelet_eviction_thresholds_set_hard_imagefs_available_deprecated:obj:1"/>
+          <ind:state state_ref="oval:ssg-state_kubelet_eviction_thresholds_set_hard_imagefs_available_deprecated:ste:1"/>
+        </ind:yamlfilecontent_test>
+        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_eviction_thresholds_set_hard_imagefs_available_master:tst:1" check="all" check_existence="all_exist" comment="In the file '/kubeletconfig/role' find only one object at path '.evictionHard['imagefs.available']'." version="1">
+          <ind:object object_ref="oval:ssg-object_kubelet_eviction_thresholds_set_hard_imagefs_available_master:obj:1"/>
+          <ind:state state_ref="oval:ssg-state_kubelet_eviction_thresholds_set_hard_imagefs_available_master:ste:1"/>
+        </ind:yamlfilecontent_test>
+        <unix:file_test id="oval:ssg-test_file_for_kubelet_eviction_thresholds_set_hard_imagefs_available_master:tst:1" check="all" check_existence="only_one_exists" comment="Find the file to be checked ('/kubeletconfig/role')." version="1">
+          <unix:object object_ref="oval:ssg-object_file_for_kubelet_eviction_thresholds_set_hard_imagefs_available_master:obj:1"/>
+        </unix:file_test>
+        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_eviction_thresholds_set_hard_imagefs_available_worker:tst:1" check="all" check_existence="all_exist" comment="In the file '/kubeletconfig/role' find only one object at path '.evictionHard['imagefs.available']'." version="1">
           <ind:object object_ref="oval:ssg-object_kubelet_eviction_thresholds_set_hard_imagefs_available_worker:obj:1"/>
           <ind:state state_ref="oval:ssg-state_kubelet_eviction_thresholds_set_hard_imagefs_available_worker:ste:1"/>
         </ind:yamlfilecontent_test>
-        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_worker:tst:1" check="all" check_existence="only_one_exists" comment="In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.evictionHard['imagefs.inodesFree']'." version="1">
+        <unix:file_test id="oval:ssg-test_file_for_kubelet_eviction_thresholds_set_hard_imagefs_available_worker:tst:1" check="all" check_existence="only_one_exists" comment="Find the file to be checked ('/kubeletconfig/role')." version="1">
+          <unix:object object_ref="oval:ssg-object_file_for_kubelet_eviction_thresholds_set_hard_imagefs_available_worker:obj:1"/>
+        </unix:file_test>
+        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_deprecated:tst:1" check="all" check_existence="only_one_exists" comment="In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.evictionHard['imagefs.inodesFree']'." version="1">
+          <ind:object object_ref="oval:ssg-object_kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_deprecated:obj:1"/>
+          <ind:state state_ref="oval:ssg-state_kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_deprecated:ste:1"/>
+        </ind:yamlfilecontent_test>
+        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_master:tst:1" check="all" check_existence="all_exist" comment="In the file '/kubeletconfig/role' find only one object at path '.evictionHard['imagefs.inodesFree']'." version="1">
+          <ind:object object_ref="oval:ssg-object_kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_master:obj:1"/>
+          <ind:state state_ref="oval:ssg-state_kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_master:ste:1"/>
+        </ind:yamlfilecontent_test>
+        <unix:file_test id="oval:ssg-test_file_for_kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_master:tst:1" check="all" check_existence="only_one_exists" comment="Find the file to be checked ('/kubeletconfig/role')." version="1">
+          <unix:object object_ref="oval:ssg-object_file_for_kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_master:obj:1"/>
+        </unix:file_test>
+        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_worker:tst:1" check="all" check_existence="all_exist" comment="In the file '/kubeletconfig/role' find only one object at path '.evictionHard['imagefs.inodesFree']'." version="1">
           <ind:object object_ref="oval:ssg-object_kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_worker:obj:1"/>
           <ind:state state_ref="oval:ssg-state_kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_worker:ste:1"/>
         </ind:yamlfilecontent_test>
-        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_eviction_thresholds_set_hard_memory_available_worker:tst:1" check="all" check_existence="only_one_exists" comment="In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.evictionHard['memory.available']'." version="1">
+        <unix:file_test id="oval:ssg-test_file_for_kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_worker:tst:1" check="all" check_existence="only_one_exists" comment="Find the file to be checked ('/kubeletconfig/role')." version="1">
+          <unix:object object_ref="oval:ssg-object_file_for_kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_worker:obj:1"/>
+        </unix:file_test>
+        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_eviction_thresholds_set_hard_memory_available_deprecated:tst:1" check="all" check_existence="only_one_exists" comment="In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.evictionHard['memory.available']'." version="1">
+          <ind:object object_ref="oval:ssg-object_kubelet_eviction_thresholds_set_hard_memory_available_deprecated:obj:1"/>
+          <ind:state state_ref="oval:ssg-state_kubelet_eviction_thresholds_set_hard_memory_available_deprecated:ste:1"/>
+        </ind:yamlfilecontent_test>
+        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_eviction_thresholds_set_hard_memory_available_master:tst:1" check="all" check_existence="all_exist" comment="In the file '/kubeletconfig/role' find only one object at path '.evictionHard['memory.available']'." version="1">
+          <ind:object object_ref="oval:ssg-object_kubelet_eviction_thresholds_set_hard_memory_available_master:obj:1"/>
+          <ind:state state_ref="oval:ssg-state_kubelet_eviction_thresholds_set_hard_memory_available_master:ste:1"/>
+        </ind:yamlfilecontent_test>
+        <unix:file_test id="oval:ssg-test_file_for_kubelet_eviction_thresholds_set_hard_memory_available_master:tst:1" check="all" check_existence="only_one_exists" comment="Find the file to be checked ('/kubeletconfig/role')." version="1">
+          <unix:object object_ref="oval:ssg-object_file_for_kubelet_eviction_thresholds_set_hard_memory_available_master:obj:1"/>
+        </unix:file_test>
+        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_eviction_thresholds_set_hard_memory_available_worker:tst:1" check="all" check_existence="all_exist" comment="In the file '/kubeletconfig/role' find only one object at path '.evictionHard['memory.available']'." version="1">
           <ind:object object_ref="oval:ssg-object_kubelet_eviction_thresholds_set_hard_memory_available_worker:obj:1"/>
           <ind:state state_ref="oval:ssg-state_kubelet_eviction_thresholds_set_hard_memory_available_worker:ste:1"/>
         </ind:yamlfilecontent_test>
-        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_eviction_thresholds_set_hard_nodefs_available_worker:tst:1" check="all" check_existence="only_one_exists" comment="In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.evictionHard['nodefs.available']'." version="1">
+        <unix:file_test id="oval:ssg-test_file_for_kubelet_eviction_thresholds_set_hard_memory_available_worker:tst:1" check="all" check_existence="only_one_exists" comment="Find the file to be checked ('/kubeletconfig/role')." version="1">
+          <unix:object object_ref="oval:ssg-object_file_for_kubelet_eviction_thresholds_set_hard_memory_available_worker:obj:1"/>
+        </unix:file_test>
+        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_eviction_thresholds_set_hard_nodefs_available_deprecated:tst:1" check="all" check_existence="only_one_exists" comment="In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.evictionHard['nodefs.available']'." version="1">
+          <ind:object object_ref="oval:ssg-object_kubelet_eviction_thresholds_set_hard_nodefs_available_deprecated:obj:1"/>
+          <ind:state state_ref="oval:ssg-state_kubelet_eviction_thresholds_set_hard_nodefs_available_deprecated:ste:1"/>
+        </ind:yamlfilecontent_test>
+        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_eviction_thresholds_set_hard_nodefs_available_master:tst:1" check="all" check_existence="all_exist" comment="In the file '/kubeletconfig/role' find only one object at path '.evictionHard['nodefs.available']'." version="1">
+          <ind:object object_ref="oval:ssg-object_kubelet_eviction_thresholds_set_hard_nodefs_available_master:obj:1"/>
+          <ind:state state_ref="oval:ssg-state_kubelet_eviction_thresholds_set_hard_nodefs_available_master:ste:1"/>
+        </ind:yamlfilecontent_test>
+        <unix:file_test id="oval:ssg-test_file_for_kubelet_eviction_thresholds_set_hard_nodefs_available_master:tst:1" check="all" check_existence="only_one_exists" comment="Find the file to be checked ('/kubeletconfig/role')." version="1">
+          <unix:object object_ref="oval:ssg-object_file_for_kubelet_eviction_thresholds_set_hard_nodefs_available_master:obj:1"/>
+        </unix:file_test>
+        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_eviction_thresholds_set_hard_nodefs_available_worker:tst:1" check="all" check_existence="all_exist" comment="In the file '/kubeletconfig/role' find only one object at path '.evictionHard['nodefs.available']'." version="1">
           <ind:object object_ref="oval:ssg-object_kubelet_eviction_thresholds_set_hard_nodefs_available_worker:obj:1"/>
           <ind:state state_ref="oval:ssg-state_kubelet_eviction_thresholds_set_hard_nodefs_available_worker:ste:1"/>
         </ind:yamlfilecontent_test>
-        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_worker:tst:1" check="all" check_existence="only_one_exists" comment="In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.evictionHard['nodefs.inodesFree']'." version="1">
+        <unix:file_test id="oval:ssg-test_file_for_kubelet_eviction_thresholds_set_hard_nodefs_available_worker:tst:1" check="all" check_existence="only_one_exists" comment="Find the file to be checked ('/kubeletconfig/role')." version="1">
+          <unix:object object_ref="oval:ssg-object_file_for_kubelet_eviction_thresholds_set_hard_nodefs_available_worker:obj:1"/>
+        </unix:file_test>
+        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_deprecated:tst:1" check="all" check_existence="only_one_exists" comment="In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.evictionHard['nodefs.inodesFree']'." version="1">
+          <ind:object object_ref="oval:ssg-object_kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_deprecated:obj:1"/>
+          <ind:state state_ref="oval:ssg-state_kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_deprecated:ste:1"/>
+        </ind:yamlfilecontent_test>
+        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_master:tst:1" check="all" check_existence="all_exist" comment="In the file '/kubeletconfig/role' find only one object at path '.evictionHard['nodefs.inodesFree']'." version="1">
+          <ind:object object_ref="oval:ssg-object_kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_master:obj:1"/>
+          <ind:state state_ref="oval:ssg-state_kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_master:ste:1"/>
+        </ind:yamlfilecontent_test>
+        <unix:file_test id="oval:ssg-test_file_for_kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_master:tst:1" check="all" check_existence="only_one_exists" comment="Find the file to be checked ('/kubeletconfig/role')." version="1">
+          <unix:object object_ref="oval:ssg-object_file_for_kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_master:obj:1"/>
+        </unix:file_test>
+        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_worker:tst:1" check="all" check_existence="all_exist" comment="In the file '/kubeletconfig/role' find only one object at path '.evictionHard['nodefs.inodesFree']'." version="1">
           <ind:object object_ref="oval:ssg-object_kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_worker:obj:1"/>
           <ind:state state_ref="oval:ssg-state_kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_worker:ste:1"/>
         </ind:yamlfilecontent_test>
-        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_eviction_thresholds_set_soft_imagefs_available_worker:tst:1" check="all" check_existence="only_one_exists" comment="In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.evictionSoft['imagefs.available']'." version="1">
+        <unix:file_test id="oval:ssg-test_file_for_kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_worker:tst:1" check="all" check_existence="only_one_exists" comment="Find the file to be checked ('/kubeletconfig/role')." version="1">
+          <unix:object object_ref="oval:ssg-object_file_for_kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_worker:obj:1"/>
+        </unix:file_test>
+        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_eviction_thresholds_set_soft_imagefs_available_deprecated:tst:1" check="all" check_existence="only_one_exists" comment="In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.evictionSoft['imagefs.available']'." version="1">
+          <ind:object object_ref="oval:ssg-object_kubelet_eviction_thresholds_set_soft_imagefs_available_deprecated:obj:1"/>
+          <ind:state state_ref="oval:ssg-state_kubelet_eviction_thresholds_set_soft_imagefs_available_deprecated:ste:1"/>
+        </ind:yamlfilecontent_test>
+        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_eviction_thresholds_set_soft_imagefs_available_master:tst:1" check="all" check_existence="all_exist" comment="In the file '/kubeletconfig/role' find only one object at path '.evictionSoft['imagefs.available']'." version="1">
+          <ind:object object_ref="oval:ssg-object_kubelet_eviction_thresholds_set_soft_imagefs_available_master:obj:1"/>
+          <ind:state state_ref="oval:ssg-state_kubelet_eviction_thresholds_set_soft_imagefs_available_master:ste:1"/>
+        </ind:yamlfilecontent_test>
+        <unix:file_test id="oval:ssg-test_file_for_kubelet_eviction_thresholds_set_soft_imagefs_available_master:tst:1" check="all" check_existence="only_one_exists" comment="Find the file to be checked ('/kubeletconfig/role')." version="1">
+          <unix:object object_ref="oval:ssg-object_file_for_kubelet_eviction_thresholds_set_soft_imagefs_available_master:obj:1"/>
+        </unix:file_test>
+        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_eviction_thresholds_set_soft_imagefs_available_worker:tst:1" check="all" check_existence="all_exist" comment="In the file '/kubeletconfig/role' find only one object at path '.evictionSoft['imagefs.available']'." version="1">
           <ind:object object_ref="oval:ssg-object_kubelet_eviction_thresholds_set_soft_imagefs_available_worker:obj:1"/>
           <ind:state state_ref="oval:ssg-state_kubelet_eviction_thresholds_set_soft_imagefs_available_worker:ste:1"/>
         </ind:yamlfilecontent_test>
-        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_worker:tst:1" check="all" check_existence="only_one_exists" comment="In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.evictionSoft['imagefs.inodesFree']'." version="1">
+        <unix:file_test id="oval:ssg-test_file_for_kubelet_eviction_thresholds_set_soft_imagefs_available_worker:tst:1" check="all" check_existence="only_one_exists" comment="Find the file to be checked ('/kubeletconfig/role')." version="1">
+          <unix:object object_ref="oval:ssg-object_file_for_kubelet_eviction_thresholds_set_soft_imagefs_available_worker:obj:1"/>
+        </unix:file_test>
+        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_deprecated:tst:1" check="all" check_existence="only_one_exists" comment="In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.evictionSoft['imagefs.inodesFree']'." version="1">
+          <ind:object object_ref="oval:ssg-object_kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_deprecated:obj:1"/>
+          <ind:state state_ref="oval:ssg-state_kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_deprecated:ste:1"/>
+        </ind:yamlfilecontent_test>
+        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_master:tst:1" check="all" check_existence="all_exist" comment="In the file '/kubeletconfig/role' find only one object at path '.evictionSoft['imagefs.inodesFree']'." version="1">
+          <ind:object object_ref="oval:ssg-object_kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_master:obj:1"/>
+          <ind:state state_ref="oval:ssg-state_kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_master:ste:1"/>
+        </ind:yamlfilecontent_test>
+        <unix:file_test id="oval:ssg-test_file_for_kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_master:tst:1" check="all" check_existence="only_one_exists" comment="Find the file to be checked ('/kubeletconfig/role')." version="1">
+          <unix:object object_ref="oval:ssg-object_file_for_kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_master:obj:1"/>
+        </unix:file_test>
+        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_worker:tst:1" check="all" check_existence="all_exist" comment="In the file '/kubeletconfig/role' find only one object at path '.evictionSoft['imagefs.inodesFree']'." version="1">
           <ind:object object_ref="oval:ssg-object_kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_worker:obj:1"/>
           <ind:state state_ref="oval:ssg-state_kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_worker:ste:1"/>
         </ind:yamlfilecontent_test>
-        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_eviction_thresholds_set_soft_memory_available_worker:tst:1" check="all" check_existence="only_one_exists" comment="In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.evictionSoft['memory.available']'." version="1">
+        <unix:file_test id="oval:ssg-test_file_for_kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_worker:tst:1" check="all" check_existence="only_one_exists" comment="Find the file to be checked ('/kubeletconfig/role')." version="1">
+          <unix:object object_ref="oval:ssg-object_file_for_kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_worker:obj:1"/>
+        </unix:file_test>
+        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_eviction_thresholds_set_soft_memory_available_deprecated:tst:1" check="all" check_existence="only_one_exists" comment="In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.evictionSoft['memory.available']'." version="1">
+          <ind:object object_ref="oval:ssg-object_kubelet_eviction_thresholds_set_soft_memory_available_deprecated:obj:1"/>
+          <ind:state state_ref="oval:ssg-state_kubelet_eviction_thresholds_set_soft_memory_available_deprecated:ste:1"/>
+        </ind:yamlfilecontent_test>
+        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_eviction_thresholds_set_soft_memory_available_master:tst:1" check="all" check_existence="all_exist" comment="In the file '/kubeletconfig/role' find only one object at path '.evictionSoft['memory.available']'." version="1">
+          <ind:object object_ref="oval:ssg-object_kubelet_eviction_thresholds_set_soft_memory_available_master:obj:1"/>
+          <ind:state state_ref="oval:ssg-state_kubelet_eviction_thresholds_set_soft_memory_available_master:ste:1"/>
+        </ind:yamlfilecontent_test>
+        <unix:file_test id="oval:ssg-test_file_for_kubelet_eviction_thresholds_set_soft_memory_available_master:tst:1" check="all" check_existence="only_one_exists" comment="Find the file to be checked ('/kubeletconfig/role')." version="1">
+          <unix:object object_ref="oval:ssg-object_file_for_kubelet_eviction_thresholds_set_soft_memory_available_master:obj:1"/>
+        </unix:file_test>
+        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_eviction_thresholds_set_soft_memory_available_worker:tst:1" check="all" check_existence="all_exist" comment="In the file '/kubeletconfig/role' find only one object at path '.evictionSoft['memory.available']'." version="1">
           <ind:object object_ref="oval:ssg-object_kubelet_eviction_thresholds_set_soft_memory_available_worker:obj:1"/>
           <ind:state state_ref="oval:ssg-state_kubelet_eviction_thresholds_set_soft_memory_available_worker:ste:1"/>
         </ind:yamlfilecontent_test>
-        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_eviction_thresholds_set_soft_nodefs_available_worker:tst:1" check="all" check_existence="only_one_exists" comment="In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.evictionSoft['nodefs.available']'." version="1">
+        <unix:file_test id="oval:ssg-test_file_for_kubelet_eviction_thresholds_set_soft_memory_available_worker:tst:1" check="all" check_existence="only_one_exists" comment="Find the file to be checked ('/kubeletconfig/role')." version="1">
+          <unix:object object_ref="oval:ssg-object_file_for_kubelet_eviction_thresholds_set_soft_memory_available_worker:obj:1"/>
+        </unix:file_test>
+        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_eviction_thresholds_set_soft_nodefs_available_deprecated:tst:1" check="all" check_existence="only_one_exists" comment="In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.evictionSoft['nodefs.available']'." version="1">
+          <ind:object object_ref="oval:ssg-object_kubelet_eviction_thresholds_set_soft_nodefs_available_deprecated:obj:1"/>
+          <ind:state state_ref="oval:ssg-state_kubelet_eviction_thresholds_set_soft_nodefs_available_deprecated:ste:1"/>
+        </ind:yamlfilecontent_test>
+        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_eviction_thresholds_set_soft_nodefs_available_master:tst:1" check="all" check_existence="all_exist" comment="In the file '/kubeletconfig/role' find only one object at path '.evictionSoft['nodefs.available']'." version="1">
+          <ind:object object_ref="oval:ssg-object_kubelet_eviction_thresholds_set_soft_nodefs_available_master:obj:1"/>
+          <ind:state state_ref="oval:ssg-state_kubelet_eviction_thresholds_set_soft_nodefs_available_master:ste:1"/>
+        </ind:yamlfilecontent_test>
+        <unix:file_test id="oval:ssg-test_file_for_kubelet_eviction_thresholds_set_soft_nodefs_available_master:tst:1" check="all" check_existence="only_one_exists" comment="Find the file to be checked ('/kubeletconfig/role')." version="1">
+          <unix:object object_ref="oval:ssg-object_file_for_kubelet_eviction_thresholds_set_soft_nodefs_available_master:obj:1"/>
+        </unix:file_test>
+        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_eviction_thresholds_set_soft_nodefs_available_worker:tst:1" check="all" check_existence="all_exist" comment="In the file '/kubeletconfig/role' find only one object at path '.evictionSoft['nodefs.available']'." version="1">
           <ind:object object_ref="oval:ssg-object_kubelet_eviction_thresholds_set_soft_nodefs_available_worker:obj:1"/>
           <ind:state state_ref="oval:ssg-state_kubelet_eviction_thresholds_set_soft_nodefs_available_worker:ste:1"/>
         </ind:yamlfilecontent_test>
-        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_worker:tst:1" check="all" check_existence="only_one_exists" comment="In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.evictionSoft['nodefs.inodesFree']'." version="1">
+        <unix:file_test id="oval:ssg-test_file_for_kubelet_eviction_thresholds_set_soft_nodefs_available_worker:tst:1" check="all" check_existence="only_one_exists" comment="Find the file to be checked ('/kubeletconfig/role')." version="1">
+          <unix:object object_ref="oval:ssg-object_file_for_kubelet_eviction_thresholds_set_soft_nodefs_available_worker:obj:1"/>
+        </unix:file_test>
+        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_deprecated:tst:1" check="all" check_existence="only_one_exists" comment="In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.evictionSoft['nodefs.inodesFree']'." version="1">
+          <ind:object object_ref="oval:ssg-object_kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_deprecated:obj:1"/>
+          <ind:state state_ref="oval:ssg-state_kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_deprecated:ste:1"/>
+        </ind:yamlfilecontent_test>
+        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_master:tst:1" check="all" check_existence="all_exist" comment="In the file '/kubeletconfig/role' find only one object at path '.evictionSoft['nodefs.inodesFree']'." version="1">
+          <ind:object object_ref="oval:ssg-object_kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_master:obj:1"/>
+          <ind:state state_ref="oval:ssg-state_kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_master:ste:1"/>
+        </ind:yamlfilecontent_test>
+        <unix:file_test id="oval:ssg-test_file_for_kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_master:tst:1" check="all" check_existence="only_one_exists" comment="Find the file to be checked ('/kubeletconfig/role')." version="1">
+          <unix:object object_ref="oval:ssg-object_file_for_kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_master:obj:1"/>
+        </unix:file_test>
+        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_worker:tst:1" check="all" check_existence="all_exist" comment="In the file '/kubeletconfig/role' find only one object at path '.evictionSoft['nodefs.inodesFree']'." version="1">
           <ind:object object_ref="oval:ssg-object_kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_worker:obj:1"/>
           <ind:state state_ref="oval:ssg-state_kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_worker:ste:1"/>
         </ind:yamlfilecontent_test>
-        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_read_only_port_secured_worker:tst:1" check="all" check_existence="only_one_exists" comment="In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.readOnlyPort'." version="1">
+        <unix:file_test id="oval:ssg-test_file_for_kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_worker:tst:1" check="all" check_existence="only_one_exists" comment="Find the file to be checked ('/kubeletconfig/role')." version="1">
+          <unix:object object_ref="oval:ssg-object_file_for_kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_worker:obj:1"/>
+        </unix:file_test>
+        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_read_only_port_secured_deprecated:tst:1" check="all" check_existence="only_one_exists" comment="In the file '/etc/kubernetes/kubelet.conf' find only one object at path '.readOnlyPort'." version="1">
+          <ind:object object_ref="oval:ssg-object_kubelet_read_only_port_secured_deprecated:obj:1"/>
+          <ind:state state_ref="oval:ssg-state_kubelet_read_only_port_secured_deprecated:ste:1"/>
+        </ind:yamlfilecontent_test>
+        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_read_only_port_secured_master:tst:1" check="all" check_existence="only_one_exists" comment="In the file '/kubeletconfig/role' find only one object at path '.readOnlyPort'." version="1">
+          <ind:object object_ref="oval:ssg-object_kubelet_read_only_port_secured_master:obj:1"/>
+          <ind:state state_ref="oval:ssg-state_kubelet_read_only_port_secured_master:ste:1"/>
+        </ind:yamlfilecontent_test>
+        <unix:file_test id="oval:ssg-test_file_for_kubelet_read_only_port_secured_master:tst:1" check="all" check_existence="only_one_exists" comment="Find the file to be checked ('/kubeletconfig/role')." version="1">
+          <unix:object object_ref="oval:ssg-object_file_for_kubelet_read_only_port_secured_master:obj:1"/>
+        </unix:file_test>
+        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_read_only_port_secured_worker:tst:1" check="all" check_existence="only_one_exists" comment="In the file '/kubeletconfig/role' find only one object at path '.readOnlyPort'." version="1">
           <ind:object object_ref="oval:ssg-object_kubelet_read_only_port_secured_worker:obj:1"/>
           <ind:state state_ref="oval:ssg-state_kubelet_read_only_port_secured_worker:ste:1"/>
         </ind:yamlfilecontent_test>
-        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_test:tst:1" check="all" check_existence="only_one_exists" comment="In the file '/kubeletconfig/role' find only one object at path '.enableServer'." version="1">
-          <ind:object object_ref="oval:ssg-object_kubelet_test:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_kubelet_test:ste:1"/>
+        <unix:file_test id="oval:ssg-test_file_for_kubelet_read_only_port_secured_worker:tst:1" check="all" check_existence="only_one_exists" comment="Find the file to be checked ('/kubeletconfig/role')." version="1">
+          <unix:object object_ref="oval:ssg-object_file_for_kubelet_read_only_port_secured_worker:obj:1"/>
+        </unix:file_test>
+        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_test_cipher_master:tst:1" check="all" check_existence="only_one_exists" comment="In the file '/kubeletconfig/role' find only one object at path '.tlsCipherSuites[:]'." version="1">
+          <ind:object object_ref="oval:ssg-object_kubelet_test_cipher_master:obj:1"/>
+          <ind:state state_ref="oval:ssg-state_kubelet_test_cipher_master:ste:1"/>
         </ind:yamlfilecontent_test>
-        <unix:file_test id="oval:ssg-test_file_for_kubelet_test:tst:1" check="all" check_existence="only_one_exists" comment="Find the file to be checked ('/kubeletconfig/role')." version="1">
-          <unix:object object_ref="oval:ssg-object_file_for_kubelet_test:obj:1"/>
+        <unix:file_test id="oval:ssg-test_file_for_kubelet_test_cipher_master:tst:1" check="all" check_existence="only_one_exists" comment="Find the file to be checked ('/kubeletconfig/role')." version="1">
+          <unix:object object_ref="oval:ssg-object_file_for_kubelet_test_cipher_master:obj:1"/>
         </unix:file_test>
-        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_test_cipher:tst:1" check="all" check_existence="only_one_exists" comment="In the file '/kubeletconfig/role' find only one object at path '.tlsCipherSuites[:]'." version="1">
-          <ind:object object_ref="oval:ssg-object_kubelet_test_cipher:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_kubelet_test_cipher:ste:1"/>
+        <ind:yamlfilecontent_test id="oval:ssg-test_kubelet_test_cipher_worker:tst:1" check="all" check_existence="only_one_exists" comment="In the file '/kubeletconfig/role' find only one object at path '.tlsCipherSuites[:]'." version="1">
+          <ind:object object_ref="oval:ssg-object_kubelet_test_cipher_worker:obj:1"/>
+          <ind:state state_ref="oval:ssg-state_kubelet_test_cipher_worker:ste:1"/>
         </ind:yamlfilecontent_test>
-        <unix:file_test id="oval:ssg-test_file_for_kubelet_test_cipher:tst:1" check="all" check_existence="only_one_exists" comment="Find the file to be checked ('/kubeletconfig/role')." version="1">
-          <unix:object object_ref="oval:ssg-object_file_for_kubelet_test_cipher:obj:1"/>
+        <unix:file_test id="oval:ssg-test_file_for_kubelet_test_cipher_worker:tst:1" check="all" check_existence="only_one_exists" comment="Find the file to be checked ('/kubeletconfig/role')." version="1">
+          <unix:object object_ref="oval:ssg-object_file_for_kubelet_test_cipher_worker:obj:1"/>
         </unix:file_test>
-        <ind:yamlfilecontent_test id="oval:ssg-test_luks_enabled_on_all_nodes:tst:1" check="all" check_existence="all_exist" comment="In the file '/apis/machineconfiguration.openshift.io/v1/machineconfigs#136fe907b51dc9ea5011707799731b533561dab4b043f086f36c0b5c9c288414' find only one object at path '[:]'." version="1">
+        <ind:yamlfilecontent_test id="oval:ssg-test_luks_enabled_on_all_nodes:tst:1" check="all" check_existence="all_exist" comment="In the file '/apis/machineconfiguration.openshift.io/v1/machineconfigs#9fab597988075d76a1c081cdc533f05623251a854b9936a08ae52cca5fc5a311' find only one object at path '[:]'." version="1">
           <ind:object object_ref="oval:ssg-object_luks_enabled_on_all_nodes:obj:1"/>
           <ind:state state_ref="oval:ssg-state_luks_enabled_on_all_nodes:ste:1"/>
         </ind:yamlfilecontent_test>
-        <unix:file_test id="oval:ssg-test_file_for_luks_enabled_on_all_nodes:tst:1" check="all" check_existence="only_one_exists" comment="Find the file to be checked ('/apis/machineconfiguration.openshift.io/v1/machineconfigs#136fe907b51dc9ea5011707799731b533561dab4b043f086f36c0b5c9c288414')." version="1">
+        <unix:file_test id="oval:ssg-test_file_for_luks_enabled_on_all_nodes:tst:1" check="all" check_existence="only_one_exists" comment="Find the file to be checked ('/apis/machineconfiguration.openshift.io/v1/machineconfigs#9fab597988075d76a1c081cdc533f05623251a854b9936a08ae52cca5fc5a311')." version="1">
           <unix:object object_ref="oval:ssg-object_file_for_luks_enabled_on_all_nodes:obj:1"/>
         </unix:file_test>
         <ind:yamlfilecontent_test id="oval:ssg-test_oauth_inactivity_timeout:tst:1" check="all" check_existence="only_one_exists" comment="In the file '/apis/config.openshift.io/v1/oauths/cluster' find only one object at path '.spec.tokenConfig.accessTokenInactivityTimeout'." version="1">
@@ -22633,9 +27115,6 @@ critical for OpenShift security.</xccdf-1.2:rationale>
         <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check Debian version" id="oval:ssg-test_debian_11:tst:1" version="1">
           <ind:object object_ref="oval:ssg-obj_debian_11:obj:1"/>
         </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check Debian version" id="oval:ssg-test_debian_9:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_debian_9:obj:1"/>
-        </ind:textfilecontent54_test>
         <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="fedora-release RPM packages are installed" id="oval:ssg-test_fedora_release_rpm:tst:1" version="1">
           <linux:object object_ref="oval:ssg-object_fedora_release_rpm:obj:1"/>
         </linux:rpminfo_test>
@@ -22825,6 +27304,9 @@ critical for OpenShift security.</xccdf-1.2:rationale>
         <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check Ubuntu version" id="oval:ssg-test_ubuntu_focal:tst:1" version="1">
           <ind:object object_ref="oval:ssg-obj_ubuntu_focal:obj:1"/>
         </ind:textfilecontent54_test>
+        <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check Ubuntu version" id="oval:ssg-test_ubuntu_jammy:tst:1" version="1">
+          <ind:object object_ref="oval:ssg-obj_ubuntu_jammy:obj:1"/>
+        </ind:textfilecontent54_test>
         <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="uos-release is version 20" id="oval:ssg-test_uos20:tst:1" version="1">
           <linux:object object_ref="oval:ssg-obj_uos20:obj:1"/>
           <linux:state state_ref="oval:ssg-state_uos20:ste:1"/>
@@ -23017,11 +27499,17 @@ critical for OpenShift security.</xccdf-1.2:rationale>
         <unix:file_test check="all" check_existence="all_exist" comment="Check if /run/.containerenv exists" id="oval:ssg-test_installed_env_is_a_podman_container:tst:1" version="1">
           <unix:object object_ref="oval:ssg-object_installed_env_is_a_podman_container:obj:1"/>
         </unix:file_test>
+        <linux:partition_test check="all" check_existence="all_exist" comment="Partition /tmp exists" id="oval:ssg-test_partition_tmp_exists:tst:1" version="1">
+          <linux:object object_ref="oval:ssg-object_partition_tmp_exists:obj:1"/>
+        </linux:partition_test>
+        <linux:partition_test check="all" check_existence="all_exist" comment="Partition /var/tmp exists" id="oval:ssg-test_partition_var_tmp_exists:tst:1" version="1">
+          <linux:object object_ref="oval:ssg-object_partition_var_tmp_exists:obj:1"/>
+        </linux:partition_test>
         <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="Kerberos server version is lesser than 1.17-18" id="oval:ssg-test_krb5_server_version_1_17_18:tst:1" version="1">
           <linux:object object_ref="oval:ssg-obj_krb5_server_version_1_17_18:obj:1"/>
           <linux:state state_ref="oval:ssg-state_krb5_server_version_1_17_18:ste:1"/>
         </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="Kerberos workstaton version is lesser than 1.17-18" id="oval:ssg-test_krb5_workstation_version_1_17_18:tst:1" version="1">
+        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="Kerberos workstation version is lesser than 1.17-18" id="oval:ssg-test_krb5_workstation_version_1_17_18:tst:1" version="1">
           <linux:object object_ref="oval:ssg-obj_krb5_workstation_version_1_17_18:obj:1"/>
           <linux:state state_ref="oval:ssg-state_krb5_workstation_version_1_17_18:ste:1"/>
         </linux:rpminfo_test>
@@ -23332,6 +27820,9 @@ critical for OpenShift security.</xccdf-1.2:rationale>
           <ind:filepath var_ref="oval:ssg-api_server_basic_auth_file_location:var:1"/>
           <ind:yamlpath>.apiServerArguments[:]</ind:yamlpath>
         </ind:yamlfilecontent_object>
+        <ind:variable_object id="oval:ssg-variable_object_api_server_bind_address:obj:1" version="1">
+          <ind:var_ref>oval:ssg-local_variable_api_server_bind_address:var:1</ind:var_ref>
+        </ind:variable_object>
         <unix:file_object id="oval:ssg-object_file_for_api_server_bind_address:obj:1" version="1">
           <unix:filepath var_ref="oval:ssg-api_server_bind_address_file_location:var:1"/>
         </unix:file_object>
@@ -24250,13 +28741,6 @@ critical for OpenShift security.</xccdf-1.2:rationale>
           <oval-def:filter action="exclude">oval:ssg-exclude_symlinks_file_perms_openshift_sdn_cniserver_config:ste:1</oval-def:filter>
           <oval-def:filter action="exclude">oval:ssg-state_file_permissionsfile_perms_openshift_sdn_cniserver_config_0_mode_0444or_stricter_:ste:1</oval-def:filter>
         </unix:file_object>
-        <unix:file_object id="oval:ssg-object_file_for_fips_mode_enabled:obj:1" version="1">
-          <unix:filepath var_ref="oval:ssg-fips_mode_enabled_file_location:var:1"/>
-        </unix:file_object>
-        <ind:yamlfilecontent_object id="oval:ssg-object_fips_mode_enabled:obj:1" version="1">
-          <ind:filepath var_ref="oval:ssg-fips_mode_enabled_file_location:var:1"/>
-          <ind:yamlpath>.spec.fips</ind:yamlpath>
-        </ind:yamlfilecontent_object>
         <unix:file_object id="oval:ssg-object_file_for_fips_mode_enabled_on_all_nodes:obj:1" version="1">
           <unix:filepath var_ref="oval:ssg-fips_mode_enabled_on_all_nodes_file_location:var:1"/>
         </unix:file_object>
@@ -24307,6 +28791,20 @@ critical for OpenShift security.</xccdf-1.2:rationale>
         <unix:file_object id="oval:ssg-object_file_for_kubeadmin_removed:obj:1" version="1">
           <unix:filepath var_ref="oval:ssg-kubeadmin_removed_file_location:var:1"/>
         </unix:file_object>
+        <unix:file_object id="oval:ssg-object_file_for_kubelet_anonymous_auth_deprecated:obj:1" version="1">
+          <unix:filepath var_ref="oval:ssg-kubelet_anonymous_auth_deprecated_file_location:var:1"/>
+        </unix:file_object>
+        <ind:yamlfilecontent_object id="oval:ssg-object_kubelet_anonymous_auth_deprecated:obj:1" version="1">
+          <ind:filepath var_ref="oval:ssg-kubelet_anonymous_auth_deprecated_file_location:var:1"/>
+          <ind:yamlpath>.authentication.anonymous.enabled</ind:yamlpath>
+        </ind:yamlfilecontent_object>
+        <unix:file_object id="oval:ssg-object_file_for_kubelet_anonymous_auth_master:obj:1" version="1">
+          <unix:filepath var_ref="oval:ssg-kubelet_anonymous_auth_master_file_location:var:1"/>
+        </unix:file_object>
+        <ind:yamlfilecontent_object id="oval:ssg-object_kubelet_anonymous_auth_master:obj:1" version="1">
+          <ind:filepath var_ref="oval:ssg-kubelet_anonymous_auth_master_file_location:var:1"/>
+          <ind:yamlpath>.authentication.anonymous.enabled</ind:yamlpath>
+        </ind:yamlfilecontent_object>
         <unix:file_object id="oval:ssg-object_file_for_kubelet_anonymous_auth_worker:obj:1" version="1">
           <unix:filepath var_ref="oval:ssg-kubelet_anonymous_auth_worker_file_location:var:1"/>
         </unix:file_object>
@@ -24314,6 +28812,20 @@ critical for OpenShift security.</xccdf-1.2:rationale>
           <ind:filepath var_ref="oval:ssg-kubelet_anonymous_auth_worker_file_location:var:1"/>
           <ind:yamlpath>.authentication.anonymous.enabled</ind:yamlpath>
         </ind:yamlfilecontent_object>
+        <unix:file_object id="oval:ssg-object_file_for_kubelet_authorization_mode_deprecated:obj:1" version="1">
+          <unix:filepath var_ref="oval:ssg-kubelet_authorization_mode_deprecated_file_location:var:1"/>
+        </unix:file_object>
+        <ind:yamlfilecontent_object id="oval:ssg-object_kubelet_authorization_mode_deprecated:obj:1" version="1">
+          <ind:filepath var_ref="oval:ssg-kubelet_authorization_mode_deprecated_file_location:var:1"/>
+          <ind:yamlpath>.authorization.mode</ind:yamlpath>
+        </ind:yamlfilecontent_object>
+        <unix:file_object id="oval:ssg-object_file_for_kubelet_authorization_mode_master:obj:1" version="1">
+          <unix:filepath var_ref="oval:ssg-kubelet_authorization_mode_master_file_location:var:1"/>
+        </unix:file_object>
+        <ind:yamlfilecontent_object id="oval:ssg-object_kubelet_authorization_mode_master:obj:1" version="1">
+          <ind:filepath var_ref="oval:ssg-kubelet_authorization_mode_master_file_location:var:1"/>
+          <ind:yamlpath>.authorization.mode</ind:yamlpath>
+        </ind:yamlfilecontent_object>
         <unix:file_object id="oval:ssg-object_file_for_kubelet_authorization_mode_worker:obj:1" version="1">
           <unix:filepath var_ref="oval:ssg-kubelet_authorization_mode_worker_file_location:var:1"/>
         </unix:file_object>
@@ -24321,6 +28833,20 @@ critical for OpenShift security.</xccdf-1.2:rationale>
           <ind:filepath var_ref="oval:ssg-kubelet_authorization_mode_worker_file_location:var:1"/>
           <ind:yamlpath>.authorization.mode</ind:yamlpath>
         </ind:yamlfilecontent_object>
+        <unix:file_object id="oval:ssg-object_file_for_kubelet_configure_client_ca_deprecated:obj:1" version="1">
+          <unix:filepath var_ref="oval:ssg-kubelet_configure_client_ca_deprecated_file_location:var:1"/>
+        </unix:file_object>
+        <ind:yamlfilecontent_object id="oval:ssg-object_kubelet_configure_client_ca_deprecated:obj:1" version="1">
+          <ind:filepath var_ref="oval:ssg-kubelet_configure_client_ca_deprecated_file_location:var:1"/>
+          <ind:yamlpath>.authentication.x509.clientCAFile</ind:yamlpath>
+        </ind:yamlfilecontent_object>
+        <unix:file_object id="oval:ssg-object_file_for_kubelet_configure_client_ca_master:obj:1" version="1">
+          <unix:filepath var_ref="oval:ssg-kubelet_configure_client_ca_master_file_location:var:1"/>
+        </unix:file_object>
+        <ind:yamlfilecontent_object id="oval:ssg-object_kubelet_configure_client_ca_master:obj:1" version="1">
+          <ind:filepath var_ref="oval:ssg-kubelet_configure_client_ca_master_file_location:var:1"/>
+          <ind:yamlpath>.authentication.x509.clientCAFile</ind:yamlpath>
+        </ind:yamlfilecontent_object>
         <unix:file_object id="oval:ssg-object_file_for_kubelet_configure_client_ca_worker:obj:1" version="1">
           <unix:filepath var_ref="oval:ssg-kubelet_configure_client_ca_worker_file_location:var:1"/>
         </unix:file_object>
@@ -24328,6 +28854,20 @@ critical for OpenShift security.</xccdf-1.2:rationale>
           <ind:filepath var_ref="oval:ssg-kubelet_configure_client_ca_worker_file_location:var:1"/>
           <ind:yamlpath>.authentication.x509.clientCAFile</ind:yamlpath>
         </ind:yamlfilecontent_object>
+        <unix:file_object id="oval:ssg-object_file_for_kubelet_configure_event_creation_deprecated:obj:1" version="1">
+          <unix:filepath var_ref="oval:ssg-kubelet_configure_event_creation_deprecated_file_location:var:1"/>
+        </unix:file_object>
+        <ind:yamlfilecontent_object id="oval:ssg-object_kubelet_configure_event_creation_deprecated:obj:1" version="1">
+          <ind:filepath var_ref="oval:ssg-kubelet_configure_event_creation_deprecated_file_location:var:1"/>
+          <ind:yamlpath>.eventRecordQPS</ind:yamlpath>
+        </ind:yamlfilecontent_object>
+        <unix:file_object id="oval:ssg-object_file_for_kubelet_configure_event_creation_master:obj:1" version="1">
+          <unix:filepath var_ref="oval:ssg-kubelet_configure_event_creation_master_file_location:var:1"/>
+        </unix:file_object>
+        <ind:yamlfilecontent_object id="oval:ssg-object_kubelet_configure_event_creation_master:obj:1" version="1">
+          <ind:filepath var_ref="oval:ssg-kubelet_configure_event_creation_master_file_location:var:1"/>
+          <ind:yamlpath>.eventRecordQPS</ind:yamlpath>
+        </ind:yamlfilecontent_object>
         <unix:file_object id="oval:ssg-object_file_for_kubelet_configure_event_creation_worker:obj:1" version="1">
           <unix:filepath var_ref="oval:ssg-kubelet_configure_event_creation_worker_file_location:var:1"/>
         </unix:file_object>
@@ -24352,6 +28892,13 @@ critical for OpenShift security.</xccdf-1.2:rationale>
           <ind:filepath var_ref="oval:ssg-kubelet_configure_tls_cert_pre_4_9_file_location:var:1"/>
           <ind:yamlpath>.data['config.yaml']</ind:yamlpath>
         </ind:yamlfilecontent_object>
+        <unix:file_object id="oval:ssg-object_file_for_kubelet_configure_tls_cipher_suites_deprecated:obj:1" version="1">
+          <unix:filepath var_ref="oval:ssg-kubelet_configure_tls_cipher_suites_deprecated_file_location:var:1"/>
+        </unix:file_object>
+        <ind:yamlfilecontent_object id="oval:ssg-object_kubelet_configure_tls_cipher_suites_deprecated:obj:1" version="1">
+          <ind:filepath var_ref="oval:ssg-kubelet_configure_tls_cipher_suites_deprecated_file_location:var:1"/>
+          <ind:yamlpath>.tlsCipherSuites[:]</ind:yamlpath>
+        </ind:yamlfilecontent_object>
         <unix:file_object id="oval:ssg-object_file_for_kubelet_configure_tls_cipher_suites_ingresscontroller:obj:1" version="1">
           <unix:filepath var_ref="oval:ssg-kubelet_configure_tls_cipher_suites_ingresscontroller_file_location:var:1"/>
         </unix:file_object>
@@ -24366,6 +28913,13 @@ critical for OpenShift security.</xccdf-1.2:rationale>
           <ind:filepath var_ref="oval:ssg-kubelet_configure_tls_cipher_suites_kubeapiserver_operator_file_location:var:1"/>
           <ind:yamlpath>.spec.unsupportedConfigOverrides.servingInfo.cipherSuites[:]</ind:yamlpath>
         </ind:yamlfilecontent_object>
+        <unix:file_object id="oval:ssg-object_file_for_kubelet_configure_tls_cipher_suites_master:obj:1" version="1">
+          <unix:filepath var_ref="oval:ssg-kubelet_configure_tls_cipher_suites_master_file_location:var:1"/>
+        </unix:file_object>
+        <ind:yamlfilecontent_object id="oval:ssg-object_kubelet_configure_tls_cipher_suites_master:obj:1" version="1">
+          <ind:filepath var_ref="oval:ssg-kubelet_configure_tls_cipher_suites_master_file_location:var:1"/>
+          <ind:yamlpath>.tlsCipherSuites[:]</ind:yamlpath>
+        </ind:yamlfilecontent_object>
         <unix:file_object id="oval:ssg-object_file_for_kubelet_configure_tls_cipher_suites_openshiftapiserver_operator:obj:1" version="1">
           <unix:filepath var_ref="oval:ssg-kubelet_configure_tls_cipher_suites_openshiftapiserver_operator_file_location:var:1"/>
         </unix:file_object>
@@ -24404,6 +28958,20 @@ critical for OpenShift security.</xccdf-1.2:rationale>
           <ind:filepath var_ref="oval:ssg-kubelet_disable_readonly_port_file_location:var:1"/>
           <ind:yamlpath>.apiServerArguments["kubelet-read-only-port"][:]</ind:yamlpath>
         </ind:yamlfilecontent_object>
+        <unix:file_object id="oval:ssg-object_file_for_kubelet_enable_cert_rotation_deprecated:obj:1" version="1">
+          <unix:filepath var_ref="oval:ssg-kubelet_enable_cert_rotation_deprecated_file_location:var:1"/>
+        </unix:file_object>
+        <ind:yamlfilecontent_object id="oval:ssg-object_kubelet_enable_cert_rotation_deprecated:obj:1" version="1">
+          <ind:filepath var_ref="oval:ssg-kubelet_enable_cert_rotation_deprecated_file_location:var:1"/>
+          <ind:yamlpath>.rotateCertificates</ind:yamlpath>
+        </ind:yamlfilecontent_object>
+        <unix:file_object id="oval:ssg-object_file_for_kubelet_enable_cert_rotation_master:obj:1" version="1">
+          <unix:filepath var_ref="oval:ssg-kubelet_enable_cert_rotation_master_file_location:var:1"/>
+        </unix:file_object>
+        <ind:yamlfilecontent_object id="oval:ssg-object_kubelet_enable_cert_rotation_master:obj:1" version="1">
+          <ind:filepath var_ref="oval:ssg-kubelet_enable_cert_rotation_master_file_location:var:1"/>
+          <ind:yamlpath>.rotateCertificates</ind:yamlpath>
+        </ind:yamlfilecontent_object>
         <unix:file_object id="oval:ssg-object_file_for_kubelet_enable_cert_rotation_worker:obj:1" version="1">
           <unix:filepath var_ref="oval:ssg-kubelet_enable_cert_rotation_worker_file_location:var:1"/>
         </unix:file_object>
@@ -24411,18 +28979,39 @@ critical for OpenShift security.</xccdf-1.2:rationale>
           <ind:filepath var_ref="oval:ssg-kubelet_enable_cert_rotation_worker_file_location:var:1"/>
           <ind:yamlpath>.rotateCertificates</ind:yamlpath>
         </ind:yamlfilecontent_object>
-        <unix:file_object id="oval:ssg-object_file_for_kubelet_enable_client_cert_rotation:obj:1" version="1">
-          <unix:filepath var_ref="oval:ssg-kubelet_enable_client_cert_rotation_file_location:var:1"/>
+        <unix:file_object id="oval:ssg-object_file_for_kubelet_enable_client_cert_rotation_master:obj:1" version="1">
+          <unix:filepath var_ref="oval:ssg-kubelet_enable_client_cert_rotation_master_file_location:var:1"/>
+        </unix:file_object>
+        <ind:yamlfilecontent_object id="oval:ssg-object_kubelet_enable_client_cert_rotation_master:obj:1" version="1">
+          <ind:filepath var_ref="oval:ssg-kubelet_enable_client_cert_rotation_master_file_location:var:1"/>
+          <ind:yamlpath>.featureGates.RotateKubeletClientCertificate</ind:yamlpath>
+        </ind:yamlfilecontent_object>
+        <unix:file_object id="oval:ssg-object_file_for_kubelet_enable_client_cert_rotation_worker:obj:1" version="1">
+          <unix:filepath var_ref="oval:ssg-kubelet_enable_client_cert_rotation_worker_file_location:var:1"/>
         </unix:file_object>
-        <ind:yamlfilecontent_object id="oval:ssg-object_kubelet_enable_client_cert_rotation:obj:1" version="1">
-          <ind:filepath var_ref="oval:ssg-kubelet_enable_client_cert_rotation_file_location:var:1"/>
+        <ind:yamlfilecontent_object id="oval:ssg-object_kubelet_enable_client_cert_rotation_worker:obj:1" version="1">
+          <ind:filepath var_ref="oval:ssg-kubelet_enable_client_cert_rotation_worker_file_location:var:1"/>
           <ind:yamlpath>.featureGates.RotateKubeletClientCertificate</ind:yamlpath>
         </ind:yamlfilecontent_object>
-        <unix:file_object id="oval:ssg-object_file_for_kubelet_enable_iptables_util_chains:obj:1" version="1">
-          <unix:filepath var_ref="oval:ssg-kubelet_enable_iptables_util_chains_file_location:var:1"/>
+        <unix:file_object id="oval:ssg-object_file_for_kubelet_enable_iptables_util_chains_deprecated:obj:1" version="1">
+          <unix:filepath var_ref="oval:ssg-kubelet_enable_iptables_util_chains_deprecated_file_location:var:1"/>
+        </unix:file_object>
+        <ind:yamlfilecontent_object id="oval:ssg-object_kubelet_enable_iptables_util_chains_deprecated:obj:1" version="1">
+          <ind:filepath var_ref="oval:ssg-kubelet_enable_iptables_util_chains_deprecated_file_location:var:1"/>
+          <ind:yamlpath>.makeIPTablesUtilChains</ind:yamlpath>
+        </ind:yamlfilecontent_object>
+        <unix:file_object id="oval:ssg-object_file_for_kubelet_enable_iptables_util_chains_master:obj:1" version="1">
+          <unix:filepath var_ref="oval:ssg-kubelet_enable_iptables_util_chains_master_file_location:var:1"/>
+        </unix:file_object>
+        <ind:yamlfilecontent_object id="oval:ssg-object_kubelet_enable_iptables_util_chains_master:obj:1" version="1">
+          <ind:filepath var_ref="oval:ssg-kubelet_enable_iptables_util_chains_master_file_location:var:1"/>
+          <ind:yamlpath>.makeIPTablesUtilChains</ind:yamlpath>
+        </ind:yamlfilecontent_object>
+        <unix:file_object id="oval:ssg-object_file_for_kubelet_enable_iptables_util_chains_worker:obj:1" version="1">
+          <unix:filepath var_ref="oval:ssg-kubelet_enable_iptables_util_chains_worker_file_location:var:1"/>
         </unix:file_object>
-        <ind:yamlfilecontent_object id="oval:ssg-object_kubelet_enable_iptables_util_chains:obj:1" version="1">
-          <ind:filepath var_ref="oval:ssg-kubelet_enable_iptables_util_chains_file_location:var:1"/>
+        <ind:yamlfilecontent_object id="oval:ssg-object_kubelet_enable_iptables_util_chains_worker:obj:1" version="1">
+          <ind:filepath var_ref="oval:ssg-kubelet_enable_iptables_util_chains_worker_file_location:var:1"/>
           <ind:yamlpath>.makeIPTablesUtilChains</ind:yamlpath>
         </ind:yamlfilecontent_object>
         <unix:file_object id="oval:ssg-object_file_for_kubelet_enable_protect_kernel_defaults:obj:1" version="1">
@@ -24465,6 +29054,20 @@ critical for OpenShift security.</xccdf-1.2:rationale>
           <ind:pattern operation="pattern match">^[\s]*kernel\.panic=10[\s]*$</ind:pattern>
           <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
         </ind:textfilecontent54_object>
+        <unix:file_object id="oval:ssg-object_file_for_kubelet_enable_server_cert_rotation_deprecated:obj:1" version="1">
+          <unix:filepath var_ref="oval:ssg-kubelet_enable_server_cert_rotation_deprecated_file_location:var:1"/>
+        </unix:file_object>
+        <ind:yamlfilecontent_object id="oval:ssg-object_kubelet_enable_server_cert_rotation_deprecated:obj:1" version="1">
+          <ind:filepath var_ref="oval:ssg-kubelet_enable_server_cert_rotation_deprecated_file_location:var:1"/>
+          <ind:yamlpath>.featureGates.RotateKubeletServerCertificate</ind:yamlpath>
+        </ind:yamlfilecontent_object>
+        <unix:file_object id="oval:ssg-object_file_for_kubelet_enable_server_cert_rotation_master:obj:1" version="1">
+          <unix:filepath var_ref="oval:ssg-kubelet_enable_server_cert_rotation_master_file_location:var:1"/>
+        </unix:file_object>
+        <ind:yamlfilecontent_object id="oval:ssg-object_kubelet_enable_server_cert_rotation_master:obj:1" version="1">
+          <ind:filepath var_ref="oval:ssg-kubelet_enable_server_cert_rotation_master_file_location:var:1"/>
+          <ind:yamlpath>.featureGates.RotateKubeletServerCertificate</ind:yamlpath>
+        </ind:yamlfilecontent_object>
         <unix:file_object id="oval:ssg-object_file_for_kubelet_enable_server_cert_rotation_worker:obj:1" version="1">
           <unix:filepath var_ref="oval:ssg-kubelet_enable_server_cert_rotation_worker_file_location:var:1"/>
         </unix:file_object>
@@ -24472,6 +29075,20 @@ critical for OpenShift security.</xccdf-1.2:rationale>
           <ind:filepath var_ref="oval:ssg-kubelet_enable_server_cert_rotation_worker_file_location:var:1"/>
           <ind:yamlpath>.featureGates.RotateKubeletServerCertificate</ind:yamlpath>
         </ind:yamlfilecontent_object>
+        <unix:file_object id="oval:ssg-object_file_for_kubelet_enable_streaming_connections_deprecated:obj:1" version="1">
+          <unix:filepath var_ref="oval:ssg-kubelet_enable_streaming_connections_deprecated_file_location:var:1"/>
+        </unix:file_object>
+        <ind:yamlfilecontent_object id="oval:ssg-object_kubelet_enable_streaming_connections_deprecated:obj:1" version="1">
+          <ind:filepath var_ref="oval:ssg-kubelet_enable_streaming_connections_deprecated_file_location:var:1"/>
+          <ind:yamlpath>.streamingConnectionIdleTimeout</ind:yamlpath>
+        </ind:yamlfilecontent_object>
+        <unix:file_object id="oval:ssg-object_file_for_kubelet_enable_streaming_connections_master:obj:1" version="1">
+          <unix:filepath var_ref="oval:ssg-kubelet_enable_streaming_connections_master_file_location:var:1"/>
+        </unix:file_object>
+        <ind:yamlfilecontent_object id="oval:ssg-object_kubelet_enable_streaming_connections_master:obj:1" version="1">
+          <ind:filepath var_ref="oval:ssg-kubelet_enable_streaming_connections_master_file_location:var:1"/>
+          <ind:yamlpath>.streamingConnectionIdleTimeout</ind:yamlpath>
+        </ind:yamlfilecontent_object>
         <unix:file_object id="oval:ssg-object_file_for_kubelet_enable_streaming_connections_worker:obj:1" version="1">
           <unix:filepath var_ref="oval:ssg-kubelet_enable_streaming_connections_worker_file_location:var:1"/>
         </unix:file_object>
@@ -24479,6 +29096,20 @@ critical for OpenShift security.</xccdf-1.2:rationale>
           <ind:filepath var_ref="oval:ssg-kubelet_enable_streaming_connections_worker_file_location:var:1"/>
           <ind:yamlpath>.streamingConnectionIdleTimeout</ind:yamlpath>
         </ind:yamlfilecontent_object>
+        <unix:file_object id="oval:ssg-object_file_for_kubelet_eviction_thresholds_set_hard_imagefs_available_deprecated:obj:1" version="1">
+          <unix:filepath var_ref="oval:ssg-kubelet_eviction_thresholds_set_hard_imagefs_available_deprecated_file_location:var:1"/>
+        </unix:file_object>
+        <ind:yamlfilecontent_object id="oval:ssg-object_kubelet_eviction_thresholds_set_hard_imagefs_available_deprecated:obj:1" version="1">
+          <ind:filepath var_ref="oval:ssg-kubelet_eviction_thresholds_set_hard_imagefs_available_deprecated_file_location:var:1"/>
+          <ind:yamlpath>.evictionHard['imagefs.available']</ind:yamlpath>
+        </ind:yamlfilecontent_object>
+        <unix:file_object id="oval:ssg-object_file_for_kubelet_eviction_thresholds_set_hard_imagefs_available_master:obj:1" version="1">
+          <unix:filepath var_ref="oval:ssg-kubelet_eviction_thresholds_set_hard_imagefs_available_master_file_location:var:1"/>
+        </unix:file_object>
+        <ind:yamlfilecontent_object id="oval:ssg-object_kubelet_eviction_thresholds_set_hard_imagefs_available_master:obj:1" version="1">
+          <ind:filepath var_ref="oval:ssg-kubelet_eviction_thresholds_set_hard_imagefs_available_master_file_location:var:1"/>
+          <ind:yamlpath>.evictionHard['imagefs.available']</ind:yamlpath>
+        </ind:yamlfilecontent_object>
         <unix:file_object id="oval:ssg-object_file_for_kubelet_eviction_thresholds_set_hard_imagefs_available_worker:obj:1" version="1">
           <unix:filepath var_ref="oval:ssg-kubelet_eviction_thresholds_set_hard_imagefs_available_worker_file_location:var:1"/>
         </unix:file_object>
@@ -24486,6 +29117,20 @@ critical for OpenShift security.</xccdf-1.2:rationale>
           <ind:filepath var_ref="oval:ssg-kubelet_eviction_thresholds_set_hard_imagefs_available_worker_file_location:var:1"/>
           <ind:yamlpath>.evictionHard['imagefs.available']</ind:yamlpath>
         </ind:yamlfilecontent_object>
+        <unix:file_object id="oval:ssg-object_file_for_kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_deprecated:obj:1" version="1">
+          <unix:filepath var_ref="oval:ssg-kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_deprecated_file_location:var:1"/>
+        </unix:file_object>
+        <ind:yamlfilecontent_object id="oval:ssg-object_kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_deprecated:obj:1" version="1">
+          <ind:filepath var_ref="oval:ssg-kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_deprecated_file_location:var:1"/>
+          <ind:yamlpath>.evictionHard['imagefs.inodesFree']</ind:yamlpath>
+        </ind:yamlfilecontent_object>
+        <unix:file_object id="oval:ssg-object_file_for_kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_master:obj:1" version="1">
+          <unix:filepath var_ref="oval:ssg-kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_master_file_location:var:1"/>
+        </unix:file_object>
+        <ind:yamlfilecontent_object id="oval:ssg-object_kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_master:obj:1" version="1">
+          <ind:filepath var_ref="oval:ssg-kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_master_file_location:var:1"/>
+          <ind:yamlpath>.evictionHard['imagefs.inodesFree']</ind:yamlpath>
+        </ind:yamlfilecontent_object>
         <unix:file_object id="oval:ssg-object_file_for_kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_worker:obj:1" version="1">
           <unix:filepath var_ref="oval:ssg-kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_worker_file_location:var:1"/>
         </unix:file_object>
@@ -24493,6 +29138,20 @@ critical for OpenShift security.</xccdf-1.2:rationale>
           <ind:filepath var_ref="oval:ssg-kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_worker_file_location:var:1"/>
           <ind:yamlpath>.evictionHard['imagefs.inodesFree']</ind:yamlpath>
         </ind:yamlfilecontent_object>
+        <unix:file_object id="oval:ssg-object_file_for_kubelet_eviction_thresholds_set_hard_memory_available_deprecated:obj:1" version="1">
+          <unix:filepath var_ref="oval:ssg-kubelet_eviction_thresholds_set_hard_memory_available_deprecated_file_location:var:1"/>
+        </unix:file_object>
+        <ind:yamlfilecontent_object id="oval:ssg-object_kubelet_eviction_thresholds_set_hard_memory_available_deprecated:obj:1" version="1">
+          <ind:filepath var_ref="oval:ssg-kubelet_eviction_thresholds_set_hard_memory_available_deprecated_file_location:var:1"/>
+          <ind:yamlpath>.evictionHard['memory.available']</ind:yamlpath>
+        </ind:yamlfilecontent_object>
+        <unix:file_object id="oval:ssg-object_file_for_kubelet_eviction_thresholds_set_hard_memory_available_master:obj:1" version="1">
+          <unix:filepath var_ref="oval:ssg-kubelet_eviction_thresholds_set_hard_memory_available_master_file_location:var:1"/>
+        </unix:file_object>
+        <ind:yamlfilecontent_object id="oval:ssg-object_kubelet_eviction_thresholds_set_hard_memory_available_master:obj:1" version="1">
+          <ind:filepath var_ref="oval:ssg-kubelet_eviction_thresholds_set_hard_memory_available_master_file_location:var:1"/>
+          <ind:yamlpath>.evictionHard['memory.available']</ind:yamlpath>
+        </ind:yamlfilecontent_object>
         <unix:file_object id="oval:ssg-object_file_for_kubelet_eviction_thresholds_set_hard_memory_available_worker:obj:1" version="1">
           <unix:filepath var_ref="oval:ssg-kubelet_eviction_thresholds_set_hard_memory_available_worker_file_location:var:1"/>
         </unix:file_object>
@@ -24500,6 +29159,20 @@ critical for OpenShift security.</xccdf-1.2:rationale>
           <ind:filepath var_ref="oval:ssg-kubelet_eviction_thresholds_set_hard_memory_available_worker_file_location:var:1"/>
           <ind:yamlpath>.evictionHard['memory.available']</ind:yamlpath>
         </ind:yamlfilecontent_object>
+        <unix:file_object id="oval:ssg-object_file_for_kubelet_eviction_thresholds_set_hard_nodefs_available_deprecated:obj:1" version="1">
+          <unix:filepath var_ref="oval:ssg-kubelet_eviction_thresholds_set_hard_nodefs_available_deprecated_file_location:var:1"/>
+        </unix:file_object>
+        <ind:yamlfilecontent_object id="oval:ssg-object_kubelet_eviction_thresholds_set_hard_nodefs_available_deprecated:obj:1" version="1">
+          <ind:filepath var_ref="oval:ssg-kubelet_eviction_thresholds_set_hard_nodefs_available_deprecated_file_location:var:1"/>
+          <ind:yamlpath>.evictionHard['nodefs.available']</ind:yamlpath>
+        </ind:yamlfilecontent_object>
+        <unix:file_object id="oval:ssg-object_file_for_kubelet_eviction_thresholds_set_hard_nodefs_available_master:obj:1" version="1">
+          <unix:filepath var_ref="oval:ssg-kubelet_eviction_thresholds_set_hard_nodefs_available_master_file_location:var:1"/>
+        </unix:file_object>
+        <ind:yamlfilecontent_object id="oval:ssg-object_kubelet_eviction_thresholds_set_hard_nodefs_available_master:obj:1" version="1">
+          <ind:filepath var_ref="oval:ssg-kubelet_eviction_thresholds_set_hard_nodefs_available_master_file_location:var:1"/>
+          <ind:yamlpath>.evictionHard['nodefs.available']</ind:yamlpath>
+        </ind:yamlfilecontent_object>
         <unix:file_object id="oval:ssg-object_file_for_kubelet_eviction_thresholds_set_hard_nodefs_available_worker:obj:1" version="1">
           <unix:filepath var_ref="oval:ssg-kubelet_eviction_thresholds_set_hard_nodefs_available_worker_file_location:var:1"/>
         </unix:file_object>
@@ -24507,6 +29180,20 @@ critical for OpenShift security.</xccdf-1.2:rationale>
           <ind:filepath var_ref="oval:ssg-kubelet_eviction_thresholds_set_hard_nodefs_available_worker_file_location:var:1"/>
           <ind:yamlpath>.evictionHard['nodefs.available']</ind:yamlpath>
         </ind:yamlfilecontent_object>
+        <unix:file_object id="oval:ssg-object_file_for_kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_deprecated:obj:1" version="1">
+          <unix:filepath var_ref="oval:ssg-kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_deprecated_file_location:var:1"/>
+        </unix:file_object>
+        <ind:yamlfilecontent_object id="oval:ssg-object_kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_deprecated:obj:1" version="1">
+          <ind:filepath var_ref="oval:ssg-kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_deprecated_file_location:var:1"/>
+          <ind:yamlpath>.evictionHard['nodefs.inodesFree']</ind:yamlpath>
+        </ind:yamlfilecontent_object>
+        <unix:file_object id="oval:ssg-object_file_for_kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_master:obj:1" version="1">
+          <unix:filepath var_ref="oval:ssg-kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_master_file_location:var:1"/>
+        </unix:file_object>
+        <ind:yamlfilecontent_object id="oval:ssg-object_kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_master:obj:1" version="1">
+          <ind:filepath var_ref="oval:ssg-kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_master_file_location:var:1"/>
+          <ind:yamlpath>.evictionHard['nodefs.inodesFree']</ind:yamlpath>
+        </ind:yamlfilecontent_object>
         <unix:file_object id="oval:ssg-object_file_for_kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_worker:obj:1" version="1">
           <unix:filepath var_ref="oval:ssg-kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_worker_file_location:var:1"/>
         </unix:file_object>
@@ -24514,6 +29201,20 @@ critical for OpenShift security.</xccdf-1.2:rationale>
           <ind:filepath var_ref="oval:ssg-kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_worker_file_location:var:1"/>
           <ind:yamlpath>.evictionHard['nodefs.inodesFree']</ind:yamlpath>
         </ind:yamlfilecontent_object>
+        <unix:file_object id="oval:ssg-object_file_for_kubelet_eviction_thresholds_set_soft_imagefs_available_deprecated:obj:1" version="1">
+          <unix:filepath var_ref="oval:ssg-kubelet_eviction_thresholds_set_soft_imagefs_available_deprecated_file_location:var:1"/>
+        </unix:file_object>
+        <ind:yamlfilecontent_object id="oval:ssg-object_kubelet_eviction_thresholds_set_soft_imagefs_available_deprecated:obj:1" version="1">
+          <ind:filepath var_ref="oval:ssg-kubelet_eviction_thresholds_set_soft_imagefs_available_deprecated_file_location:var:1"/>
+          <ind:yamlpath>.evictionSoft['imagefs.available']</ind:yamlpath>
+        </ind:yamlfilecontent_object>
+        <unix:file_object id="oval:ssg-object_file_for_kubelet_eviction_thresholds_set_soft_imagefs_available_master:obj:1" version="1">
+          <unix:filepath var_ref="oval:ssg-kubelet_eviction_thresholds_set_soft_imagefs_available_master_file_location:var:1"/>
+        </unix:file_object>
+        <ind:yamlfilecontent_object id="oval:ssg-object_kubelet_eviction_thresholds_set_soft_imagefs_available_master:obj:1" version="1">
+          <ind:filepath var_ref="oval:ssg-kubelet_eviction_thresholds_set_soft_imagefs_available_master_file_location:var:1"/>
+          <ind:yamlpath>.evictionSoft['imagefs.available']</ind:yamlpath>
+        </ind:yamlfilecontent_object>
         <unix:file_object id="oval:ssg-object_file_for_kubelet_eviction_thresholds_set_soft_imagefs_available_worker:obj:1" version="1">
           <unix:filepath var_ref="oval:ssg-kubelet_eviction_thresholds_set_soft_imagefs_available_worker_file_location:var:1"/>
         </unix:file_object>
@@ -24521,6 +29222,20 @@ critical for OpenShift security.</xccdf-1.2:rationale>
           <ind:filepath var_ref="oval:ssg-kubelet_eviction_thresholds_set_soft_imagefs_available_worker_file_location:var:1"/>
           <ind:yamlpath>.evictionSoft['imagefs.available']</ind:yamlpath>
         </ind:yamlfilecontent_object>
+        <unix:file_object id="oval:ssg-object_file_for_kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_deprecated:obj:1" version="1">
+          <unix:filepath var_ref="oval:ssg-kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_deprecated_file_location:var:1"/>
+        </unix:file_object>
+        <ind:yamlfilecontent_object id="oval:ssg-object_kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_deprecated:obj:1" version="1">
+          <ind:filepath var_ref="oval:ssg-kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_deprecated_file_location:var:1"/>
+          <ind:yamlpath>.evictionSoft['imagefs.inodesFree']</ind:yamlpath>
+        </ind:yamlfilecontent_object>
+        <unix:file_object id="oval:ssg-object_file_for_kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_master:obj:1" version="1">
+          <unix:filepath var_ref="oval:ssg-kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_master_file_location:var:1"/>
+        </unix:file_object>
+        <ind:yamlfilecontent_object id="oval:ssg-object_kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_master:obj:1" version="1">
+          <ind:filepath var_ref="oval:ssg-kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_master_file_location:var:1"/>
+          <ind:yamlpath>.evictionSoft['imagefs.inodesFree']</ind:yamlpath>
+        </ind:yamlfilecontent_object>
         <unix:file_object id="oval:ssg-object_file_for_kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_worker:obj:1" version="1">
           <unix:filepath var_ref="oval:ssg-kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_worker_file_location:var:1"/>
         </unix:file_object>
@@ -24528,6 +29243,20 @@ critical for OpenShift security.</xccdf-1.2:rationale>
           <ind:filepath var_ref="oval:ssg-kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_worker_file_location:var:1"/>
           <ind:yamlpath>.evictionSoft['imagefs.inodesFree']</ind:yamlpath>
         </ind:yamlfilecontent_object>
+        <unix:file_object id="oval:ssg-object_file_for_kubelet_eviction_thresholds_set_soft_memory_available_deprecated:obj:1" version="1">
+          <unix:filepath var_ref="oval:ssg-kubelet_eviction_thresholds_set_soft_memory_available_deprecated_file_location:var:1"/>
+        </unix:file_object>
+        <ind:yamlfilecontent_object id="oval:ssg-object_kubelet_eviction_thresholds_set_soft_memory_available_deprecated:obj:1" version="1">
+          <ind:filepath var_ref="oval:ssg-kubelet_eviction_thresholds_set_soft_memory_available_deprecated_file_location:var:1"/>
+          <ind:yamlpath>.evictionSoft['memory.available']</ind:yamlpath>
+        </ind:yamlfilecontent_object>
+        <unix:file_object id="oval:ssg-object_file_for_kubelet_eviction_thresholds_set_soft_memory_available_master:obj:1" version="1">
+          <unix:filepath var_ref="oval:ssg-kubelet_eviction_thresholds_set_soft_memory_available_master_file_location:var:1"/>
+        </unix:file_object>
+        <ind:yamlfilecontent_object id="oval:ssg-object_kubelet_eviction_thresholds_set_soft_memory_available_master:obj:1" version="1">
+          <ind:filepath var_ref="oval:ssg-kubelet_eviction_thresholds_set_soft_memory_available_master_file_location:var:1"/>
+          <ind:yamlpath>.evictionSoft['memory.available']</ind:yamlpath>
+        </ind:yamlfilecontent_object>
         <unix:file_object id="oval:ssg-object_file_for_kubelet_eviction_thresholds_set_soft_memory_available_worker:obj:1" version="1">
           <unix:filepath var_ref="oval:ssg-kubelet_eviction_thresholds_set_soft_memory_available_worker_file_location:var:1"/>
         </unix:file_object>
@@ -24535,6 +29264,20 @@ critical for OpenShift security.</xccdf-1.2:rationale>
           <ind:filepath var_ref="oval:ssg-kubelet_eviction_thresholds_set_soft_memory_available_worker_file_location:var:1"/>
           <ind:yamlpath>.evictionSoft['memory.available']</ind:yamlpath>
         </ind:yamlfilecontent_object>
+        <unix:file_object id="oval:ssg-object_file_for_kubelet_eviction_thresholds_set_soft_nodefs_available_deprecated:obj:1" version="1">
+          <unix:filepath var_ref="oval:ssg-kubelet_eviction_thresholds_set_soft_nodefs_available_deprecated_file_location:var:1"/>
+        </unix:file_object>
+        <ind:yamlfilecontent_object id="oval:ssg-object_kubelet_eviction_thresholds_set_soft_nodefs_available_deprecated:obj:1" version="1">
+          <ind:filepath var_ref="oval:ssg-kubelet_eviction_thresholds_set_soft_nodefs_available_deprecated_file_location:var:1"/>
+          <ind:yamlpath>.evictionSoft['nodefs.available']</ind:yamlpath>
+        </ind:yamlfilecontent_object>
+        <unix:file_object id="oval:ssg-object_file_for_kubelet_eviction_thresholds_set_soft_nodefs_available_master:obj:1" version="1">
+          <unix:filepath var_ref="oval:ssg-kubelet_eviction_thresholds_set_soft_nodefs_available_master_file_location:var:1"/>
+        </unix:file_object>
+        <ind:yamlfilecontent_object id="oval:ssg-object_kubelet_eviction_thresholds_set_soft_nodefs_available_master:obj:1" version="1">
+          <ind:filepath var_ref="oval:ssg-kubelet_eviction_thresholds_set_soft_nodefs_available_master_file_location:var:1"/>
+          <ind:yamlpath>.evictionSoft['nodefs.available']</ind:yamlpath>
+        </ind:yamlfilecontent_object>
         <unix:file_object id="oval:ssg-object_file_for_kubelet_eviction_thresholds_set_soft_nodefs_available_worker:obj:1" version="1">
           <unix:filepath var_ref="oval:ssg-kubelet_eviction_thresholds_set_soft_nodefs_available_worker_file_location:var:1"/>
         </unix:file_object>
@@ -24542,6 +29285,20 @@ critical for OpenShift security.</xccdf-1.2:rationale>
           <ind:filepath var_ref="oval:ssg-kubelet_eviction_thresholds_set_soft_nodefs_available_worker_file_location:var:1"/>
           <ind:yamlpath>.evictionSoft['nodefs.available']</ind:yamlpath>
         </ind:yamlfilecontent_object>
+        <unix:file_object id="oval:ssg-object_file_for_kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_deprecated:obj:1" version="1">
+          <unix:filepath var_ref="oval:ssg-kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_deprecated_file_location:var:1"/>
+        </unix:file_object>
+        <ind:yamlfilecontent_object id="oval:ssg-object_kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_deprecated:obj:1" version="1">
+          <ind:filepath var_ref="oval:ssg-kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_deprecated_file_location:var:1"/>
+          <ind:yamlpath>.evictionSoft['nodefs.inodesFree']</ind:yamlpath>
+        </ind:yamlfilecontent_object>
+        <unix:file_object id="oval:ssg-object_file_for_kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_master:obj:1" version="1">
+          <unix:filepath var_ref="oval:ssg-kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_master_file_location:var:1"/>
+        </unix:file_object>
+        <ind:yamlfilecontent_object id="oval:ssg-object_kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_master:obj:1" version="1">
+          <ind:filepath var_ref="oval:ssg-kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_master_file_location:var:1"/>
+          <ind:yamlpath>.evictionSoft['nodefs.inodesFree']</ind:yamlpath>
+        </ind:yamlfilecontent_object>
         <unix:file_object id="oval:ssg-object_file_for_kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_worker:obj:1" version="1">
           <unix:filepath var_ref="oval:ssg-kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_worker_file_location:var:1"/>
         </unix:file_object>
@@ -24549,6 +29306,20 @@ critical for OpenShift security.</xccdf-1.2:rationale>
           <ind:filepath var_ref="oval:ssg-kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_worker_file_location:var:1"/>
           <ind:yamlpath>.evictionSoft['nodefs.inodesFree']</ind:yamlpath>
         </ind:yamlfilecontent_object>
+        <unix:file_object id="oval:ssg-object_file_for_kubelet_read_only_port_secured_deprecated:obj:1" version="1">
+          <unix:filepath var_ref="oval:ssg-kubelet_read_only_port_secured_deprecated_file_location:var:1"/>
+        </unix:file_object>
+        <ind:yamlfilecontent_object id="oval:ssg-object_kubelet_read_only_port_secured_deprecated:obj:1" version="1">
+          <ind:filepath var_ref="oval:ssg-kubelet_read_only_port_secured_deprecated_file_location:var:1"/>
+          <ind:yamlpath>.readOnlyPort</ind:yamlpath>
+        </ind:yamlfilecontent_object>
+        <unix:file_object id="oval:ssg-object_file_for_kubelet_read_only_port_secured_master:obj:1" version="1">
+          <unix:filepath var_ref="oval:ssg-kubelet_read_only_port_secured_master_file_location:var:1"/>
+        </unix:file_object>
+        <ind:yamlfilecontent_object id="oval:ssg-object_kubelet_read_only_port_secured_master:obj:1" version="1">
+          <ind:filepath var_ref="oval:ssg-kubelet_read_only_port_secured_master_file_location:var:1"/>
+          <ind:yamlpath>.readOnlyPort</ind:yamlpath>
+        </ind:yamlfilecontent_object>
         <unix:file_object id="oval:ssg-object_file_for_kubelet_read_only_port_secured_worker:obj:1" version="1">
           <unix:filepath var_ref="oval:ssg-kubelet_read_only_port_secured_worker_file_location:var:1"/>
         </unix:file_object>
@@ -24556,18 +29327,18 @@ critical for OpenShift security.</xccdf-1.2:rationale>
           <ind:filepath var_ref="oval:ssg-kubelet_read_only_port_secured_worker_file_location:var:1"/>
           <ind:yamlpath>.readOnlyPort</ind:yamlpath>
         </ind:yamlfilecontent_object>
-        <unix:file_object id="oval:ssg-object_file_for_kubelet_test:obj:1" version="1">
-          <unix:filepath var_ref="oval:ssg-kubelet_test_file_location:var:1"/>
+        <unix:file_object id="oval:ssg-object_file_for_kubelet_test_cipher_master:obj:1" version="1">
+          <unix:filepath var_ref="oval:ssg-kubelet_test_cipher_master_file_location:var:1"/>
         </unix:file_object>
-        <ind:yamlfilecontent_object id="oval:ssg-object_kubelet_test:obj:1" version="1">
-          <ind:filepath var_ref="oval:ssg-kubelet_test_file_location:var:1"/>
-          <ind:yamlpath>.enableServer</ind:yamlpath>
+        <ind:yamlfilecontent_object id="oval:ssg-object_kubelet_test_cipher_master:obj:1" version="1">
+          <ind:filepath var_ref="oval:ssg-kubelet_test_cipher_master_file_location:var:1"/>
+          <ind:yamlpath>.tlsCipherSuites[:]</ind:yamlpath>
         </ind:yamlfilecontent_object>
-        <unix:file_object id="oval:ssg-object_file_for_kubelet_test_cipher:obj:1" version="1">
-          <unix:filepath var_ref="oval:ssg-kubelet_test_cipher_file_location:var:1"/>
+        <unix:file_object id="oval:ssg-object_file_for_kubelet_test_cipher_worker:obj:1" version="1">
+          <unix:filepath var_ref="oval:ssg-kubelet_test_cipher_worker_file_location:var:1"/>
         </unix:file_object>
-        <ind:yamlfilecontent_object id="oval:ssg-object_kubelet_test_cipher:obj:1" version="1">
-          <ind:filepath var_ref="oval:ssg-kubelet_test_cipher_file_location:var:1"/>
+        <ind:yamlfilecontent_object id="oval:ssg-object_kubelet_test_cipher_worker:obj:1" version="1">
+          <ind:filepath var_ref="oval:ssg-kubelet_test_cipher_worker_file_location:var:1"/>
           <ind:yamlpath>.tlsCipherSuites[:]</ind:yamlpath>
         </ind:yamlfilecontent_object>
         <unix:file_object id="oval:ssg-object_file_for_luks_enabled_on_all_nodes:obj:1" version="1">
@@ -24989,11 +29760,6 @@ critical for OpenShift security.</xccdf-1.2:rationale>
           <ind:pattern operation="pattern match">^11.[0-9]+$</ind:pattern>
           <ind:instance datatype="int">1</ind:instance>
         </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_debian_9:obj:1" version="1" comment="Check Debian version">
-          <ind:filepath>/etc/debian_version</ind:filepath>
-          <ind:pattern operation="pattern match">^9.[0-9]+$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
         <linux:rpminfo_object id="oval:ssg-object_fedora_release_rpm:obj:1" version="1">
           <linux:name operation="pattern match">fedora-release.*</linux:name>
         </linux:rpminfo_object>
@@ -25149,6 +29915,11 @@ critical for OpenShift security.</xccdf-1.2:rationale>
           <ind:pattern operation="pattern match">^DISTRIB_CODENAME=focal$</ind:pattern>
           <ind:instance datatype="int">1</ind:instance>
         </ind:textfilecontent54_object>
+        <ind:textfilecontent54_object id="oval:ssg-obj_ubuntu_jammy:obj:1" version="1" comment="Check Ubuntu version">
+          <ind:filepath>/etc/lsb-release</ind:filepath>
+          <ind:pattern operation="pattern match">^DISTRIB_CODENAME=jammy$</ind:pattern>
+          <ind:instance datatype="int">1</ind:instance>
+        </ind:textfilecontent54_object>
         <linux:rpminfo_object id="oval:ssg-obj_uos20:obj:1" version="1">
           <linux:name>uos-release</linux:name>
         </linux:rpminfo_object>
@@ -25271,6 +30042,12 @@ critical for OpenShift security.</xccdf-1.2:rationale>
         <unix:file_object comment="Check file /run/.containerenv" id="oval:ssg-object_installed_env_is_a_podman_container:obj:1" version="1">
           <unix:filepath datatype="string">/run/.containerenv</unix:filepath>
         </unix:file_object>
+        <linux:partition_object id="oval:ssg-object_partition_tmp_exists:obj:1" version="1">
+          <linux:mount_point>/tmp</linux:mount_point>
+        </linux:partition_object>
+        <linux:partition_object id="oval:ssg-object_partition_var_tmp_exists:obj:1" version="1">
+          <linux:mount_point>/var/tmp</linux:mount_point>
+        </linux:partition_object>
         <linux:rpminfo_object id="oval:ssg-obj_krb5_server_version_1_17_18:obj:1" version="1">
           <linux:name>krb5-server</linux:name>
         </linux:rpminfo_object>
@@ -25476,11 +30253,9 @@ critical for OpenShift security.</xccdf-1.2:rationale>
             <oval-def:field name="basic-auth-file" datatype="string" operation="pattern match"/>
           </ind:value>
         </ind:yamlfilecontent_state>
-        <ind:yamlfilecontent_state id="oval:ssg-state_api_server_bind_address:ste:1" version="1">
-          <ind:value datatype="record" entity_check="all">
-            <oval-def:field name="#" datatype="string" operation="pattern match">(.+)</oval-def:field>
-          </ind:value>
-        </ind:yamlfilecontent_state>
+        <ind:variable_state id="oval:ssg-variable_state_api_server_bind_address:ste:1" version="1">
+          <ind:value datatype="string" operation="equals" var_ref="oval:ssg-var_apiserver_bind_address:var:1"/>
+        </ind:variable_state>
         <ind:variable_state id="oval:ssg-variable_state_api_server_client_ca:ste:1" version="1">
           <ind:value datatype="string" operation="equals" var_ref="oval:ssg-var_apiserver_client_ca:var:1"/>
         </ind:variable_state>
@@ -26590,11 +31365,6 @@ critical for OpenShift security.</xccdf-1.2:rationale>
         <unix:file_state id="oval:ssg-exclude_symlinks_file_perms_openshift_sdn_cniserver_config:ste:1" version="1">
           <unix:type operation="equals">symbolic link</unix:type>
         </unix:file_state>
-        <ind:yamlfilecontent_state id="oval:ssg-state_fips_mode_enabled:ste:1" version="1">
-          <ind:value datatype="record">
-            <oval-def:field name="#" datatype="string">true</oval-def:field>
-          </ind:value>
-        </ind:yamlfilecontent_state>
         <ind:yamlfilecontent_state id="oval:ssg-state_fips_mode_enabled_on_all_nodes:ste:1" version="1">
           <ind:value datatype="record" entity_check="all">
             <oval-def:field name="#" operation="equals">true</oval-def:field>
@@ -26623,26 +31393,66 @@ critical for OpenShift security.</xccdf-1.2:rationale>
             <oval-def:field name="#" operation="pattern match">.+</oval-def:field>
           </ind:value>
         </ind:yamlfilecontent_state>
+        <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_anonymous_auth_deprecated:ste:1" version="1">
+          <ind:value datatype="record">
+            <oval-def:field name="#" operation="equals">false</oval-def:field>
+          </ind:value>
+        </ind:yamlfilecontent_state>
+        <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_anonymous_auth_master:ste:1" version="1">
+          <ind:value datatype="record">
+            <oval-def:field name="#" operation="equals">false</oval-def:field>
+          </ind:value>
+        </ind:yamlfilecontent_state>
         <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_anonymous_auth_worker:ste:1" version="1">
           <ind:value datatype="record">
             <oval-def:field name="#" operation="equals">false</oval-def:field>
           </ind:value>
         </ind:yamlfilecontent_state>
+        <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_authorization_mode_deprecated:ste:1" version="1">
+          <ind:value datatype="record">
+            <oval-def:field name="#" operation="not equal">AlwaysAllow</oval-def:field>
+          </ind:value>
+        </ind:yamlfilecontent_state>
+        <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_authorization_mode_master:ste:1" version="1">
+          <ind:value datatype="record">
+            <oval-def:field name="#" operation="not equal">AlwaysAllow</oval-def:field>
+          </ind:value>
+        </ind:yamlfilecontent_state>
         <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_authorization_mode_worker:ste:1" version="1">
           <ind:value datatype="record">
             <oval-def:field name="#" operation="not equal">AlwaysAllow</oval-def:field>
           </ind:value>
         </ind:yamlfilecontent_state>
+        <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_configure_client_ca_deprecated:ste:1" version="1">
+          <ind:value datatype="record">
+            <oval-def:field name="#" operation="equals">/etc/kubernetes/kubelet-ca.crt</oval-def:field>
+          </ind:value>
+        </ind:yamlfilecontent_state>
+        <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_configure_client_ca_master:ste:1" version="1">
+          <ind:value datatype="record">
+            <oval-def:field name="#" operation="equals">/etc/kubernetes/kubelet-ca.crt</oval-def:field>
+          </ind:value>
+        </ind:yamlfilecontent_state>
         <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_configure_client_ca_worker:ste:1" version="1">
           <ind:value datatype="record">
             <oval-def:field name="#" operation="equals">/etc/kubernetes/kubelet-ca.crt</oval-def:field>
           </ind:value>
         </ind:yamlfilecontent_state>
-        <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_configure_event_creation_worker:ste:1" version="1">
+        <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_configure_event_creation_deprecated:ste:1" version="1">
           <ind:value datatype="record">
             <oval-def:field name="#" datatype="int" operation="greater than or equal">0</oval-def:field>
           </ind:value>
         </ind:yamlfilecontent_state>
+        <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_configure_event_creation_master:ste:1" version="1">
+          <ind:value datatype="record">
+            <oval-def:field name="#" datatype="string" operation="equals" var_ref="oval:ssg-var_event_record_qps:var:1"/>
+          </ind:value>
+        </ind:yamlfilecontent_state>
+        <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_configure_event_creation_worker:ste:1" version="1">
+          <ind:value datatype="record">
+            <oval-def:field name="#" datatype="string" operation="equals" var_ref="oval:ssg-var_event_record_qps:var:1"/>
+          </ind:value>
+        </ind:yamlfilecontent_state>
         <ind:variable_state id="oval:ssg-variable_state_kubelet_configure_tls_cert:ste:1" version="1">
           <ind:value datatype="string" operation="equals" var_ref="oval:ssg-var_apiserver_kubelet_client_cert:var:1"/>
         </ind:variable_state>
@@ -26651,6 +31461,11 @@ critical for OpenShift security.</xccdf-1.2:rationale>
             <oval-def:field name="#" operation="pattern match">"kubelet-client-certificate":\["/etc/kubernetes/static-pod-resources/secrets/kubelet-client/tls.crt"\]</oval-def:field>
           </ind:value>
         </ind:yamlfilecontent_state>
+        <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_configure_tls_cipher_suites_deprecated:ste:1" version="1">
+          <ind:value datatype="record">
+            <oval-def:field name="#" operation="pattern match" var_ref="oval:ssg-var_kubelet_tls_cipher_suites_regex:var:1"/>
+          </ind:value>
+        </ind:yamlfilecontent_state>
         <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_configure_tls_cipher_suites_ingresscontroller:ste:1" version="1">
           <ind:value datatype="record">
             <oval-def:field name="#" operation="pattern match">^(ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-RSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-RSA-AES256-GCM-SHA384|ECDHE-RSA-CHACHA20-POLY1305|ECDHE-ECDSA-AES256-GCM-SHA384|AES256-GCM-SHA384|AES128-GCM-SHA256)$</oval-def:field>
@@ -26661,6 +31476,11 @@ critical for OpenShift security.</xccdf-1.2:rationale>
             <oval-def:field name="#" operation="pattern match">^(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|TLS_RSA_WITH_AES_256_GCM_SHA384|TLS_RSA_WITH_AES_128_GCM_SHA256)$</oval-def:field>
           </ind:value>
         </ind:yamlfilecontent_state>
+        <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_configure_tls_cipher_suites_master:ste:1" version="1">
+          <ind:value datatype="record">
+            <oval-def:field name="#" operation="pattern match" var_ref="oval:ssg-var_kubelet_tls_cipher_suites_regex:var:1"/>
+          </ind:value>
+        </ind:yamlfilecontent_state>
         <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_configure_tls_cipher_suites_openshiftapiserver_operator:ste:1" version="1">
           <ind:value datatype="record">
             <oval-def:field name="#" operation="pattern match">^(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305|TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305|TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384|TLS_RSA_WITH_AES_256_GCM_SHA384|TLS_RSA_WITH_AES_128_GCM_SHA256)$</oval-def:field>
@@ -26684,17 +31504,42 @@ critical for OpenShift security.</xccdf-1.2:rationale>
             <oval-def:field name="#" datatype="string" operation="pattern match">0</oval-def:field>
           </ind:value>
         </ind:yamlfilecontent_state>
+        <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_enable_cert_rotation_deprecated:ste:1" version="1">
+          <ind:value datatype="record">
+            <oval-def:field name="#" operation="equals">true</oval-def:field>
+          </ind:value>
+        </ind:yamlfilecontent_state>
+        <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_enable_cert_rotation_master:ste:1" version="1">
+          <ind:value datatype="record">
+            <oval-def:field name="#" operation="equals">true</oval-def:field>
+          </ind:value>
+        </ind:yamlfilecontent_state>
         <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_enable_cert_rotation_worker:ste:1" version="1">
           <ind:value datatype="record">
             <oval-def:field name="#" operation="equals">true</oval-def:field>
           </ind:value>
         </ind:yamlfilecontent_state>
-        <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_enable_client_cert_rotation:ste:1" version="1">
+        <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_enable_client_cert_rotation_master:ste:1" version="1">
+          <ind:value datatype="record">
+            <oval-def:field name="#" operation="not equal">false</oval-def:field>
+          </ind:value>
+        </ind:yamlfilecontent_state>
+        <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_enable_client_cert_rotation_worker:ste:1" version="1">
           <ind:value datatype="record">
             <oval-def:field name="#" operation="not equal">false</oval-def:field>
           </ind:value>
         </ind:yamlfilecontent_state>
-        <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_enable_iptables_util_chains:ste:1" version="1">
+        <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_enable_iptables_util_chains_deprecated:ste:1" version="1">
+          <ind:value datatype="record">
+            <oval-def:field name="#" operation="equals">true</oval-def:field>
+          </ind:value>
+        </ind:yamlfilecontent_state>
+        <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_enable_iptables_util_chains_master:ste:1" version="1">
+          <ind:value datatype="record">
+            <oval-def:field name="#" operation="equals">true</oval-def:field>
+          </ind:value>
+        </ind:yamlfilecontent_state>
+        <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_enable_iptables_util_chains_worker:ste:1" version="1">
           <ind:value datatype="record">
             <oval-def:field name="#" operation="equals">true</oval-def:field>
           </ind:value>
@@ -26704,64 +31549,194 @@ critical for OpenShift security.</xccdf-1.2:rationale>
             <oval-def:field name="#" operation="equals">true</oval-def:field>
           </ind:value>
         </ind:yamlfilecontent_state>
+        <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_enable_server_cert_rotation_deprecated:ste:1" version="1">
+          <ind:value datatype="record">
+            <oval-def:field name="#" operation="equals">true</oval-def:field>
+          </ind:value>
+        </ind:yamlfilecontent_state>
+        <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_enable_server_cert_rotation_master:ste:1" version="1">
+          <ind:value datatype="record">
+            <oval-def:field name="#" operation="equals">true</oval-def:field>
+          </ind:value>
+        </ind:yamlfilecontent_state>
         <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_enable_server_cert_rotation_worker:ste:1" version="1">
           <ind:value datatype="record">
             <oval-def:field name="#" operation="equals">true</oval-def:field>
           </ind:value>
         </ind:yamlfilecontent_state>
-        <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_enable_streaming_connections_worker:ste:1" version="1">
+        <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_enable_streaming_connections_deprecated:ste:1" version="1">
           <ind:value datatype="record">
             <oval-def:field name="#" operation="pattern match" var_ref="oval:ssg-var_streaming_connection_timeouts:var:1"/>
           </ind:value>
         </ind:yamlfilecontent_state>
+        <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_enable_streaming_connections_master:ste:1" version="1">
+          <ind:value datatype="record">
+            <oval-def:field name="#" datatype="string" operation="equals" var_ref="oval:ssg-var_streaming_connection_timeouts:var:1"/>
+          </ind:value>
+        </ind:yamlfilecontent_state>
+        <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_enable_streaming_connections_worker:ste:1" version="1">
+          <ind:value datatype="record">
+            <oval-def:field name="#" datatype="string" operation="equals" var_ref="oval:ssg-var_streaming_connection_timeouts:var:1"/>
+          </ind:value>
+        </ind:yamlfilecontent_state>
+        <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_eviction_thresholds_set_hard_imagefs_available_deprecated:ste:1" version="1">
+          <ind:value datatype="record">
+            <oval-def:field name="#" operation="pattern match">.*</oval-def:field>
+          </ind:value>
+        </ind:yamlfilecontent_state>
+        <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_eviction_thresholds_set_hard_imagefs_available_master:ste:1" version="1">
+          <ind:value datatype="record">
+            <oval-def:field name="#" datatype="string" operation="equals" var_ref="oval:ssg-var_kubelet_evictionhard_imagefs_available:var:1"/>
+          </ind:value>
+        </ind:yamlfilecontent_state>
         <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_eviction_thresholds_set_hard_imagefs_available_worker:ste:1" version="1">
+          <ind:value datatype="record">
+            <oval-def:field name="#" datatype="string" operation="equals" var_ref="oval:ssg-var_kubelet_evictionhard_imagefs_available:var:1"/>
+          </ind:value>
+        </ind:yamlfilecontent_state>
+        <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_deprecated:ste:1" version="1">
           <ind:value datatype="record">
             <oval-def:field name="#" operation="pattern match">.*</oval-def:field>
           </ind:value>
         </ind:yamlfilecontent_state>
+        <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_master:ste:1" version="1">
+          <ind:value datatype="record">
+            <oval-def:field name="#" datatype="string" operation="equals" var_ref="oval:ssg-var_kubelet_evictionhard_imagefs_inodesfree:var:1"/>
+          </ind:value>
+        </ind:yamlfilecontent_state>
         <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_worker:ste:1" version="1">
+          <ind:value datatype="record">
+            <oval-def:field name="#" datatype="string" operation="equals" var_ref="oval:ssg-var_kubelet_evictionhard_imagefs_inodesfree:var:1"/>
+          </ind:value>
+        </ind:yamlfilecontent_state>
+        <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_eviction_thresholds_set_hard_memory_available_deprecated:ste:1" version="1">
           <ind:value datatype="record">
             <oval-def:field name="#" operation="pattern match">.*</oval-def:field>
           </ind:value>
         </ind:yamlfilecontent_state>
+        <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_eviction_thresholds_set_hard_memory_available_master:ste:1" version="1">
+          <ind:value datatype="record">
+            <oval-def:field name="#" datatype="string" operation="equals" var_ref="oval:ssg-var_kubelet_evictionhard_memory_available:var:1"/>
+          </ind:value>
+        </ind:yamlfilecontent_state>
         <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_eviction_thresholds_set_hard_memory_available_worker:ste:1" version="1">
+          <ind:value datatype="record">
+            <oval-def:field name="#" datatype="string" operation="equals" var_ref="oval:ssg-var_kubelet_evictionhard_memory_available:var:1"/>
+          </ind:value>
+        </ind:yamlfilecontent_state>
+        <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_eviction_thresholds_set_hard_nodefs_available_deprecated:ste:1" version="1">
           <ind:value datatype="record">
             <oval-def:field name="#" operation="pattern match">.*</oval-def:field>
           </ind:value>
         </ind:yamlfilecontent_state>
+        <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_eviction_thresholds_set_hard_nodefs_available_master:ste:1" version="1">
+          <ind:value datatype="record">
+            <oval-def:field name="#" datatype="string" operation="equals" var_ref="oval:ssg-var_kubelet_evictionhard_nodefs_available:var:1"/>
+          </ind:value>
+        </ind:yamlfilecontent_state>
         <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_eviction_thresholds_set_hard_nodefs_available_worker:ste:1" version="1">
+          <ind:value datatype="record">
+            <oval-def:field name="#" datatype="string" operation="equals" var_ref="oval:ssg-var_kubelet_evictionhard_nodefs_available:var:1"/>
+          </ind:value>
+        </ind:yamlfilecontent_state>
+        <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_deprecated:ste:1" version="1">
           <ind:value datatype="record">
             <oval-def:field name="#" operation="pattern match">.*</oval-def:field>
           </ind:value>
         </ind:yamlfilecontent_state>
+        <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_master:ste:1" version="1">
+          <ind:value datatype="record">
+            <oval-def:field name="#" datatype="string" operation="equals" var_ref="oval:ssg-var_kubelet_evictionhard_nodefs_inodesfree:var:1"/>
+          </ind:value>
+        </ind:yamlfilecontent_state>
         <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_worker:ste:1" version="1">
+          <ind:value datatype="record">
+            <oval-def:field name="#" datatype="string" operation="equals" var_ref="oval:ssg-var_kubelet_evictionhard_nodefs_inodesfree:var:1"/>
+          </ind:value>
+        </ind:yamlfilecontent_state>
+        <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_eviction_thresholds_set_soft_imagefs_available_deprecated:ste:1" version="1">
           <ind:value datatype="record">
             <oval-def:field name="#" operation="pattern match">.*</oval-def:field>
           </ind:value>
         </ind:yamlfilecontent_state>
+        <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_eviction_thresholds_set_soft_imagefs_available_master:ste:1" version="1">
+          <ind:value datatype="record">
+            <oval-def:field name="#" datatype="string" operation="equals" var_ref="oval:ssg-var_kubelet_evictionsoft_imagefs_available:var:1"/>
+          </ind:value>
+        </ind:yamlfilecontent_state>
         <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_eviction_thresholds_set_soft_imagefs_available_worker:ste:1" version="1">
+          <ind:value datatype="record">
+            <oval-def:field name="#" datatype="string" operation="equals" var_ref="oval:ssg-var_kubelet_evictionsoft_imagefs_available:var:1"/>
+          </ind:value>
+        </ind:yamlfilecontent_state>
+        <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_deprecated:ste:1" version="1">
           <ind:value datatype="record">
             <oval-def:field name="#" operation="pattern match">.*</oval-def:field>
           </ind:value>
         </ind:yamlfilecontent_state>
+        <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_master:ste:1" version="1">
+          <ind:value datatype="record">
+            <oval-def:field name="#" datatype="string" operation="equals" var_ref="oval:ssg-var_kubelet_evictionsoft_imagefs_inodesfree:var:1"/>
+          </ind:value>
+        </ind:yamlfilecontent_state>
         <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_worker:ste:1" version="1">
+          <ind:value datatype="record">
+            <oval-def:field name="#" datatype="string" operation="equals" var_ref="oval:ssg-var_kubelet_evictionsoft_imagefs_inodesfree:var:1"/>
+          </ind:value>
+        </ind:yamlfilecontent_state>
+        <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_eviction_thresholds_set_soft_memory_available_deprecated:ste:1" version="1">
           <ind:value datatype="record">
             <oval-def:field name="#" operation="pattern match">.*</oval-def:field>
           </ind:value>
         </ind:yamlfilecontent_state>
+        <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_eviction_thresholds_set_soft_memory_available_master:ste:1" version="1">
+          <ind:value datatype="record">
+            <oval-def:field name="#" datatype="string" operation="equals" var_ref="oval:ssg-var_kubelet_evictionsoft_memory_available:var:1"/>
+          </ind:value>
+        </ind:yamlfilecontent_state>
         <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_eviction_thresholds_set_soft_memory_available_worker:ste:1" version="1">
+          <ind:value datatype="record">
+            <oval-def:field name="#" datatype="string" operation="equals" var_ref="oval:ssg-var_kubelet_evictionsoft_memory_available:var:1"/>
+          </ind:value>
+        </ind:yamlfilecontent_state>
+        <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_eviction_thresholds_set_soft_nodefs_available_deprecated:ste:1" version="1">
           <ind:value datatype="record">
             <oval-def:field name="#" operation="pattern match">.*</oval-def:field>
           </ind:value>
         </ind:yamlfilecontent_state>
+        <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_eviction_thresholds_set_soft_nodefs_available_master:ste:1" version="1">
+          <ind:value datatype="record">
+            <oval-def:field name="#" datatype="string" operation="equals" var_ref="oval:ssg-var_kubelet_evictionsoft_nodefs_available:var:1"/>
+          </ind:value>
+        </ind:yamlfilecontent_state>
         <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_eviction_thresholds_set_soft_nodefs_available_worker:ste:1" version="1">
+          <ind:value datatype="record">
+            <oval-def:field name="#" datatype="string" operation="equals" var_ref="oval:ssg-var_kubelet_evictionsoft_nodefs_available:var:1"/>
+          </ind:value>
+        </ind:yamlfilecontent_state>
+        <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_deprecated:ste:1" version="1">
           <ind:value datatype="record">
             <oval-def:field name="#" operation="pattern match">.*</oval-def:field>
           </ind:value>
         </ind:yamlfilecontent_state>
+        <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_master:ste:1" version="1">
+          <ind:value datatype="record">
+            <oval-def:field name="#" datatype="string" operation="equals" var_ref="oval:ssg-var_kubelet_evictionsoft_nodefs_inodesfree:var:1"/>
+          </ind:value>
+        </ind:yamlfilecontent_state>
         <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_worker:ste:1" version="1">
           <ind:value datatype="record">
-            <oval-def:field name="#" operation="pattern match">.*</oval-def:field>
+            <oval-def:field name="#" datatype="string" operation="equals" var_ref="oval:ssg-var_kubelet_evictionsoft_nodefs_inodesfree:var:1"/>
+          </ind:value>
+        </ind:yamlfilecontent_state>
+        <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_read_only_port_secured_deprecated:ste:1" version="1">
+          <ind:value datatype="record">
+            <oval-def:field name="#" operation="equals">0</oval-def:field>
+          </ind:value>
+        </ind:yamlfilecontent_state>
+        <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_read_only_port_secured_master:ste:1" version="1">
+          <ind:value datatype="record">
+            <oval-def:field name="#" operation="equals">0</oval-def:field>
           </ind:value>
         </ind:yamlfilecontent_state>
         <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_read_only_port_secured_worker:ste:1" version="1">
@@ -26769,12 +31744,12 @@ critical for OpenShift security.</xccdf-1.2:rationale>
             <oval-def:field name="#" operation="equals">0</oval-def:field>
           </ind:value>
         </ind:yamlfilecontent_state>
-        <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_test:ste:1" version="1">
+        <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_test_cipher_master:ste:1" version="1">
           <ind:value datatype="record">
-            <oval-def:field name="#" operation="pattern match">true</oval-def:field>
+            <oval-def:field name="#" operation="pattern match" var_ref="oval:ssg-var_kubelet_tls_cipher_suites_regex:var:1"/>
           </ind:value>
         </ind:yamlfilecontent_state>
-        <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_test_cipher:ste:1" version="1">
+        <ind:yamlfilecontent_state id="oval:ssg-state_kubelet_test_cipher_worker:ste:1" version="1">
           <ind:value datatype="record">
             <oval-def:field name="#" operation="pattern match" var_ref="oval:ssg-var_kubelet_tls_cipher_suites_regex:var:1"/>
           </ind:value>
@@ -26801,7 +31776,7 @@ critical for OpenShift security.</xccdf-1.2:rationale>
         </ind:yamlfilecontent_state>
         <ind:yamlfilecontent_state id="oval:ssg-state_oauthclient_inactivity_timeout:ste:1" version="1">
           <ind:value datatype="record" entity_check="all">
-            <oval-def:field name="#" datatype="string" operation="equals" var_ref="oval:ssg-var_oauth_inactivity_timeout:var:1"/>
+            <oval-def:field name="#" datatype="string" operation="equals" var_ref="oval:ssg-var_access_token_inactivity_timeout_seconds:var:1"/>
           </ind:value>
         </ind:yamlfilecontent_state>
         <ind:variable_state id="oval:ssg-state_elements_count_for_oauthclient_token_maxage:ste:1" version="1">
@@ -27451,6 +32426,12 @@ critical for OpenShift security.</xccdf-1.2:rationale>
             <oval-def:literal_component>/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430</oval-def:literal_component>
           </oval-def:concat>
         </oval-def:local_variable>
+        <oval-def:local_variable id="oval:ssg-local_variable_api_server_bind_address:var:1" datatype="string" comment="Captured value to be compared with XCCDF value" version="1">
+          <oval-def:regex_capture pattern="(.+)">
+            <oval-def:object_component item_field="value" record_field="#" object_ref="oval:ssg-object_api_server_bind_address:obj:1"/>
+          </oval-def:regex_capture>
+        </oval-def:local_variable>
+        <oval-def:external_variable comment="variable" datatype="string" id="oval:ssg-var_apiserver_bind_address:var:1" version="1"/>
         <oval-def:local_variable id="oval:ssg-api_server_client_ca_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
           <oval-def:concat>
             <oval-def:variable_component var_ref="oval:ssg-ocp_data_root:var:1"/>
@@ -27856,16 +32837,10 @@ critical for OpenShift security.</xccdf-1.2:rationale>
             <oval-def:literal_component>/apis/apps/v1/namespaces/openshift-sdn/daemonsets/sdn</oval-def:literal_component>
           </oval-def:concat>
         </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-fips_mode_enabled_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-ocp_data_root:var:1"/>
-            <oval-def:literal_component>/apis/machineconfiguration.openshift.io/v1/machineconfigs/99-master-fips</oval-def:literal_component>
-          </oval-def:concat>
-        </oval-def:local_variable>
         <oval-def:local_variable id="oval:ssg-fips_mode_enabled_on_all_nodes_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
           <oval-def:concat>
             <oval-def:variable_component var_ref="oval:ssg-ocp_data_root:var:1"/>
-            <oval-def:literal_component>/apis/machineconfiguration.openshift.io/v1/machineconfigs#191c7889a801949fcc07c8f067ca719c614388ea53f4b96b7148c57799e423b3</oval-def:literal_component>
+            <oval-def:literal_component>/apis/machineconfiguration.openshift.io/v1/machineconfigs#ab7e02a1c3f44ae48f843ce3dee7b948d624d2f702b9428760efbfd4653847ba</oval-def:literal_component>
           </oval-def:concat>
         </oval-def:local_variable>
         <oval-def:local_variable id="oval:ssg-gcp_disk_encryption_enabled_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
@@ -27908,17 +32883,84 @@ critical for OpenShift security.</xccdf-1.2:rationale>
             <oval-def:literal_component>/api/v1/namespaces/kube-system/secrets/kubeadmin</oval-def:literal_component>
           </oval-def:concat>
         </oval-def:local_variable>
+        <oval-def:local_variable id="oval:ssg-kubelet_anonymous_auth_deprecated_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
+          <oval-def:literal_component>/etc/kubernetes/kubelet.conf</oval-def:literal_component>
+        </oval-def:local_variable>
+        <oval-def:local_variable id="oval:ssg-kubelet_anonymous_auth_master_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
+          <oval-def:concat>
+            <oval-def:variable_component var_ref="oval:ssg-ocp_data_root:var:1"/>
+            <oval-def:literal_component>/kubeletconfig/role</oval-def:literal_component>
+            <oval-def:literal_component>/</oval-def:literal_component>
+            <oval-def:variable_component var_ref="oval:ssg-var_role_master:var:1"/>
+          </oval-def:concat>
+        </oval-def:local_variable>
+        <oval-def:external_variable comment="File Path Suffix" datatype="string" id="oval:ssg-var_role_master:var:1" version="1"/>
         <oval-def:local_variable id="oval:ssg-kubelet_anonymous_auth_worker_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
+          <oval-def:concat>
+            <oval-def:variable_component var_ref="oval:ssg-ocp_data_root:var:1"/>
+            <oval-def:literal_component>/kubeletconfig/role</oval-def:literal_component>
+            <oval-def:literal_component>/</oval-def:literal_component>
+            <oval-def:variable_component var_ref="oval:ssg-var_role_worker:var:1"/>
+          </oval-def:concat>
+        </oval-def:local_variable>
+        <oval-def:external_variable comment="File Path Suffix" datatype="string" id="oval:ssg-var_role_worker:var:1" version="1"/>
+        <oval-def:local_variable id="oval:ssg-kubelet_authorization_mode_deprecated_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
           <oval-def:literal_component>/etc/kubernetes/kubelet.conf</oval-def:literal_component>
         </oval-def:local_variable>
+        <oval-def:local_variable id="oval:ssg-kubelet_authorization_mode_master_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
+          <oval-def:concat>
+            <oval-def:variable_component var_ref="oval:ssg-ocp_data_root:var:1"/>
+            <oval-def:literal_component>/kubeletconfig/role</oval-def:literal_component>
+            <oval-def:literal_component>/</oval-def:literal_component>
+            <oval-def:variable_component var_ref="oval:ssg-var_role_master:var:1"/>
+          </oval-def:concat>
+        </oval-def:local_variable>
         <oval-def:local_variable id="oval:ssg-kubelet_authorization_mode_worker_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
+          <oval-def:concat>
+            <oval-def:variable_component var_ref="oval:ssg-ocp_data_root:var:1"/>
+            <oval-def:literal_component>/kubeletconfig/role</oval-def:literal_component>
+            <oval-def:literal_component>/</oval-def:literal_component>
+            <oval-def:variable_component var_ref="oval:ssg-var_role_worker:var:1"/>
+          </oval-def:concat>
+        </oval-def:local_variable>
+        <oval-def:local_variable id="oval:ssg-kubelet_configure_client_ca_deprecated_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
           <oval-def:literal_component>/etc/kubernetes/kubelet.conf</oval-def:literal_component>
         </oval-def:local_variable>
+        <oval-def:local_variable id="oval:ssg-kubelet_configure_client_ca_master_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
+          <oval-def:concat>
+            <oval-def:variable_component var_ref="oval:ssg-ocp_data_root:var:1"/>
+            <oval-def:literal_component>/kubeletconfig/role</oval-def:literal_component>
+            <oval-def:literal_component>/</oval-def:literal_component>
+            <oval-def:variable_component var_ref="oval:ssg-var_role_master:var:1"/>
+          </oval-def:concat>
+        </oval-def:local_variable>
         <oval-def:local_variable id="oval:ssg-kubelet_configure_client_ca_worker_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
+          <oval-def:concat>
+            <oval-def:variable_component var_ref="oval:ssg-ocp_data_root:var:1"/>
+            <oval-def:literal_component>/kubeletconfig/role</oval-def:literal_component>
+            <oval-def:literal_component>/</oval-def:literal_component>
+            <oval-def:variable_component var_ref="oval:ssg-var_role_worker:var:1"/>
+          </oval-def:concat>
+        </oval-def:local_variable>
+        <oval-def:local_variable id="oval:ssg-kubelet_configure_event_creation_deprecated_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
           <oval-def:literal_component>/etc/kubernetes/kubelet.conf</oval-def:literal_component>
         </oval-def:local_variable>
+        <oval-def:local_variable id="oval:ssg-kubelet_configure_event_creation_master_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
+          <oval-def:concat>
+            <oval-def:variable_component var_ref="oval:ssg-ocp_data_root:var:1"/>
+            <oval-def:literal_component>/kubeletconfig/role</oval-def:literal_component>
+            <oval-def:literal_component>/</oval-def:literal_component>
+            <oval-def:variable_component var_ref="oval:ssg-var_role_master:var:1"/>
+          </oval-def:concat>
+        </oval-def:local_variable>
+        <oval-def:external_variable comment="variable" datatype="string" id="oval:ssg-var_event_record_qps:var:1" version="1"/>
         <oval-def:local_variable id="oval:ssg-kubelet_configure_event_creation_worker_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
-          <oval-def:literal_component>/etc/kubernetes/kubelet.conf</oval-def:literal_component>
+          <oval-def:concat>
+            <oval-def:variable_component var_ref="oval:ssg-ocp_data_root:var:1"/>
+            <oval-def:literal_component>/kubeletconfig/role</oval-def:literal_component>
+            <oval-def:literal_component>/</oval-def:literal_component>
+            <oval-def:variable_component var_ref="oval:ssg-var_role_worker:var:1"/>
+          </oval-def:concat>
         </oval-def:local_variable>
         <oval-def:local_variable id="oval:ssg-kubelet_configure_tls_cert_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
           <oval-def:concat>
@@ -27937,6 +32979,10 @@ critical for OpenShift security.</xccdf-1.2:rationale>
             <oval-def:literal_component>/api/v1/namespaces/openshift-kube-apiserver/configmaps/config</oval-def:literal_component>
           </oval-def:concat>
         </oval-def:local_variable>
+        <oval-def:local_variable id="oval:ssg-kubelet_configure_tls_cipher_suites_deprecated_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
+          <oval-def:literal_component>/etc/kubernetes/kubelet.conf</oval-def:literal_component>
+        </oval-def:local_variable>
+        <oval-def:external_variable comment="variable" datatype="string" id="oval:ssg-var_kubelet_tls_cipher_suites_regex:var:1" version="1"/>
         <oval-def:local_variable id="oval:ssg-kubelet_configure_tls_cipher_suites_ingresscontroller_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
           <oval-def:concat>
             <oval-def:variable_component var_ref="oval:ssg-ocp_data_root:var:1"/>
@@ -27949,6 +32995,14 @@ critical for OpenShift security.</xccdf-1.2:rationale>
             <oval-def:literal_component>/apis/operator.openshift.io/v1/kubeapiservers/cluster</oval-def:literal_component>
           </oval-def:concat>
         </oval-def:local_variable>
+        <oval-def:local_variable id="oval:ssg-kubelet_configure_tls_cipher_suites_master_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
+          <oval-def:concat>
+            <oval-def:variable_component var_ref="oval:ssg-ocp_data_root:var:1"/>
+            <oval-def:literal_component>/kubeletconfig/role</oval-def:literal_component>
+            <oval-def:literal_component>/</oval-def:literal_component>
+            <oval-def:variable_component var_ref="oval:ssg-var_role_master:var:1"/>
+          </oval-def:concat>
+        </oval-def:local_variable>
         <oval-def:local_variable id="oval:ssg-kubelet_configure_tls_cipher_suites_openshiftapiserver_operator_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
           <oval-def:concat>
             <oval-def:variable_component var_ref="oval:ssg-ocp_data_root:var:1"/>
@@ -27956,9 +33010,13 @@ critical for OpenShift security.</xccdf-1.2:rationale>
           </oval-def:concat>
         </oval-def:local_variable>
         <oval-def:local_variable id="oval:ssg-kubelet_configure_tls_cipher_suites_worker_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
-          <oval-def:literal_component>/etc/kubernetes/kubelet.conf</oval-def:literal_component>
+          <oval-def:concat>
+            <oval-def:variable_component var_ref="oval:ssg-ocp_data_root:var:1"/>
+            <oval-def:literal_component>/kubeletconfig/role</oval-def:literal_component>
+            <oval-def:literal_component>/</oval-def:literal_component>
+            <oval-def:variable_component var_ref="oval:ssg-var_role_worker:var:1"/>
+          </oval-def:concat>
         </oval-def:local_variable>
-        <oval-def:external_variable comment="variable" datatype="string" id="oval:ssg-var_kubelet_tls_cipher_suites_regex:var:1" version="1"/>
         <oval-def:local_variable id="oval:ssg-kubelet_configure_tls_key_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
           <oval-def:concat>
             <oval-def:variable_component var_ref="oval:ssg-ocp_data_root:var:1"/>
@@ -27982,79 +33040,341 @@ critical for OpenShift security.</xccdf-1.2:rationale>
             <oval-def:literal_component>/api/v1/namespaces/openshift-kube-apiserver/configmaps/config#54842ba5cf821644f2727625c1518eba2de6e6b7ae318043d0bf7ccc9570e430</oval-def:literal_component>
           </oval-def:concat>
         </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-kubelet_enable_cert_rotation_worker_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
+        <oval-def:local_variable id="oval:ssg-kubelet_enable_cert_rotation_deprecated_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
           <oval-def:literal_component>/etc/kubernetes/kubelet.conf</oval-def:literal_component>
         </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-kubelet_enable_client_cert_rotation_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
-          <oval-def:literal_component>/etc/kubernetes/kubelet.conf</oval-def:literal_component>
+        <oval-def:local_variable id="oval:ssg-kubelet_enable_cert_rotation_master_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
+          <oval-def:concat>
+            <oval-def:variable_component var_ref="oval:ssg-ocp_data_root:var:1"/>
+            <oval-def:literal_component>/kubeletconfig/role</oval-def:literal_component>
+            <oval-def:literal_component>/</oval-def:literal_component>
+            <oval-def:variable_component var_ref="oval:ssg-var_role_master:var:1"/>
+          </oval-def:concat>
         </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-kubelet_enable_iptables_util_chains_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
+        <oval-def:local_variable id="oval:ssg-kubelet_enable_cert_rotation_worker_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
+          <oval-def:concat>
+            <oval-def:variable_component var_ref="oval:ssg-ocp_data_root:var:1"/>
+            <oval-def:literal_component>/kubeletconfig/role</oval-def:literal_component>
+            <oval-def:literal_component>/</oval-def:literal_component>
+            <oval-def:variable_component var_ref="oval:ssg-var_role_worker:var:1"/>
+          </oval-def:concat>
+        </oval-def:local_variable>
+        <oval-def:local_variable id="oval:ssg-kubelet_enable_client_cert_rotation_master_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
+          <oval-def:concat>
+            <oval-def:variable_component var_ref="oval:ssg-ocp_data_root:var:1"/>
+            <oval-def:literal_component>/kubeletconfig/role</oval-def:literal_component>
+            <oval-def:literal_component>/</oval-def:literal_component>
+            <oval-def:variable_component var_ref="oval:ssg-var_role_master:var:1"/>
+          </oval-def:concat>
+        </oval-def:local_variable>
+        <oval-def:local_variable id="oval:ssg-kubelet_enable_client_cert_rotation_worker_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
+          <oval-def:concat>
+            <oval-def:variable_component var_ref="oval:ssg-ocp_data_root:var:1"/>
+            <oval-def:literal_component>/kubeletconfig/role</oval-def:literal_component>
+            <oval-def:literal_component>/</oval-def:literal_component>
+            <oval-def:variable_component var_ref="oval:ssg-var_role_master:var:1"/>
+          </oval-def:concat>
+        </oval-def:local_variable>
+        <oval-def:local_variable id="oval:ssg-kubelet_enable_iptables_util_chains_deprecated_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
           <oval-def:literal_component>/etc/kubernetes/kubelet.conf</oval-def:literal_component>
         </oval-def:local_variable>
+        <oval-def:local_variable id="oval:ssg-kubelet_enable_iptables_util_chains_master_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
+          <oval-def:concat>
+            <oval-def:variable_component var_ref="oval:ssg-ocp_data_root:var:1"/>
+            <oval-def:literal_component>/kubeletconfig/role</oval-def:literal_component>
+            <oval-def:literal_component>/</oval-def:literal_component>
+            <oval-def:variable_component var_ref="oval:ssg-var_role_master:var:1"/>
+          </oval-def:concat>
+        </oval-def:local_variable>
+        <oval-def:local_variable id="oval:ssg-kubelet_enable_iptables_util_chains_worker_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
+          <oval-def:concat>
+            <oval-def:variable_component var_ref="oval:ssg-ocp_data_root:var:1"/>
+            <oval-def:literal_component>/kubeletconfig/role</oval-def:literal_component>
+            <oval-def:literal_component>/</oval-def:literal_component>
+            <oval-def:variable_component var_ref="oval:ssg-var_role_worker:var:1"/>
+          </oval-def:concat>
+        </oval-def:local_variable>
         <oval-def:local_variable id="oval:ssg-kubelet_enable_protect_kernel_defaults_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
           <oval-def:literal_component>/etc/kubernetes/kubelet.conf</oval-def:literal_component>
         </oval-def:local_variable>
+        <oval-def:local_variable id="oval:ssg-kubelet_enable_server_cert_rotation_deprecated_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
+          <oval-def:literal_component>/etc/kubernetes/kubelet.conf</oval-def:literal_component>
+        </oval-def:local_variable>
+        <oval-def:local_variable id="oval:ssg-kubelet_enable_server_cert_rotation_master_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
+          <oval-def:concat>
+            <oval-def:variable_component var_ref="oval:ssg-ocp_data_root:var:1"/>
+            <oval-def:literal_component>/kubeletconfig/role</oval-def:literal_component>
+            <oval-def:literal_component>/</oval-def:literal_component>
+            <oval-def:variable_component var_ref="oval:ssg-var_role_master:var:1"/>
+          </oval-def:concat>
+        </oval-def:local_variable>
         <oval-def:local_variable id="oval:ssg-kubelet_enable_server_cert_rotation_worker_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
+          <oval-def:concat>
+            <oval-def:variable_component var_ref="oval:ssg-ocp_data_root:var:1"/>
+            <oval-def:literal_component>/kubeletconfig/role</oval-def:literal_component>
+            <oval-def:literal_component>/</oval-def:literal_component>
+            <oval-def:variable_component var_ref="oval:ssg-var_role_worker:var:1"/>
+          </oval-def:concat>
+        </oval-def:local_variable>
+        <oval-def:local_variable id="oval:ssg-kubelet_enable_streaming_connections_deprecated_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
           <oval-def:literal_component>/etc/kubernetes/kubelet.conf</oval-def:literal_component>
         </oval-def:local_variable>
+        <oval-def:external_variable comment="variable" datatype="string" id="oval:ssg-var_streaming_connection_timeouts:var:1" version="1"/>
+        <oval-def:local_variable id="oval:ssg-kubelet_enable_streaming_connections_master_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
+          <oval-def:concat>
+            <oval-def:variable_component var_ref="oval:ssg-ocp_data_root:var:1"/>
+            <oval-def:literal_component>/kubeletconfig/role</oval-def:literal_component>
+            <oval-def:literal_component>/</oval-def:literal_component>
+            <oval-def:variable_component var_ref="oval:ssg-var_role_master:var:1"/>
+          </oval-def:concat>
+        </oval-def:local_variable>
         <oval-def:local_variable id="oval:ssg-kubelet_enable_streaming_connections_worker_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
+          <oval-def:concat>
+            <oval-def:variable_component var_ref="oval:ssg-ocp_data_root:var:1"/>
+            <oval-def:literal_component>/kubeletconfig/role</oval-def:literal_component>
+            <oval-def:literal_component>/</oval-def:literal_component>
+            <oval-def:variable_component var_ref="oval:ssg-var_role_worker:var:1"/>
+          </oval-def:concat>
+        </oval-def:local_variable>
+        <oval-def:local_variable id="oval:ssg-kubelet_eviction_thresholds_set_hard_imagefs_available_deprecated_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
           <oval-def:literal_component>/etc/kubernetes/kubelet.conf</oval-def:literal_component>
         </oval-def:local_variable>
-        <oval-def:external_variable comment="variable" datatype="string" id="oval:ssg-var_streaming_connection_timeouts:var:1" version="1"/>
+        <oval-def:local_variable id="oval:ssg-kubelet_eviction_thresholds_set_hard_imagefs_available_master_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
+          <oval-def:concat>
+            <oval-def:variable_component var_ref="oval:ssg-ocp_data_root:var:1"/>
+            <oval-def:literal_component>/kubeletconfig/role</oval-def:literal_component>
+            <oval-def:literal_component>/</oval-def:literal_component>
+            <oval-def:variable_component var_ref="oval:ssg-var_role_master:var:1"/>
+          </oval-def:concat>
+        </oval-def:local_variable>
+        <oval-def:external_variable comment="variable" datatype="string" id="oval:ssg-var_kubelet_evictionhard_imagefs_available:var:1" version="1"/>
         <oval-def:local_variable id="oval:ssg-kubelet_eviction_thresholds_set_hard_imagefs_available_worker_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
+          <oval-def:concat>
+            <oval-def:variable_component var_ref="oval:ssg-ocp_data_root:var:1"/>
+            <oval-def:literal_component>/kubeletconfig/role</oval-def:literal_component>
+            <oval-def:literal_component>/</oval-def:literal_component>
+            <oval-def:variable_component var_ref="oval:ssg-var_role_worker:var:1"/>
+          </oval-def:concat>
+        </oval-def:local_variable>
+        <oval-def:local_variable id="oval:ssg-kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_deprecated_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
           <oval-def:literal_component>/etc/kubernetes/kubelet.conf</oval-def:literal_component>
         </oval-def:local_variable>
+        <oval-def:local_variable id="oval:ssg-kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_master_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
+          <oval-def:concat>
+            <oval-def:variable_component var_ref="oval:ssg-ocp_data_root:var:1"/>
+            <oval-def:literal_component>/kubeletconfig/role</oval-def:literal_component>
+            <oval-def:literal_component>/</oval-def:literal_component>
+            <oval-def:variable_component var_ref="oval:ssg-var_role_master:var:1"/>
+          </oval-def:concat>
+        </oval-def:local_variable>
+        <oval-def:external_variable comment="variable" datatype="string" id="oval:ssg-var_kubelet_evictionhard_imagefs_inodesfree:var:1" version="1"/>
         <oval-def:local_variable id="oval:ssg-kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_worker_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
+          <oval-def:concat>
+            <oval-def:variable_component var_ref="oval:ssg-ocp_data_root:var:1"/>
+            <oval-def:literal_component>/kubeletconfig/role</oval-def:literal_component>
+            <oval-def:literal_component>/</oval-def:literal_component>
+            <oval-def:variable_component var_ref="oval:ssg-var_role_worker:var:1"/>
+          </oval-def:concat>
+        </oval-def:local_variable>
+        <oval-def:local_variable id="oval:ssg-kubelet_eviction_thresholds_set_hard_memory_available_deprecated_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
           <oval-def:literal_component>/etc/kubernetes/kubelet.conf</oval-def:literal_component>
         </oval-def:local_variable>
+        <oval-def:local_variable id="oval:ssg-kubelet_eviction_thresholds_set_hard_memory_available_master_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
+          <oval-def:concat>
+            <oval-def:variable_component var_ref="oval:ssg-ocp_data_root:var:1"/>
+            <oval-def:literal_component>/kubeletconfig/role</oval-def:literal_component>
+            <oval-def:literal_component>/</oval-def:literal_component>
+            <oval-def:variable_component var_ref="oval:ssg-var_role_master:var:1"/>
+          </oval-def:concat>
+        </oval-def:local_variable>
+        <oval-def:external_variable comment="variable" datatype="string" id="oval:ssg-var_kubelet_evictionhard_memory_available:var:1" version="1"/>
         <oval-def:local_variable id="oval:ssg-kubelet_eviction_thresholds_set_hard_memory_available_worker_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
+          <oval-def:concat>
+            <oval-def:variable_component var_ref="oval:ssg-ocp_data_root:var:1"/>
+            <oval-def:literal_component>/kubeletconfig/role</oval-def:literal_component>
+            <oval-def:literal_component>/</oval-def:literal_component>
+            <oval-def:variable_component var_ref="oval:ssg-var_role_worker:var:1"/>
+          </oval-def:concat>
+        </oval-def:local_variable>
+        <oval-def:local_variable id="oval:ssg-kubelet_eviction_thresholds_set_hard_nodefs_available_deprecated_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
           <oval-def:literal_component>/etc/kubernetes/kubelet.conf</oval-def:literal_component>
         </oval-def:local_variable>
+        <oval-def:local_variable id="oval:ssg-kubelet_eviction_thresholds_set_hard_nodefs_available_master_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
+          <oval-def:concat>
+            <oval-def:variable_component var_ref="oval:ssg-ocp_data_root:var:1"/>
+            <oval-def:literal_component>/kubeletconfig/role</oval-def:literal_component>
+            <oval-def:literal_component>/</oval-def:literal_component>
+            <oval-def:variable_component var_ref="oval:ssg-var_role_master:var:1"/>
+          </oval-def:concat>
+        </oval-def:local_variable>
+        <oval-def:external_variable comment="variable" datatype="string" id="oval:ssg-var_kubelet_evictionhard_nodefs_available:var:1" version="1"/>
         <oval-def:local_variable id="oval:ssg-kubelet_eviction_thresholds_set_hard_nodefs_available_worker_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
+          <oval-def:concat>
+            <oval-def:variable_component var_ref="oval:ssg-ocp_data_root:var:1"/>
+            <oval-def:literal_component>/kubeletconfig/role</oval-def:literal_component>
+            <oval-def:literal_component>/</oval-def:literal_component>
+            <oval-def:variable_component var_ref="oval:ssg-var_role_worker:var:1"/>
+          </oval-def:concat>
+        </oval-def:local_variable>
+        <oval-def:local_variable id="oval:ssg-kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_deprecated_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
           <oval-def:literal_component>/etc/kubernetes/kubelet.conf</oval-def:literal_component>
         </oval-def:local_variable>
+        <oval-def:local_variable id="oval:ssg-kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_master_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
+          <oval-def:concat>
+            <oval-def:variable_component var_ref="oval:ssg-ocp_data_root:var:1"/>
+            <oval-def:literal_component>/kubeletconfig/role</oval-def:literal_component>
+            <oval-def:literal_component>/</oval-def:literal_component>
+            <oval-def:variable_component var_ref="oval:ssg-var_role_master:var:1"/>
+          </oval-def:concat>
+        </oval-def:local_variable>
+        <oval-def:external_variable comment="variable" datatype="string" id="oval:ssg-var_kubelet_evictionhard_nodefs_inodesfree:var:1" version="1"/>
         <oval-def:local_variable id="oval:ssg-kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_worker_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
+          <oval-def:concat>
+            <oval-def:variable_component var_ref="oval:ssg-ocp_data_root:var:1"/>
+            <oval-def:literal_component>/kubeletconfig/role</oval-def:literal_component>
+            <oval-def:literal_component>/</oval-def:literal_component>
+            <oval-def:variable_component var_ref="oval:ssg-var_role_worker:var:1"/>
+          </oval-def:concat>
+        </oval-def:local_variable>
+        <oval-def:local_variable id="oval:ssg-kubelet_eviction_thresholds_set_soft_imagefs_available_deprecated_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
           <oval-def:literal_component>/etc/kubernetes/kubelet.conf</oval-def:literal_component>
         </oval-def:local_variable>
+        <oval-def:local_variable id="oval:ssg-kubelet_eviction_thresholds_set_soft_imagefs_available_master_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
+          <oval-def:concat>
+            <oval-def:variable_component var_ref="oval:ssg-ocp_data_root:var:1"/>
+            <oval-def:literal_component>/kubeletconfig/role</oval-def:literal_component>
+            <oval-def:literal_component>/</oval-def:literal_component>
+            <oval-def:variable_component var_ref="oval:ssg-var_role_master:var:1"/>
+          </oval-def:concat>
+        </oval-def:local_variable>
+        <oval-def:external_variable comment="variable" datatype="string" id="oval:ssg-var_kubelet_evictionsoft_imagefs_available:var:1" version="1"/>
         <oval-def:local_variable id="oval:ssg-kubelet_eviction_thresholds_set_soft_imagefs_available_worker_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
+          <oval-def:concat>
+            <oval-def:variable_component var_ref="oval:ssg-ocp_data_root:var:1"/>
+            <oval-def:literal_component>/kubeletconfig/role</oval-def:literal_component>
+            <oval-def:literal_component>/</oval-def:literal_component>
+            <oval-def:variable_component var_ref="oval:ssg-var_role_worker:var:1"/>
+          </oval-def:concat>
+        </oval-def:local_variable>
+        <oval-def:local_variable id="oval:ssg-kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_deprecated_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
           <oval-def:literal_component>/etc/kubernetes/kubelet.conf</oval-def:literal_component>
         </oval-def:local_variable>
+        <oval-def:local_variable id="oval:ssg-kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_master_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
+          <oval-def:concat>
+            <oval-def:variable_component var_ref="oval:ssg-ocp_data_root:var:1"/>
+            <oval-def:literal_component>/kubeletconfig/role</oval-def:literal_component>
+            <oval-def:literal_component>/</oval-def:literal_component>
+            <oval-def:variable_component var_ref="oval:ssg-var_role_master:var:1"/>
+          </oval-def:concat>
+        </oval-def:local_variable>
+        <oval-def:external_variable comment="variable" datatype="string" id="oval:ssg-var_kubelet_evictionsoft_imagefs_inodesfree:var:1" version="1"/>
         <oval-def:local_variable id="oval:ssg-kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_worker_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
+          <oval-def:concat>
+            <oval-def:variable_component var_ref="oval:ssg-ocp_data_root:var:1"/>
+            <oval-def:literal_component>/kubeletconfig/role</oval-def:literal_component>
+            <oval-def:literal_component>/</oval-def:literal_component>
+            <oval-def:variable_component var_ref="oval:ssg-var_role_worker:var:1"/>
+          </oval-def:concat>
+        </oval-def:local_variable>
+        <oval-def:local_variable id="oval:ssg-kubelet_eviction_thresholds_set_soft_memory_available_deprecated_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
           <oval-def:literal_component>/etc/kubernetes/kubelet.conf</oval-def:literal_component>
         </oval-def:local_variable>
+        <oval-def:local_variable id="oval:ssg-kubelet_eviction_thresholds_set_soft_memory_available_master_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
+          <oval-def:concat>
+            <oval-def:variable_component var_ref="oval:ssg-ocp_data_root:var:1"/>
+            <oval-def:literal_component>/kubeletconfig/role</oval-def:literal_component>
+            <oval-def:literal_component>/</oval-def:literal_component>
+            <oval-def:variable_component var_ref="oval:ssg-var_role_master:var:1"/>
+          </oval-def:concat>
+        </oval-def:local_variable>
+        <oval-def:external_variable comment="variable" datatype="string" id="oval:ssg-var_kubelet_evictionsoft_memory_available:var:1" version="1"/>
         <oval-def:local_variable id="oval:ssg-kubelet_eviction_thresholds_set_soft_memory_available_worker_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
+          <oval-def:concat>
+            <oval-def:variable_component var_ref="oval:ssg-ocp_data_root:var:1"/>
+            <oval-def:literal_component>/kubeletconfig/role</oval-def:literal_component>
+            <oval-def:literal_component>/</oval-def:literal_component>
+            <oval-def:variable_component var_ref="oval:ssg-var_role_worker:var:1"/>
+          </oval-def:concat>
+        </oval-def:local_variable>
+        <oval-def:local_variable id="oval:ssg-kubelet_eviction_thresholds_set_soft_nodefs_available_deprecated_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
           <oval-def:literal_component>/etc/kubernetes/kubelet.conf</oval-def:literal_component>
         </oval-def:local_variable>
+        <oval-def:local_variable id="oval:ssg-kubelet_eviction_thresholds_set_soft_nodefs_available_master_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
+          <oval-def:concat>
+            <oval-def:variable_component var_ref="oval:ssg-ocp_data_root:var:1"/>
+            <oval-def:literal_component>/kubeletconfig/role</oval-def:literal_component>
+            <oval-def:literal_component>/</oval-def:literal_component>
+            <oval-def:variable_component var_ref="oval:ssg-var_role_master:var:1"/>
+          </oval-def:concat>
+        </oval-def:local_variable>
+        <oval-def:external_variable comment="variable" datatype="string" id="oval:ssg-var_kubelet_evictionsoft_nodefs_available:var:1" version="1"/>
         <oval-def:local_variable id="oval:ssg-kubelet_eviction_thresholds_set_soft_nodefs_available_worker_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
+          <oval-def:concat>
+            <oval-def:variable_component var_ref="oval:ssg-ocp_data_root:var:1"/>
+            <oval-def:literal_component>/kubeletconfig/role</oval-def:literal_component>
+            <oval-def:literal_component>/</oval-def:literal_component>
+            <oval-def:variable_component var_ref="oval:ssg-var_role_worker:var:1"/>
+          </oval-def:concat>
+        </oval-def:local_variable>
+        <oval-def:local_variable id="oval:ssg-kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_deprecated_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
           <oval-def:literal_component>/etc/kubernetes/kubelet.conf</oval-def:literal_component>
         </oval-def:local_variable>
+        <oval-def:local_variable id="oval:ssg-kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_master_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
+          <oval-def:concat>
+            <oval-def:variable_component var_ref="oval:ssg-ocp_data_root:var:1"/>
+            <oval-def:literal_component>/kubeletconfig/role</oval-def:literal_component>
+            <oval-def:literal_component>/</oval-def:literal_component>
+            <oval-def:variable_component var_ref="oval:ssg-var_role_master:var:1"/>
+          </oval-def:concat>
+        </oval-def:local_variable>
+        <oval-def:external_variable comment="variable" datatype="string" id="oval:ssg-var_kubelet_evictionsoft_nodefs_inodesfree:var:1" version="1"/>
         <oval-def:local_variable id="oval:ssg-kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_worker_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
+          <oval-def:concat>
+            <oval-def:variable_component var_ref="oval:ssg-ocp_data_root:var:1"/>
+            <oval-def:literal_component>/kubeletconfig/role</oval-def:literal_component>
+            <oval-def:literal_component>/</oval-def:literal_component>
+            <oval-def:variable_component var_ref="oval:ssg-var_role_worker:var:1"/>
+          </oval-def:concat>
+        </oval-def:local_variable>
+        <oval-def:local_variable id="oval:ssg-kubelet_read_only_port_secured_deprecated_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
           <oval-def:literal_component>/etc/kubernetes/kubelet.conf</oval-def:literal_component>
         </oval-def:local_variable>
+        <oval-def:local_variable id="oval:ssg-kubelet_read_only_port_secured_master_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
+          <oval-def:concat>
+            <oval-def:variable_component var_ref="oval:ssg-ocp_data_root:var:1"/>
+            <oval-def:literal_component>/kubeletconfig/role</oval-def:literal_component>
+            <oval-def:literal_component>/</oval-def:literal_component>
+            <oval-def:variable_component var_ref="oval:ssg-var_role_master:var:1"/>
+          </oval-def:concat>
+        </oval-def:local_variable>
         <oval-def:local_variable id="oval:ssg-kubelet_read_only_port_secured_worker_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
-          <oval-def:literal_component>/etc/kubernetes/kubelet.conf</oval-def:literal_component>
+          <oval-def:concat>
+            <oval-def:variable_component var_ref="oval:ssg-ocp_data_root:var:1"/>
+            <oval-def:literal_component>/kubeletconfig/role</oval-def:literal_component>
+            <oval-def:literal_component>/</oval-def:literal_component>
+            <oval-def:variable_component var_ref="oval:ssg-var_role_worker:var:1"/>
+          </oval-def:concat>
         </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-kubelet_test_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
+        <oval-def:local_variable id="oval:ssg-kubelet_test_cipher_master_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
           <oval-def:concat>
             <oval-def:variable_component var_ref="oval:ssg-ocp_data_root:var:1"/>
             <oval-def:literal_component>/kubeletconfig/role</oval-def:literal_component>
             <oval-def:literal_component>/</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_role:var:1"/>
+            <oval-def:variable_component var_ref="oval:ssg-var_role_master:var:1"/>
           </oval-def:concat>
         </oval-def:local_variable>
-        <oval-def:external_variable comment="File Path Suffix" datatype="string" id="oval:ssg-var_role:var:1" version="1"/>
-        <oval-def:local_variable id="oval:ssg-kubelet_test_cipher_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
+        <oval-def:local_variable id="oval:ssg-kubelet_test_cipher_worker_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
           <oval-def:concat>
             <oval-def:variable_component var_ref="oval:ssg-ocp_data_root:var:1"/>
             <oval-def:literal_component>/kubeletconfig/role</oval-def:literal_component>
             <oval-def:literal_component>/</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_role:var:1"/>
+            <oval-def:variable_component var_ref="oval:ssg-var_role_worker:var:1"/>
           </oval-def:concat>
         </oval-def:local_variable>
         <oval-def:local_variable id="oval:ssg-luks_enabled_on_all_nodes_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
           <oval-def:concat>
             <oval-def:variable_component var_ref="oval:ssg-ocp_data_root:var:1"/>
-            <oval-def:literal_component>/apis/machineconfiguration.openshift.io/v1/machineconfigs#136fe907b51dc9ea5011707799731b533561dab4b043f086f36c0b5c9c288414</oval-def:literal_component>
+            <oval-def:literal_component>/apis/machineconfiguration.openshift.io/v1/machineconfigs#9fab597988075d76a1c081cdc533f05623251a854b9936a08ae52cca5fc5a311</oval-def:literal_component>
           </oval-def:concat>
         </oval-def:local_variable>
         <oval-def:local_variable id="oval:ssg-oauth_inactivity_timeout_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
@@ -28082,6 +33402,7 @@ critical for OpenShift security.</xccdf-1.2:rationale>
             <oval-def:literal_component>/apis/oauth.openshift.io/v1/oauthclients</oval-def:literal_component>
           </oval-def:concat>
         </oval-def:local_variable>
+        <oval-def:external_variable comment="variable" datatype="string" id="oval:ssg-var_access_token_inactivity_timeout_seconds:var:1" version="1"/>
         <oval-def:local_variable id="oval:ssg-oauthclient_token_maxage_file_location:var:1" datatype="string" comment="The actual path of the file to scan." version="1">
           <oval-def:concat>
             <oval-def:variable_component var_ref="oval:ssg-ocp_data_root:var:1"/>
@@ -28356,13 +33677,13 @@ critical for OpenShift security.</xccdf-1.2:rationale>
       </oval-def:variables>
     </oval-def:oval_definitions>
   </ds:component>
-  <ds:component id="scap_org.open-scap_comp_ssg-ocp4-ocil.xml" timestamp="2022-08-11T18:55:00">
+  <ds:component id="scap_org.open-scap_comp_ssg-ocp4-ocil.xml" timestamp="2022-10-19T15:33:05">
     <ocil:ocil>
       <ocil:generator>
         <ocil:product_name>build_shorthand.py from SCAP Security Guide</ocil:product_name>
-        <ocil:product_version>ssg: 0.1.64</ocil:product_version>
+        <ocil:product_version>ssg: 0.1.65</ocil:product_version>
         <ocil:schema_version>2.0</ocil:schema_version>
-        <ocil:timestamp>2022-08-11T18:54:57</ocil:timestamp>
+        <ocil:timestamp>2022-10-19T19:33:03</ocil:timestamp>
       </ocil:generator>
       <ocil:questionnaires>
         <ocil:questionnaire id="ocil:ssg-accounts_restrict_service_account_tokens_ocil:questionnaire:1">
@@ -28965,12 +34286,6 @@ critical for OpenShift security.</xccdf-1.2:rationale>
             <ocil:test_action_ref>ocil:ssg-ebs_encryption_enabled_on_machinesets_action:testaction:1</ocil:test_action_ref>
           </ocil:actions>
         </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-fips_mode_enabled_ocil:questionnaire:1">
-          <ocil:title>Ensure that the cluster was installed with FIPS mode enabled</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-fips_mode_enabled_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
         <ocil:questionnaire id="ocil:ssg-fips_mode_enabled_on_all_nodes_ocil:questionnaire:1">
           <ocil:title>Ensure that FIPS mode is enabled on all cluster nodes</ocil:title>
           <ocil:actions>
@@ -29025,24 +34340,96 @@ critical for OpenShift security.</xccdf-1.2:rationale>
             <ocil:test_action_ref>ocil:ssg-reject_unsigned_images_by_default_action:testaction:1</ocil:test_action_ref>
           </ocil:actions>
         </ocil:questionnaire>
+        <ocil:questionnaire id="ocil:ssg-kubelet_anonymous_auth_ocil:questionnaire:1">
+          <ocil:title>Disable Anonymous Authentication to the Kubelet</ocil:title>
+          <ocil:actions>
+            <ocil:test_action_ref>ocil:ssg-kubelet_anonymous_auth_action:testaction:1</ocil:test_action_ref>
+          </ocil:actions>
+        </ocil:questionnaire>
+        <ocil:questionnaire id="ocil:ssg-kubelet_anonymous_auth_deprecated_ocil:questionnaire:1">
+          <ocil:title>Disable Anonymous Authentication to the Kubelet</ocil:title>
+          <ocil:actions>
+            <ocil:test_action_ref>ocil:ssg-kubelet_anonymous_auth_deprecated_action:testaction:1</ocil:test_action_ref>
+          </ocil:actions>
+        </ocil:questionnaire>
+        <ocil:questionnaire id="ocil:ssg-kubelet_anonymous_auth_master_ocil:questionnaire:1">
+          <ocil:title>Disable Anonymous Authentication to the Kubelet</ocil:title>
+          <ocil:actions>
+            <ocil:test_action_ref>ocil:ssg-kubelet_anonymous_auth_master_action:testaction:1</ocil:test_action_ref>
+          </ocil:actions>
+        </ocil:questionnaire>
         <ocil:questionnaire id="ocil:ssg-kubelet_anonymous_auth_worker_ocil:questionnaire:1">
           <ocil:title>Disable Anonymous Authentication to the Kubelet</ocil:title>
           <ocil:actions>
             <ocil:test_action_ref>ocil:ssg-kubelet_anonymous_auth_worker_action:testaction:1</ocil:test_action_ref>
           </ocil:actions>
         </ocil:questionnaire>
+        <ocil:questionnaire id="ocil:ssg-kubelet_authorization_mode_ocil:questionnaire:1">
+          <ocil:title>Ensure authorization is set to Webhook</ocil:title>
+          <ocil:actions>
+            <ocil:test_action_ref>ocil:ssg-kubelet_authorization_mode_action:testaction:1</ocil:test_action_ref>
+          </ocil:actions>
+        </ocil:questionnaire>
+        <ocil:questionnaire id="ocil:ssg-kubelet_authorization_mode_deprecated_ocil:questionnaire:1">
+          <ocil:title>Ensure authorization is set to Webhook</ocil:title>
+          <ocil:actions>
+            <ocil:test_action_ref>ocil:ssg-kubelet_authorization_mode_deprecated_action:testaction:1</ocil:test_action_ref>
+          </ocil:actions>
+        </ocil:questionnaire>
+        <ocil:questionnaire id="ocil:ssg-kubelet_authorization_mode_master_ocil:questionnaire:1">
+          <ocil:title>Ensure authorization is set to Webhook</ocil:title>
+          <ocil:actions>
+            <ocil:test_action_ref>ocil:ssg-kubelet_authorization_mode_master_action:testaction:1</ocil:test_action_ref>
+          </ocil:actions>
+        </ocil:questionnaire>
         <ocil:questionnaire id="ocil:ssg-kubelet_authorization_mode_worker_ocil:questionnaire:1">
           <ocil:title>Ensure authorization is set to Webhook</ocil:title>
           <ocil:actions>
             <ocil:test_action_ref>ocil:ssg-kubelet_authorization_mode_worker_action:testaction:1</ocil:test_action_ref>
           </ocil:actions>
         </ocil:questionnaire>
+        <ocil:questionnaire id="ocil:ssg-kubelet_configure_client_ca_ocil:questionnaire:1">
+          <ocil:title>kubelet - Configure the Client CA Certificate</ocil:title>
+          <ocil:actions>
+            <ocil:test_action_ref>ocil:ssg-kubelet_configure_client_ca_action:testaction:1</ocil:test_action_ref>
+          </ocil:actions>
+        </ocil:questionnaire>
+        <ocil:questionnaire id="ocil:ssg-kubelet_configure_client_ca_deprecated_ocil:questionnaire:1">
+          <ocil:title>kubelet - Configure the Client CA Certificate</ocil:title>
+          <ocil:actions>
+            <ocil:test_action_ref>ocil:ssg-kubelet_configure_client_ca_deprecated_action:testaction:1</ocil:test_action_ref>
+          </ocil:actions>
+        </ocil:questionnaire>
+        <ocil:questionnaire id="ocil:ssg-kubelet_configure_client_ca_master_ocil:questionnaire:1">
+          <ocil:title>kubelet - Configure the Client CA Certificate</ocil:title>
+          <ocil:actions>
+            <ocil:test_action_ref>ocil:ssg-kubelet_configure_client_ca_master_action:testaction:1</ocil:test_action_ref>
+          </ocil:actions>
+        </ocil:questionnaire>
         <ocil:questionnaire id="ocil:ssg-kubelet_configure_client_ca_worker_ocil:questionnaire:1">
           <ocil:title>kubelet - Configure the Client CA Certificate</ocil:title>
           <ocil:actions>
             <ocil:test_action_ref>ocil:ssg-kubelet_configure_client_ca_worker_action:testaction:1</ocil:test_action_ref>
           </ocil:actions>
         </ocil:questionnaire>
+        <ocil:questionnaire id="ocil:ssg-kubelet_configure_event_creation_ocil:questionnaire:1">
+          <ocil:title>Kubelet - Ensure Event Creation Is Configured</ocil:title>
+          <ocil:actions>
+            <ocil:test_action_ref>ocil:ssg-kubelet_configure_event_creation_action:testaction:1</ocil:test_action_ref>
+          </ocil:actions>
+        </ocil:questionnaire>
+        <ocil:questionnaire id="ocil:ssg-kubelet_configure_event_creation_deprecated_ocil:questionnaire:1">
+          <ocil:title>Kubelet - Ensure Event Creation Is Configured</ocil:title>
+          <ocil:actions>
+            <ocil:test_action_ref>ocil:ssg-kubelet_configure_event_creation_deprecated_action:testaction:1</ocil:test_action_ref>
+          </ocil:actions>
+        </ocil:questionnaire>
+        <ocil:questionnaire id="ocil:ssg-kubelet_configure_event_creation_master_ocil:questionnaire:1">
+          <ocil:title>Kubelet - Ensure Event Creation Is Configured</ocil:title>
+          <ocil:actions>
+            <ocil:test_action_ref>ocil:ssg-kubelet_configure_event_creation_master_action:testaction:1</ocil:test_action_ref>
+          </ocil:actions>
+        </ocil:questionnaire>
         <ocil:questionnaire id="ocil:ssg-kubelet_configure_event_creation_worker_ocil:questionnaire:1">
           <ocil:title>Kubelet - Ensure Event Creation Is Configured</ocil:title>
           <ocil:actions>
@@ -29061,6 +34448,18 @@ critical for OpenShift security.</xccdf-1.2:rationale>
             <ocil:test_action_ref>ocil:ssg-kubelet_configure_tls_cert_pre_4_9_action:testaction:1</ocil:test_action_ref>
           </ocil:actions>
         </ocil:questionnaire>
+        <ocil:questionnaire id="ocil:ssg-kubelet_configure_tls_cipher_suites_ocil:questionnaire:1">
+          <ocil:title>Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers</ocil:title>
+          <ocil:actions>
+            <ocil:test_action_ref>ocil:ssg-kubelet_configure_tls_cipher_suites_action:testaction:1</ocil:test_action_ref>
+          </ocil:actions>
+        </ocil:questionnaire>
+        <ocil:questionnaire id="ocil:ssg-kubelet_configure_tls_cipher_suites_deprecated_ocil:questionnaire:1">
+          <ocil:title>Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers</ocil:title>
+          <ocil:actions>
+            <ocil:test_action_ref>ocil:ssg-kubelet_configure_tls_cipher_suites_deprecated_action:testaction:1</ocil:test_action_ref>
+          </ocil:actions>
+        </ocil:questionnaire>
         <ocil:questionnaire id="ocil:ssg-kubelet_configure_tls_cipher_suites_ingresscontroller_ocil:questionnaire:1">
           <ocil:title>Ensure that the Ingress Controller only makes use of Strong Cryptographic Ciphers</ocil:title>
           <ocil:actions>
@@ -29073,6 +34472,12 @@ critical for OpenShift security.</xccdf-1.2:rationale>
             <ocil:test_action_ref>ocil:ssg-kubelet_configure_tls_cipher_suites_kubeapiserver_operator_action:testaction:1</ocil:test_action_ref>
           </ocil:actions>
         </ocil:questionnaire>
+        <ocil:questionnaire id="ocil:ssg-kubelet_configure_tls_cipher_suites_master_ocil:questionnaire:1">
+          <ocil:title>Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers</ocil:title>
+          <ocil:actions>
+            <ocil:test_action_ref>ocil:ssg-kubelet_configure_tls_cipher_suites_master_action:testaction:1</ocil:test_action_ref>
+          </ocil:actions>
+        </ocil:questionnaire>
         <ocil:questionnaire id="ocil:ssg-kubelet_configure_tls_cipher_suites_openshiftapiserver_operator_ocil:questionnaire:1">
           <ocil:title>Ensure that the OpenShift API Server Operator only makes use of Strong Cryptographic Ciphers</ocil:title>
           <ocil:actions>
@@ -29103,6 +34508,24 @@ critical for OpenShift security.</xccdf-1.2:rationale>
             <ocil:test_action_ref>ocil:ssg-kubelet_disable_readonly_port_action:testaction:1</ocil:test_action_ref>
           </ocil:actions>
         </ocil:questionnaire>
+        <ocil:questionnaire id="ocil:ssg-kubelet_enable_cert_rotation_ocil:questionnaire:1">
+          <ocil:title>kubelet - Enable Certificate Rotation</ocil:title>
+          <ocil:actions>
+            <ocil:test_action_ref>ocil:ssg-kubelet_enable_cert_rotation_action:testaction:1</ocil:test_action_ref>
+          </ocil:actions>
+        </ocil:questionnaire>
+        <ocil:questionnaire id="ocil:ssg-kubelet_enable_cert_rotation_deprecated_ocil:questionnaire:1">
+          <ocil:title>kubelet - Enable Certificate Rotation</ocil:title>
+          <ocil:actions>
+            <ocil:test_action_ref>ocil:ssg-kubelet_enable_cert_rotation_deprecated_action:testaction:1</ocil:test_action_ref>
+          </ocil:actions>
+        </ocil:questionnaire>
+        <ocil:questionnaire id="ocil:ssg-kubelet_enable_cert_rotation_master_ocil:questionnaire:1">
+          <ocil:title>kubelet - Enable Certificate Rotation</ocil:title>
+          <ocil:actions>
+            <ocil:test_action_ref>ocil:ssg-kubelet_enable_cert_rotation_master_action:testaction:1</ocil:test_action_ref>
+          </ocil:actions>
+        </ocil:questionnaire>
         <ocil:questionnaire id="ocil:ssg-kubelet_enable_cert_rotation_worker_ocil:questionnaire:1">
           <ocil:title>kubelet - Enable Certificate Rotation</ocil:title>
           <ocil:actions>
@@ -29115,12 +34538,42 @@ critical for OpenShift security.</xccdf-1.2:rationale>
             <ocil:test_action_ref>ocil:ssg-kubelet_enable_client_cert_rotation_action:testaction:1</ocil:test_action_ref>
           </ocil:actions>
         </ocil:questionnaire>
+        <ocil:questionnaire id="ocil:ssg-kubelet_enable_client_cert_rotation_master_ocil:questionnaire:1">
+          <ocil:title>kubelet - Enable Client Certificate Rotation</ocil:title>
+          <ocil:actions>
+            <ocil:test_action_ref>ocil:ssg-kubelet_enable_client_cert_rotation_master_action:testaction:1</ocil:test_action_ref>
+          </ocil:actions>
+        </ocil:questionnaire>
+        <ocil:questionnaire id="ocil:ssg-kubelet_enable_client_cert_rotation_worker_ocil:questionnaire:1">
+          <ocil:title>kubelet - Enable Client Certificate Rotation</ocil:title>
+          <ocil:actions>
+            <ocil:test_action_ref>ocil:ssg-kubelet_enable_client_cert_rotation_worker_action:testaction:1</ocil:test_action_ref>
+          </ocil:actions>
+        </ocil:questionnaire>
         <ocil:questionnaire id="ocil:ssg-kubelet_enable_iptables_util_chains_ocil:questionnaire:1">
           <ocil:title>kubelet - Allow Automatic Firewall Configuration</ocil:title>
           <ocil:actions>
             <ocil:test_action_ref>ocil:ssg-kubelet_enable_iptables_util_chains_action:testaction:1</ocil:test_action_ref>
           </ocil:actions>
         </ocil:questionnaire>
+        <ocil:questionnaire id="ocil:ssg-kubelet_enable_iptables_util_chains_deprecated_ocil:questionnaire:1">
+          <ocil:title>kubelet - Allow Automatic Firewall Configuration</ocil:title>
+          <ocil:actions>
+            <ocil:test_action_ref>ocil:ssg-kubelet_enable_iptables_util_chains_deprecated_action:testaction:1</ocil:test_action_ref>
+          </ocil:actions>
+        </ocil:questionnaire>
+        <ocil:questionnaire id="ocil:ssg-kubelet_enable_iptables_util_chains_master_ocil:questionnaire:1">
+          <ocil:title>kubelet - Allow Automatic Firewall Configuration</ocil:title>
+          <ocil:actions>
+            <ocil:test_action_ref>ocil:ssg-kubelet_enable_iptables_util_chains_master_action:testaction:1</ocil:test_action_ref>
+          </ocil:actions>
+        </ocil:questionnaire>
+        <ocil:questionnaire id="ocil:ssg-kubelet_enable_iptables_util_chains_worker_ocil:questionnaire:1">
+          <ocil:title>kubelet - Allow Automatic Firewall Configuration</ocil:title>
+          <ocil:actions>
+            <ocil:test_action_ref>ocil:ssg-kubelet_enable_iptables_util_chains_worker_action:testaction:1</ocil:test_action_ref>
+          </ocil:actions>
+        </ocil:questionnaire>
         <ocil:questionnaire id="ocil:ssg-kubelet_enable_protect_kernel_defaults_ocil:questionnaire:1">
           <ocil:title>kubelet - Enable Protect Kernel Defaults</ocil:title>
           <ocil:actions>
@@ -29175,96 +34628,336 @@ critical for OpenShift security.</xccdf-1.2:rationale>
             <ocil:test_action_ref>ocil:ssg-kubelet_enable_protect_kernel_sysctl_vm_panic_on_oom_action:testaction:1</ocil:test_action_ref>
           </ocil:actions>
         </ocil:questionnaire>
+        <ocil:questionnaire id="ocil:ssg-kubelet_enable_server_cert_rotation_ocil:questionnaire:1">
+          <ocil:title>kubelet - Enable Server Certificate Rotation</ocil:title>
+          <ocil:actions>
+            <ocil:test_action_ref>ocil:ssg-kubelet_enable_server_cert_rotation_action:testaction:1</ocil:test_action_ref>
+          </ocil:actions>
+        </ocil:questionnaire>
+        <ocil:questionnaire id="ocil:ssg-kubelet_enable_server_cert_rotation_deprecated_ocil:questionnaire:1">
+          <ocil:title>kubelet - Enable Server Certificate Rotation</ocil:title>
+          <ocil:actions>
+            <ocil:test_action_ref>ocil:ssg-kubelet_enable_server_cert_rotation_deprecated_action:testaction:1</ocil:test_action_ref>
+          </ocil:actions>
+        </ocil:questionnaire>
+        <ocil:questionnaire id="ocil:ssg-kubelet_enable_server_cert_rotation_master_ocil:questionnaire:1">
+          <ocil:title>kubelet - Enable Server Certificate Rotation</ocil:title>
+          <ocil:actions>
+            <ocil:test_action_ref>ocil:ssg-kubelet_enable_server_cert_rotation_master_action:testaction:1</ocil:test_action_ref>
+          </ocil:actions>
+        </ocil:questionnaire>
         <ocil:questionnaire id="ocil:ssg-kubelet_enable_server_cert_rotation_worker_ocil:questionnaire:1">
           <ocil:title>kubelet - Enable Server Certificate Rotation</ocil:title>
           <ocil:actions>
             <ocil:test_action_ref>ocil:ssg-kubelet_enable_server_cert_rotation_worker_action:testaction:1</ocil:test_action_ref>
           </ocil:actions>
         </ocil:questionnaire>
+        <ocil:questionnaire id="ocil:ssg-kubelet_enable_streaming_connections_ocil:questionnaire:1">
+          <ocil:title>kubelet - Do Not Disable Streaming Timeouts</ocil:title>
+          <ocil:actions>
+            <ocil:test_action_ref>ocil:ssg-kubelet_enable_streaming_connections_action:testaction:1</ocil:test_action_ref>
+          </ocil:actions>
+        </ocil:questionnaire>
+        <ocil:questionnaire id="ocil:ssg-kubelet_enable_streaming_connections_deprecated_ocil:questionnaire:1">
+          <ocil:title>kubelet - Do Not Disable Streaming Timeouts</ocil:title>
+          <ocil:actions>
+            <ocil:test_action_ref>ocil:ssg-kubelet_enable_streaming_connections_deprecated_action:testaction:1</ocil:test_action_ref>
+          </ocil:actions>
+        </ocil:questionnaire>
+        <ocil:questionnaire id="ocil:ssg-kubelet_enable_streaming_connections_master_ocil:questionnaire:1">
+          <ocil:title>kubelet - Do Not Disable Streaming Timeouts</ocil:title>
+          <ocil:actions>
+            <ocil:test_action_ref>ocil:ssg-kubelet_enable_streaming_connections_master_action:testaction:1</ocil:test_action_ref>
+          </ocil:actions>
+        </ocil:questionnaire>
         <ocil:questionnaire id="ocil:ssg-kubelet_enable_streaming_connections_worker_ocil:questionnaire:1">
           <ocil:title>kubelet - Do Not Disable Streaming Timeouts</ocil:title>
           <ocil:actions>
             <ocil:test_action_ref>ocil:ssg-kubelet_enable_streaming_connections_worker_action:testaction:1</ocil:test_action_ref>
           </ocil:actions>
         </ocil:questionnaire>
+        <ocil:questionnaire id="ocil:ssg-kubelet_eviction_thresholds_set_hard_imagefs_available_ocil:questionnaire:1">
+          <ocil:title>Ensure Eviction threshold Settings Are Set - evictionHard: imagefs.available</ocil:title>
+          <ocil:actions>
+            <ocil:test_action_ref>ocil:ssg-kubelet_eviction_thresholds_set_hard_imagefs_available_action:testaction:1</ocil:test_action_ref>
+          </ocil:actions>
+        </ocil:questionnaire>
+        <ocil:questionnaire id="ocil:ssg-kubelet_eviction_thresholds_set_hard_imagefs_available_deprecated_ocil:questionnaire:1">
+          <ocil:title>Ensure Eviction threshold Settings Are Set - evictionHard: imagefs.available</ocil:title>
+          <ocil:actions>
+            <ocil:test_action_ref>ocil:ssg-kubelet_eviction_thresholds_set_hard_imagefs_available_deprecated_action:testaction:1</ocil:test_action_ref>
+          </ocil:actions>
+        </ocil:questionnaire>
+        <ocil:questionnaire id="ocil:ssg-kubelet_eviction_thresholds_set_hard_imagefs_available_master_ocil:questionnaire:1">
+          <ocil:title>Ensure Eviction threshold Settings Are Set - evictionHard: imagefs.available</ocil:title>
+          <ocil:actions>
+            <ocil:test_action_ref>ocil:ssg-kubelet_eviction_thresholds_set_hard_imagefs_available_master_action:testaction:1</ocil:test_action_ref>
+          </ocil:actions>
+        </ocil:questionnaire>
         <ocil:questionnaire id="ocil:ssg-kubelet_eviction_thresholds_set_hard_imagefs_available_worker_ocil:questionnaire:1">
           <ocil:title>Ensure Eviction threshold Settings Are Set - evictionHard: imagefs.available</ocil:title>
           <ocil:actions>
             <ocil:test_action_ref>ocil:ssg-kubelet_eviction_thresholds_set_hard_imagefs_available_worker_action:testaction:1</ocil:test_action_ref>
           </ocil:actions>
         </ocil:questionnaire>
+        <ocil:questionnaire id="ocil:ssg-kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_ocil:questionnaire:1">
+          <ocil:title>Ensure Eviction threshold Settings Are Set - evictionHard: imagefs.inodesFree</ocil:title>
+          <ocil:actions>
+            <ocil:test_action_ref>ocil:ssg-kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_action:testaction:1</ocil:test_action_ref>
+          </ocil:actions>
+        </ocil:questionnaire>
+        <ocil:questionnaire id="ocil:ssg-kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_deprecated_ocil:questionnaire:1">
+          <ocil:title>Ensure Eviction threshold Settings Are Set - evictionHard: imagefs.inodesFree</ocil:title>
+          <ocil:actions>
+            <ocil:test_action_ref>ocil:ssg-kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_deprecated_action:testaction:1</ocil:test_action_ref>
+          </ocil:actions>
+        </ocil:questionnaire>
+        <ocil:questionnaire id="ocil:ssg-kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_master_ocil:questionnaire:1">
+          <ocil:title>Ensure Eviction threshold Settings Are Set - evictionHard: imagefs.inodesFree</ocil:title>
+          <ocil:actions>
+            <ocil:test_action_ref>ocil:ssg-kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_master_action:testaction:1</ocil:test_action_ref>
+          </ocil:actions>
+        </ocil:questionnaire>
         <ocil:questionnaire id="ocil:ssg-kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_worker_ocil:questionnaire:1">
           <ocil:title>Ensure Eviction threshold Settings Are Set - evictionHard: imagefs.inodesFree</ocil:title>
           <ocil:actions>
             <ocil:test_action_ref>ocil:ssg-kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_worker_action:testaction:1</ocil:test_action_ref>
           </ocil:actions>
         </ocil:questionnaire>
+        <ocil:questionnaire id="ocil:ssg-kubelet_eviction_thresholds_set_hard_memory_available_ocil:questionnaire:1">
+          <ocil:title>Ensure Eviction threshold Settings Are Set - evictionHard: memory.available</ocil:title>
+          <ocil:actions>
+            <ocil:test_action_ref>ocil:ssg-kubelet_eviction_thresholds_set_hard_memory_available_action:testaction:1</ocil:test_action_ref>
+          </ocil:actions>
+        </ocil:questionnaire>
+        <ocil:questionnaire id="ocil:ssg-kubelet_eviction_thresholds_set_hard_memory_available_deprecated_ocil:questionnaire:1">
+          <ocil:title>Ensure Eviction threshold Settings Are Set - evictionHard: memory.available</ocil:title>
+          <ocil:actions>
+            <ocil:test_action_ref>ocil:ssg-kubelet_eviction_thresholds_set_hard_memory_available_deprecated_action:testaction:1</ocil:test_action_ref>
+          </ocil:actions>
+        </ocil:questionnaire>
+        <ocil:questionnaire id="ocil:ssg-kubelet_eviction_thresholds_set_hard_memory_available_master_ocil:questionnaire:1">
+          <ocil:title>Ensure Eviction threshold Settings Are Set - evictionHard: imagefs.inodesFree</ocil:title>
+          <ocil:actions>
+            <ocil:test_action_ref>ocil:ssg-kubelet_eviction_thresholds_set_hard_memory_available_master_action:testaction:1</ocil:test_action_ref>
+          </ocil:actions>
+        </ocil:questionnaire>
         <ocil:questionnaire id="ocil:ssg-kubelet_eviction_thresholds_set_hard_memory_available_worker_ocil:questionnaire:1">
           <ocil:title>Ensure Eviction threshold Settings Are Set - evictionHard: memory.available</ocil:title>
           <ocil:actions>
             <ocil:test_action_ref>ocil:ssg-kubelet_eviction_thresholds_set_hard_memory_available_worker_action:testaction:1</ocil:test_action_ref>
           </ocil:actions>
         </ocil:questionnaire>
+        <ocil:questionnaire id="ocil:ssg-kubelet_eviction_thresholds_set_hard_nodefs_available_ocil:questionnaire:1">
+          <ocil:title>Ensure Eviction threshold Settings Are Set - evictionHard: nodefs.available</ocil:title>
+          <ocil:actions>
+            <ocil:test_action_ref>ocil:ssg-kubelet_eviction_thresholds_set_hard_nodefs_available_action:testaction:1</ocil:test_action_ref>
+          </ocil:actions>
+        </ocil:questionnaire>
+        <ocil:questionnaire id="ocil:ssg-kubelet_eviction_thresholds_set_hard_nodefs_available_deprecated_ocil:questionnaire:1">
+          <ocil:title>Ensure Eviction threshold Settings Are Set - evictionHard: nodefs.available</ocil:title>
+          <ocil:actions>
+            <ocil:test_action_ref>ocil:ssg-kubelet_eviction_thresholds_set_hard_nodefs_available_deprecated_action:testaction:1</ocil:test_action_ref>
+          </ocil:actions>
+        </ocil:questionnaire>
+        <ocil:questionnaire id="ocil:ssg-kubelet_eviction_thresholds_set_hard_nodefs_available_master_ocil:questionnaire:1">
+          <ocil:title>Ensure Eviction threshold Settings Are Set - evictionHard: nodefs.available</ocil:title>
+          <ocil:actions>
+            <ocil:test_action_ref>ocil:ssg-kubelet_eviction_thresholds_set_hard_nodefs_available_master_action:testaction:1</ocil:test_action_ref>
+          </ocil:actions>
+        </ocil:questionnaire>
         <ocil:questionnaire id="ocil:ssg-kubelet_eviction_thresholds_set_hard_nodefs_available_worker_ocil:questionnaire:1">
           <ocil:title>Ensure Eviction threshold Settings Are Set - evictionHard: nodefs.available</ocil:title>
           <ocil:actions>
             <ocil:test_action_ref>ocil:ssg-kubelet_eviction_thresholds_set_hard_nodefs_available_worker_action:testaction:1</ocil:test_action_ref>
           </ocil:actions>
         </ocil:questionnaire>
+        <ocil:questionnaire id="ocil:ssg-kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_ocil:questionnaire:1">
+          <ocil:title>Ensure Eviction threshold Settings Are Set - evictionHard: nodefs.inodesFree</ocil:title>
+          <ocil:actions>
+            <ocil:test_action_ref>ocil:ssg-kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_action:testaction:1</ocil:test_action_ref>
+          </ocil:actions>
+        </ocil:questionnaire>
+        <ocil:questionnaire id="ocil:ssg-kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_deprecated_ocil:questionnaire:1">
+          <ocil:title>Ensure Eviction threshold Settings Are Set - evictionHard: nodefs.inodesFree</ocil:title>
+          <ocil:actions>
+            <ocil:test_action_ref>ocil:ssg-kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_deprecated_action:testaction:1</ocil:test_action_ref>
+          </ocil:actions>
+        </ocil:questionnaire>
+        <ocil:questionnaire id="ocil:ssg-kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_master_ocil:questionnaire:1">
+          <ocil:title>Ensure Eviction threshold Settings Are Set - evictionHard: nodefs.inodesFree</ocil:title>
+          <ocil:actions>
+            <ocil:test_action_ref>ocil:ssg-kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_master_action:testaction:1</ocil:test_action_ref>
+          </ocil:actions>
+        </ocil:questionnaire>
         <ocil:questionnaire id="ocil:ssg-kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_worker_ocil:questionnaire:1">
           <ocil:title>Ensure Eviction threshold Settings Are Set - evictionHard: nodefs.inodesFree</ocil:title>
           <ocil:actions>
             <ocil:test_action_ref>ocil:ssg-kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_worker_action:testaction:1</ocil:test_action_ref>
           </ocil:actions>
         </ocil:questionnaire>
+        <ocil:questionnaire id="ocil:ssg-kubelet_eviction_thresholds_set_soft_imagefs_available_ocil:questionnaire:1">
+          <ocil:title>Ensure Eviction threshold Settings Are Set - evictionSoft: imagefs.available</ocil:title>
+          <ocil:actions>
+            <ocil:test_action_ref>ocil:ssg-kubelet_eviction_thresholds_set_soft_imagefs_available_action:testaction:1</ocil:test_action_ref>
+          </ocil:actions>
+        </ocil:questionnaire>
+        <ocil:questionnaire id="ocil:ssg-kubelet_eviction_thresholds_set_soft_imagefs_available_deprecated_ocil:questionnaire:1">
+          <ocil:title>Ensure Eviction threshold Settings Are Set - evictionSoft: imagefs.available</ocil:title>
+          <ocil:actions>
+            <ocil:test_action_ref>ocil:ssg-kubelet_eviction_thresholds_set_soft_imagefs_available_deprecated_action:testaction:1</ocil:test_action_ref>
+          </ocil:actions>
+        </ocil:questionnaire>
+        <ocil:questionnaire id="ocil:ssg-kubelet_eviction_thresholds_set_soft_imagefs_available_master_ocil:questionnaire:1">
+          <ocil:title>Ensure Eviction threshold Settings Are Set - evictionSoft: imagefs.available</ocil:title>
+          <ocil:actions>
+            <ocil:test_action_ref>ocil:ssg-kubelet_eviction_thresholds_set_soft_imagefs_available_master_action:testaction:1</ocil:test_action_ref>
+          </ocil:actions>
+        </ocil:questionnaire>
         <ocil:questionnaire id="ocil:ssg-kubelet_eviction_thresholds_set_soft_imagefs_available_worker_ocil:questionnaire:1">
           <ocil:title>Ensure Eviction threshold Settings Are Set - evictionSoft: imagefs.available</ocil:title>
           <ocil:actions>
             <ocil:test_action_ref>ocil:ssg-kubelet_eviction_thresholds_set_soft_imagefs_available_worker_action:testaction:1</ocil:test_action_ref>
           </ocil:actions>
         </ocil:questionnaire>
+        <ocil:questionnaire id="ocil:ssg-kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_ocil:questionnaire:1">
+          <ocil:title>Ensure Eviction threshold Settings Are Set - evictionSoft: imagefs.inodesFree</ocil:title>
+          <ocil:actions>
+            <ocil:test_action_ref>ocil:ssg-kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_action:testaction:1</ocil:test_action_ref>
+          </ocil:actions>
+        </ocil:questionnaire>
+        <ocil:questionnaire id="ocil:ssg-kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_deprecated_ocil:questionnaire:1">
+          <ocil:title>Ensure Eviction threshold Settings Are Set - evictionSoft: imagefs.inodesFree</ocil:title>
+          <ocil:actions>
+            <ocil:test_action_ref>ocil:ssg-kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_deprecated_action:testaction:1</ocil:test_action_ref>
+          </ocil:actions>
+        </ocil:questionnaire>
+        <ocil:questionnaire id="ocil:ssg-kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_master_ocil:questionnaire:1">
+          <ocil:title>Ensure Eviction threshold Settings Are Set - evictionSoft: imagefs.inodesFree</ocil:title>
+          <ocil:actions>
+            <ocil:test_action_ref>ocil:ssg-kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_master_action:testaction:1</ocil:test_action_ref>
+          </ocil:actions>
+        </ocil:questionnaire>
         <ocil:questionnaire id="ocil:ssg-kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_worker_ocil:questionnaire:1">
           <ocil:title>Ensure Eviction threshold Settings Are Set - evictionSoft: imagefs.inodesFree</ocil:title>
           <ocil:actions>
             <ocil:test_action_ref>ocil:ssg-kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_worker_action:testaction:1</ocil:test_action_ref>
           </ocil:actions>
         </ocil:questionnaire>
+        <ocil:questionnaire id="ocil:ssg-kubelet_eviction_thresholds_set_soft_memory_available_ocil:questionnaire:1">
+          <ocil:title>Ensure Eviction threshold Settings Are Set - evictionSoft: memory.available</ocil:title>
+          <ocil:actions>
+            <ocil:test_action_ref>ocil:ssg-kubelet_eviction_thresholds_set_soft_memory_available_action:testaction:1</ocil:test_action_ref>
+          </ocil:actions>
+        </ocil:questionnaire>
+        <ocil:questionnaire id="ocil:ssg-kubelet_eviction_thresholds_set_soft_memory_available_deprecated_ocil:questionnaire:1">
+          <ocil:title>Ensure Eviction threshold Settings Are Set - evictionSoft: memory.available</ocil:title>
+          <ocil:actions>
+            <ocil:test_action_ref>ocil:ssg-kubelet_eviction_thresholds_set_soft_memory_available_deprecated_action:testaction:1</ocil:test_action_ref>
+          </ocil:actions>
+        </ocil:questionnaire>
+        <ocil:questionnaire id="ocil:ssg-kubelet_eviction_thresholds_set_soft_memory_available_master_ocil:questionnaire:1">
+          <ocil:title>Ensure Eviction threshold Settings Are Set - evictionSoft: memory.available</ocil:title>
+          <ocil:actions>
+            <ocil:test_action_ref>ocil:ssg-kubelet_eviction_thresholds_set_soft_memory_available_master_action:testaction:1</ocil:test_action_ref>
+          </ocil:actions>
+        </ocil:questionnaire>
         <ocil:questionnaire id="ocil:ssg-kubelet_eviction_thresholds_set_soft_memory_available_worker_ocil:questionnaire:1">
           <ocil:title>Ensure Eviction threshold Settings Are Set - evictionSoft: memory.available</ocil:title>
           <ocil:actions>
             <ocil:test_action_ref>ocil:ssg-kubelet_eviction_thresholds_set_soft_memory_available_worker_action:testaction:1</ocil:test_action_ref>
           </ocil:actions>
         </ocil:questionnaire>
+        <ocil:questionnaire id="ocil:ssg-kubelet_eviction_thresholds_set_soft_nodefs_available_ocil:questionnaire:1">
+          <ocil:title>Ensure Eviction threshold Settings Are Set - evictionSoft: nodefs.available</ocil:title>
+          <ocil:actions>
+            <ocil:test_action_ref>ocil:ssg-kubelet_eviction_thresholds_set_soft_nodefs_available_action:testaction:1</ocil:test_action_ref>
+          </ocil:actions>
+        </ocil:questionnaire>
+        <ocil:questionnaire id="ocil:ssg-kubelet_eviction_thresholds_set_soft_nodefs_available_deprecated_ocil:questionnaire:1">
+          <ocil:title>Ensure Eviction threshold Settings Are Set - evictionSoft: nodefs.available</ocil:title>
+          <ocil:actions>
+            <ocil:test_action_ref>ocil:ssg-kubelet_eviction_thresholds_set_soft_nodefs_available_deprecated_action:testaction:1</ocil:test_action_ref>
+          </ocil:actions>
+        </ocil:questionnaire>
+        <ocil:questionnaire id="ocil:ssg-kubelet_eviction_thresholds_set_soft_nodefs_available_master_ocil:questionnaire:1">
+          <ocil:title>Ensure Eviction threshold Settings Are Set - evictionSoft: nodefs.available</ocil:title>
+          <ocil:actions>
+            <ocil:test_action_ref>ocil:ssg-kubelet_eviction_thresholds_set_soft_nodefs_available_master_action:testaction:1</ocil:test_action_ref>
+          </ocil:actions>
+        </ocil:questionnaire>
         <ocil:questionnaire id="ocil:ssg-kubelet_eviction_thresholds_set_soft_nodefs_available_worker_ocil:questionnaire:1">
           <ocil:title>Ensure Eviction threshold Settings Are Set - evictionSoft: nodefs.available</ocil:title>
           <ocil:actions>
             <ocil:test_action_ref>ocil:ssg-kubelet_eviction_thresholds_set_soft_nodefs_available_worker_action:testaction:1</ocil:test_action_ref>
           </ocil:actions>
         </ocil:questionnaire>
+        <ocil:questionnaire id="ocil:ssg-kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_ocil:questionnaire:1">
+          <ocil:title>Ensure Eviction threshold Settings Are Set - evictionSoft: nodefs.inodesFree</ocil:title>
+          <ocil:actions>
+            <ocil:test_action_ref>ocil:ssg-kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_action:testaction:1</ocil:test_action_ref>
+          </ocil:actions>
+        </ocil:questionnaire>
+        <ocil:questionnaire id="ocil:ssg-kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_deprecated_ocil:questionnaire:1">
+          <ocil:title>Ensure Eviction threshold Settings Are Set - evictionSoft: nodefs.inodesFree</ocil:title>
+          <ocil:actions>
+            <ocil:test_action_ref>ocil:ssg-kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_deprecated_action:testaction:1</ocil:test_action_ref>
+          </ocil:actions>
+        </ocil:questionnaire>
+        <ocil:questionnaire id="ocil:ssg-kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_master_ocil:questionnaire:1">
+          <ocil:title>Ensure Eviction threshold Settings Are Set - evictionSoft: nodefs.inodesFree</ocil:title>
+          <ocil:actions>
+            <ocil:test_action_ref>ocil:ssg-kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_master_action:testaction:1</ocil:test_action_ref>
+          </ocil:actions>
+        </ocil:questionnaire>
         <ocil:questionnaire id="ocil:ssg-kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_worker_ocil:questionnaire:1">
           <ocil:title>Ensure Eviction threshold Settings Are Set - evictionSoft: nodefs.inodesFree</ocil:title>
           <ocil:actions>
             <ocil:test_action_ref>ocil:ssg-kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_worker_action:testaction:1</ocil:test_action_ref>
           </ocil:actions>
         </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-kubelet_read_only_port_secured_worker_ocil:questionnaire:1">
+        <ocil:questionnaire id="ocil:ssg-kubelet_read_only_port_secured_ocil:questionnaire:1">
           <ocil:title>kubelet - Ensure that the --read-only-port is secured</ocil:title>
           <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-kubelet_read_only_port_secured_worker_action:testaction:1</ocil:test_action_ref>
+            <ocil:test_action_ref>ocil:ssg-kubelet_read_only_port_secured_action:testaction:1</ocil:test_action_ref>
           </ocil:actions>
         </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-kubelet_test_ocil:questionnaire:1">
-          <ocil:title>KubeletTest</ocil:title>
+        <ocil:questionnaire id="ocil:ssg-kubelet_read_only_port_secured_deprecated_ocil:questionnaire:1">
+          <ocil:title>kubelet - Ensure that the --read-only-port is secured</ocil:title>
           <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-kubelet_test_action:testaction:1</ocil:test_action_ref>
+            <ocil:test_action_ref>ocil:ssg-kubelet_read_only_port_secured_deprecated_action:testaction:1</ocil:test_action_ref>
+          </ocil:actions>
+        </ocil:questionnaire>
+        <ocil:questionnaire id="ocil:ssg-kubelet_read_only_port_secured_master_ocil:questionnaire:1">
+          <ocil:title>kubelet - Ensure that the --read-only-port is secured</ocil:title>
+          <ocil:actions>
+            <ocil:test_action_ref>ocil:ssg-kubelet_read_only_port_secured_master_action:testaction:1</ocil:test_action_ref>
+          </ocil:actions>
+        </ocil:questionnaire>
+        <ocil:questionnaire id="ocil:ssg-kubelet_read_only_port_secured_worker_ocil:questionnaire:1">
+          <ocil:title>kubelet - Ensure that the --read-only-port is secured</ocil:title>
+          <ocil:actions>
+            <ocil:test_action_ref>ocil:ssg-kubelet_read_only_port_secured_worker_action:testaction:1</ocil:test_action_ref>
           </ocil:actions>
         </ocil:questionnaire>
         <ocil:questionnaire id="ocil:ssg-kubelet_test_cipher_ocil:questionnaire:1">
-          <ocil:title>KubeletTest</ocil:title>
+          <ocil:title>Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers</ocil:title>
           <ocil:actions>
             <ocil:test_action_ref>ocil:ssg-kubelet_test_cipher_action:testaction:1</ocil:test_action_ref>
           </ocil:actions>
         </ocil:questionnaire>
+        <ocil:questionnaire id="ocil:ssg-kubelet_test_cipher_master_ocil:questionnaire:1">
+          <ocil:title>Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers</ocil:title>
+          <ocil:actions>
+            <ocil:test_action_ref>ocil:ssg-kubelet_test_cipher_master_action:testaction:1</ocil:test_action_ref>
+          </ocil:actions>
+        </ocil:questionnaire>
+        <ocil:questionnaire id="ocil:ssg-kubelet_test_cipher_worker_ocil:questionnaire:1">
+          <ocil:title>Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers</ocil:title>
+          <ocil:actions>
+            <ocil:test_action_ref>ocil:ssg-kubelet_test_cipher_worker_action:testaction:1</ocil:test_action_ref>
+          </ocil:actions>
+        </ocil:questionnaire>
         <ocil:questionnaire id="ocil:ssg-audit_error_alert_exists_ocil:questionnaire:1">
           <ocil:title>Ensure that Audit Log Errors Emit Alerts</ocil:title>
           <ocil:actions>
@@ -30931,14 +36624,6 @@ critical for OpenShift security.</xccdf-1.2:rationale>
             <ocil:result>FAIL</ocil:result>
           </ocil:when_false>
         </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-fips_mode_enabled_action:testaction:1" question_ref="ocil:ssg-fips_mode_enabled_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
         <ocil:boolean_question_test_action id="ocil:ssg-fips_mode_enabled_on_all_nodes_action:testaction:1" question_ref="ocil:ssg-fips_mode_enabled_on_all_nodes_question:question:1">
           <ocil:when_true>
             <ocil:result>PASS</ocil:result>
@@ -31011,6 +36696,30 @@ critical for OpenShift security.</xccdf-1.2:rationale>
             <ocil:result>FAIL</ocil:result>
           </ocil:when_false>
         </ocil:boolean_question_test_action>
+        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_anonymous_auth_action:testaction:1" question_ref="ocil:ssg-kubelet_anonymous_auth_question:question:1">
+          <ocil:when_true>
+            <ocil:result>PASS</ocil:result>
+          </ocil:when_true>
+          <ocil:when_false>
+            <ocil:result>FAIL</ocil:result>
+          </ocil:when_false>
+        </ocil:boolean_question_test_action>
+        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_anonymous_auth_deprecated_action:testaction:1" question_ref="ocil:ssg-kubelet_anonymous_auth_deprecated_question:question:1">
+          <ocil:when_true>
+            <ocil:result>PASS</ocil:result>
+          </ocil:when_true>
+          <ocil:when_false>
+            <ocil:result>FAIL</ocil:result>
+          </ocil:when_false>
+        </ocil:boolean_question_test_action>
+        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_anonymous_auth_master_action:testaction:1" question_ref="ocil:ssg-kubelet_anonymous_auth_master_question:question:1">
+          <ocil:when_true>
+            <ocil:result>PASS</ocil:result>
+          </ocil:when_true>
+          <ocil:when_false>
+            <ocil:result>FAIL</ocil:result>
+          </ocil:when_false>
+        </ocil:boolean_question_test_action>
         <ocil:boolean_question_test_action id="ocil:ssg-kubelet_anonymous_auth_worker_action:testaction:1" question_ref="ocil:ssg-kubelet_anonymous_auth_worker_question:question:1">
           <ocil:when_true>
             <ocil:result>PASS</ocil:result>
@@ -31019,6 +36728,30 @@ critical for OpenShift security.</xccdf-1.2:rationale>
             <ocil:result>FAIL</ocil:result>
           </ocil:when_false>
         </ocil:boolean_question_test_action>
+        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_authorization_mode_action:testaction:1" question_ref="ocil:ssg-kubelet_authorization_mode_question:question:1">
+          <ocil:when_true>
+            <ocil:result>PASS</ocil:result>
+          </ocil:when_true>
+          <ocil:when_false>
+            <ocil:result>FAIL</ocil:result>
+          </ocil:when_false>
+        </ocil:boolean_question_test_action>
+        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_authorization_mode_deprecated_action:testaction:1" question_ref="ocil:ssg-kubelet_authorization_mode_deprecated_question:question:1">
+          <ocil:when_true>
+            <ocil:result>PASS</ocil:result>
+          </ocil:when_true>
+          <ocil:when_false>
+            <ocil:result>FAIL</ocil:result>
+          </ocil:when_false>
+        </ocil:boolean_question_test_action>
+        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_authorization_mode_master_action:testaction:1" question_ref="ocil:ssg-kubelet_authorization_mode_master_question:question:1">
+          <ocil:when_true>
+            <ocil:result>PASS</ocil:result>
+          </ocil:when_true>
+          <ocil:when_false>
+            <ocil:result>FAIL</ocil:result>
+          </ocil:when_false>
+        </ocil:boolean_question_test_action>
         <ocil:boolean_question_test_action id="ocil:ssg-kubelet_authorization_mode_worker_action:testaction:1" question_ref="ocil:ssg-kubelet_authorization_mode_worker_question:question:1">
           <ocil:when_true>
             <ocil:result>PASS</ocil:result>
@@ -31027,6 +36760,30 @@ critical for OpenShift security.</xccdf-1.2:rationale>
             <ocil:result>FAIL</ocil:result>
           </ocil:when_false>
         </ocil:boolean_question_test_action>
+        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_configure_client_ca_action:testaction:1" question_ref="ocil:ssg-kubelet_configure_client_ca_question:question:1">
+          <ocil:when_true>
+            <ocil:result>PASS</ocil:result>
+          </ocil:when_true>
+          <ocil:when_false>
+            <ocil:result>FAIL</ocil:result>
+          </ocil:when_false>
+        </ocil:boolean_question_test_action>
+        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_configure_client_ca_deprecated_action:testaction:1" question_ref="ocil:ssg-kubelet_configure_client_ca_deprecated_question:question:1">
+          <ocil:when_true>
+            <ocil:result>PASS</ocil:result>
+          </ocil:when_true>
+          <ocil:when_false>
+            <ocil:result>FAIL</ocil:result>
+          </ocil:when_false>
+        </ocil:boolean_question_test_action>
+        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_configure_client_ca_master_action:testaction:1" question_ref="ocil:ssg-kubelet_configure_client_ca_master_question:question:1">
+          <ocil:when_true>
+            <ocil:result>PASS</ocil:result>
+          </ocil:when_true>
+          <ocil:when_false>
+            <ocil:result>FAIL</ocil:result>
+          </ocil:when_false>
+        </ocil:boolean_question_test_action>
         <ocil:boolean_question_test_action id="ocil:ssg-kubelet_configure_client_ca_worker_action:testaction:1" question_ref="ocil:ssg-kubelet_configure_client_ca_worker_question:question:1">
           <ocil:when_true>
             <ocil:result>PASS</ocil:result>
@@ -31035,6 +36792,30 @@ critical for OpenShift security.</xccdf-1.2:rationale>
             <ocil:result>FAIL</ocil:result>
           </ocil:when_false>
         </ocil:boolean_question_test_action>
+        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_configure_event_creation_action:testaction:1" question_ref="ocil:ssg-kubelet_configure_event_creation_question:question:1">
+          <ocil:when_true>
+            <ocil:result>PASS</ocil:result>
+          </ocil:when_true>
+          <ocil:when_false>
+            <ocil:result>FAIL</ocil:result>
+          </ocil:when_false>
+        </ocil:boolean_question_test_action>
+        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_configure_event_creation_deprecated_action:testaction:1" question_ref="ocil:ssg-kubelet_configure_event_creation_deprecated_question:question:1">
+          <ocil:when_true>
+            <ocil:result>PASS</ocil:result>
+          </ocil:when_true>
+          <ocil:when_false>
+            <ocil:result>FAIL</ocil:result>
+          </ocil:when_false>
+        </ocil:boolean_question_test_action>
+        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_configure_event_creation_master_action:testaction:1" question_ref="ocil:ssg-kubelet_configure_event_creation_master_question:question:1">
+          <ocil:when_true>
+            <ocil:result>PASS</ocil:result>
+          </ocil:when_true>
+          <ocil:when_false>
+            <ocil:result>FAIL</ocil:result>
+          </ocil:when_false>
+        </ocil:boolean_question_test_action>
         <ocil:boolean_question_test_action id="ocil:ssg-kubelet_configure_event_creation_worker_action:testaction:1" question_ref="ocil:ssg-kubelet_configure_event_creation_worker_question:question:1">
           <ocil:when_true>
             <ocil:result>PASS</ocil:result>
@@ -31059,6 +36840,22 @@ critical for OpenShift security.</xccdf-1.2:rationale>
             <ocil:result>FAIL</ocil:result>
           </ocil:when_false>
         </ocil:boolean_question_test_action>
+        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_configure_tls_cipher_suites_action:testaction:1" question_ref="ocil:ssg-kubelet_configure_tls_cipher_suites_question:question:1">
+          <ocil:when_true>
+            <ocil:result>PASS</ocil:result>
+          </ocil:when_true>
+          <ocil:when_false>
+            <ocil:result>FAIL</ocil:result>
+          </ocil:when_false>
+        </ocil:boolean_question_test_action>
+        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_configure_tls_cipher_suites_deprecated_action:testaction:1" question_ref="ocil:ssg-kubelet_configure_tls_cipher_suites_deprecated_question:question:1">
+          <ocil:when_true>
+            <ocil:result>PASS</ocil:result>
+          </ocil:when_true>
+          <ocil:when_false>
+            <ocil:result>FAIL</ocil:result>
+          </ocil:when_false>
+        </ocil:boolean_question_test_action>
         <ocil:boolean_question_test_action id="ocil:ssg-kubelet_configure_tls_cipher_suites_ingresscontroller_action:testaction:1" question_ref="ocil:ssg-kubelet_configure_tls_cipher_suites_ingresscontroller_question:question:1">
           <ocil:when_true>
             <ocil:result>PASS</ocil:result>
@@ -31075,6 +36872,14 @@ critical for OpenShift security.</xccdf-1.2:rationale>
             <ocil:result>FAIL</ocil:result>
           </ocil:when_false>
         </ocil:boolean_question_test_action>
+        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_configure_tls_cipher_suites_master_action:testaction:1" question_ref="ocil:ssg-kubelet_configure_tls_cipher_suites_master_question:question:1">
+          <ocil:when_true>
+            <ocil:result>PASS</ocil:result>
+          </ocil:when_true>
+          <ocil:when_false>
+            <ocil:result>FAIL</ocil:result>
+          </ocil:when_false>
+        </ocil:boolean_question_test_action>
         <ocil:boolean_question_test_action id="ocil:ssg-kubelet_configure_tls_cipher_suites_openshiftapiserver_operator_action:testaction:1" question_ref="ocil:ssg-kubelet_configure_tls_cipher_suites_openshiftapiserver_operator_question:question:1">
           <ocil:when_true>
             <ocil:result>PASS</ocil:result>
@@ -31115,6 +36920,30 @@ critical for OpenShift security.</xccdf-1.2:rationale>
             <ocil:result>FAIL</ocil:result>
           </ocil:when_false>
         </ocil:boolean_question_test_action>
+        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_enable_cert_rotation_action:testaction:1" question_ref="ocil:ssg-kubelet_enable_cert_rotation_question:question:1">
+          <ocil:when_true>
+            <ocil:result>PASS</ocil:result>
+          </ocil:when_true>
+          <ocil:when_false>
+            <ocil:result>FAIL</ocil:result>
+          </ocil:when_false>
+        </ocil:boolean_question_test_action>
+        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_enable_cert_rotation_deprecated_action:testaction:1" question_ref="ocil:ssg-kubelet_enable_cert_rotation_deprecated_question:question:1">
+          <ocil:when_true>
+            <ocil:result>PASS</ocil:result>
+          </ocil:when_true>
+          <ocil:when_false>
+            <ocil:result>FAIL</ocil:result>
+          </ocil:when_false>
+        </ocil:boolean_question_test_action>
+        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_enable_cert_rotation_master_action:testaction:1" question_ref="ocil:ssg-kubelet_enable_cert_rotation_master_question:question:1">
+          <ocil:when_true>
+            <ocil:result>PASS</ocil:result>
+          </ocil:when_true>
+          <ocil:when_false>
+            <ocil:result>FAIL</ocil:result>
+          </ocil:when_false>
+        </ocil:boolean_question_test_action>
         <ocil:boolean_question_test_action id="ocil:ssg-kubelet_enable_cert_rotation_worker_action:testaction:1" question_ref="ocil:ssg-kubelet_enable_cert_rotation_worker_question:question:1">
           <ocil:when_true>
             <ocil:result>PASS</ocil:result>
@@ -31131,6 +36960,22 @@ critical for OpenShift security.</xccdf-1.2:rationale>
             <ocil:result>FAIL</ocil:result>
           </ocil:when_false>
         </ocil:boolean_question_test_action>
+        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_enable_client_cert_rotation_master_action:testaction:1" question_ref="ocil:ssg-kubelet_enable_client_cert_rotation_master_question:question:1">
+          <ocil:when_true>
+            <ocil:result>PASS</ocil:result>
+          </ocil:when_true>
+          <ocil:when_false>
+            <ocil:result>FAIL</ocil:result>
+          </ocil:when_false>
+        </ocil:boolean_question_test_action>
+        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_enable_client_cert_rotation_worker_action:testaction:1" question_ref="ocil:ssg-kubelet_enable_client_cert_rotation_worker_question:question:1">
+          <ocil:when_true>
+            <ocil:result>PASS</ocil:result>
+          </ocil:when_true>
+          <ocil:when_false>
+            <ocil:result>FAIL</ocil:result>
+          </ocil:when_false>
+        </ocil:boolean_question_test_action>
         <ocil:boolean_question_test_action id="ocil:ssg-kubelet_enable_iptables_util_chains_action:testaction:1" question_ref="ocil:ssg-kubelet_enable_iptables_util_chains_question:question:1">
           <ocil:when_true>
             <ocil:result>PASS</ocil:result>
@@ -31139,6 +36984,30 @@ critical for OpenShift security.</xccdf-1.2:rationale>
             <ocil:result>FAIL</ocil:result>
           </ocil:when_false>
         </ocil:boolean_question_test_action>
+        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_enable_iptables_util_chains_deprecated_action:testaction:1" question_ref="ocil:ssg-kubelet_enable_iptables_util_chains_deprecated_question:question:1">
+          <ocil:when_true>
+            <ocil:result>PASS</ocil:result>
+          </ocil:when_true>
+          <ocil:when_false>
+            <ocil:result>FAIL</ocil:result>
+          </ocil:when_false>
+        </ocil:boolean_question_test_action>
+        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_enable_iptables_util_chains_master_action:testaction:1" question_ref="ocil:ssg-kubelet_enable_iptables_util_chains_master_question:question:1">
+          <ocil:when_true>
+            <ocil:result>PASS</ocil:result>
+          </ocil:when_true>
+          <ocil:when_false>
+            <ocil:result>FAIL</ocil:result>
+          </ocil:when_false>
+        </ocil:boolean_question_test_action>
+        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_enable_iptables_util_chains_worker_action:testaction:1" question_ref="ocil:ssg-kubelet_enable_iptables_util_chains_worker_question:question:1">
+          <ocil:when_true>
+            <ocil:result>PASS</ocil:result>
+          </ocil:when_true>
+          <ocil:when_false>
+            <ocil:result>FAIL</ocil:result>
+          </ocil:when_false>
+        </ocil:boolean_question_test_action>
         <ocil:boolean_question_test_action id="ocil:ssg-kubelet_enable_protect_kernel_defaults_action:testaction:1" question_ref="ocil:ssg-kubelet_enable_protect_kernel_defaults_question:question:1">
           <ocil:when_true>
             <ocil:result>PASS</ocil:result>
@@ -31211,6 +37080,30 @@ critical for OpenShift security.</xccdf-1.2:rationale>
             <ocil:result>FAIL</ocil:result>
           </ocil:when_false>
         </ocil:boolean_question_test_action>
+        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_enable_server_cert_rotation_action:testaction:1" question_ref="ocil:ssg-kubelet_enable_server_cert_rotation_question:question:1">
+          <ocil:when_true>
+            <ocil:result>PASS</ocil:result>
+          </ocil:when_true>
+          <ocil:when_false>
+            <ocil:result>FAIL</ocil:result>
+          </ocil:when_false>
+        </ocil:boolean_question_test_action>
+        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_enable_server_cert_rotation_deprecated_action:testaction:1" question_ref="ocil:ssg-kubelet_enable_server_cert_rotation_deprecated_question:question:1">
+          <ocil:when_true>
+            <ocil:result>PASS</ocil:result>
+          </ocil:when_true>
+          <ocil:when_false>
+            <ocil:result>FAIL</ocil:result>
+          </ocil:when_false>
+        </ocil:boolean_question_test_action>
+        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_enable_server_cert_rotation_master_action:testaction:1" question_ref="ocil:ssg-kubelet_enable_server_cert_rotation_master_question:question:1">
+          <ocil:when_true>
+            <ocil:result>PASS</ocil:result>
+          </ocil:when_true>
+          <ocil:when_false>
+            <ocil:result>FAIL</ocil:result>
+          </ocil:when_false>
+        </ocil:boolean_question_test_action>
         <ocil:boolean_question_test_action id="ocil:ssg-kubelet_enable_server_cert_rotation_worker_action:testaction:1" question_ref="ocil:ssg-kubelet_enable_server_cert_rotation_worker_question:question:1">
           <ocil:when_true>
             <ocil:result>PASS</ocil:result>
@@ -31219,6 +37112,30 @@ critical for OpenShift security.</xccdf-1.2:rationale>
             <ocil:result>FAIL</ocil:result>
           </ocil:when_false>
         </ocil:boolean_question_test_action>
+        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_enable_streaming_connections_action:testaction:1" question_ref="ocil:ssg-kubelet_enable_streaming_connections_question:question:1">
+          <ocil:when_true>
+            <ocil:result>PASS</ocil:result>
+          </ocil:when_true>
+          <ocil:when_false>
+            <ocil:result>FAIL</ocil:result>
+          </ocil:when_false>
+        </ocil:boolean_question_test_action>
+        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_enable_streaming_connections_deprecated_action:testaction:1" question_ref="ocil:ssg-kubelet_enable_streaming_connections_deprecated_question:question:1">
+          <ocil:when_true>
+            <ocil:result>PASS</ocil:result>
+          </ocil:when_true>
+          <ocil:when_false>
+            <ocil:result>FAIL</ocil:result>
+          </ocil:when_false>
+        </ocil:boolean_question_test_action>
+        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_enable_streaming_connections_master_action:testaction:1" question_ref="ocil:ssg-kubelet_enable_streaming_connections_master_question:question:1">
+          <ocil:when_true>
+            <ocil:result>PASS</ocil:result>
+          </ocil:when_true>
+          <ocil:when_false>
+            <ocil:result>FAIL</ocil:result>
+          </ocil:when_false>
+        </ocil:boolean_question_test_action>
         <ocil:boolean_question_test_action id="ocil:ssg-kubelet_enable_streaming_connections_worker_action:testaction:1" question_ref="ocil:ssg-kubelet_enable_streaming_connections_worker_question:question:1">
           <ocil:when_true>
             <ocil:result>PASS</ocil:result>
@@ -31227,6 +37144,30 @@ critical for OpenShift security.</xccdf-1.2:rationale>
             <ocil:result>FAIL</ocil:result>
           </ocil:when_false>
         </ocil:boolean_question_test_action>
+        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_eviction_thresholds_set_hard_imagefs_available_action:testaction:1" question_ref="ocil:ssg-kubelet_eviction_thresholds_set_hard_imagefs_available_question:question:1">
+          <ocil:when_true>
+            <ocil:result>PASS</ocil:result>
+          </ocil:when_true>
+          <ocil:when_false>
+            <ocil:result>FAIL</ocil:result>
+          </ocil:when_false>
+        </ocil:boolean_question_test_action>
+        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_eviction_thresholds_set_hard_imagefs_available_deprecated_action:testaction:1" question_ref="ocil:ssg-kubelet_eviction_thresholds_set_hard_imagefs_available_deprecated_question:question:1">
+          <ocil:when_true>
+            <ocil:result>PASS</ocil:result>
+          </ocil:when_true>
+          <ocil:when_false>
+            <ocil:result>FAIL</ocil:result>
+          </ocil:when_false>
+        </ocil:boolean_question_test_action>
+        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_eviction_thresholds_set_hard_imagefs_available_master_action:testaction:1" question_ref="ocil:ssg-kubelet_eviction_thresholds_set_hard_imagefs_available_master_question:question:1">
+          <ocil:when_true>
+            <ocil:result>PASS</ocil:result>
+          </ocil:when_true>
+          <ocil:when_false>
+            <ocil:result>FAIL</ocil:result>
+          </ocil:when_false>
+        </ocil:boolean_question_test_action>
         <ocil:boolean_question_test_action id="ocil:ssg-kubelet_eviction_thresholds_set_hard_imagefs_available_worker_action:testaction:1" question_ref="ocil:ssg-kubelet_eviction_thresholds_set_hard_imagefs_available_worker_question:question:1">
           <ocil:when_true>
             <ocil:result>PASS</ocil:result>
@@ -31235,6 +37176,30 @@ critical for OpenShift security.</xccdf-1.2:rationale>
             <ocil:result>FAIL</ocil:result>
           </ocil:when_false>
         </ocil:boolean_question_test_action>
+        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_action:testaction:1" question_ref="ocil:ssg-kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_question:question:1">
+          <ocil:when_true>
+            <ocil:result>PASS</ocil:result>
+          </ocil:when_true>
+          <ocil:when_false>
+            <ocil:result>FAIL</ocil:result>
+          </ocil:when_false>
+        </ocil:boolean_question_test_action>
+        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_deprecated_action:testaction:1" question_ref="ocil:ssg-kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_deprecated_question:question:1">
+          <ocil:when_true>
+            <ocil:result>PASS</ocil:result>
+          </ocil:when_true>
+          <ocil:when_false>
+            <ocil:result>FAIL</ocil:result>
+          </ocil:when_false>
+        </ocil:boolean_question_test_action>
+        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_master_action:testaction:1" question_ref="ocil:ssg-kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_master_question:question:1">
+          <ocil:when_true>
+            <ocil:result>PASS</ocil:result>
+          </ocil:when_true>
+          <ocil:when_false>
+            <ocil:result>FAIL</ocil:result>
+          </ocil:when_false>
+        </ocil:boolean_question_test_action>
         <ocil:boolean_question_test_action id="ocil:ssg-kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_worker_action:testaction:1" question_ref="ocil:ssg-kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_worker_question:question:1">
           <ocil:when_true>
             <ocil:result>PASS</ocil:result>
@@ -31243,6 +37208,30 @@ critical for OpenShift security.</xccdf-1.2:rationale>
             <ocil:result>FAIL</ocil:result>
           </ocil:when_false>
         </ocil:boolean_question_test_action>
+        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_eviction_thresholds_set_hard_memory_available_action:testaction:1" question_ref="ocil:ssg-kubelet_eviction_thresholds_set_hard_memory_available_question:question:1">
+          <ocil:when_true>
+            <ocil:result>PASS</ocil:result>
+          </ocil:when_true>
+          <ocil:when_false>
+            <ocil:result>FAIL</ocil:result>
+          </ocil:when_false>
+        </ocil:boolean_question_test_action>
+        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_eviction_thresholds_set_hard_memory_available_deprecated_action:testaction:1" question_ref="ocil:ssg-kubelet_eviction_thresholds_set_hard_memory_available_deprecated_question:question:1">
+          <ocil:when_true>
+            <ocil:result>PASS</ocil:result>
+          </ocil:when_true>
+          <ocil:when_false>
+            <ocil:result>FAIL</ocil:result>
+          </ocil:when_false>
+        </ocil:boolean_question_test_action>
+        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_eviction_thresholds_set_hard_memory_available_master_action:testaction:1" question_ref="ocil:ssg-kubelet_eviction_thresholds_set_hard_memory_available_master_question:question:1">
+          <ocil:when_true>
+            <ocil:result>PASS</ocil:result>
+          </ocil:when_true>
+          <ocil:when_false>
+            <ocil:result>FAIL</ocil:result>
+          </ocil:when_false>
+        </ocil:boolean_question_test_action>
         <ocil:boolean_question_test_action id="ocil:ssg-kubelet_eviction_thresholds_set_hard_memory_available_worker_action:testaction:1" question_ref="ocil:ssg-kubelet_eviction_thresholds_set_hard_memory_available_worker_question:question:1">
           <ocil:when_true>
             <ocil:result>PASS</ocil:result>
@@ -31251,6 +37240,30 @@ critical for OpenShift security.</xccdf-1.2:rationale>
             <ocil:result>FAIL</ocil:result>
           </ocil:when_false>
         </ocil:boolean_question_test_action>
+        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_eviction_thresholds_set_hard_nodefs_available_action:testaction:1" question_ref="ocil:ssg-kubelet_eviction_thresholds_set_hard_nodefs_available_question:question:1">
+          <ocil:when_true>
+            <ocil:result>PASS</ocil:result>
+          </ocil:when_true>
+          <ocil:when_false>
+            <ocil:result>FAIL</ocil:result>
+          </ocil:when_false>
+        </ocil:boolean_question_test_action>
+        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_eviction_thresholds_set_hard_nodefs_available_deprecated_action:testaction:1" question_ref="ocil:ssg-kubelet_eviction_thresholds_set_hard_nodefs_available_deprecated_question:question:1">
+          <ocil:when_true>
+            <ocil:result>PASS</ocil:result>
+          </ocil:when_true>
+          <ocil:when_false>
+            <ocil:result>FAIL</ocil:result>
+          </ocil:when_false>
+        </ocil:boolean_question_test_action>
+        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_eviction_thresholds_set_hard_nodefs_available_master_action:testaction:1" question_ref="ocil:ssg-kubelet_eviction_thresholds_set_hard_nodefs_available_master_question:question:1">
+          <ocil:when_true>
+            <ocil:result>PASS</ocil:result>
+          </ocil:when_true>
+          <ocil:when_false>
+            <ocil:result>FAIL</ocil:result>
+          </ocil:when_false>
+        </ocil:boolean_question_test_action>
         <ocil:boolean_question_test_action id="ocil:ssg-kubelet_eviction_thresholds_set_hard_nodefs_available_worker_action:testaction:1" question_ref="ocil:ssg-kubelet_eviction_thresholds_set_hard_nodefs_available_worker_question:question:1">
           <ocil:when_true>
             <ocil:result>PASS</ocil:result>
@@ -31259,6 +37272,30 @@ critical for OpenShift security.</xccdf-1.2:rationale>
             <ocil:result>FAIL</ocil:result>
           </ocil:when_false>
         </ocil:boolean_question_test_action>
+        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_action:testaction:1" question_ref="ocil:ssg-kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_question:question:1">
+          <ocil:when_true>
+            <ocil:result>PASS</ocil:result>
+          </ocil:when_true>
+          <ocil:when_false>
+            <ocil:result>FAIL</ocil:result>
+          </ocil:when_false>
+        </ocil:boolean_question_test_action>
+        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_deprecated_action:testaction:1" question_ref="ocil:ssg-kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_deprecated_question:question:1">
+          <ocil:when_true>
+            <ocil:result>PASS</ocil:result>
+          </ocil:when_true>
+          <ocil:when_false>
+            <ocil:result>FAIL</ocil:result>
+          </ocil:when_false>
+        </ocil:boolean_question_test_action>
+        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_master_action:testaction:1" question_ref="ocil:ssg-kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_master_question:question:1">
+          <ocil:when_true>
+            <ocil:result>PASS</ocil:result>
+          </ocil:when_true>
+          <ocil:when_false>
+            <ocil:result>FAIL</ocil:result>
+          </ocil:when_false>
+        </ocil:boolean_question_test_action>
         <ocil:boolean_question_test_action id="ocil:ssg-kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_worker_action:testaction:1" question_ref="ocil:ssg-kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_worker_question:question:1">
           <ocil:when_true>
             <ocil:result>PASS</ocil:result>
@@ -31267,6 +37304,30 @@ critical for OpenShift security.</xccdf-1.2:rationale>
             <ocil:result>FAIL</ocil:result>
           </ocil:when_false>
         </ocil:boolean_question_test_action>
+        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_eviction_thresholds_set_soft_imagefs_available_action:testaction:1" question_ref="ocil:ssg-kubelet_eviction_thresholds_set_soft_imagefs_available_question:question:1">
+          <ocil:when_true>
+            <ocil:result>PASS</ocil:result>
+          </ocil:when_true>
+          <ocil:when_false>
+            <ocil:result>FAIL</ocil:result>
+          </ocil:when_false>
+        </ocil:boolean_question_test_action>
+        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_eviction_thresholds_set_soft_imagefs_available_deprecated_action:testaction:1" question_ref="ocil:ssg-kubelet_eviction_thresholds_set_soft_imagefs_available_deprecated_question:question:1">
+          <ocil:when_true>
+            <ocil:result>PASS</ocil:result>
+          </ocil:when_true>
+          <ocil:when_false>
+            <ocil:result>FAIL</ocil:result>
+          </ocil:when_false>
+        </ocil:boolean_question_test_action>
+        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_eviction_thresholds_set_soft_imagefs_available_master_action:testaction:1" question_ref="ocil:ssg-kubelet_eviction_thresholds_set_soft_imagefs_available_master_question:question:1">
+          <ocil:when_true>
+            <ocil:result>PASS</ocil:result>
+          </ocil:when_true>
+          <ocil:when_false>
+            <ocil:result>FAIL</ocil:result>
+          </ocil:when_false>
+        </ocil:boolean_question_test_action>
         <ocil:boolean_question_test_action id="ocil:ssg-kubelet_eviction_thresholds_set_soft_imagefs_available_worker_action:testaction:1" question_ref="ocil:ssg-kubelet_eviction_thresholds_set_soft_imagefs_available_worker_question:question:1">
           <ocil:when_true>
             <ocil:result>PASS</ocil:result>
@@ -31275,6 +37336,30 @@ critical for OpenShift security.</xccdf-1.2:rationale>
             <ocil:result>FAIL</ocil:result>
           </ocil:when_false>
         </ocil:boolean_question_test_action>
+        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_action:testaction:1" question_ref="ocil:ssg-kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_question:question:1">
+          <ocil:when_true>
+            <ocil:result>PASS</ocil:result>
+          </ocil:when_true>
+          <ocil:when_false>
+            <ocil:result>FAIL</ocil:result>
+          </ocil:when_false>
+        </ocil:boolean_question_test_action>
+        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_deprecated_action:testaction:1" question_ref="ocil:ssg-kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_deprecated_question:question:1">
+          <ocil:when_true>
+            <ocil:result>PASS</ocil:result>
+          </ocil:when_true>
+          <ocil:when_false>
+            <ocil:result>FAIL</ocil:result>
+          </ocil:when_false>
+        </ocil:boolean_question_test_action>
+        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_master_action:testaction:1" question_ref="ocil:ssg-kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_master_question:question:1">
+          <ocil:when_true>
+            <ocil:result>PASS</ocil:result>
+          </ocil:when_true>
+          <ocil:when_false>
+            <ocil:result>FAIL</ocil:result>
+          </ocil:when_false>
+        </ocil:boolean_question_test_action>
         <ocil:boolean_question_test_action id="ocil:ssg-kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_worker_action:testaction:1" question_ref="ocil:ssg-kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_worker_question:question:1">
           <ocil:when_true>
             <ocil:result>PASS</ocil:result>
@@ -31283,6 +37368,30 @@ critical for OpenShift security.</xccdf-1.2:rationale>
             <ocil:result>FAIL</ocil:result>
           </ocil:when_false>
         </ocil:boolean_question_test_action>
+        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_eviction_thresholds_set_soft_memory_available_action:testaction:1" question_ref="ocil:ssg-kubelet_eviction_thresholds_set_soft_memory_available_question:question:1">
+          <ocil:when_true>
+            <ocil:result>PASS</ocil:result>
+          </ocil:when_true>
+          <ocil:when_false>
+            <ocil:result>FAIL</ocil:result>
+          </ocil:when_false>
+        </ocil:boolean_question_test_action>
+        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_eviction_thresholds_set_soft_memory_available_deprecated_action:testaction:1" question_ref="ocil:ssg-kubelet_eviction_thresholds_set_soft_memory_available_deprecated_question:question:1">
+          <ocil:when_true>
+            <ocil:result>PASS</ocil:result>
+          </ocil:when_true>
+          <ocil:when_false>
+            <ocil:result>FAIL</ocil:result>
+          </ocil:when_false>
+        </ocil:boolean_question_test_action>
+        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_eviction_thresholds_set_soft_memory_available_master_action:testaction:1" question_ref="ocil:ssg-kubelet_eviction_thresholds_set_soft_memory_available_master_question:question:1">
+          <ocil:when_true>
+            <ocil:result>PASS</ocil:result>
+          </ocil:when_true>
+          <ocil:when_false>
+            <ocil:result>FAIL</ocil:result>
+          </ocil:when_false>
+        </ocil:boolean_question_test_action>
         <ocil:boolean_question_test_action id="ocil:ssg-kubelet_eviction_thresholds_set_soft_memory_available_worker_action:testaction:1" question_ref="ocil:ssg-kubelet_eviction_thresholds_set_soft_memory_available_worker_question:question:1">
           <ocil:when_true>
             <ocil:result>PASS</ocil:result>
@@ -31291,6 +37400,30 @@ critical for OpenShift security.</xccdf-1.2:rationale>
             <ocil:result>FAIL</ocil:result>
           </ocil:when_false>
         </ocil:boolean_question_test_action>
+        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_eviction_thresholds_set_soft_nodefs_available_action:testaction:1" question_ref="ocil:ssg-kubelet_eviction_thresholds_set_soft_nodefs_available_question:question:1">
+          <ocil:when_true>
+            <ocil:result>PASS</ocil:result>
+          </ocil:when_true>
+          <ocil:when_false>
+            <ocil:result>FAIL</ocil:result>
+          </ocil:when_false>
+        </ocil:boolean_question_test_action>
+        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_eviction_thresholds_set_soft_nodefs_available_deprecated_action:testaction:1" question_ref="ocil:ssg-kubelet_eviction_thresholds_set_soft_nodefs_available_deprecated_question:question:1">
+          <ocil:when_true>
+            <ocil:result>PASS</ocil:result>
+          </ocil:when_true>
+          <ocil:when_false>
+            <ocil:result>FAIL</ocil:result>
+          </ocil:when_false>
+        </ocil:boolean_question_test_action>
+        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_eviction_thresholds_set_soft_nodefs_available_master_action:testaction:1" question_ref="ocil:ssg-kubelet_eviction_thresholds_set_soft_nodefs_available_master_question:question:1">
+          <ocil:when_true>
+            <ocil:result>PASS</ocil:result>
+          </ocil:when_true>
+          <ocil:when_false>
+            <ocil:result>FAIL</ocil:result>
+          </ocil:when_false>
+        </ocil:boolean_question_test_action>
         <ocil:boolean_question_test_action id="ocil:ssg-kubelet_eviction_thresholds_set_soft_nodefs_available_worker_action:testaction:1" question_ref="ocil:ssg-kubelet_eviction_thresholds_set_soft_nodefs_available_worker_question:question:1">
           <ocil:when_true>
             <ocil:result>PASS</ocil:result>
@@ -31299,6 +37432,30 @@ critical for OpenShift security.</xccdf-1.2:rationale>
             <ocil:result>FAIL</ocil:result>
           </ocil:when_false>
         </ocil:boolean_question_test_action>
+        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_action:testaction:1" question_ref="ocil:ssg-kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_question:question:1">
+          <ocil:when_true>
+            <ocil:result>PASS</ocil:result>
+          </ocil:when_true>
+          <ocil:when_false>
+            <ocil:result>FAIL</ocil:result>
+          </ocil:when_false>
+        </ocil:boolean_question_test_action>
+        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_deprecated_action:testaction:1" question_ref="ocil:ssg-kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_deprecated_question:question:1">
+          <ocil:when_true>
+            <ocil:result>PASS</ocil:result>
+          </ocil:when_true>
+          <ocil:when_false>
+            <ocil:result>FAIL</ocil:result>
+          </ocil:when_false>
+        </ocil:boolean_question_test_action>
+        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_master_action:testaction:1" question_ref="ocil:ssg-kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_master_question:question:1">
+          <ocil:when_true>
+            <ocil:result>PASS</ocil:result>
+          </ocil:when_true>
+          <ocil:when_false>
+            <ocil:result>FAIL</ocil:result>
+          </ocil:when_false>
+        </ocil:boolean_question_test_action>
         <ocil:boolean_question_test_action id="ocil:ssg-kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_worker_action:testaction:1" question_ref="ocil:ssg-kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_worker_question:question:1">
           <ocil:when_true>
             <ocil:result>PASS</ocil:result>
@@ -31307,7 +37464,7 @@ critical for OpenShift security.</xccdf-1.2:rationale>
             <ocil:result>FAIL</ocil:result>
           </ocil:when_false>
         </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_read_only_port_secured_worker_action:testaction:1" question_ref="ocil:ssg-kubelet_read_only_port_secured_worker_question:question:1">
+        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_read_only_port_secured_action:testaction:1" question_ref="ocil:ssg-kubelet_read_only_port_secured_question:question:1">
           <ocil:when_true>
             <ocil:result>PASS</ocil:result>
           </ocil:when_true>
@@ -31315,7 +37472,23 @@ critical for OpenShift security.</xccdf-1.2:rationale>
             <ocil:result>FAIL</ocil:result>
           </ocil:when_false>
         </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_test_action:testaction:1" question_ref="ocil:ssg-kubelet_test_question:question:1">
+        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_read_only_port_secured_deprecated_action:testaction:1" question_ref="ocil:ssg-kubelet_read_only_port_secured_deprecated_question:question:1">
+          <ocil:when_true>
+            <ocil:result>PASS</ocil:result>
+          </ocil:when_true>
+          <ocil:when_false>
+            <ocil:result>FAIL</ocil:result>
+          </ocil:when_false>
+        </ocil:boolean_question_test_action>
+        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_read_only_port_secured_master_action:testaction:1" question_ref="ocil:ssg-kubelet_read_only_port_secured_master_question:question:1">
+          <ocil:when_true>
+            <ocil:result>PASS</ocil:result>
+          </ocil:when_true>
+          <ocil:when_false>
+            <ocil:result>FAIL</ocil:result>
+          </ocil:when_false>
+        </ocil:boolean_question_test_action>
+        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_read_only_port_secured_worker_action:testaction:1" question_ref="ocil:ssg-kubelet_read_only_port_secured_worker_question:question:1">
           <ocil:when_true>
             <ocil:result>PASS</ocil:result>
           </ocil:when_true>
@@ -31331,6 +37504,22 @@ critical for OpenShift security.</xccdf-1.2:rationale>
             <ocil:result>FAIL</ocil:result>
           </ocil:when_false>
         </ocil:boolean_question_test_action>
+        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_test_cipher_master_action:testaction:1" question_ref="ocil:ssg-kubelet_test_cipher_master_question:question:1">
+          <ocil:when_true>
+            <ocil:result>PASS</ocil:result>
+          </ocil:when_true>
+          <ocil:when_false>
+            <ocil:result>FAIL</ocil:result>
+          </ocil:when_false>
+        </ocil:boolean_question_test_action>
+        <ocil:boolean_question_test_action id="ocil:ssg-kubelet_test_cipher_worker_action:testaction:1" question_ref="ocil:ssg-kubelet_test_cipher_worker_question:question:1">
+          <ocil:when_true>
+            <ocil:result>PASS</ocil:result>
+          </ocil:when_true>
+          <ocil:when_false>
+            <ocil:result>FAIL</ocil:result>
+          </ocil:when_false>
+        </ocil:boolean_question_test_action>
         <ocil:boolean_question_test_action id="ocil:ssg-audit_error_alert_exists_action:testaction:1" question_ref="ocil:ssg-audit_error_alert_exists_question:question:1">
           <ocil:when_true>
             <ocil:result>PASS</ocil:result>
@@ -33118,11 +39307,11 @@ Make sure that there is one output named: file-integrity
       </ocil:question_text>
         </ocil:boolean_question>
         <ocil:boolean_question id="ocil:ssg-general_apply_scc_question:question:1">
-          <ocil:question_text>Review the pod definitions in your cluster and verify that you have security
-contexts defined as appropriate.  OpenShift's Security Context Constraint
-feature is on by default in OpenShift 4 and applied to all pods deployed. SCC
-selection is determined by a combination of the values in the securityContext
-and the rolebindings for the account deploying the pod.
+          <ocil:question_text>Review the pod definitions in your cluster and verify they have appropriate
+security contexts. OpenShift comes configured with default security context
+constraints you can use immediately to secure pods in your cluster. For more
+information on security context constraints, how to use them, and how to
+build your own, please refer to the OpenShift security constraints documentation.
       Is it the case that SCCs in Pod definitions need review?
       </ocil:question_text>
         </ocil:boolean_question>
@@ -33280,18 +39469,11 @@ with $ oc get machineset --all-namespaces -o yaml
 $ oc get machineset --all-namespaces -o json | jq '[.items[] | .spec.template.spec.providerSpec.value.blockDevices[0].ebs.encrypted] | map(. == true)'
 Make sure that the result is an array of 'true' values.
       Is it the case that EBS encryption is not enabled on cluster nodes?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-fips_mode_enabled_question:question:1">
-          <ocil:question_text>Run the following command to retrieve if the FIPS flag is enabled:
-$ oc get machineconfig 99-master-fips -o jsonpath={.spec.fips}
-Make sure that the result is 'true'.
-      Is it the case that FIPS mode is not enabled?
       </ocil:question_text>
         </ocil:boolean_question>
         <ocil:boolean_question id="ocil:ssg-fips_mode_enabled_on_all_nodes_question:question:1">
           <ocil:question_text>Run the following command to retrieve if the FIPS flag is enabled:
-$ oc get machineconfig -o json | jq '[.items[] | select(.metadata.name | test("^[0-9]{2}-worker$|^[0-9]{2}-master$"))]|map(.spec.fips == true)'
+$ oc get machineconfig -o json | jq '[.items[] | select(.metadata.name | test("^rendered-worker-[0-9a-z]+$|^rendered-master-[0-9a-z]+$"))] | map(.spec.fips == true)'
 Make sure that the result is an array of 'true' values.
       Is it the case that FIPS mode is not enabled on all nodes (control plane and workers)?
       </ocil:question_text>
@@ -33307,7 +39489,7 @@ with $ oc get machineset --all-namespaces -o yaml
         </ocil:boolean_question>
         <ocil:boolean_question id="ocil:ssg-luks_enabled_on_all_nodes_question:question:1">
           <ocil:question_text>Run the following command to retrieve if the LUKS object is configured:
-$ oc get machineconfig -o json | jq '[.items[] | select(.metadata.name | test("^[0-9]{2}-worker$|^[0-9]{2}-master$"))]|map(.spec.config.storage.luks[0].clevis != null)'
+$ oc get machineconfig -o json | jq '[.items[] | select(.metadata.name | test("^rendered-worker-[0-9a-z]+$|^rendered-master-[0-9a-z]+$"))] | map(.spec.config.storage.luks[0].clevis != null)'
 Make sure that the result is an array of 'true' values.
       Is it the case that LUKS encryption is not enabled on worker nodes?
       </ocil:question_text>
@@ -33331,10 +39513,10 @@ This can be inspected by going through them
 with $ oc get machineset --all-namespaces -o yaml
 
 If not, run the following command to retrieve if the FIPS flag is enabled:
-$ oc get machineconfig -o json | jq '. | [select(.items[].metadata.name | test("^[0-9]{2}-worker$|^[0-9]{2}-master$"))]|[.[].items[].spec.fips]'
+$ oc get machineconfig -o json | jq '[.items[] | select(.metadata.name | test("^rendered-worker-[0-9a-z]+$|^rendered-master-[0-9a-z]+$"))] | map(.spec.fips == true)'
 Make sure that the result is an array of 'true' values.
 Then, run this next command to retrieve if LUKS encryption is enabled:
-$ oc get machineconfig -o json | jq '. | [select(.items[].metadata.name | test("^[0-9]{2}-worker$|^[0-9]{2}-master$"))]|map(.spec.config.storage.luks[0].clevis != null)'
+$ oc get machineconfig -o json | jq '[.items[] | select(.metadata.name | test("^rendered-worker-[0-9a-z]+$|^rendered-master-[0-9a-z]+$"))] | map(.spec.config.storage.luks[0].clevis != null)'
 The result must also be an array of 'true' values.
       Is it the case that FIPS mode is not enabled on worker nodes?
       </ocil:question_text>
@@ -33395,14 +39577,43 @@ This should look as follows:
       Is it the case that The default policy of image verification is not 'reject'?
       </ocil:question_text>
         </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kubelet_anonymous_auth_worker_question:question:1">
+        <ocil:boolean_question id="ocil:ssg-kubelet_anonymous_auth_question:question:1">
+          <ocil:question_text>Run the following command on the kubelet node(s):
+$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep -A1 anonymous; done
+The output should return enabled: false.
+      Is it the case that &lt;tt&gt;anonymous&lt;/tt&gt; authentication is not set to &lt;tt&gt;false&lt;/tt&gt;?
+      </ocil:question_text>
+        </ocil:boolean_question>
+        <ocil:boolean_question id="ocil:ssg-kubelet_anonymous_auth_deprecated_question:question:1">
           <ocil:question_text>Run the following command on the kubelet node(s):
 $ sudo grep -A1 anonymous /etc/kubernetes/kubelet.conf
 The output should return enabled: false.
       Is it the case that &lt;tt&gt;anonymous&lt;/tt&gt; authentication is not set to &lt;tt&gt;false&lt;/tt&gt;?
       </ocil:question_text>
         </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kubelet_authorization_mode_worker_question:question:1">
+        <ocil:boolean_question id="ocil:ssg-kubelet_anonymous_auth_master_question:question:1">
+          <ocil:question_text>Run the following command on the kubelet node(s):
+$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep -A1 anonymous; done
+The output should return enabled: false.
+      Is it the case that &lt;tt&gt;anonymous&lt;/tt&gt; authentication is not set to &lt;tt&gt;false&lt;/tt&gt;?
+      </ocil:question_text>
+        </ocil:boolean_question>
+        <ocil:boolean_question id="ocil:ssg-kubelet_anonymous_auth_worker_question:question:1">
+          <ocil:question_text>Run the following command on the kubelet node(s):
+$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep -A1 anonymous; done
+The output should return enabled: false.
+      Is it the case that &lt;tt&gt;anonymous&lt;/tt&gt; authentication is not set to &lt;tt&gt;false&lt;/tt&gt;?
+      </ocil:question_text>
+        </ocil:boolean_question>
+        <ocil:boolean_question id="ocil:ssg-kubelet_authorization_mode_question:question:1">
+          <ocil:question_text>Run the following command on the kubelet node(s):
+$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | sudo grep -A1 authorization; done
+Verify that the output is not set to mode: AlwaysAllow, or missing
+(defaults to mode: Webhook).
+      Is it the case that &lt;tt&gt;authorization-mode&lt;/tt&gt; is not configured to &lt;tt&gt;Webhook&lt;/tt&gt;?
+      </ocil:question_text>
+        </ocil:boolean_question>
+        <ocil:boolean_question id="ocil:ssg-kubelet_authorization_mode_deprecated_question:question:1">
           <ocil:question_text>Run the following command on the kubelet node(s):
 $ sudo grep -A1 authorization /etc/kubernetes/kubelet.conf
 Verify that the output is not set to mode: AlwaysAllow, or missing
@@ -33410,16 +39621,74 @@ Verify that the output is not set to mode: AlwaysAllow, or missing
       Is it the case that &lt;tt&gt;authorization-mode&lt;/tt&gt; is not configured to &lt;tt&gt;Webhook&lt;/tt&gt;?
       </ocil:question_text>
         </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kubelet_configure_client_ca_worker_question:question:1">
+        <ocil:boolean_question id="ocil:ssg-kubelet_authorization_mode_master_question:question:1">
+          <ocil:question_text>Run the following command on the kubelet node(s):
+$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | sudo grep -A1 authorization; done
+Verify that the output is not set to mode: AlwaysAllow, or missing
+(defaults to mode: Webhook).
+      Is it the case that &lt;tt&gt;authorization-mode&lt;/tt&gt; is not configured to &lt;tt&gt;Webhook&lt;/tt&gt;?
+      </ocil:question_text>
+        </ocil:boolean_question>
+        <ocil:boolean_question id="ocil:ssg-kubelet_authorization_mode_worker_question:question:1">
+          <ocil:question_text>Run the following command on the kubelet node(s):
+$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | sudo grep -A1 authorization; done
+Verify that the output is not set to mode: AlwaysAllow, or missing
+(defaults to mode: Webhook).
+      Is it the case that &lt;tt&gt;authorization-mode&lt;/tt&gt; is not configured to &lt;tt&gt;Webhook&lt;/tt&gt;?
+      </ocil:question_text>
+        </ocil:boolean_question>
+        <ocil:boolean_question id="ocil:ssg-kubelet_configure_client_ca_question:question:1">
+          <ocil:question_text>Run the following command on the kubelet node(s):
+$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep -A1 x509; done
+The output should contain a configured certificate like /etc/kubernetes/kubelet-ca.crt.
+      Is it the case that no client CA certificate has been configured?
+      </ocil:question_text>
+        </ocil:boolean_question>
+        <ocil:boolean_question id="ocil:ssg-kubelet_configure_client_ca_deprecated_question:question:1">
           <ocil:question_text>Run the following command on the kubelet node(s):
 $ sudo grep -A1 x509 /etc/kubernetes/kubelet.conf
 The output should contain a configured certificate like /etc/kubernetes/kubelet-ca.crt.
       Is it the case that no client CA certificate has been configured?
       </ocil:question_text>
         </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kubelet_configure_event_creation_worker_question:question:1">
+        <ocil:boolean_question id="ocil:ssg-kubelet_configure_client_ca_master_question:question:1">
+          <ocil:question_text>Run the following command on the kubelet node(s):
+$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep -A1 x509; done
+The output should contain a configured certificate like /etc/kubernetes/kubelet-ca.crt.
+      Is it the case that no client CA certificate has been configured?
+      </ocil:question_text>
+        </ocil:boolean_question>
+        <ocil:boolean_question id="ocil:ssg-kubelet_configure_client_ca_worker_question:question:1">
+          <ocil:question_text>Run the following command on the kubelet node(s):
+$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep -A1 x509; done
+The output should contain a configured certificate like /etc/kubernetes/kubelet-ca.crt.
+      Is it the case that no client CA certificate has been configured?
+      </ocil:question_text>
+        </ocil:boolean_question>
+        <ocil:boolean_question id="ocil:ssg-kubelet_configure_event_creation_question:question:1">
+          <ocil:question_text>Run the following command on the kubelet node(s):
+$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep eventRecordQPS; done
+The output should return .
+      Is it the case that event creation limits are not configured?
+      </ocil:question_text>
+        </ocil:boolean_question>
+        <ocil:boolean_question id="ocil:ssg-kubelet_configure_event_creation_deprecated_question:question:1">
           <ocil:question_text>Run the following command on the kubelet node(s):
 $ sudo grep eventRecordQPS /etc/kubernetes/kubelet.conf
+The output should return .
+      Is it the case that event creation limits are not configured?
+      </ocil:question_text>
+        </ocil:boolean_question>
+        <ocil:boolean_question id="ocil:ssg-kubelet_configure_event_creation_master_question:question:1">
+          <ocil:question_text>Run the following command on the kubelet node(s):
+$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep eventRecordQPS; done
+The output should return .
+      Is it the case that event creation limits are not configured?
+      </ocil:question_text>
+        </ocil:boolean_question>
+        <ocil:boolean_question id="ocil:ssg-kubelet_configure_event_creation_worker_question:question:1">
+          <ocil:question_text>Run the following command on the kubelet node(s):
+$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep eventRecordQPS; done
 The output should return .
       Is it the case that event creation limits are not configured?
       </ocil:question_text>
@@ -33436,6 +39705,34 @@ Verify that a client certificate is configured.
 $ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq -r '.apiServerArguments["kubelet-client-certificate"]'
 Verify that a client certificate is configured.
       Is it the case that the kubelet certificate is not configured?
+      </ocil:question_text>
+        </ocil:boolean_question>
+        <ocil:boolean_question id="ocil:ssg-kubelet_configure_tls_cipher_suites_question:question:1">
+          <ocil:question_text>Run the following command on the kubelet node(s):
+$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep tlsCipherSuites; done
+Verify that the set of ciphers contains only the following:
+
+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+
+      Is it the case that TLS cipher suite configuration is not configured or contains insecure ciphers?
+      </ocil:question_text>
+        </ocil:boolean_question>
+        <ocil:boolean_question id="ocil:ssg-kubelet_configure_tls_cipher_suites_deprecated_question:question:1">
+          <ocil:question_text>Run the following command on the kubelet node(s):
+$ sudo grep tlsCipherSuites /etc/kubernetes/kubelet.conf
+Verify that the set of ciphers contains only the following:
+
+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+
+      Is it the case that TLS cipher suite configuration is not configured or contains insecure ciphers?
       </ocil:question_text>
         </ocil:boolean_question>
         <ocil:boolean_question id="ocil:ssg-kubelet_configure_tls_cipher_suites_ingresscontroller_question:question:1">
@@ -33448,6 +39745,21 @@ oc -n openshift-ingress-operator patch ingresscontroller/default --type merge -p
           <ocil:question_text>Run the following comman on the kubelete nodes(s):
 oc patch kubeapiservers.operator.openshift.io cluster --type merge -p '{"spec":{"unsupportedConfigOverrides":{"servingInfo":{"cipherSuites":["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305","TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_RSA_WITH_AES_256_GCM_SHA384","TLS_RSA_WITH_AES_128_GCM_SHA256"]} } } }'
       Is it the case that TLS cipher suite configuration is not configured?
+      </ocil:question_text>
+        </ocil:boolean_question>
+        <ocil:boolean_question id="ocil:ssg-kubelet_configure_tls_cipher_suites_master_question:question:1">
+          <ocil:question_text>Run the following command on the kubelet node(s):
+$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep tlsCipherSuites; done
+Verify that the set of ciphers contains only the following:
+
+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+
+      Is it the case that TLS cipher suite configuration is not configured or contains insecure ciphers?
       </ocil:question_text>
         </ocil:boolean_question>
         <ocil:boolean_question id="ocil:ssg-kubelet_configure_tls_cipher_suites_openshiftapiserver_operator_question:question:1">
@@ -33458,13 +39770,15 @@ oc patch openshiftapiservers.operator.openshift.io cluster --type merge -p '{"sp
         </ocil:boolean_question>
         <ocil:boolean_question id="ocil:ssg-kubelet_configure_tls_cipher_suites_worker_question:question:1">
           <ocil:question_text>Run the following command on the kubelet node(s):
-$ sudo grep tlsCipherSuites /etc/kubernetes/kubelet.conf
+$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep tlsCipherSuites; done
 Verify that the set of ciphers contains only the following:
 
 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
-TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
 
       Is it the case that TLS cipher suite configuration is not configured or contains insecure ciphers?
       </ocil:question_text>
@@ -33490,16 +39804,51 @@ The output should be 0.
       Is it the case that the read-only port is not disabled?
       </ocil:question_text>
         </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kubelet_enable_cert_rotation_worker_question:question:1">
+        <ocil:boolean_question id="ocil:ssg-kubelet_enable_cert_rotation_question:question:1">
           <ocil:question_text>Run the following command on the kubelet node(s):
 $ sudo grep rotateCertificates /etc/kubernetes/kubelet.conf
+The output should return nothing or true.
+      Is it the case that the kubelet cannot rotate client certificate?
+      </ocil:question_text>
+        </ocil:boolean_question>
+        <ocil:boolean_question id="ocil:ssg-kubelet_enable_cert_rotation_deprecated_question:question:1">
+          <ocil:question_text>Run the following command on the kubelet node(s):
+$ sudo grep rotateCertificates /etc/kubernetes/kubelet.conf
+The output should return nothing or true.
+      Is it the case that the kubelet cannot rotate client certificate?
+      </ocil:question_text>
+        </ocil:boolean_question>
+        <ocil:boolean_question id="ocil:ssg-kubelet_enable_cert_rotation_master_question:question:1">
+          <ocil:question_text>Run the following command on the kubelet node(s):
+$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep rotateCertificates; done
+The output should return nothing or true.
+      Is it the case that the kubelet cannot rotate client certificate?
+      </ocil:question_text>
+        </ocil:boolean_question>
+        <ocil:boolean_question id="ocil:ssg-kubelet_enable_cert_rotation_worker_question:question:1">
+          <ocil:question_text>Run the following command on the kubelet node(s):
+$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep rotateCertificates; done
 The output should return nothing or true.
       Is it the case that the kubelet cannot rotate client certificate?
       </ocil:question_text>
         </ocil:boolean_question>
         <ocil:boolean_question id="ocil:ssg-kubelet_enable_client_cert_rotation_question:question:1">
           <ocil:question_text>Run the following command on the kubelet node(s):
-$ sudo grep RotateKubeletClientCertificate /etc/kubernetes/kubelet.conf
+$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep RotateKubeletClientCertificate; done
+The output should return nothing or true.
+      Is it the case that the kubelet cannot rotate client certificate?
+      </ocil:question_text>
+        </ocil:boolean_question>
+        <ocil:boolean_question id="ocil:ssg-kubelet_enable_client_cert_rotation_master_question:question:1">
+          <ocil:question_text>Run the following command on the kubelet node(s):
+$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep RotateKubeletClientCertificate; done
+The output should return nothing or true.
+      Is it the case that the kubelet cannot rotate client certificate?
+      </ocil:question_text>
+        </ocil:boolean_question>
+        <ocil:boolean_question id="ocil:ssg-kubelet_enable_client_cert_rotation_worker_question:question:1">
+          <ocil:question_text>Run the following command on the kubelet node(s):
+$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep RotateKubeletClientCertificate; done
 The output should return nothing or true.
       Is it the case that the kubelet cannot rotate client certificate?
       </ocil:question_text>
@@ -33507,6 +39856,27 @@ The output should return nothing or true.
         <ocil:boolean_question id="ocil:ssg-kubelet_enable_iptables_util_chains_question:question:1">
           <ocil:question_text>Run the following command on the kubelet node(s):
 $ sudo grep makeIPTablesUtilChains /etc/kubernetes/kubelet.conf
+The output should return true.
+      Is it the case that the kubelet cannot modify the firewall settings?
+      </ocil:question_text>
+        </ocil:boolean_question>
+        <ocil:boolean_question id="ocil:ssg-kubelet_enable_iptables_util_chains_deprecated_question:question:1">
+          <ocil:question_text>Run the following command on the kubelet node(s):
+$ sudo grep makeIPTablesUtilChains /etc/kubernetes/kubelet.conf
+The output should return true.
+      Is it the case that the kubelet cannot modify the firewall settings?
+      </ocil:question_text>
+        </ocil:boolean_question>
+        <ocil:boolean_question id="ocil:ssg-kubelet_enable_iptables_util_chains_master_question:question:1">
+          <ocil:question_text>Run the following command on the kubelet node(s):
+$ oc get --raw /api/v1/nodes/${NODE_NAME}/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep makeIPTablesUtilChains 
+The output should return true.
+      Is it the case that the kubelet cannot modify the firewall settings?
+      </ocil:question_text>
+        </ocil:boolean_question>
+        <ocil:boolean_question id="ocil:ssg-kubelet_enable_iptables_util_chains_worker_question:question:1">
+          <ocil:question_text>Run the following command on the kubelet node(s):
+$ oc get --raw /api/v1/nodes/${NODE_NAME}/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep makeIPTablesUtilChains 
 The output should return true.
       Is it the case that the kubelet cannot modify the firewall settings?
       </ocil:question_text>
@@ -33602,91 +39972,350 @@ The output should return a value.
       Is it the case that the kubelet can modify kernel parameters?
       </ocil:question_text>
         </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kubelet_enable_server_cert_rotation_worker_question:question:1">
+        <ocil:boolean_question id="ocil:ssg-kubelet_enable_server_cert_rotation_question:question:1">
+          <ocil:question_text>Run the following command on the kubelet node(s):
+$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep RotateKubeletServerCertificate; done
+The output should return true.
+      Is it the case that the kubelet cannot rotate server certificate?
+      </ocil:question_text>
+        </ocil:boolean_question>
+        <ocil:boolean_question id="ocil:ssg-kubelet_enable_server_cert_rotation_deprecated_question:question:1">
           <ocil:question_text>Run the following command on the kubelet node(s):
 $ sudo grep RotateKubeletServerCertificate /etc/kubernetes/kubelet.conf
 The output should return true.
       Is it the case that the kubelet cannot rotate server certificate?
       </ocil:question_text>
         </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kubelet_enable_streaming_connections_worker_question:question:1">
+        <ocil:boolean_question id="ocil:ssg-kubelet_enable_server_cert_rotation_master_question:question:1">
+          <ocil:question_text>Run the following command on the kubelet node(s):
+$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep RotateKubeletServerCertificate; done
+The output should return true.
+      Is it the case that the kubelet cannot rotate server certificate?
+      </ocil:question_text>
+        </ocil:boolean_question>
+        <ocil:boolean_question id="ocil:ssg-kubelet_enable_server_cert_rotation_worker_question:question:1">
+          <ocil:question_text>Run the following command on the kubelet node(s):
+$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep RotateKubeletServerCertificate; done
+The output should return true.
+      Is it the case that the kubelet cannot rotate server certificate?
+      </ocil:question_text>
+        </ocil:boolean_question>
+        <ocil:boolean_question id="ocil:ssg-kubelet_enable_streaming_connections_question:question:1">
+          <ocil:question_text>Run the following command on the kubelet node(s):
+$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep streamingConnectionIdleTimeout; done
+The output should return .
+      Is it the case that the streaming connection timeouts are not disabled?
+      </ocil:question_text>
+        </ocil:boolean_question>
+        <ocil:boolean_question id="ocil:ssg-kubelet_enable_streaming_connections_deprecated_question:question:1">
           <ocil:question_text>Run the following command on the kubelet node(s):
 $ sudo grep streamingConnectionIdleTimeout /etc/kubernetes/kubelet.conf
 The output should return .
       Is it the case that the streaming connection timeouts are not disabled?
       </ocil:question_text>
         </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kubelet_eviction_thresholds_set_hard_imagefs_available_worker_question:question:1">
+        <ocil:boolean_question id="ocil:ssg-kubelet_enable_streaming_connections_master_question:question:1">
+          <ocil:question_text>Run the following command on the kubelet node(s):
+$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep streamingConnectionIdleTimeout; done
+The output should return .
+      Is it the case that the streaming connection timeouts are not disabled?
+      </ocil:question_text>
+        </ocil:boolean_question>
+        <ocil:boolean_question id="ocil:ssg-kubelet_enable_streaming_connections_worker_question:question:1">
+          <ocil:question_text>Run the following command on the kubelet node(s):
+$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep streamingConnectionIdleTimeout; done
+The output should return .
+      Is it the case that the streaming connection timeouts are not disabled?
+      </ocil:question_text>
+        </ocil:boolean_question>
+        <ocil:boolean_question id="ocil:ssg-kubelet_eviction_thresholds_set_hard_imagefs_available_question:question:1">
+          <ocil:question_text>Run the following command on the kubelet node(s):
+$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .evictionHard."imagefs.available"'; done
+and make sure it outputs {{.var_kubelet_evictionhard_imagefs_available}}.
+      Is it the case that &lt;tt&gt;imagefs.available&lt;/tt&gt; is not set in &lt;tt&gt;evictionHard&lt;/tt&gt; section?
+      </ocil:question_text>
+        </ocil:boolean_question>
+        <ocil:boolean_question id="ocil:ssg-kubelet_eviction_thresholds_set_hard_imagefs_available_deprecated_question:question:1">
           <ocil:question_text>Run the following command on the kubelet node(s):
 $ oc debug -q node/$NODE -- jq -r '.evictionHard."imagefs.available"' /host/etc/kubernetes/kubelet.conf
 and make sure it outputs a value.
       Is it the case that &lt;tt&gt;imagefs.available&lt;/tt&gt; is not set in &lt;tt&gt;evictionHard&lt;/tt&gt; section?
       </ocil:question_text>
         </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_worker_question:question:1">
+        <ocil:boolean_question id="ocil:ssg-kubelet_eviction_thresholds_set_hard_imagefs_available_master_question:question:1">
+          <ocil:question_text>Run the following command on the kubelet node(s):
+$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .evictionHard."imagefs.available"'; done
+and make sure it outputs {{.var_kubelet_evictionhard_imagefs_available}}.
+      Is it the case that &lt;tt&gt;imagefs.available&lt;/tt&gt; is not set in &lt;tt&gt;evictionHard&lt;/tt&gt; section?
+      </ocil:question_text>
+        </ocil:boolean_question>
+        <ocil:boolean_question id="ocil:ssg-kubelet_eviction_thresholds_set_hard_imagefs_available_worker_question:question:1">
+          <ocil:question_text>Run the following command on the kubelet node(s):
+$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .evictionHard."imagefs.available"'; done
+and make sure it outputs {{.var_kubelet_evictionhard_imagefs_available}}.
+      Is it the case that &lt;tt&gt;imagefs.available&lt;/tt&gt; is not set in &lt;tt&gt;evictionHard&lt;/tt&gt; section?
+      </ocil:question_text>
+        </ocil:boolean_question>
+        <ocil:boolean_question id="ocil:ssg-kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_question:question:1">
+          <ocil:question_text>Run the following command on the kubelet node(s):
+$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .evictionHard."imagefs.inodesFree"'; done
+and make sure it outputs {{.var_kubelet_evictionhard_imagefs_inodesfree}}.
+      Is it the case that &lt;tt&gt;imagefs.inodesFree&lt;/tt&gt; is not set in &lt;tt&gt;evictionHard&lt;/tt&gt; section?
+      </ocil:question_text>
+        </ocil:boolean_question>
+        <ocil:boolean_question id="ocil:ssg-kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_deprecated_question:question:1">
           <ocil:question_text>Run the following command on the kubelet node(s):
 $ oc debug -q node/$NODE -- jq -r '.evictionHard."imagefs.inodesFree"' /host/etc/kubernetes/kubelet.conf
 and make sure it outputs a value.
       Is it the case that &lt;tt&gt;imagefs.inodesFree&lt;/tt&gt; is not set in &lt;tt&gt;evictionHard&lt;/tt&gt; section?
       </ocil:question_text>
         </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kubelet_eviction_thresholds_set_hard_memory_available_worker_question:question:1">
+        <ocil:boolean_question id="ocil:ssg-kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_master_question:question:1">
+          <ocil:question_text>Run the following command on the kubelet node(s):
+$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .evictionHard."imagefs.inodesFree"'; done
+and make sure it outputs {{.var_kubelet_evictionhard_imagefs_inodesfree}}.
+      Is it the case that &lt;tt&gt;imagefs.inodesFree&lt;/tt&gt; is not set in &lt;tt&gt;evictionHard&lt;/tt&gt; section?
+      </ocil:question_text>
+        </ocil:boolean_question>
+        <ocil:boolean_question id="ocil:ssg-kubelet_eviction_thresholds_set_hard_imagefs_inodesfree_worker_question:question:1">
+          <ocil:question_text>Run the following command on the kubelet node(s):
+$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .evictionHard."imagefs.inodesFree"'; done
+and make sure it outputs {{.var_kubelet_evictionhard_imagefs_inodesfree}}.
+      Is it the case that &lt;tt&gt;imagefs.inodesFree&lt;/tt&gt; is not set in &lt;tt&gt;evictionHard&lt;/tt&gt; section?
+      </ocil:question_text>
+        </ocil:boolean_question>
+        <ocil:boolean_question id="ocil:ssg-kubelet_eviction_thresholds_set_hard_memory_available_question:question:1">
+          <ocil:question_text>Run the following command on the kubelet node(s):
+$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .evictionHard."memory.available"'; done
+and make sure it outputs {{.var_kubelet_evictionhard_memory_available}}.
+      Is it the case that &lt;tt&gt;memory.available&lt;/tt&gt; is not set in &lt;tt&gt;evictionHard&lt;/tt&gt; section?
+      </ocil:question_text>
+        </ocil:boolean_question>
+        <ocil:boolean_question id="ocil:ssg-kubelet_eviction_thresholds_set_hard_memory_available_deprecated_question:question:1">
           <ocil:question_text>Run the following command on the kubelet node(s):
 $ oc debug -q node/$NODE -- jq -r '.evictionHard."memory.available"' /host/etc/kubernetes/kubelet.conf
 and make sure it outputs a value.
       Is it the case that &lt;tt&gt;memory.available&lt;/tt&gt; is not set in &lt;tt&gt;evictionHard&lt;/tt&gt; section?
       </ocil:question_text>
         </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kubelet_eviction_thresholds_set_hard_nodefs_available_worker_question:question:1">
+        <ocil:boolean_question id="ocil:ssg-kubelet_eviction_thresholds_set_hard_memory_available_master_question:question:1">
+          <ocil:question_text>Run the following command on the kubelet node(s):
+$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .evictionHard."memory.available"'; done
+and make sure it outputs {{.var_kubelet_evictionhard_memory_available}}.
+      Is it the case that &lt;tt&gt;imagefs.inodesFree&lt;/tt&gt; is not set in &lt;tt&gt;evictionHard&lt;/tt&gt; section?
+      </ocil:question_text>
+        </ocil:boolean_question>
+        <ocil:boolean_question id="ocil:ssg-kubelet_eviction_thresholds_set_hard_memory_available_worker_question:question:1">
+          <ocil:question_text>Run the following command on the kubelet node(s):
+$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .evictionHard."memory.available"'; done
+and make sure it outputs {{.var_kubelet_evictionhard_memory_available}}.
+      Is it the case that &lt;tt&gt;memory.available&lt;/tt&gt; is not set in &lt;tt&gt;evictionHard&lt;/tt&gt; section?
+      </ocil:question_text>
+        </ocil:boolean_question>
+        <ocil:boolean_question id="ocil:ssg-kubelet_eviction_thresholds_set_hard_nodefs_available_question:question:1">
+          <ocil:question_text>Run the following command on the kubelet node(s):
+$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .evictionHard."nodefs.available"'; done
+and make sure it outputs {{.var_kubelet_evictionhard_nodefs_available}}.
+      Is it the case that &lt;tt&gt;nodefs.available&lt;/tt&gt; is not set in &lt;tt&gt;evictionHard&lt;/tt&gt; section?
+      </ocil:question_text>
+        </ocil:boolean_question>
+        <ocil:boolean_question id="ocil:ssg-kubelet_eviction_thresholds_set_hard_nodefs_available_deprecated_question:question:1">
           <ocil:question_text>Run the following command on the kubelet node(s):
 $ oc debug -q node/$NODE -- jq -r '.evictionHard."nodefs.available"' /host/etc/kubernetes/kubelet.conf
 and make sure it outputs a value.
       Is it the case that &lt;tt&gt;nodefs.available&lt;/tt&gt; is not set in &lt;tt&gt;evictionHard&lt;/tt&gt; section?
       </ocil:question_text>
         </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_worker_question:question:1">
+        <ocil:boolean_question id="ocil:ssg-kubelet_eviction_thresholds_set_hard_nodefs_available_master_question:question:1">
+          <ocil:question_text>Run the following command on the kubelet node(s):
+$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .evictionHard."nodefs.available"'; done
+and make sure it outputs {{.var_kubelet_evictionhard_nodefs_available}}.
+      Is it the case that &lt;tt&gt;nodefs.available&lt;/tt&gt; is not set in &lt;tt&gt;evictionHard&lt;/tt&gt; section?
+      </ocil:question_text>
+        </ocil:boolean_question>
+        <ocil:boolean_question id="ocil:ssg-kubelet_eviction_thresholds_set_hard_nodefs_available_worker_question:question:1">
+          <ocil:question_text>Run the following command on the kubelet node(s):
+$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .evictionHard."nodefs.available"'; done
+and make sure it outputs {{.var_kubelet_evictionhard_nodefs_available}}.
+      Is it the case that &lt;tt&gt;nodefs.available&lt;/tt&gt; is not set in &lt;tt&gt;evictionHard&lt;/tt&gt; section?
+      </ocil:question_text>
+        </ocil:boolean_question>
+        <ocil:boolean_question id="ocil:ssg-kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_question:question:1">
+          <ocil:question_text>Run the following command on the kubelet node(s):
+$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .evictionHard."nodefs.inodesFree"'; done
+and make sure it outputs {{.var_kubelet_evictionhard_nodefs_inodesfree}}.
+      Is it the case that &lt;tt&gt;nodefs.inodesFree&lt;/tt&gt; is not set in &lt;tt&gt;evictionHard&lt;/tt&gt; section?
+      </ocil:question_text>
+        </ocil:boolean_question>
+        <ocil:boolean_question id="ocil:ssg-kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_deprecated_question:question:1">
           <ocil:question_text>Run the following command on the kubelet node(s):
 $ oc debug -q node/$NODE -- jq -r '.evictionHard."nodefs.inodesFree"' /host/etc/kubernetes/kubelet.conf
 and make sure it outputs a value.
       Is it the case that &lt;tt&gt;nodefs.inodesFree&lt;/tt&gt; is not set in &lt;tt&gt;evictionHard&lt;/tt&gt; section?
       </ocil:question_text>
         </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kubelet_eviction_thresholds_set_soft_imagefs_available_worker_question:question:1">
+        <ocil:boolean_question id="ocil:ssg-kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_master_question:question:1">
+          <ocil:question_text>Run the following command on the kubelet node(s):
+$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .evictionHard."nodefs.inodesFree"'; done
+and make sure it outputs {{.var_kubelet_evictionhard_nodefs_inodesfree}}.
+      Is it the case that &lt;tt&gt;nodefs.inodesFree&lt;/tt&gt; is not set in &lt;tt&gt;evictionHard&lt;/tt&gt; section?
+      </ocil:question_text>
+        </ocil:boolean_question>
+        <ocil:boolean_question id="ocil:ssg-kubelet_eviction_thresholds_set_hard_nodefs_inodesfree_worker_question:question:1">
+          <ocil:question_text>Run the following command on the kubelet node(s):
+$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .evictionHard."nodefs.inodesFree"'; done
+and make sure it outputs {{.var_kubelet_evictionhard_nodefs_inodesfree}}.
+      Is it the case that &lt;tt&gt;nodefs.inodesFree&lt;/tt&gt; is not set in &lt;tt&gt;evictionHard&lt;/tt&gt; section?
+      </ocil:question_text>
+        </ocil:boolean_question>
+        <ocil:boolean_question id="ocil:ssg-kubelet_eviction_thresholds_set_soft_imagefs_available_question:question:1">
+          <ocil:question_text>Run the following command on the kubelet node(s):
+$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .evictionSoft."imagefs.available"'; done
+and make sure it outputs {{.var_kubelet_evictionsoft_imagefs_available}}.
+      Is it the case that &lt;tt&gt;imagefs.available&lt;/tt&gt; is not set in &lt;tt&gt;evictionSoft&lt;/tt&gt; section?
+      </ocil:question_text>
+        </ocil:boolean_question>
+        <ocil:boolean_question id="ocil:ssg-kubelet_eviction_thresholds_set_soft_imagefs_available_deprecated_question:question:1">
           <ocil:question_text>Run the following command on the kubelet node(s):
 $ oc debug -q node/$NODE -- jq -r '.evictionSoft."imagefs.available"' /host/etc/kubernetes/kubelet.conf
 and make sure it outputs a value.
       Is it the case that &lt;tt&gt;imagefs.available&lt;/tt&gt; is not set in &lt;tt&gt;evictionSoft&lt;/tt&gt; section?
       </ocil:question_text>
         </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_worker_question:question:1">
+        <ocil:boolean_question id="ocil:ssg-kubelet_eviction_thresholds_set_soft_imagefs_available_master_question:question:1">
+          <ocil:question_text>Run the following command on the kubelet node(s):
+$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .evictionSoft."imagefs.available"'; done
+and make sure it outputs {{.var_kubelet_evictionsoft_imagefs_available}}.
+      Is it the case that &lt;tt&gt;imagefs.available&lt;/tt&gt; is not set in &lt;tt&gt;evictionSoft&lt;/tt&gt; section?
+      </ocil:question_text>
+        </ocil:boolean_question>
+        <ocil:boolean_question id="ocil:ssg-kubelet_eviction_thresholds_set_soft_imagefs_available_worker_question:question:1">
+          <ocil:question_text>Run the following command on the kubelet node(s):
+$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .evictionSoft."imagefs.available"'; done
+and make sure it outputs {{.var_kubelet_evictionsoft_imagefs_available}}.
+      Is it the case that &lt;tt&gt;imagefs.available&lt;/tt&gt; is not set in &lt;tt&gt;evictionSoft&lt;/tt&gt; section?
+      </ocil:question_text>
+        </ocil:boolean_question>
+        <ocil:boolean_question id="ocil:ssg-kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_question:question:1">
+          <ocil:question_text>Run the following command on the kubelet node(s):
+$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .evictionSoft."imagefs.inodesFree"'; done
+and make sure it outputs {{.var_kubelet_evictionsoft_imagefs_inodesfree}}.
+      Is it the case that &lt;tt&gt;imagefs.inodesFree&lt;/tt&gt; is not set in &lt;tt&gt;evictionSoft&lt;/tt&gt; section?
+      </ocil:question_text>
+        </ocil:boolean_question>
+        <ocil:boolean_question id="ocil:ssg-kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_deprecated_question:question:1">
           <ocil:question_text>Run the following command on the kubelet node(s):
 $ oc debug -q node/$NODE -- jq -r '.evictionSoft."imagefs.inodesFree"' /host/etc/kubernetes/kubelet.conf
 and make sure it outputs a value.
       Is it the case that &lt;tt&gt;imagefs.inodesFree&lt;/tt&gt; is not set in &lt;tt&gt;evictionSoft&lt;/tt&gt; section?
       </ocil:question_text>
         </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kubelet_eviction_thresholds_set_soft_memory_available_worker_question:question:1">
+        <ocil:boolean_question id="ocil:ssg-kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_master_question:question:1">
+          <ocil:question_text>Run the following command on the kubelet node(s):
+$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .evictionSoft."imagefs.inodesFree"'; done
+and make sure it outputs {{.var_kubelet_evictionsoft_imagefs_inodesfree}}.
+      Is it the case that &lt;tt&gt;imagefs.inodesFree&lt;/tt&gt; is not set in &lt;tt&gt;evictionSoft&lt;/tt&gt; section?
+      </ocil:question_text>
+        </ocil:boolean_question>
+        <ocil:boolean_question id="ocil:ssg-kubelet_eviction_thresholds_set_soft_imagefs_inodesfree_worker_question:question:1">
+          <ocil:question_text>Run the following command on the kubelet node(s):
+$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .evictionSoft."imagefs.inodesFree"'; done
+and make sure it outputs {{.var_kubelet_evictionsoft_imagefs_inodesfree}}.
+      Is it the case that &lt;tt&gt;imagefs.inodesFree&lt;/tt&gt; is not set in &lt;tt&gt;evictionSoft&lt;/tt&gt; section?
+      </ocil:question_text>
+        </ocil:boolean_question>
+        <ocil:boolean_question id="ocil:ssg-kubelet_eviction_thresholds_set_soft_memory_available_question:question:1">
+          <ocil:question_text>Run the following command on the kubelet node(s):
+$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .evictionSoft."memory.available"'; done
+and make sure it outputs {{.var_kubelet_evictionsoft_memory_available}}.
+      Is it the case that &lt;tt&gt;memory.available&lt;/tt&gt; is not set in &lt;tt&gt;evictionSoft&lt;/tt&gt; section?
+      </ocil:question_text>
+        </ocil:boolean_question>
+        <ocil:boolean_question id="ocil:ssg-kubelet_eviction_thresholds_set_soft_memory_available_deprecated_question:question:1">
           <ocil:question_text>Run the following command on the kubelet node(s):
 $ oc debug -q node/$NODE -- jq -r '.evictionSoft."memory.available"' /host/etc/kubernetes/kubelet.conf
 and make sure it outputs a value.
       Is it the case that &lt;tt&gt;memory.available&lt;/tt&gt; is not set in &lt;tt&gt;evictionSoft&lt;/tt&gt; section?
       </ocil:question_text>
         </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kubelet_eviction_thresholds_set_soft_nodefs_available_worker_question:question:1">
+        <ocil:boolean_question id="ocil:ssg-kubelet_eviction_thresholds_set_soft_memory_available_master_question:question:1">
+          <ocil:question_text>Run the following command on the kubelet node(s):
+$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .evictionSoft."memory.available"'; done
+and make sure it outputs {{.var_kubelet_evictionsoft_memory_available}}.
+      Is it the case that &lt;tt&gt;memory.available&lt;/tt&gt; is not set in &lt;tt&gt;evictionSoft&lt;/tt&gt; section?
+      </ocil:question_text>
+        </ocil:boolean_question>
+        <ocil:boolean_question id="ocil:ssg-kubelet_eviction_thresholds_set_soft_memory_available_worker_question:question:1">
+          <ocil:question_text>Run the following command on the kubelet node(s):
+$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .evictionSoft."memory.available"'; done
+and make sure it outputs {{.var_kubelet_evictionsoft_memory_available}}.
+      Is it the case that &lt;tt&gt;memory.available&lt;/tt&gt; is not set in &lt;tt&gt;evictionSoft&lt;/tt&gt; section?
+      </ocil:question_text>
+        </ocil:boolean_question>
+        <ocil:boolean_question id="ocil:ssg-kubelet_eviction_thresholds_set_soft_nodefs_available_question:question:1">
+          <ocil:question_text>Run the following command on the kubelet node(s):
+$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .evictionSoft."nodefs.available"'; done
+and make sure it outputs {{.var_kubelet_evictionsoft_nodefs_available}}.
+      Is it the case that &lt;tt&gt;nodefs.available&lt;/tt&gt; is not set in &lt;tt&gt;evictionSoft&lt;/tt&gt; section?
+      </ocil:question_text>
+        </ocil:boolean_question>
+        <ocil:boolean_question id="ocil:ssg-kubelet_eviction_thresholds_set_soft_nodefs_available_deprecated_question:question:1">
           <ocil:question_text>Run the following command on the kubelet node(s):
 $ oc debug -q node/$NODE -- jq -r '.evictionSoft."nodefs.available"' /host/etc/kubernetes/kubelet.conf
 and make sure it outputs a value.
       Is it the case that &lt;tt&gt;nodefs.available&lt;/tt&gt; is not set in &lt;tt&gt;evictionSoft&lt;/tt&gt; section?
       </ocil:question_text>
         </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_worker_question:question:1">
+        <ocil:boolean_question id="ocil:ssg-kubelet_eviction_thresholds_set_soft_nodefs_available_master_question:question:1">
+          <ocil:question_text>Run the following command on the kubelet node(s):
+$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .evictionSoft."nodefs.available"'; done
+and make sure it outputs {{.var_kubelet_evictionsoft_nodefs_available}}.
+      Is it the case that &lt;tt&gt;nodefs.available&lt;/tt&gt; is not set in &lt;tt&gt;evictionSoft&lt;/tt&gt; section?
+      </ocil:question_text>
+        </ocil:boolean_question>
+        <ocil:boolean_question id="ocil:ssg-kubelet_eviction_thresholds_set_soft_nodefs_available_worker_question:question:1">
+          <ocil:question_text>Run the following command on the kubelet node(s):
+$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .evictionSoft."nodefs.available"'; done
+and make sure it outputs {{.var_kubelet_evictionsoft_nodefs_available}}.
+      Is it the case that &lt;tt&gt;nodefs.available&lt;/tt&gt; is not set in &lt;tt&gt;evictionSoft&lt;/tt&gt; section?
+      </ocil:question_text>
+        </ocil:boolean_question>
+        <ocil:boolean_question id="ocil:ssg-kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_question:question:1">
+          <ocil:question_text>Run the following command on the kubelet node(s):
+$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .evictionSoft."nodefs.inodesFree"'; done
+and make sure it outputs {{.var_kubelet_evictionsoft_nodefs_inodesfree}}.
+      Is it the case that &lt;tt&gt;nodefs.inodesFree&lt;/tt&gt; is not set in &lt;tt&gt;evictionSoft&lt;/tt&gt; section?
+      </ocil:question_text>
+        </ocil:boolean_question>
+        <ocil:boolean_question id="ocil:ssg-kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_deprecated_question:question:1">
           <ocil:question_text>Run the following command on the kubelet node(s):
 $ oc debug -q node/$NODE -- jq -r '.evictionSoft."nodefs.inodesFree"' /host/etc/kubernetes/kubelet.conf
 and make sure it outputs a value.
       Is it the case that &lt;tt&gt;nodefs.inodesFree&lt;/tt&gt; is not set in &lt;tt&gt;evictionSoft&lt;/tt&gt; section?
       </ocil:question_text>
         </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kubelet_read_only_port_secured_worker_question:question:1">
+        <ocil:boolean_question id="ocil:ssg-kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_master_question:question:1">
+          <ocil:question_text>Run the following command on the kubelet node(s):
+$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .evictionSoft."nodefs.inodesFree"'; done
+and make sure it outputs {{.var_kubelet_evictionsoft_nodefs_inodesfree}}.
+      Is it the case that &lt;tt&gt;nodefs.inodesFree&lt;/tt&gt; is not set in &lt;tt&gt;evictionSoft&lt;/tt&gt; section?
+      </ocil:question_text>
+        </ocil:boolean_question>
+        <ocil:boolean_question id="ocil:ssg-kubelet_eviction_thresholds_set_soft_nodefs_inodesfree_worker_question:question:1">
+          <ocil:question_text>Run the following command on the kubelet node(s):
+$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1" | .evictionSoft."nodefs.inodesFree"'; done
+and make sure it outputs {{.var_kubelet_evictionsoft_nodefs_inodesfree}}.
+      Is it the case that &lt;tt&gt;nodefs.inodesFree&lt;/tt&gt; is not set in &lt;tt&gt;evictionSoft&lt;/tt&gt; section?
+      </ocil:question_text>
+        </ocil:boolean_question>
+        <ocil:boolean_question id="ocil:ssg-kubelet_read_only_port_secured_question:question:1">
+          <ocil:question_text>Run the following command on the kubelet node(s):
+$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep readOnlyPort; done
+and make sure it outputs 0.
+      Is it the case that readOnlyPort is not secured?
+      </ocil:question_text>
+        </ocil:boolean_question>
+        <ocil:boolean_question id="ocil:ssg-kubelet_read_only_port_secured_deprecated_question:question:1">
           <ocil:question_text>First, SSH to the relevant node.
 
 Open the Kubelet config file:
@@ -33697,18 +40326,63 @@ Verify that the "readOnlyPort" argument exists and is set to 0
       Is it the case that readOnlyPort is not secured?
       </ocil:question_text>
         </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kubelet_test_question:question:1">
+        <ocil:boolean_question id="ocil:ssg-kubelet_read_only_port_secured_master_question:question:1">
           <ocil:question_text>Run the following command on the kubelet node(s):
-$ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq -r '.apiServerArguments["kubelet-client-certificate"]'
-Verify that a client certificate is configured.
-      Is it the case that the kubelet certificate is not configured?
+$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep readOnlyPort; done
+and make sure it outputs 0.
+      Is it the case that readOnlyPort is not secured?
+      </ocil:question_text>
+        </ocil:boolean_question>
+        <ocil:boolean_question id="ocil:ssg-kubelet_read_only_port_secured_worker_question:question:1">
+          <ocil:question_text>Run the following command on the kubelet node(s):
+$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep readOnlyPort; done
+and make sure it outputs 0.
+      Is it the case that readOnlyPort is not secured?
       </ocil:question_text>
         </ocil:boolean_question>
         <ocil:boolean_question id="ocil:ssg-kubelet_test_cipher_question:question:1">
           <ocil:question_text>Run the following command on the kubelet node(s):
-$ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq -r '.apiServerArguments["kubelet-client-certificate"]'
-Verify that a client certificate is configured.
-      Is it the case that the kubelet certificate is not configured?
+$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep tlsCipherSuites; done
+Verify that the set of ciphers contains only the following:
+
+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+
+      Is it the case that TLS cipher suite configuration is not configured or contains insecure ciphers?
+      </ocil:question_text>
+        </ocil:boolean_question>
+        <ocil:boolean_question id="ocil:ssg-kubelet_test_cipher_master_question:question:1">
+          <ocil:question_text>Run the following command on the kubelet node(s):
+$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep tlsCipherSuites; done
+Verify that the set of ciphers contains only the following:
+
+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+
+      Is it the case that TLS cipher suite configuration is not configured or contains insecure ciphers?
+      </ocil:question_text>
+        </ocil:boolean_question>
+        <ocil:boolean_question id="ocil:ssg-kubelet_test_cipher_worker_question:question:1">
+          <ocil:question_text>Run the following command on the kubelet node(s):
+$ for NODE_NAME in $(oc get nodes -ojsonpath='{.items[*].metadata.name}'); do oc get --raw /api/v1/nodes/$NODE_NAME/proxy/configz | jq '.kubeletconfig|.kind="KubeletConfiguration"|.apiVersion="kubelet.config.k8s.io/v1beta1"' | grep tlsCipherSuites; done
+Verify that the set of ciphers contains only the following:
+
+TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+
+      Is it the case that TLS cipher suite configuration is not configured or contains insecure ciphers?
       </ocil:question_text>
         </ocil:boolean_question>
         <ocil:boolean_question id="ocil:ssg-audit_error_alert_exists_question:question:1">
@@ -33910,30 +40584,27 @@ If properly configured, the output should indicate the following permissions:
       </ocil:question_text>
         </ocil:boolean_question>
         <ocil:boolean_question id="ocil:ssg-partition_for_var_log_kube_apiserver_question:question:1">
-          <ocil:question_text>Run the following command to determine if /var/log/kube-apiserver
-is on its own partition or logical volume:
-$ mount | grep "on /var/log/kube-apiserver"
-If /var/log/kube-apiserver has its own partition or volume group, a line will be returned.
+          <ocil:question_text>Verify that a separate file system/partition has been created for /var/log/kube-apiserver with the following command:
 
-      Is it the case that no line is returned?
+$ mountpoint /var/log/kube-apiserver
+
+      Is it the case that "/var/log/kube-apiserver is not a mountpoint" is returned?
       </ocil:question_text>
         </ocil:boolean_question>
         <ocil:boolean_question id="ocil:ssg-partition_for_var_log_oauth_apiserver_question:question:1">
-          <ocil:question_text>Run the following command to determine if /var/log/oauth-apiserver
-is on its own partition or logical volume:
-$ mount | grep "on /var/log/oauth-apiserver"
-If /var/log/oauth-apiserver has its own partition or volume group, a line will be returned.
+          <ocil:question_text>Verify that a separate file system/partition has been created for /var/log/oauth-apiserver with the following command:
 
-      Is it the case that no line is returned?
+$ mountpoint /var/log/oauth-apiserver
+
+      Is it the case that "/var/log/oauth-apiserver is not a mountpoint" is returned?
       </ocil:question_text>
         </ocil:boolean_question>
         <ocil:boolean_question id="ocil:ssg-partition_for_var_log_openshift_apiserver_question:question:1">
-          <ocil:question_text>Run the following command to determine if /var/log/openshift-apiserver
-is on its own partition or logical volume:
-$ mount | grep "on /var/log/openshift-apiserver"
-If /var/log/openshift-apiserver has its own partition or volume group, a line will be returned.
+          <ocil:question_text>Verify that a separate file system/partition has been created for /var/log/openshift-apiserver with the following command:
 
-      Is it the case that no line is returned?
+$ mountpoint /var/log/openshift-apiserver
+
+      Is it the case that "/var/log/openshift-apiserver is not a mountpoint" is returned?
       </ocil:question_text>
         </ocil:boolean_question>
         <ocil:boolean_question id="ocil:ssg-file_groupowner_cni_conf_question:question:1">
@@ -36104,13 +42775,13 @@ If properly configured, the output should indicate the following permissions:
       </ocil:questions>
     </ocil:ocil>
   </ds:component>
-  <ds:component id="scap_org.open-scap_comp_ssg-ocp4-cpe-oval.xml" timestamp="2022-08-11T18:55:00">
+  <ds:component id="scap_org.open-scap_comp_ssg-ocp4-cpe-oval.xml" timestamp="2022-10-19T15:33:06">
     <oval-def:oval_definitions xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd         http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd         http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd         http://oval.mitre.org/XMLSchema/oval-definitions-5#unix unix-definitions-schema.xsd         http://oval.mitre.org/XMLSchema/oval-definitions-5#linux linux-definitions-schema.xsd">
       <oval-def:generator>
         <oval:product_name>combine_ovals.py from SCAP Security Guide</oval:product_name>
-        <oval:product_version>ssg: [0, 1, 64], python: 3.10.6</oval:product_version>
+        <oval:product_version>ssg: [0, 1, 65], python: 3.10.4</oval:product_version>
         <oval:schema_version>5.11</oval:schema_version>
-        <oval:timestamp>2022-08-11T18:54:56</oval:timestamp>
+        <oval:timestamp>2022-10-19T19:32:58</oval:timestamp>
       </oval-def:generator>
       <oval-def:definitions>
         <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_alinux2:def:1" version="1">
@@ -36229,20 +42900,6 @@ If properly configured, the output should indicate the following permissions:
             <oval-def:criterion comment="Debian11 is installed" test_ref="oval:ssg-test_debian_11:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_debian9:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Debian 9</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:debian:debian_linux:9" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Debian 9</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria comment="current Debian version is Debian Stretch" operator="AND">
-            <oval-def:extend_definition comment="Debian is installed" definition_ref="oval:ssg-installed_OS_is_debian:def:1"/>
-            <oval-def:criterion comment="Debian9 is installed" test_ref="oval:ssg-test_debian_9:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
         <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_fedora:def:1" version="3">
           <oval-def:metadata>
             <oval-def:title>Installed operating system is Fedora</oval-def:title>
@@ -36719,6 +43376,20 @@ If properly configured, the output should indicate the following permissions:
             <oval-def:criterion comment="Focal is installed" test_ref="oval:ssg-test_ubuntu_focal:tst:1"/>
           </oval-def:criteria>
         </oval-def:definition>
+        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_ubuntu2204:def:1" version="1">
+          <oval-def:metadata>
+            <oval-def:title>Ubuntu 2204</oval-def:title>
+            <oval-def:affected family="unix">
+              <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
+            </oval-def:affected>
+            <oval-def:reference ref_id="cpe:/o:canonical:ubuntu_linux:22.04" source="CPE"/>
+            <oval-def:description>The operating system installed on the system is Ubuntu 2204</oval-def:description>
+          </oval-def:metadata>
+          <oval-def:criteria comment="current Ubuntu version is Jammy" operator="AND">
+            <oval-def:extend_definition comment="Ubuntu is installed" definition_ref="oval:ssg-installed_OS_is_ubuntu:def:1"/>
+            <oval-def:criterion comment="Jammy is installed" test_ref="oval:ssg-test_ubuntu_jammy:tst:1"/>
+          </oval-def:criteria>
+        </oval-def:definition>
         <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_uos20:def:1" version="1">
           <oval-def:metadata>
             <oval-def:title>UnionTech OS Server 20</oval-def:title>
@@ -37399,6 +44070,30 @@ If properly configured, the output should indicate the following permissions:
             <oval-def:extend_definition comment="If environment is not a container, it is machine" definition_ref="oval:ssg-installed_env_is_a_container:def:1" negate="true"/>
           </oval-def:criteria>
         </oval-def:definition>
+        <oval-def:definition class="inventory" id="oval:ssg-installed_env_mounts_tmp:def:1" version="1">
+          <oval-def:metadata>
+            <oval-def:title>Partition /tmp exists</oval-def:title>
+            <oval-def:affected family="unix">
+              <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
+            </oval-def:affected>
+            <oval-def:description/>
+          </oval-def:metadata>
+          <oval-def:criteria>
+            <oval-def:criterion comment="The path /tmp is a partition's mount point" test_ref="oval:ssg-test_partition_tmp_exists:tst:1"/>
+          </oval-def:criteria>
+        </oval-def:definition>
+        <oval-def:definition class="inventory" id="oval:ssg-installed_env_mounts_var_tmp:def:1" version="1">
+          <oval-def:metadata>
+            <oval-def:title>Partition /var/tmp exists</oval-def:title>
+            <oval-def:affected family="unix">
+              <oval-def:platform>Red Hat OpenShift Container Platform 4</oval-def:platform>
+            </oval-def:affected>
+            <oval-def:description/>
+          </oval-def:metadata>
+          <oval-def:criteria>
+            <oval-def:criterion comment="The path /var/tmp is a partition's mount point" test_ref="oval:ssg-test_partition_var_tmp_exists:tst:1"/>
+          </oval-def:criteria>
+        </oval-def:definition>
         <oval-def:definition class="inventory" id="oval:ssg-krb5_server_older_than_1_17_18:def:1" version="1">
           <oval-def:metadata>
             <oval-def:title>Kerberos server is older than 1.17-18</oval-def:title>
@@ -37578,9 +44273,6 @@ If properly configured, the output should indicate the following permissions:
         <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check Debian version" id="oval:ssg-test_debian_11:tst:1" version="1">
           <ind:object object_ref="oval:ssg-obj_debian_11:obj:1"/>
         </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check Debian version" id="oval:ssg-test_debian_9:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_debian_9:obj:1"/>
-        </ind:textfilecontent54_test>
         <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="fedora-release RPM packages are installed" id="oval:ssg-test_fedora_release_rpm:tst:1" version="1">
           <linux:object object_ref="oval:ssg-object_fedora_release_rpm:obj:1"/>
         </linux:rpminfo_test>
@@ -37770,6 +44462,9 @@ If properly configured, the output should indicate the following permissions:
         <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check Ubuntu version" id="oval:ssg-test_ubuntu_focal:tst:1" version="1">
           <ind:object object_ref="oval:ssg-obj_ubuntu_focal:obj:1"/>
         </ind:textfilecontent54_test>
+        <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check Ubuntu version" id="oval:ssg-test_ubuntu_jammy:tst:1" version="1">
+          <ind:object object_ref="oval:ssg-obj_ubuntu_jammy:obj:1"/>
+        </ind:textfilecontent54_test>
         <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="uos-release is version 20" id="oval:ssg-test_uos20:tst:1" version="1">
           <linux:object object_ref="oval:ssg-obj_uos20:obj:1"/>
           <linux:state state_ref="oval:ssg-state_uos20:ste:1"/>
@@ -37962,11 +44657,17 @@ If properly configured, the output should indicate the following permissions:
         <unix:file_test check="all" check_existence="all_exist" comment="Check if /run/.containerenv exists" id="oval:ssg-test_installed_env_is_a_podman_container:tst:1" version="1">
           <unix:object object_ref="oval:ssg-object_installed_env_is_a_podman_container:obj:1"/>
         </unix:file_test>
+        <linux:partition_test check="all" check_existence="all_exist" comment="Partition /tmp exists" id="oval:ssg-test_partition_tmp_exists:tst:1" version="1">
+          <linux:object object_ref="oval:ssg-object_partition_tmp_exists:obj:1"/>
+        </linux:partition_test>
+        <linux:partition_test check="all" check_existence="all_exist" comment="Partition /var/tmp exists" id="oval:ssg-test_partition_var_tmp_exists:tst:1" version="1">
+          <linux:object object_ref="oval:ssg-object_partition_var_tmp_exists:obj:1"/>
+        </linux:partition_test>
         <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="Kerberos server version is lesser than 1.17-18" id="oval:ssg-test_krb5_server_version_1_17_18:tst:1" version="1">
           <linux:object object_ref="oval:ssg-obj_krb5_server_version_1_17_18:obj:1"/>
           <linux:state state_ref="oval:ssg-state_krb5_server_version_1_17_18:ste:1"/>
         </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="Kerberos workstaton version is lesser than 1.17-18" id="oval:ssg-test_krb5_workstation_version_1_17_18:tst:1" version="1">
+        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="Kerberos workstation version is lesser than 1.17-18" id="oval:ssg-test_krb5_workstation_version_1_17_18:tst:1" version="1">
           <linux:object object_ref="oval:ssg-obj_krb5_workstation_version_1_17_18:obj:1"/>
           <linux:state state_ref="oval:ssg-state_krb5_workstation_version_1_17_18:ste:1"/>
         </linux:rpminfo_test>
@@ -38039,11 +44740,6 @@ If properly configured, the output should indicate the following permissions:
           <ind:pattern operation="pattern match">^11.[0-9]+$</ind:pattern>
           <ind:instance datatype="int">1</ind:instance>
         </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_debian_9:obj:1" version="1" comment="Check Debian version">
-          <ind:filepath>/etc/debian_version</ind:filepath>
-          <ind:pattern operation="pattern match">^9.[0-9]+$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
         <linux:rpminfo_object id="oval:ssg-object_fedora_release_rpm:obj:1" version="1">
           <linux:name operation="pattern match">fedora-release.*</linux:name>
         </linux:rpminfo_object>
@@ -38199,6 +44895,11 @@ If properly configured, the output should indicate the following permissions:
           <ind:pattern operation="pattern match">^DISTRIB_CODENAME=focal$</ind:pattern>
           <ind:instance datatype="int">1</ind:instance>
         </ind:textfilecontent54_object>
+        <ind:textfilecontent54_object id="oval:ssg-obj_ubuntu_jammy:obj:1" version="1" comment="Check Ubuntu version">
+          <ind:filepath>/etc/lsb-release</ind:filepath>
+          <ind:pattern operation="pattern match">^DISTRIB_CODENAME=jammy$</ind:pattern>
+          <ind:instance datatype="int">1</ind:instance>
+        </ind:textfilecontent54_object>
         <linux:rpminfo_object id="oval:ssg-obj_uos20:obj:1" version="1">
           <linux:name>uos-release</linux:name>
         </linux:rpminfo_object>
@@ -38321,6 +45022,12 @@ If properly configured, the output should indicate the following permissions:
         <unix:file_object comment="Check file /run/.containerenv" id="oval:ssg-object_installed_env_is_a_podman_container:obj:1" version="1">
           <unix:filepath datatype="string">/run/.containerenv</unix:filepath>
         </unix:file_object>
+        <linux:partition_object id="oval:ssg-object_partition_tmp_exists:obj:1" version="1">
+          <linux:mount_point>/tmp</linux:mount_point>
+        </linux:partition_object>
+        <linux:partition_object id="oval:ssg-object_partition_var_tmp_exists:obj:1" version="1">
+          <linux:mount_point>/var/tmp</linux:mount_point>
+        </linux:partition_object>
         <linux:rpminfo_object id="oval:ssg-obj_krb5_server_version_1_17_18:obj:1" version="1">
           <linux:name>krb5-server</linux:name>
         </linux:rpminfo_object>
@@ -38641,9 +45348,6 @@ If properly configured, the output should indicate the following permissions:
         </unix:uname_state>
       </oval-def:states>
       <oval-def:variables>
-        <oval-def:local_variable id="oval:ssg-hypershift_hosted_cluster_location:var:1" datatype="string" comment="The actual filepath of the file to scan." version="1">
-          <oval-def:literal_component>/kubernetes-api-resources/apis/apiextensions.k8s.io/v1/customresourcedefinitions/hostedclusters.hypershift.openshift.io</oval-def:literal_component>
-        </oval-def:local_variable>
         <oval-def:local_variable id="oval:ssg-ocp4_infra_dump_location:var:1" datatype="string" comment="The actual filepath of the infra file to scan." version="1">
           <oval-def:literal_component>/kubernetes-api-resources/apis/config.openshift.io/v1/infrastructures/cluster</oval-def:literal_component>
         </oval-def:local_variable>
@@ -38656,6 +45360,9 @@ If properly configured, the output should indicate the following permissions:
         <oval-def:local_variable id="oval:ssg-ocp4_dump_location:var:1" datatype="string" comment="The actual filepath of the file to scan." version="1">
           <oval-def:literal_component>/kubernetes-api-resources/apis/config.openshift.io/v1/clusteroperators/openshift-apiserver</oval-def:literal_component>
         </oval-def:local_variable>
+        <oval-def:local_variable id="oval:ssg-hypershift_hosted_cluster_location:var:1" datatype="string" comment="The actual filepath of the file to scan." version="1">
+          <oval-def:literal_component>/kubernetes-api-resources/apis/apiextensions.k8s.io/v1/customresourcedefinitions/hostedclusters.hypershift.openshift.io</oval-def:literal_component>
+        </oval-def:local_variable>
       </oval-def:variables>
     </oval-def:oval_definitions>
   </ds:component>
diff --git a/images/testcontent/kubelet_default/ssg-rhcos4-ds.xml b/images/testcontent/kubelet_default/ssg-rhcos4-ds.xml
deleted file mode 100644
index 994645a6d..000000000
--- a/images/testcontent/kubelet_default/ssg-rhcos4-ds.xml
+++ /dev/null
@@ -1,112545 +0,0 @@
-<?xml version="1.0"?>
-<ds:data-stream-collection xmlns:cat="urn:oasis:names:tc:entity:xmlns:xml:catalog" xmlns:cpe-dict="http://cpe.mitre.org/dictionary/2.0" xmlns:cpe-lang="http://cpe.mitre.org/language/2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2" xmlns:html="http://www.w3.org/1999/xhtml" xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xmlns:linux="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" xmlns:ocil="http://scap.nist.gov/schema/ocil/2.0" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:unix="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="scap_org.open-scap_collection_from_xccdf_ssg-rhcos4-xccdf-1.2.xml" schematron-version="1.3">
-  <ds:data-stream id="scap_org.open-scap_datastream_from_xccdf_ssg-rhcos4-xccdf-1.2.xml" scap-version="1.3" use-case="OTHER">
-    <ds:dictionaries>
-      <ds:component-ref id="scap_org.open-scap_cref_ssg-rhcos4-cpe-dictionary.xml" xlink:href="#scap_org.open-scap_comp_ssg-rhcos4-cpe-dictionary.xml">
-        <cat:catalog>
-          <cat:uri name="ssg-rhcos4-cpe-oval.xml" uri="#scap_org.open-scap_cref_ssg-rhcos4-cpe-oval.xml"/>
-        </cat:catalog>
-      </ds:component-ref>
-    </ds:dictionaries>
-    <ds:checklists>
-      <ds:component-ref id="scap_org.open-scap_cref_ssg-rhcos4-xccdf-1.2.xml" xlink:href="#scap_org.open-scap_comp_ssg-rhcos4-xccdf-1.2.xml">
-        <cat:catalog>
-          <cat:uri name="ssg-rhcos4-oval.xml" uri="#scap_org.open-scap_cref_ssg-rhcos4-oval.xml"/>
-          <cat:uri name="ssg-rhcos4-ocil.xml" uri="#scap_org.open-scap_cref_ssg-rhcos4-ocil.xml"/>
-        </cat:catalog>
-      </ds:component-ref>
-    </ds:checklists>
-    <ds:checks>
-      <ds:component-ref id="scap_org.open-scap_cref_ssg-rhcos4-oval.xml" xlink:href="#scap_org.open-scap_comp_ssg-rhcos4-oval.xml"/>
-      <ds:component-ref id="scap_org.open-scap_cref_ssg-rhcos4-ocil.xml" xlink:href="#scap_org.open-scap_comp_ssg-rhcos4-ocil.xml"/>
-      <ds:component-ref id="scap_org.open-scap_cref_ssg-rhcos4-cpe-oval.xml" xlink:href="#scap_org.open-scap_comp_ssg-rhcos4-cpe-oval.xml"/>
-    </ds:checks>
-  </ds:data-stream>
-  <ds:component id="scap_org.open-scap_comp_ssg-rhcos4-cpe-dictionary.xml" timestamp="2022-08-11T18:55:33">
-    <cpe-dict:cpe-list xsi:schemaLocation="http://cpe.mitre.org/dictionary/2.0 http://cpe.mitre.org/files/cpe-dictionary_2.1.xsd">
-      <cpe-dict:cpe-item name="cpe:/a:aarch64_arch">
-        <cpe-dict:title xml:lang="en-us">System architecture is AARCH64</cpe-dict:title>
-        <cpe-dict:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml">oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1</cpe-dict:check>
-      </cpe-dict:cpe-item>
-      <cpe-dict:cpe-item name="cpe:/a:audit">
-        <cpe-dict:title xml:lang="en-us">Package audit is installed</cpe-dict:title>
-        <cpe-dict:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml">oval:ssg-installed_env_has_audit_package:def:1</cpe-dict:check>
-      </cpe-dict:cpe-item>
-      <cpe-dict:cpe-item name="cpe:/a:chrony">
-        <cpe-dict:title xml:lang="en-us">Package chrony is installed</cpe-dict:title>
-        <cpe-dict:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml">oval:ssg-installed_env_has_chrony_package:def:1</cpe-dict:check>
-      </cpe-dict:cpe-item>
-      <cpe-dict:cpe-item name="cpe:/a:gdm">
-        <cpe-dict:title xml:lang="en-us">Package gdm is installed</cpe-dict:title>
-        <cpe-dict:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml">oval:ssg-installed_env_has_gdm_package:def:1</cpe-dict:check>
-      </cpe-dict:cpe-item>
-      <cpe-dict:cpe-item name="cpe:/a:grub2">
-        <cpe-dict:title xml:lang="en-us">Package grub2 is installed</cpe-dict:title>
-        <cpe-dict:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml">oval:ssg-installed_env_has_grub2_package:def:1</cpe-dict:check>
-      </cpe-dict:cpe-item>
-      <cpe-dict:cpe-item name="cpe:/a:login_defs">
-        <cpe-dict:title xml:lang="en-us">Package providing /etc/login.defs is installed</cpe-dict:title>
-        <cpe-dict:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml">oval:ssg-installed_env_has_login_defs:def:1</cpe-dict:check>
-      </cpe-dict:cpe-item>
-      <cpe-dict:cpe-item name="cpe:/a:machine">
-        <cpe-dict:title xml:lang="en-us">Bare-metal or Virtual Machine</cpe-dict:title>
-        <cpe-dict:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml">oval:ssg-installed_env_is_a_machine:def:1</cpe-dict:check>
-      </cpe-dict:cpe-item>
-      <cpe-dict:cpe-item name="cpe:/a:non-uefi">
-        <cpe-dict:title xml:lang="en-us">System boot mode is non-UEFI</cpe-dict:title>
-        <cpe-dict:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml">oval:ssg-system_boot_mode_is_non_uefi:def:1</cpe-dict:check>
-      </cpe-dict:cpe-item>
-      <cpe-dict:cpe-item name="cpe:/a:not_s390x_arch">
-        <cpe-dict:title xml:lang="en-us">System architecture is not S390X</cpe-dict:title>
-        <cpe-dict:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml">oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1</cpe-dict:check>
-      </cpe-dict:cpe-item>
-      <cpe-dict:cpe-item name="cpe:/a:ntp">
-        <cpe-dict:title xml:lang="en-us">Package ntp is installed</cpe-dict:title>
-        <cpe-dict:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml">oval:ssg-installed_env_has_ntp_package:def:1</cpe-dict:check>
-      </cpe-dict:cpe-item>
-      <cpe-dict:cpe-item name="cpe:/a:pam">
-        <cpe-dict:title xml:lang="en-us">Package pam is installed</cpe-dict:title>
-        <cpe-dict:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml">oval:ssg-installed_env_has_pam_package:def:1</cpe-dict:check>
-      </cpe-dict:cpe-item>
-      <cpe-dict:cpe-item name="cpe:/a:polkit">
-        <cpe-dict:title xml:lang="en-us">Package polkit is installed</cpe-dict:title>
-        <cpe-dict:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml">oval:ssg-installed_env_has_polkit_package:def:1</cpe-dict:check>
-      </cpe-dict:cpe-item>
-      <cpe-dict:cpe-item name="cpe:/a:postfix">
-        <cpe-dict:title xml:lang="en-us">Package postfix is installed</cpe-dict:title>
-        <cpe-dict:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml">oval:ssg-installed_env_has_postfix_package:def:1</cpe-dict:check>
-      </cpe-dict:cpe-item>
-      <cpe-dict:cpe-item name="cpe:/a:s390x_arch">
-        <cpe-dict:title xml:lang="en-us">System architecture is S390X</cpe-dict:title>
-        <cpe-dict:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml">oval:ssg-proc_sys_kernel_osrelease_arch_s390x:def:1</cpe-dict:check>
-      </cpe-dict:cpe-item>
-      <cpe-dict:cpe-item name="cpe:/a:sssd">
-        <cpe-dict:title xml:lang="en-us">Package sssd-common is installed</cpe-dict:title>
-        <cpe-dict:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml">oval:ssg-installed_env_has_sssd-common_package:def:1</cpe-dict:check>
-      </cpe-dict:cpe-item>
-      <cpe-dict:cpe-item name="cpe:/a:sudo">
-        <cpe-dict:title xml:lang="en-us">Package sudo is installed</cpe-dict:title>
-        <cpe-dict:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml">oval:ssg-installed_env_has_sudo_package:def:1</cpe-dict:check>
-      </cpe-dict:cpe-item>
-      <cpe-dict:cpe-item name="cpe:/a:systemd">
-        <cpe-dict:title xml:lang="en-us">Package systemd is installed</cpe-dict:title>
-        <cpe-dict:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml">oval:ssg-installed_env_has_systemd_package:def:1</cpe-dict:check>
-      </cpe-dict:cpe-item>
-      <cpe-dict:cpe-item name="cpe:/a:tmux">
-        <cpe-dict:title xml:lang="en-us">Package tmux is installed</cpe-dict:title>
-        <cpe-dict:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml">oval:ssg-installed_env_has_tmux_package:def:1</cpe-dict:check>
-      </cpe-dict:cpe-item>
-      <cpe-dict:cpe-item name="cpe:/a:uefi">
-        <cpe-dict:title xml:lang="en-us">System boot mode is UEFI</cpe-dict:title>
-        <cpe-dict:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml">oval:ssg-system_boot_mode_is_uefi:def:1</cpe-dict:check>
-      </cpe-dict:cpe-item>
-      <cpe-dict:cpe-item name="cpe:/a:usbguard">
-        <cpe-dict:title xml:lang="en-us">Package usbguard is installed</cpe-dict:title>
-        <cpe-dict:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml">oval:ssg-installed_env_has_usbguard_package:def:1</cpe-dict:check>
-      </cpe-dict:cpe-item>
-      <cpe-dict:cpe-item name="cpe:/a:wifi-iface">
-        <cpe-dict:title xml:lang="en-us">WiFi interface is present</cpe-dict:title>
-        <cpe-dict:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml">oval:ssg-installed_env_has_wifi_interface:def:1</cpe-dict:check>
-      </cpe-dict:cpe-item>
-      <cpe-dict:cpe-item name="cpe:/o:redhat:enterprise_linux_coreos:4">
-        <cpe-dict:title xml:lang="en-us">Red Hat Enterprise Linux CoreOS 4</cpe-dict:title>
-        <cpe-dict:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5" href="ssg-rhcos4-cpe-oval.xml">oval:ssg-installed_OS_is_rhcos4:def:1</cpe-dict:check>
-      </cpe-dict:cpe-item>
-    </cpe-dict:cpe-list>
-  </ds:component>
-  <ds:component id="scap_org.open-scap_comp_ssg-rhcos4-xccdf-1.2.xml" timestamp="2022-08-11T18:55:34">
-    <xccdf-1.2:Benchmark id="xccdf_org.ssgproject.content_benchmark_RHCOS-4" xsi:schemaLocation="http://checklists.nist.gov/xccdf/1.1 xccdf-1.1.4.xsd" style="SCAP_1.2" resolved="true" xml:lang="en-US">
-      <xccdf-1.2:status date="2022-08-11">draft</xccdf-1.2:status>
-      <xccdf-1.2:title>Guide to the Secure Configuration of Red Hat Enterprise Linux CoreOS 4</xccdf-1.2:title>
-      <xccdf-1.2:description>This guide presents a catalog of security-relevant
-configuration settings for Red Hat Enterprise Linux CoreOS 4. It is a rendering of
-content structured in the eXtensible Configuration Checklist Description Format (XCCDF)
-in order to support security automation.  The SCAP content is
-is available in the <html:code>scap-security-guide</html:code> package which is developed at
-
-    <html:a href="https://www.open-scap.org/security-policies/scap-security-guide">https://www.open-scap.org/security-policies/scap-security-guide</html:a>.
-<html:br/><html:br/>
-Providing system administrators with such guidance informs them how to securely
-configure systems under their control in a variety of network roles. Policy
-makers and baseline creators can use this catalog of settings, with its
-associated references to higher-level security control catalogs, in order to
-assist them in security baseline creation. This guide is a <html:em>catalog, not a
-checklist</html:em>, and satisfaction of every item is not likely to be possible or
-sensible in many operational scenarios. However, the XCCDF format enables
-granular selection and adjustment of settings, and their association with OVAL
-and OCIL content provides an automated checking capability. Transformations of
-this document, and its associated automated checking content, are capable of
-providing baselines that meet a diverse set of policy objectives. Some example
-XCCDF <html:em>Profiles</html:em>, which are selections of items that form checklists and
-can be used as baselines, are available with this guide. They can be
-processed, in an automated fashion, with tools that support the Security
-Content Automation Protocol (SCAP). The DISA STIG, which provides required
-settings for US Department of Defense systems, is one example of a baseline
-created from this guidance.
-</xccdf-1.2:description>
-      <xccdf-1.2:notice id="terms_of_use">Do not attempt to implement any of the settings in
-this guide without first testing them in a non-operational environment. The
-creators of this guidance assume no responsibility whatsoever for its use by
-other parties, and makes no guarantees, expressed or implied, about its
-quality, reliability, or any other characteristic.
-</xccdf-1.2:notice>
-      <xccdf-1.2:front-matter>The SCAP Security Guide Project<html:br/>
-
-    <html:a href="https://www.open-scap.org/security-policies/scap-security-guide">https://www.open-scap.org/security-policies/scap-security-guide</html:a>
-</xccdf-1.2:front-matter>
-      <xccdf-1.2:rear-matter>Red Hat and Red Hat Enterprise Linux are either registered
-trademarks or trademarks of Red Hat, Inc. in the United States and other
-countries. All other names are registered trademarks or trademarks of their
-respective companies.</xccdf-1.2:rear-matter>
-      <cpe-lang:platform-specification>
-        <cpe-lang:platform id="machine">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:fact-ref name="cpe:/a:machine"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="postfix">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:fact-ref name="cpe:/a:postfix"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="chrony_or_ntp">
-          <cpe-lang:logical-test operator="OR" negate="false">
-            <cpe-lang:fact-ref name="cpe:/a:chrony"/>
-            <cpe-lang:fact-ref name="cpe:/a:ntp"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="machine_and_chrony_or_ntp">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:logical-test operator="OR" negate="false">
-              <cpe-lang:fact-ref name="cpe:/a:chrony"/>
-              <cpe-lang:fact-ref name="cpe:/a:ntp"/>
-            </cpe-lang:logical-test>
-            <cpe-lang:fact-ref name="cpe:/a:machine"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="chrony">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:fact-ref name="cpe:/a:chrony"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="ntp">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:fact-ref name="cpe:/a:ntp"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="sssd">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:fact-ref name="cpe:/a:sssd"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="not_s390x_arch">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:fact-ref name="cpe:/a:not_s390x_arch"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="usbguard">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:fact-ref name="cpe:/a:usbguard"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="gdm">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:fact-ref name="cpe:/a:gdm"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="pam">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:fact-ref name="cpe:/a:pam"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="tmux">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:fact-ref name="cpe:/a:tmux"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="systemd">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:fact-ref name="cpe:/a:systemd"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="grub2">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:fact-ref name="cpe:/a:grub2"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="login_defs">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:fact-ref name="cpe:/a:login_defs"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="audit">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:fact-ref name="cpe:/a:audit"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="non-uefi">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:fact-ref name="cpe:/a:non-uefi"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="uefi">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:fact-ref name="cpe:/a:uefi"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="s390x_arch">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:fact-ref name="cpe:/a:s390x_arch"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="aarch64_arch">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:fact-ref name="cpe:/a:aarch64_arch"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="wifi-iface">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:fact-ref name="cpe:/a:wifi-iface"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="polkit">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:fact-ref name="cpe:/a:polkit"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-        <cpe-lang:platform id="sudo">
-          <cpe-lang:logical-test operator="AND" negate="false">
-            <cpe-lang:fact-ref name="cpe:/a:sudo"/>
-          </cpe-lang:logical-test>
-        </cpe-lang:platform>
-      </cpe-lang:platform-specification>
-      <xccdf-1.2:platform idref="cpe:/o:redhat:enterprise_linux_coreos:4"/>
-      <xccdf-1.2:version update="https://github.com/ComplianceAsCode/content/releases/latest">0.1.64</xccdf-1.2:version>
-      <xccdf-1.2:metadata>
-        <dc:publisher>SCAP Security Guide Project</dc:publisher>
-        <dc:creator>SCAP Security Guide Project</dc:creator>
-        <dc:contributor>Frank J Cameron (CAM1244) &lt;cameron@ctc.com&gt;</dc:contributor>
-        <dc:contributor>0x66656c6978 &lt;0x66656c6978@users.noreply.github.com&gt;</dc:contributor>
-        <dc:contributor>H&#xE5;vard F. Aasen &lt;havard.f.aasen@pfft.no&gt;</dc:contributor>
-        <dc:contributor>Jack Adolph &lt;jack.adolph@gmail.com&gt;</dc:contributor>
-        <dc:contributor>Edgar Aguilar &lt;edgar.aguilar@oracle.com&gt;</dc:contributor>
-        <dc:contributor>Gabe Alford &lt;redhatrises@gmail.com&gt;</dc:contributor>
-        <dc:contributor>Firas AlShafei &lt;firas.alshafei@us.abb.com&gt;</dc:contributor>
-        <dc:contributor>Rodrigo Alvares &lt;ralvares@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Christopher Anderson &lt;cba@fedoraproject.org&gt;</dc:contributor>
-        <dc:contributor>angystardust &lt;angystardust@users.noreply.github.com&gt;</dc:contributor>
-        <dc:contributor>anivan-suse &lt;anastasija.ivanovic@suse.com&gt;</dc:contributor>
-        <dc:contributor>anixon-rh &lt;55244503+anixon-rh@users.noreply.github.com&gt;</dc:contributor>
-        <dc:contributor>Ikko Ashimine &lt;eltociear@gmail.com&gt;</dc:contributor>
-        <dc:contributor>Chuck Atkins &lt;chuck.atkins@kitware.com&gt;</dc:contributor>
-        <dc:contributor>ayfantis &lt;ayfantis@localhost.localdomain&gt;</dc:contributor>
-        <dc:contributor>Ryan Ballanger &lt;root@rballang-admin-2.fastenal.com&gt;</dc:contributor>
-        <dc:contributor>Alex Baranowski &lt;alex@euro-linux.com&gt;</dc:contributor>
-        <dc:contributor>Eduardo Barretto &lt;eduardo.barretto@canonical.com&gt;</dc:contributor>
-        <dc:contributor>Molly Jo Bault &lt;Molly.Jo.Bault@ballardtech.com&gt;</dc:contributor>
-        <dc:contributor>Andrew Becker &lt;A-Beck@users.noreply.github.com&gt;</dc:contributor>
-        <dc:contributor>Gabriel Becker &lt;ggasparb@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Alexander Bergmann &lt;abergmann@suse.com&gt;</dc:contributor>
-        <dc:contributor>Dale Bewley &lt;dale@bewley.net&gt;</dc:contributor>
-        <dc:contributor>Jose Luis BG &lt;bgjoseluis@gmail.com&gt;</dc:contributor>
-        <dc:contributor>binyanling &lt;binyanling@uniontech.com&gt;</dc:contributor>
-        <dc:contributor>Joseph Bisch &lt;joseph.bisch@gmail.com&gt;</dc:contributor>
-        <dc:contributor>Jeffrey Blank &lt;blank@eclipse.ncsc.mil&gt;</dc:contributor>
-        <dc:contributor>Olivier Bonhomme &lt;ptitoliv@ptitoliv.net&gt;</dc:contributor>
-        <dc:contributor>Lance Bragstad &lt;lbragstad@gmail.com&gt;</dc:contributor>
-        <dc:contributor>Ted Brunell &lt;tbrunell@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Marcus Burghardt &lt;maburgha@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Matthew Burket &lt;mburket@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Blake Burkhart &lt;blake.burkhart@us.af.mil&gt;</dc:contributor>
-        <dc:contributor>Patrick Callahan &lt;pmc@patrickcallahan.com&gt;</dc:contributor>
-        <dc:contributor>George Campbell &lt;gcampbell@palantir.com&gt;</dc:contributor>
-        <dc:contributor>Nick Carboni &lt;ncarboni@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Carlos &lt;64919342+carlosmmatos@users.noreply.github.com&gt;</dc:contributor>
-        <dc:contributor>James Cassell &lt;james.cassell@ll.mit.edu&gt;</dc:contributor>
-        <dc:contributor>Frank Caviggia &lt;fcaviggi@ra.iad.redhat.com&gt;</dc:contributor>
-        <dc:contributor>Eric Christensen &lt;echriste@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Dan Clark &lt;danclark@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Jayson Cofell &lt;1051437+70k10@users.noreply.github.com&gt;</dc:contributor>
-        <dc:contributor>Caleb Cooper &lt;coopercd@ornl.gov&gt;</dc:contributor>
-        <dc:contributor>Richard Maciel Costa &lt;richard.maciel.costa@canonical.com&gt;</dc:contributor>
-        <dc:contributor>Deric Crago &lt;deric.crago@gmail.com&gt;</dc:contributor>
-        <dc:contributor>crleekwc &lt;crleekwc@gmail.com&gt;</dc:contributor>
-        <dc:contributor>cyarbrough76 &lt;42849651+cyarbrough76@users.noreply.github.com&gt;</dc:contributor>
-        <dc:contributor>Maura Dailey &lt;maura@eclipse.ncsc.mil&gt;</dc:contributor>
-        <dc:contributor>Klaas Demter &lt;demter@atix.de&gt;</dc:contributor>
-        <dc:contributor>dhanushkar-wso2 &lt;dhanushkar@wso2.com&gt;</dc:contributor>
-        <dc:contributor>Andrew DiPrinzio &lt;andrew.diprinzio@jhuapl.edu&gt;</dc:contributor>
-        <dc:contributor>dom &lt;dominique.blaze@devinci.fr&gt;</dc:contributor>
-        <dc:contributor>Jean-Baptiste Donnette &lt;jean-baptiste.donnette@epita.fr&gt;</dc:contributor>
-        <dc:contributor>Marco De Donno &lt;mdedonno1337@gmail.com&gt;</dc:contributor>
-        <dc:contributor>dperrone &lt;dperrone@redhat.com&gt;</dc:contributor>
-        <dc:contributor>drax &lt;applezip@gmail.com&gt;</dc:contributor>
-        <dc:contributor>Sebastian Dunne &lt;sdunne@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Fran&#xE7;ois Duthilleul &lt;francoisduthilleul@gmail.com&gt;</dc:contributor>
-        <dc:contributor>Greg Elin &lt;gregelin@gitmachines.com&gt;</dc:contributor>
-        <dc:contributor>eradot4027 &lt;jrtonmac@gmail.com&gt;</dc:contributor>
-        <dc:contributor>Alexis Facques &lt;alexis.facques@mythalesgroup.io&gt;</dc:contributor>
-        <dc:contributor>Leah Fisher &lt;lfisher047@gmail.com&gt;</dc:contributor>
-        <dc:contributor>Yavor Georgiev &lt;strandjata@gmail.com&gt;</dc:contributor>
-        <dc:contributor>Alijohn Ghassemlouei &lt;alijohn@secureagc.com&gt;</dc:contributor>
-        <dc:contributor>Swarup Ghosh &lt;swghosh@redhat.com&gt;</dc:contributor>
-        <dc:contributor>ghylock &lt;ghylock@gmail.com&gt;</dc:contributor>
-        <dc:contributor>Andrew Gilmore &lt;agilmore2@gmail.com&gt;</dc:contributor>
-        <dc:contributor>Joshua Glemza &lt;jglemza@nasa.gov&gt;</dc:contributor>
-        <dc:contributor>Nick Gompper &lt;forestgomp@yahoo.com&gt;</dc:contributor>
-        <dc:contributor>Loren Gordon &lt;lorengordon@users.noreply.github.com&gt;</dc:contributor>
-        <dc:contributor>Patrik Greco &lt;sikevux@sikevux.se&gt;</dc:contributor>
-        <dc:contributor>Steve Grubb &lt;sgrubb@redhat.com&gt;</dc:contributor>
-        <dc:contributor>guangyee &lt;gyee@suse.com&gt;</dc:contributor>
-        <dc:contributor>Marek Haicman &lt;mhaicman@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Vern Hart &lt;vern.hart@canonical.com&gt;</dc:contributor>
-        <dc:contributor>Alex Haydock &lt;alex@alexhaydock.co.uk&gt;</dc:contributor>
-        <dc:contributor>Rebekah Hayes &lt;rhayes@corp.rivierautilities.com&gt;</dc:contributor>
-        <dc:contributor>Trey Henefield &lt;thenefield@gmail.com&gt;</dc:contributor>
-        <dc:contributor>Henning Henkel &lt;henning.henkel@helvetia.ch&gt;</dc:contributor>
-        <dc:contributor>hex2a &lt;hex2a@users.noreply.github.com&gt;</dc:contributor>
-        <dc:contributor>John Hooks &lt;jhooks@starscream.pa.jhbcomputers.com&gt;</dc:contributor>
-        <dc:contributor>Jakub Hrozek &lt;jhrozek@redhat.com&gt;</dc:contributor>
-        <dc:contributor>De Huo &lt;De.Huo@windriver.com&gt;</dc:contributor>
-        <dc:contributor>Robin Price II &lt;robin@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Yasir Imam &lt;yimam@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Jiri Jaburek &lt;jjaburek@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Keith Jackson &lt;keithkjackson@gmail.com&gt;</dc:contributor>
-        <dc:contributor>Jeremiah Jahn &lt;jeremiah@goodinassociates.com&gt;</dc:contributor>
-        <dc:contributor>Jakub Jelen &lt;jjelen@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Jessicahfy &lt;Jessicahfy@users.noreply.github.com&gt;</dc:contributor>
-        <dc:contributor>Stephan Joerrens &lt;Stephan.Joerrens@fiduciagad.de&gt;</dc:contributor>
-        <dc:contributor>Hunter Jones &lt;hjones2199@gmail.com&gt;</dc:contributor>
-        <dc:contributor>Jono &lt;jono@ubuntu-18.localdomain&gt;</dc:contributor>
-        <dc:contributor>justchris1 &lt;justchris1@justchris1.email&gt;</dc:contributor>
-        <dc:contributor>Kai Kang &lt;kai.kang@windriver.com&gt;</dc:contributor>
-        <dc:contributor>Charles Kernstock &lt;charles.kernstock@ultra-ats.com&gt;</dc:contributor>
-        <dc:contributor>Yuli Khodorkovskiy &lt;ykhodorkovskiy@tresys.com&gt;</dc:contributor>
-        <dc:contributor>Sherine Khoury &lt;skhoury@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Nathan Kinder &lt;nkinder@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Lee Kinser &lt;lee.kinser@gmail.com&gt;</dc:contributor>
-        <dc:contributor>Evgeny Kolesnikov &lt;ekolesni@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Peter 'Pessoft' Kol&#xED;nek &lt;github@pessoft.com&gt;</dc:contributor>
-        <dc:contributor>Luke Kordell &lt;luke.t.kordell@lmco.com&gt;</dc:contributor>
-        <dc:contributor>Malte Kraus &lt;malte.kraus@suse.com&gt;</dc:contributor>
-        <dc:contributor>Seth Kress &lt;seth.kress@dsainc.com&gt;</dc:contributor>
-        <dc:contributor>Felix Krohn &lt;felix.krohn@helvetia.ch&gt;</dc:contributor>
-        <dc:contributor>kspargur &lt;kspargur@kspargur.csb&gt;</dc:contributor>
-        <dc:contributor>Amit Kumar &lt;amitkuma@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Fen Labalme &lt;fen@civicactions.com&gt;</dc:contributor>
-        <dc:contributor>Ade Lee &lt;alee@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Christopher Lee &lt;Crleekwc@gmail.com&gt;</dc:contributor>
-        <dc:contributor>Ian Lee &lt;lee1001@llnl.gov&gt;</dc:contributor>
-        <dc:contributor>Jarrett Lee &lt;jarrettl@umd.edu&gt;</dc:contributor>
-        <dc:contributor>Joseph Lenox &lt;joseph.lenox@collins.com&gt;</dc:contributor>
-        <dc:contributor>Jan Lieskovsky &lt;jlieskov@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Markus Linnala &lt;Markus.Linnala@knowit.fi&gt;</dc:contributor>
-        <dc:contributor>&#x160;imon Luka&#x161;&#xED;k &lt;slukasik@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Milan Lysonek &lt;mlysonek@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Fredrik Lys&#xE9;n &lt;fredrik@pipemore.se&gt;</dc:contributor>
-        <dc:contributor>Caitlin Macleod &lt;caitelatte@gmail.com&gt;</dc:contributor>
-        <dc:contributor>Nick Maludy &lt;nmaludy@gmail.com&gt;</dc:contributor>
-        <dc:contributor>Lokesh Mandvekar &lt;lsm5@fedoraproject.org&gt;</dc:contributor>
-        <dc:contributor>Matus Marhefka &lt;mmarhefk@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Jamie Lorwey Martin &lt;jlmartin@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Carlos Matos &lt;cmatos@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Robert McAllister &lt;rmcallis@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Karen McCarron &lt;kmccarro@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Michael McConachie &lt;michael@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Marcus Meissner &lt;meissner@suse.de&gt;</dc:contributor>
-        <dc:contributor>Khary Mendez &lt;kmendez@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Rodney Mercer &lt;rmercer@harris.com&gt;</dc:contributor>
-        <dc:contributor>mgjadoul &lt;mgjadoul@laptomatic.auth-o-matic.corp&gt;</dc:contributor>
-        <dc:contributor>Matt Micene &lt;nzwulfin@gmail.com&gt;</dc:contributor>
-        <dc:contributor>Brian Millett &lt;bmillett@gmail.com&gt;</dc:contributor>
-        <dc:contributor>Takuya Mishina &lt;tmishina@jp.ibm.com&gt;</dc:contributor>
-        <dc:contributor>Mixer9 &lt;35545791+Mixer9@users.noreply.github.com&gt;</dc:contributor>
-        <dc:contributor>mmosel &lt;mmosel@kde.example.com&gt;</dc:contributor>
-        <dc:contributor>Zbynek Moravec &lt;zmoravec@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Kazuo Moriwaka &lt;moriwaka@users.noreply.github.com&gt;</dc:contributor>
-        <dc:contributor>Michael Moseley &lt;michael@eclipse.ncsc.mil&gt;</dc:contributor>
-        <dc:contributor>Renaud M&#xE9;trich &lt;rmetrich@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Joe Nall &lt;joe@nall.com&gt;</dc:contributor>
-        <dc:contributor>Neiloy &lt;neiloy@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Axel Nennker &lt;axel@nennker.de&gt;</dc:contributor>
-        <dc:contributor>Michele Newman &lt;mnewman@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Sean O'Keeffe &lt;seanokeeffe797@gmail.com&gt;</dc:contributor>
-        <dc:contributor>Jiri Odehnal &lt;jodehnal@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Ilya Okomin &lt;ilya.okomin@oracle.com&gt;</dc:contributor>
-        <dc:contributor>Kaustubh Padegaonkar &lt;theTuxRacer@gmail.com&gt;</dc:contributor>
-        <dc:contributor>Michael Palmiotto &lt;mpalmiotto@tresys.com&gt;</dc:contributor>
-        <dc:contributor>Eryx Paredes &lt;eryxp@lyft.com&gt;</dc:contributor>
-        <dc:contributor>Max R.D. Parmer &lt;maxp@trystero.is&gt;</dc:contributor>
-        <dc:contributor>Arnaud Patard &lt;apatard@hupstream.com&gt;</dc:contributor>
-        <dc:contributor>Jan Pazdziora &lt;jpazdziora@redhat.com&gt;</dc:contributor>
-        <dc:contributor>pcactr &lt;paul.c.arnold4.ctr@mail.mil&gt;</dc:contributor>
-        <dc:contributor>Kenneth Peeples &lt;kennethwpeeples@gmail.com&gt;</dc:contributor>
-        <dc:contributor>Nathan Peters &lt;Nathaniel.Peters@ca.com&gt;</dc:contributor>
-        <dc:contributor>Frank Lin PIAT &lt;fpiat@klabs.be&gt;</dc:contributor>
-        <dc:contributor>Stefan Pietsch &lt;mail.ipv4v6+gh@gmail.com&gt;</dc:contributor>
-        <dc:contributor>piggyvenus &lt;piggyvenus@gmail.com&gt;</dc:contributor>
-        <dc:contributor>Vojtech Polasek &lt;vpolasek@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Orion Poplawski &lt;orion@nwra.com&gt;</dc:contributor>
-        <dc:contributor>Nick Poyant &lt;npoyant@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Martin Preisler &lt;mpreisle@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Wesley Ceraso Prudencio &lt;wcerasop@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Raphael Sanchez Prudencio &lt;rsprudencio@redhat.com&gt;</dc:contributor>
-        <dc:contributor>T.O. Radzy Radzykewycz &lt;radzy@windriver.com&gt;</dc:contributor>
-        <dc:contributor>Kenyon Ralph &lt;kenyon@kenyonralph.com&gt;</dc:contributor>
-        <dc:contributor>Mike Ralph &lt;mralph@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Federico Ramirez &lt;federico.r.ramirez@oracle.com&gt;</dc:contributor>
-        <dc:contributor>rchikov &lt;rumen.chikov@suse.com&gt;</dc:contributor>
-        <dc:contributor>Rick Renshaw &lt;Richard_Renshaw@xtoenergy.com&gt;</dc:contributor>
-        <dc:contributor>Chris Reynolds &lt;c.reynolds82@gmail.com&gt;</dc:contributor>
-        <dc:contributor>rhayes &lt;rhayes@rivierautilities.com&gt;</dc:contributor>
-        <dc:contributor>Pat Riehecky &lt;riehecky@fnal.gov&gt;</dc:contributor>
-        <dc:contributor>rlucente-se-jboss &lt;rlucente@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Juan Antonio Osorio Robles &lt;juan.osoriorobles@eu.equinix.com&gt;</dc:contributor>
-        <dc:contributor>Matt Rogers &lt;mrogers@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Jesse Roland &lt;jesse.roland@onyxpoint.com&gt;</dc:contributor>
-        <dc:contributor>Joshua Roys &lt;roysjosh@gmail.com&gt;</dc:contributor>
-        <dc:contributor>rrenshaw &lt;bofh69@yahoo.com&gt;</dc:contributor>
-        <dc:contributor>Chris Ruffalo &lt;chris.ruffalo@gmail.com&gt;</dc:contributor>
-        <dc:contributor>rumch-se &lt;77793453+rumch-se@users.noreply.github.com&gt;</dc:contributor>
-        <dc:contributor>Ray Shaw (Cont ARL/CISD) rvshaw &lt;rvshaw@esme.arl.army.mil&gt;</dc:contributor>
-        <dc:contributor>Earl Sampson &lt;ESampson@suse.com&gt;</dc:contributor>
-        <dc:contributor>sampsone &lt;esampson@suse.com&gt;</dc:contributor>
-        <dc:contributor>Willy Santos &lt;wsantos@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Nagarjuna Sarvepalli &lt;snagarju@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Anderson Sasaki &lt;33833274+ansasaki@users.noreply.github.com&gt;</dc:contributor>
-        <dc:contributor>Gautam Satish &lt;gautams@hpe.com&gt;</dc:contributor>
-        <dc:contributor>Watson Sato &lt;wsato@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Satoru SATOH &lt;satoru.satoh@gmail.com&gt;</dc:contributor>
-        <dc:contributor>Alexander Scheel &lt;ascheel@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Bryan Schneiders &lt;pschneiders@trisept.com&gt;</dc:contributor>
-        <dc:contributor>shaneboulden &lt;shane.boulden@gmail.com&gt;</dc:contributor>
-        <dc:contributor>Vincent Shen &lt;47534281+Vincent056@users.noreply.github.com&gt;</dc:contributor>
-        <dc:contributor>Dhriti Shikhar &lt;dhriti.shikhar.rokz@gmail.com&gt;</dc:contributor>
-        <dc:contributor>Spencer Shimko &lt;sshimko@tresys.com&gt;</dc:contributor>
-        <dc:contributor>Mark Shoger &lt;mshoger@redhat.com&gt;</dc:contributor>
-        <dc:contributor>THOBY Simon &lt;Simon.THOBY@viveris.fr&gt;</dc:contributor>
-        <dc:contributor>Thomas Sj&#xF6;gren &lt;konstruktoid@users.noreply.github.com&gt;</dc:contributor>
-        <dc:contributor>Francisco Slavin &lt;fslavin@tresys.com&gt;</dc:contributor>
-        <dc:contributor>David Smith &lt;dsmith@eclipse.ncsc.mil&gt;</dc:contributor>
-        <dc:contributor>Kevin Spargur &lt;kspargur@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Kenneth Stailey &lt;kstailey.lists@gmail.com&gt;</dc:contributor>
-        <dc:contributor>Leland Steinke &lt;leland.j.steinke.ctr@mail.mil&gt;</dc:contributor>
-        <dc:contributor>Justin Stephenson &lt;jstephen@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Brian Stinson &lt;brian@bstinson.com&gt;</dc:contributor>
-        <dc:contributor>Jake Stookey &lt;jakestookey@gmail.com&gt;</dc:contributor>
-        <dc:contributor>Jonathan Sturges &lt;jsturges@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Ian Tewksbury &lt;itewk@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Philippe Thierry &lt;phil@reseau-libre.net&gt;</dc:contributor>
-        <dc:contributor>Derek Thurston &lt;thegrit@gmail.com&gt;</dc:contributor>
-        <dc:contributor>tianzhenjia &lt;jiatianzhen@cmss.chinamobile.com&gt;</dc:contributor>
-        <dc:contributor>Greg Tinsley &lt;gtinsley@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Paul Tittle &lt;ptittle@cmf.nrl.navy.mil&gt;</dc:contributor>
-        <dc:contributor>tom &lt;tom@localhost.localdomain&gt;</dc:contributor>
-        <dc:contributor>tomas.hudik &lt;tomas.hudik@embedit.cz&gt;</dc:contributor>
-        <dc:contributor>Jeb Trayer &lt;jeb.d.trayer@uscg.mil&gt;</dc:contributor>
-        <dc:contributor>TrilokGeer &lt;tgeer@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Viktors Trubovics &lt;viktors.trubovics@suse.com&gt;</dc:contributor>
-        <dc:contributor>Nico Truzzolino &lt;nico.truzzolino@gmx.de&gt;</dc:contributor>
-        <dc:contributor>Brian Turek &lt;brian.turek@gmail.com&gt;</dc:contributor>
-        <dc:contributor>Mat&#x11B;j T&#xFD;&#x10D; &lt;matyc@redhat.com&gt;</dc:contributor>
-        <dc:contributor>VadimDor &lt;29509093+VadimDor@users.noreply.github.com&gt;</dc:contributor>
-        <dc:contributor>Trevor Vaughan &lt;tvaughan@onyxpoint.com&gt;</dc:contributor>
-        <dc:contributor>vtrubovics &lt;82443408+vtrubovics@users.noreply.github.com&gt;</dc:contributor>
-        <dc:contributor>Samuel Warren &lt;swarren@redhat.com&gt;</dc:contributor>
-        <dc:contributor>wcushen &lt;54533890+wcushen@users.noreply.github.com&gt;</dc:contributor>
-        <dc:contributor>Shawn Wells &lt;shawn@shawndwells.io&gt;</dc:contributor>
-        <dc:contributor>Daniel E. White &lt;linuxdan@users.noreply.github.com&gt;</dc:contributor>
-        <dc:contributor>Bernhard M. Wiedemann &lt;bwiedemann@suse.de&gt;</dc:contributor>
-        <dc:contributor>Roy Williams &lt;roywilli@roywilli.redhat.com&gt;</dc:contributor>
-        <dc:contributor>Willumpie &lt;willumpie@xs4all.nl&gt;</dc:contributor>
-        <dc:contributor>Rob Wilmoth &lt;rwilmoth@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Lucas Yamanishi &lt;lucas.yamanishi@onyxpoint.com&gt;</dc:contributor>
-        <dc:contributor>Xirui Yang &lt;xirui.yang@oracle.com&gt;</dc:contributor>
-        <dc:contributor>yarunachalam &lt;yarunachalam@suse.com&gt;</dc:contributor>
-        <dc:contributor>Guang Yee &lt;guang.yee@suse.com&gt;</dc:contributor>
-        <dc:contributor>Achilleas John Yfantis &lt;ayfantis@redhat.com&gt;</dc:contributor>
-        <dc:contributor>YiLin.Li &lt;YiLin.Li@linux.alibaba.com&gt;</dc:contributor>
-        <dc:contributor>YuQing &lt;yyq0391@163.com&gt;</dc:contributor>
-        <dc:contributor>Kevin Zimmerman &lt;kevin.zimmerman@kitware.com&gt;</dc:contributor>
-        <dc:contributor>Luigi Mario Zuccarelli &lt;luzuccar@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Jan &#x10C;ern&#xFD; &lt;jcerny@redhat.com&gt;</dc:contributor>
-        <dc:contributor>Michal &#x160;ruba&#x159; &lt;msrubar@redhat.com&gt;</dc:contributor>
-        <dc:source>https://github.com/ComplianceAsCode/content/releases/latest</dc:source>
-      </xccdf-1.2:metadata>
-      <xccdf-1.2:Profile id="xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced">
-        <xccdf-1.2:title override="true">DRAFT - ANSSI-BP-028 (enhanced)</xccdf-1.2:title>
-        <xccdf-1.2:description override="true">This profile contains configurations that align to ANSSI-BP-028 at the enhanced hardening level.
-
-ANSSI is the French National Information Security Agency, and stands for Agence nationale de la s&#xE9;curit&#xE9; des syst&#xE8;mes d'information.
-ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
-
-A copy of the ANSSI-BP-028 can be found at the ANSSI website:
-https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/</xccdf-1.2:description>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_accounts_polyinstantiated_tmp" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_accounts_polyinstantiated_var_tmp" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_accounts_tmout" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_aide_build_database" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_chronyd_specify_remote_server" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_ensure_logrotate_activated" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_owner_etc_gshadow" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_owner_etc_shadow" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_etc_group" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_etc_gshadow" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_etc_passwd" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_world_writable" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_grub2_uefi_password" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_mount_option_boot_nosuid" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_mount_option_home_nosuid" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_mount_option_tmp_noexec" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_mount_option_var_log_noexec" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_mount_option_var_log_nosuid" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_mount_option_var_nosuid" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_mount_option_var_tmp_noexec" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nosuid" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_no_direct_root_logins" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_package_aide_installed" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_package_chrony_installed" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_package_rsyslog_installed" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_package_sendmail_removed" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_package_sudo_installed" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_partition_for_home" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_partition_for_srv" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_partition_for_tmp" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_partition_for_var" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_partition_for_var_log" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_partition_for_var_log_audit" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_partition_for_var_tmp" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_postfix_client_configure_mail_alias" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_prefer_64bit_os" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_rsyslog_files_ownership" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_rsyslog_files_permissions" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_selinux_policytype" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_service_rsyslog_enabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sshd_set_keepalive" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sudo_add_noexec" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sudo_add_requiretty" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sudo_add_use_pty" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sudoers_explicit_command_args" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sudoers_no_command_negation" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sudoers_no_root_target" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_fs_protected_hardlinks" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_fs_protected_symlinks" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_fs_suid_dumpable" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_event_paranoid" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_kernel_yama_ptrace_scope" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_secure_redirects" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_secure_redirects" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_syncookies" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_rpm_verification" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_fips" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_crypto" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_certified-vendor" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_endpoint_security_software" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_mcafee_security_software" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_mcafee_endpoint_security_software" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_mcafee_hbss_software" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_gnome" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_gnome_login_screen" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_gnome_media_settings" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_gnome_network_settings" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_gnome_remote_access_settings" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_gnome_screen_locking" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_gnome_system_settings" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_sap_host" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_system-tools" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_accounts-banners" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_gui_login_banner" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_accounts-pam" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_locking_out_password_attempts" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_password_quality" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_password_quality_pamcracklib" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_password_quality_pwquality" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_set_password_hashing_algorithm" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_accounts-physical" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_screen_locking" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_console_screen_locking" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_smart_card_login" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_account_expiration" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_password_storage" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_root_paths" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_audit_dac_actions" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_audit_execution_acl_commands" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_audit_execution_selinux_commands" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_audit_file_deletion_events" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_audit_file_modification" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_audit_kernel_module_loading" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_audit_login_events" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_audit_time_rules" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_configure_auditd_data_retention" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_policy_rules" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_apparmor" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_non-uefi" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_bootloader-zipl" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_entropy" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_kernel_build_config" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_gcc_plugin" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_configure_logwatch_on_logserver" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_journald" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network-firewalld" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_firewalld_activation" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_ruleset_modifications" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network-ipsec" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network-iptables" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_iptables_activation" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_iptables_ruleset_modifications" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_iptables_icmp_disabled" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_iptables_log_and_drop_suspicious" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_ipv6" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network_ipv6_limit_requests" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network-susefirewall2" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network-ufw" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network-uncommon" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network-wireless" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_wireless_software" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network_disable_unused_interfaces" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network_ssl" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_permissions_var_log_dir" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_permissions_within_important_dirs" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_mounting" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_permissions_local" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_daemon_umask" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_enable_nx" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_poisoning" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_selinux-booleans" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_apport" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_apt" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_avahi" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_avahi_configuration" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disable_avahi_group" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_base" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_cron_and_at" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_restrict_at_cron_users" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_deprecated" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dhcp" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dhcp_client_configuration" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dhcp_server_configuration" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_dhcp_client" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_dhcp_server" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dns" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_dns_server" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dns_server_isolation" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dns_server_chroot" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dns_server_dedicated" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dns_server_protection" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dns_server_partition_with_views" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dns_server_separate_internal_external" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_docker" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_fapolicyd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_ftp" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_vsftpd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_ftp_restrict_users" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_ftp_use_vsftpd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_http" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_httpd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_installing_httpd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_minimal_modules_installed" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_securing_httpd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_configure_os_protect_web_server" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_chroot" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_restrict_file_dir_access" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_configure_perl_securely" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_configure_php_securely" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_directory_restrictions" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_minimize_loadable_modules" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_core_modules" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_basic_authentication" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_minimize_config_files_included" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_optional_components" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_modules_improve_security" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_deploy_mod_security" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_deploy_mod_ssl" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_restrict_info_leakage" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_secure_content" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_use_dos_protection_modules" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_imap" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_configure_dovecot" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dovecot_allow_imap_access" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dovecot_enabling_ssl" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_dovecot" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_kerberos" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_ldap" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_openldap_client" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_openldap_server" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_ldap_server_config_certificate_files" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_harden_os" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_configure_ssl_certs" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_install_ssl_cert" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_server_cfg" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_server_dos" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_server_relay" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_server_mail_smtpd_recipient_restrictions" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_server_mail_smtpd_relay_restrictions" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_server_relay_require_tls" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_server_relay_set_trusted" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_server_relay_smtp_auth_for_untrusted" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_nfs_and_rpc" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_nfs" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_netfs" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_nfs_services" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_nfs_configuring_all_machines" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_nfs_client_or_server_not_both" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_nfs_configure_fixed_ports" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_nfs_configuring_clients" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_nfsd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_mounting_remote_filesystems" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_nfs_configuring_servers" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_configure_exports_restrictively" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_export_filesystems_read_only" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_use_acl_enforce_auth_restrictions" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_obsolete" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_inetd_and_xinetd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_nis" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_r_services" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_talk" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_telnet" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_tftp" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_printing" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_configure_printing" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_proxy" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_squid" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_radius" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_rng" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_routing" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_quagga" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_smb" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_configuring_samba" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_smb_disable_printing" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_smb_restrict_file_sharing" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_samba" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_snmp" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_snmp_service" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_snmp_configure_server" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_ssh_client" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_sshd_strengthen_firewall" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_sssd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_sssd-ldap" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_usbguard" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_xwindows" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_xwindows" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_general-principles" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-least-privilege" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-minimize-software" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-separate-servers" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-use-security-tools" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_how-to-use" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-formatting-conventions" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-read-sections-completely" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-reboot-required" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-root-shell-assumed" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-test-non-production" selected="false"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_unix_rounds" selector="65536"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs" selector="90"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_minlen" selector="18"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_ocredit" selector="1"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_dcredit" selector="1"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_ucredit" selector="1"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_lcredit" selector="1"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_fail_interval" selector="900"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny" selector="3"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time" selector="900"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_unix_remember" selector="2"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_authselect_profile" selector="sssd"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_sudo_umask" selector="0027"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_sudo_passwd_timeout" selector="1_minute"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_sudo_dedicated_group" selector="sudogrp"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_polyinstantiation_enabled" selector="on"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_all_accept_redirects_value" selector="disabled"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_default_accept_redirects_value" selector="disabled"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_selinux_policy_name" selector="targeted"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_user_umask" selector="077"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_tmout" selector="10_min"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_sshd_idle_timeout_value" selector="10_minutes"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_selinux_state" selector="enforcing"/>
-      </xccdf-1.2:Profile>
-      <xccdf-1.2:Profile id="xccdf_org.ssgproject.content_profile_anssi_bp28_high">
-        <xccdf-1.2:title override="true">DRAFT - ANSSI-BP-028 (high)</xccdf-1.2:title>
-        <xccdf-1.2:description override="true">This profile contains configurations that align to ANSSI-BP-028 at the high hardening level.
-
-ANSSI is the French National Information Security Agency, and stands for Agence nationale de la s&#xE9;curit&#xE9; des syst&#xE8;mes d'information.
-ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
-
-A copy of the ANSSI-BP-028 can be found at the ANSSI website:
-https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/</xccdf-1.2:description>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_accounts_polyinstantiated_tmp" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_accounts_polyinstantiated_var_tmp" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_accounts_tmout" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_aide_build_database" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_chronyd_specify_remote_server" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_ensure_logrotate_activated" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_owner_etc_gshadow" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_owner_etc_shadow" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_etc_group" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_etc_gshadow" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_etc_passwd" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_world_writable" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_grub2_enable_iommu_force" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_grub2_uefi_password" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_mount_option_boot_nosuid" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_mount_option_home_nosuid" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_mount_option_tmp_noexec" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_mount_option_var_log_noexec" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_mount_option_var_log_nosuid" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_mount_option_var_nosuid" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_mount_option_var_tmp_noexec" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nosuid" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_no_direct_root_logins" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_package_aide_installed" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_package_chrony_installed" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_package_rsyslog_installed" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_package_sendmail_removed" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_package_setroubleshoot-plugins_removed" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_package_setroubleshoot-server_removed" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_package_sudo_installed" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_partition_for_home" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_partition_for_srv" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_partition_for_tmp" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_partition_for_var" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_partition_for_var_log" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_partition_for_var_log_audit" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_partition_for_var_tmp" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_postfix_client_configure_mail_alias" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_prefer_64bit_os" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_rsyslog_files_ownership" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_rsyslog_files_permissions" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_selinux_policytype" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_selinux_state" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_service_rsyslog_enabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sshd_set_keepalive" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sudo_add_noexec" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sudo_add_requiretty" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sudo_add_use_pty" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sudoers_explicit_command_args" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sudoers_no_command_negation" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sudoers_no_root_target" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_fs_protected_hardlinks" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_fs_protected_symlinks" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_fs_suid_dumpable" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_event_paranoid" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_kernel_yama_ptrace_scope" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_secure_redirects" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_secure_redirects" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_syncookies" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_rpm_verification" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_fips" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_crypto" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_certified-vendor" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_endpoint_security_software" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_mcafee_security_software" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_mcafee_endpoint_security_software" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_mcafee_hbss_software" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_gnome" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_gnome_login_screen" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_gnome_media_settings" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_gnome_network_settings" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_gnome_remote_access_settings" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_gnome_screen_locking" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_gnome_system_settings" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_sap_host" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_system-tools" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_accounts-banners" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_gui_login_banner" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_accounts-pam" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_locking_out_password_attempts" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_password_quality" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_password_quality_pamcracklib" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_password_quality_pwquality" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_set_password_hashing_algorithm" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_accounts-physical" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_screen_locking" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_console_screen_locking" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_smart_card_login" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_account_expiration" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_password_storage" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_root_paths" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_audit_dac_actions" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_audit_execution_acl_commands" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_audit_execution_selinux_commands" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_audit_file_deletion_events" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_audit_file_modification" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_audit_kernel_module_loading" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_audit_login_events" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_audit_time_rules" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_configure_auditd_data_retention" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_policy_rules" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_apparmor" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_non-uefi" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_bootloader-zipl" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_entropy" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_kernel_build_config" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_gcc_plugin" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_configure_logwatch_on_logserver" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_journald" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network-firewalld" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_firewalld_activation" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_ruleset_modifications" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network-ipsec" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network-iptables" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_iptables_activation" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_iptables_ruleset_modifications" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_iptables_icmp_disabled" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_iptables_log_and_drop_suspicious" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_ipv6" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network_ipv6_limit_requests" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network-susefirewall2" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network-ufw" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network-uncommon" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network-wireless" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_wireless_software" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network_disable_unused_interfaces" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network_ssl" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_permissions_var_log_dir" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_permissions_within_important_dirs" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_mounting" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_permissions_local" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_daemon_umask" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_enable_nx" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_poisoning" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_selinux-booleans" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_apport" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_apt" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_avahi" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_avahi_configuration" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disable_avahi_group" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_base" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_cron_and_at" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_restrict_at_cron_users" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_deprecated" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dhcp" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dhcp_client_configuration" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dhcp_server_configuration" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_dhcp_client" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_dhcp_server" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dns" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_dns_server" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dns_server_isolation" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dns_server_chroot" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dns_server_dedicated" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dns_server_protection" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dns_server_partition_with_views" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dns_server_separate_internal_external" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_docker" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_fapolicyd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_ftp" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_vsftpd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_ftp_restrict_users" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_ftp_use_vsftpd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_http" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_httpd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_installing_httpd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_minimal_modules_installed" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_securing_httpd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_configure_os_protect_web_server" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_chroot" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_restrict_file_dir_access" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_configure_perl_securely" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_configure_php_securely" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_directory_restrictions" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_minimize_loadable_modules" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_core_modules" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_basic_authentication" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_minimize_config_files_included" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_optional_components" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_modules_improve_security" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_deploy_mod_security" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_deploy_mod_ssl" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_restrict_info_leakage" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_secure_content" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_use_dos_protection_modules" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_imap" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_configure_dovecot" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dovecot_allow_imap_access" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dovecot_enabling_ssl" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_dovecot" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_kerberos" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_ldap" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_openldap_client" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_openldap_server" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_ldap_server_config_certificate_files" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_harden_os" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_configure_ssl_certs" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_install_ssl_cert" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_server_cfg" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_server_dos" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_server_relay" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_server_mail_smtpd_recipient_restrictions" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_server_mail_smtpd_relay_restrictions" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_server_relay_require_tls" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_server_relay_set_trusted" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_server_relay_smtp_auth_for_untrusted" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_nfs_and_rpc" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_nfs" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_netfs" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_nfs_services" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_nfs_configuring_all_machines" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_nfs_client_or_server_not_both" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_nfs_configure_fixed_ports" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_nfs_configuring_clients" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_nfsd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_mounting_remote_filesystems" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_nfs_configuring_servers" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_configure_exports_restrictively" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_export_filesystems_read_only" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_use_acl_enforce_auth_restrictions" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_obsolete" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_inetd_and_xinetd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_nis" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_r_services" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_talk" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_telnet" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_tftp" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_printing" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_configure_printing" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_proxy" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_squid" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_radius" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_rng" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_routing" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_quagga" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_smb" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_configuring_samba" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_smb_disable_printing" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_smb_restrict_file_sharing" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_samba" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_snmp" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_snmp_service" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_snmp_configure_server" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_ssh_client" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_sshd_strengthen_firewall" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_sssd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_sssd-ldap" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_usbguard" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_xwindows" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_xwindows" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_general-principles" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-least-privilege" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-minimize-software" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-separate-servers" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-use-security-tools" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_how-to-use" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-formatting-conventions" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-read-sections-completely" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-reboot-required" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-root-shell-assumed" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-test-non-production" selected="false"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_unix_rounds" selector="65536"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs" selector="90"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_minlen" selector="18"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_ocredit" selector="1"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_dcredit" selector="1"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_ucredit" selector="1"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_lcredit" selector="1"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_fail_interval" selector="900"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny" selector="3"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time" selector="900"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_unix_remember" selector="2"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_authselect_profile" selector="sssd"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_sudo_umask" selector="0027"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_sudo_passwd_timeout" selector="1_minute"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_sudo_dedicated_group" selector="sudogrp"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_polyinstantiation_enabled" selector="on"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_all_accept_redirects_value" selector="disabled"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_default_accept_redirects_value" selector="disabled"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_user_umask" selector="077"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_tmout" selector="10_min"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_sshd_idle_timeout_value" selector="10_minutes"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_selinuxuser_execheap" selector="off"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_deny_execmem" selector="on"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_selinuxuser_execstack" selector="off"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_secure_mode_insmod" selector="on"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_selinux_policy_name" selector="targeted"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_selinux_state" selector="enforcing"/>
-      </xccdf-1.2:Profile>
-      <xccdf-1.2:Profile id="xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary">
-        <xccdf-1.2:title override="true">DRAFT - ANSSI-BP-028 (intermediary)</xccdf-1.2:title>
-        <xccdf-1.2:description override="true">This profile contains configurations that align to ANSSI-BP-028 at the intermediary hardening level.
-
-ANSSI is the French National Information Security Agency, and stands for Agence nationale de la s&#xE9;curit&#xE9; des syst&#xE8;mes d'information.
-ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
-
-A copy of the ANSSI-BP-028 can be found at the ANSSI website:
-https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/</xccdf-1.2:description>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_accounts_polyinstantiated_tmp" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_accounts_polyinstantiated_var_tmp" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_aide_build_database" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_chronyd_specify_remote_server" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_ensure_logrotate_activated" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_owner_etc_gshadow" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_owner_etc_shadow" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_etc_group" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_etc_gshadow" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_etc_passwd" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_world_writable" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_mount_option_boot_nosuid" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_mount_option_home_nosuid" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_mount_option_tmp_noexec" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_mount_option_var_log_noexec" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_mount_option_var_log_nosuid" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_mount_option_var_nosuid" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_mount_option_var_tmp_noexec" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nosuid" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_no_direct_root_logins" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_package_aide_installed" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_package_chrony_installed" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_package_rsyslog_installed" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_package_sendmail_removed" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_package_sudo_installed" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_partition_for_home" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_partition_for_srv" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_partition_for_tmp" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_partition_for_var" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_partition_for_var_log" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_partition_for_var_log_audit" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_partition_for_var_tmp" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_postfix_client_configure_mail_alias" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_prefer_64bit_os" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_rsyslog_files_ownership" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_rsyslog_files_permissions" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_selinux_state" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_service_rsyslog_enabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sudo_add_noexec" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sudo_add_requiretty" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sudo_add_use_pty" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sudoers_explicit_command_args" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sudoers_no_command_negation" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sudoers_no_root_target" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_fs_protected_hardlinks" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_fs_protected_symlinks" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_fs_suid_dumpable" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_event_paranoid" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_secure_redirects" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_secure_redirects" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_syncookies" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_rpm_verification" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_fips" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_crypto" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_certified-vendor" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_endpoint_security_software" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_mcafee_security_software" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_mcafee_endpoint_security_software" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_mcafee_hbss_software" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_gnome" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_gnome_login_screen" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_gnome_media_settings" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_gnome_network_settings" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_gnome_remote_access_settings" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_gnome_screen_locking" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_gnome_system_settings" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_sap_host" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_system-tools" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_accounts-banners" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_gui_login_banner" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_accounts-pam" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_locking_out_password_attempts" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_password_quality" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_password_quality_pamcracklib" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_password_quality_pwquality" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_set_password_hashing_algorithm" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_accounts-physical" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_screen_locking" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_console_screen_locking" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_smart_card_login" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_account_expiration" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_password_storage" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_root_paths" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_user_umask" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_audit_dac_actions" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_audit_execution_acl_commands" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_audit_execution_selinux_commands" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_audit_file_deletion_events" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_audit_file_modification" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_audit_kernel_module_loading" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_audit_login_events" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_audit_time_rules" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_configure_auditd_data_retention" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_policy_rules" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_apparmor" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_bootloader-grub2" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_non-uefi" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_uefi" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_bootloader-zipl" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_entropy" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_kernel_build_config" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_gcc_plugin" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_configure_logwatch_on_logserver" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_journald" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network-firewalld" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_firewalld_activation" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_ruleset_modifications" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network-ipsec" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network-iptables" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_iptables_activation" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_iptables_ruleset_modifications" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_iptables_icmp_disabled" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_iptables_log_and_drop_suspicious" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_ipv6" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network_ipv6_limit_requests" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network-susefirewall2" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network-ufw" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network-uncommon" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network-wireless" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_wireless_software" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network_disable_unused_interfaces" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network_ssl" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_permissions_var_log_dir" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_permissions_within_important_dirs" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_mounting" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_permissions_local" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_daemon_umask" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_enable_nx" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_poisoning" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_selinux-booleans" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_apport" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_apt" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_avahi" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_avahi_configuration" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disable_avahi_group" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_base" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_cron_and_at" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_restrict_at_cron_users" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_deprecated" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dhcp" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dhcp_client_configuration" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dhcp_server_configuration" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_dhcp_client" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_dhcp_server" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dns" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_dns_server" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dns_server_isolation" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dns_server_chroot" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dns_server_dedicated" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dns_server_protection" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dns_server_partition_with_views" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dns_server_separate_internal_external" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_docker" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_fapolicyd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_ftp" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_vsftpd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_ftp_restrict_users" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_ftp_use_vsftpd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_http" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_httpd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_installing_httpd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_minimal_modules_installed" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_securing_httpd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_configure_os_protect_web_server" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_chroot" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_restrict_file_dir_access" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_configure_perl_securely" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_configure_php_securely" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_directory_restrictions" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_minimize_loadable_modules" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_core_modules" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_basic_authentication" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_minimize_config_files_included" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_optional_components" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_modules_improve_security" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_deploy_mod_security" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_deploy_mod_ssl" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_restrict_info_leakage" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_secure_content" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_use_dos_protection_modules" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_imap" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_configure_dovecot" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dovecot_allow_imap_access" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dovecot_enabling_ssl" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_dovecot" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_kerberos" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_ldap" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_openldap_client" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_openldap_server" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_ldap_server_config_certificate_files" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_harden_os" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_configure_ssl_certs" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_install_ssl_cert" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_server_cfg" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_server_dos" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_server_relay" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_server_mail_smtpd_recipient_restrictions" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_server_mail_smtpd_relay_restrictions" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_server_relay_require_tls" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_server_relay_set_trusted" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_server_relay_smtp_auth_for_untrusted" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_nfs_and_rpc" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_nfs" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_netfs" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_nfs_services" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_nfs_configuring_all_machines" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_nfs_client_or_server_not_both" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_nfs_configure_fixed_ports" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_nfs_configuring_clients" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_nfsd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_mounting_remote_filesystems" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_nfs_configuring_servers" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_configure_exports_restrictively" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_export_filesystems_read_only" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_use_acl_enforce_auth_restrictions" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_obsolete" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_inetd_and_xinetd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_nis" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_r_services" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_talk" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_telnet" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_tftp" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_printing" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_configure_printing" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_proxy" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_squid" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_radius" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_rng" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_routing" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_quagga" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_smb" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_configuring_samba" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_smb_disable_printing" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_smb_restrict_file_sharing" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_samba" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_snmp" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_snmp_service" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_snmp_configure_server" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_ssh_client" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_sshd_strengthen_firewall" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_sssd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_sssd-ldap" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_usbguard" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_xwindows" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_xwindows" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_general-principles" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-least-privilege" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-minimize-software" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-separate-servers" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-use-security-tools" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_how-to-use" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-formatting-conventions" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-read-sections-completely" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-reboot-required" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-root-shell-assumed" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-test-non-production" selected="false"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_unix_rounds" selector="65536"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs" selector="90"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_minlen" selector="18"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_ocredit" selector="1"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_dcredit" selector="1"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_ucredit" selector="1"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_lcredit" selector="1"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_fail_interval" selector="900"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny" selector="3"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time" selector="900"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_unix_remember" selector="2"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_authselect_profile" selector="sssd"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_sudo_umask" selector="0027"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_sudo_passwd_timeout" selector="1_minute"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_sudo_dedicated_group" selector="sudogrp"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_polyinstantiation_enabled" selector="on"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_all_accept_redirects_value" selector="disabled"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_default_accept_redirects_value" selector="disabled"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_selinux_state" selector="enforcing"/>
-      </xccdf-1.2:Profile>
-      <xccdf-1.2:Profile id="xccdf_org.ssgproject.content_profile_anssi_bp28_minimal">
-        <xccdf-1.2:title override="true">DRAFT - ANSSI-BP-028 (minimal)</xccdf-1.2:title>
-        <xccdf-1.2:description override="true">This profile contains configurations that align to ANSSI-BP-028 at the minimal hardening level.
-
-ANSSI is the French National Information Security Agency, and stands for Agence nationale de la s&#xE9;curit&#xE9; des syst&#xE8;mes d'information.
-ANSSI-BP-028 is a configuration recommendation for GNU/Linux systems.
-
-A copy of the ANSSI-BP-028 can be found at the ANSSI website:
-https://www.ssi.gouv.fr/administration/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/</xccdf-1.2:description>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_package_rsyslog_installed" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_package_sendmail_removed" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_service_rsyslog_enabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_integrity" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_software-integrity" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_rpm_verification" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_aide" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_fips" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_crypto" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_certified-vendor" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_endpoint_security_software" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_mcafee_security_software" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_mcafee_endpoint_security_software" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_mcafee_hbss_software" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disk_partitioning" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_gnome" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_gnome_login_screen" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_gnome_media_settings" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_gnome_network_settings" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_gnome_remote_access_settings" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_gnome_screen_locking" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_gnome_system_settings" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_sap_host" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_system-tools" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_accounts-banners" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_gui_login_banner" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_accounts-pam" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_locking_out_password_attempts" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_password_quality" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_password_quality_pamcracklib" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_password_quality_pwquality" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_set_password_hashing_algorithm" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_accounts-physical" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_screen_locking" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_console_screen_locking" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_smart_card_login" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_account_expiration" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_password_storage" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_root_logins" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_accounts-session" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_root_paths" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_user_umask" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_auditing" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_auditd_configure_rules" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_audit_dac_actions" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_audit_execution_acl_commands" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_audit_execution_selinux_commands" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_audit_file_deletion_events" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_audit_file_modification" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_audit_kernel_module_loading" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_audit_login_events" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_audit_privileged_commands" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_audit_time_rules" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_configure_auditd_data_retention" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_policy_rules" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_apparmor" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_bootloader-grub2" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_non-uefi" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_uefi" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_bootloader-zipl" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_entropy" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_kernel_build_config" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_gcc_plugin" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_configure_logwatch_on_logserver" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_journald" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_log_rotation" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_rsyslog_sending_messages" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network-firewalld" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_firewalld_activation" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_ruleset_modifications" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network-ipsec" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network-iptables" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_iptables_activation" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_iptables_ruleset_modifications" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_iptables_icmp_disabled" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_iptables_log_and_drop_suspicious" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network-ipv6" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_ipv6" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_configuring_ipv6" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network_ipv6_limit_requests" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network-kernel" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network_host_parameters" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network-susefirewall2" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network-ufw" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network-uncommon" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network-wireless" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_wireless_software" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network_disable_unused_interfaces" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network_ssl" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_permissions" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_files" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_permissions_important_account_files" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_permissions_var_log_dir" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_permissions_within_important_dirs" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_mounting" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_partitions" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_permissions_local" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_restrictions" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_coredumps" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_daemon_umask" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_enable_execshield_settings" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_enable_nx" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_poisoning" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_selinux" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_selinux-booleans" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_apport" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_apt" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_avahi" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_avahi_configuration" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disable_avahi_group" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_base" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_cron_and_at" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_restrict_at_cron_users" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_deprecated" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dhcp" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dhcp_client_configuration" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dhcp_server_configuration" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_dhcp_client" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_dhcp_server" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dns" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_dns_server" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dns_server_isolation" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dns_server_chroot" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dns_server_dedicated" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dns_server_protection" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dns_server_partition_with_views" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dns_server_separate_internal_external" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_docker" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_fapolicyd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_ftp" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_vsftpd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_ftp_restrict_users" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_ftp_use_vsftpd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_http" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_httpd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_installing_httpd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_minimal_modules_installed" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_securing_httpd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_configure_os_protect_web_server" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_chroot" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_restrict_file_dir_access" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_configure_perl_securely" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_configure_php_securely" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_directory_restrictions" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_minimize_loadable_modules" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_core_modules" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_basic_authentication" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_minimize_config_files_included" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_optional_components" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_modules_improve_security" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_deploy_mod_security" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_deploy_mod_ssl" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_restrict_info_leakage" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_secure_content" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_use_dos_protection_modules" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_imap" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_configure_dovecot" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dovecot_allow_imap_access" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dovecot_enabling_ssl" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_dovecot" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_kerberos" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_ldap" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_openldap_client" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_openldap_server" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_ldap_server_config_certificate_files" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_client" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_harden_os" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_configure_ssl_certs" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_install_ssl_cert" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_server_cfg" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_server_dos" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_server_relay" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_server_mail_smtpd_recipient_restrictions" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_server_mail_smtpd_relay_restrictions" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_server_relay_require_tls" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_server_relay_set_trusted" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_server_relay_smtp_auth_for_untrusted" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_nfs_and_rpc" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_nfs" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_netfs" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_nfs_services" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_nfs_configuring_all_machines" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_nfs_client_or_server_not_both" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_nfs_configure_fixed_ports" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_nfs_configuring_clients" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_nfsd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_mounting_remote_filesystems" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_nfs_configuring_servers" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_configure_exports_restrictively" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_export_filesystems_read_only" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_use_acl_enforce_auth_restrictions" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_ntp" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_obsolete" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_inetd_and_xinetd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_nis" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_r_services" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_talk" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_telnet" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_tftp" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_printing" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_configure_printing" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_proxy" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_squid" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_radius" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_rng" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_routing" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_quagga" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_smb" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_configuring_samba" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_smb_disable_printing" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_smb_restrict_file_sharing" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_samba" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_snmp" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_snmp_service" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_snmp_configure_server" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_ssh" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_ssh_client" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_ssh_server" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_sshd_strengthen_firewall" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_sssd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_sssd-ldap" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_usbguard" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_xwindows" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_xwindows" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_general-principles" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-least-privilege" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-minimize-software" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-separate-servers" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-use-security-tools" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_how-to-use" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-formatting-conventions" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-read-sections-completely" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-reboot-required" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-root-shell-assumed" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-test-non-production" selected="false"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_unix_rounds" selector="65536"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs" selector="90"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_minlen" selector="18"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_ocredit" selector="1"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_dcredit" selector="1"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_ucredit" selector="1"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_lcredit" selector="1"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_fail_interval" selector="900"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny" selector="3"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time" selector="900"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_password_pam_unix_remember" selector="2"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_authselect_profile" selector="sssd"/>
-      </xccdf-1.2:Profile>
-      <xccdf-1.2:Profile id="xccdf_org.ssgproject.content_profile_e8">
-        <xccdf-1.2:title override="true">Australian Cyber Security Centre (ACSC) Essential Eight</xccdf-1.2:title>
-        <xccdf-1.2:description override="true">This profile contains configuration checks for Red Hat Enterprise Linux CoreOS
-that align to the Australian Cyber Security Centre (ACSC) Essential Eight.
-
-A copy of the Essential Eight in Linux Environments guide can be found at the
-ACSC website:
-
-https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers</xccdf-1.2:description>
-        <xccdf-1.2:reference>https://www.cyber.gov.au/acsc/view-all-content/publications/hardening-linux-workstations-and-servers</xccdf-1.2:reference>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_execution_restorecon" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_execution_semanage" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_execution_setfiles" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_execution_setsebool" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_execution_seunshare" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_finit" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_login_events" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_login_events_lastlog" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_login_events_tallylog" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_time_adjtimex" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_time_stime" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_auditd_data_retention_flush" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_auditd_freq" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_auditd_local_events" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_auditd_log_format" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_auditd_name_format" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_auditd_write_logs" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_configure_crypto_policy" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_no_empty_passwords" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_selinux_policytype" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_selinux_state" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_service_auditd_enabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sshd_disable_rhosts" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sshd_print_last_log" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sshd_set_loglevel_info" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_kernel_unprivileged_bpf_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_kernel_yama_ptrace_scope" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_core_bpf_jit_harden" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_software-integrity" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_rpm_verification" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_aide" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_fips" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_certified-vendor" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_endpoint_security_software" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_mcafee_security_software" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_mcafee_endpoint_security_software" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_mcafee_hbss_software" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disk_partitioning" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_gnome" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_gnome_login_screen" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_gnome_media_settings" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_gnome_network_settings" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_gnome_remote_access_settings" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_gnome_screen_locking" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_gnome_system_settings" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_sap_host" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_sudo" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_system-tools" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_updating" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_accounts-banners" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_gui_login_banner" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_accounts-pam" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_locking_out_password_attempts" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_password_quality" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_password_quality_pamcracklib" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_password_quality_pwquality" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_set_password_hashing_algorithm" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_accounts-physical" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_screen_locking" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_console_screen_locking" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_smart_card_login" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_account_expiration" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_password_expiration" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_accounts-session" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_root_paths" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_user_umask" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_audit_execution_acl_commands" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_audit_file_deletion_events" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_audit_file_modification" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_audit_privileged_commands" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_policy_rules" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_apparmor" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_bootloader-grub2" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_non-uefi" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_uefi" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_bootloader-zipl" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_entropy" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_kernel_build_config" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_gcc_plugin" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_logging" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_configure_logwatch_on_logserver" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_journald" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_log_rotation" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_rsyslog_sending_messages" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network-firewalld" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_firewalld_activation" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_ruleset_modifications" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network-ipsec" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network-iptables" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_iptables_activation" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_iptables_ruleset_modifications" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_iptables_icmp_disabled" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_iptables_log_and_drop_suspicious" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network-ipv6" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_ipv6" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_configuring_ipv6" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network_ipv6_limit_requests" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network-kernel" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network_host_and_router_parameters" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network_host_parameters" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network-susefirewall2" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network-ufw" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network-uncommon" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network-wireless" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_wireless_software" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network_disable_unused_interfaces" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network_ssl" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_files" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_permissions_important_account_files" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_permissions_var_log_dir" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_permissions_within_important_dirs" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_mounting" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_partitions" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_permissions_local" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_coredumps" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_daemon_umask" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_enable_nx" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_poisoning" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_selinux-booleans" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_apport" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_apt" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_avahi" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_avahi_configuration" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disable_avahi_group" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_base" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_cron_and_at" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_restrict_at_cron_users" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_deprecated" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dhcp" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dhcp_client_configuration" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dhcp_server_configuration" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_dhcp_client" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_dhcp_server" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dns" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_dns_server" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dns_server_isolation" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dns_server_chroot" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dns_server_dedicated" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dns_server_protection" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dns_server_partition_with_views" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dns_server_separate_internal_external" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_docker" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_fapolicyd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_ftp" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_vsftpd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_ftp_restrict_users" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_ftp_use_vsftpd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_http" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_httpd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_installing_httpd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_minimal_modules_installed" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_securing_httpd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_configure_os_protect_web_server" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_chroot" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_restrict_file_dir_access" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_configure_perl_securely" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_configure_php_securely" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_directory_restrictions" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_minimize_loadable_modules" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_core_modules" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_basic_authentication" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_minimize_config_files_included" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_optional_components" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_modules_improve_security" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_deploy_mod_security" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_deploy_mod_ssl" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_restrict_info_leakage" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_secure_content" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_use_dos_protection_modules" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_imap" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_configure_dovecot" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dovecot_allow_imap_access" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dovecot_enabling_ssl" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_dovecot" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_kerberos" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_ldap" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_openldap_client" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_openldap_server" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_ldap_server_config_certificate_files" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_mail" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_client" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_harden_os" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_configure_ssl_certs" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_install_ssl_cert" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_server_cfg" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_server_dos" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_server_relay" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_server_mail_smtpd_recipient_restrictions" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_server_mail_smtpd_relay_restrictions" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_server_relay_require_tls" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_server_relay_set_trusted" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_server_relay_smtp_auth_for_untrusted" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_nfs_and_rpc" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_nfs" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_netfs" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_nfs_services" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_nfs_configuring_all_machines" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_nfs_client_or_server_not_both" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_nfs_configure_fixed_ports" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_nfs_configuring_clients" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_nfsd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_mounting_remote_filesystems" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_nfs_configuring_servers" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_configure_exports_restrictively" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_export_filesystems_read_only" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_use_acl_enforce_auth_restrictions" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_ntp" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_obsolete" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_inetd_and_xinetd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_nis" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_r_services" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_talk" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_telnet" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_tftp" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_printing" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_configure_printing" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_proxy" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_squid" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_radius" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_rng" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_routing" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_quagga" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_smb" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_configuring_samba" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_smb_disable_printing" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_smb_restrict_file_sharing" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_samba" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_snmp" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_snmp_service" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_snmp_configure_server" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_ssh_client" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_sshd_strengthen_firewall" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_sssd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_sssd-ldap" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_usbguard" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_xwindows" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_xwindows" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_general-principles" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-least-privilege" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-minimize-software" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-separate-servers" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-use-security-tools" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_how-to-use" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-formatting-conventions" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-read-sections-completely" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-reboot-required" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-root-shell-assumed" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-test-non-production" selected="false"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_selinux_state" selector="enforcing"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_selinux_policy_name" selector="targeted"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_auditd_flush" selector="incremental_async"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_system_crypto_policy" selector="default_nosha1"/>
-      </xccdf-1.2:Profile>
-      <xccdf-1.2:Profile id="xccdf_org.ssgproject.content_profile_high">
-        <xccdf-1.2:title override="true">NIST 800-53 High-Impact Baseline for Red Hat Enterprise Linux CoreOS</xccdf-1.2:title>
-        <xccdf-1.2:description override="true">This compliance profile reflects the core set of High-Impact Baseline
-configuration settings for deployment of Red Hat Enterprise
-Linux CoreOS into U.S. Defense, Intelligence, and Civilian agencies.
-Development partners and sponsors include the U.S. National Institute
-of Standards and Technology (NIST), U.S. Department of Defense,
-the National Security Agency, and Red Hat.
-
-This baseline implements configuration requirements from the following
-sources:
-
-- NIST 800-53 control selections for High-Impact systems (NIST 800-53)
-
-For any differing configuration requirements, e.g. password lengths, the stricter
-security setting was chosen. Security Requirement Traceability Guides (RTMs) and
-sample System Security Configuration Guides are provided via the
-scap-security-guide-docs package.
-
-This profile reflects U.S. Government consensus content and is developed through
-the ComplianceAsCode initiative, championed by the National
-Security Agency. Except for differences in formatting to accommodate
-publishing processes, this profile mirrors ComplianceAsCode
-content as minor divergences, such as bugfixes, work through the
-consensus and release processes.</xccdf-1.2:description>
-        <xccdf-1.2:reference>https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/controls?version=5.1&amp;security_baseline=High</xccdf-1.2:reference>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open_by_handle_at" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_etc_group_openat" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open_by_handle_at" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_openat" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open_by_handle_at" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_openat" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open_by_handle_at" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_openat" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_execution_restorecon" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_execution_semanage" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_execution_setfiles" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_execution_setsebool" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_execution_seunshare" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlink" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_immutable" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_finit" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_login_events_lastlog" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_login_events_tallylog" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_mac_modification" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_media_export" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_at" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chage" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chsh" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_crontab" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_gpasswd" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_mount" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgidmap" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgrp" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newuidmap" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pam_timestamp_check" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_passwd" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postdrop" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postqueue" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pt_chown" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_keysign" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_su" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudoedit" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_umount" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_chkpwd" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_userhelper" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_usernetctl" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_session_events" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_time_adjtimex" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_time_stime" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_chmod" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_chown" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_creat" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fchmod" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fchmodat" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fchown" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fchownat" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fremovexattr" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fsetxattr" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_ftruncate" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_lchown" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_lremovexattr" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_lsetxattr" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_o_creat" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_o_trunc_write" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_rule_order" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat_o_creat" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat_o_trunc_write" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat_rule_order" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_removexattr" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_rename" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_renameat" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_setxattr" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_truncate" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_unlink" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_unlinkat" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_auditd_data_disk_error_action" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_auditd_data_disk_full_action" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_auditd_data_retention_admin_space_left_action" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_auditd_data_retention_flush" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_auditd_data_retention_num_logs" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_auditd_freq" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_auditd_local_events" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_auditd_log_format" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_auditd_name_format" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_auditd_write_logs" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_banner_etc_issue" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_bios_disable_usb_boot" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_chronyd_client_only" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_chronyd_no_chronyc_network" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_set_maxpoll" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_multiple_servers" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_remote_server" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_configure_crypto_policy" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_configure_usbguard_auditbackend" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_coredump_disable_backtraces" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_coredump_disable_storage" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_coreos_audit_backlog_limit_kernel_argument" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_coreos_audit_option" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_coreos_disable_interactive_boot" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_coreos_enable_selinux_kernel_argument" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_coreos_nousb_kernel_argument" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_coreos_page_poison_kernel_argument" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_coreos_pti_kernel_argument" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_coreos_vsyscall_kernel_argument" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_directory_access_var_log_audit" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_directory_permissions_var_log_audit" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_disable_users_coredumps" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_enable_fips_mode" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_ensure_logrotate_activated" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_groupowner_sshd_config" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_owner_sshd_config" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_ownership_var_log_audit" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_sshd_config" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_var_log_audit" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kernel_module_atm_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kernel_module_bluetooth_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kernel_module_can_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kernel_module_cfg80211_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kernel_module_cramfs_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kernel_module_firewire-core_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kernel_module_freevxfs_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kernel_module_hfs_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kernel_module_hfsplus_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kernel_module_iwlmvm_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kernel_module_iwlwifi_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kernel_module_jffs2_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kernel_module_mac80211_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kernel_module_squashfs_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kernel_module_tipc_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kernel_module_udf_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_no_direct_root_logins" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_no_empty_passwords" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_no_netrc_files" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_no_tmux_in_shells" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_package_audit_installed" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_package_iptables_installed" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_package_sudo_installed" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_package_usbguard_installed" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_partition_for_var_log" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_partition_for_var_log_audit" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_require_singleuser_auth" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_selinux_confinement_of_daemons" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_selinux_policytype" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_selinux_state" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_service_auditd_enabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_service_autofs_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_service_bluetooth_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_service_debug-shell_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_service_sshd_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_service_systemd-coredump_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_service_usbguard_enabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sshd_disable_rhosts" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sshd_limit_user_access" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sshd_set_keepalive_0" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_fs_protected_hardlinks" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_fs_protected_symlinks" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_kernel_core_pattern" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_kernel_kexec_load_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_event_paranoid" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_kernel_unprivileged_bpf_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_kernel_yama_ptrace_scope" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_core_bpf_jit_harden" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_secure_redirects" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_log_martians" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_secure_redirects" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_syncookies" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_usbguard_allow_hid_and_hub" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_wireless_disable_in_bios" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_wireless_disable_interfaces" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_software-integrity" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_rpm_verification" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_aide" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_certified-vendor" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_endpoint_security_software" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_mcafee_security_software" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_mcafee_endpoint_security_software" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_mcafee_hbss_software" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_gnome" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_gnome_login_screen" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_gnome_media_settings" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_gnome_network_settings" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_gnome_remote_access_settings" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_gnome_screen_locking" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_gnome_system_settings" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_sap_host" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_system-tools" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_updating" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_gui_login_banner" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_accounts-pam" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_locking_out_password_attempts" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_password_quality" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_password_quality_pamcracklib" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_password_quality_pwquality" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_set_password_hashing_algorithm" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_smart_card_login" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_account_expiration" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_password_expiration" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_accounts-session" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_root_paths" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_user_umask" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_audit_execution_acl_commands" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_policy_rules" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_apparmor" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_non-uefi" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_uefi" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_bootloader-zipl" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_entropy" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_kernel_build_config" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_gcc_plugin" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_configure_logwatch_on_logserver" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_journald" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_rsyslog_sending_messages" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network-firewalld" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_firewalld_activation" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_ruleset_modifications" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network-ipsec" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_iptables_activation" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_iptables_ruleset_modifications" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_iptables_icmp_disabled" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_iptables_log_and_drop_suspicious" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_ipv6" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network_ipv6_limit_requests" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network-susefirewall2" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network-ufw" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network_disable_unused_interfaces" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network_ssl" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_permissions_important_account_files" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_permissions_var_log_dir" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_permissions_within_important_dirs" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_partitions" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_permissions_local" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_daemon_umask" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_enable_nx" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_selinux-booleans" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_apport" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_apt" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_avahi" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_avahi_configuration" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disable_avahi_group" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_base" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_cron_and_at" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_restrict_at_cron_users" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_deprecated" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dhcp" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dhcp_client_configuration" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dhcp_server_configuration" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_dhcp_client" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_dhcp_server" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dns" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_dns_server" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dns_server_isolation" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dns_server_chroot" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dns_server_dedicated" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dns_server_protection" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dns_server_partition_with_views" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dns_server_separate_internal_external" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_docker" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_fapolicyd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_ftp" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_vsftpd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_ftp_restrict_users" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_ftp_use_vsftpd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_http" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_httpd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_installing_httpd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_minimal_modules_installed" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_securing_httpd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_configure_os_protect_web_server" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_chroot" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_restrict_file_dir_access" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_configure_perl_securely" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_configure_php_securely" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_directory_restrictions" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_minimize_loadable_modules" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_core_modules" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_basic_authentication" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_minimize_config_files_included" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_optional_components" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_modules_improve_security" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_deploy_mod_security" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_deploy_mod_ssl" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_restrict_info_leakage" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_secure_content" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_use_dos_protection_modules" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_imap" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_configure_dovecot" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dovecot_allow_imap_access" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dovecot_enabling_ssl" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_dovecot" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_kerberos" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_ldap" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_openldap_client" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_openldap_server" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_ldap_server_config_certificate_files" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_mail" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_client" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_harden_os" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_configure_ssl_certs" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_install_ssl_cert" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_server_cfg" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_server_dos" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_server_relay" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_server_mail_smtpd_recipient_restrictions" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_server_mail_smtpd_relay_restrictions" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_server_relay_require_tls" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_server_relay_set_trusted" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_server_relay_smtp_auth_for_untrusted" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_nfs_and_rpc" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_nfs" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_netfs" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_nfs_services" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_nfs_configuring_all_machines" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_nfs_client_or_server_not_both" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_nfs_configure_fixed_ports" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_nfs_configuring_clients" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_nfsd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_mounting_remote_filesystems" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_nfs_configuring_servers" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_configure_exports_restrictively" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_export_filesystems_read_only" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_use_acl_enforce_auth_restrictions" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_obsolete" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_inetd_and_xinetd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_nis" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_r_services" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_talk" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_telnet" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_tftp" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_printing" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_configure_printing" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_proxy" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_squid" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_radius" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_rng" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_routing" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_quagga" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_smb" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_configuring_samba" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_smb_disable_printing" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_smb_restrict_file_sharing" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_samba" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_snmp" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_snmp_service" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_snmp_configure_server" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_ssh_client" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_sshd_strengthen_firewall" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_sssd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_sssd-ldap" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_xwindows" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_xwindows" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_general-principles" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-least-privilege" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-minimize-software" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-separate-servers" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-use-security-tools" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_how-to-use" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-formatting-conventions" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-read-sections-completely" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-reboot-required" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-root-shell-assumed" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-test-non-production" selected="false"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_auditd_flush" selector="incremental_async"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_auditd_space_left_action" selector="syslog"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_auditd_disk_error_action" selector="syslog"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_auditd_admin_space_left_action" selector="syslog"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_auditd_max_log_file_action" selector="rotate"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_auditd_disk_full_action" selector="syslog"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_system_crypto_policy" selector="fips"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_login_banner_text" selector="dod_banners"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_selinux_policy_name" selector="targeted"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_selinux_state" selector="enforcing"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_sshd_set_keepalive" selector="0"/>
-        <xccdf-1.2:refine-rule idref="xccdf_org.ssgproject.content_rule_coreos_vsyscall_kernel_argument" role="unscored" severity="info"/>
-      </xccdf-1.2:Profile>
-      <xccdf-1.2:Profile id="xccdf_org.ssgproject.content_profile_moderate">
-        <xccdf-1.2:title override="true">NIST 800-53 Moderate-Impact Baseline for Red Hat Enterprise Linux CoreOS</xccdf-1.2:title>
-        <xccdf-1.2:description override="true">This compliance profile reflects the core set of Moderate-Impact Baseline
-configuration settings for deployment of Red Hat Enterprise
-Linux CoreOS into U.S. Defense, Intelligence, and Civilian agencies.
-Development partners and sponsors include the U.S. National Institute
-of Standards and Technology (NIST), U.S. Department of Defense,
-the National Security Agency, and Red Hat.
-
-This baseline implements configuration requirements from the following
-sources:
-
-- NIST 800-53 control selections for Moderate-Impact systems (NIST 800-53)
-
-For any differing configuration requirements, e.g. password lengths, the stricter
-security setting was chosen. Security Requirement Traceability Guides (RTMs) and
-sample System Security Configuration Guides are provided via the
-scap-security-guide-docs package.
-
-This profile reflects U.S. Government consensus content and is developed through
-the ComplianceAsCode initiative, championed by the National
-Security Agency. Except for differences in formatting to accommodate
-publishing processes, this profile mirrors ComplianceAsCode
-content as minor divergences, such as bugfixes, work through the
-consensus and release processes.</xccdf-1.2:description>
-        <xccdf-1.2:reference>https://nvd.nist.gov/800-53/Rev4/impact/moderate</xccdf-1.2:reference>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open_by_handle_at" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_etc_group_openat" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open_by_handle_at" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_openat" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open_by_handle_at" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_openat" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open_by_handle_at" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_openat" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_execution_restorecon" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_execution_semanage" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_execution_setfiles" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_execution_setsebool" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_execution_seunshare" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlink" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_immutable" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_finit" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_login_events_lastlog" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_login_events_tallylog" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_mac_modification" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_media_export" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_at" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chage" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chsh" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_crontab" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_gpasswd" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_mount" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgidmap" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgrp" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newuidmap" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pam_timestamp_check" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_passwd" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postdrop" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postqueue" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pt_chown" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_keysign" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_su" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudoedit" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_umount" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_chkpwd" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_userhelper" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_usernetctl" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_session_events" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_time_adjtimex" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_time_stime" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_chmod" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_chown" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_creat" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fchmod" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fchmodat" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fchown" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fchownat" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fremovexattr" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fsetxattr" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_ftruncate" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_lchown" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_lremovexattr" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_lsetxattr" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_o_creat" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_o_trunc_write" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_rule_order" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat_o_creat" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat_o_trunc_write" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat_rule_order" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_removexattr" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_rename" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_renameat" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_setxattr" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_truncate" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_unlink" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_unlinkat" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_auditd_data_disk_error_action" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_auditd_data_disk_full_action" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_auditd_data_retention_admin_space_left_action" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_auditd_data_retention_flush" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_auditd_data_retention_num_logs" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_auditd_freq" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_auditd_local_events" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_auditd_log_format" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_auditd_name_format" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_auditd_write_logs" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_banner_etc_issue" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_bios_disable_usb_boot" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_chronyd_client_only" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_chronyd_no_chronyc_network" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_set_maxpoll" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_multiple_servers" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_remote_server" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_configure_crypto_policy" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_configure_usbguard_auditbackend" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_coredump_disable_backtraces" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_coredump_disable_storage" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_coreos_audit_backlog_limit_kernel_argument" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_coreos_audit_option" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_coreos_disable_interactive_boot" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_coreos_enable_selinux_kernel_argument" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_coreos_nousb_kernel_argument" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_coreos_page_poison_kernel_argument" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_coreos_pti_kernel_argument" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_coreos_vsyscall_kernel_argument" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_directory_access_var_log_audit" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_directory_permissions_var_log_audit" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_disable_users_coredumps" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_enable_fips_mode" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_ensure_logrotate_activated" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_groupowner_sshd_config" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_owner_sshd_config" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_ownership_var_log_audit" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_sshd_config" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_var_log_audit" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kernel_module_atm_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kernel_module_bluetooth_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kernel_module_can_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kernel_module_cfg80211_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kernel_module_cramfs_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kernel_module_firewire-core_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kernel_module_freevxfs_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kernel_module_hfs_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kernel_module_hfsplus_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kernel_module_iwlmvm_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kernel_module_iwlwifi_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kernel_module_jffs2_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kernel_module_mac80211_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kernel_module_squashfs_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kernel_module_tipc_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kernel_module_udf_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_no_direct_root_logins" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_no_empty_passwords" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_no_netrc_files" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_no_tmux_in_shells" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_package_audit_installed" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_package_iptables_installed" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_package_sudo_installed" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_package_usbguard_installed" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_partition_for_var_log" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_partition_for_var_log_audit" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_require_singleuser_auth" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_selinux_confinement_of_daemons" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_selinux_policytype" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_selinux_state" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_service_auditd_enabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_service_autofs_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_service_bluetooth_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_service_debug-shell_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_service_systemd-coredump_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_service_usbguard_enabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sshd_disable_rhosts" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sshd_limit_user_access" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sshd_set_keepalive_0" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_fs_protected_hardlinks" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_fs_protected_symlinks" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_kernel_core_pattern" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_kernel_kexec_load_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_event_paranoid" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_kernel_unprivileged_bpf_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_kernel_yama_ptrace_scope" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_core_bpf_jit_harden" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_secure_redirects" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_log_martians" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_secure_redirects" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_syncookies" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_usbguard_allow_hid_and_hub" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_wireless_disable_in_bios" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_wireless_disable_interfaces" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_software-integrity" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_rpm_verification" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_aide" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_certified-vendor" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_endpoint_security_software" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_mcafee_security_software" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_mcafee_endpoint_security_software" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_mcafee_hbss_software" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_gnome" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_gnome_login_screen" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_gnome_media_settings" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_gnome_network_settings" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_gnome_remote_access_settings" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_gnome_screen_locking" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_gnome_system_settings" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_sap_host" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_system-tools" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_updating" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_gui_login_banner" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_accounts-pam" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_locking_out_password_attempts" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_password_quality" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_password_quality_pamcracklib" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_password_quality_pwquality" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_set_password_hashing_algorithm" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_smart_card_login" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_account_expiration" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_password_expiration" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_accounts-session" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_root_paths" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_user_umask" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_audit_execution_acl_commands" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_policy_rules" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_apparmor" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_non-uefi" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_uefi" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_bootloader-zipl" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_entropy" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_kernel_build_config" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_gcc_plugin" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_configure_logwatch_on_logserver" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_journald" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_rsyslog_sending_messages" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network-firewalld" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_firewalld_activation" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_ruleset_modifications" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network-ipsec" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_iptables_activation" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_iptables_ruleset_modifications" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_iptables_icmp_disabled" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_iptables_log_and_drop_suspicious" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_ipv6" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network_ipv6_limit_requests" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network-susefirewall2" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network-ufw" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network_disable_unused_interfaces" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network_ssl" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_permissions_important_account_files" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_permissions_var_log_dir" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_permissions_within_important_dirs" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_partitions" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_permissions_local" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_daemon_umask" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_enable_nx" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_selinux-booleans" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_apport" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_apt" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_avahi" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_avahi_configuration" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disable_avahi_group" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_base" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_cron_and_at" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_restrict_at_cron_users" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_deprecated" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dhcp" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dhcp_client_configuration" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dhcp_server_configuration" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_dhcp_client" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_dhcp_server" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dns" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_dns_server" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dns_server_isolation" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dns_server_chroot" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dns_server_dedicated" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dns_server_protection" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dns_server_partition_with_views" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dns_server_separate_internal_external" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_docker" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_fapolicyd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_ftp" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_vsftpd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_ftp_restrict_users" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_ftp_use_vsftpd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_http" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_httpd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_installing_httpd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_minimal_modules_installed" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_securing_httpd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_configure_os_protect_web_server" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_chroot" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_restrict_file_dir_access" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_configure_perl_securely" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_configure_php_securely" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_directory_restrictions" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_minimize_loadable_modules" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_core_modules" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_basic_authentication" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_minimize_config_files_included" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_optional_components" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_modules_improve_security" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_deploy_mod_security" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_deploy_mod_ssl" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_restrict_info_leakage" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_secure_content" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_use_dos_protection_modules" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_imap" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_configure_dovecot" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dovecot_allow_imap_access" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dovecot_enabling_ssl" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_dovecot" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_kerberos" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_ldap" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_openldap_client" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_openldap_server" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_ldap_server_config_certificate_files" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_mail" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_client" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_harden_os" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_configure_ssl_certs" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_install_ssl_cert" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_server_cfg" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_server_dos" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_server_relay" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_server_mail_smtpd_recipient_restrictions" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_server_mail_smtpd_relay_restrictions" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_server_relay_require_tls" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_server_relay_set_trusted" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_server_relay_smtp_auth_for_untrusted" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_nfs_and_rpc" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_nfs" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_netfs" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_nfs_services" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_nfs_configuring_all_machines" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_nfs_client_or_server_not_both" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_nfs_configure_fixed_ports" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_nfs_configuring_clients" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_nfsd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_mounting_remote_filesystems" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_nfs_configuring_servers" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_configure_exports_restrictively" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_export_filesystems_read_only" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_use_acl_enforce_auth_restrictions" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_obsolete" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_inetd_and_xinetd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_nis" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_r_services" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_talk" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_telnet" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_tftp" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_printing" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_configure_printing" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_proxy" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_squid" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_radius" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_rng" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_routing" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_quagga" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_smb" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_configuring_samba" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_smb_disable_printing" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_smb_restrict_file_sharing" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_samba" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_snmp" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_snmp_service" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_snmp_configure_server" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_ssh_client" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_sshd_strengthen_firewall" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_sssd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_sssd-ldap" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_xwindows" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_xwindows" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_general-principles" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-least-privilege" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-minimize-software" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-separate-servers" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-use-security-tools" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_how-to-use" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-formatting-conventions" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-read-sections-completely" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-reboot-required" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-root-shell-assumed" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-test-non-production" selected="false"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_auditd_flush" selector="incremental_async"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_auditd_space_left_action" selector="syslog"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_auditd_disk_error_action" selector="syslog"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_auditd_admin_space_left_action" selector="syslog"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_auditd_max_log_file_action" selector="rotate"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_auditd_disk_full_action" selector="syslog"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_system_crypto_policy" selector="fips"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_login_banner_text" selector="dod_banners"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_selinux_policy_name" selector="targeted"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_selinux_state" selector="enforcing"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_sshd_set_keepalive" selector="0"/>
-        <xccdf-1.2:refine-rule idref="xccdf_org.ssgproject.content_rule_coreos_vsyscall_kernel_argument" role="unscored" severity="info"/>
-      </xccdf-1.2:Profile>
-      <xccdf-1.2:Profile id="xccdf_org.ssgproject.content_profile_nerc-cip">
-        <xccdf-1.2:title override="true">North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) cybersecurity standards profile for Red Hat Enterprise Linux CoreOS</xccdf-1.2:title>
-        <xccdf-1.2:description override="true">This compliance profile reflects a set of security recommendations for
-the usage of Red Hat Enterprise Linux CoreOS in critical
-infrastructure in the energy sector. This follows the recommendations
-coming from the following CIP standards:
-
-- CIP-002-5
-- CIP-003-8
-- CIP-004-6
-- CIP-005-6
-- CIP-007-3
-- CIP-007-6
-- CIP-009-6</xccdf-1.2:description>
-        <xccdf-1.2:reference>https://www.nerc.com/pa/Stand/AlignRep/One%20Stop%20Shop.xlsx</xccdf-1.2:reference>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open_by_handle_at" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_etc_group_openat" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open_by_handle_at" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_openat" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open_by_handle_at" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_openat" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open_by_handle_at" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_openat" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_execution_restorecon" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_execution_semanage" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_execution_setfiles" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_execution_setsebool" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_execution_seunshare" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlink" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_immutable" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_finit" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_login_events_lastlog" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_login_events_tallylog" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_mac_modification" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_media_export" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_at" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chage" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chsh" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_crontab" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_gpasswd" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_mount" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgidmap" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgrp" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newuidmap" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pam_timestamp_check" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_passwd" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postdrop" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postqueue" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pt_chown" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_keysign" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_su" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudoedit" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_umount" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_chkpwd" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_userhelper" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_usernetctl" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_session_events" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_time_adjtimex" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_time_stime" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_chmod" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_chown" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_creat" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fchmod" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fchmodat" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fchown" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fchownat" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fremovexattr" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fsetxattr" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_ftruncate" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_lchown" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_lremovexattr" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_lsetxattr" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_o_creat" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_o_trunc_write" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_rule_order" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat_o_creat" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat_o_trunc_write" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat_rule_order" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_removexattr" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_rename" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_renameat" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_setxattr" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_truncate" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_unlink" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_unlinkat" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_auditd_data_disk_error_action" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_auditd_data_disk_full_action" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_auditd_data_retention_admin_space_left_action" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_auditd_data_retention_flush" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_auditd_data_retention_num_logs" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_auditd_freq" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_auditd_local_events" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_auditd_log_format" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_auditd_name_format" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_auditd_write_logs" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_banner_etc_issue" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_bios_disable_usb_boot" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_chronyd_client_only" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_chronyd_no_chronyc_network" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_set_maxpoll" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_multiple_servers" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_remote_server" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_configure_crypto_policy" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_configure_usbguard_auditbackend" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_coredump_disable_backtraces" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_coredump_disable_storage" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_coreos_audit_backlog_limit_kernel_argument" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_coreos_audit_option" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_coreos_disable_interactive_boot" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_coreos_enable_selinux_kernel_argument" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_coreos_nousb_kernel_argument" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_coreos_page_poison_kernel_argument" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_coreos_pti_kernel_argument" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_coreos_vsyscall_kernel_argument" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_directory_access_var_log_audit" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_directory_permissions_var_log_audit" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_disable_users_coredumps" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_enable_fips_mode" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_ensure_logrotate_activated" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_groupowner_sshd_config" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_owner_sshd_config" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_ownership_var_log_audit" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_sshd_config" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_file_permissions_var_log_audit" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kernel_module_atm_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kernel_module_bluetooth_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kernel_module_can_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kernel_module_cfg80211_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kernel_module_cramfs_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kernel_module_firewire-core_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kernel_module_freevxfs_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kernel_module_hfs_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kernel_module_hfsplus_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kernel_module_iwlmvm_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kernel_module_iwlwifi_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kernel_module_jffs2_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kernel_module_mac80211_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kernel_module_squashfs_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kernel_module_tipc_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kernel_module_udf_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_no_direct_root_logins" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_no_empty_passwords" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_no_netrc_files" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_no_tmux_in_shells" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_package_audit_installed" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_package_iptables_installed" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_package_sudo_installed" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_package_usbguard_installed" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_partition_for_var_log" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_partition_for_var_log_audit" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_require_singleuser_auth" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_selinux_confinement_of_daemons" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_selinux_policytype" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_selinux_state" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_service_auditd_enabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_service_autofs_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_service_bluetooth_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_service_debug-shell_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_service_systemd-coredump_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_service_usbguard_enabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sshd_disable_rhosts" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sshd_limit_user_access" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sshd_set_keepalive_0" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_fs_protected_hardlinks" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_fs_protected_symlinks" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_kernel_core_pattern" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_kernel_kexec_load_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_event_paranoid" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_kernel_unprivileged_bpf_disabled" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_kernel_yama_ptrace_scope" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_core_bpf_jit_harden" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_secure_redirects" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_log_martians" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_secure_redirects" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_syncookies" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_usbguard_allow_hid_and_hub" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_wireless_disable_in_bios" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_rule_wireless_disable_interfaces" selected="true"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_software-integrity" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_rpm_verification" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_aide" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_certified-vendor" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_endpoint_security_software" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_mcafee_security_software" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_mcafee_endpoint_security_software" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_mcafee_hbss_software" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_gnome" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_gnome_login_screen" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_gnome_media_settings" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_gnome_network_settings" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_gnome_remote_access_settings" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_gnome_screen_locking" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_gnome_system_settings" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_sap_host" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_system-tools" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_updating" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_gui_login_banner" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_accounts-pam" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_locking_out_password_attempts" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_password_quality" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_password_quality_pamcracklib" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_password_quality_pwquality" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_set_password_hashing_algorithm" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_smart_card_login" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_account_expiration" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_password_expiration" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_accounts-session" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_root_paths" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_user_umask" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_audit_execution_acl_commands" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_policy_rules" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_apparmor" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_non-uefi" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_uefi" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_bootloader-zipl" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_entropy" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_kernel_build_config" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_gcc_plugin" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_configure_logwatch_on_logserver" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_journald" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_rsyslog_sending_messages" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network-firewalld" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_firewalld_activation" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_ruleset_modifications" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network-ipsec" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_iptables_activation" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_iptables_ruleset_modifications" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_iptables_icmp_disabled" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_iptables_log_and_drop_suspicious" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_ipv6" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network_ipv6_limit_requests" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network-susefirewall2" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network-ufw" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network_disable_unused_interfaces" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_network_ssl" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_permissions_important_account_files" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_permissions_var_log_dir" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_permissions_within_important_dirs" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_partitions" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_permissions_local" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_daemon_umask" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_enable_nx" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_selinux-booleans" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_apport" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_apt" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_avahi" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_avahi_configuration" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disable_avahi_group" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_base" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_cron_and_at" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_restrict_at_cron_users" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_deprecated" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dhcp" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dhcp_client_configuration" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dhcp_server_configuration" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_dhcp_client" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_dhcp_server" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dns" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_dns_server" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dns_server_isolation" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dns_server_chroot" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dns_server_dedicated" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dns_server_protection" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dns_server_partition_with_views" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dns_server_separate_internal_external" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_docker" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_fapolicyd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_ftp" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_vsftpd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_ftp_restrict_users" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_ftp_use_vsftpd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_http" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_httpd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_installing_httpd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_minimal_modules_installed" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_securing_httpd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_configure_os_protect_web_server" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_chroot" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_restrict_file_dir_access" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_configure_perl_securely" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_configure_php_securely" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_directory_restrictions" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_minimize_loadable_modules" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_core_modules" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_basic_authentication" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_minimize_config_files_included" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_optional_components" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_modules_improve_security" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_deploy_mod_security" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_deploy_mod_ssl" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_restrict_info_leakage" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_secure_content" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_httpd_use_dos_protection_modules" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_imap" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_configure_dovecot" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dovecot_allow_imap_access" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dovecot_enabling_ssl" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_dovecot" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_kerberos" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_ldap" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_openldap_client" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_openldap_server" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_ldap_server_config_certificate_files" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_mail" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_client" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_harden_os" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_configure_ssl_certs" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_install_ssl_cert" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_server_cfg" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_server_dos" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_server_relay" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_server_mail_smtpd_recipient_restrictions" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_server_mail_smtpd_relay_restrictions" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_server_relay_require_tls" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_server_relay_set_trusted" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_postfix_server_relay_smtp_auth_for_untrusted" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_nfs_and_rpc" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_nfs" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_netfs" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_nfs_services" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_nfs_configuring_all_machines" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_nfs_client_or_server_not_both" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_nfs_configure_fixed_ports" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_nfs_configuring_clients" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_nfsd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_mounting_remote_filesystems" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_nfs_configuring_servers" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_configure_exports_restrictively" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_export_filesystems_read_only" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_use_acl_enforce_auth_restrictions" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_obsolete" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_inetd_and_xinetd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_nis" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_r_services" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_talk" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_telnet" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_tftp" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_printing" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_configure_printing" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_proxy" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_squid" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_radius" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_rng" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_routing" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_quagga" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_smb" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_configuring_samba" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_smb_disable_printing" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_smb_restrict_file_sharing" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_samba" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_snmp" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_snmp_service" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_snmp_configure_server" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_ssh_client" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_sshd_strengthen_firewall" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_sssd" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_sssd-ldap" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_xwindows" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_disabling_xwindows" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_general-principles" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-least-privilege" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-minimize-software" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-separate-servers" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_principle-use-security-tools" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_how-to-use" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-formatting-conventions" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-read-sections-completely" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-reboot-required" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-root-shell-assumed" selected="false"/>
-        <xccdf-1.2:select idref="xccdf_org.ssgproject.content_group_intro-test-non-production" selected="false"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_auditd_flush" selector="incremental_async"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_auditd_space_left_action" selector="syslog"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_auditd_disk_error_action" selector="syslog"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_auditd_admin_space_left_action" selector="syslog"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_auditd_max_log_file_action" selector="rotate"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_auditd_disk_full_action" selector="syslog"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_system_crypto_policy" selector="fips"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_login_banner_text" selector="dod_banners"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_selinux_policy_name" selector="targeted"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_selinux_state" selector="enforcing"/>
-        <xccdf-1.2:refine-value idref="xccdf_org.ssgproject.content_value_var_sshd_set_keepalive" selector="0"/>
-        <xccdf-1.2:refine-rule idref="xccdf_org.ssgproject.content_rule_coreos_vsyscall_kernel_argument" role="unscored" severity="info"/>
-      </xccdf-1.2:Profile>
-      <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_system">
-        <xccdf-1.2:title>System Settings</xccdf-1.2:title>
-        <xccdf-1.2:description>Contains rules that check correct system settings.</xccdf-1.2:description>
-        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_software">
-          <xccdf-1.2:title>Installing and Maintaining Software</xccdf-1.2:title>
-          <xccdf-1.2:description>The following sections contain information on
-security-relevant choices during the initial operating system
-installation process and the setup of software
-updates.</xccdf-1.2:description>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_prefer_64bit_os" severity="medium">
-            <xccdf-1.2:title>Prefer to use a 64-bit Operating System when supported</xccdf-1.2:title>
-            <xccdf-1.2:description>Prefer installation of 64-bit operating systems when the CPU supports it.</xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">There is no remediation besides installing a 64-bit operating system.</xccdf-1.2:warning>
-            <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R10)</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Use of a 64-bit operating system offers a few advantages, like a larger address space range for
-Address Space Layout Randomization (ASLR) and systematic presence of No eXecute and Execute Disable (NX/XD) protection bits.</xccdf-1.2:rationale>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-prefer_64bit_os:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-prefer_64bit_os_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_integrity">
-            <xccdf-1.2:title>System and Software Integrity</xccdf-1.2:title>
-            <xccdf-1.2:description>System and software integrity can be gained by installing antivirus, increasing
-system encryption strength with FIPS, verifying installed software, enabling SELinux,
-installing an Intrusion Prevention System, etc. However, installing or enabling integrity
-checking tools cannot <html:i>prevent</html:i> intrusions, but they can detect that an intrusion
-may have occurred. Requirements for integrity checking may be highly dependent on
-the environment in which the system will be used. Snapshot-based approaches such
-as AIDE may induce considerable overhead in the presence of frequent software updates.</xccdf-1.2:description>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_disable_prelink" severity="medium">
-              <xccdf-1.2:title>Disable Prelinking</xccdf-1.2:title>
-              <xccdf-1.2:description>The prelinking feature changes binaries in an attempt to decrease their startup
-time. In order to disable it, change or add the following line inside the file
-<html:code>/etc/sysconfig/prelink</html:code>:
-<html:pre>PRELINKING=no</html:pre>
-Next, run the following command to return binaries to a normal, non-prelinked state:
-<html:pre>$ sudo /usr/sbin/prelink -ua</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI02.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI06.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS04.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.13.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000803</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002450</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R4.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-11.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000120-VMM-000600</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000478-VMM-001980</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000396-VMM-001590</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Because the prelinking feature changes binaries, it can interfere with the
-operation of certain software and/or modes such as AIDE, FIPS, etc.</xccdf-1.2:rationale>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-disable_prelink:def:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_software-integrity">
-              <xccdf-1.2:title>Software Integrity Checking</xccdf-1.2:title>
-              <xccdf-1.2:description>Both the AIDE (Advanced Intrusion Detection Environment)
-software and the RPM package management system provide
-mechanisms for verifying the integrity of installed software.
-AIDE uses snapshots of file metadata (such as hashes) and compares these
-to current system files in order to detect changes.
-<html:br/><html:br/>
-The RPM package management system can conduct integrity
-checks by comparing information in its metadata database with
-files installed on the system.</xccdf-1.2:description>
-              <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_aide_scan_notification_email" type="string" interactive="true">
-                <xccdf-1.2:title>Integrity Scan Notification Email Address</xccdf-1.2:title>
-                <xccdf-1.2:description>Specify the email address for designated personnel if baseline
-configurations are changed in an unauthorized manner.</xccdf-1.2:description>
-                <xccdf-1.2:value>root@localhost</xccdf-1.2:value>
-              </xccdf-1.2:Value>
-              <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_rpm_verification">
-                <xccdf-1.2:title>Verify Integrity with RPM</xccdf-1.2:title>
-                <xccdf-1.2:description>The RPM package management system includes the ability
-to verify the integrity of installed packages by comparing the
-installed files with information about the files taken from the
-package metadata stored in the RPM database. Although an attacker
-could corrupt the RPM database (analogous to attacking the AIDE
-database as described above), this check can still reveal
-modification of important files. To list which files on the system differ from what is expected by the RPM database:
-<html:pre>$ rpm -qVa</html:pre>
-See the man page for <html:code>rpm</html:code> to see a complete explanation of each column.</xccdf-1.2:description>
-                <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_rpm_verify_ownership" severity="high">
-                  <xccdf-1.2:title>Verify and Correct Ownership with RPM</xccdf-1.2:title>
-                  <xccdf-1.2:description>The RPM package management system can check file ownership
-permissions of installed software packages, including many that are
-important to system security. After locating a file with incorrect
-permissions, which can be found with
-<html:pre>rpm -Va | awk '{ if (substr($0,6,1)=="U" || substr($0,7,1)=="G") print $NF }'</html:pre>
-run the following command to determine which package owns it:
-<html:pre>$ rpm -qf <html:i>FILENAME</html:i></html:pre>
-Next, run the following command to reset its permissions to
-the correct values:
-<html:pre>$ sudo rpm --setugids <html:i>PACKAGENAME</html:i></html:pre></xccdf-1.2:description>
-                  <xccdf-1.2:warning category="general">Profiles may require that specific files be owned by root while the default owner defined
-by the vendor is different.
-Such files will be reported as a finding and need to be evaluated according to your policy
-and deployment environment.</xccdf-1.2:warning>
-                  <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.4.1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.8</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001494</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001496</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R4.2</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R4</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R4.1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R4.2</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(d)</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(c)</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-7</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-7(1)</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-7(6)</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9(3)</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-11.5</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000256-GPOS-00097</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000257-GPOS-00098</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000278-GPOS-00108</xccdf-1.2:reference>
-                  <xccdf-1.2:rationale>Ownership of binaries and configuration files that is incorrect
-could allow an unauthorized user to gain privileges that they should
-not have. The ownership set by the vendor should be maintained. Any
-deviations from this baseline should be investigated.</xccdf-1.2:rationale>
-                  <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82686-7</xccdf-1.2:ident>
-                  <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                    <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-rpm_verify_ownership:def:1"/>
-                  </xccdf-1.2:check>
-                  <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                    <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-rpm_verify_ownership_ocil:questionnaire:1"/>
-                  </xccdf-1.2:check>
-                </xccdf-1.2:Rule>
-                <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_rpm_verify_permissions" severity="high">
-                  <xccdf-1.2:title>Verify and Correct File Permissions with RPM</xccdf-1.2:title>
-                  <xccdf-1.2:description>The RPM package management system can check file access permissions
-of installed software packages, including many that are important
-to system security.
-Verify that the file permissions of system files
-and commands match vendor values. Check the file permissions
-with the following command:
-<html:pre>$ sudo rpm -Va | awk '{ if (substr($0,2,1)=="M") print $NF }'</html:pre>
-Output indicates files that do not match vendor defaults.
-After locating a file with incorrect permissions,
-run the following command to determine which package owns it:
-<html:pre>$ rpm -qf <html:i>FILENAME</html:i></html:pre>
-<html:br/>
-Next, run the following command to reset its permissions to
-the correct values:
-<html:pre>$ sudo rpm --setperms <html:i>PACKAGENAME</html:i></html:pre></xccdf-1.2:description>
-                  <xccdf-1.2:warning category="general">Profiles may require that specific files have stricter file permissions than defined by the
-vendor.
-Such files will be reported as a finding and need to be evaluated according to your policy
-and deployment environment.</xccdf-1.2:warning>
-                  <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.4.1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.8</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001493</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001494</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001495</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001496</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(c)(1)</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(c)(2)</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(i)</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R4.2</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R4</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R4.1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R4.2</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(d)</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(c)</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-7</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-7(1)</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-7(6)</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9(3)</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-11.5</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000256-GPOS-00097</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000257-GPOS-00098</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000258-GPOS-00099</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000278-GPOS-00108</xccdf-1.2:reference>
-                  <xccdf-1.2:rationale>Permissions on system binaries and configuration files that are too generous
-could allow an unauthorized user to gain privileges that they should not have.
-The permissions set by the vendor should be maintained. Any deviations from
-this baseline should be investigated.</xccdf-1.2:rationale>
-                  <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82687-5</xccdf-1.2:ident>
-                  <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                    <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-rpm_verify_permissions:def:1"/>
-                  </xccdf-1.2:check>
-                  <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                    <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-rpm_verify_permissions_ocil:questionnaire:1"/>
-                  </xccdf-1.2:check>
-                </xccdf-1.2:Rule>
-              </xccdf-1.2:Group>
-              <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_aide">
-                <xccdf-1.2:title>Verify Integrity with AIDE</xccdf-1.2:title>
-                <xccdf-1.2:description>AIDE conducts integrity checks by comparing information about
-files with previously-gathered information. Ideally, the AIDE database is
-created immediately after initial system configuration, and then again after any
-software update.  AIDE is highly configurable, with further configuration
-information located in <html:code>/usr/share/doc/aide-<html:i>VERSION</html:i></html:code>.</xccdf-1.2:description>
-                <xccdf-1.2:platform idref="#machine"/>
-                <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_package_aide_installed" severity="medium">
-                  <xccdf-1.2:title>Install AIDE</xccdf-1.2:title>
-                  <xccdf-1.2:description>The <html:code>aide</html:code> package can be installed with the following command:
-<html:pre/></xccdf-1.2:description>
-                  <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R51)</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1.3</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI01.06</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI02.01</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI06.01</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS04.07</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002696</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002699</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001744</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.4</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.3</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.4</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="">1034</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="">1288</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="">1341</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="">1417</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.4</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.2.1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-6</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-8</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-3</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-11.5</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000363-GPOS-00150</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000445-GPOS-00199</xccdf-1.2:reference>
-                  <xccdf-1.2:rationale>The AIDE package must be installed if it is to be available for integrity checking.</xccdf-1.2:rationale>
-                  <xccdf-1.2:platform idref="#machine"/>
-                  <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                    <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-package_aide_installed:def:1"/>
-                  </xccdf-1.2:check>
-                  <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                    <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-package_aide_installed_ocil:questionnaire:1"/>
-                  </xccdf-1.2:check>
-                </xccdf-1.2:Rule>
-                <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_aide_build_database" severity="medium">
-                  <xccdf-1.2:title>Build and Test AIDE Database</xccdf-1.2:title>
-                  <xccdf-1.2:description>Run the following command to generate a new database:
-
-<html:pre>$ sudo /usr/sbin/aide --init</html:pre>
-
-By default, the database will be written to the file
-
-<html:code>/var/lib/aide/aide.db.new.gz</html:code>.
-
-Storing the database, the configuration file <html:code>/etc/aide.conf</html:code>, and the binary
-<html:code>/usr/sbin/aide</html:code>
-(or hashes of these files), in a secure location (such as on read-only media) provides additional assurance about their integrity.
-The newly-generated database can be installed as follows:
-
-<html:pre>$ sudo cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz</html:pre>
-
-To initiate a manual check, run the following command:
-<html:pre>$ sudo /usr/sbin/aide --check</html:pre>
-If this check produces any unexpected output, investigate.</xccdf-1.2:description>
-                  <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R51)</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1.3</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI01.06</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI02.01</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI06.01</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS04.07</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.4</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.3</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.4</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.4</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.2.1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-6</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-8</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-3</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-11.5</xccdf-1.2:reference>
-                  <xccdf-1.2:rationale>For AIDE to be effective, an initial database of "known-good" information about files
-must be captured and it should be able to be verified against the installed files.</xccdf-1.2:rationale>
-                  <xccdf-1.2:platform idref="#machine"/>
-                  <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                    <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-aide_build_database:def:1"/>
-                  </xccdf-1.2:check>
-                  <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                    <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-aide_build_database_ocil:questionnaire:1"/>
-                  </xccdf-1.2:check>
-                </xccdf-1.2:Rule>
-              </xccdf-1.2:Group>
-            </xccdf-1.2:Group>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_fips">
-              <xccdf-1.2:title>Federal Information Processing Standard (FIPS)</xccdf-1.2:title>
-              <xccdf-1.2:description>The Federal Information Processing Standard (FIPS) is a computer security standard which
-is developed by the U.S. Government and industry working groups to validate the quality
-of cryptographic modules. The FIPS standard provides four security levels to ensure
-adequate coverage of different industries, implementation of cryptographic modules, and
-organizational sizes and requirements.
-<html:br/><html:br/>
-FIPS 140-2 is the current standard for validating that mechanisms used to access cryptographic modules
-utilize authentication that meets industry and government requirements. For government systems, this allows
-Security Levels 1, 2, 3, or 4 for use on Red Hat Enterprise Linux CoreOS 4.
-<html:br/><html:br/>
-See <html:b><html:a href="http://csrc.nist.gov/publications/PubsFIPS.html">http://csrc.nist.gov/publications/PubsFIPS.html</html:a></html:b> for more information.</xccdf-1.2:description>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_package_dracut-fips-aesni_installed" severity="medium">
-                <xccdf-1.2:title>Install the dracut-fips-aesni Package</xccdf-1.2:title>
-                <xccdf-1.2:description>To enable FIPS on system that support the Advanced Encryption Standard (AES) or New
-Instructions (AES-NI) engine, the system requires that the <html:code>dracut-fips-aesni</html:code>
-package be installed.
-The <html:code>dracut-fips-aesni</html:code> package can be installed with the following command:
-<html:pre/></xccdf-1.2:description>
-                <xccdf-1.2:warning category="general">The system needs to be rebooted for these changes to take effect.</xccdf-1.2:warning>
-                <xccdf-1.2:warning category="regulatory">System Crypto Modules must be provided by a vendor that undergoes
-FIPS-140 certifications.
-FIPS-140 is applicable to all Federal agencies that use
-cryptographic-based security systems to protect sensitive information
-in computer and telecommunication systems (including voice systems) as
-defined in Section 5131 of the Information Technology Management Reform
-Act of 1996, Public Law 104-106. This standard shall be used in
-designing and implementing cryptographic modules that Federal
-departments and agencies operate or are operated for them under
-contract. See <html:b><html:a href="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf">https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf</html:a></html:b>
-To meet this, the system has to have cryptographic software provided by
-a vendor that has undergone this certification. This means providing
-documentation, test results, design information, and independent third
-party review by an accredited lab. While open source software is
-capable of meeting this, it does not meet FIPS-140 unless the vendor
-submits to this process.</xccdf-1.2:warning>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.13.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.13.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000068</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000803</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002450</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12(2)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12(3)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000033-GPOS-00014</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000396-GPOS-00176</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000478-GPOS-00223</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000120-VMM-000600</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000478-VMM-001980</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000396-VMM-001590</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to
-protect data. The operating system must implement cryptographic modules adhering to the higher
-standards approved by the federal government since this provides assurance they have been tested
-and validated.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#machine"/>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-package_dracut-fips-aesni_installed:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-package_dracut-fips-aesni_installed_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_package_dracut-fips_installed" severity="medium">
-                <xccdf-1.2:title>Install the dracut-fips Package</xccdf-1.2:title>
-                <xccdf-1.2:description>To enable FIPS, the system requires that the <html:code>dracut-fips</html:code>
-package be installed.
-The <html:code>dracut-fips</html:code> package can be installed with the following command:
-<html:pre/></xccdf-1.2:description>
-                <xccdf-1.2:warning category="regulatory">System Crypto Modules must be provided by a vendor that undergoes
-FIPS-140 certifications.
-FIPS-140 is applicable to all Federal agencies that use
-cryptographic-based security systems to protect sensitive information
-in computer and telecommunication systems (including voice systems) as
-defined in Section 5131 of the Information Technology Management Reform
-Act of 1996, Public Law 104-106. This standard shall be used in
-designing and implementing cryptographic modules that Federal
-departments and agencies operate or are operated for them under
-contract. See <html:b><html:a href="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf">https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf</html:a></html:b>
-To meet this, the system has to have cryptographic software provided by
-a vendor that has undergone this certification. This means providing
-documentation, test results, design information, and independent third
-party review by an accredited lab. While open source software is
-capable of meeting this, it does not meet FIPS-140 unless the vendor
-submits to this process.</xccdf-1.2:warning>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.13.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.13.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000068</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000803</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002450</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12(2)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12(3)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000033-GPOS-00014</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000396-GPOS-00176</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000478-GPOS-00223</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000120-VMM-000600</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000478-VMM-001980</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000396-VMM-001590</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to
-protect data. The operating system must implement cryptographic modules adhering to the higher
-standards approved by the federal government since this provides assurance they have been tested
-and validated.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#machine"/>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-package_dracut-fips_installed:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-package_dracut-fips_installed_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_enable_dracut_fips_module" severity="high">
-                <xccdf-1.2:title>Enable Dracut FIPS Module</xccdf-1.2:title>
-                <xccdf-1.2:description>To enable FIPS mode, run the following command:
-<html:pre>fips-mode-setup --enable</html:pre>
-To enable FIPS, the system requires that the <html:code>fips</html:code> module is added in <html:code>dracut</html:code> configuration.
-Check if <html:code>/etc/dracut.conf.d/40-fips.conf</html:code> contain <html:code>add_dracutmodules+=" fips "</html:code></xccdf-1.2:description>
-                <xccdf-1.2:warning category="general">The system needs to be rebooted for these changes to take effect.</xccdf-1.2:warning>
-                <xccdf-1.2:warning category="regulatory">System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications.
-FIPS-140 is applicable to all Federal agencies that use cryptographic-based security
-systems to protect sensitive information in computer and telecommunication systems
-(including voice systems) as defined in Section 5131 of the Information Technology
-Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing
-and implementing cryptographic modules that Federal departments and agencies operate or are
-operated for them under contract.
-See <html:b><html:a href="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf">https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf</html:a></html:b>
-To meet this, the system has to have cryptographic software provided by a vendor that has
-undergone this certification. This means providing documentation, test results, design
-information, and independent third party review by an accredited lab. While open source
-software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to
-this process.</xccdf-1.2:warning>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000068</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000803</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002450</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">1446</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12(2)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12(3)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_RBG_EXT.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000478-GPOS-00223</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000120-VMM-000600</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000478-VMM-001980</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000396-VMM-001590</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to
-protect data. The operating system must implement cryptographic modules adhering to the higher
-standards approved by the federal government since this provides assurance they have been tested
-and validated.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#machine"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82548-9</xccdf-1.2:ident>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-enable_dracut_fips_module:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-enable_dracut_fips_module_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_enable_fips_mode" severity="high">
-                <xccdf-1.2:title>Enable FIPS Mode</xccdf-1.2:title>
-                <xccdf-1.2:description>To enable FIPS mode, run the following command:
-<html:pre>fips-mode-setup --enable</html:pre>
-<html:br/>
-The <html:code>fips-mode-setup</html:code> command will configure the system in
-FIPS mode by automatically configuring the following:
-<html:ul><html:li>Setting the kernel FIPS mode flag (<html:code>/proc/sys/crypto/fips_enabled</html:code>) to <html:code>1</html:code></html:li><html:li>Creating <html:code>/etc/system-fips</html:code></html:li><html:li>Setting the system crypto policy in <html:code>/etc/crypto-policies/config</html:code> to <html:code><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_system_crypto_policy" use="legacy"/></html:code></html:li><html:li>Loading the Dracut <html:code>fips</html:code> module</html:li></html:ul></xccdf-1.2:description>
-                <xccdf-1.2:warning category="general">The system needs to be rebooted for these changes to take effect.</xccdf-1.2:warning>
-                <xccdf-1.2:warning category="regulatory">This rule DOES NOT CHECK if the components of the operating system are FIPS certified.
-You can find the list of FIPS certified modules at 
-<html:a href="https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search">https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search</html:a>.
-This rule checks if the system is running in FIPS mode. See the rule description for more information about what it means.</xccdf-1.2:warning>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000068</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000803</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002450</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">1446</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-3(6)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12(2)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12(3)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_COP.1(1)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_COP.1(2)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_COP.1(3)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_COP.1(4)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_CKM.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_CKM.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_TLSC_EXT.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_RBG_EXT.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000478-GPOS-00223</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000396-GPOS-00176</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000120-VMM-000600</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000478-VMM-001980</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000396-VMM-001590</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to
-protect data. The operating system must implement cryptographic modules adhering to the higher
-standards approved by the federal government since this provides assurance they have been tested
-and validated.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#machine"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82540-6</xccdf-1.2:ident>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-export export-name="oval:ssg-var_system_crypto_policy:var:1" value-id="xccdf_org.ssgproject.content_value_var_system_crypto_policy"/>
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-enable_fips_mode:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-enable_fips_mode_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_etc_system_fips_exists" severity="high">
-                <xccdf-1.2:title>Ensure '/etc/system-fips' exists</xccdf-1.2:title>
-                <xccdf-1.2:description>On a system where FIPS mode is enabled, <html:code>/etc/system-fips</html:code> must exist.
-To enable FIPS mode, run the following command:
-<html:pre>fips-mode-setup --enable</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:warning category="general">The system needs to be rebooted for these changes to take effect.</xccdf-1.2:warning>
-                <xccdf-1.2:warning category="regulatory">System Crypto Modules must be provided by a vendor that undergoes
-FIPS-140 certifications.
-FIPS-140 is applicable to all Federal agencies that use
-cryptographic-based security systems to protect sensitive information
-in computer and telecommunication systems (including voice systems) as
-defined in Section 5131 of the Information Technology Management Reform
-Act of 1996, Public Law 104-106. This standard shall be used in
-designing and implementing cryptographic modules that Federal
-departments and agencies operate or are operated for them under
-contract. See <html:b><html:a href="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf">https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf</html:a></html:b>
-To meet this, the system has to have cryptographic software provided by
-a vendor that has undergone this certification. This means providing
-documentation, test results, design information, and independent third
-party review by an accredited lab. While open source software is
-capable of meeting this, it does not meet FIPS-140 unless the vendor
-submits to this process.</xccdf-1.2:warning>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000068</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000803</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002450</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12(2)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12(3)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000120-VMM-000600</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000478-VMM-001980</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000396-VMM-001590</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to
-protect data. The operating system must implement cryptographic modules adhering to the higher
-standards approved by the federal government since this provides assurance they have been tested
-and validated.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#machine"/>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-etc_system_fips_exists:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-etc_system_fips_exists_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_grub2_enable_fips_mode" severity="high">
-                <xccdf-1.2:title>Enable FIPS Mode in GRUB2</xccdf-1.2:title>
-                <xccdf-1.2:description>To ensure FIPS mode is enabled, install package <html:code>dracut-fips</html:code>, and rebuild <html:code>initramfs</html:code> by running the following commands:
-<html:pre>
-dracut -f</html:pre>
-After the <html:code>dracut</html:code> command has been run, add the argument <html:code>fips=1</html:code> to the default
-GRUB 2 command line for the Linux operating system in
-<html:code>/etc/default/grub</html:code>, in the manner below:
-<html:pre>GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=VolGroup/LogVol06 rd.lvm.lv=VolGroup/lv_swap rhgb quiet rd.shell=0 fips=1"</html:pre>
-Finally, rebuild the <html:code>grub.cfg</html:code> file by using the
-<html:pre>grub2-mkconfig -o</html:pre> command as follows:
-<html:ul><html:li>On BIOS-based machines, issue the following command as <html:code>root</html:code>:
-<html:pre>~]# grub2-mkconfig -o /boot/grub2/grub.cfg</html:pre></html:li><html:li>On UEFI-based machines, issue the following command as <html:code>root</html:code>:
-<html:pre>~]# grub2-mkconfig -o /boot/grub2/grub.cfg</html:pre></html:li></html:ul></xccdf-1.2:description>
-                <xccdf-1.2:warning category="functionality">Running <html:pre>dracut -f</html:pre> will overwrite the existing initramfs file.</xccdf-1.2:warning>
-                <xccdf-1.2:warning category="general">The system needs to be rebooted for these changes to take effect.</xccdf-1.2:warning>
-                <xccdf-1.2:warning category="regulatory">System Crypto Modules must be provided by a vendor that undergoes
-FIPS-140 certifications.
-FIPS-140 is applicable to all Federal agencies that use
-cryptographic-based security systems to protect sensitive information
-in computer and telecommunication systems (including voice systems) as
-defined in Section 5131 of the Information Technology Management Reform
-Act of 1996, Public Law 104-106. This standard shall be used in
-designing and implementing cryptographic modules that Federal
-departments and agencies operate or are operated for them under
-contract. See <html:b><html:a href="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf">https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf</html:a></html:b>
-To meet this, the system has to have cryptographic software provided by
-a vendor that has undergone this certification. This means providing
-documentation, test results, design information, and independent third
-party review by an accredited lab. While open source software is
-capable of meeting this, it does not meet FIPS-140 unless the vendor
-submits to this process.</xccdf-1.2:warning>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.13.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.13.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000068</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000803</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001199</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002450</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002476</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12(2)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12(3)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000033-GPOS-00014</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000185-GPOS-00079</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000396-GPOS-00176</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000405-GPOS-00184</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000478-GPOS-00223</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000120-VMM-000600</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000478-VMM-001980</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000396-VMM-001590</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to
-protect data. The operating system must implement cryptographic modules adhering to the higher
-standards approved by the federal government since this provides assurance they have been tested
-and validated.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#machine"/>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-grub2_enable_fips_mode:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-grub2_enable_fips_mode_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sysctl_crypto_fips_enabled" severity="high">
-                <xccdf-1.2:title>Set kernel parameter 'crypto.fips_enabled' to 1</xccdf-1.2:title>
-                <xccdf-1.2:description>System running in FIPS mode is indicated by kernel parameter
-<html:code>'crypto.fips_enabled'</html:code>. This parameter should be set to <html:code>1</html:code> in FIPS mode.
-To enable FIPS mode, run the following command:
-<html:pre>fips-mode-setup --enable</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:warning category="general">The system needs to be rebooted for these changes to take effect.</xccdf-1.2:warning>
-                <xccdf-1.2:warning category="regulatory">System Crypto Modules must be provided by a vendor that undergoes FIPS-140 certifications.
-FIPS-140 is applicable to all Federal agencies that use cryptographic-based security
-systems to protect sensitive information in computer and telecommunication systems
-(including voice systems) as defined in Section 5131 of the Information Technology
-Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing
-and implementing cryptographic modules that Federal departments and agencies operate or are
-operated for them under contract.
-See <html:b><html:a href="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf">https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf</html:a></html:b>
-To meet this, the system has to have cryptographic software provided by a vendor that has
-undergone this certification. This means providing documentation, test results, design
-information, and independent third party review by an accredited lab. While open source
-software is capable of meeting this, it does not meet FIPS-140 unless the vendor submits to
-this process.</xccdf-1.2:warning>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000068</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000803</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000877</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001453</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002418</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002450</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002890</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-003123</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12(2)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12(3)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000033-GPOS-00014</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000125-GPOS-00065</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000250-GPOS-00093</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000393-GPOS-00173</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000394-GPOS-00174</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000396-GPOS-00176</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000423-GPOS-00187</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000478-GPOS-00223</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000120-VMM-000600</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000478-VMM-001980</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000396-VMM-001590</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to
-protect data. The operating system must implement cryptographic modules adhering to the higher
-standards approved by the federal government since this provides assurance they have been tested
-and validated.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#machine"/>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sysctl_crypto_fips_enabled_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-            </xccdf-1.2:Group>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_crypto">
-              <xccdf-1.2:title>System Cryptographic Policies</xccdf-1.2:title>
-              <xccdf-1.2:description>Linux has the capability to centrally configure cryptographic polices. The command
-<html:code>update-crypto-policies</html:code> is used to set the policy applicable for the various
-cryptographic back-ends, such as SSL/TLS libraries. The configured cryptographic
-policies will be the default policy used by these backends unless the application
-user configures them otherwise. When the system has been configured to use the
-centralized cryptographic policies, the administrator is assured that any application
-that utilizes the supported backends will follow a policy that adheres to the
-configured profile.
-
-Currently the supported backends are:
-<html:ul><html:li>GnuTLS library</html:li><html:li>OpenSSL library</html:li><html:li>NSS library</html:li><html:li>OpenJDK</html:li><html:li>Libkrb5</html:li><html:li>BIND</html:li><html:li>OpenSSH</html:li></html:ul>
-Applications and languages which rely on any of these backends will follow the
-system policies as well. Examples are apache httpd, nginx, php, and others.</xccdf-1.2:description>
-              <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_ssh_client_rekey_limit_size" type="string" interactive="true">
-                <xccdf-1.2:title>SSH client RekeyLimit - size</xccdf-1.2:title>
-                <xccdf-1.2:description>Specify the size component of the rekey limit. This limit signifies amount
-of data. After this amount of data is transferred through the connection,
-the session key is renegotiated. The number is followed by K, M or G for
-kilobytes, megabytes or gigabytes. Note that the RekeyLimit can be also
-configured according to elapsed time.</xccdf-1.2:description>
-                <xccdf-1.2:value>512M</xccdf-1.2:value>
-                <xccdf-1.2:value selector="512M">512M</xccdf-1.2:value>
-                <xccdf-1.2:value selector="1G">1G</xccdf-1.2:value>
-              </xccdf-1.2:Value>
-              <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_ssh_client_rekey_limit_time" type="string" interactive="true">
-                <xccdf-1.2:title>SSH client RekeyLimit - time</xccdf-1.2:title>
-                <xccdf-1.2:description>Specify the time component of the rekey limit. The session key is
-renegotiated after the defined amount of time passes. The number is followed
-by units such as H or M for hours or minutes. Note that the RekeyLimit can
-be also configured according to amount of transfered data.</xccdf-1.2:description>
-                <xccdf-1.2:value>1h</xccdf-1.2:value>
-                <xccdf-1.2:value selector="1hour">1h</xccdf-1.2:value>
-              </xccdf-1.2:Value>
-              <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_system_crypto_policy" type="string">
-                <xccdf-1.2:title>The system-provided crypto policies</xccdf-1.2:title>
-                <xccdf-1.2:description>Specify the crypto policy for the system.</xccdf-1.2:description>
-                <xccdf-1.2:value>DEFAULT</xccdf-1.2:value>
-                <xccdf-1.2:value selector="default_policy">DEFAULT</xccdf-1.2:value>
-                <xccdf-1.2:value selector="default_nosha1">DEFAULT:NO-SHA1</xccdf-1.2:value>
-                <xccdf-1.2:value selector="fips">FIPS</xccdf-1.2:value>
-                <xccdf-1.2:value selector="fips_ospp">FIPS:OSPP</xccdf-1.2:value>
-                <xccdf-1.2:value selector="legacy">LEGACY</xccdf-1.2:value>
-                <xccdf-1.2:value selector="future">FUTURE</xccdf-1.2:value>
-                <xccdf-1.2:value selector="next">NEXT</xccdf-1.2:value>
-              </xccdf-1.2:Value>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy" severity="high">
-                <xccdf-1.2:title>Configure BIND to use System Crypto Policy</xccdf-1.2:title>
-                <xccdf-1.2:description>Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
-BIND is supported by crypto policy, but the BIND configuration may be
-set up to ignore it.
-
-To check that Crypto Policies settings are configured correctly, ensure that the <html:code>/etc/named.conf</html:code>
-includes the appropriate configuration:
-In the <html:code>options</html:code> section of <html:code>/etc/named.conf</html:code>, make sure that the following line
-is not commented out or superseded by later includes:
-<html:code>include "/etc/crypto-policies/back-ends/bind.config";</html:code></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12(2)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12(3)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000423-GPOS-00187</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000426-GPOS-00190</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Overriding the system crypto policy makes the behavior of the BIND service violate expectations,
-and makes system configuration more fragmented.</xccdf-1.2:rationale>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82544-8</xccdf-1.2:ident>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-configure_bind_crypto_policy:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-configure_bind_crypto_policy_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_configure_crypto_policy" severity="high">
-                <xccdf-1.2:title>Configure System Cryptography Policy</xccdf-1.2:title>
-                <xccdf-1.2:description>To configure the system cryptography policy to use ciphers only from the <html:code><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_system_crypto_policy" use="legacy"/></html:code>
-policy, create a <html:code>MachineConfig</html:code> as follows:
-<html:pre>
----
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-metadata:
-  labels:
-    machineconfiguration.openshift.io/role: master
-  name: 50-master-configure-crypto-policy
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-        - name: configure-crypto-policy.service
-          enabled: true
-          contents: |
-            [Unit]
-            Before=kubelet.service
-            [Service]
-            Type=oneshot
-            ExecStart=update-crypto-policies --set <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_system_crypto_policy" use="legacy"/>
-            RemainAfterExit=yes
-            [Install]
-            WantedBy=multi-user.target
-</html:pre>
-<html:p>
-This will configure the crypto policy appropriately in all the
-nodes labeled with the "master" role.
-</html:p>
-<html:p>
-Note that this needs to be done for each <html:code>MachineConfigPool</html:code>
-</html:p>
-<html:p>
-For more information on how to configure nodes with the Machine Config
-Operator see
-<html:a href="https://docs.openshift.com/container-platform/4.6/post_installation_configuration/machine-configuration-tasks.html">the relevant documentation</html:a>.
-</html:p>
-
-The rule checks if settings for selected crypto policy are configured as expected. Configuration files in the <html:code>/etc/crypto-policies/back-ends</html:code> are either symlinks to correct files provided by Crypto-policies package or they are regular files in case crypto policy customizations are applied.
-Crypto policies may be customized by crypto policy modules, in which case it is delimited from the base policy using a colon.</xccdf-1.2:description>
-                <xccdf-1.2:warning category="general">The system needs to be rebooted for these changes to take effect.</xccdf-1.2:warning>
-                <xccdf-1.2:warning category="regulatory">System Crypto Modules must be provided by a vendor that undergoes
-FIPS-140 certifications.
-FIPS-140 is applicable to all Federal agencies that use
-cryptographic-based security systems to protect sensitive information
-in computer and telecommunication systems (including voice systems) as
-defined in Section 5131 of the Information Technology Management Reform
-Act of 1996, Public Law 104-106. This standard shall be used in
-designing and implementing cryptographic modules that Federal
-departments and agencies operate or are operated for them under
-contract. See <html:b><html:a href="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf">https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf</html:a></html:b>
-To meet this, the system has to have cryptographic software provided by
-a vendor that has undergone this certification. This means providing
-documentation, test results, design information, and independent third
-party review by an accredited lab. While open source software is
-capable of meeting this, it does not meet FIPS-140 unless the vendor
-submits to this process.</xccdf-1.2:warning>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">1446</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(2)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MA-4(6)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12(2)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12(3)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_COP.1(1)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_COP.1(2)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_COP.1(3)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_COP.1(4)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_CKM.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_CKM.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_TLSC_EXT.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000396-GPOS-00176</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000393-GPOS-00173</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000394-GPOS-00174</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Centralized cryptographic policies simplify applying secure ciphers across an operating system and
-the applications that run on that operating system. Use of weak or untested encryption algorithms
-undermines the purposes of utilizing encryption to protect data.</xccdf-1.2:rationale>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82541-4</xccdf-1.2:ident>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-export export-name="oval:ssg-var_system_crypto_policy:var:1" value-id="xccdf_org.ssgproject.content_value_var_system_crypto_policy"/>
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-configure_crypto_policy:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-configure_crypto_policy_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy" severity="high">
-                <xccdf-1.2:title>Configure Kerberos to use System Crypto Policy</xccdf-1.2:title>
-                <xccdf-1.2:description>Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
-Kerberos is supported by crypto policy, but it's configuration may be
-set up to ignore it.
-To check that Crypto Policies settings for Kerberos are configured correctly, examine that there is a symlink at
-/etc/krb5.conf.d/crypto-policies targeting /etc/cypto-policies/back-ends/krb5.config.
-If the symlink exists, Kerberos is configured to use the system-wide crypto policy settings.</xccdf-1.2:description>
-                <xccdf-1.2:reference href="">0418</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">1055</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">1402</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12(2)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12(3)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000120-GPOS-00061</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Overriding the system crypto policy makes the behavior of Kerberos violate expectations,
-and makes system configuration more fragmented.</xccdf-1.2:rationale>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82547-1</xccdf-1.2:ident>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-configure_kerberos_crypto_policy:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-configure_kerberos_crypto_policy_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy" severity="high">
-                <xccdf-1.2:title>Configure Libreswan to use System Crypto Policy</xccdf-1.2:title>
-                <xccdf-1.2:description>Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
-Libreswan is supported by system crypto policy, but the Libreswan configuration may be
-set up to ignore it.
-
-To check that Crypto Policies settings are configured correctly, ensure that the <html:code>/etc/ipsec.conf</html:code>
-includes the appropriate configuration file.
-In <html:code>/etc/ipsec.conf</html:code>, make sure that the following line
-is not commented out or superseded by later includes:
-<html:code>include /etc/crypto-policies/back-ends/libreswan.config</html:code></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MA-4(6)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12(2)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12(3)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_IPSEC_EXT.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_IPSEC_EXT.1.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000033-GPOS-00014</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Overriding the system crypto policy makes the behavior of the Libreswan
-service violate expectations, and makes system configuration more
-fragmented.</xccdf-1.2:rationale>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82546-3</xccdf-1.2:ident>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-configure_libreswan_crypto_policy:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-configure_libreswan_crypto_policy_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy" severity="medium">
-                <xccdf-1.2:title>Configure OpenSSL library to use System Crypto Policy</xccdf-1.2:title>
-                <xccdf-1.2:description>Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
-OpenSSL is supported by crypto policy, but the OpenSSL configuration may be
-set up to ignore it.
-To check that Crypto Policies settings are configured correctly, you have to examine the OpenSSL config file
-available under <html:code>/etc/pki/tls/openssl.cnf</html:code>.
-This file has the <html:code>ini</html:code> format, and it enables crypto policy support
-if there is a <html:code>[ crypto_policy ]</html:code> section that contains the <html:code>.include /etc/crypto-policies/back-ends/opensslcnf.config</html:code> directive.</xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001453</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(2)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MA-4(6)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12(2)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12(3)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000250-GPOS-00093</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Overriding the system crypto policy makes the behavior of the Java runtime violates expectations,
-and makes system configuration more fragmented.</xccdf-1.2:rationale>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82545-5</xccdf-1.2:ident>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-configure_openssl_crypto_policy:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-configure_openssl_crypto_policy_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy" severity="medium">
-                <xccdf-1.2:title>Configure SSH to use System Crypto Policy</xccdf-1.2:title>
-                <xccdf-1.2:description>Crypto Policies provide a centralized control over crypto algorithms usage of many packages.
-SSH is supported by crypto policy, but the SSH configuration may be
-set up to ignore it.
-To check that Crypto Policies settings are configured correctly, ensure that
-the <html:code>CRYPTO_POLICY</html:code> variable is either commented or not set at all
-in the <html:code>/etc/sysconfig/sshd</html:code>.</xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001453</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(2)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MA-4(6)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_SSH_EXT.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_SSHS_EXT.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_SSHC_EXT.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000250-GPOS-00093</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
-and makes system configuration more fragmented.</xccdf-1.2:rationale>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-configure_ssh_crypto_policy:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-configure_ssh_crypto_policy_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_harden_openssl_crypto_policy" severity="medium">
-                <xccdf-1.2:title>Harden OpenSSL Crypto Policy</xccdf-1.2:title>
-                <xccdf-1.2:description>Crypto Policies are means of enforcing certain cryptographic settings for
-selected applications including OpenSSL. OpenSSL is by default configured to
-modify its configuration based on currently configured Crypto Policy.
-However, in certain cases it might be needed to override the Crypto Policy
-specific to OpenSSL and leave rest of the Crypto Policy intact. This can
-be done by dropping a file named <html:code>opensslcnf-xxx.config</html:code>, replacing
-<html:code>xxx</html:code> with arbitrary identifier, into
-<html:code>/etc/crypto-policies/local.d</html:code>. This has to be followed by running
-<html:code>update-crypto-policies</html:code> so that changes are applied. Changes are
-propagated into <html:code>/etc/crypto-policies/back-ends/opensslcnf.config</html:code>.
-This rule checks if this file contains predefined <html:code>Ciphersuites</html:code>
-variable configured with predefined value.</xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-8(1)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_TLSC_EXT.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000396-GPOS-00176</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000424-GPOS-00188</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000478-GPOS-00223</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>The Common Criteria requirements specify that certain parameters for OpenSSL
-are configured e.g. cipher suites. Currently particular requirements
-specified by CC are stricter compared to any existing Crypto Policy.</xccdf-1.2:rationale>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84285-6</xccdf-1.2:ident>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-harden_openssl_crypto_policy:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-harden_openssl_crypto_policy_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_harden_ssh_client_crypto_policy" severity="medium">
-                <xccdf-1.2:title>Harden SSH client Crypto Policy</xccdf-1.2:title>
-                <xccdf-1.2:description>Crypto Policies are means of enforcing certain cryptographic settings for selected applications including OpenSSH client.
-To override the system wide crypto policy for Openssh client, place a file in the <html:code>/etc/ssh/ssh_config.d/</html:code> so that it is loaded before the <html:code>05-redhat.conf</html:code>. In this case it is file named <html:code>02-ospp.conf</html:code> containing parameters which need to be changed with respect to the crypto policy.
-This rule checks if the file exists and if it contains required parameters and values which modify the Crypto Policy.
-During the parsing process, as soon as Openssh client parses some configuration option and its value, it remembers it and ignores any subsequent overrides. The customization mechanism provided by crypto policies appends eventual customizations at the end of the system wide crypto policy. Therefore, if the crypto policy customization overrides some parameter which is already configured in the system wide crypto policy, the SSH client will not honor that customized parameter.</xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(2)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MA-4(6)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_SSHC_EXT.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000033-GPOS-00014</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000250-GPOS-00093</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000393-GPOS-00173</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000394-GPOS-00174</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>The Common Criteria requirements specify how certain parameters for OpenSSH Client are configured. Particular parameters are RekeyLimit, GSSAPIAuthentication, Ciphers, PubkeyAcceptedKeyTypes, MACs and KexAlgorithms. Currently particular requirements specified by CC are stricter compared to any existing Crypto Policy.</xccdf-1.2:rationale>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82543-0</xccdf-1.2:ident>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-harden_ssh_client_crypto_policy:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-harden_ssh_client_crypto_policy_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_harden_sshd_crypto_policy" severity="medium">
-                <xccdf-1.2:title>Harden SSHD Crypto Policy</xccdf-1.2:title>
-                <xccdf-1.2:description>Crypto Policies are means of enforcing certain cryptographic settings for selected applications including OpenSSH server.
-The SSHD service is by default configured to modify its configuration based on currently configured Crypto-Policy. However, in certain cases it might be needed to override the Crypto Policy specific to OpenSSH Server and leave rest of the Crypto Policy intact.
-This can be done by dropping a file named <html:code>opensshserver-xxx.config</html:code>, replacing <html:code>xxx</html:code> with arbitrary identifier, into <html:code>/etc/crypto-policies/local.d</html:code>. This has to be followed by running <html:code>update-crypto-policies</html:code> so that changes are applied.
-Changes are propagated into <html:code>/etc/crypto-policies/back-ends/opensshserver.config</html:code>. This rule checks if this file contains predefined <html:code>CRYPTO_POLICY</html:code> environment variable configured with predefined value.</xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(2)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MA-4(6)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12(2)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12(3)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_SSHS_EXT.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000250-GPOS-00093</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000033-GPOS-00014</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000120-GPOS-00061</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>The Common Criteria requirements specify that certain parameters for OpenSSH Server are configured e.g. supported ciphers, accepted host key algorithms, public key types, key exchange algorithms, HMACs and GSSAPI key exchange is disabled. Currently particular requirements specified by CC are stricter compared to any existing Crypto Policy.</xccdf-1.2:rationale>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82542-2</xccdf-1.2:ident>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-export export-name="oval:ssg-sshd_required:var:1" value-id="xccdf_org.ssgproject.content_value_sshd_required"/>
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-harden_sshd_crypto_policy:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-harden_sshd_crypto_policy_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-            </xccdf-1.2:Group>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_certified-vendor">
-              <xccdf-1.2:title>Operating System Vendor Support and Certification</xccdf-1.2:title>
-              <xccdf-1.2:description>The assurance of a vendor to provide operating system support and maintenance
-for their product is an important criterion to ensure product stability and
-security over the life of the product. A certified product that follows the
-necessary standards and government certification requirements guarantees that
-known software vulnerabilities will be remediated, and proper guidance for
-protecting and securing the operating system will be given.</xccdf-1.2:description>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_installed_OS_is_FIPS_certified" severity="high">
-                <xccdf-1.2:title>The Installed Operating System Is FIPS 140-2 Certified</xccdf-1.2:title>
-                <xccdf-1.2:description>To enable processing of sensitive information the operating system must
-provide certified cryptographic modules compliant with FIPS 140-2
-standard.</xccdf-1.2:description>
-                <xccdf-1.2:warning category="general">There is no remediation besides switching to a different operating system.</xccdf-1.2:warning>
-                <xccdf-1.2:warning category="regulatory">System Crypto Modules must be provided by a vendor that undergoes
-FIPS-140 certifications.
-FIPS-140 is applicable to all Federal agencies that use
-cryptographic-based security systems to protect sensitive information
-in computer and telecommunication systems (including voice systems) as
-defined in Section 5131 of the Information Technology Management Reform
-Act of 1996, Public Law 104-106. This standard shall be used in
-designing and implementing cryptographic modules that Federal
-departments and agencies operate or are operated for them under
-contract. See <html:b><html:a href="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf">https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf</html:a></html:b>
-To meet this, the system has to have cryptographic software provided by
-a vendor that has undergone this certification. This means providing
-documentation, test results, design information, and independent third
-party review by an accredited lab. While open source software is
-capable of meeting this, it does not meet FIPS-140 unless the vendor
-submits to this process.</xccdf-1.2:warning>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000803</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002450</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12(2)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12(3)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000120-VMM-000600</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000478-VMM-001980</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000396-VMM-001590</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>The Federal Information Processing Standard (FIPS) Publication 140-2, (FIPS
-PUB 140-2) is a computer security standard. The standard specifies security
-requirements for cryptographic modules used to protect sensitive
-unclassified information.  Refer to the full FIPS 140-2 standard at
-
-    <html:a href="http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf">http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf</html:a>
-for further details on the requirements.
-FIPS 140-2 validation is required by U.S. law when information systems use
-cryptography to protect sensitive government information. In order to
-achieve FIPS 140-2 certification, cryptographic modules are subject to
-extensive testing by independent laboratories, accredited by National
-Institute of Standards and Technology (NIST).</xccdf-1.2:rationale>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-installed_OS_is_FIPS_certified:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-installed_OS_is_FIPS_certified_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-            </xccdf-1.2:Group>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_endpoint_security_software">
-              <xccdf-1.2:title>Endpoint Protection Software</xccdf-1.2:title>
-              <xccdf-1.2:description>Endpoint protection security software that is not provided or supported
-
-by Red Hat can be installed to provide complementary or duplicative
-
-security capabilities to those provided by the base platform.  Add-on
-software may not be appropriate for some specialized systems.</xccdf-1.2:description>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_configure_user_data_backups" severity="medium">
-                <xccdf-1.2:title>Configure Backups of User Data</xccdf-1.2:title>
-                <xccdf-1.2:description>The operating system must conduct backups of user data contained
-in the operating system. The operating system provides utilities for
-automating backups of user data. Commercial and open-source products
-are also available.</xccdf-1.2:description>
-                <xccdf-1.2:rationale>Operating system backup is a critical step in maintaining data assurance and
-availability. User-level information is data generated by information system
-and/or application users. Backups shall be consistent with organizational
-recovery time and recovery point objectives.</xccdf-1.2:rationale>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-configure_user_data_backups_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_mcafee_security_software">
-                <xccdf-1.2:title>McAfee Endpoint Security Software</xccdf-1.2:title>
-                <xccdf-1.2:description>In DoD environments, McAfee Host-based Security System (HBSS) and
-VirusScan Enterprise for Linux (VSEL) is required to be installed on all systems.</xccdf-1.2:description>
-                <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_mcafee_antivirus_definition_expire" type="number">
-                  <xccdf-1.2:title>The age of McAfee defintion file before requiring updating</xccdf-1.2:title>
-                  <xccdf-1.2:description>Specify the amount of time (in seconds) before McAfee definition files need to be
-updated.</xccdf-1.2:description>
-                  <xccdf-1.2:value>2592000</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="1_day">86400</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="1_week">604800</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="30_days">2592000</xccdf-1.2:value>
-                </xccdf-1.2:Value>
-                <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_mcafee_endpoint_security_software">
-                  <xccdf-1.2:title>McAfee Endpoint Security for Linux (ENSL)</xccdf-1.2:title>
-                  <xccdf-1.2:description>McAfee Endpoint Security for Linux (ENSL) is a suite of software applications
-used to monitor, detect, and defend computer networks and systems.</xccdf-1.2:description>
-                  <xccdf-1.2:platform idref="#machine"/>
-                </xccdf-1.2:Group>
-                <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_mcafee_hbss_software">
-                  <xccdf-1.2:title>McAfee Host-Based Intrusion Detection Software (HBSS)</xccdf-1.2:title>
-                  <xccdf-1.2:description>McAfee Host-based Security System (HBSS) is a suite of software applications
-used to monitor, detect, and defend computer networks and systems.</xccdf-1.2:description>
-                  <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_package_MFEhiplsm_installed" severity="medium">
-                    <xccdf-1.2:title>Install the Host Intrusion Prevention System (HIPS) Module</xccdf-1.2:title>
-                    <xccdf-1.2:description>Install the McAfee Host Intrusion Prevention System (HIPS) Module if it is absolutely
-necessary. If SELinux is enabled, do not install or enable this module.</xccdf-1.2:description>
-                    <xccdf-1.2:warning category="functionality">Installing and enabling this module conflicts with SELinux.
-Per DoD/DISA guidance, SELinux takes precedence over this module.</xccdf-1.2:warning>
-                    <xccdf-1.2:warning category="general">Due to McAfee HIPS being 3rd party software, automated
-remediation is not available for this configuration check.</xccdf-1.2:warning>
-                    <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO07.06</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO08.04</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.06</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.01</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.02</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.03</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.04</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.02</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.04</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.05</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.05</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.04</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS04.05</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.01</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.01</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA03.03</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA03.04</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001233</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001263</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.12</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.7</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.9</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.4</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.2</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.9</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.3.2</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.3.3</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.3.4</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.3</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.9</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.1</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.1</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.2</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.8</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.1</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.2</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.3</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.6</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.18.1.4</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.18.2.2</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.18.2.3</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">Clause 16.1.2</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">Clause 7.4</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-1</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-2</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-4</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-5</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-6</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.DP-2</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.DP-3</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.DP-4</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.DP-5</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.RA-1</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-5</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-8</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.CO-3</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-11.4</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000191-GPOS-00080</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000196</xccdf-1.2:reference>
-                    <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-                    <xccdf-1.2:rationale>Without a host-based intrusion detection tool, there is no system-level defense
-when an intruder gains access to a system or network. Additionally, a host-based
-intrusion prevention tool can provide methods to immediately lock out detected
-intrusion attempts.</xccdf-1.2:rationale>
-                    <xccdf-1.2:conflicts idref="xccdf_org.ssgproject.content_rule_selinux_state"/>
-                    <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                      <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-package_MFEhiplsm_installed:def:1"/>
-                    </xccdf-1.2:check>
-                    <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                      <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-package_MFEhiplsm_installed_ocil:questionnaire:1"/>
-                    </xccdf-1.2:check>
-                  </xccdf-1.2:Rule>
-                </xccdf-1.2:Group>
-              </xccdf-1.2:Group>
-            </xccdf-1.2:Group>
-          </xccdf-1.2:Group>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_disk_partitioning">
-            <xccdf-1.2:title>Disk Partitioning</xccdf-1.2:title>
-            <xccdf-1.2:description>To ensure separation and protection of data, there
-are top-level system directories which should be placed on their
-own physical partition or logical volume. The installer's default
-partitioning scheme creates separate logical volumes for
-<html:code>/</html:code>, <html:code>/boot</html:code>, and <html:code>swap</html:code>.
-<html:ul><html:li>If starting with any of the default layouts, check the box to
-\"Review and modify partitioning.\" This allows for the easy creation
-of additional logical volumes inside the volume group already
-created, though it may require making <html:code>/</html:code>'s logical volume smaller to
-create space. In general, using logical volumes is preferable to
-using partitions because they can be more easily adjusted
-later.</html:li><html:li>If creating a custom layout, create the partitions mentioned in
-the previous paragraph (which the installer will require anyway),
-as well as separate ones described in the following sections.</html:li></html:ul>
-If a system has already been installed, and the default
-partitioning
-scheme was used, it is possible but nontrivial to
-modify it to create separate logical volumes for the directories
-listed above. The Logical Volume Manager (LVM) makes this possible.
-See the LVM HOWTO at 
-    <html:a href="http://tldp.org/HOWTO/LVM-HOWTO/">http://tldp.org/HOWTO/LVM-HOWTO/</html:a>
-for more detailed information on LVM.</xccdf-1.2:description>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_encrypt_partitions" severity="high">
-              <xccdf-1.2:title>Encrypt Partitions</xccdf-1.2:title>
-              <xccdf-1.2:description>Red Hat Enterprise Linux CoreOS 4 natively supports partition encryption through the
-Linux Unified Key Setup-on-disk-format (LUKS) technology. The easiest way to
-encrypt a partition is during installation time.
-<html:br/><html:br/>
-For manual installations, select the <html:code>Encrypt</html:code> checkbox during
-partition creation to encrypt the partition. When this
-option is selected the system will prompt for a passphrase to use in
-decrypting the partition. The passphrase will subsequently need to be entered manually
-every time the system boots.
-
-<html:br/><html:br/>
-For automated/unattended installations, it is possible to use Kickstart by adding
-the <html:code>--encrypted</html:code> and <html:code>--passphrase=</html:code> options to the definition of each partition to be
-encrypted. For example, the following line would encrypt the root partition:
-<html:pre>part / --fstype=ext4 --size=100 --onpart=hda1 --encrypted --passphrase=<html:i>PASSPHRASE</html:i></html:pre>
-Any <html:i>PASSPHRASE</html:i> is stored in the Kickstart in plaintext, and the Kickstart
-must then be protected accordingly.
-Omitting the <html:code>--passphrase=</html:code> option from the partition definition will cause the
-installer to pause and interactively ask for the passphrase during installation.
-<html:br/><html:br/>
-By default, the <html:code>Anaconda</html:code> installer uses <html:code>aes-xts-plain64</html:code> cipher
-with a minimum <html:code>512</html:code> bit key size which should be compatible with FIPS enabled.
-
-<html:br/><html:br/>
-Detailed information on encrypting partitions using LUKS or LUKS ciphers can be found on
-the Red Hat Enterprise Linux CoreOS 4 Documentation web site:<html:br/>
-
-    
-    <html:a href="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/encrypting-block-devices-using-luks_security-hardening">https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/encrypting-block-devices-using-luks_security-hardening</html:a>
-.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI02.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI06.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS04.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.13.16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001199</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002475</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002476</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(iii)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(iv)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(c)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.314(b)(2)(i)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R4.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-28</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-28(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9(3)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000405-GPOS-00184</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000185-GPOS-00079</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000404-GPOS-00183</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000404-VMM-001650</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000405-VMM-001660</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>The risk of a system's physical compromise, particularly mobile systems such as
-laptops, places its data at risk of compromise.  Encrypting this data mitigates
-the risk of its loss if the system is lost.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-encrypt_partitions_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_partition_for_home" severity="low">
-              <xccdf-1.2:title>Ensure /home Located On Separate Partition</xccdf-1.2:title>
-              <xccdf-1.2:description>If user home directories will be stored locally, create a separate partition
-for <html:code>/home</html:code> at installation time (or migrate it later using LVM). If
-<html:code>/home</html:code> will be mounted from another system such as an NFS server, then
-creating a separate partition is not necessary at installation time, and the
-mountpoint can instead be configured later.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R12)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001208</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5(2)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Ensuring that <html:code>/home</html:code> is mounted on its own partition enables the
-setting of more restrictive mount options, and also helps ensure that
-users cannot trivially fill partitions used for log or audit data storage.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82739-4</xccdf-1.2:ident>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-partition_for_home:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-partition_for_home_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_partition_for_srv" severity="unknown">
-              <xccdf-1.2:title>Ensure /srv Located On Separate Partition</xccdf-1.2:title>
-              <xccdf-1.2:description>If a file server (FTP, TFTP...) is hosted locally, create a separate partition
-for <html:code>/srv</html:code> at installation time (or migrate it later using LVM). If
-<html:code>/srv</html:code> will be mounted from another system such as an NFS server, then
-creating a separate partition is not necessary at installation time, and the
-mountpoint can instead be configured later.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R12)</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Srv deserves files for local network file server such as FTP. Ensuring
-that <html:code>/srv</html:code> is mounted on its own partition enables the setting of
-more restrictive mount options, and also helps ensure that
-users cannot trivially fill partitions used for log or audit data storage.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-partition_for_srv:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-partition_for_srv_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_partition_for_tmp" severity="low">
-              <xccdf-1.2:title>Ensure /tmp Located On Separate Partition</xccdf-1.2:title>
-              <xccdf-1.2:description>The <html:code>/tmp</html:code> directory is a world-writable directory used
-for temporary file storage. Ensure it has its own partition or
-logical volume at installation time, or migrate it using LVM.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R12)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5(2)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>The <html:code>/tmp</html:code> partition is used as temporary storage by many programs.
-Placing <html:code>/tmp</html:code> in its own partition enables the setting of more
-restrictive mount options, which can help protect programs which use it.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-partition_for_tmp:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-partition_for_tmp_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_partition_for_var" severity="low">
-              <xccdf-1.2:title>Ensure /var Located On Separate Partition</xccdf-1.2:title>
-              <xccdf-1.2:description>The <html:code>/var</html:code> directory is used by daemons and other system
-services to store frequently-changing data. Ensure that <html:code>/var</html:code> has its own partition
-or logical volume at installation time, or migrate it using LVM.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R12)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5(2)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000341-VMM-001220</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Ensuring that <html:code>/var</html:code> is mounted on its own partition enables the
-setting of more restrictive mount options. This helps protect
-system services such as daemons or other programs which use it.
-It is not uncommon for the <html:code>/var</html:code> directory to contain
-world-writable directories installed by other software packages.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-partition_for_var:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-partition_for_var_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_partition_for_var_log" severity="low">
-              <xccdf-1.2:title>Ensure /var/log Located On Separate Partition</xccdf-1.2:title>
-              <xccdf-1.2:description>System logs are stored in the <html:code>/var/log</html:code> directory.
-<html:p>
-Partitioning Red Hat CoreOS is a Day 1 operation and cannot
-be changed afterwards. For documentation on how to add a
-MachineConfig manifest that specifies a separate <html:code>/var/log</html:code>
-partition, follow:
-
-    <html:a href="https://docs.openshift.com/container-platform/latest/installing/installing_platform_agnostic/installing-platform-agnostic.html#installation-user-infra-machines-advanced_disk_installing-platform-agnostic">https://docs.openshift.com/container-platform/latest/installing/installing_platform_agnostic/installing-platform-agnostic.html#installation-user-infra-machines-advanced_disk_installing-platform-agnostic</html:a>
-</html:p>
-<html:p>
-Note that the Red Hat OpenShift documentation often references a block
-device, such as <html:code>/dev/vda</html:code>. The name of the available block devices depends
-on the underlying infrastructure (bare metal vs cloud), and often the specific
-instance type. For example in AWS, some instance types have NVMe drives
-(<html:code>/dev/nvme*</html:code>), others use <html:code>/dev/xvda*</html:code>.
-
-You will need to look for relevant documentation for your infrastructure around this.
-In many cases, the simplest thing is to boot a single machine with an Ignition
-configuration that just gives you SSH access, and inspect the block devices via
-e.g. the <html:code>lsblk</html:code> command.
-
-For physical hardware, a good best practice is to reference devices via the
-<html:code>/dev/disk/by-id/</html:code> or <html:code>/dev/disk/by-path</html:code> links.
-</html:p></xccdf-1.2:description>
-              <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R12)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R47)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5(2)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Placing <html:code>/var/log</html:code> in its own partition
-enables better separation between log files
-and other files in <html:code>/var/</html:code>.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82737-8</xccdf-1.2:ident>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-partition_for_var_log_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_partition_for_var_log_audit" severity="low">
-              <xccdf-1.2:title>Ensure /var/log/audit Located On Separate Partition</xccdf-1.2:title>
-              <xccdf-1.2:description>Audit logs are stored in the <html:code>/var/log/audit</html:code> directory.
-<html:p>
-Partitioning Red Hat CoreOS is a Day 1 operation and cannot
-be changed afterwards. For documentation on how to add a
-MachineConfig manifest that specifies a separate <html:code>/var/log/audit</html:code>
-partition, follow:
-
-    <html:a href="https://docs.openshift.com/container-platform/latest/installing/installing_platform_agnostic/installing-platform-agnostic.html#installation-user-infra-machines-advanced_disk_installing-platform-agnostic">https://docs.openshift.com/container-platform/latest/installing/installing_platform_agnostic/installing-platform-agnostic.html#installation-user-infra-machines-advanced_disk_installing-platform-agnostic</html:a>
-</html:p>
-<html:p>
-Note that the Red Hat OpenShift documentation often references a block
-device, such as <html:code>/dev/vda</html:code>. The name of the available block devices depends
-on the underlying infrastructure (bare metal vs cloud), and often the specific
-instance type. For example in AWS, some instance types have NVMe drives
-(<html:code>/dev/nvme*</html:code>), others use <html:code>/dev/xvda*</html:code>.
-
-You will need to look for relevant documentation for your infrastructure around this.
-In many cases, the simplest thing is to boot a single machine with an Ignition
-configuration that just gives you SSH access, and inspect the block devices via
-e.g. the <html:code>lsblk</html:code> command.
-
-For physical hardware, a good best practice is to reference devices via the
-<html:code>/dev/disk/by-id/</html:code> or <html:code>/dev/disk/by-path</html:code> links.
-</html:p>
-
-Make absolutely certain that it is large enough to store all
-audit logs that will be created by the auditing daemon.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R43)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI04.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001849</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(ii)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.17.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5(2)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000341-GPOS-00132</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000341-VMM-001220</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Placing <html:code>/var/log/audit</html:code> in its own partition
-enables better separation between audit files
-and other files, and helps ensure that
-auditing cannot be halted due to the partition running out
-of space.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82738-6</xccdf-1.2:ident>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-partition_for_var_log_audit_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_partition_for_var_tmp" severity="medium">
-              <xccdf-1.2:title>Ensure /var/tmp Located On Separate Partition</xccdf-1.2:title>
-              <xccdf-1.2:description>The <html:code>/var/tmp</html:code> directory is a world-writable directory used
-for temporary file storage. Ensure it has its own partition or
-logical volume at installation time, or migrate it using LVM.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R12)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>The <html:code>/var/tmp</html:code> partition is used as temporary storage by many programs.
-Placing <html:code>/var/tmp</html:code> in its own partition enables the setting of more
-restrictive mount options, which can help protect programs which use it.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82734-5</xccdf-1.2:ident>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-partition_for_var_tmp:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-partition_for_var_tmp_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-          </xccdf-1.2:Group>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_gnome">
-            <xccdf-1.2:title>GNOME Desktop Environment</xccdf-1.2:title>
-            <xccdf-1.2:description>GNOME is a graphical desktop environment bundled with many Linux distributions that
-allow users to easily interact with the operating system graphically rather than
-textually. The GNOME Graphical Display Manager (GDM) provides login, logout, and user
-switching contexts as well as display server management.
-<html:br/><html:br/>
-GNOME is developed by the GNOME Project and is considered the default
-
-Red Hat Graphical environment.
-
-<html:br/><html:br/>
-For more information on GNOME and the GNOME Project, see <html:b><html:a href="https://www.gnome.org">https://www.gnome.org</html:a></html:b>.</xccdf-1.2:description>
-            <xccdf-1.2:platform idref="#gdm"/>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_gnome_login_screen">
-              <xccdf-1.2:title>Configure GNOME Login Screen</xccdf-1.2:title>
-              <xccdf-1.2:description>In the default GNOME desktop, the login is displayed after system boot
-and can display user accounts, allow users to reboot the system, and allow users to
-login automatically and/or with a guest account. The login screen should be configured
-to prevent such behavior.
-<html:br/><html:br/>
-
-For more information about enforcing preferences in the GNOME3 environment using the DConf
-configuration system, see <html:b><html:a href="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/desktop_migration_and_administration_guide">https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/desktop_migration_and_administration_guide</html:a>/&gt;</html:b> and the man page <html:code>dconf(1)</html:code>.</xccdf-1.2:description>
-              <xccdf-1.2:platform idref="#gdm"/>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_gnome_gdm_disable_xdmcp" severity="high">
-                <xccdf-1.2:title>Disable XDMCP in GDM</xccdf-1.2:title>
-                <xccdf-1.2:description>XDMCP is an unencrypted protocol, and therefore, presents a security risk, see e.g.
-<html:a href="https://help.gnome.org/admin/gdm/stable/security.html.en_GB#xdmcpsecurity">XDMCP Gnome docs</html:a>.
-
-To disable XDMCP support in Gnome, set <html:code>Enable</html:code> to <html:code>false</html:code> under the <html:code>[xdmcp]</html:code> configuration section in <html:code>/etc/gdm/custom.conf</html:code>. For example:
-<html:pre>
-[xdmcp]
-Enable=false
-</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:rationale>XDMCP provides unencrypted remote access through the Gnome Display Manager (GDM) which does
-not provide for the confidentiality and integrity of user passwords or the
-remote session. If a privileged user were to login using XDMCP, the
-privileged user password could be compromised due to typed XEvents
-and keystrokes will traversing over the network in clear text.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#gdm"/>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-gnome_gdm_disable_xdmcp:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-gnome_gdm_disable_xdmcp_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-            </xccdf-1.2:Group>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_gnome_media_settings">
-              <xccdf-1.2:title>GNOME Media Settings</xccdf-1.2:title>
-              <xccdf-1.2:description>GNOME media settings that apply to the graphical interface.</xccdf-1.2:description>
-              <xccdf-1.2:platform idref="#gdm"/>
-            </xccdf-1.2:Group>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_gnome_network_settings">
-              <xccdf-1.2:title>GNOME Network Settings</xccdf-1.2:title>
-              <xccdf-1.2:description>GNOME network settings that apply to the graphical interface.</xccdf-1.2:description>
-              <xccdf-1.2:platform idref="#gdm"/>
-            </xccdf-1.2:Group>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_gnome_remote_access_settings">
-              <xccdf-1.2:title>GNOME Remote Access Settings</xccdf-1.2:title>
-              <xccdf-1.2:description>GNOME remote access settings that apply to the graphical interface.</xccdf-1.2:description>
-              <xccdf-1.2:platform idref="#gdm"/>
-            </xccdf-1.2:Group>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_gnome_screen_locking">
-              <xccdf-1.2:title>Configure GNOME Screen Locking</xccdf-1.2:title>
-              <xccdf-1.2:description>In the default GNOME3 desktop, the screen can be locked
-by selecting the user name in the far right corner of the main panel and
-selecting <html:b>Lock</html:b>.
-<html:br/><html:br/>
-The following sections detail commands to enforce idle activation of the screensaver,
-screen locking, a blank-screen screensaver, and an idle activation time.
-<html:br/><html:br/>
-Because users should be trained to lock the screen when they
-step away from the computer, the automatic locking feature is only
-meant as a backup.
-<html:br/><html:br/>
-The root account can be screen-locked; however, the root account should
-<html:i>never</html:i> be used to log into an X Windows environment and should only
-be used to for direct login via console in emergency circumstances.
-<html:br/><html:br/>
-For more information about enforcing preferences in the GNOME3 environment using the DConf
-configuration system, see <html:b><html:a href="http://wiki.gnome.org/dconf">http://wiki.gnome.org/dconf</html:a></html:b> and
-the man page <html:code>dconf(1)</html:code>.</xccdf-1.2:description>
-              <xccdf-1.2:platform idref="#gdm"/>
-              <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_inactivity_timeout_value" type="number">
-                <xccdf-1.2:title>Screensaver Inactivity timeout</xccdf-1.2:title>
-                <xccdf-1.2:description>Choose allowed duration (in seconds) of inactive graphical sessions</xccdf-1.2:description>
-                <xccdf-1.2:value selector="10_minutes">600</xccdf-1.2:value>
-                <xccdf-1.2:value selector="15_minutes">900</xccdf-1.2:value>
-                <xccdf-1.2:value selector="30_minutes">1800</xccdf-1.2:value>
-                <xccdf-1.2:value selector="5_minutes">300</xccdf-1.2:value>
-                <xccdf-1.2:value>900</xccdf-1.2:value>
-              </xccdf-1.2:Value>
-              <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_screensaver_lock_delay" type="number">
-                <xccdf-1.2:title>Screensaver Lock Delay</xccdf-1.2:title>
-                <xccdf-1.2:description>Choose allowed duration (in seconds) after a screensaver becomes active before displaying an authentication prompt</xccdf-1.2:description>
-                <xccdf-1.2:value selector="10_seconds">10</xccdf-1.2:value>
-                <xccdf-1.2:value selector="5_seconds">5</xccdf-1.2:value>
-                <xccdf-1.2:value>0</xccdf-1.2:value>
-                <xccdf-1.2:value selector="immediate">0</xccdf-1.2:value>
-              </xccdf-1.2:Value>
-            </xccdf-1.2:Group>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_gnome_system_settings">
-              <xccdf-1.2:title>GNOME System Settings</xccdf-1.2:title>
-              <xccdf-1.2:description>GNOME provides configuration and functionality to a graphical desktop environment
-that changes grahical configurations or allow a user to perform
-actions that users normally would not be able to do in non-graphical mode such as
-remote access configuration, power policies, Geo-location, etc.
-Configuring such settings in GNOME will prevent accidential graphical configuration
-changes by users from taking place.</xccdf-1.2:description>
-              <xccdf-1.2:platform idref="#gdm"/>
-            </xccdf-1.2:Group>
-          </xccdf-1.2:Group>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_sap_host">
-            <xccdf-1.2:title>SAP Specific Requirement</xccdf-1.2:title>
-            <xccdf-1.2:description>SAP (Systems, Applications and Products in Data Processing) is enterprise
-software to manage business operations and customer relations. The
-following section contains SAP specific requirement that is not part
-of standard or common OS setting.</xccdf-1.2:description>
-          </xccdf-1.2:Group>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_sudo">
-            <xccdf-1.2:title>Sudo</xccdf-1.2:title>
-            <xccdf-1.2:description><html:code>Sudo</html:code>, which stands for "su 'do'", provides the ability to delegate authority
-to certain users, groups of users, or system administrators. When configured for system
-users and/or groups, <html:code>Sudo</html:code> can allow a user or group to execute privileged commands
-that normally only <html:code>root</html:code> is allowed to execute.
-<html:br/><html:br/>
-For more information on <html:code>Sudo</html:code> and addition <html:code>Sudo</html:code> configuration options, see
-<html:b><html:a href="https://www.sudo.ws">https://www.sudo.ws</html:a></html:b>.</xccdf-1.2:description>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_sudo_dedicated_group" type="string" interactive="true">
-              <xccdf-1.2:title>Group name dedicated to the use of sudo</xccdf-1.2:title>
-              <xccdf-1.2:description>Specify the name of the group that should own /usr/bin/sudo.</xccdf-1.2:description>
-              <xccdf-1.2:value>root</xccdf-1.2:value>
-              <xccdf-1.2:value selector="sudogrp">sudogrp</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_sudo_logfile" type="string" interactive="true">
-              <xccdf-1.2:title>Sudo - logfile value</xccdf-1.2:title>
-              <xccdf-1.2:description>Specify the sudo logfile to use. The default value used here matches the example
-location from CIS, which uses /var/log/sudo.log.</xccdf-1.2:description>
-              <xccdf-1.2:value>/var/log/sudo.log</xccdf-1.2:value>
-              <xccdf-1.2:value selector="var_log_sudo_log">/var/log/sudo.log</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_sudo_passwd_timeout" type="string">
-              <xccdf-1.2:title>Sudo - passwd_timeout value</xccdf-1.2:title>
-              <xccdf-1.2:description>Defines the number of minutes before the <html:code>sudo</html:code> password prompt times out.
-Defining 0 means no timeout. The default timeout value is 5 minutes.</xccdf-1.2:description>
-              <xccdf-1.2:value>5</xccdf-1.2:value>
-              <xccdf-1.2:value selector="infinite">0</xccdf-1.2:value>
-              <xccdf-1.2:value selector="1_minute">1</xccdf-1.2:value>
-              <xccdf-1.2:value selector="2_minutes">2</xccdf-1.2:value>
-              <xccdf-1.2:value selector="3_minutes">3</xccdf-1.2:value>
-              <xccdf-1.2:value selector="5_minutes">5</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_sudo_timestamp_timeout" type="string">
-              <xccdf-1.2:title>Sudo - timestamp_timeout value</xccdf-1.2:title>
-              <xccdf-1.2:description>Defines the number of minutes that can elapse before <html:code>sudo</html:code> will ask for a passwd again.
-If set to a value less than 0 the user's time stamp will never expire. Defining 0 means always prompt for a 
-password. The default timeout value is 5 minutes.</xccdf-1.2:description>
-              <xccdf-1.2:value>5</xccdf-1.2:value>
-              <xccdf-1.2:value selector="always_prompt">0</xccdf-1.2:value>
-              <xccdf-1.2:value selector="1_minute">1</xccdf-1.2:value>
-              <xccdf-1.2:value selector="2_minutes">2</xccdf-1.2:value>
-              <xccdf-1.2:value selector="3_minutes">3</xccdf-1.2:value>
-              <xccdf-1.2:value selector="5_minutes">5</xccdf-1.2:value>
-              <xccdf-1.2:value selector="15_minutes">15</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_sudo_umask" type="string">
-              <xccdf-1.2:title>Sudo - umask value</xccdf-1.2:title>
-              <xccdf-1.2:description>Specify the sudo umask to use. The actual umask value that is used is the union
-of the user's umask and the sudo umask.
-The default sudo umask is 0022. This guarantess sudo never lowers the umask when
-running a command.</xccdf-1.2:description>
-              <xccdf-1.2:value>0022</xccdf-1.2:value>
-              <xccdf-1.2:value selector="0022">0022</xccdf-1.2:value>
-              <xccdf-1.2:value selector="0027">0027</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_package_sudo_installed" severity="medium">
-              <xccdf-1.2:title>Install sudo Package</xccdf-1.2:title>
-              <xccdf-1.2:description>The <html:code>sudo</html:code> package can be installed with the following command:
-<html:pre/></xccdf-1.2:description>
-              <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R19)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">1382</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">1384</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">1386</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000324-GPOS-00125</xccdf-1.2:reference>
-              <xccdf-1.2:rationale><html:code>sudo</html:code> is a program designed to allow a system administrator to give
-limited root privileges to users and log root activity. The basic philosophy
-is to give as few privileges as possible but still allow system users to
-get their work done.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82523-2</xccdf-1.2:ident>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-package_sudo_installed:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-package_sudo_installed_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sudo_add_noexec" severity="high">
-              <xccdf-1.2:title>Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC</xccdf-1.2:title>
-              <xccdf-1.2:description>The sudo <html:code>NOEXEC</html:code> tag, when specified, prevents user executed
-commands from executing other commands, like a shell for example.
-This should be enabled by making sure that the <html:code>NOEXEC</html:code> tag exists in
-<html:code>/etc/sudoers</html:code> configuration file or any sudo configuration snippets
-in <html:code>/etc/sudoers.d/</html:code>.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R58)</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Restricting the capability of sudo allowed commands to execute sub-commands
-prevents users from running programs with privileges they wouldn't have otherwise.</xccdf-1.2:rationale>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sudo_add_noexec:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sudo_add_noexec_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sudo_add_requiretty" severity="medium">
-              <xccdf-1.2:title>Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty</xccdf-1.2:title>
-              <xccdf-1.2:description>The sudo <html:code>requiretty</html:code> tag, when specified, will only execute sudo
-commands from users logged in to a real tty.
-This should be enabled by making sure that the <html:code>requiretty</html:code> tag exists in
-<html:code>/etc/sudoers</html:code> configuration file or any sudo configuration snippets
-in <html:code>/etc/sudoers.d/</html:code>.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R58)</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Restricting the use cases in which a user is allowed to execute sudo commands
-reduces the attack surface.</xccdf-1.2:rationale>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sudo_add_requiretty:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sudo_add_requiretty_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sudo_add_use_pty" severity="medium">
-              <xccdf-1.2:title>Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty</xccdf-1.2:title>
-              <xccdf-1.2:description>The sudo <html:code>use_pty</html:code> tag, when specified, will only execute sudo
-commands from users logged in to a real tty.
-This should be enabled by making sure that the <html:code>use_pty</html:code> tag exists in
-<html:code>/etc/sudoers</html:code> configuration file or any sudo configuration snippets
-in <html:code>/etc/sudoers.d/</html:code>.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R58)</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Requiring that sudo commands be run in a pseudo-terminal can prevent an attacker from retaining
-access to the user's terminal after the main program has finished executing.</xccdf-1.2:rationale>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sudo_add_use_pty:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sudo_add_use_pty_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sudo_custom_logfile" severity="low">
-              <xccdf-1.2:title>Ensure Sudo Logfile Exists - sudo logfile</xccdf-1.2:title>
-              <xccdf-1.2:description>A custom log sudo file can be configured with the 'logfile' tag. This rule configures
-a sudo custom logfile at the default location suggested by CIS, which uses
-/var/log/sudo.log.</xccdf-1.2:description>
-              <xccdf-1.2:rationale>A sudo log file simplifies auditing of sudo commands.</xccdf-1.2:rationale>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-export export-name="oval:ssg-var_sudo_logfile:var:1" value-id="xccdf_org.ssgproject.content_value_var_sudo_logfile"/>
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sudo_custom_logfile:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sudo_custom_logfile_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sudo_remove_no_authenticate" severity="medium">
-              <xccdf-1.2:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate</xccdf-1.2:title>
-              <xccdf-1.2:description>The sudo <html:code>!authenticate</html:code> option, when specified, allows a user to execute commands using
-sudo without having to authenticate. This should be disabled by making sure that the
-<html:code>!authenticate</html:code> option does not exist in <html:code>/etc/sudoers</html:code> configuration file or
-any sudo configuration snippets in <html:code>/etc/sudoers.d/</html:code>.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R5)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R59)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002038</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.18.1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000373-GPOS-00156</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000373-GPOS-00157</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000373-GPOS-00158</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000373-VMM-001470</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000373-VMM-001480</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000373-VMM-001490</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-<html:br/><html:br/>
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate.</xccdf-1.2:rationale>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sudo_remove_no_authenticate:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sudo_remove_no_authenticate_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sudo_remove_nopasswd" severity="medium">
-              <xccdf-1.2:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD</xccdf-1.2:title>
-              <xccdf-1.2:description>The sudo <html:code>NOPASSWD</html:code> tag, when specified, allows a user to execute
-commands using sudo without having to authenticate. This should be disabled
-by making sure that the <html:code>NOPASSWD</html:code> tag does not exist in
-<html:code>/etc/sudoers</html:code> configuration file or any sudo configuration snippets
-in <html:code>/etc/sudoers.d/</html:code>.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R5)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R59)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002038</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.18.1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000373-GPOS-00156</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000373-GPOS-00157</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000373-GPOS-00158</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000373-VMM-001470</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000373-VMM-001480</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000373-VMM-001490</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-<html:br/><html:br/>
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate.</xccdf-1.2:rationale>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sudo_remove_nopasswd:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sudo_remove_nopasswd_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sudo_require_authentication" severity="medium">
-              <xccdf-1.2:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo</xccdf-1.2:title>
-              <xccdf-1.2:description>The sudo <html:code>NOPASSWD</html:code> and <html:code>!authenticate</html:code> option, when
-specified, allows a user to execute commands using sudo without having to
-authenticate. This should be disabled by making sure that
-<html:code>NOPASSWD</html:code> and/or <html:code>!authenticate</html:code> do not exist in
-<html:code>/etc/sudoers</html:code> configuration file or any sudo configuration snippets
-in <html:code>/etc/sudoers.d/</html:code>."</xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002038</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.18.1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000373-GPOS-00156</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-<html:br/><html:br/>
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate.</xccdf-1.2:rationale>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sudo_require_authentication:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sudo_require_authentication_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sudo_vdsm_nopasswd" severity="medium">
-              <xccdf-1.2:title>Only the VDSM User Can Use sudo NOPASSWD</xccdf-1.2:title>
-              <xccdf-1.2:description>The sudo <html:code>NOPASSWD</html:code> tag, when specified, allows a user to execute commands using sudo without having to authenticate. Only the <html:code>vdsm</html:code> user should have this capability in any sudo configuration snippets in <html:code>/etc/sudoers.d/</html:code>.</xccdf-1.2:description>
-              <xccdf-1.2:rationale>Without re-authentication, users may access resources or perform tasks for which they
-do not have authorization.
-<html:br/><html:br/>
-When operating systems provide the capability to escalate a functional capability, it
-is critical that the user re-authenticate.</xccdf-1.2:rationale>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sudo_vdsm_nopasswd:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sudo_vdsm_nopasswd_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sudoers_explicit_command_args" severity="medium">
-              <xccdf-1.2:title>Explicit arguments in sudo specifications</xccdf-1.2:title>
-              <xccdf-1.2:description>All commands in the sudoers file must strictly specify the arguments allowed to be used for a given user.
-If the command is supposed to be executed only without arguments, pass "" as an argument in the corresponding user specification.</xccdf-1.2:description>
-              <xccdf-1.2:warning category="general">This rule doesn't come with a remediation, as absence of arguments in the user spec doesn't mean that the command is intended to be executed with no arguments.</xccdf-1.2:warning>
-              <xccdf-1.2:warning category="general">The rule can produce false findings when an argument contains a comma - sudoers syntax allows comma escaping using backslash, but the check doesn't support that. For example, <html:code>root ALL=(ALL) echo 1\,2</html:code> allows root to execute <html:code>echo 1,2</html:code>, but the check would interpret it as two commands <html:code>echo 1\</html:code> and <html:code>2</html:code>.</xccdf-1.2:warning>
-              <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R63)</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Any argument can modify quite significantly the behavior of a program, whether regarding the
-realized operation (read, write, delete, etc.) or accessed resources (path in a file system tree). To
-avoid any possibility of misuse of a command by a user, the ambiguities must be removed at the
-level of its specification.
-
-For example, on some systems, the kernel messages are only accessible by root.
-If a user nevertheless must have the privileges to read them, the argument of the dmesg command has to be restricted
-in order to prevent the user from flushing the buffer through the -c option:
-<html:pre>
-user ALL = dmesg ""
-</html:pre></xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#sudo"/>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sudoers_explicit_command_args:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sudoers_explicit_command_args_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sudoers_no_command_negation" severity="medium">
-              <xccdf-1.2:title>Don't define allowed commands in sudoers by means of exclusion</xccdf-1.2:title>
-              <xccdf-1.2:description>Policies applied by sudo through the sudoers file should not involve negation.
-
-Each user specification in the <html:code>sudoers</html:code> file contains a comma-delimited list of command specifications.
-The definition can make use glob patterns, as well as of negations.
-Indirect definition of those commands by means of exclusion of a set of commands is trivial to bypass, so it is not allowed to use such constructs.</xccdf-1.2:description>
-              <xccdf-1.2:warning category="general">This rule doesn't come with a remediation, as negations indicate design issues with the sudoers user specifications design. Just removing negations doesn't increase the security - you typically have to rethink the definition of allowed commands to fix the issue.</xccdf-1.2:warning>
-              <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R61)</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Specifying access right using negation is inefficient and can be easily circumvented.
-For example, it is expected that a specification like <html:pre>
-# To avoid absolutely , this rule can be easily circumvented!
-user ALL = ALL ,!/ bin/sh
-</html:pre> prevents the execution of the shell
-but that&#x2019;s not the case: just copy the binary <html:code>/bin/sh</html:code> to a different name to make it executable
-again through the rule keyword <html:code>ALL</html:code>.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#sudo"/>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sudoers_no_command_negation:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sudoers_no_command_negation_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sudoers_no_root_target" severity="medium">
-              <xccdf-1.2:title>Don't target root user in the sudoers file</xccdf-1.2:title>
-              <xccdf-1.2:description>The targeted users of a user specification should be, as much as possible, non privileged users (i.e.: non-root).
-
-User specifications have to explicitly list the runas spec (i.e. the list of target users that can be impersonated), and <html:code>ALL</html:code> or <html:code>root</html:code> should not be used.</xccdf-1.2:description>
-              <xccdf-1.2:warning category="general">This rule doesn't come with a remediation, as the exact requirement allows exceptions, and removing lines from the sudoers file can make the system non-administrable.</xccdf-1.2:warning>
-              <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R60)</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>It is common that the command to be executed does not require superuser rights (editing a file
-whose the owner is not root, sending a signal to an unprivileged process,etc.). In order to limit
-any attempt of privilege escalation through a command, it is better to apply normal user rights.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#sudo"/>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sudoers_no_root_target:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sudoers_no_root_target_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-          </xccdf-1.2:Group>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_system-tools">
-            <xccdf-1.2:title>System Tooling / Utilities</xccdf-1.2:title>
-            <xccdf-1.2:description>The following checks evaluate the system for recommended base packages -- both for installation
-and removal.</xccdf-1.2:description>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_package_gnutls-utils_installed" severity="medium">
-              <xccdf-1.2:title>Ensure gnutls-utils is installed</xccdf-1.2:title>
-              <xccdf-1.2:description>The <html:code>gnutls-utils</html:code> package can be installed with the following command:
-<html:pre/></xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_X509_EXT.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_X509_EXT.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>GnuTLS is a secure communications library implementing the SSL, TLS and DTLS
-protocols and technologies around them. It provides a simple C language
-application programming interface (API) to access the secure communications
-protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and
-other required structures.
-This package contains command line TLS client and server and certificate
-manipulation tools.</xccdf-1.2:rationale>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-package_gnutls-utils_installed:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-package_gnutls-utils_installed_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_package_nss-tools_installed" severity="medium">
-              <xccdf-1.2:title>Ensure nss-tools is installed</xccdf-1.2:title>
-              <xccdf-1.2:description>The <html:code>nss-tools</html:code> package can be installed with the following command:
-<html:pre/></xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Network Security Services (NSS) is a set of libraries designed to
-support cross-platform development of security-enabled client and
-server applications. Install the <html:code>nss-tools</html:code> package
-to install command-line tools to manipulate the NSS certificate
-and key database.</xccdf-1.2:rationale>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-package_nss-tools_installed:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-package_nss-tools_installed_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-          </xccdf-1.2:Group>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_updating">
-            <xccdf-1.2:title>Updating Software</xccdf-1.2:title>
-            <xccdf-1.2:description>The <html:code/> command line tool is used to install and
-update software packages. The system also provides a graphical
-software update tool in the <html:b>System</html:b> menu, in the <html:b>Administration</html:b> submenu,
-called <html:b>Software Update</html:b>.
-<html:br/><html:br/>
-Red Hat Enterprise Linux CoreOS 4 systems contain an installed software catalog called
-the RPM database, which records metadata of installed packages. Consistently using
-<html:code/> or the graphical <html:b>Software Update</html:b> for all software installation
-allows for insight into the current inventory of installed software on the system.
-<html:br/><html:br/></xccdf-1.2:description>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_ensure_redhat_gpgkey_installed" severity="high">
-              <xccdf-1.2:title>Ensure Red Hat GPG Key Installed</xccdf-1.2:title>
-              <xccdf-1.2:description>To ensure the system can cryptographically verify base software packages
-come from Red Hat (and to connect to the Red Hat Network to receive them),
-the Red Hat GPG key must properly be installed. To install the Red Hat GPG
-key, run:
-<html:pre>$ sudo subscription-manager register</html:pre>
-
-If the system is not connected to the Internet or an RHN Satellite, then
-install the Red Hat GPG key from trusted media such as the Red Hat
-installation CD-ROM or DVD. Assuming the disc is mounted in
-<html:code>/media/cdrom</html:code>, use the following command as the root user to import
-it into the keyring:
-<html:pre>$ sudo rpm --import /media/cdrom/RPM-GPG-KEY</html:pre>
-
-Alternatively, the key may be pre-loaded during the RHEL installation. In
-such cases, the key can be installed by running the following command:
-<html:pre>sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R15)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI06.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001749</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(c)(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(c)(2)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(i)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R4.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R4.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-5(3)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-12(3)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FPT_TUD_EXT.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FPT_TUD_EXT.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000366-GPOS-00153</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000366-VMM-001430</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000370-VMM-001460</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000404-VMM-001650</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Changes to software components can have significant effects on the overall
-security of the operating system. This requirement ensures the software has
-not been tampered with and that it has been provided by a trusted vendor.
-The Red Hat GPG key is necessary to cryptographically verify packages are
-from Red Hat.</xccdf-1.2:rationale>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82754-3</xccdf-1.2:ident>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-ensure_redhat_gpgkey_installed:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-ensure_redhat_gpgkey_installed_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-          </xccdf-1.2:Group>
-        </xccdf-1.2:Group>
-        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_accounts">
-          <xccdf-1.2:title>Account and Access Control</xccdf-1.2:title>
-          <xccdf-1.2:description>In traditional Unix security, if an attacker gains
-shell access to a certain login account, they can perform any action
-or access any file to which that account has access. Therefore,
-making it more difficult for unauthorized people to gain shell
-access to accounts, particularly to privileged accounts, is a
-necessary part of securing a system. This section introduces
-mechanisms for restricting access to accounts under
-Red Hat Enterprise Linux CoreOS 4.</xccdf-1.2:description>
-          <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_authselect_profile" type="string">
-            <xccdf-1.2:title>Authselect  profile</xccdf-1.2:title>
-            <xccdf-1.2:description>Specify the authselect profile to select</xccdf-1.2:description>
-            <xccdf-1.2:value>minimal</xccdf-1.2:value>
-            <xccdf-1.2:value selector="minimal">minimal</xccdf-1.2:value>
-            <xccdf-1.2:value selector="sssd">sssd</xccdf-1.2:value>
-          </xccdf-1.2:Value>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_accounts-banners">
-            <xccdf-1.2:title>Warning Banners for System Accesses</xccdf-1.2:title>
-            <xccdf-1.2:description>Each system should expose as little information about
-itself as possible.
-<html:br/><html:br/>
-System banners, which are typically displayed just before a
-login prompt, give out information about the service or the host's
-operating system. This might include the distribution name and the
-system kernel version, and the particular version of a network
-service. This information can assist intruders in gaining access to
-the system as it can reveal whether the system is running
-vulnerable software. Most network services can be configured to
-limit what information is displayed.
-<html:br/><html:br/>
-Many organizations implement security policies that require a
-system banner provide notice of the system's ownership, provide
-warning to unauthorized users, and remind authorized users of their
-consent to monitoring.</xccdf-1.2:description>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_login_banner_text" type="string">
-              <xccdf-1.2:title>Login Banner Verbiage</xccdf-1.2:title>
-              <xccdf-1.2:description>Enter an appropriate login banner for your organization. Please note that new lines must
-be expressed by the '\n' character and special characters like parentheses and quotation marks must be escaped with '\\'.</xccdf-1.2:description>
-              <xccdf-1.2:value selector="cis_banners">^(Authorized[\s\n]+uses[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.|^(?!.*(\\|fedora|rhel|sle|ubuntu)).*)$</xccdf-1.2:value>
-              <xccdf-1.2:value selector="cis_default">^Authorized[\s\n]+uses[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$</xccdf-1.2:value>
-              <xccdf-1.2:value selector="dod_banners">^(You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U\.S\.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG\-authorized[\s\n]+use[\s\n]+only\.[\s\n]+By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\)\,[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(?:[\n]+|(?:\\n)+)\-The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including\,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to\,[\s\n]+penetration[\s\n]+testing\,[\s\n]+COMSEC[\s\n]+monitoring\,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense\,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\)\,[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\)\,[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations\.(?:[\n]+|(?:\\n)+)\-At[\s\n]+any[\s\n]+time\,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS\.(?:[\n]+|(?:\\n)+)\-Communications[\s\n]+using\,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on\,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private\,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring\,[\s\n]+interception\,[\s\n]+and[\s\n]+search\,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG\-authorized[\s\n]+purpose\.(?:[\n]+|(?:\\n)+)\-This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e\.g\.\,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests\-\-not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy\.(?:[\n]+|(?:\\n)+)\-Notwithstanding[\s\n]+the[\s\n]+above\,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM\,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications\,[\s\n]+or[\s\n]+work[\s\n]+product\,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys\,[\s\n]+psychotherapists\,[\s\n]+or[\s\n]+clergy\,[\s\n]+and[\s\n]+their[\s\n]+assistants\.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential\.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details\.|I've[\s\n]+read[\s\n]+\&amp;[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem't\.)$</xccdf-1.2:value>
-              <xccdf-1.2:value selector="dod_default">^You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U\.S\.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG\-authorized[\s\n]+use[\s\n]+only\.[\s\n]+By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\)\,[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(?:[\n]+|(?:\\n)+)\-The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including\,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to\,[\s\n]+penetration[\s\n]+testing\,[\s\n]+COMSEC[\s\n]+monitoring\,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense\,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\)\,[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\)\,[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations\.(?:[\n]+|(?:\\n)+)\-At[\s\n]+any[\s\n]+time\,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS\.(?:[\n]+|(?:\\n)+)\-Communications[\s\n]+using\,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on\,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private\,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring\,[\s\n]+interception\,[\s\n]+and[\s\n]+search\,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG\-authorized[\s\n]+purpose\.(?:[\n]+|(?:\\n)+)\-This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e\.g\.\,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests\-\-not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy\.(?:[\n]+|(?:\\n)+)\-Notwithstanding[\s\n]+the[\s\n]+above\,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM\,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications\,[\s\n]+or[\s\n]+work[\s\n]+product\,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys\,[\s\n]+psychotherapists\,[\s\n]+or[\s\n]+clergy\,[\s\n]+and[\s\n]+their[\s\n]+assistants\.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential\.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details\.$</xccdf-1.2:value>
-              <xccdf-1.2:value selector="dod_short">^I've[\s\n]+read[\s\n]+\&amp;[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem't\.$</xccdf-1.2:value>
-              <xccdf-1.2:value selector="dss_odaa_default">^Use[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+constitutes[\s\n]+consent[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times\.[\s\n]+This[\s\n]+is[\s\n]+a[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system\.[\s\n]+All[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+and[\s\n]+related[\s\n]+equipment[\s\n]+are[\s\n]+intended[\s\n]+for[\s\n]+the[\s\n]+communication\,[\s\n]+transmission\,[\s\n]+processing\,[\s\n]+and[\s\n]+storage[\s\n]+of[\s\n]+official[\s\n]+U\.S\.[\s\n]+Government[\s\n]+or[\s\n]+other[\s\n]+authorized[\s\n]+information[\s\n]+only\.[\s\n]+All[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times[\s\n]+to[\s\n]+ensure[\s\n]+proper[\s\n]+functioning[\s\n]+of[\s\n]+equipment[\s\n]+and[\s\n]+systems[\s\n]+including[\s\n]+security[\s\n]+devices[\s\n]+and[\s\n]+systems\,[\s\n]+to[\s\n]+prevent[\s\n]+unauthorized[\s\n]+use[\s\n]+and[\s\n]+violations[\s\n]+of[\s\n]+statutes[\s\n]+and[\s\n]+security[\s\n]+regulations\,[\s\n]+to[\s\n]+deter[\s\n]+criminal[\s\n]+activity\,[\s\n]+and[\s\n]+for[\s\n]+other[\s\n]+similar[\s\n]+purposes\.[\s\n]+Any[\s\n]+user[\s\n]+of[\s\n]+a[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+should[\s\n]+be[\s\n]+aware[\s\n]+that[\s\n]+any[\s\n]+information[\s\n]+placed[\s\n]+in[\s\n]+the[\s\n]+system[\s\n]+is[\s\n]+subject[\s\n]+to[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+not[\s\n]+subject[\s\n]+to[\s\n]+any[\s\n]+expectation[\s\n]+of[\s\n]+privacy\.[\s\n]+If[\s\n]+monitoring[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+violation[\s\n]+of[\s\n]+criminal[\s\n]+statutes\,[\s\n]+this[\s\n]+evidence[\s\n]+and[\s\n]+any[\s\n]+other[\s\n]+related[\s\n]+information\,[\s\n]+including[\s\n]+identification[\s\n]+information[\s\n]+about[\s\n]+the[\s\n]+user\,[\s\n]+may[\s\n]+be[\s\n]+provided[\s\n]+to[\s\n]+law[\s\n]+enforcement[\s\n]+officials\.[\s\n]+If[\s\n]+monitoring[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+reveals[\s\n]+violations[\s\n]+of[\s\n]+security[\s\n]+regulations[\s\n]+or[\s\n]+unauthorized[\s\n]+use\,[\s\n]+employees[\s\n]+who[\s\n]+violate[\s\n]+security[\s\n]+regulations[\s\n]+or[\s\n]+make[\s\n]+unauthorized[\s\n]+use[\s\n]+of[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+appropriate[\s\n]+disciplinary[\s\n]+action\.[\s\n]+Use[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+constitutes[\s\n]+consent[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times\.$</xccdf-1.2:value>
-              <xccdf-1.2:value selector="usgcb_default">^\-\-[\s\n]+WARNING[\s\n]+\-\-[\s\n]+This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only\.[\s\n]+Individuals[\s\n]+using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]+authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]+monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel\.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]+system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]+if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]+system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]+enforcement[\s\n]+officials\.$</xccdf-1.2:value>
-              <xccdf-1.2:value>^Authorized[\s\n]+uses[\s\n]+only\.[\s\n]+All[\s\n]+activity[\s\n]+may[\s\n]+be[\s\n]+monitored[\s\n]+and[\s\n]+reported\.$</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_banner_etc_issue" severity="medium">
-              <xccdf-1.2:title>Modify the System Login Banner</xccdf-1.2:title>
-              <xccdf-1.2:description>
-To configure the system login banner create a file under
-<html:code>/etc/issue.d</html:code>
-
-
-The DoD required text is either:
-<html:br/><html:br/>
-<html:code>You are accessing a U.S. Government (USG) Information System (IS) that
-is provided for USG-authorized use only. By using this IS (which includes
-any device attached to this IS), you consent to the following conditions:
-<html:br/>-The USG routinely intercepts and monitors communications on this IS
-for purposes including, but not limited to, penetration testing, COMSEC
-monitoring, network operations and defense, personnel misconduct (PM), law
-enforcement (LE), and counterintelligence (CI) investigations.
-<html:br/>-At any time, the USG may inspect and seize data stored on this IS.
-<html:br/>-Communications using, or data stored on, this IS are not private,
-are subject to routine monitoring, interception, and search, and may be
-disclosed or used for any USG-authorized purpose.
-<html:br/>-This IS includes security measures (e.g., authentication and access
-controls) to protect USG interests -- not for your personal benefit or
-privacy.
-<html:br/>-Notwithstanding the above, using this IS does not constitute consent
-to PM, LE or CI investigative searching or monitoring of the content of
-privileged communications, or work product, related to personal
-representation or services by attorneys, psychotherapists, or clergy, and
-their assistants. Such communications and work product are private and
-confidential. See User Agreement for details.</html:code>
-<html:br/><html:br/>
-OR:
-<html:br/><html:br/>
-<html:code>I've read &amp; consent to terms in IS user agreem't.</html:code>
-
-<html:p>
-To address this, please create a <html:code>Machineconfig</html:code> object with the
-appropriate text in a drop-in file in <html:code>/etc/issue.d/</html:code>. Do not try to
-edit <html:code>/etc/issue</html:code> directly as this is a symlink provided by the
-Operating System.
-</html:p>
-<html:p>
-For example, if you're using the DoD required text, the manifest would
-look as follows:
-<html:pre>
----
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-metadata:
-  labels:
-    machineconfiguration.openshift.io/role: master
-  name: 75-master-etc-issue
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,You%20are%20accessing%20a%20U.S.%20Government%20%28USG%29%20Information%20System%20%28IS%29%20that%20is%20%0Aprovided%20for%20USG-authorized%20use%20only.%20By%20using%20this%20IS%20%28which%20includes%20any%20%0Adevice%20attached%20to%20this%20IS%29%2C%20you%20consent%20to%20the%20following%20conditions%3A%0A%0A-The%20USG%20routinely%20intercepts%20and%20monitors%20communications%20on%20this%20IS%20for%20%0Apurposes%20including%2C%20but%20not%20limited%20to%2C%20penetration%20testing%2C%20COMSEC%20monitoring%2C%20%0Anetwork%20operations%20and%20defense%2C%20personnel%20misconduct%20%28PM%29%2C%20law%20enforcement%20%0A%28LE%29%2C%20and%20counterintelligence%20%28CI%29%20investigations.%0A%0A-At%20any%20time%2C%20the%20USG%20may%20inspect%20and%20seize%20data%20stored%20on%20this%20IS.%0A%0A-Communications%20using%2C%20or%20data%20stored%20on%2C%20this%20IS%20are%20not%20private%2C%20are%20subject%20%0Ato%20routine%20monitoring%2C%20interception%2C%20and%20search%2C%20and%20may%20be%20disclosed%20or%20used%20%0Afor%20any%20USG-authorized%20purpose.%0A%0A-This%20IS%20includes%20security%20measures%20%28e.g.%2C%20authentication%20and%20access%20controls%29%20%0Ato%20protect%20USG%20interests--not%20for%20your%20personal%20benefit%20or%20privacy.%0A%0A-Notwithstanding%20the%20above%2C%20using%20this%20IS%20does%20not%20constitute%20consent%20to%20PM%2C%20LE%20%0Aor%20CI%20investigative%20searching%20or%20monitoring%20of%20the%20content%20of%20privileged%20%0Acommunications%2C%20or%20work%20product%2C%20related%20to%20personal%20representation%20or%20services%20%0Aby%20attorneys%2C%20psychotherapists%2C%20or%20clergy%2C%20and%20their%20assistants.%20Such%20%0Acommunications%20and%20work%20product%20are%20private%20and%20confidential.%20See%20User%20%0AAgreement%20for%20details.
-        mode: 0644
-        path: /etc/issue.d/legal-notice
-        overwrite: true
-</html:pre>
-</html:p>
-<html:p>
-Note that this needs to be done for each <html:code>MachineConfigPool</html:code>
-</html:p>
-<html:p>
-For more information on how to configure nodes with the Machine Config
-Operator see
-<html:a href="https://docs.openshift.com/container-platform/4.6/post_installation_configuration/machine-configuration-tasks.html">the relevant documentation</html:a>.
-</html:p></xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000048</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000050</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001384</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001385</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001386</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001387</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001388</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.18.1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(c)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000023-GPOS-00006</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000228-GPOS-00088</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000023-VMM-000060</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000024-VMM-000070</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Display of a standardized and approved use notification before granting
-access to the operating system ensures privacy and security notification
-verbiage used is consistent with applicable federal laws, Executive Orders,
-directives, policies, regulations, standards, and guidance.
-<html:br/><html:br/>
-System use notifications are required only for access via login interfaces
-with human users and are not required when such human interfaces do not
-exist.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82555-4</xccdf-1.2:ident>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-export export-name="oval:ssg-login_banner_text:var:1" value-id="xccdf_org.ssgproject.content_value_login_banner_text"/>
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-banner_etc_issue:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-banner_etc_issue_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_etc_issue" severity="medium">
-              <xccdf-1.2:title>Verify Group Ownership of System Login Banner</xccdf-1.2:title>
-              <xccdf-1.2:description>
-To properly set the group owner of <html:code>/etc/issue</html:code>, run the command:
-<html:pre>$ sudo chgrp root /etc/issue</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:rationale>Display of a standardized and approved use notification before granting
-access to the operating system ensures privacy and security notification
-verbiage used is consistent with applicable federal laws, Executive Orders,
-directives, policies, regulations, standards, and guidance.<html:br/>
-Proper group ownership will ensure that only root user can modify the banner.</xccdf-1.2:rationale>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-file_groupowner_etc_issue:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-file_groupowner_etc_issue_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_etc_issue" severity="medium">
-              <xccdf-1.2:title>Verify ownership of System Login Banner</xccdf-1.2:title>
-              <xccdf-1.2:description>
-To properly set the owner of <html:code>/etc/issue</html:code>, run the command:
-<html:pre>$ sudo chown root /etc/issue </html:pre></xccdf-1.2:description>
-              <xccdf-1.2:rationale>Display of a standardized and approved use notification before granting
-access to the operating system ensures privacy and security notification
-verbiage used is consistent with applicable federal laws, Executive Orders,
-directives, policies, regulations, standards, and guidance.<html:br/>
-Proper ownership will ensure that only root user can modify the banner.</xccdf-1.2:rationale>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-file_owner_etc_issue:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-file_owner_etc_issue_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_etc_issue" severity="medium">
-              <xccdf-1.2:title>Verify permissions on System Login Banner</xccdf-1.2:title>
-              <xccdf-1.2:description>
-To properly set the permissions of <html:code>/etc/issue</html:code>, run the command:
-<html:pre>$ sudo chmod 0644 /etc/issue</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:rationale>Display of a standardized and approved use notification before granting
-access to the operating system ensures privacy and security notification
-verbiage used is consistent with applicable federal laws, Executive Orders,
-directives, policies, regulations, standards, and guidance.<html:br/>
-Proper permissions will ensure that only root user can modify the banner.</xccdf-1.2:rationale>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-file_permissions_etc_issue:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-file_permissions_etc_issue_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_gui_login_banner">
-              <xccdf-1.2:title>Implement a GUI Warning Banner</xccdf-1.2:title>
-              <xccdf-1.2:description>In the default graphical environment, users logging
-directly into the system are greeted with a login screen provided
-by the GNOME Display Manager (GDM). The warning banner should be
-displayed in this graphical environment for these users.
-The following sections describe how to configure the GDM login
-banner.</xccdf-1.2:description>
-              <xccdf-1.2:platform idref="#gdm"/>
-            </xccdf-1.2:Group>
-          </xccdf-1.2:Group>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_accounts-pam">
-            <xccdf-1.2:title>Protect Accounts by Configuring PAM</xccdf-1.2:title>
-            <xccdf-1.2:description>PAM, or Pluggable Authentication Modules, is a system
-which implements modular authentication for Linux programs. PAM provides
-a flexible and configurable architecture for authentication, and it should be configured
-to minimize exposure to unnecessary risk. This section contains
-guidance on how to accomplish that.
-<html:br/><html:br/>
-PAM is implemented as a set of shared objects which are
-loaded and invoked whenever an application wishes to authenticate a
-user. Typically, the application must be running as root in order
-to take advantage of PAM, because PAM's modules often need to be able
-to access sensitive stores of account information, such as /etc/shadow.
-Traditional privileged network listeners
-(e.g. sshd) or SUID programs (e.g. sudo) already meet this
-requirement. An SUID root application, userhelper, is provided so
-that programs which are not SUID or privileged themselves can still
-take advantage of PAM.
-<html:br/><html:br/>
-PAM looks in the directory <html:code>/etc/pam.d</html:code> for
-application-specific configuration information. For instance, if
-the program login attempts to authenticate a user, then PAM's
-libraries follow the instructions in the file <html:code>/etc/pam.d/login</html:code>
-to determine what actions should be taken.
-<html:br/><html:br/>
-One very important file in <html:code>/etc/pam.d</html:code> is
-<html:code>/etc/pam.d/system-auth</html:code>. This file, which is included by
-many other PAM configuration files, defines 'default' system authentication
-measures. Modifying this file is a good way to make far-reaching
-authentication changes, for instance when implementing a
-centralized authentication service.</xccdf-1.2:description>
-            <xccdf-1.2:warning category="functionality">Be careful when making changes to PAM's configuration files.
-The syntax for these files is complex, and modifications can
-have unexpected consequences. The default configurations shipped
-with applications should be sufficient for most users.</xccdf-1.2:warning>
-            <xccdf-1.2:warning category="functionality">Running <html:code>authconfig</html:code> or <html:code>system-config-authentication</html:code>
-will re-write the PAM configuration files, destroying any manually
-made changes and replacing them with a series of system defaults.
-One reference to the configuration file syntax can be found at
-
-<html:a href="https://fossies.org/linux/Linux-PAM-docs/doc/sag/Linux-PAM_SAG.pdf">https://fossies.org/linux/Linux-PAM-docs/doc/sag/Linux-PAM_SAG.pdf</html:a>.</xccdf-1.2:warning>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_password_hashing_algorithm" type="string">
-              <xccdf-1.2:title>Password Hashing algorithm</xccdf-1.2:title>
-              <xccdf-1.2:description>Specify the system default encryption algorithm for encrypting passwords.
-Defines the value set as ENCRYPT_METHOD in /etc/login.defs.</xccdf-1.2:description>
-              <xccdf-1.2:value>SHA512</xccdf-1.2:value>
-              <xccdf-1.2:value selector="SHA512">SHA512</xccdf-1.2:value>
-              <xccdf-1.2:value selector="SHA256">SHA256</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_password_pam_unix_remember" type="number">
-              <xccdf-1.2:title>remember</xccdf-1.2:title>
-              <xccdf-1.2:description>The last n passwords for each user are saved in
-<html:code>/etc/security/opasswd</html:code> in order to force password change history and
-keep the user from alternating between the same password too
-frequently.</xccdf-1.2:description>
-              <xccdf-1.2:value selector="0">0</xccdf-1.2:value>
-              <xccdf-1.2:value selector="10">10</xccdf-1.2:value>
-              <xccdf-1.2:value selector="24">24</xccdf-1.2:value>
-              <xccdf-1.2:value selector="2">2</xccdf-1.2:value>
-              <xccdf-1.2:value selector="4">4</xccdf-1.2:value>
-              <xccdf-1.2:value selector="5">5</xccdf-1.2:value>
-              <xccdf-1.2:value>5</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_disallow_bypass_password_sudo" severity="medium">
-              <xccdf-1.2:title>Disallow Configuration to Bypass Password Requirements for Privilege Escalation</xccdf-1.2:title>
-              <xccdf-1.2:description>Verify the operating system is not configured to bypass password requirements for privilege
-escalation. Check the configuration of the "/etc/pam.d/sudo" file with the following command:
-<html:pre>$ sudo grep pam_succeed_if /etc/pam.d/sudo</html:pre>
-If any occurrences of "pam_succeed_if" is returned from the command, this is a finding.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002038</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000373-GPOS-00156</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000373-GPOS-00157</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000373-GPOS-00158</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Without re-authentication, users may access resources or perform tasks for which they do not
-have authorization. When operating systems provide the capability to escalate a functional
-capability, it is critical the user re-authenticate.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#pam"/>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-disallow_bypass_password_sudo:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-disallow_bypass_password_sudo_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_display_login_attempts" severity="low">
-              <xccdf-1.2:title>Ensure PAM Displays Last Logon/Access Notification</xccdf-1.2:title>
-              <xccdf-1.2:description>To configure the system to notify users of last logon/access
-using <html:code>pam_lastlog</html:code>, add or correct the <html:code>pam_lastlog</html:code>
-settings in
-<html:code>/etc/pam.d/postlogin</html:code> to read as follows:
-<html:pre>session     required pam_lastlog.so showfailed</html:pre>
-And make sure that the <html:code>silent</html:code> option is not set for
-<html:code>pam_lastlog</html:code> module.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">0582</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">0584</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">05885</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">0586</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">0846</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">0957</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.18.1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-9(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Users need to be aware of activity that occurs regarding
-their account. Providing users with information regarding the number
-of unsuccessful attempts that were made to login to their account
-allows the user to determine if any unauthorized activity has occurred
-and gives them an opportunity to notify administrators.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#pam"/>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-display_login_attempts:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-display_login_attempts_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_locking_out_password_attempts">
-              <xccdf-1.2:title>Set Lockouts for Failed Password Attempts</xccdf-1.2:title>
-              <xccdf-1.2:description>The <html:code>pam_faillock</html:code> PAM module provides the capability to
-lock out user accounts after a number of failed login attempts. Its
-documentation is available in
-<html:code>/usr/share/doc/pam-VERSION/txts/README.pam_faillock</html:code>.
-<html:br/><html:br/></xccdf-1.2:description>
-              <xccdf-1.2:warning category="general">Locking out user accounts presents the
-risk of a denial-of-service attack. The lockout policy
-must weigh whether the risk of such a
-denial-of-service attack outweighs the benefits of thwarting
-password guessing attacks.</xccdf-1.2:warning>
-              <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny" type="number">
-                <xccdf-1.2:title>fail_deny</xccdf-1.2:title>
-                <xccdf-1.2:description>Number of failed login attempts before account lockout</xccdf-1.2:description>
-                <xccdf-1.2:value selector="10">10</xccdf-1.2:value>
-                <xccdf-1.2:value selector="3">3</xccdf-1.2:value>
-                <xccdf-1.2:value selector="5">5</xccdf-1.2:value>
-                <xccdf-1.2:value selector="6">6</xccdf-1.2:value>
-                <xccdf-1.2:value>3</xccdf-1.2:value>
-              </xccdf-1.2:Value>
-              <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_dir" type="string">
-                <xccdf-1.2:title>faillock directory</xccdf-1.2:title>
-                <xccdf-1.2:description>The directory where the user files with the failure records are kept</xccdf-1.2:description>
-                <xccdf-1.2:value selector="ol8">/var/log/faillock</xccdf-1.2:value>
-                <xccdf-1.2:value>/var/log/faillock</xccdf-1.2:value>
-              </xccdf-1.2:Value>
-              <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_fail_interval" type="number">
-                <xccdf-1.2:title>fail_interval</xccdf-1.2:title>
-                <xccdf-1.2:description>Interval for counting failed login attempts before account lockout</xccdf-1.2:description>
-                <xccdf-1.2:value selector="100000000">100000000</xccdf-1.2:value>
-                <xccdf-1.2:value selector="1800">1800</xccdf-1.2:value>
-                <xccdf-1.2:value selector="3600">3600</xccdf-1.2:value>
-                <xccdf-1.2:value selector="86400">86400</xccdf-1.2:value>
-                <xccdf-1.2:value selector="900">900</xccdf-1.2:value>
-                <xccdf-1.2:value>900</xccdf-1.2:value>
-              </xccdf-1.2:Value>
-              <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time" type="number">
-                <xccdf-1.2:title>fail_unlock_time</xccdf-1.2:title>
-                <xccdf-1.2:description>Seconds before automatic unlocking or permanently locking after excessive failed logins</xccdf-1.2:description>
-                <xccdf-1.2:value selector="1800">1800</xccdf-1.2:value>
-                <xccdf-1.2:value selector="3600">3600</xccdf-1.2:value>
-                <xccdf-1.2:value selector="600">600</xccdf-1.2:value>
-                <xccdf-1.2:value selector="604800">604800</xccdf-1.2:value>
-                <xccdf-1.2:value selector="86400">86400</xccdf-1.2:value>
-                <xccdf-1.2:value selector="900">900</xccdf-1.2:value>
-                <xccdf-1.2:value>0</xccdf-1.2:value>
-                <xccdf-1.2:value selector="never">0</xccdf-1.2:value>
-              </xccdf-1.2:Value>
-              <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_password_pam_delay" type="number">
-                <xccdf-1.2:title>faildelay_delay</xccdf-1.2:title>
-                <xccdf-1.2:description>Delay next login attempt after a failed login</xccdf-1.2:description>
-                <xccdf-1.2:value selector="0">0</xccdf-1.2:value>
-                <xccdf-1.2:value selector="4000000">4000000</xccdf-1.2:value>
-                <xccdf-1.2:value>4000000</xccdf-1.2:value>
-              </xccdf-1.2:Value>
-              <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_password_pam_remember" type="number">
-                <xccdf-1.2:title>pwhistory_remember</xccdf-1.2:title>
-                <xccdf-1.2:description>Prevent password re-use using password history lookup</xccdf-1.2:description>
-                <xccdf-1.2:value selector="0">0</xccdf-1.2:value>
-                <xccdf-1.2:value selector="5">5</xccdf-1.2:value>
-                <xccdf-1.2:value selector="6">6</xccdf-1.2:value>
-                <xccdf-1.2:value selector="7">7</xccdf-1.2:value>
-                <xccdf-1.2:value selector="8">8</xccdf-1.2:value>
-                <xccdf-1.2:value selector="9">9</xccdf-1.2:value>
-                <xccdf-1.2:value>5</xccdf-1.2:value>
-              </xccdf-1.2:Value>
-              <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_password_pam_remember_control_flag" type="string">
-                <xccdf-1.2:title>PAM pwhistory remember - control flag</xccdf-1.2:title>
-                <xccdf-1.2:description>Specify the control flag required for password remember requirement.</xccdf-1.2:description>
-                <xccdf-1.2:value selector="required">required</xccdf-1.2:value>
-                <xccdf-1.2:value selector="optional">optional</xccdf-1.2:value>
-                <xccdf-1.2:value selector="requisite">requisite</xccdf-1.2:value>
-                <xccdf-1.2:value selector="sufficient">sufficient</xccdf-1.2:value>
-                <xccdf-1.2:value selector="binding">binding</xccdf-1.2:value>
-                <xccdf-1.2:value>requisite</xccdf-1.2:value>
-              </xccdf-1.2:Value>
-              <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_password_pam_tally2" type="number">
-                <xccdf-1.2:title>tally2</xccdf-1.2:title>
-                <xccdf-1.2:description>Number of failed login attempts</xccdf-1.2:description>
-                <xccdf-1.2:value selector="1">1</xccdf-1.2:value>
-                <xccdf-1.2:value selector="2">2</xccdf-1.2:value>
-                <xccdf-1.2:value selector="3">3</xccdf-1.2:value>
-                <xccdf-1.2:value selector="4">4</xccdf-1.2:value>
-                <xccdf-1.2:value selector="5">5</xccdf-1.2:value>
-                <xccdf-1.2:value>3</xccdf-1.2:value>
-              </xccdf-1.2:Value>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_account_passwords_pam_faillock_audit" severity="medium">
-                <xccdf-1.2:title>Account Lockouts Must Be Logged</xccdf-1.2:title>
-                <xccdf-1.2:description>PAM faillock locks an account due to excessive password failures, this event must be logged.</xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000044</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-7 (a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000021-GPOS-00005</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Without auditing of these events it may be harder or impossible to identify what an attacker did after an attack.</xccdf-1.2:rationale>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-account_passwords_pam_faillock_audit:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-account_passwords_pam_faillock_audit_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_account_passwords_pam_faillock_dir" severity="medium">
-                <xccdf-1.2:title>Account Lockouts Must Persist</xccdf-1.2:title>
-                <xccdf-1.2:description>By setting a `dir` in the faillock configuration account lockouts will persist across reboots.</xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000044</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-7 (a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000021-GPOS-00005</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Having lockouts persist across reboots ensures that account is only unlocked by an administrator.
-If the lockouts did not persist across reboots an attack could simply reboot the system to continue brute force attacks against the accounts on the system.
-</xccdf-1.2:rationale>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-account_passwords_pam_faillock_dir_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-            </xccdf-1.2:Group>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_password_quality">
-              <xccdf-1.2:title>Set Password Quality Requirements</xccdf-1.2:title>
-              <xccdf-1.2:description>The default <html:code>pam_pwquality</html:code> PAM module provides strength
-checking for passwords. It performs a number of checks, such as
-making sure passwords are not similar to dictionary words, are of
-at least a certain length, are not the previous password reversed,
-and are not simply a change of case from the previous password. It
-can also require passwords to be in certain character classes. The
-<html:code>pam_pwquality</html:code> module is the preferred way of configuring
-password requirements.
-<html:br/><html:br/>
-The man pages <html:code>pam_pwquality(8)</html:code>
-provide information on the capabilities and configuration of
-each.</xccdf-1.2:description>
-              <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_password_quality_pamcracklib">
-                <xccdf-1.2:title>Set Password Quality Requirements, if using
-pam_cracklib</xccdf-1.2:title>
-                <xccdf-1.2:description>The <html:code>pam_cracklib</html:code> PAM module can be configured to meet
-requirements for a variety of policies.
-<html:br/><html:br/>
-For example, to configure <html:code>pam_cracklib</html:code> to require at least one uppercase
-character, lowercase character, digit, and other (special)
-character, locate the following line in <html:code>/etc/pam.d/system-auth</html:code>:
-<html:pre>password requisite pam_cracklib.so try_first_pass retry=3</html:pre>
-and then alter it to read:
-<html:pre>password required pam_cracklib.so try_first_pass retry=3 maxrepeat=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1 difok=4</html:pre>
-If no such line exists, add one as the first line of the password section in <html:code>/etc/pam.d/system-auth</html:code>.
-The arguments can be modified to ensure compliance with
-your organization's security policy. Discussion of each parameter follows.</xccdf-1.2:description>
-                <xccdf-1.2:warning category="general">Note that the password quality requirements are not enforced for the
-root account for some reason.</xccdf-1.2:warning>
-              </xccdf-1.2:Group>
-              <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_password_quality_pwquality">
-                <xccdf-1.2:title>Set Password Quality Requirements with pam_pwquality</xccdf-1.2:title>
-                <xccdf-1.2:description>The <html:code>pam_pwquality</html:code> PAM module can be configured to meet
-requirements for a variety of policies.
-<html:br/><html:br/>
-For example, to configure <html:code>pam_pwquality</html:code> to require at least one uppercase
-character, lowercase character, digit, and other (special)
-character, make sure that <html:code>pam_pwquality</html:code> exists in <html:code>/etc/pam.d/system-auth</html:code>:
-<html:pre>password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=</html:pre>
-If no such line exists, add one as the first line of the password section in <html:code>/etc/pam.d/system-auth</html:code>.
-Next, modify the settings in <html:code>/etc/security/pwquality.conf</html:code> to match the following:
-<html:pre>difok = 4
-minlen = 14
-dcredit = -1
-ucredit = -1
-lcredit = -1
-ocredit = -1
-maxrepeat = 3</html:pre>
-The arguments can be modified to ensure compliance with
-your organization's security policy. Discussion of each parameter follows.</xccdf-1.2:description>
-                <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_password_pam_dcredit" type="number">
-                  <xccdf-1.2:title>dcredit</xccdf-1.2:title>
-                  <xccdf-1.2:description>Minimum number of digits in password</xccdf-1.2:description>
-                  <xccdf-1.2:value selector="0">0</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="1">-1</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="2">-2</xccdf-1.2:value>
-                  <xccdf-1.2:value>-1</xccdf-1.2:value>
-                </xccdf-1.2:Value>
-                <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_password_pam_dictcheck" type="number">
-                  <xccdf-1.2:title>dictcheck</xccdf-1.2:title>
-                  <xccdf-1.2:description>Prevent the use of dictionary words for passwords.</xccdf-1.2:description>
-                  <xccdf-1.2:value selector="1">1</xccdf-1.2:value>
-                  <xccdf-1.2:value>1</xccdf-1.2:value>
-                </xccdf-1.2:Value>
-                <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_password_pam_difok" type="number">
-                  <xccdf-1.2:title>difok</xccdf-1.2:title>
-                  <xccdf-1.2:description>Minimum number of characters not present in old
-password</xccdf-1.2:description>
-                  <xccdf-1.2:value selector="15">15</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="1">1</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="2">2</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="3">3</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="4">4</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="5">5</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="6">6</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="7">7</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="8">8</xccdf-1.2:value>
-                  <xccdf-1.2:value>8</xccdf-1.2:value>
-                </xccdf-1.2:Value>
-                <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_password_pam_lcredit" type="number">
-                  <xccdf-1.2:title>lcredit</xccdf-1.2:title>
-                  <xccdf-1.2:description>Minimum number of lower case in password</xccdf-1.2:description>
-                  <xccdf-1.2:value selector="0">0</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="1">-1</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="2">-2</xccdf-1.2:value>
-                  <xccdf-1.2:value>-1</xccdf-1.2:value>
-                </xccdf-1.2:Value>
-                <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_password_pam_maxclassrepeat" type="number">
-                  <xccdf-1.2:title>maxclassrepeat</xccdf-1.2:title>
-                  <xccdf-1.2:description>Maximum Number of Consecutive Repeating Characters in a Password From the Same Character Class</xccdf-1.2:description>
-                  <xccdf-1.2:value selector="1">1</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="2">2</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="3">3</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="4">4</xccdf-1.2:value>
-                  <xccdf-1.2:value>4</xccdf-1.2:value>
-                </xccdf-1.2:Value>
-                <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_password_pam_maxrepeat" type="number">
-                  <xccdf-1.2:title>maxrepeat</xccdf-1.2:title>
-                  <xccdf-1.2:description>Maximum Number of Consecutive Repeating Characters in a Password</xccdf-1.2:description>
-                  <xccdf-1.2:value selector="1">1</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="2">2</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="3">3</xccdf-1.2:value>
-                  <xccdf-1.2:value>3</xccdf-1.2:value>
-                </xccdf-1.2:Value>
-                <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_password_pam_minclass" type="number">
-                  <xccdf-1.2:title>minclass</xccdf-1.2:title>
-                  <xccdf-1.2:description>Minimum number of categories of characters that must exist in a password</xccdf-1.2:description>
-                  <xccdf-1.2:value selector="1">1</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="2">2</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="3">3</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="4">4</xccdf-1.2:value>
-                  <xccdf-1.2:value>3</xccdf-1.2:value>
-                </xccdf-1.2:Value>
-                <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_password_pam_minlen" type="number">
-                  <xccdf-1.2:title>minlen</xccdf-1.2:title>
-                  <xccdf-1.2:description>Minimum number of characters in password</xccdf-1.2:description>
-                  <xccdf-1.2:value selector="10">10</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="12">12</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="14">14</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="15">15</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="18">18</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="20">20</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="6">6</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="7">7</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="8">8</xccdf-1.2:value>
-                  <xccdf-1.2:value>15</xccdf-1.2:value>
-                </xccdf-1.2:Value>
-                <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_password_pam_ocredit" type="number">
-                  <xccdf-1.2:title>ocredit</xccdf-1.2:title>
-                  <xccdf-1.2:description>Minimum number of other (special characters) in
-password</xccdf-1.2:description>
-                  <xccdf-1.2:value selector="0">0</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="1">-1</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="2">-2</xccdf-1.2:value>
-                  <xccdf-1.2:value>-1</xccdf-1.2:value>
-                </xccdf-1.2:Value>
-                <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_password_pam_retry" type="number">
-                  <xccdf-1.2:title>retry</xccdf-1.2:title>
-                  <xccdf-1.2:description>Number of retry attempts before erroring out</xccdf-1.2:description>
-                  <xccdf-1.2:value selector="1">1</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="2">2</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="3">3</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="4">4</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="5">5</xccdf-1.2:value>
-                  <xccdf-1.2:value>3</xccdf-1.2:value>
-                </xccdf-1.2:Value>
-                <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_password_pam_ucredit" type="number">
-                  <xccdf-1.2:title>ucredit</xccdf-1.2:title>
-                  <xccdf-1.2:description>Minimum number of upper case in password</xccdf-1.2:description>
-                  <xccdf-1.2:value selector="0">0</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="1">-1</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="2">-2</xccdf-1.2:value>
-                  <xccdf-1.2:value>-1</xccdf-1.2:value>
-                </xccdf-1.2:Value>
-              </xccdf-1.2:Group>
-            </xccdf-1.2:Group>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_set_password_hashing_algorithm">
-              <xccdf-1.2:title>Set Password Hashing Algorithm</xccdf-1.2:title>
-              <xccdf-1.2:description>The system's default algorithm for storing password hashes in
-<html:code>/etc/shadow</html:code> is SHA-512. This can be configured in several
-locations.</xccdf-1.2:description>
-            </xccdf-1.2:Group>
-          </xccdf-1.2:Group>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_accounts-physical">
-            <xccdf-1.2:title>Protect Physical Console Access</xccdf-1.2:title>
-            <xccdf-1.2:description>It is impossible to fully protect a system from an
-attacker with physical access, so securing the space in which the
-system is located should be considered a necessary step. However,
-there are some steps which, if taken, make it more difficult for an
-attacker to quickly or undetectably modify a system from its
-console.</xccdf-1.2:description>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_service_debug-shell_disabled" severity="medium">
-              <xccdf-1.2:title>Disable debug-shell SystemD Service</xccdf-1.2:title>
-              <xccdf-1.2:description>SystemD's <html:code>debug-shell</html:code> service is intended to
-diagnose SystemD related boot issues with various <html:code>systemctl</html:code>
-commands. Once enabled and following a system reboot, the root shell
-will be available on <html:code>tty9</html:code> which is access by pressing
-<html:code>CTRL-ALT-F9</html:code>. The <html:code>debug-shell</html:code> service should only be used
-for SystemD related issues and should otherwise be disabled.
-<html:br/><html:br/>
-By default, the <html:code>debug-shell</html:code> SystemD service is already disabled.
-
-The <html:code>debug-shell</html:code> service can be disabled with the following manifest:
-<html:pre>
----
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-metadata:
-  labels:
-    machineconfiguration.openshift.io/role: master
-  name: 75-master-debug-shell-disable
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-      - enabled: false
-        name: debug-shell.service
-</html:pre>
-<html:p>
-This will disable the <html:code>debug-shell</html:code> service in all the
-nodes labeled with the "master" role.
-</html:p>
-<html:p>
-Note that this needs to be done for each <html:code>MachineConfigPool</html:code>
-</html:p>
-<html:p>
-For more information on how to configure nodes with the Machine Config
-Operator see
-<html:a href="https://docs.openshift.com/container-platform/4.6/post_installation_configuration/machine-configuration-tasks.html">the relevant documentation</html:a>.
-</html:p></xccdf-1.2:description>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(B)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(i)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(ii)(A)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(i)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(ii)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iii)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_UAU.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000324-GPOS-00125</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>This prevents attackers with physical access from trivially bypassing security
-on the machine through valid troubleshooting configurations and gaining root
-access when the system is rebooted.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82496-1</xccdf-1.2:ident>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:ignition" id="service_debug-shell_disabled" complexity="low" disruption="medium" reboot="true" strategy="disable">apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-      - name: debug-shell.service
-        enabled: false
-        mask: true
-      - name: debug-shell.socket
-        enabled: false
-        mask: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="service_debug-shell_disabled">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-      - enabled: false
-        name: debug-shell.service
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-service_debug-shell_disabled:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-service_debug-shell_disabled_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_coreos_disable_interactive_boot" severity="medium">
-              <xccdf-1.2:title>Verify that Interactive Boot is Disabled</xccdf-1.2:title>
-              <xccdf-1.2:description>Red Hat Enterprise Linux CoreOS 4 systems support an "interactive boot" option that can
-be used to prevent services from being started. On a Red Hat Enterprise Linux CoreOS 4
-system, interactive boot can be enabled by providing a <html:code>1</html:code>,
-<html:code>yes</html:code>, <html:code>true</html:code>, or <html:code>on</html:code> value to the
-<html:code>systemd.confirm_spawn</html:code> kernel argument.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000213</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(B)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(i)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(ii)(A)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(i)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(ii)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iii)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-2(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_UAU.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Using interactive boot, the console user could disable auditing, firewalls,
-or other services, weakening system security.</xccdf-1.2:rationale>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83548-8</xccdf-1.2:ident>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-coreos_disable_interactive_boot:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-coreos_disable_interactive_boot_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction" severity="high">
-              <xccdf-1.2:title>Disable Ctrl-Alt-Del Burst Action</xccdf-1.2:title>
-              <xccdf-1.2:description>By default, <html:code>SystemD</html:code> will reboot the system if the <html:code>Ctrl-Alt-Del</html:code>
-key sequence is pressed Ctrl-Alt-Delete more than 7 times in 2 seconds.
-<html:br/><html:br/>
-To configure the system to ignore the <html:code>CtrlAltDelBurstAction</html:code>
-
-setting, create a <html:code>MachineConfig</html:code> similar to the following:
-<html:pre>
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-metadata:
-  labels:
-    machineconfiguration.openshift.io/role: master
-  name: 75-master-disable-ctrlaltdel-burstaction
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,CtrlAltDelBurstAction%3Dnone
-        mode: 0644
-        path: /etc/systemd/system.conf.d/disable_ctrlaltdelete_burstaction.conf
-        overwrite: true
-EOF
-</html:pre>
-<html:p>
-This will add the relevant configuration to <html:code>/etc/systemd/system.conf.d/</html:code>,
-thus configuring Systemd apropriately.
-</html:p>
-<html:p>
-Note that this needs to be done for each <html:code>MachineConfigPool</html:code>
-</html:p>
-<html:p>
-For more information on how to configure nodes with the Machine Config
-Operator see
-<html:a href="https://docs.openshift.com/container-platform/4.6/post_installation_configuration/machine-configuration-tasks.html">the relevant documentation</html:a>.
-</html:p></xccdf-1.2:description>
-              <xccdf-1.2:warning category="functionality">Disabling the <html:code>Ctrl-Alt-Del</html:code> key sequence
-in <html:code>/etc/init/control-alt-delete.conf</html:code> DOES NOT disable the <html:code>Ctrl-Alt-Del</html:code>
-key sequence if running in <html:code>runlevel 6</html:code> (e.g. in GNOME, KDE, etc.)! The
-<html:code>Ctrl-Alt-Del</html:code> key sequence will only be disabled if running in
-the non-graphical <html:code>runlevel 3</html:code>.</xccdf-1.2:warning>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(B)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(i)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(ii)(A)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(i)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(ii)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iii)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000324-GPOS-00125</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>A locally logged-in user who presses Ctrl-Alt-Del, when at the console,
-can reboot the system. If accidentally pressed, as could happen in
-the case of mixed OS environment, this can create the risk of short-term
-loss of availability of systems due to unintentional reboot.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#systemd"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82495-3</xccdf-1.2:ident>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="disable_ctrlaltdel_burstaction">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,CtrlAltDelBurstAction%3Dnone
-        mode: 0644
-        path: /etc/systemd/system.conf.d/disable_ctrlaltdelete_burstaction.conf
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-disable_ctrlaltdel_burstaction:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-disable_ctrlaltdel_burstaction_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot" severity="high">
-              <xccdf-1.2:title>Disable Ctrl-Alt-Del Reboot Activation</xccdf-1.2:title>
-              <xccdf-1.2:description>By default, <html:code>SystemD</html:code> will reboot the system if the <html:code>Ctrl-Alt-Del</html:code>
-key sequence is pressed.
-<html:br/><html:br/>
-To configure the system to ignore the <html:code>Ctrl-Alt-Del</html:code> key sequence from the
-
-command line instead of rebooting the system, create a <html:code>MachineConfig</html:code>
-similar to the following:
-<html:pre>
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-metadata:
-  labels:
-    machineconfiguration.openshift.io/role: master
-  name: 75-master-disable-ctrlaltdel-reboot
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-      - name: ctrl-alt-del.target
-        mask: true
-EOF
-</html:pre>
-<html:p>
-This will mask the <html:code>ctrl-alt-del.target</html:code> systemd target for all the
-nodes labeled with the "master" role.
-</html:p>
-<html:p>
-Note that this needs to be done for each <html:code>MachineConfigPool</html:code>
-</html:p>
-<html:p>
-For more information on how to configure nodes with the Machine Config
-Operator see
-<html:a href="https://docs.openshift.com/container-platform/4.6/post_installation_configuration/machine-configuration-tasks.html">the relevant documentation</html:a>.
-</html:p></xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(B)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(i)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(ii)(A)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(i)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(ii)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iii)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000324-GPOS-00125</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>A locally logged-in user who presses Ctrl-Alt-Del, when at the console,
-can reboot the system. If accidentally pressed, as could happen in
-the case of mixed OS environment, this can create the risk of short-term
-loss of availability of systems due to unintentional reboot.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82493-8</xccdf-1.2:ident>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="disable_ctrlaltdel_reboot" complexity="low" disruption="low" reboot="true" strategy="restrict">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-      - name: ctrl-alt-del.target
-        mask: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-disable_ctrlaltdel_reboot:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-disable_ctrlaltdel_reboot_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_grub2_disable_interactive_boot" severity="medium">
-              <xccdf-1.2:title>Verify that Interactive Boot is Disabled</xccdf-1.2:title>
-              <xccdf-1.2:description>Red Hat Enterprise Linux CoreOS 4 systems support an "interactive boot" option that can
-be used to prevent services from being started. On a Red Hat Enterprise Linux CoreOS 4
-system, interactive boot can be enabled by providing a <html:code>1</html:code>,
-<html:code>yes</html:code>, <html:code>true</html:code>, or <html:code>on</html:code> value to the
-<html:code>systemd.confirm_spawn</html:code> kernel argument in <html:code>/etc/default/grub</html:code>.
-Remove any instance of <html:pre>systemd.confirm_spawn=(1|yes|true|on)</html:pre> from
-the kernel arguments in that file to disable interactive boot.
-Recovery booting must also be disabled. Confirm that
-<html:code>GRUB_DISABLE_RECOVERY=true</html:code> is set in  <html:code>/etc/default/grub</html:code>.
-It is also required to change the runtime configuration, run:
-
-<html:pre>/sbin/grubby --update-kernel=ALL --remove-args="systemd.confirm_spawn"</html:pre>
-
-<html:pre>grub2-mkconfig -o /boot/grub2/grub.cfg</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000213</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(B)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(i)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(ii)(A)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(i)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(ii)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iii)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-2(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_UAU.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Using interactive or recovery boot, the console user could disable auditing, firewalls,
-or other services, weakening system security.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#grub2"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82551-3</xccdf-1.2:ident>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-grub2_disable_interactive_boot:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-grub2_disable_interactive_boot_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_require_singleuser_auth" severity="medium">
-              <xccdf-1.2:title>Require Authentication for Single User Mode</xccdf-1.2:title>
-              <xccdf-1.2:description>Single-user mode is intended as a system recovery
-method, providing a single user root access to the system by
-providing a boot option at startup.
-<html:br/><html:br/>
-By default, single-user mode is protected by requiring a password and is set
-in <html:code>/usr/lib/systemd/system/rescue.service</html:code>.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000213</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(B)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(i)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(ii)(A)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(i)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(ii)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iii)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">0421</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">0422</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">0431</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">0974</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">1173</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">1401</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">1504</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">1505</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">1546</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">1557</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">1558</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">1559</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">1560</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">1561</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.18.1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_UAU.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000080-GPOS-00048</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>This prevents attackers with physical access from trivially bypassing security
-on the machine and gaining root access. Such accesses are further prevented
-by configuring the bootloader password.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82550-5</xccdf-1.2:ident>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-require_singleuser_auth:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-require_singleuser_auth_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_screen_locking">
-              <xccdf-1.2:title>Configure Screen Locking</xccdf-1.2:title>
-              <xccdf-1.2:description>When a user must temporarily leave an account
-logged-in, screen locking should be employed to prevent passersby
-from abusing the account. User education and training is
-particularly important for screen locking to be effective, and policies
-can be implemented to reinforce this.
-<html:br/><html:br/>
-Automatic screen locking is only meant as a safeguard for
-those cases where a user forgot to lock the screen.</xccdf-1.2:description>
-              <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_console_screen_locking">
-                <xccdf-1.2:title>Configure Console Screen Locking</xccdf-1.2:title>
-                <xccdf-1.2:description>A console screen locking mechanism is a temporary action taken when a user
-stops work and moves away from the immediate physical vicinity of the
-information system but does not logout because of the temporary nature of
-the absence. Rather than relying on the user to manually lock their
-operation system session prior to vacating the vicinity, operating systems
-need to be able to identify when a user's session has idled and take action
-to initiate the session lock.</xccdf-1.2:description>
-                <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_package_tmux_installed" severity="medium">
-                  <xccdf-1.2:title>Install the tmux Package</xccdf-1.2:title>
-                  <xccdf-1.2:description>To enable console screen locking, install the <html:code>tmux</html:code> package.
-A session lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not want to log out because of the temporary nature of the absence.
-The session lock is implemented at the point where session activity can be determined.
-Rather than be forced to wait for a period of time to expire before the user session can be locked, Red Hat Enterprise Linux CoreOS 4 needs to provide users with the ability to manually invoke a session lock so users can secure their session if it is necessary to temporarily vacate the immediate physical vicinity.
-Instruct users to begin new terminal sessions with the following command:
-<html:pre>$ tmux</html:pre>
-The console can now be locked with the following key combination:
-<html:pre>ctrl+b :lock-session</html:pre></xccdf-1.2:description>
-                  <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.10</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.10</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.10</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000058</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000056</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.18.1.4</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.4</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.3.1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.2</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.3</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FTA_SSL.1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000030-GPOS-00011</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000028-GPOS-00009</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="">SRG-OS-000030-VMM-000110</xccdf-1.2:reference>
-                  <xccdf-1.2:rationale>A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate
-physical vicinity of the information system but does not logout because of the temporary nature of the absence.
-Rather than relying on the user to manually lock their operation system session prior to vacating the vicinity,
-operating systems need to be able to identify when a user's session has idled and take action to initiate the
-session lock.
-<html:br/><html:br/>
-The <html:code>tmux</html:code> package allows for a session lock to be implemented and configured.</xccdf-1.2:rationale>
-                  <xccdf-1.2:platform idref="#machine"/>
-                  <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                    <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-package_tmux_installed:def:1"/>
-                  </xccdf-1.2:check>
-                  <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                    <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-package_tmux_installed_ocil:questionnaire:1"/>
-                  </xccdf-1.2:check>
-                </xccdf-1.2:Rule>
-                <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_configure_bashrc_exec_tmux" severity="medium">
-                  <xccdf-1.2:title>Support session locking with tmux</xccdf-1.2:title>
-                  <xccdf-1.2:description>The <html:code>tmux</html:code> terminal multiplexer is used to implement
-automatic session locking. It should be started from
-<html:code>/etc/bashrc</html:code> or drop-in files within <html:code>/etc/profile.d/</html:code>.</xccdf-1.2:description>
-                  <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000056</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000058</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FTA_SSL.1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000031-GPOS-00012</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000028-GPOS-00009</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000030-GPOS-00011</xccdf-1.2:reference>
-                  <xccdf-1.2:rationale>Unlike <html:code>bash</html:code> itself, the <html:code>tmux</html:code> terminal multiplexer
-provides a mechanism to lock sessions after period of inactivity.
-A session lock is a temporary action taken when a user stops work and moves away from the
-immediate physical vicinity of the information system but does not want to
-log out because of the temporary nature of the absence.</xccdf-1.2:rationale>
-                  <xccdf-1.2:platform idref="#tmux"/>
-                  <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                    <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-configure_bashrc_exec_tmux:def:1"/>
-                  </xccdf-1.2:check>
-                  <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                    <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-configure_bashrc_exec_tmux_ocil:questionnaire:1"/>
-                  </xccdf-1.2:check>
-                </xccdf-1.2:Rule>
-                <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_configure_tmux_lock_after_time" severity="medium">
-                  <xccdf-1.2:title>Configure tmux to lock session after inactivity</xccdf-1.2:title>
-                  <xccdf-1.2:description>To enable console screen locking in <html:code>tmux</html:code> terminal multiplexer
-after a period of inactivity,
-the <html:code>lock-after-time</html:code> option has to be set to a value greater than 0 and less than
-or equal to 900 in <html:code>/etc/tmux.conf</html:code>.</xccdf-1.2:description>
-                  <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000057</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000060</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FTA_SSL.1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000029-GPOS-00010</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000031-GPOS-00012</xccdf-1.2:reference>
-                  <xccdf-1.2:rationale>Locking the session after a period of inactivity limits the
-potential exposure if the session is left unattended.</xccdf-1.2:rationale>
-                  <xccdf-1.2:platform idref="#machine"/>
-                  <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                    <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-configure_tmux_lock_after_time:def:1"/>
-                  </xccdf-1.2:check>
-                  <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                    <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-configure_tmux_lock_after_time_ocil:questionnaire:1"/>
-                  </xccdf-1.2:check>
-                </xccdf-1.2:Rule>
-                <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_configure_tmux_lock_command" severity="medium">
-                  <xccdf-1.2:title>Configure the tmux Lock Command</xccdf-1.2:title>
-                  <xccdf-1.2:description>To enable console screen locking in <html:code>tmux</html:code> terminal multiplexer,
-the <html:code>vlock</html:code> command must be configured to be used as a locking
-mechanism.
-Add the following line to <html:code>/etc/tmux.conf</html:code>:
-<html:pre>set -g lock-command vlock</html:pre>.
-The console can now be locked with the following key combination:
-<html:pre>ctrl+b :lock-session</html:pre></xccdf-1.2:description>
-                  <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000056</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000058</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-11(a)</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-11(b)</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FTA_SSL.1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000028-GPOS-00009</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000030-GPOS-00011</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="">SRG-OS-000028-VMM-000090</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="">SRG-OS-000030-VMM-000110</xccdf-1.2:reference>
-                  <xccdf-1.2:rationale>The <html:code>tmux</html:code> package allows for a session lock to be implemented and configured.
-However, the session lock is implemented by an external command. The <html:code>tmux</html:code>
-default configuration does not contain an effective session lock.</xccdf-1.2:rationale>
-                  <xccdf-1.2:platform idref="#machine"/>
-                  <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                    <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-configure_tmux_lock_command:def:1"/>
-                  </xccdf-1.2:check>
-                  <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                    <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-configure_tmux_lock_command_ocil:questionnaire:1"/>
-                  </xccdf-1.2:check>
-                </xccdf-1.2:Rule>
-                <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_no_tmux_in_shells" severity="low">
-                  <xccdf-1.2:title>Prevent user from disabling the screen lock</xccdf-1.2:title>
-                  <xccdf-1.2:description>The <html:code>tmux</html:code> terminal multiplexer is used to implement
-automatic session locking. It should not be listed in
-<html:code>/etc/shells</html:code>.</xccdf-1.2:description>
-                  <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000056</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000058</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FTA_SSL.1</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000324-GPOS-00125</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000028-GPOS-00009</xccdf-1.2:reference>
-                  <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000030-GPOS-00011</xccdf-1.2:reference>
-                  <xccdf-1.2:rationale>Not listing <html:code>tmux</html:code> among permitted shells
-prevents malicious program running as user
-from lowering security by disabling the screen lock.</xccdf-1.2:rationale>
-                  <xccdf-1.2:platform idref="#machine"/>
-                  <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="no_tmux_in_shells">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,/bin/sh%0A/bin/bash%0A/usr/bin/sh%0A/usr/bin/bash%0A
-        mode: 0644
-        path: /etc/shells
-        overwrite: true
-</xccdf-1.2:fix>
-                  <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                    <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-no_tmux_in_shells:def:1"/>
-                  </xccdf-1.2:check>
-                  <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                    <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-no_tmux_in_shells_ocil:questionnaire:1"/>
-                  </xccdf-1.2:check>
-                </xccdf-1.2:Rule>
-              </xccdf-1.2:Group>
-              <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_smart_card_login">
-                <xccdf-1.2:title>Hardware Tokens for Authentication</xccdf-1.2:title>
-                <xccdf-1.2:description>The use of hardware tokens such as smart cards for system login
-provides stronger, two-factor authentication than using a username and password.
-
-In Red Hat Enterprise Linux servers and workstations, hardware token login
-
-is not enabled by default and must be enabled in the system settings.</xccdf-1.2:description>
-                <xccdf-1.2:platform idref="#machine"/>
-                <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_smartcard_drivers" type="string" interactive="true">
-                  <xccdf-1.2:title>OpenSC Smart Card Drivers</xccdf-1.2:title>
-                  <xccdf-1.2:description>Choose the Smart Card Driver in use by your organization.
-<html:br/>For DoD, choose the <html:code>cac</html:code> driver.
-<html:br/>If your driver is not listed and you don't want to use the
-<html:code>default</html:code> driver, use the <html:code>other</html:code> option and
-manually specify your driver.</xccdf-1.2:description>
-                  <xccdf-1.2:value>default</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="acos5">acos5</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="akis">akis</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="asepcos">asepcos</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="atrust-acos">atrust-acos</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="authentic">authentic</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="belpic">belpic</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="cac">cac</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="cardos">cardos</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="coolkey">coolkey</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="cyberflex">cyberflex</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="dnie">dnie</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="entersafe">entersafe</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="epass2003">epass2003</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="flex">flex</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="gemsafeV1">gemsafeV1</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="gids">gids</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="gpk">gpk</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="iasecc">iasecc</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="incrypto34">incrypto34</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="isoApplet">isoApplet</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="itacns">itacns</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="jpki">jpki</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="MaskTech">MaskTech</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="mcrd">mcrd</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="muscle">muscle</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="myeid">myeid</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="npa">npa</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="oberthur">oberthur</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="openpgp">openpgp</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="other">None</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="PIV-II">PIV-II</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="rutoken_ecp">rutoken_ecp</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="rutoken">rutoken</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="sc-hsm">sc-hsm</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="setcos">setcos</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="starcos">starcos</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="tcos">tcos</xccdf-1.2:value>
-                  <xccdf-1.2:value selector="westcos">westcos</xccdf-1.2:value>
-                </xccdf-1.2:Value>
-              </xccdf-1.2:Group>
-            </xccdf-1.2:Group>
-          </xccdf-1.2:Group>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_accounts-restrictions">
-            <xccdf-1.2:title>Protect Accounts by Restricting Password-Based Login</xccdf-1.2:title>
-            <xccdf-1.2:description>Conventionally, Unix shell accounts are accessed by
-providing a username and password to a login program, which tests
-these values for correctness using the <html:code>/etc/passwd</html:code> and
-<html:code>/etc/shadow</html:code> files. Password-based login is vulnerable to
-guessing of weak passwords, and to sniffing and man-in-the-middle
-attacks against passwords entered over a network or at an insecure
-console. Therefore, mechanisms for accessing accounts by entering
-usernames and passwords should be restricted to those which are
-operationally necessary.</xccdf-1.2:description>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_accounts_authorized_local_users_regex" type="string" operator="pattern match" interactive="true">
-              <xccdf-1.2:title>Accounts Authorized Local Users on the Operating System</xccdf-1.2:title>
-              <xccdf-1.2:description>List the user accounts that are authorized locally on the operating system. This list
-includes both users requried by the operating system and by the installed applications.
-Depending on the Operating System distribution, version, software groups and applications,
-the user list is different and can be customized with scap-workbench.
-OVAL regular expression is used for the user list.
-The list starts with '^' and ends with '$' so that it matches exactly the
-username, not any string that includes the username. Users are separated with '|'.
-For example, three users: bin, oracle and sapadm are allowed, then the list is
-<html:code>^(bin|oracle|sapadm)$</html:code>. The user <html:code>root</html:code> is the only user that is hard coded
-in OVAL that is always allowed on the operating system.</xccdf-1.2:description>
-              <xccdf-1.2:value selector="ol7">^(abrt|adm|avahi|bin|chrony|clevis|cockpit-ws|cockpit-wsinstance|colord|daemon|dbus|dnsmasq|flatpak|ftp|games|gdm|geoclue|gluster|gnome-initial-setup|halt|libstoragemgmt|lp|mail|nfsnobody|nobody|ntp|operator|oprofile|oracle|pcp|pegasus|pipewire|polkitd|postfix|pulse|qemu|radvd|rngd|root|rpc|rpcuser|rtkit|saned|saslauth|setroubleshoot|shutdown|sshd|sssd|sync|systemd-bus-proxy|systemd-coredump|systemd-network|systemd-resolve|tcpdump|tss|unbound|usbmuxd$|uuidd)$</xccdf-1.2:value>
-              <xccdf-1.2:value selector="ol8">^(abrt|adm|avahi|bin|chrony|clevis|cockpit-ws|cockpit-wsinstance|colord|daemon|dbus|dnsmasq|flatpak|ftp|games|gdm|geoclue|gluster|gnome-initial-setup|halt|libstoragemgmt|lp|mail|nfsnobody|nobody|ntp|operator|oprofile|oracle|pcp|pegasus|pipewire|polkitd|postfix|pulse|qemu|radvd|rngd|root|rpc|rpcuser|rtkit|saned|saslauth|setroubleshoot|shutdown|sshd|sssd|sync|systemd-bus-proxy|systemd-coredump|systemd-network|systemd-resolve|tcpdump|tss|unbound|usbmuxd$|uuidd)$</xccdf-1.2:value>
-              <xccdf-1.2:value selector="ol7forsap">^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd)$</xccdf-1.2:value>
-              <xccdf-1.2:value selector="rhel7">^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd|systemd-resolve|systemd-coredump|sssd|rngd)$</xccdf-1.2:value>
-              <xccdf-1.2:value selector="rhel8">^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd|systemd-resolve|systemd-coredump|sssd|rngd)$</xccdf-1.2:value>
-              <xccdf-1.2:value selector="sle12">^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd|systemd-resolve|systemd-coredump|sssd|rngd|man|systemd-timesync|scard|hacluster|statd|at|dockremap|vnc)$</xccdf-1.2:value>
-              <xccdf-1.2:value selector="sle15">^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd|systemd-resolve|systemd-coredump|sssd|rngd|man|systemd-timesync|scard|hacluster|statd|at|dockremap|vnc|messagebus|nscd)$</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_account_expiration">
-              <xccdf-1.2:title>Set Account Expiration Parameters</xccdf-1.2:title>
-              <xccdf-1.2:description>Accounts can be configured to be automatically disabled
-after a certain time period,
-meaning that they will require administrator interaction to become usable again.
-Expiration of accounts after inactivity can be set for all accounts by default
-and also on a per-account basis, such as for accounts that are known to be temporary.
-To configure automatic expiration of an account following
-the expiration of its password (that is, after the password has expired and not been changed),
-run the following command, substituting <html:code><html:i>NUM_DAYS</html:i></html:code> and <html:code><html:i>USER</html:i></html:code> appropriately:
-<html:pre>$ sudo chage -I <html:i>NUM_DAYS USER</html:i></html:pre>
-Accounts, such as temporary accounts, can also be configured to expire on an explicitly-set date with the
-<html:code>-E</html:code> option.
-The file <html:code>/etc/default/useradd</html:code> controls
-default settings for all newly-created accounts created with the system's
-normal command line utilities.</xccdf-1.2:description>
-              <xccdf-1.2:warning category="general">This will only apply to newly created accounts</xccdf-1.2:warning>
-              <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_account_disable_inactivity" type="number">
-                <xccdf-1.2:title>number of days after the last login of the user when the user will be locked out</xccdf-1.2:title>
-                <xccdf-1.2:description>'This option is specific for the auth or account phase. It specifies the number of days after
-the last login of the user when the user will be locked out by the pam_lastlog module.'</xccdf-1.2:description>
-                <xccdf-1.2:value selector="0">0</xccdf-1.2:value>
-                <xccdf-1.2:value selector="180">180</xccdf-1.2:value>
-                <xccdf-1.2:value selector="30">30</xccdf-1.2:value>
-                <xccdf-1.2:value selector="35">35</xccdf-1.2:value>
-                <xccdf-1.2:value selector="40">40</xccdf-1.2:value>
-                <xccdf-1.2:value selector="60">60</xccdf-1.2:value>
-                <xccdf-1.2:value selector="90">90</xccdf-1.2:value>
-                <xccdf-1.2:value>35</xccdf-1.2:value>
-              </xccdf-1.2:Value>
-              <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_account_disable_post_pw_expiration" type="number">
-                <xccdf-1.2:title>number of days after a password expires until the account is permanently disabled</xccdf-1.2:title>
-                <xccdf-1.2:description>The number of days to wait after a password expires, until the account will be permanently disabled.</xccdf-1.2:description>
-                <xccdf-1.2:value selector="0">0</xccdf-1.2:value>
-                <xccdf-1.2:value selector="180">180</xccdf-1.2:value>
-                <xccdf-1.2:value selector="30">30</xccdf-1.2:value>
-                <xccdf-1.2:value selector="35">35</xccdf-1.2:value>
-                <xccdf-1.2:value selector="40">40</xccdf-1.2:value>
-                <xccdf-1.2:value selector="60">60</xccdf-1.2:value>
-                <xccdf-1.2:value selector="90">90</xccdf-1.2:value>
-                <xccdf-1.2:value>35</xccdf-1.2:value>
-              </xccdf-1.2:Value>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_account_disable_post_pw_expiration" severity="medium">
-                <xccdf-1.2:title>Set Account Expiration Following Inactivity</xccdf-1.2:title>
-                <xccdf-1.2:description>To specify the number of days after a password expires (which
-signifies inactivity) until an account is permanently disabled, add or correct
-the following line in <html:code>/etc/default/useradd</html:code>:
-<html:pre>INACTIVE=<html:i><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_account_disable_post_pw_expiration" use="legacy"/></html:i></html:pre>
-If a password is currently on the verge of expiration, then
-<html:code><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_account_disable_post_pw_expiration" use="legacy"/></html:code>
-day(s) remain(s) until the account is automatically
-disabled. However, if the password will not expire for another 60 days, then 60
-days plus <html:code><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_account_disable_post_pw_expiration" use="legacy"/></html:code> day(s) could
-elapse until the account would be automatically disabled. See the
-<html:code>useradd</html:code> man page for more information.</xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.6.2.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000017</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000795</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.18.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-4(e)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(3)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-8.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000118-GPOS-00060</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000003-VMM-000030</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000118-VMM-000590</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Inactive identifiers pose a risk to systems and applications because attackers may exploit an inactive identifier and potentially obtain undetected access to the system.
-Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials.
-Owners of inactive accounts will not notice if unauthorized access to their user account has been obtained.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#login_defs"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82695-8</xccdf-1.2:ident>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-export export-name="oval:ssg-var_account_disable_post_pw_expiration:var:1" value-id="xccdf_org.ssgproject.content_value_var_account_disable_post_pw_expiration"/>
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-account_disable_post_pw_expiration:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-account_disable_post_pw_expiration_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_account_unique_name" severity="medium">
-                <xccdf-1.2:title>Ensure All Accounts on the System Have Unique Names</xccdf-1.2:title>
-                <xccdf-1.2:description>Ensure accounts on the system have unique names.
-
-To ensure all accounts have unique names, run the following command:
-<html:pre>$ sudo getent passwd | awk -F: '{ print $1}' | uniq -d</html:pre>
-If a username is returned, change or delete the username.</xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000770</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000804</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-8.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Unique usernames allow for accountability on the system.</xccdf-1.2:rationale>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-account_unique_name:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-account_unique_name_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_account_use_centralized_automated_auth" severity="medium">
-                <xccdf-1.2:title>Use Centralized and Automated Authentication</xccdf-1.2:title>
-                <xccdf-1.2:description>Implement an automated system for managing user accounts that minimizes the
-risk of errors, either intentional or deliberate. This system
-should integrate with an existing enterprise user management system, such as
-one based on Identity Management tools such as Active Directory, Kerberos,
-Directory Server, etc.</xccdf-1.2:description>
-                <xccdf-1.2:rationale>A comprehensive account management process that includes automation helps to
-ensure the accounts designated as requiring attention are consistently and
-promptly addressed. Enterprise environments make user account management
-challenging and complex. A user management process requiring administrators to
-manually address account management functions adds risk of potential
-oversight.</xccdf-1.2:rationale>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-account_use_centralized_automated_auth_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-            </xccdf-1.2:Group>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_password_expiration">
-              <xccdf-1.2:title>Set Password Expiration Parameters</xccdf-1.2:title>
-              <xccdf-1.2:description>The file <html:code>/etc/login.defs</html:code> controls several
-password-related settings. Programs such as <html:code>passwd</html:code>,
-<html:code>su</html:code>, and
-<html:code>login</html:code> consult <html:code>/etc/login.defs</html:code> to determine
-behavior with regard to password aging, expiration warnings,
-and length. See the man page <html:code>login.defs(5)</html:code> for more information.
-<html:br/><html:br/>
-Users should be forced to change their passwords, in order to
-decrease the utility of compromised passwords. However, the need to
-change passwords often should be balanced against the risk that
-users will reuse or write down passwords if forced to change them
-too often. Forcing password changes every 90-360 days, depending on
-the environment, is recommended. Set the appropriate value as
-<html:code>PASS_MAX_DAYS</html:code> and apply it to existing accounts with the
-<html:code>-M</html:code> flag.
-<html:br/><html:br/>
-The <html:code>PASS_MIN_DAYS</html:code> (<html:code>-m</html:code>) setting prevents password
-changes for 7 days after the first change, to discourage password
-cycling. If you use this setting, train users to contact an administrator
-for an emergency password change in case a new password becomes
-compromised. The <html:code>PASS_WARN_AGE</html:code> (<html:code>-W</html:code>) setting gives
-users 7 days of warnings at login time that their passwords are about to expire.
-<html:br/><html:br/>
-For example, for each existing human user <html:i>USER</html:i>, expiration parameters
-could be adjusted to a 180 day maximum password age, 7 day minimum password
-age, and 7 day warning period with the following command:
-<html:pre>$ sudo chage -M 180 -m 7 -W 7 USER</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs" type="number">
-                <xccdf-1.2:title>maximum password age</xccdf-1.2:title>
-                <xccdf-1.2:description>Maximum age of password in days</xccdf-1.2:description>
-                <xccdf-1.2:value selector="365">365</xccdf-1.2:value>
-                <xccdf-1.2:value selector="120">120</xccdf-1.2:value>
-                <xccdf-1.2:value selector="180">180</xccdf-1.2:value>
-                <xccdf-1.2:value selector="60">60</xccdf-1.2:value>
-                <xccdf-1.2:value selector="90">90</xccdf-1.2:value>
-                <xccdf-1.2:value>60</xccdf-1.2:value>
-              </xccdf-1.2:Value>
-              <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_accounts_minimum_age_login_defs" type="number">
-                <xccdf-1.2:title>minimum password age</xccdf-1.2:title>
-                <xccdf-1.2:description>Minimum age of password in days</xccdf-1.2:description>
-                <xccdf-1.2:value selector="0">0</xccdf-1.2:value>
-                <xccdf-1.2:value selector="1">1</xccdf-1.2:value>
-                <xccdf-1.2:value selector="2">2</xccdf-1.2:value>
-                <xccdf-1.2:value selector="5">5</xccdf-1.2:value>
-                <xccdf-1.2:value selector="7">7</xccdf-1.2:value>
-                <xccdf-1.2:value>7</xccdf-1.2:value>
-              </xccdf-1.2:Value>
-              <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_accounts_password_minlen_login_defs" type="number">
-                <xccdf-1.2:title>minimum password length</xccdf-1.2:title>
-                <xccdf-1.2:description>Minimum number of characters in password</xccdf-1.2:description>
-                <xccdf-1.2:warning category="general">This will only check new passwords</xccdf-1.2:warning>
-                <xccdf-1.2:value selector="10">10</xccdf-1.2:value>
-                <xccdf-1.2:value selector="12">12</xccdf-1.2:value>
-                <xccdf-1.2:value selector="14">14</xccdf-1.2:value>
-                <xccdf-1.2:value selector="15">15</xccdf-1.2:value>
-                <xccdf-1.2:value selector="18">18</xccdf-1.2:value>
-                <xccdf-1.2:value selector="20">20</xccdf-1.2:value>
-                <xccdf-1.2:value selector="6">6</xccdf-1.2:value>
-                <xccdf-1.2:value selector="8">8</xccdf-1.2:value>
-                <xccdf-1.2:value>15</xccdf-1.2:value>
-              </xccdf-1.2:Value>
-              <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_accounts_password_warn_age_login_defs" type="number">
-                <xccdf-1.2:title>warning days before password expires</xccdf-1.2:title>
-                <xccdf-1.2:description>The number of days' warning given before a password expires.</xccdf-1.2:description>
-                <xccdf-1.2:warning category="general">This will only apply to newly created accounts</xccdf-1.2:warning>
-                <xccdf-1.2:value selector="0">0</xccdf-1.2:value>
-                <xccdf-1.2:value selector="14">14</xccdf-1.2:value>
-                <xccdf-1.2:value selector="7">7</xccdf-1.2:value>
-                <xccdf-1.2:value>7</xccdf-1.2:value>
-              </xccdf-1.2:Value>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs" severity="medium">
-                <xccdf-1.2:title>Set Password Maximum Age</xccdf-1.2:title>
-                <xccdf-1.2:description>To specify password maximum age for new accounts,
-edit the file <html:code>/etc/login.defs</html:code>
-and add or correct the following line:
-<html:pre>PASS_MAX_DAYS <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs" use="legacy"/></html:pre>
-A value of 180 days is sufficient for many environments.
-The DoD requirement is 60.
-The profile requirement is <html:code><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs" use="legacy"/></html:code>.</xccdf-1.2:description>
-                <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R18)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.6.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000199</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">0418</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">1055</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">1402</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.18.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(f)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-8.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000076-GPOS-00044</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Any password, no matter how complex, can eventually be cracked. Therefore, passwords
-need to be changed periodically. If the operating system does not limit the lifetime
-of passwords and force users to change their passwords, there is the risk that the
-operating system passwords could be compromised.
-<html:br/><html:br/>
-Setting the password maximum age ensures users are required to
-periodically change their passwords. Requiring shorter password lifetimes
-increases the risk of users writing down the password in a convenient
-location subject to physical compromise.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#login_defs"/>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-export export-name="oval:ssg-var_accounts_maximum_age_login_defs:var:1" value-id="xccdf_org.ssgproject.content_value_var_accounts_maximum_age_login_defs"/>
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-accounts_maximum_age_login_defs:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-accounts_maximum_age_login_defs_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_accounts_minimum_age_login_defs" severity="medium">
-                <xccdf-1.2:title>Set Password Minimum Age</xccdf-1.2:title>
-                <xccdf-1.2:description>To specify password minimum age for new accounts,
-edit the file <html:code>/etc/login.defs</html:code>
-and add or correct the following line:
-<html:pre>PASS_MIN_DAYS <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_accounts_minimum_age_login_defs" use="legacy"/></html:pre>
-A value of 1 day is considered sufficient for many
-environments. The DoD requirement is 1.
-The profile requirement is <html:code><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_accounts_minimum_age_login_defs" use="legacy"/></html:code>.</xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.6.2.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000198</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">0418</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">1055</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">1402</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.18.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(f)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000075-GPOS-00043</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Enforcing a minimum password lifetime helps to prevent repeated password
-changes to defeat the password reuse or history enforcement requirement. If
-users are allowed to immediately and continually change their password,
-then the password could be repeatedly changed in a short period of time to
-defeat the organization's policy regarding password reuse.
-<html:br/><html:br/>
-Setting the minimum password age protects against users cycling back to a
-favorite password after satisfying the password reuse requirement.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#login_defs"/>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-export export-name="oval:ssg-var_accounts_minimum_age_login_defs:var:1" value-id="xccdf_org.ssgproject.content_value_var_accounts_minimum_age_login_defs"/>
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-accounts_minimum_age_login_defs:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-accounts_minimum_age_login_defs_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_accounts_password_minlen_login_defs" severity="medium">
-                <xccdf-1.2:title>Set Password Minimum Length in login.defs</xccdf-1.2:title>
-                <xccdf-1.2:description>To specify password length requirements for new accounts, edit the file
-<html:code>/etc/login.defs</html:code> and add or correct the following line:
-<html:pre>PASS_MIN_LEN <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_accounts_password_minlen_login_defs" use="legacy"/></html:pre>
-<html:br/><html:br/>
-The DoD requirement is <html:code>15</html:code>.
-The FISMA requirement is <html:code>12</html:code>.
-The profile requirement is
-<html:code><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_accounts_password_minlen_login_defs" use="legacy"/></html:code>.
-If a program consults <html:code>/etc/login.defs</html:code> and also another PAM module
-(such as <html:code>pam_pwquality</html:code>) during a password change operation, then
-the most restrictive must be satisfied. See PAM section for more
-information about enforcing password quality requirements.</xccdf-1.2:description>
-                <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R18)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.6.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000205</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">0421</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">0422</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">0431</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">0974</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">1173</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">1401</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">1504</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">1505</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">1546</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">1557</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">1558</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">1559</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">1560</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">1561</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.18.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(f)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000078-GPOS-00046</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Requiring a minimum password length makes password
-cracking attacks more difficult by ensuring a larger
-search space. However, any security benefit from an onerous requirement
-must be carefully weighed against usability problems, support costs, or counterproductive
-behavior that may result.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#login_defs"/>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-export export-name="oval:ssg-var_accounts_password_minlen_login_defs:var:1" value-id="xccdf_org.ssgproject.content_value_var_accounts_password_minlen_login_defs"/>
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-accounts_password_minlen_login_defs:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-accounts_password_minlen_login_defs_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_accounts_password_warn_age_login_defs" severity="medium">
-                <xccdf-1.2:title>Set Password Warning Age</xccdf-1.2:title>
-                <xccdf-1.2:description>To specify how many days prior to password
-expiration that a warning will be issued to users,
-edit the file <html:code>/etc/login.defs</html:code> and add or correct
- the following line:
-<html:pre>PASS_WARN_AGE <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_accounts_password_warn_age_login_defs" use="legacy"/></html:pre>
-The DoD requirement is 7.
-The profile requirement is <html:code><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_accounts_password_warn_age_login_defs" use="legacy"/></html:code>.</xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">0418</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">1055</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">1402</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.18.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(f)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Setting the password warning age enables users to
-make the change at a practical time.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#login_defs"/>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-export export-name="oval:ssg-var_accounts_password_warn_age_login_defs:var:1" value-id="xccdf_org.ssgproject.content_value_var_accounts_password_warn_age_login_defs"/>
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-accounts_password_warn_age_login_defs:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-accounts_password_warn_age_login_defs_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-            </xccdf-1.2:Group>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_password_storage">
-              <xccdf-1.2:title>Verify Proper Storage and Existence of Password
-Hashes</xccdf-1.2:title>
-              <xccdf-1.2:description>By default, password hashes for local accounts are stored
-in the second field (colon-separated) in
-<html:code>/etc/shadow</html:code>. This file should be readable only by
-processes running with root credentials, preventing users from
-casually accessing others' password hashes and attempting
-to crack them.
-However, it remains possible to misconfigure the system
-and store password hashes
-in world-readable files such as <html:code>/etc/passwd</html:code>, or
-to even store passwords themselves in plaintext on the system.
-Using system-provided tools for password change/creation
-should allow administrators to avoid such misconfiguration.</xccdf-1.2:description>
-              <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_password_pam_unix_rounds" type="number">
-                <xccdf-1.2:title>Password Hashing algorithm</xccdf-1.2:title>
-                <xccdf-1.2:description>Specify the number of SHA rounds for the system password encryption algorithm.
-Defines the value set in <html:code>/etc/pam.d/system-auth</html:code> and <html:code>/etc/pam.d/password-auth</html:code></xccdf-1.2:description>
-                <xccdf-1.2:value>5000</xccdf-1.2:value>
-                <xccdf-1.2:value selector="5000">5000</xccdf-1.2:value>
-                <xccdf-1.2:value selector="65536">65536</xccdf-1.2:value>
-              </xccdf-1.2:Value>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_accounts_password_all_shadowed" severity="medium">
-                <xccdf-1.2:title>Verify All Account Password Hashes are Shadowed</xccdf-1.2:title>
-                <xccdf-1.2:description>If any password hashes are stored in <html:code>/etc/passwd</html:code> (in the second field,
-instead of an <html:code>x</html:code> or <html:code>*</html:code>), the cause of this misconfiguration should be
-investigated. The account should have its password reset and the hash should be
-properly stored, or the account should be deleted entirely.</xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.5.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">1410</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.18.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(h)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-8.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>The hashes for all user account passwords should be stored in
-the file <html:code>/etc/shadow</html:code> and never in <html:code>/etc/passwd</html:code>,
-which is readable by all users.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#machine"/>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-accounts_password_all_shadowed:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-accounts_password_all_shadowed_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_gid_passwd_group_same" severity="low">
-                <xccdf-1.2:title>All GIDs referenced in /etc/passwd must be defined in /etc/group</xccdf-1.2:title>
-                <xccdf-1.2:description>Add a group to the system for each GID referenced without a corresponding group.</xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000764</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.18.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-8.5.a</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000104-GPOS-00051</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>If a user is assigned the Group Identifier (GID) of a group not existing on the system, and a group
-with the Group Identifier (GID) is subsequently created, the user may have unintended rights to
-any files associated with the group.</xccdf-1.2:rationale>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-gid_passwd_group_same:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-gid_passwd_group_same_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_no_empty_passwords" severity="high">
-                <xccdf-1.2:title>Prevent Login to Accounts With Empty Password</xccdf-1.2:title>
-                <xccdf-1.2:description>If an account is configured for password authentication
-but does not have an assigned password, it may be possible to log
-into the account without authentication. Remove any instances of the
-<html:code>nullok</html:code> in
-
-<html:code>/etc/pam.d/system-auth</html:code> and
-<html:code>/etc/pam.d/password-auth</html:code>
-
-to prevent logins with empty passwords.</xccdf-1.2:description>
-                <xccdf-1.2:warning category="general">If the system relies on <html:code>authselect</html:code> tool to manage PAM settings, the remediation
-will also use <html:code>authselect</html:code> tool. However, if any manual modification was made in
-PAM files, the <html:code>authselect</html:code> integrity check will fail and the remediation will be
-aborted in order to preserve intentional changes. In this case, an informative message will
-be shown in the remediation report.
-Note that this rule is not applicable for systems running within a
-container. Having user with empty password within a container is not
-considered a risk, because it should not be possible to directly login into
-a container anyway.</xccdf-1.2:warning>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(B)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(ii)(A)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(1)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(ii)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iii)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(1)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.18.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_UAU.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-8.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>If an account has an empty password, anyone could log in and
-run commands with the privileges of that account. Accounts with
-empty passwords should never be used in operational environments.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#machine"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82553-9</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="no_empty_passwords">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/password-auth
-        overwrite: true
-      - contents:
-          source: data:,%23%20Generated%20by%20authselect%20on%20Sat%20Oct%2027%2014%3A59%3A36%202018%0A%23%20Do%20not%20modify%20this%20file%20manually.%0A%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_env.so%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_faildelay.so%20delay%3D2000000%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_fprintd.so%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet%0Aauth%20%20%20%20%20%20%20%20%5Bdefault%3D1%20ignore%3Dignore%20success%3Dok%5D%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20try_first_pass%0Aauth%20%20%20%20%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3E%3D%201000%20quiet_success%0Aauth%20%20%20%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20forward_pass%0Aauth%20%20%20%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_localuser.so%0Aaccount%20%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20uid%20%3C%201000%20quiet%0Aaccount%20%20%20%20%20%5Bdefault%3Dbad%20success%3Dok%20user_unknown%3Dignore%5D%20pam_sss.so%0Aaccount%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_permit.so%0A%0Apassword%20%20%20%20requisite%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_pwquality.so%20try_first_pass%20local_users_only%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%20sha512%20shadow%20try_first_pass%20use_authtok%0Apassword%20%20%20%20sufficient%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%20use_authtok%0Apassword%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_deny.so%0A%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_keyinit.so%20revoke%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_limits.so%0A-session%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_systemd.so%0Asession%20%20%20%20%20%5Bsuccess%3D1%20default%3Dignore%5D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_succeed_if.so%20service%20in%20crond%20quiet%20use_uid%0Asession%20%20%20%20%20required%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_unix.so%0Asession%20%20%20%20%20optional%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20pam_sss.so%0A
-        mode: 0644
-        path: /etc/pam.d/system-auth
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-no_empty_passwords:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-no_empty_passwords_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow" severity="high">
-                <xccdf-1.2:title>Ensure There Are No Accounts With Blank or Null Passwords</xccdf-1.2:title>
-                <xccdf-1.2:description>Check the "/etc/shadow" file for blank passwords with the
-following command:
-<html:pre>$ sudo awk -F: '!$2 {print $1}' /etc/shadow</html:pre>
-If the command returns any results, this is a finding.
-Configure all accounts on the system to have a password or lock
-the account with the following commands:
-Perform a password reset:
-<html:pre>$ sudo passwd [username]</html:pre>
-Lock an account:
-<html:pre>$ sudo passwd -l [username]</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:warning category="general">Note that this rule is not applicable for systems running within a container. Having user with empty password within a container is not considered a risk, because it should not be possible to directly login into a container anyway.</xccdf-1.2:warning>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6.1(iv)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>If an account has an empty password, anyone could log in and
-run commands with the privileges of that account. Accounts with
-empty passwords should never be used in operational environments.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#machine"/>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-no_empty_passwords_etc_shadow:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-no_empty_passwords_etc_shadow_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_no_legacy_plus_entries_etc_group" severity="medium">
-                <xccdf-1.2:title>Ensure there are no legacy + NIS entries in /etc/group</xccdf-1.2:title>
-                <xccdf-1.2:description>The <html:code>+</html:code> character in <html:code>/etc/group</html:code> file marks a place where
-entries from a network information service (NIS) should be directly inserted.</xccdf-1.2:description>
-                <xccdf-1.2:rationale>Using this method to include entries into <html:code>/etc/group</html:code> is considered legacy
-and should be avoided. These entries may provide a way for an attacker
-to gain access to the system.</xccdf-1.2:rationale>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-no_legacy_plus_entries_etc_group:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-no_legacy_plus_entries_etc_group_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_no_legacy_plus_entries_etc_passwd" severity="medium">
-                <xccdf-1.2:title>Ensure there are no legacy + NIS entries in /etc/passwd</xccdf-1.2:title>
-                <xccdf-1.2:description>The <html:code>+</html:code> character in <html:code>/etc/passwd</html:code> file marks a place where
-entries from a network information service (NIS) should be directly inserted.</xccdf-1.2:description>
-                <xccdf-1.2:rationale>Using this method to include entries into <html:code>/etc/passwd</html:code> is considered legacy
-and should be avoided. These entries may provide a way for an attacker
-to gain access to the system.</xccdf-1.2:rationale>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-no_legacy_plus_entries_etc_passwd:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-no_legacy_plus_entries_etc_passwd_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_no_legacy_plus_entries_etc_shadow" severity="medium">
-                <xccdf-1.2:title>Ensure there are no legacy + NIS entries in /etc/shadow</xccdf-1.2:title>
-                <xccdf-1.2:description>The <html:code>+</html:code> character in <html:code>/etc/shadow</html:code> file marks a place where
-entries from a network information service (NIS) should be directly inserted.</xccdf-1.2:description>
-                <xccdf-1.2:rationale>Using this method to include entries into <html:code>/etc/shadow</html:code> is considered legacy
-and should be avoided. These entries may provide a way for an attacker
-to gain access to the system.</xccdf-1.2:rationale>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-no_legacy_plus_entries_etc_shadow:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-no_legacy_plus_entries_etc_shadow_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_no_netrc_files" severity="medium">
-                <xccdf-1.2:title>Verify No netrc Files Exist</xccdf-1.2:title>
-                <xccdf-1.2:description>The <html:code>.netrc</html:code> files contain login information
-used to auto-login into FTP servers and reside in the user's home
-directory. These files may contain unencrypted passwords to
-remote FTP servers making them susceptible to access by unauthorized
-users and should not be used.  Any <html:code>.netrc</html:code> files should be removed.</xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000196</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.18.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R3.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R3.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(h)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(7)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Unencrypted passwords for remote FTP servers may be stored in <html:code>.netrc</html:code>
-files. </xccdf-1.2:rationale>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82667-7</xccdf-1.2:ident>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-no_netrc_files:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-no_netrc_files_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-            </xccdf-1.2:Group>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_root_logins">
-              <xccdf-1.2:title>Restrict Root Logins</xccdf-1.2:title>
-              <xccdf-1.2:description>Direct root logins should be allowed only for emergency use.
-In normal situations, the administrator should access the system
-via a unique unprivileged account, and then use <html:code>su</html:code> or <html:code>sudo</html:code> to execute
-privileged commands. Discouraging administrators from accessing the
-root account directly ensures an audit trail in organizations with
-multiple administrators. Locking down the channels through which
-root can connect directly also reduces opportunities for
-password-guessing against the root account. The <html:code>login</html:code> program
-uses the file <html:code>/etc/securetty</html:code> to determine which interfaces
-should allow root logins.
-
-The virtual devices <html:code>/dev/console</html:code>
-and <html:code>/dev/tty*</html:code> represent the system consoles (accessible via
-the Ctrl-Alt-F1 through Ctrl-Alt-F6 keyboard sequences on a default
-installation). The default securetty file also contains <html:code>/dev/vc/*</html:code>.
-These are likely to be deprecated in most environments, but may be retained
-for compatibility. Root should also be prohibited from connecting
-via network protocols. Other sections of this document
-include guidance describing how to prevent root from logging in via SSH.</xccdf-1.2:description>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_accounts_no_uid_except_zero" severity="high">
-                <xccdf-1.2:title>Verify Only Root Has UID 0</xccdf-1.2:title>
-                <xccdf-1.2:description>If any account other than root has a UID of 0, this misconfiguration should
-be investigated and the accounts other than root should be removed or have
-their UID changed.
-<html:br/>
-If the account is associated with system commands or applications the UID
-should be changed to one greater than "0" but less than "1000."
-Otherwise assign a UID greater than "1000" that has not already been
-assigned.</xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.18.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(5)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-4(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>An account has root authority if it has a UID of 0. Multiple accounts
-with a UID of 0 afford more opportunity for potential intruders to
-guess a password for a privileged account. Proper configuration of
-sudo is recommended to afford multiple system administrators
-access to root privileges in an accountable manner.</xccdf-1.2:rationale>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82699-0</xccdf-1.2:ident>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-accounts_no_uid_except_zero:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-accounts_no_uid_except_zero_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_accounts_root_gid_zero" severity="high">
-                <xccdf-1.2:title>Verify Root Has A Primary GID 0</xccdf-1.2:title>
-                <xccdf-1.2:description>The <html:code>root</html:code> user should have a primary group of 0.</xccdf-1.2:description>
-                <xccdf-1.2:rationale>To help ensure that root-owned files are not inadvertently exposed to other users.</xccdf-1.2:rationale>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-accounts_root_gid_zero:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-accounts_root_gid_zero_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_no_direct_root_logins" severity="medium">
-                <xccdf-1.2:title>Direct root Logins Not Allowed</xccdf-1.2:title>
-                <xccdf-1.2:description>To further limit access to the <html:code>root</html:code> account, administrators
-can disable root logins at the console by editing the <html:code>/etc/securetty</html:code> file.
-This file lists all devices the root user is allowed to login to. If the file does
-not exist at all, the root user can login through any communication device on the
-system, whether via the console or via a raw network interface. This is dangerous
-as user can login to the system as root via Telnet, which sends the password in
-plain text over the network. By default, Red Hat Enterprise Linux CoreOS 4's
-<html:code>/etc/securetty</html:code> file only allows the root user to login at the console
-physically attached to the system. To prevent root from logging in, remove the
-contents of this file. To prevent direct root logins, remove the contents of this
-file by typing the following command:
-<html:pre>
-$ sudo echo &gt; /etc/securetty
-</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R19)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(B)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(ii)(A)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(1)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(ii)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iii)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(1)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.18.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Disabling direct root logins ensures proper accountability and multifactor
-authentication to privileged accounts. Users will first login, then escalate
-to privileged (root) access via su / sudo. This is required for FISMA Low
-and FISMA Moderate systems.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#machine"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82698-2</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="no_direct_root_logins">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,
-        mode: 0600
-        path: /etc/securetty
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-no_direct_root_logins:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-no_direct_root_logins_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_no_password_auth_for_systemaccounts" severity="medium">
-                <xccdf-1.2:title>Ensure that System Accounts Are Locked</xccdf-1.2:title>
-                <xccdf-1.2:description>Some accounts are not associated with a human user of the system, and exist to
-perform some administrative function. An attacker should not be able to log into
-these accounts.
-<html:br/><html:br/>
-System accounts are those user accounts with a user ID
-less than UID_MIN, where value of the UID_MIN directive is set in
-<html:code>/etc/login.defs</html:code> configuration file. In the default configuration UID_MIN is set
-to 500, thus system accounts are those user accounts with a user ID less than
-500. If any system account <html:i>SYSACCT</html:i> (other than root) has an unlocked password,
-disable it with the command:
-<html:pre>$ sudo passwd -l <html:i>SYSACCT</html:i></html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Disabling authentication for default system accounts makes it more difficult
-for attackers to make use of them to compromise a system.false</xccdf-1.2:rationale>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-no_password_auth_for_systemaccounts_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_no_shelllogin_for_systemaccounts" severity="medium">
-                <xccdf-1.2:title>Ensure that System Accounts Do Not Run a Shell Upon Login</xccdf-1.2:title>
-                <xccdf-1.2:description>Some accounts are not associated with a human user of the system, and exist to
-perform some administrative function. Should an attacker be able to log into
-these accounts, they should not be granted access to a shell.
-<html:br/><html:br/>
-The login shell for each local account is stored in the last field of each line
-in <html:code>/etc/passwd</html:code>. System accounts are those user accounts with a user ID
-less than UID_MIN, where value of UID_MIN directive is set in
-/etc/login.defs configuration file. In the default configuration UID_MIN is set
-to 1000, thus system accounts are those user accounts with a user ID less than
-1000. The user ID is stored in the third field. If any system account
-<html:i>SYSACCT</html:i> (other than root) has a login shell, disable it with the
-command: <html:pre>$ sudo usermod -s /sbin/nologin <html:i>SYSACCT</html:i></html:pre></xccdf-1.2:description>
-                <xccdf-1.2:warning category="functionality">Do not perform the steps in this section on the root account. Doing so might
-cause the system to become inaccessible.</xccdf-1.2:warning>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">1491</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6.1(iv)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Ensuring shells are not given to system accounts upon login makes it more
-difficult for attackers to make use of system accounts.</xccdf-1.2:rationale>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82697-4</xccdf-1.2:ident>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-no_shelllogin_for_systemaccounts:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-no_shelllogin_for_systemaccounts_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_restrict_serial_port_logins" severity="medium">
-                <xccdf-1.2:title>Restrict Serial Port Root Logins</xccdf-1.2:title>
-                <xccdf-1.2:description>To restrict root logins on serial ports,
-ensure lines of this form do not appear in <html:code>/etc/securetty</html:code>:
-<html:pre>ttyS0
-ttyS1</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000770</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(B)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(ii)(A)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(1)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(ii)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iii)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(1)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Preventing direct root login to serial port interfaces
-helps ensure accountability for actions taken on the systems
-using the root account.</xccdf-1.2:rationale>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-restrict_serial_port_logins:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-restrict_serial_port_logins_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_securetty_root_login_console_only" severity="medium">
-                <xccdf-1.2:title>Restrict Virtual Console Root Logins</xccdf-1.2:title>
-                <xccdf-1.2:description>To restrict root logins through the (deprecated) virtual console devices,
-ensure lines of this form do not appear in <html:code>/etc/securetty</html:code>:
-<html:pre>vc/1
-vc/2
-vc/3
-vc/4</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000770</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(B)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(ii)(A)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(1)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(ii)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iii)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(1)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000324-GPOS-00125</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Preventing direct root login to virtual console devices
-helps ensure accountability for actions taken on the system
-using the root account.</xccdf-1.2:rationale>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-securetty_root_login_console_only:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-securetty_root_login_console_only_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-            </xccdf-1.2:Group>
-          </xccdf-1.2:Group>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_accounts-session">
-            <xccdf-1.2:title>Secure Session Configuration Files for Login Accounts</xccdf-1.2:title>
-            <xccdf-1.2:description>When a user logs into a Unix account, the system
-configures the user's session by reading a number of files. Many of
-these files are located in the user's home directory, and may have
-weak permissions as a result of user error or misconfiguration. If
-an attacker can modify or even read certain types of account
-configuration information, they can often gain full access to the
-affected user's account. Therefore, it is important to test and
-correct configuration file permissions for interactive accounts,
-particularly those of privileged users such as root or system
-administrators.</xccdf-1.2:description>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_accounts_fail_delay" type="number">
-              <xccdf-1.2:title>Maximum login attempts delay</xccdf-1.2:title>
-              <xccdf-1.2:description>Maximum time in seconds between fail login attempts before re-prompting.</xccdf-1.2:description>
-              <xccdf-1.2:value selector="1">1</xccdf-1.2:value>
-              <xccdf-1.2:value selector="2">2</xccdf-1.2:value>
-              <xccdf-1.2:value selector="3">3</xccdf-1.2:value>
-              <xccdf-1.2:value selector="4">4</xccdf-1.2:value>
-              <xccdf-1.2:value selector="5">5</xccdf-1.2:value>
-              <xccdf-1.2:value>4</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_accounts_max_concurrent_login_sessions" type="number">
-              <xccdf-1.2:title>Maximum concurrent login sessions</xccdf-1.2:title>
-              <xccdf-1.2:description>Maximum number of concurrent sessions by a user</xccdf-1.2:description>
-              <xccdf-1.2:value selector="1">1</xccdf-1.2:value>
-              <xccdf-1.2:value selector="10">10</xccdf-1.2:value>
-              <xccdf-1.2:value selector="15">15</xccdf-1.2:value>
-              <xccdf-1.2:value selector="20">20</xccdf-1.2:value>
-              <xccdf-1.2:value selector="3">3</xccdf-1.2:value>
-              <xccdf-1.2:value selector="5">5</xccdf-1.2:value>
-              <xccdf-1.2:value>1</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_accounts_tmout" type="number">
-              <xccdf-1.2:title>Account Inactivity Timeout (seconds)</xccdf-1.2:title>
-              <xccdf-1.2:description>In an interactive shell, the value is interpreted as the
-number of seconds to wait for input after issuing the primary prompt.
-Bash terminates after waiting for that number of seconds if input does
-not arrive.</xccdf-1.2:description>
-              <xccdf-1.2:value selector="30_min">1800</xccdf-1.2:value>
-              <xccdf-1.2:value selector="10_min">600</xccdf-1.2:value>
-              <xccdf-1.2:value selector="15_min">900</xccdf-1.2:value>
-              <xccdf-1.2:value selector="5_min">300</xccdf-1.2:value>
-              <xccdf-1.2:value>600</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_user_initialization_files_regex" type="string">
-              <xccdf-1.2:title>Interactive users initialization files</xccdf-1.2:title>
-              <xccdf-1.2:description>'A regular expression describing a list of file names
-for files that are sourced at login time for interactive users'</xccdf-1.2:description>
-              <xccdf-1.2:value>(\.bashrc|\.zshrc|\.cshrc|\.profile|\.bash_login|\.bash_profile)</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_accounts_logon_fail_delay" severity="medium">
-              <xccdf-1.2:title>Ensure the Logon Failure Delay is Set Correctly in login.defs</xccdf-1.2:title>
-              <xccdf-1.2:description>To ensure the logon failure delay controlled by <html:code>/etc/login.defs</html:code> is set properly,
-add or correct the <html:code>FAIL_DELAY</html:code> setting in <html:code>/etc/login.defs</html:code> to read as follows:
-<html:pre>FAIL_DELAY <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_accounts_fail_delay" use="legacy"/></html:pre></xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-7(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00226</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Increasing the time between a failed authentication attempt and re-prompting to
-enter credentials helps to slow a single-threaded brute force attack.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#login_defs"/>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-export export-name="oval:ssg-var_accounts_fail_delay:var:1" value-id="xccdf_org.ssgproject.content_value_var_accounts_fail_delay"/>
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-accounts_logon_fail_delay:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-accounts_logon_fail_delay_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_accounts_max_concurrent_login_sessions" severity="low">
-              <xccdf-1.2:title>Limit the Number of Concurrent Login Sessions Allowed Per User</xccdf-1.2:title>
-              <xccdf-1.2:description>Limiting the number of allowed users and sessions per user can limit risks related to Denial of
-Service attacks. This addresses concurrent sessions for a single account and does not address
-concurrent sessions by a single user via multiple accounts. To set the number of concurrent
-sessions per user add the following line in <html:code>/etc/security/limits.conf</html:code> or
-a file under <html:code>/etc/security/limits.d/</html:code>:
-<html:pre>* hard maxlogins <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_accounts_max_concurrent_login_sessions" use="legacy"/></html:pre></xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000054</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000027-GPOS-00008</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000027-VMM-000080</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Limiting simultaneous user logins can insulate the system from denial of service
-problems caused by excessive logins. Automated login processes operating improperly or
-maliciously may result in an exceptional number of simultaneous login sessions.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#pam"/>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-export export-name="oval:ssg-var_accounts_max_concurrent_login_sessions:var:1" value-id="xccdf_org.ssgproject.content_value_var_accounts_max_concurrent_login_sessions"/>
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-accounts_max_concurrent_login_sessions:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-accounts_max_concurrent_login_sessions_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_accounts_polyinstantiated_tmp" severity="low">
-              <xccdf-1.2:title>Configure Polyinstantiation of /tmp Directories</xccdf-1.2:title>
-              <xccdf-1.2:description>To configure polyinstantiated /tmp directories, first create the parent directories
-which will hold the polyinstantiation child directories. Use the following command:
-<html:pre>$ sudo mkdir --mode 000 /tmp/tmp-inst</html:pre>
-Then, add the following entry to <html:code>/etc/security/namespace.conf</html:code>:
-<html:pre>/tmp     /tmp/tmp-inst/            level      root,adm</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R39)</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Polyinstantiation of temporary directories is a proactive security measure
-which reduces chances of attacks that are made possible by /tmp
-directories being world-writable.</xccdf-1.2:rationale>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-accounts_polyinstantiated_tmp:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-accounts_polyinstantiated_tmp_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_accounts_polyinstantiated_var_tmp" severity="low">
-              <xccdf-1.2:title>Configure Polyinstantiation of /var/tmp Directories</xccdf-1.2:title>
-              <xccdf-1.2:description>To configure polyinstantiated /tmp directories, first create the parent directories
-which will hold the polyinstantiation child directories. Use the following command:
-<html:pre>$ sudo mkdir --mode 000 /var/tmp/tmp-inst</html:pre>
-Then, add the following entry to <html:code>/etc/security/namespace.conf</html:code>:
-<html:pre>/var/tmp /var/tmp/tmp-inst/    level      root,adm</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R39)</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Polyinstantiation of temporary directories is a proactive security measure
-which reduces chances of attacks that are made possible by /var/tmp
-directories being world-writable.</xccdf-1.2:rationale>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-accounts_polyinstantiated_var_tmp:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-accounts_polyinstantiated_var_tmp_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_accounts_tmout" severity="medium">
-              <xccdf-1.2:title>Set Interactive Session Timeout</xccdf-1.2:title>
-              <xccdf-1.2:description>Setting the <html:code>TMOUT</html:code> option in <html:code>/etc/profile</html:code> ensures that
-all user sessions will terminate based on inactivity.
-The value of TMOUT should be exported and read only.
-The <html:code>TMOUT</html:code>
-
-setting in a file loaded by <html:code>/etc/profile</html:code>, e.g.
-<html:code>/etc/profile.d/tmout.sh</html:code> should read as follows:
-<html:pre>declare -xr TMOUT=<xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_accounts_tmout" use="legacy"/></html:pre></xccdf-1.2:description>
-              <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R29)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000057</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001133</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002361</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.18.1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_MOF_EXT.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000163-GPOS-00072</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000029-GPOS-00010</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000163-VMM-000700</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000279-VMM-001010</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Terminating an idle session within a short time period reduces
-the window of opportunity for unauthorized personnel to take control of a
-management session enabled on the console or console port that has been
-left unattended.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-export export-name="oval:ssg-var_accounts_tmout:var:1" value-id="xccdf_org.ssgproject.content_value_var_accounts_tmout"/>
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-accounts_tmout:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-accounts_tmout_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_home_dirs" severity="medium">
-              <xccdf-1.2:title>Ensure that User Home Directories are not Group-Writable or World-Readable</xccdf-1.2:title>
-              <xccdf-1.2:description>For each human user of the system, view the
-permissions of the user's home directory:
-<html:pre># ls -ld /home/<html:i>USER</html:i></html:pre>
-Ensure that the directory is not group-writable and that it
-is not world-readable. If necessary, repair the permissions:
-<html:pre># chmod g-w /home/<html:i>USER</html:i>
-# chmod o-rwx /home/<html:i>USER</html:i></html:pre></xccdf-1.2:description>
-              <xccdf-1.2:warning category="functionality">This action may involve modifying user home directories.
-Notify your user community, and solicit input if appropriate,
-before making this type of change.</xccdf-1.2:warning>
-              <xccdf-1.2:warning category="general">This rule is deprecated in favor of the <html:code>file_permissions_home_directories</html:code> rule.
-Please consider replacing this rule in your files as it is not expected to receive
-updates as of version <html:code>0.1.62</html:code>.</xccdf-1.2:warning>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000225</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>User home directories contain many configuration files which
-affect the behavior of a user's account. No user should ever have
-write permission to another user's home directory. Group shared
-directories can be configured in sub-directories or elsewhere in the
-filesystem if they are needed. Typically, user home directories
-should not be world-readable, as it would disclose file names
-to other users. If a subset of users need read access
-to one another's home directories, this can be provided using
-groups or ACLs.</xccdf-1.2:rationale>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-file_permissions_home_dirs:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-file_permissions_home_dirs_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_root_paths">
-              <xccdf-1.2:title>Ensure that No Dangerous Directories Exist in Root's Path</xccdf-1.2:title>
-              <xccdf-1.2:description>The active path of the root account can be obtained by
-starting a new root shell and running:
-<html:pre># echo $PATH</html:pre>
-This will produce a colon-separated list of
-directories in the path.
-<html:br/><html:br/>
-Certain path elements could be considered dangerous, as they could lead
-to root executing unknown or
-untrusted programs, which could contain malicious
-code.
-Since root may sometimes work inside
-untrusted directories, the <html:code>.</html:code> character, which represents the
-current directory, should never be in the root path, nor should any
-directory which can be written to by an unprivileged or
-semi-privileged (system) user.
-<html:br/><html:br/>
-It is a good practice for administrators to always execute
-privileged commands by typing the full path to the
-command.</xccdf-1.2:description>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_accounts_root_path_dirs_no_write" severity="medium">
-                <xccdf-1.2:title>Ensure that Root's Path Does Not Include World or Group-Writable Directories</xccdf-1.2:title>
-                <xccdf-1.2:description>For each element in root's path, run:
-<html:pre># ls -ld <html:i>DIR</html:i></html:pre>
-and ensure that write permissions are disabled for group and
-other.</xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Such entries increase the risk that root could
-execute code provided by unprivileged users,
-and potentially malicious code.</xccdf-1.2:rationale>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-accounts_root_path_dirs_no_write:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-accounts_root_path_dirs_no_write_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_root_path_no_dot" severity="unknown">
-                <xccdf-1.2:title>Ensure that Root's Path Does Not Include Relative Paths or Null Directories</xccdf-1.2:title>
-                <xccdf-1.2:description>Ensure that none of the directories in root's path is equal to a single
-<html:code>.</html:code> character, or
-that it contains any instances that lead to relative path traversal, such as
-<html:code>..</html:code> or beginning a path without the slash (<html:code>/</html:code>) character.
-Also ensure that there are no "empty" elements in the path, such as in these examples:
-<html:pre>PATH=:/bin
-PATH=/bin:
-PATH=/bin::/sbin</html:pre>
-These empty elements have the same effect as a single <html:code>.</html:code> character.</xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Including these entries increases the risk that root could
-execute code from an untrusted location.</xccdf-1.2:rationale>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-root_path_no_dot:def:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-            </xccdf-1.2:Group>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_user_umask">
-              <xccdf-1.2:title>Ensure that Users Have Sensible Umask Values</xccdf-1.2:title>
-              <xccdf-1.2:description>The umask setting controls the default permissions
-for the creation of new files.
-With a default <html:code>umask</html:code> setting of 077, files and directories
-created by users will not be readable by any other user on the
-system. Users who wish to make specific files group- or
-world-readable can accomplish this by using the chmod command.
-Additionally, users can make all their files readable to their
-group by default by setting a <html:code>umask</html:code> of 027 in their shell
-configuration files. If default per-user groups exist (that is, if
-every user has a default group whose name is the same as that
-user's username and whose only member is the user), then it may
-even be safe for users to select a <html:code>umask</html:code> of 007, making it very
-easy to intentionally share files with groups of which the user is
-a member.
-<html:br/><html:br/></xccdf-1.2:description>
-              <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_accounts_user_umask" type="string">
-                <xccdf-1.2:title>Sensible umask</xccdf-1.2:title>
-                <xccdf-1.2:description>Enter default user umask</xccdf-1.2:description>
-                <xccdf-1.2:value selector="007">007</xccdf-1.2:value>
-                <xccdf-1.2:value selector="022">022</xccdf-1.2:value>
-                <xccdf-1.2:value selector="027">027</xccdf-1.2:value>
-                <xccdf-1.2:value selector="077">077</xccdf-1.2:value>
-                <xccdf-1.2:value>027</xccdf-1.2:value>
-              </xccdf-1.2:Value>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc" severity="medium">
-                <xccdf-1.2:title>Ensure the Default Bash Umask is Set Correctly</xccdf-1.2:title>
-                <xccdf-1.2:description>To ensure the default umask for users of the Bash shell is set properly,
-add or correct the <html:code>umask</html:code> setting in <html:code>/etc/bashrc</html:code> to read
-as follows:
-<html:pre>umask <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_accounts_user_umask" use="legacy"/></html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R35)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00228</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>The umask value influences the permissions assigned to files when they are created.
-A misconfigured umask value could result in files with excessive permissions that can be read or
-written to by unauthorized users.</xccdf-1.2:rationale>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84260-9</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:ignition" id="accounts_umask_etc_bashrc">apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20/etc/bashrc%0A%0A%23%20System%20wide%20functions%20and%20aliases%0A%23%20Environment%20stuff%20goes%20in%20/etc/profile%0A%0A%23%20It%27s%20NOT%20a%20good%20idea%20to%20change%20this%20file%20unless%20you%20know%20what%20you%0A%23%20are%20doing.%20It%27s%20much%20better%20to%20create%20a%20custom.sh%20shell%20script%20in%0A%23%20/etc/profile.d/%20to%20make%20custom%20changes%20to%20your%20environment%2C%20as%20this%0A%23%20will%20prevent%20the%20need%20for%20merging%20in%20future%20updates.%0A%0A%23%20Prevent%20doublesourcing%0Aif%20%5B%20-z%20%22%24BASHRCSOURCED%22%20%5D%3B%20then%0A%20%20BASHRCSOURCED%3D%22Y%22%0A%0A%20%20%23%20are%20we%20an%20interactive%20shell%3F%0A%20%20if%20%5B%20%22%24PS1%22%20%5D%3B%20then%0A%20%20%20%20if%20%5B%20-z%20%22%24PROMPT_COMMAND%22%20%5D%3B%20then%0A%20%20%20%20%20%20case%20%24TERM%20in%0A%20%20%20%20%20%20xterm%2A%7Cvte%2A%29%0A%20%20%20%20%20%20%20%20if%20%5B%20-e%20/etc/sysconfig/bash-prompt-xterm%20%5D%3B%20then%0A%20%20%20%20%20%20%20%20%20%20%20%20PROMPT_COMMAND%3D/etc/sysconfig/bash-prompt-xterm%0A%20%20%20%20%20%20%20%20elif%20%5B%20%22%24%7BVTE_VERSION%3A-0%7D%22%20-ge%203405%20%5D%3B%20then%0A%20%20%20%20%20%20%20%20%20%20%20%20PROMPT_COMMAND%3D%22__vte_prompt_command%22%0A%20%20%20%20%20%20%20%20else%0A%20%20%20%20%20%20%20%20%20%20%20%20PROMPT_COMMAND%3D%27printf%20%22%5C033%5D0%3B%25s%40%25s%3A%25s%5C007%22%20%22%24%7BUSER%7D%22%20%22%24%7BHOSTNAME%25%25.%2A%7D%22%20%22%24%7BPWD/%23%24HOME/%5C~%7D%22%27%0A%20%20%20%20%20%20%20%20fi%0A%20%20%20%20%20%20%20%20%3B%3B%0A%20%20%20%20%20%20screen%2A%29%0A%20%20%20%20%20%20%20%20if%20%5B%20-e%20/etc/sysconfig/bash-prompt-screen%20%5D%3B%20then%0A%20%20%20%20%20%20%20%20%20%20%20%20PROMPT_COMMAND%3D/etc/sysconfig/bash-prompt-screen%0A%20%20%20%20%20%20%20%20else%0A%20%20%20%20%20%20%20%20%20%20%20%20PROMPT_COMMAND%3D%27printf%20%22%5C033k%25s%40%25s%3A%25s%5C033%5C%5C%22%20%22%24%7BUSER%7D%22%20%22%24%7BHOSTNAME%25%25.%2A%7D%22%20%22%24%7BPWD/%23%24HOME/%5C~%7D%22%27%0A%20%20%20%20%20%20%20%20fi%0A%20%20%20%20%20%20%20%20%3B%3B%0A%20%20%20%20%20%20%2A%29%0A%20%20%20%20%20%20%20%20%5B%20-e%20/etc/sysconfig/bash-prompt-default%20%5D%20%26%26%20PROMPT_COMMAND%3D/etc/sysconfig/bash-prompt-default%0A%20%20%20%20%20%20%20%20%3B%3B%0A%20%20%20%20%20%20esac%0A%20%20%20%20fi%0A%20%20%20%20%23%20Turn%20on%20parallel%20history%0A%20%20%20%20shopt%20-s%20histappend%0A%20%20%20%20history%20-a%0A%20%20%20%20%23%20Turn%20on%20checkwinsize%0A%20%20%20%20shopt%20-s%20checkwinsize%0A%20%20%20%20%5B%20%22%24PS1%22%20%3D%20%22%5C%5Cs-%5C%5Cv%5C%5C%5C%24%20%22%20%5D%20%26%26%20PS1%3D%22%5B%5Cu%40%5Ch%20%5CW%5D%5C%5C%24%20%22%0A%20%20%20%20%23%20You%20might%20want%20to%20have%20e.g.%20tty%20in%20prompt%20%28e.g.%20more%20virtual%20machines%29%0A%20%20%20%20%23%20and%20console%20windows%0A%20%20%20%20%23%20If%20you%20want%20to%20do%20so%2C%20just%20add%20e.g.%0A%20%20%20%20%23%20if%20%5B%20%22%24PS1%22%20%5D%3B%20then%0A%20%20%20%20%23%20%20%20PS1%3D%22%5B%5Cu%40%5Ch%3A%5Cl%20%5CW%5D%5C%5C%24%20%22%0A%20%20%20%20%23%20fi%0A%20%20%20%20%23%20to%20your%20custom%20modification%20shell%20script%20in%20/etc/profile.d/%20directory%0A%20%20fi%0A%0A%20%20if%20%21%20shopt%20-q%20login_shell%20%3B%20then%20%23%20We%27re%20not%20a%20login%20shell%0A%20%20%20%20%23%20Need%20to%20redefine%20pathmunge%2C%20it%20gets%20undefined%20at%20the%20end%20of%20/etc/profile%0A%20%20%20%20pathmunge%20%28%29%20%7B%0A%20%20%20%20%20%20%20%20case%20%22%3A%24%7BPATH%7D%3A%22%20in%0A%20%20%20%20%20%20%20%20%20%20%20%20%2A%3A%22%241%22%3A%2A%29%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%3B%3B%0A%20%20%20%20%20%20%20%20%20%20%20%20%2A%29%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20if%20%5B%20%22%242%22%20%3D%20%22after%22%20%5D%20%3B%20then%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20PATH%3D%24PATH%3A%241%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20else%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20PATH%3D%241%3A%24PATH%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20fi%0A%20%20%20%20%20%20%20%20esac%0A%20%20%20%20%7D%0A%0A%20%20%20%20%23%20By%20default%2C%20we%20want%20umask%20to%20get%20set.%20This%20sets%20it%20for%20non-login%20shell.%0A%20%20%20%20%23%20Current%20threshold%20for%20system%20reserved%20uid/gids%20is%20200%0A%20%20%20%20%23%20You%20could%20check%20uidgid%20reservation%20validity%20in%0A%20%20%20%20%23%20/usr/share/doc/setup-%2A/uidgid%20file%0A%20%20%20%20if%20%5B%20%24UID%20-gt%20199%20%5D%20%26%26%20%5B%20%22%60id%20-gn%60%22%20%3D%20%22%60id%20-un%60%22%20%5D%3B%20then%0A%20%20%20%20%20%20%20umask%20027%0A%20%20%20%20else%0A%20%20%20%20%20%20%20umask%20027%0A%20%20%20%20fi%0A%0A%20%20%20%20SHELL%3D/bin/bash%0A%20%20%20%20%23%20Only%20display%20echos%20from%20profile.d%20scripts%20if%20we%20are%20no%20login%20shell%0A%20%20%20%20%23%20and%20interactive%20-%20otherwise%20just%20process%20them%20to%20set%20envvars%0A%20%20%20%20for%20i%20in%20/etc/profile.d/%2A.sh%3B%20do%0A%20%20%20%20%20%20%20%20if%20%5B%20-r%20%22%24i%22%20%5D%3B%20then%0A%20%20%20%20%20%20%20%20%20%20%20%20if%20%5B%20%22%24PS1%22%20%5D%3B%20then%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20.%20%22%24i%22%0A%20%20%20%20%20%20%20%20%20%20%20%20else%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20.%20%22%24i%22%20%3E/dev/null%0A%20%20%20%20%20%20%20%20%20%20%20%20fi%0A%20%20%20%20%20%20%20%20fi%0A%20%20%20%20done%0A%0A%20%20%20%20unset%20i%0A%20%20%20%20unset%20-f%20pathmunge%0A%20%20fi%0A%0Afi%0A%23%20vim%3Ats%3D4%3Asw%3D4%0A%0A%0A
-        mode: 0644
-        path: /etc/bashrc
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-export export-name="oval:ssg-var_accounts_user_umask:var:1" value-id="xccdf_org.ssgproject.content_value_var_accounts_user_umask"/>
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-accounts_umask_etc_bashrc:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-accounts_umask_etc_bashrc_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_accounts_umask_etc_csh_cshrc" severity="medium">
-                <xccdf-1.2:title>Ensure the Default C Shell Umask is Set Correctly</xccdf-1.2:title>
-                <xccdf-1.2:description>To ensure the default umask for users of the C shell is set properly,
-add or correct the <html:code>umask</html:code> setting in <html:code>/etc/csh.cshrc</html:code> to read as follows:
-<html:pre>umask <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_accounts_user_umask" use="legacy"/></html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00228</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>The umask value influences the permissions assigned to files when they are created.
-A misconfigured umask value could result in files with excessive permissions that can be read or
-written to by unauthorized users.</xccdf-1.2:rationale>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84261-7</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:ignition" id="accounts_umask_etc_csh_cshrc">apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20/etc/cshrc%0A%23%0A%23%20csh%20configuration%20for%20all%20shell%20invocations.%0A%0A%23%20By%20default%2C%20we%20want%20this%20to%20get%20set.%0A%23%20Even%20for%20non-interactive%2C%20non-login%20shells.%0A%23%20Current%20threshold%20for%20system%20reserved%20uid/gids%20is%20200%0A%23%20You%20could%20check%20uidgid%20reservation%20validity%20in%0A%23%20/usr/share/doc/setup-%2A/uidgid%20file%0Aif%20%28%24uid%20%3E%20199%20%26%26%20%22%60id%20-gn%60%22%20%3D%3D%20%22%60id%20-un%60%22%29%20then%0A%20%20%20%20umask%20027%0Aelse%0A%20%20%20%20umask%20027%0Aendif%0A%0Aif%20%28%24%3Fprompt%29%20then%0A%20%20if%20%28%24%3Ftcsh%29%20then%0A%20%20%20%20set%20promptchars%3D%27%24%23%27%0A%20%20%20%20set%20prompt%3D%27%5B%25n%40%25m%20%25c%5D%25%23%20%27%0A%20%20%20%20%23%20make%20completion%20work%20better%20by%20default%0A%20%20%20%20set%20autolist%0A%20%20else%0A%20%20%20%20set%20prompt%3D%5C%5B%24user%40%60hostname%20-s%60%5C%5D%5C%24%5C%20%0A%20%20endif%0Aendif%0A%0Aif%20%28%20%24%3Ftcsh%20%29%20then%0A%09bindkey%20%22%5E%5B%5B3~%22%20delete-char%0Aendif%0A%0Abindkey%20%22%5ER%22%20i-search-back%0Aset%20echo_style%20%3D%20both%0Aset%20histdup%20%3D%20erase%0Aset%20savehist%20%3D%20%281024%20merge%29%0A%0Aif%20%28%24%3Fprompt%29%20then%0A%20%20if%20%28%24%3FTERM%29%20then%0A%20%20%20%20switch%28%24TERM%29%0A%20%20%20%20%20%20case%20xterm%2A%3A%0A%20%20%20%20%20%20%20%20if%20%28%24%3Ftcsh%29%20then%0A%09%20%20set%20prompt%3D%27%25%7B%5C033%5D0%3B%25n%40%25m%3A%25c%5C007%25%7D%5B%25n%40%25m%20%25c%5D%25%23%20%27%0A%20%20%20%20%20%20%20%20endif%0A%20%20%20%20%20%20%20%20breaksw%0A%20%20%20%20%20%20case%20screen%3A%0A%20%20%20%20%20%20%20%20if%20%28%24%3Ftcsh%29%20then%0A%20%20%20%20%20%20%20%20%20%20set%20prompt%3D%27%25%7B%5C033k%25n%40%25m%3A%25c%5C033%5C%5C%25%7D%5B%25n%40%25m%20%25c%5D%25%23%20%27%0A%20%20%20%20%20%20%20%20endif%0A%20%20%20%20%20%20%20%20breaksw%0A%20%20%20%20%20%20default%3A%0A%20%20%20%20%20%20%20%20breaksw%0A%20%20%20%20endsw%0A%20%20endif%0Aendif%0A%0Asetenv%20MAIL%20%22/var/spool/mail/%24USER%22%0A%0A%23%20Check%20if%20we%20aren%27t%20a%20loginshell%20and%20do%20stuff%20if%20we%20aren%27t%0Aif%20%28%21%20%24%3Floginsh%29%20then%0A%20%20%20%20if%20%28%20-d%20/etc/profile.d%20%29%20then%0A%20%20%20%20%20%20%20%20set%20nonomatch%0A%20%20%20%20%20%20%20%20foreach%20i%20%28%20/etc/profile.d/%2A.csh%20%29%0A%20%20%20%20%20%20%20%20%20%20%20%20if%20%28%20-r%20%22%24i%22%20%29%20then%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20if%20%28%24%3Fprompt%29%20then%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20source%20%22%24i%22%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20else%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20source%20%22%24i%22%20%3E%26/dev/null%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20endif%0A%20%20%20%20%20%20%20%20%20%20%20%20endif%0A%20%20%20%20%20%20%20%20end%0A%20%20%20%20%20%20%20%20unset%20i%20nonomatch%0A%20%20%20%20endif%0Aendif%0A%0A%0A
-        mode: 0644
-        path: /etc/csh.cshrc
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-export export-name="oval:ssg-var_accounts_user_umask:var:1" value-id="xccdf_org.ssgproject.content_value_var_accounts_user_umask"/>
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-accounts_umask_etc_csh_cshrc:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-accounts_umask_etc_csh_cshrc_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs" severity="medium">
-                <xccdf-1.2:title>Ensure the Default Umask is Set Correctly in login.defs</xccdf-1.2:title>
-                <xccdf-1.2:description>To ensure the default umask controlled by <html:code>/etc/login.defs</html:code> is set properly,
-add or correct the <html:code>UMASK</html:code> setting in <html:code>/etc/login.defs</html:code> to read as follows:
-<html:pre>UMASK <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_accounts_user_umask" use="legacy"/></html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R35)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00228</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>The umask value influences the permissions assigned to files when they are created.
-A misconfigured umask value could result in files with excessive permissions that can be read and
-written to by unauthorized users.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#login_defs"/>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-export export-name="oval:ssg-var_accounts_user_umask:var:1" value-id="xccdf_org.ssgproject.content_value_var_accounts_user_umask"/>
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-accounts_umask_etc_login_defs:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-accounts_umask_etc_login_defs_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile" severity="medium">
-                <xccdf-1.2:title>Ensure the Default Umask is Set Correctly in /etc/profile</xccdf-1.2:title>
-                <xccdf-1.2:description>To ensure the default umask controlled by <html:code>/etc/profile</html:code> is set properly,
-add or correct the <html:code>umask</html:code> setting in <html:code>/etc/profile</html:code> to read as follows:
-<html:pre>umask <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_accounts_user_umask" use="legacy"/></html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R35)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00228</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>The umask value influences the permissions assigned to files when they are created.
-A misconfigured umask value could result in files with excessive permissions that can be read or
-written to by unauthorized users.</xccdf-1.2:rationale>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84262-5</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:ignition" id="accounts_umask_etc_profile">apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20/etc/profile%0A%0A%23%20System%20wide%20environment%20and%20startup%20programs%2C%20for%20login%20setup%0A%23%20Functions%20and%20aliases%20go%20in%20/etc/bashrc%0A%0A%23%20It%27s%20NOT%20a%20good%20idea%20to%20change%20this%20file%20unless%20you%20know%20what%20you%0A%23%20are%20doing.%20It%27s%20much%20better%20to%20create%20a%20custom.sh%20shell%20script%20in%0A%23%20/etc/profile.d/%20to%20make%20custom%20changes%20to%20your%20environment%2C%20as%20this%0A%23%20will%20prevent%20the%20need%20for%20merging%20in%20future%20updates.%0A%0Apathmunge%20%28%29%20%7B%0A%20%20%20%20case%20%22%3A%24%7BPATH%7D%3A%22%20in%0A%20%20%20%20%20%20%20%20%2A%3A%22%241%22%3A%2A%29%0A%20%20%20%20%20%20%20%20%20%20%20%20%3B%3B%0A%20%20%20%20%20%20%20%20%2A%29%0A%20%20%20%20%20%20%20%20%20%20%20%20if%20%5B%20%22%242%22%20%3D%20%22after%22%20%5D%20%3B%20then%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20PATH%3D%24PATH%3A%241%0A%20%20%20%20%20%20%20%20%20%20%20%20else%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20PATH%3D%241%3A%24PATH%0A%20%20%20%20%20%20%20%20%20%20%20%20fi%0A%20%20%20%20esac%0A%7D%0A%0A%0Aif%20%5B%20-x%20/usr/bin/id%20%5D%3B%20then%0A%20%20%20%20if%20%5B%20-z%20%22%24EUID%22%20%5D%3B%20then%0A%20%20%20%20%20%20%20%20%23%20ksh%20workaround%0A%20%20%20%20%20%20%20%20EUID%3D%60id%20-u%60%0A%20%20%20%20%20%20%20%20UID%3D%60id%20-ru%60%0A%20%20%20%20fi%0A%20%20%20%20USER%3D%22%60id%20-un%60%22%0A%20%20%20%20LOGNAME%3D%24USER%0A%20%20%20%20MAIL%3D%22/var/spool/mail/%24USER%22%0Afi%0A%0A%23%20Path%20manipulation%0Aif%20%5B%20%22%24EUID%22%20%3D%20%220%22%20%5D%3B%20then%0A%20%20%20%20pathmunge%20/usr/sbin%0A%20%20%20%20pathmunge%20/usr/local/sbin%0Aelse%0A%20%20%20%20pathmunge%20/usr/local/sbin%20after%0A%20%20%20%20pathmunge%20/usr/sbin%20after%0Afi%0A%0AHOSTNAME%3D%60/usr/bin/hostname%202%3E/dev/null%60%0AHISTSIZE%3D1000%0Aif%20%5B%20%22%24HISTCONTROL%22%20%3D%20%22ignorespace%22%20%5D%20%3B%20then%0A%20%20%20%20export%20HISTCONTROL%3Dignoreboth%0Aelse%0A%20%20%20%20export%20HISTCONTROL%3Dignoredups%0Afi%0A%0Aexport%20PATH%20USER%20LOGNAME%20MAIL%20HOSTNAME%20HISTSIZE%20HISTCONTROL%0A%0A%23%20By%20default%2C%20we%20want%20umask%20to%20get%20set.%20This%20sets%20it%20for%20login%20shell%0A%23%20Current%20threshold%20for%20system%20reserved%20uid/gids%20is%20200%0A%23%20You%20could%20check%20uidgid%20reservation%20validity%20in%0A%23%20/usr/share/doc/setup-%2A/uidgid%20file%0Aif%20%5B%20%24UID%20-gt%20199%20%5D%20%26%26%20%5B%20%22%60id%20-gn%60%22%20%3D%20%22%60id%20-un%60%22%20%5D%3B%20then%0A%20%20%20%20umask%20027%0Aelse%0A%20%20%20%20umask%20027%0Afi%0A%0Afor%20i%20in%20/etc/profile.d/%2A.sh%20/etc/profile.d/sh.local%20%3B%20do%0A%20%20%20%20if%20%5B%20-r%20%22%24i%22%20%5D%3B%20then%0A%20%20%20%20%20%20%20%20if%20%5B%20%22%24%7B-%23%2Ai%7D%22%20%21%3D%20%22%24-%22%20%5D%3B%20then%20%0A%20%20%20%20%20%20%20%20%20%20%20%20.%20%22%24i%22%0A%20%20%20%20%20%20%20%20else%0A%20%20%20%20%20%20%20%20%20%20%20%20.%20%22%24i%22%20%3E/dev/null%0A%20%20%20%20%20%20%20%20fi%0A%20%20%20%20fi%0Adone%0A%0Aunset%20i%0Aunset%20-f%20pathmunge%0A%0Aif%20%5B%20-n%20%22%24%7BBASH_VERSION-%7D%22%20%5D%20%3B%20then%0A%20%20%20%20%20%20%20%20if%20%5B%20-f%20/etc/bashrc%20%5D%20%3B%20then%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%23%20Bash%20login%20shells%20run%20only%20/etc/profile%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%23%20Bash%20non-login%20shells%20run%20only%20/etc/bashrc%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%23%20Check%20for%20double%20sourcing%20is%20done%20in%20/etc/bashrc.%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20.%20/etc/bashrc%0A%20%20%20%20%20%20%20fi%0Afi%0A%0A%0A
-        mode: 0644
-        path: /etc/profile
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-export export-name="oval:ssg-var_accounts_user_umask:var:1" value-id="xccdf_org.ssgproject.content_value_var_accounts_user_umask"/>
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-accounts_umask_etc_profile:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-accounts_umask_etc_profile_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-            </xccdf-1.2:Group>
-          </xccdf-1.2:Group>
-        </xccdf-1.2:Group>
-        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_auditing">
-          <xccdf-1.2:title>System Accounting with auditd</xccdf-1.2:title>
-          <xccdf-1.2:description>The audit service provides substantial capabilities
-for recording system activities. By default, the service audits about
-SELinux AVC denials and certain types of security-relevant events
-such as system logins, account modifications, and authentication
-events performed by programs such as sudo.
-Under its default configuration, <html:code>auditd</html:code> has modest disk space
-requirements, and should not noticeably impact system performance.
-<html:br/><html:br/>
-NOTE: The Linux Audit daemon <html:code>auditd</html:code> can be configured to use
-the <html:code>augenrules</html:code> program to read audit rules files (<html:code>*.rules</html:code>)
-located in <html:code>/etc/audit/rules.d</html:code> location and compile them to create
-the resulting form of the <html:code>/etc/audit/audit.rules</html:code> configuration file
-during the daemon startup (default configuration). Alternatively, the <html:code>auditd</html:code>
-daemon can use the <html:code>auditctl</html:code> utility to read audit rules from the
-<html:code>/etc/audit/audit.rules</html:code> configuration file during daemon startup,
-and load them into the kernel. The expected behavior is configured via the
-appropriate <html:code>ExecStartPost</html:code> directive setting in the
-<html:code>/usr/lib/systemd/system/auditd.service</html:code> configuration file.
-To instruct the <html:code>auditd</html:code> daemon to use the <html:code>augenrules</html:code> program
-to read audit rules (default configuration), use the following setting:
-<html:br/> <html:pre>ExecStartPost=-/sbin/augenrules --load</html:pre>
-in the <html:code>/usr/lib/systemd/system/auditd.service</html:code> configuration file.
-In order to instruct the <html:code>auditd</html:code> daemon to use the <html:code>auditctl</html:code>
-utility to read audit rules, use the following setting:
-<html:br/> <html:pre>ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules</html:pre>
-in the <html:code>/usr/lib/systemd/system/auditd.service</html:code> configuration file.
-Refer to <html:code>[Service]</html:code> section of the <html:code>/usr/lib/systemd/system/auditd.service</html:code>
-configuration file for further details.
-<html:br/><html:br/>
-Government networks often have substantial auditing
-requirements and <html:code>auditd</html:code> can be configured to meet these
-requirements.
-Examining some example audit records demonstrates how the Linux audit system
-satisfies common requirements.
-The following example from Red Hat Enterprise Linux 7 Documentation available at
-<html:code><html:a href="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/selinux_users_and_administrators_guide/index#sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages">https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/selinux_users_and_administrators_guide/index#sect-Security-Enhanced_Linux-Fixing_Problems-Raw_Audit_Messages</html:a></html:code>
-shows the substantial amount of information captured in a
-two typical "raw" audit messages, followed by a breakdown of the most important
-fields. In this example the message is SELinux-related and reports an AVC
-denial (and the associated system call) that occurred when the Apache HTTP
-Server attempted to access the <html:code>/var/www/html/file1</html:code> file (labeled with
-the <html:code>samba_share_t</html:code> type):
-<html:pre>type=AVC msg=audit(1226874073.147:96): avc:  denied  { getattr } for pid=2465 comm="httpd"
-path="/var/www/html/file1" dev=dm-0 ino=284133 scontext=unconfined_u:system_r:httpd_t:s0
-tcontext=unconfined_u:object_r:samba_share_t:s0 tclass=file
-
-type=SYSCALL msg=audit(1226874073.147:96): arch=40000003 syscall=196 success=no exit=-13
-a0=b98df198 a1=bfec85dc a2=54dff4 a3=2008171 items=0 ppid=2463 pid=2465 auid=502 uid=48
-gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=6 comm="httpd"
-exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
-</html:pre>
-<html:ul><html:li><html:code>msg=audit(1226874073.147:96)</html:code><html:ul><html:li>The number in parentheses is the unformatted time stamp (Epoch time)
-for the event, which can be converted to standard time by using the
-<html:code>date</html:code> command.
-</html:li></html:ul></html:li><html:li><html:code>{ getattr }</html:code><html:ul><html:li>The item in braces indicates the permission that was denied. <html:code>getattr</html:code>
-indicates the source process was trying to read the target file's status information.
-This occurs before reading files. This action is denied due to the file being
-accessed having the wrong label. Commonly seen permissions include <html:code>getattr</html:code>,
-<html:code>read</html:code>, and <html:code>write</html:code>.</html:li></html:ul></html:li><html:li><html:code>comm="httpd"</html:code><html:ul><html:li>The executable that launched the process. The full path of the executable is
-found in the <html:code>exe=</html:code> section of the system call (<html:code>SYSCALL</html:code>) message,
-which in this case, is <html:code>exe="/usr/sbin/httpd"</html:code>.
-</html:li></html:ul></html:li><html:li><html:code>path="/var/www/html/file1"</html:code><html:ul><html:li>The path to the object (target) the process attempted to access.
-</html:li></html:ul></html:li><html:li><html:code>scontext="unconfined_u:system_r:httpd_t:s0"</html:code><html:ul><html:li>The SELinux context of the process that attempted the denied action. In
-this case, it is the SELinux context of the Apache HTTP Server, which is running
-in the <html:code>httpd_t</html:code> domain.
-</html:li></html:ul></html:li><html:li><html:code>tcontext="unconfined_u:object_r:samba_share_t:s0"</html:code><html:ul><html:li>The SELinux context of the object (target) the process attempted to access.
-In this case, it is the SELinux context of <html:code>file1</html:code>. Note: the <html:code>samba_share_t</html:code>
-type is not accessible to processes running in the <html:code>httpd_t</html:code> domain.</html:li></html:ul></html:li><html:li> From the system call (<html:code>SYSCALL</html:code>) message, two items are of interest:
-<html:ul><html:li><html:code>success=no</html:code>: indicates whether the denial (AVC) was enforced or not.
-<html:code>success=no</html:code> indicates the system call was not successful (SELinux denied
-access). <html:code>success=yes</html:code> indicates the system call was successful - this can
-be seen for permissive domains or unconfined domains, such as <html:code>initrc_t</html:code>
-and <html:code>kernel_t</html:code>.
-</html:li><html:li><html:code>exe="/usr/sbin/httpd"</html:code>: the full path to the executable that launched
-the process, which in this case, is <html:code>exe="/usr/sbin/httpd"</html:code>.
-</html:li></html:ul>
-</html:li></html:ul></xccdf-1.2:description>
-          <xccdf-1.2:platform idref="#machine"/>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_package_audispd-plugins_installed" severity="medium">
-            <xccdf-1.2:title>Install audispd-plugins Package</xccdf-1.2:title>
-            <xccdf-1.2:description>The <html:code>audispd-plugins</html:code> package can be installed with the following command:
-<html:pre/></xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000342-GPOS-00133</xccdf-1.2:reference>
-            <xccdf-1.2:rationale><html:code>audispd-plugins</html:code> provides plugins for the real-time interface to the
-audit subsystem, <html:code>audispd</html:code>. These plugins can do things like relay events
-to remote machines or analyze events for suspicious behavior.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-package_audispd-plugins_installed:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-package_audispd-plugins_installed_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_package_audit-audispd-plugins_installed" severity="medium">
-            <xccdf-1.2:title>Ensure the default plugins for the audit dispatcher are Installed</xccdf-1.2:title>
-            <xccdf-1.2:description>The audit-audispd-plugins package should be installed.</xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001851</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000342-GPOS-00133</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-package_audit-audispd-plugins_installed:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-package_audit-audispd-plugins_installed_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_package_audit_installed" severity="medium">
-            <xccdf-1.2:title>Ensure the audit Subsystem is Installed</xccdf-1.2:title>
-            <xccdf-1.2:description>The audit package should be installed.</xccdf-1.2:description>
-            <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R50)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000130</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000131</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000132</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000133</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000134</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000135</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000154</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000158</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001464</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001487</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001814</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001875</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001876</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001877</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001878</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001879</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001880</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001881</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001882</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001889</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001914</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000169</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-7(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-7(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-7(2)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-14</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(2)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000038-GPOS-00016</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000039-GPOS-00017</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000040-GPOS-00018</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000041-GPOS-00019</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00021</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000051-GPOS-00024</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000054-GPOS-00025</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000122-GPOS-00063</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000254-GPOS-00095</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000255-GPOS-00096</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000337-GPOS-00129</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000348-GPOS-00136</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000349-GPOS-00137</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000350-GPOS-00138</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000351-GPOS-00139</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000352-GPOS-00140</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000353-GPOS-00141</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000354-GPOS-00142</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000358-GPOS-00145</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000365-GPOS-00152</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000475-GPOS-00220</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>The auditd service is an access monitoring and accounting daemon, watching system calls to audit any access, in comparison with potential local access control policy such as SELinux policy.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82669-3</xccdf-1.2:ident>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-package_audit_installed:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-package_audit_installed_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_service_auditd_enabled" severity="medium">
-            <xccdf-1.2:title>Enable auditd Service</xccdf-1.2:title>
-            <xccdf-1.2:description>The <html:code>auditd</html:code> service is an essential userspace component of
-the Linux Auditing System, as it is responsible for writing audit records to
-disk.
-
-The <html:code>auditd</html:code> service can be enabled with the following manifest:
-<html:pre>
----
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-metadata:
-  labels:
-    machineconfiguration.openshift.io/role: master
-  name: 75-master-auditd-enable
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-      - name: auditd.service
-        enabled: true
-</html:pre>
-<html:p>
-This will enable the <html:code>auditd</html:code> service in all the
-nodes labeled with the "master" role.
-</html:p>
-<html:p>
-Note that this needs to be done for each <html:code>MachineConfigPool</html:code>
-</html:p>
-<html:p>
-For more information on how to configure nodes with the Machine Config
-Operator see
-<html:a href="https://docs.openshift.com/container-platform/4.6/post_installation_configuration/machine-configuration-tasks.html">the relevant documentation</html:a>.
-</html:p></xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000126</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000130</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000131</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000132</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000133</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000134</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000135</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000154</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000158</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001464</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001487</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001814</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001875</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001876</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001877</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001878</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001879</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001880</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001881</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001882</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001889</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001914</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000169</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iv)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(g)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-10</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-14(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-4(23)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000038-GPOS-00016</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000039-GPOS-00017</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000040-GPOS-00018</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000041-GPOS-00019</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00021</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000051-GPOS-00024</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000054-GPOS-00025</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000122-GPOS-00063</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000254-GPOS-00095</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000255-GPOS-00096</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000337-GPOS-00129</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000348-GPOS-00136</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000349-GPOS-00137</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000350-GPOS-00138</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000351-GPOS-00139</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000352-GPOS-00140</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000353-GPOS-00141</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000354-GPOS-00142</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000358-GPOS-00145</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000365-GPOS-00152</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000475-GPOS-00220</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="">SRG-OS-000037-VMM-000150</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="">SRG-OS-000063-VMM-000310</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="">SRG-OS-000038-VMM-000160</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="">SRG-OS-000039-VMM-000170</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="">SRG-OS-000040-VMM-000180</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="">SRG-OS-000041-VMM-000190</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Without establishing what type of events occurred, it would be difficult
-to establish, correlate, and investigate the events leading up to an outage or attack.
-Ensuring the <html:code>auditd</html:code> service is active ensures audit records
-generated by the kernel are appropriately recorded.
-<html:br/><html:br/>
-Additionally, a properly configured audit subsystem ensures that actions of
-individual system users can be uniquely traced to those users so they
-can be held accountable for their actions.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#audit"/>
-            <xccdf-1.2:requires idref="xccdf_org.ssgproject.content_rule_package_audit_installed"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82463-1</xccdf-1.2:ident>
-            <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="service_auditd_enabled">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-      - name: auditd.service
-        enabled: true
-</xccdf-1.2:fix>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-service_auditd_enabled:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-service_auditd_enabled_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_coreos_audit_backlog_limit_kernel_argument" severity="medium">
-            <xccdf-1.2:title>Extend Audit Backlog Limit for the Audit Daemon</xccdf-1.2:title>
-            <xccdf-1.2:description>To improve the kernel capacity to queue all log events, even those which occurred
-prior to the audit daemon, add the argument <html:code>audit_backlog_limit=8192</html:code> to all
-BLS (Boot Loader Specification) entries ('options' line) for the Linux
-operating system in <html:code>/boot/loader/entries/*.conf</html:code>.</xccdf-1.2:description>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000254-GPOS-00095</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>audit_backlog_limit sets the queue length for audit events awaiting transfer
-to the audit daemon. Until the audit daemon is up and running, all log messages
-are stored in this queue.  If the queue is overrun during boot process, the action
-defined by audit failure flag is taken.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82671-9</xccdf-1.2:ident>
-            <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="coreos_audit_backlog_limit_kernel_argument" complexity="low" disruption="medium" reboot="true" strategy="restrict">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-  kernelArguments:
-    - audit_backlog_limit=8192
-</xccdf-1.2:fix>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-coreos_audit_backlog_limit_kernel_argument:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-coreos_audit_backlog_limit_kernel_argument_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_coreos_audit_option" severity="medium">
-            <xccdf-1.2:title>Enable Auditing for Processes Which Start Prior to the Audit Daemon</xccdf-1.2:title>
-            <xccdf-1.2:description>To ensure all processes can be audited, even those which start
-prior to the audit daemon, add the argument <html:code>audit=1</html:code> to all
-BLS (Boot Loader Specification) entries ('options' line) for the Linux
-operating system in <html:code>/boot/loader/entries/*.conf</html:code>.</xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001464</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000130</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iv)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R7.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-14(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-10</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IR-5(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000254-GPOS-00095</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="">SRG-OS-000254-VMM-000880</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Each process on the system carries an "auditable" flag which indicates whether
-its activities can be audited. Although <html:code>auditd</html:code> takes care of enabling
-this for all processes which launch after it does, adding the kernel argument
-ensures it is set for every process during boot.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82670-1</xccdf-1.2:ident>
-            <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="coreos_audit_option" complexity="low" disruption="medium" reboot="true" strategy="restrict">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-  kernelArguments:
-    - audit=1
-</xccdf-1.2:fix>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-coreos_audit_option:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-coreos_audit_option_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_auditd_configure_rules">
-            <xccdf-1.2:title>Configure auditd Rules for Comprehensive Auditing</xccdf-1.2:title>
-            <xccdf-1.2:description>The <html:code>auditd</html:code> program can perform comprehensive
-monitoring of system activity. This section describes recommended
-configuration settings for comprehensive auditing, but a full
-description of the auditing system's capabilities is beyond the
-scope of this guide. The mailing list <html:i>linux-audit@redhat.com</html:i> exists
-to facilitate community discussion of the auditing system.
-<html:br/><html:br/>
-The audit subsystem supports extensive collection of events, including:
-<html:br/>
-<html:ul><html:li>Tracing of arbitrary system calls (identified by name or number)
-on entry or exit.</html:li><html:li>Filtering by PID, UID, call success, system call argument (with
-some limitations), etc.</html:li><html:li>Monitoring of specific files for modifications to the file's
-contents or metadata.</html:li></html:ul>
-<html:br/>
-Auditing rules at startup are controlled by the file <html:code>/etc/audit/audit.rules</html:code>.
-Add rules to it to meet the auditing requirements for your organization.
-Each line in <html:code>/etc/audit/audit.rules</html:code> represents a series of arguments
-that can be passed to <html:code>auditctl</html:code> and can be individually tested
-during runtime. See documentation in <html:code>/usr/share/doc/audit-<html:i>VERSION</html:i></html:code> and
-in the related man pages for more details.
-<html:br/><html:br/>
-If copying any example audit rulesets from <html:code>/usr/share/doc/audit-VERSION</html:code>,
-be sure to comment out the
-lines containing <html:code>arch=</html:code> which are not appropriate for your system's
-architecture. Then review and understand the following rules,
-ensuring rules are activated as needed for the appropriate
-architecture.
-<html:br/><html:br/>
-After reviewing all the rules, reading the following sections, and
-editing as needed, the new rules can be activated as follows:
-<html:pre>$ sudo service auditd restart</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:platform idref="#audit"/>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open" severity="medium">
-              <xccdf-1.2:title>Record Events that Modify User/Group Information via open syscall - /etc/group</xccdf-1.2:title>
-              <xccdf-1.2:description>The audit system should collect write events to /etc/group file for all users and root.
-If the <html:code>auditd</html:code> daemon is configured
-to use the <html:code>augenrules</html:code> program to read audit rules during daemon
-startup (the default), add the following lines to a file with suffix
-<html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>:
-<html:pre>-a always,exit -F arch=b32 -S open -F a1&amp;03 -F path=/etc/group -F auid&gt;=1000 -F auid!=unset -F key=modify</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following lines to
-<html:code>/etc/audit/audit.rules</html:code> file:
-<html:pre>-a always,exit -F arch=b32 -S open -F a1&amp;03 -F path=/etc/group -F auid&gt;=1000 -F auid!=unset -F key=modify</html:pre>
-If the system is 64 bit then also add the following line:
-<html:pre>-a always,exit -F arch=b64 -S open -F a1&amp;03 -F path=/etc/group -F auid&gt;=1000 -F auid!=unset -F key=modify</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:warning category="general">Note that these rules can be configured in a
-number of ways while still achieving the desired effect. Here the system calls
-have been placed independent of other system calls. Grouping system calls related
-to the same event is more efficient. See the following example:
-<html:pre>-a always,exit -F arch=b32 -S open -F a1&amp;03 -F path=/etc/group -F auid&gt;=1000 -F auid!=unset -F key=modify</html:pre></xccdf-1.2:warning>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(4)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Creation of groups through direct edition of /etc/group could be an indicator of malicious activity on a system.
-Auditing these events could serve as evidence of potential system compromise.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#audit"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82700-6</xccdf-1.2:ident>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_etc_group_open" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2603%20-F%20path%3D/etc/group%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dmodify%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2603%20-F%20path%3D/etc/group%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dmodify%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-etc_group_open_path_syscall.rules
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_etc_group_open:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_etc_group_open_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_etc_group_open_by_handle_at" severity="medium">
-              <xccdf-1.2:title>Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/group</xccdf-1.2:title>
-              <xccdf-1.2:description>The audit system should collect write events to /etc/group file for all group and root.
-If the <html:code>auditd</html:code> daemon is configured
-to use the <html:code>augenrules</html:code> program to read audit rules during daemon
-startup (the default), add the following lines to a file with suffix
-<html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>:
-<html:pre>-a always,exit -F arch=b32 -S open_by_handle_at -F a2&amp;03 -F path=/etc/group -F auid&gt;=1000 -F auid!=unset -F key=modify</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following lines to
-<html:code>/etc/audit/audit.rules</html:code> file:
-<html:pre>-a always,exit -F arch=b32 -S open_by_handle_at -F a2&amp;03 -F path=/etc/group -F auid&gt;=1000 -F auid!=unset -F key=modify</html:pre>
-If the system is 64 bit then also add the following line:
-<html:pre>-a always,exit -F arch=b64 -S open_by_handle_at -F a2&amp;03 -F path=/etc/group -F auid&gt;=1000 -F auid!=unset -F key=modify</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:warning category="general">Note that these rules can be configured in a
-number of ways while still achieving the desired effect. Here the system calls
-have been placed independent of other system calls. Grouping system calls related
-to the same event is more efficient. See the following example:
-<html:pre>-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&amp;03 -F path=/etc/group -F auid&gt;=1000 -F auid!=unset -F key=modify</html:pre></xccdf-1.2:warning>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(4)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Creation of groups through direct edition of /etc/group could be an indicator of malicious activity on a system.
-Auditing these events could serve as evidence of potential system compromise.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#audit"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82702-2</xccdf-1.2:ident>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_etc_group_open_by_handle_at" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open_by_handle_at%20-F%20a2%2603%20-F%20path%3D/etc/group%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dmodify%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open_by_handle_at%20-F%20a2%2603%20-F%20path%3D/etc/group%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dmodify%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-etc_group_open_by_handle_at_path_syscall.rules
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_etc_group_open_by_handle_at:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_etc_group_open_by_handle_at_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_etc_group_openat" severity="medium">
-              <xccdf-1.2:title>Record Events that Modify User/Group Information via openat syscall - /etc/group</xccdf-1.2:title>
-              <xccdf-1.2:description>The audit system should collect write events to /etc/group file for all users and root.
-If the <html:code>auditd</html:code> daemon is configured
-to use the <html:code>augenrules</html:code> program to read audit rules during daemon
-startup (the default), add the following lines to a file with suffix
-<html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>:
-<html:pre>-a always,exit -F arch=b32 -S openat -F a2&amp;03 -F path=/etc/group -F auid&gt;=1000 -F auid!=unset -F key=modify</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following lines to
-<html:code>/etc/audit/audit.rules</html:code> file:
-<html:pre>-a always,exit -F arch=b32 -S openat -F a2&amp;03 -F path=/etc/group -F auid&gt;=1000 -F auid!=unset -F key=modify</html:pre>
-If the system is 64 bit then also add the following line:
-<html:pre>-a always,exit -F arch=b64 -S openat -F a2&amp;03 -F path=/etc/group -F auid&gt;=1000 -F auid!=unset -F key=modify</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:warning category="general">Note that these rules can be configured in a
-number of ways while still achieving the desired effect. Here the system calls
-have been placed independent of other system calls. Grouping system calls related
-to the same event is more efficient. See the following example:
-<html:pre>-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&amp;03 -F path=/etc/group -F auid&gt;=1000 -F auid!=unset -F key=modify</html:pre></xccdf-1.2:warning>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(4)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Creation of groups through direct edition of /etc/group could be an indicator of malicious activity on a system.
-Auditing these events could serve as evidence of potential system compromise.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#audit"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82701-4</xccdf-1.2:ident>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_etc_group_openat" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%20-F%20a2%2603%20-F%20path%3D/etc/group%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dmodify%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%20-F%20a2%2603%20-F%20path%3D/etc/group%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dmodify%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-etc_group_openat_path_syscall.rules
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_etc_group_openat:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_etc_group_openat_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open" severity="medium">
-              <xccdf-1.2:title>Record Events that Modify User/Group Information via open syscall - /etc/gshadow</xccdf-1.2:title>
-              <xccdf-1.2:description>The audit system should collect write events to /etc/gshadow file for all users and root.
-If the <html:code>auditd</html:code> daemon is configured
-to use the <html:code>augenrules</html:code> program to read audit rules during daemon
-startup (the default), add the following lines to a file with suffix
-<html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>:
-<html:pre>-a always,exit -F arch=b32 -S open -F a1&amp;03 -F path=/etc/gshadow -F auid&gt;=1000 -F auid!=unset -F key=user-modify</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following lines to
-<html:code>/etc/audit/audit.rules</html:code> file:
-<html:pre>-a always,exit -F arch=b32 -S open -F a1&amp;03 -F path=/etc/gshadow -F auid&gt;=1000 -F auid!=unset -F key=user-modify</html:pre>
-If the system is 64 bit then also add the following line:
-<html:pre>-a always,exit -F arch=b64 -S open -F a1&amp;03 -F path=/etc/gshadow -F auid&gt;=1000 -F auid!=unset -F key=user-modify</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:warning category="general">Note that these rules can be configured in a
-number of ways while still achieving the desired effect. Here the system calls
-have been placed independent of other system calls. Grouping system calls related
-to the same event is more efficient. See the following example:
-<html:pre>-a always,exit -F arch=b32 -S open -F a1&amp;03 -F path=/etc/gshadow -F auid&gt;=1000 -F auid!=unset -F key=user-modify</html:pre></xccdf-1.2:warning>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(4)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Creation of users through direct edition of /etc/gshadow could be an indicator of malicious activity on a system.
-Auditing these events could serve as evidence of potential system compromise.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#audit"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82703-0</xccdf-1.2:ident>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_etc_gshadow_open" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2603%20-F%20path%3D/etc/gshadow%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dmodify%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2603%20-F%20path%3D/etc/gshadow%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dmodify%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-etc_gshadow_open_path_syscall.rules
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_etc_gshadow_open:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_etc_gshadow_open_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_open_by_handle_at" severity="medium">
-              <xccdf-1.2:title>Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/gshadow</xccdf-1.2:title>
-              <xccdf-1.2:description>The audit system should collect write events to /etc/gshadow file for all users and root.
-If the <html:code>auditd</html:code> daemon is configured
-to use the <html:code>augenrules</html:code> program to read audit rules during daemon
-startup (the default), add the following lines to a file with suffix
-<html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>:
-<html:pre>-a always,exit -F arch=b32 -S open_by_handle_at -F a2&amp;03 -F path=/etc/gshadow -F auid&gt;=1000 -F auid!=unset -F key=user-modify</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following lines to
-<html:code>/etc/audit/audit.rules</html:code> file:
-<html:pre>-a always,exit -F arch=b32 -S open_by_handle_at -F a2&amp;03 -F path=/etc/gshadow -F auid&gt;=1000 -F auid!=unset -F key=user-modify</html:pre>
-If the system is 64 bit then also add the following line:
-<html:pre>-a always,exit -F arch=b64 -S open_by_handle_at -F a2&amp;03 -F path=/etc/gshadow -F auid&gt;=1000 -F auid!=unset -F key=user-modify</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:warning category="general">Note that these rules can be configured in a
-number of ways while still achieving the desired effect. Here the system calls
-have been placed independent of other system calls. Grouping system calls related
-to the same event is more efficient. See the following example:
-<html:pre>-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&amp;03 -F path=/etc/gshadow -F auid&gt;=1000 -F auid!=unset -F key=user-modify</html:pre></xccdf-1.2:warning>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(4)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Creation of users through direct edition of /etc/gshadow could be an indicator of malicious activity on a system.
-Auditing these events could serve as evidence of potential system compromise.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#audit"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82705-5</xccdf-1.2:ident>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_etc_gshadow_open_by_handle_at" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open_by_handle_at%20-F%20a2%2603%20-F%20path%3D/etc/gshadow%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dmodify%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open_by_handle_at%20-F%20a2%2603%20-F%20path%3D/etc/gshadow%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dmodify%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-etc_gshadow_open_by_handle_at_path_syscall.rules
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_etc_gshadow_open_by_handle_at:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_etc_gshadow_open_by_handle_at_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_etc_gshadow_openat" severity="medium">
-              <xccdf-1.2:title>Record Events that Modify User/Group Information via openat syscall - /etc/gshadow</xccdf-1.2:title>
-              <xccdf-1.2:description>The audit system should collect write events to /etc/gshadow file for all users and root.
-If the <html:code>auditd</html:code> daemon is configured
-to use the <html:code>augenrules</html:code> program to read audit rules during daemon
-startup (the default), add the following lines to a file with suffix
-<html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>:
-<html:pre>-a always,exit -F arch=b32 -S openat -F a2&amp;03 -F path=/etc/gshadow -F auid&gt;=1000 -F auid!=unset -F key=user-modify</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following lines to
-<html:code>/etc/audit/audit.rules</html:code> file:
-<html:pre>-a always,exit -F arch=b32 -S openat -F a2&amp;03 -F path=/etc/gshadow -F auid&gt;=1000 -F auid!=unset -F key=user-modify</html:pre>
-If the system is 64 bit then also add the following line:
-<html:pre>-a always,exit -F arch=b64 -S openat -F a2&amp;03 -F path=/etc/gshadow -F auid&gt;=1000 -F auid!=unset -F key=user-modify</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:warning category="general">Note that these rules can be configured in a
-number of ways while still achieving the desired effect. Here the system calls
-have been placed independent of other system calls. Grouping system calls related
-to the same event is more efficient. See the following example:
-<html:pre>-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&amp;03 -F path=/etc/gshadow -F auid&gt;=1000 -F auid!=unset -F key=user-modify</html:pre></xccdf-1.2:warning>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(4)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Creation of users through direct edition of /etc/gshadow could be an indicator of malicious activity on a system.
-Auditing these events could serve as evidence of potential system compromise.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#audit"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82704-8</xccdf-1.2:ident>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_etc_gshadow_openat" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%20-F%20a2%2603%20-F%20path%3D/etc/gshadow%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dmodify%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%20-F%20a2%2603%20-F%20path%3D/etc/gshadow%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dmodify%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-etc_gshadow_openat_path_syscall.rules
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_etc_gshadow_openat:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_etc_gshadow_openat_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open" severity="medium">
-              <xccdf-1.2:title>Record Events that Modify User/Group Information via open syscall - /etc/passwd</xccdf-1.2:title>
-              <xccdf-1.2:description>The audit system should collect write events to /etc/passwd file for all users and root.
-If the <html:code>auditd</html:code> daemon is configured
-to use the <html:code>augenrules</html:code> program to read audit rules during daemon
-startup (the default), add the following lines to a file with suffix
-<html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>:
-<html:pre>-a always,exit -F arch=b32 -S open -F a1&amp;03 -F path=/etc/passwd -F auid&gt;=1000 -F auid!=unset -F key=modify</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following lines to
-<html:code>/etc/audit/audit.rules</html:code> file:
-<html:pre>-a always,exit -F arch=b32 -S open -F a1&amp;03 -F path=/etc/passwd -F auid&gt;=1000 -F auid!=unset -F key=modify</html:pre>
-If the system is 64 bit then also add the following line:
-<html:pre>-a always,exit -F arch=b64 -S open -F a1&amp;03 -F path=/etc/passwd -F auid&gt;=1000 -F auid!=unset -F key=modify</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:warning category="general">Note that these rules can be configured in a
-number of ways while still achieving the desired effect. Here the system calls
-have been placed independent of other system calls. Grouping system calls related
-to the same event is more efficient. See the following example:
-<html:pre>-a always,exit -F arch=b32 -S open -F a1&amp;03 -F path=/etc/passwd -F auid&gt;=1000 -F auid!=unset -F key=modify</html:pre></xccdf-1.2:warning>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(4)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Creation of users through direct edition of /etc/passwd could be an indicator of malicious activity on a system.
-Auditing these events could serve as evidence of potential system compromise.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#audit"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82706-3</xccdf-1.2:ident>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_etc_passwd_open" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2603%20-F%20path%3D/etc/passwd%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dmodify%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2603%20-F%20path%3D/etc/passwd%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dmodify%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-etc_passwd_open_path_syscall.rules
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_etc_passwd_open:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_etc_passwd_open_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_open_by_handle_at" severity="medium">
-              <xccdf-1.2:title>Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/passwd</xccdf-1.2:title>
-              <xccdf-1.2:description>The audit system should collect write events to /etc/passwd file for all users and root.
-If the <html:code>auditd</html:code> daemon is configured
-to use the <html:code>augenrules</html:code> program to read audit rules during daemon
-startup (the default), add the following lines to a file with suffix
-<html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>:
-<html:pre>-a always,exit -F arch=b32 -S open_by_handle_at -F a2&amp;03 -F path=/etc/passwd -F auid&gt;=1000 -F auid!=unset -F key=modify</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following lines to
-<html:code>/etc/audit/audit.rules</html:code> file:
-<html:pre>-a always,exit -F arch=b32 -S open_by_handle_at -F a2&amp;03 -F path=/etc/passwd -F auid&gt;=1000 -F auid!=unset -F key=modify</html:pre>
-If the system is 64 bit then also add the following line:
-<html:pre>-a always,exit -F arch=b64 -S open_by_handle_at -F a2&amp;03 -F path=/etc/passwd -F auid&gt;=1000 -F auid!=unset -F key=modify</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:warning category="general">Note that these rules can be configured in a
-number of ways while still achieving the desired effect. Here the system calls
-have been placed independent of other system calls. Grouping system calls related
-to the same event is more efficient. See the following example:
-<html:pre>-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&amp;03 -F path=/etc/passwd -F auid&gt;=1000 -F auid!=unset -F key=modify</html:pre></xccdf-1.2:warning>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(4)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Creation of users through direct edition of /etc/passwd could be an indicator of malicious activity on a system.
-Auditing these events could serve as evidence of potential system compromise.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#audit"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82708-9</xccdf-1.2:ident>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_etc_passwd_open_by_handle_at" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open_by_handle_at%20-F%20a2%2603%20-F%20path%3D/etc/passwd%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dmodify%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open_by_handle_at%20-F%20a2%2603%20-F%20path%3D/etc/passwd%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dmodify%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-etc_passwd_open_by_handle_at_path_syscall.rules
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_etc_passwd_open_by_handle_at:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_etc_passwd_open_by_handle_at_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_etc_passwd_openat" severity="medium">
-              <xccdf-1.2:title>Record Events that Modify User/Group Information via openat syscall - /etc/passwd</xccdf-1.2:title>
-              <xccdf-1.2:description>The audit system should collect write events to /etc/passwd file for all users and root.
-If the <html:code>auditd</html:code> daemon is configured
-to use the <html:code>augenrules</html:code> program to read audit rules during daemon
-startup (the default), add the following lines to a file with suffix
-<html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>:
-<html:pre>-a always,exit -F arch=b32 -S openat -F a2&amp;03 -F path=/etc/passwd -F auid&gt;=1000 -F auid!=unset -F key=modify</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following lines to
-<html:code>/etc/audit/audit.rules</html:code> file:
-<html:pre>-a always,exit -F arch=b32 -S openat -F a2&amp;03 -F path=/etc/passwd -F auid&gt;=1000 -F auid!=unset -F key=modify</html:pre>
-If the system is 64 bit then also add the following line:
-<html:pre>-a always,exit -F arch=b64 -S openat -F a2&amp;03 -F path=/etc/passwd -F auid&gt;=1000 -F auid!=unset -F key=modify</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:warning category="general">Note that these rules can be configured in a
-number of ways while still achieving the desired effect. Here the system calls
-have been placed independent of other system calls. Grouping system calls related
-to the same event is more efficient. See the following example:
-<html:pre>-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&amp;03 -F path=/etc/passwd -F auid&gt;=1000 -F auid!=unset -F key=modify</html:pre></xccdf-1.2:warning>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(4)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Creation of users through direct edition of /etc/passwd could be an indicator of malicious activity on a system.
-Auditing these events could serve as evidence of potential system compromise.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#audit"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82707-1</xccdf-1.2:ident>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_etc_passwd_openat" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%20-F%20a2%2603%20-F%20path%3D/etc/passwd%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dmodify%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%20-F%20a2%2603%20-F%20path%3D/etc/passwd%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dmodify%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-etc_passwd_openat_path_syscall.rules
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_etc_passwd_openat:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_etc_passwd_openat_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open" severity="medium">
-              <xccdf-1.2:title>Record Events that Modify User/Group Information via open syscall - /etc/shadow</xccdf-1.2:title>
-              <xccdf-1.2:description>The audit system should collect write events to /etc/shadow file for all users and root.
-If the <html:code>auditd</html:code> daemon is configured
-to use the <html:code>augenrules</html:code> program to read audit rules during daemon
-startup (the default), add the following lines to a file with suffix
-<html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>:
-<html:pre>-a always,exit -F arch=b32 -S open -F a1&amp;03 -F path=/etc/shadow -F auid&gt;=1000 -F auid!=unset -F key=user-modify</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following lines to
-<html:code>/etc/audit/audit.rules</html:code> file:
-<html:pre>-a always,exit -F arch=b32 -S open -F a1&amp;03 -F path=/etc/shadow -F auid&gt;=1000 -F auid!=unset -F key=user-modify</html:pre>
-If the system is 64 bit then also add the following line:
-<html:pre>-a always,exit -F arch=b64 -S open -F a1&amp;03 -F path=/etc/shadow -F auid&gt;=1000 -F auid!=unset -F key=user-modify</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:warning category="general">Note that these rules can be configured in a
-number of ways while still achieving the desired effect. Here the system calls
-have been placed independent of other system calls. Grouping system calls related
-to the same event is more efficient. See the following example:
-<html:pre>-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a1&amp;03 -F path=/etc/shadow -F auid&gt;=1000 -F auid!=unset -F key=user-modify</html:pre></xccdf-1.2:warning>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(4)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Creation of users through direct edition of /etc/shadow could be an indicator of malicious activity on a system.
-Auditing these events could serve as evidence of potential system compromise.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#audit"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82709-7</xccdf-1.2:ident>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_etc_shadow_open" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2603%20-F%20path%3D/etc/shadow%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dmodify%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2603%20-F%20path%3D/etc/shadow%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dmodify%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-etc_shadow_open_path_syscall.rules
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_etc_shadow_open:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_etc_shadow_open_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_open_by_handle_at" severity="medium">
-              <xccdf-1.2:title>Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/shadow</xccdf-1.2:title>
-              <xccdf-1.2:description>The audit system should collect write events to /etc/shadow file for all users and root.
-If the <html:code>auditd</html:code> daemon is configured
-to use the <html:code>augenrules</html:code> program to read audit rules during daemon
-startup (the default), add the following lines to a file with suffix
-<html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>:
-<html:pre>-a always,exit -F arch=b32 -S open_by_handle_at -F a2&amp;03 -F path=/etc/shadow -F auid&gt;=1000 -F auid!=unset -F key=user-modify</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following lines to
-<html:code>/etc/audit/audit.rules</html:code> file:
-<html:pre>-a always,exit -F arch=b32 -S open_by_handle_at -F a2&amp;03 -F path=/etc/shadow -F auid&gt;=1000 -F auid!=unset -F key=user-modify</html:pre>
-If the system is 64 bit then also add the following line:
-<html:pre>-a always,exit -F arch=b64 -S open_by_handle_at -F a2&amp;03 -F path=/etc/shadow -F auid&gt;=1000 -F auid!=unset -F key=user-modify</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:warning category="general">Note that these rules can be configured in a
-number of ways while still achieving the desired effect. Here the system calls
-have been placed independent of other system calls. Grouping system calls related
-to the same event is more efficient. See the following example:
-<html:pre>-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&amp;03 -F path=/etc/shadow -F auid&gt;=1000 -F auid!=unset -F key=user-modify</html:pre></xccdf-1.2:warning>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(4)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Creation of users through direct edition of /etc/shadow could be an indicator of malicious activity on a system.
-Auditing these events could serve as evidence of potential system compromise.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#audit"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82711-3</xccdf-1.2:ident>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_etc_shadow_open_by_handle_at" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open_by_handle_at%20-F%20a2%2603%20-F%20path%3D/etc/shadow%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dmodify%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open_by_handle_at%20-F%20a2%2603%20-F%20path%3D/etc/shadow%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dmodify%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-etc_shadow_open_by_handle_at_path_syscall.rules
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_etc_shadow_open_by_handle_at:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_etc_shadow_open_by_handle_at_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_etc_shadow_openat" severity="medium">
-              <xccdf-1.2:title>Record Events that Modify User/Group Information via openat syscall - /etc/shadow</xccdf-1.2:title>
-              <xccdf-1.2:description>The audit system should collect write events to /etc/shadow file for all users and root.
-If the <html:code>auditd</html:code> daemon is configured
-to use the <html:code>augenrules</html:code> program to read audit rules during daemon
-startup (the default), add the following lines to a file with suffix
-<html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>:
-<html:pre>-a always,exit -F arch=b32 -S openat -F a2&amp;03 -F path=/etc/shadow -F auid&gt;=1000 -F auid!=unset -F key=user-modify</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following lines to
-<html:code>/etc/audit/audit.rules</html:code> file:
-<html:pre>-a always,exit -F arch=b32 -S openat -F a2&amp;03 -F path=/etc/shadow -F auid&gt;=1000 -F auid!=unset -F key=user-modify</html:pre>
-If the system is 64 bit then also add the following line:
-<html:pre>-a always,exit -F arch=b64 -S openat -F a2&amp;03 -F path=/etc/shadow -F auid&gt;=1000 -F auid!=unset -F key=user-modify</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:warning category="general">Note that these rules can be configured in a
-number of ways while still achieving the desired effect. Here the system calls
-have been placed independent of other system calls. Grouping system calls related
-to the same event is more efficient. See the following example:
-<html:pre>-a always,exit -F arch=b32 -S open,openat,open_by_handle_at -F a2&amp;03 -F path=/etc/shadow -F auid&gt;=1000 -F auid!=unset -F key=user-modify</html:pre></xccdf-1.2:warning>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(4)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Creation of users through direct edition of /etc/shadow could be an indicator of malicious activity on a system.
-Auditing these events could serve as evidence of potential system compromise.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#audit"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82710-5</xccdf-1.2:ident>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_etc_shadow_openat" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%20-F%20a2%2603%20-F%20path%3D/etc/shadow%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dmodify%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%20-F%20a2%2603%20-F%20path%3D/etc/shadow%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dmodify%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-etc_shadow_openat_path_syscall.rules
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_etc_shadow_openat:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_etc_shadow_openat_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_immutable" severity="medium">
-              <xccdf-1.2:title>Make the auditd Configuration Immutable</xccdf-1.2:title>
-              <xccdf-1.2:description>If the <html:code>auditd</html:code> daemon is configured to use the
-<html:code>augenrules</html:code> program to read audit rules during daemon startup (the
-default), add the following line to a file with suffix <html:code>.rules</html:code> in the
-directory <html:code>/etc/audit/rules.d</html:code> in order to make the auditd configuration
-immutable:
-<html:pre>-e 2</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following line to
-<html:code>/etc/audit/audit.rules</html:code> file in order to make the auditd configuration
-immutable:
-<html:pre>-e 2</html:pre>
-With this setting, a reboot will be required to change any audit rules.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000162</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000163</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000164</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iv)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000057-GPOS-00027</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000058-GPOS-00028</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000059-GPOS-00029</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Making the audit configuration immutable prevents accidental as
-well as malicious modification of the audit rules, although it may be
-problematic if legitimate changes are needed during system
-operation.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#audit"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82668-5</xccdf-1.2:ident>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_immutable">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-e%202%0A
-        mode: 0600
-        path: /etc/audit/rules.d/90-immutable.rules
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_immutable:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_immutable_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_mac_modification" severity="medium">
-              <xccdf-1.2:title>Record Events that Modify the System's Mandatory Access Controls</xccdf-1.2:title>
-              <xccdf-1.2:description>If the <html:code>auditd</html:code> daemon is configured to use the
-<html:code>augenrules</html:code> program to read audit rules during daemon startup (the
-default), add the following line to a file with suffix <html:code>.rules</html:code> in the
-directory <html:code>/etc/audit/rules.d</html:code>:
-<html:pre>-w /etc/selinux/ -p wa -k MAC-policy</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following line to
-<html:code>/etc/audit/audit.rules</html:code> file:
-<html:pre>-w /etc/selinux/ -p wa -k MAC-policy</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.5.5</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>The system's mandatory access policy (SELinux) should not be
-arbitrarily changed by anything other than administrator action. All changes to
-MAC policy should be audited.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#audit"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82586-9</xccdf-1.2:ident>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_mac_modification" complexity="low" disruption="low" reboot="true" strategy="restrict">---
-
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ -w%20/etc/selinux/%20-p%20wa%20-k%20MAC-policy%0A }}
-        mode: 0600
-        path: /etc/audit/rules.d/75-etcselinux-wa-MAC-policy.rules
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_mac_modification:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_mac_modification_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_media_export" severity="medium">
-              <xccdf-1.2:title>Ensure auditd Collects Information on Exporting to Media (successful)</xccdf-1.2:title>
-              <xccdf-1.2:description>At a minimum, the audit system should collect media exportation
-events for all users and root. If the <html:code>auditd</html:code> daemon is configured to
-use the <html:code>augenrules</html:code> program to read audit rules during daemon startup
-(the default), add the following line to a file with suffix <html:code>.rules</html:code> in
-the directory <html:code>/etc/audit/rules.d</html:code>, setting ARCH to either b32 or b64 as
-appropriate for your system:
-<html:pre>-a always,exit -F arch=ARCH -S mount -F auid&gt;=1000 -F auid!=unset -F key=export</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following line to
-<html:code>/etc/audit/audit.rules</html:code> file, setting ARCH to either b32 or b64 as
-appropriate for your system:
-<html:pre>-a always,exit -F arch=ARCH -S mount -F auid&gt;=1000 -F auid!=unset -F key=export</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000130</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000135</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000169</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>The unauthorized exportation of data to external media could result in an information leak
-where classified information, Privacy Act information, and intellectual property could be lost. An audit
-trail should be created each time a filesystem is mounted to help identify and guard against information
-loss.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#audit"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82587-7</xccdf-1.2:ident>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_media_export" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20mount%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20mount%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-mount_dac_modification.rules
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_media_export:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_media_export_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_networkconfig_modification" severity="medium">
-              <xccdf-1.2:title>Record Events that Modify the System's Network Environment</xccdf-1.2:title>
-              <xccdf-1.2:description>If the <html:code>auditd</html:code> daemon is configured to use the
-<html:code>augenrules</html:code> program to read audit rules during daemon startup (the
-default), add the following lines to a file with suffix <html:code>.rules</html:code> in the
-directory <html:code>/etc/audit/rules.d</html:code>, setting ARCH to either b32 or b64 as
-appropriate for your system:
-<html:pre>-a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification
--w /etc/issue -p wa -k audit_rules_networkconfig_modification
--w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
--w /etc/hosts -p wa -k audit_rules_networkconfig_modification
--w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following lines to
-<html:code>/etc/audit/audit.rules</html:code> file, setting ARCH to either b32 or b64 as
-appropriate for your system:
-<html:pre>-a always,exit -F arch=ARCH -S sethostname,setdomainname -F key=audit_rules_networkconfig_modification
--w /etc/issue -p wa -k audit_rules_networkconfig_modification
--w /etc/issue.net -p wa -k audit_rules_networkconfig_modification
--w /etc/hosts -p wa -k audit_rules_networkconfig_modification
--w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.5.5</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>The network environment should not be modified by anything other
-than administrator action. Any change to network parameters should be
-audited.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#audit"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82588-5</xccdf-1.2:ident>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_networkconfig_modification">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20sethostname%2Csetdomainname%20-F%20key%3Daudit_rules_networkconfig_modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20sethostname%2Csetdomainname%20-F%20key%3Daudit_rules_networkconfig_modification%0A-w%20/etc/issue%20-p%20wa%20-k%20audit_rules_networkconfig_modification%0A-w%20/etc/issue.net%20-p%20wa%20-k%20audit_rules_networkconfig_modification%0A-w%20/etc/hosts%20-p%20wa%20-k%20audit_rules_networkconfig_modification%0A-w%20/etc/sysconfig/network%20-p%20wa%20-k%20audit_rules_networkconfig_modification%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-audit_rules_networkconfig_modification.rules
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_networkconfig_modification:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_networkconfig_modification_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_session_events" severity="medium">
-              <xccdf-1.2:title>Record Attempts to Alter Process and Session Initiation Information</xccdf-1.2:title>
-              <xccdf-1.2:description>The audit system already collects process information for all
-users and root. If the <html:code>auditd</html:code> daemon is configured to use the
-<html:code>augenrules</html:code> program to read audit rules during daemon startup (the
-default), add the following lines to a file with suffix <html:code>.rules</html:code> in the
-directory <html:code>/etc/audit/rules.d</html:code> in order to watch for attempted manual
-edits of files involved in storing such process information:
-<html:pre>-w /var/run/utmp -p wa -k session
--w /var/log/btmp -p wa -k session
--w /var/log/wtmp -p wa -k session</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following lines to
-<html:code>/etc/audit/audit.rules</html:code> file in order to watch for attempted manual
-edits of files involved in storing such process information:
-<html:pre>-w /var/run/utmp -p wa -k session
--w /var/log/btmp -p wa -k session
--w /var/log/wtmp -p wa -k session</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">0582</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">0584</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">05885</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">0586</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">0846</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">0957</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Manual editing of these files may indicate nefarious activity, such
-as an attacker attempting to remove evidence of an intrusion.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#audit"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82612-3</xccdf-1.2:ident>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_session_events" complexity="low" disruption="low" reboot="true" strategy="restrict">---
-
-
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ %0A-w%20/var/run/utmp%20-p%20wa%20-k%20session%0A-w%20/var/log/btmp%20-p%20wa%20-k%20session%0A-w%20/var/log/wtmp%20-p%20wa%20-k%20session%0A }}
-        mode: 0600
-        path: /etc/audit/rules.d/75-audit-session-events.rules
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_session_events:def:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions" severity="medium">
-              <xccdf-1.2:title>Ensure auditd Collects System Administrator Actions</xccdf-1.2:title>
-              <xccdf-1.2:description>At a minimum, the audit system should collect administrator actions
-for all users and root. If the <html:code>auditd</html:code> daemon is configured to use the
-<html:code>augenrules</html:code> program to read audit rules during daemon startup (the default),
-add the following line to a file with suffix <html:code>.rules</html:code> in the directory
-<html:code>/etc/audit/rules.d</html:code>:
-<html:pre>-w /etc/sudoers -p wa -k actions
--w /etc/sudoers.d/ -p wa -k actions</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following line to
-<html:code>/etc/audit/audit.rules</html:code> file:
-<html:pre>-w /etc/sudoers -p wa -k actions
--w /etc/sudoers.d/ -p wa -k actions</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000126</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000130</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000135</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000169</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(7)(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.5.b</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000004-GPOS-00004</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000304-GPOS-00121</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000470-GPOS-00214</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000239-GPOS-00089</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000240-GPOS-00090</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000241-GPOS-00091</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000303-GPOS-00120</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000304-GPOS-00121</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000466-GPOS-00210</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000476-GPOS-00221</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000462-VMM-001840</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000471-VMM-001910</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>The actions taken by system administrators should be audited to keep a record
-of what was executed on the system, as well as, for accountability purposes.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#audit"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82613-1</xccdf-1.2:ident>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_sysadmin_actions" complexity="low" disruption="low" reboot="true" strategy="restrict">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ -w%20/etc/sudoers.d/%20-p%20wa%20-k%20actions%0A-w%20/etc/sudoers%20-p%20wa%20-k%20actions%0A }}
-        mode: 0600
-        path: /etc/audit/rules.d/75-audit-sysadmin-actions.rules
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_sysadmin_actions:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_sysadmin_actions_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification" severity="medium">
-              <xccdf-1.2:title>Record Events that Modify User/Group Information</xccdf-1.2:title>
-              <xccdf-1.2:description>If the <html:code>auditd</html:code> daemon is configured to use the
-<html:code>augenrules</html:code> program to read audit rules during daemon startup (the
-default), add the following lines to a file with suffix <html:code>.rules</html:code> in the
-directory <html:code>/etc/audit/rules.d</html:code>, in order to capture events that modify
-account changes:
-<html:pre>-w /etc/group -p wa -k audit_rules_usergroup_modification
--w /etc/passwd -p wa -k audit_rules_usergroup_modification
--w /etc/gshadow -p wa -k audit_rules_usergroup_modification
--w /etc/shadow -p wa -k audit_rules_usergroup_modification
--w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification</html:pre>
-<html:br/>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following lines to
-<html:code>/etc/audit/audit.rules</html:code> file, in order to capture events that modify
-account changes:
-<html:pre>-w /etc/group -p wa -k audit_rules_usergroup_modification
--w /etc/passwd -p wa -k audit_rules_usergroup_modification
--w /etc/gshadow -p wa -k audit_rules_usergroup_modification
--w /etc/shadow -p wa -k audit_rules_usergroup_modification
--w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:warning category="general">This rule checks for multiple syscalls related to account changes;
-it was written with DISA STIG in mind. Other policies should use a
-separate rule for each syscall that needs to be checked. For example:
-<html:ul><html:li><html:code>audit_rules_usergroup_modification_group</html:code></html:li><html:li><html:code>audit_rules_usergroup_modification_gshadow</html:code></html:li><html:li><html:code>audit_rules_usergroup_modification_passwd</html:code></html:li></html:ul></xccdf-1.2:warning>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000018</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000130</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001403</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002130</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(4)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000004-GPOS-00004</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000239-GPOS-00089</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000241-GPOS-00090</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000241-GPOS-00091</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000303-GPOS-00120</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000476-GPOS-00221</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>In addition to auditing new user and group accounts, these watches
-will alert the system administrator(s) to any modifications. Any unexpected
-users, groups, or modifications should be investigated for legitimacy.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#audit"/>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_usergroup_modification">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-w%20/etc/group%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A-w%20/etc/passwd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A-w%20/etc/gshadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A-w%20/etc/shadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A-w%20/etc/security/opasswd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-audit_rules_usergroup_modification.rules
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_usergroup_modification:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_usergroup_modification_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group" severity="medium">
-              <xccdf-1.2:title>Record Events that Modify User/Group Information - /etc/group</xccdf-1.2:title>
-              <xccdf-1.2:description>If the <html:code>auditd</html:code> daemon is configured to use the
-<html:code>augenrules</html:code> program to read audit rules during daemon startup (the
-default), add the following lines to a file with suffix <html:code>.rules</html:code> in the
-directory <html:code>/etc/audit/rules.d</html:code>, in order to capture events that modify
-account changes:
-<html:br/><html:br/>
-<html:pre>-w /etc/group -p wa -k audit_rules_usergroup_modification</html:pre>
-<html:br/><html:br/>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following lines to
-<html:code>/etc/audit/audit.rules</html:code> file, in order to capture events that modify
-account changes:
-<html:br/><html:br/>
-<html:pre>-w /etc/group -p wa -k audit_rules_usergroup_modification</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000018</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000130</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000135</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000169</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001403</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001404</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001405</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001683</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001684</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001685</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001686</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002130</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002132</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(4)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000004-GPOS-00004</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000304-GPOS-00121</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000470-GPOS-00214</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000239-GPOS-00089</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000240-GPOS-00090</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000241-GPOS-00091</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000303-GPOS-00120</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000466-GPOS-00210</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000476-GPOS-00221</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000004-VMM-000040</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000239-VMM-000810</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000240-VMM-000820</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000241-VMM-000830</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000274-VMM-000960</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000275-VMM-000970</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000276-VMM-000980</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000277-VMM-000990</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000303-VMM-001090</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000304-VMM-001100</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000476-VMM-001960</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>In addition to auditing new user and group accounts, these watches
-will alert the system administrator(s) to any modifications. Any unexpected
-users, groups, or modifications should be investigated for legitimacy.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#audit"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82654-5</xccdf-1.2:ident>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_usergroup_modification_group" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-w%20/etc/group%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A
-        mode: 0644
-        path: /etc/audit/rules.d/30-etc_group_usergroup_modification.rules
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_usergroup_modification_group:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_usergroup_modification_group_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow" severity="medium">
-              <xccdf-1.2:title>Record Events that Modify User/Group Information - /etc/gshadow</xccdf-1.2:title>
-              <xccdf-1.2:description>If the <html:code>auditd</html:code> daemon is configured to use the
-<html:code>augenrules</html:code> program to read audit rules during daemon startup (the
-default), add the following lines to a file with suffix <html:code>.rules</html:code> in the
-directory <html:code>/etc/audit/rules.d</html:code>, in order to capture events that modify
-account changes:
-<html:br/><html:br/>
-<html:pre>-w /etc/gshadow -p wa -k audit_rules_usergroup_modification</html:pre>
-<html:br/><html:br/>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following lines to
-<html:code>/etc/audit/audit.rules</html:code> file, in order to capture events that modify
-account changes:
-<html:br/><html:br/>
-<html:pre>-w /etc/gshadow -p wa -k audit_rules_usergroup_modification</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000018</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000130</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000135</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000169</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001403</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001404</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001405</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001683</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001684</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001685</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001686</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002130</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002132</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(4)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000004-GPOS-00004</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000304-GPOS-00121</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000470-GPOS-00214</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000239-GPOS-00089</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000240-GPOS-00090</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000241-GPOS-00091</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000303-GPOS-00120</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000466-GPOS-00210</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000476-GPOS-00221</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000004-VMM-000040</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000239-VMM-000810</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000240-VMM-000820</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000241-VMM-000830</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000274-VMM-000960</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000275-VMM-000970</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000276-VMM-000980</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000277-VMM-000990</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000303-VMM-001090</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000304-VMM-001100</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000476-VMM-001960</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>In addition to auditing new user and group accounts, these watches
-will alert the system administrator(s) to any modifications. Any unexpected
-users, groups, or modifications should be investigated for legitimacy.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#audit"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82655-2</xccdf-1.2:ident>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_usergroup_modification_gshadow" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-w%20/etc/gshadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A
-        mode: 0644
-        path: /etc/audit/rules.d/30-etc_gshadow_usergroup_modification.rules
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_usergroup_modification_gshadow:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_usergroup_modification_gshadow_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd" severity="medium">
-              <xccdf-1.2:title>Record Events that Modify User/Group Information - /etc/security/opasswd</xccdf-1.2:title>
-              <xccdf-1.2:description>If the <html:code>auditd</html:code> daemon is configured to use the
-<html:code>augenrules</html:code> program to read audit rules during daemon startup (the
-default), add the following lines to a file with suffix <html:code>.rules</html:code> in the
-directory <html:code>/etc/audit/rules.d</html:code>, in order to capture events that modify
-account changes:
-<html:br/><html:br/>
-<html:pre>-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification</html:pre>
-<html:br/><html:br/>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following lines to
-<html:code>/etc/audit/audit.rules</html:code> file, in order to capture events that modify
-account changes:
-<html:br/><html:br/>
-<html:pre>-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000018</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000130</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000135</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000169</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001403</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001404</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001405</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001683</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001684</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001685</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001686</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002130</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002132</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(4)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000004-GPOS-00004</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000304-GPOS-00121</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000470-GPOS-00214</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000239-GPOS-00089</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000240-GPOS-00090</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000241-GPOS-00091</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000303-GPOS-00120</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000466-GPOS-00210</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000476-GPOS-00221</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000004-VMM-000040</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000239-VMM-000810</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000240-VMM-000820</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000241-VMM-000830</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000274-VMM-000960</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000275-VMM-000970</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000276-VMM-000980</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000277-VMM-000990</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000303-VMM-001090</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000304-VMM-001100</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000476-VMM-001960</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>In addition to auditing new user and group accounts, these watches
-will alert the system administrator(s) to any modifications. Any unexpected
-users, groups, or modifications should be investigated for legitimacy.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#audit"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82656-0</xccdf-1.2:ident>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_usergroup_modification_opasswd" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-w%20/etc/security/opasswd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A
-        mode: 0644
-        path: /etc/audit/rules.d/30-etc_security_opasswd_usergroup_modification.rules
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_usergroup_modification_opasswd:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_usergroup_modification_opasswd_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd" severity="medium">
-              <xccdf-1.2:title>Record Events that Modify User/Group Information - /etc/passwd</xccdf-1.2:title>
-              <xccdf-1.2:description>If the <html:code>auditd</html:code> daemon is configured to use the
-<html:code>augenrules</html:code> program to read audit rules during daemon startup (the
-default), add the following lines to a file with suffix <html:code>.rules</html:code> in the
-directory <html:code>/etc/audit/rules.d</html:code>, in order to capture events that modify
-account changes:
-<html:br/><html:br/>
-<html:pre>-w /etc/passwd -p wa -k audit_rules_usergroup_modification</html:pre>
-<html:br/><html:br/>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following lines to
-<html:code>/etc/audit/audit.rules</html:code> file, in order to capture events that modify
-account changes:
-<html:br/><html:br/>
-<html:pre>-w /etc/passwd -p wa -k audit_rules_usergroup_modification</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000018</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000130</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000135</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000169</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001403</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001404</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001405</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001683</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001684</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001685</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001686</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002130</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002132</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(4)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000004-GPOS-00004</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000304-GPOS-00121</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000470-GPOS-00214</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000239-GPOS-00089</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000240-GPOS-00090</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000241-GPOS-00091</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000303-GPOS-00120</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000304-GPOS-00121</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000466-GPOS-00210</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000476-GPOS-00221</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000274-GPOS-00104</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000275-GPOS-00105</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000276-GPOS-00106</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000277-GPOS-00107</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000004-VMM-000040</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000239-VMM-000810</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000240-VMM-000820</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000241-VMM-000830</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000274-VMM-000960</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000275-VMM-000970</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000276-VMM-000980</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000277-VMM-000990</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000303-VMM-001090</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000304-VMM-001100</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000476-VMM-001960</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>In addition to auditing new user and group accounts, these watches
-will alert the system administrator(s) to any modifications. Any unexpected
-users, groups, or modifications should be investigated for legitimacy.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#audit"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82657-8</xccdf-1.2:ident>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_usergroup_modification_passwd" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-w%20/etc/passwd%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A
-        mode: 0644
-        path: /etc/audit/rules.d/30-etc_passwd_usergroup_modification.rules
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_usergroup_modification_passwd:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_usergroup_modification_passwd_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow" severity="medium">
-              <xccdf-1.2:title>Record Events that Modify User/Group Information - /etc/shadow</xccdf-1.2:title>
-              <xccdf-1.2:description>If the <html:code>auditd</html:code> daemon is configured to use the
-<html:code>augenrules</html:code> program to read audit rules during daemon startup (the
-default), add the following lines to a file with suffix <html:code>.rules</html:code> in the
-directory <html:code>/etc/audit/rules.d</html:code>, in order to capture events that modify
-account changes:
-<html:br/><html:br/>
-<html:pre>-w /etc/shadow -p wa -k audit_rules_usergroup_modification</html:pre>
-<html:br/><html:br/>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following lines to
-<html:code>/etc/audit/audit.rules</html:code> file, in order to capture events that modify
-account changes:
-<html:br/><html:br/>
-<html:pre>-w /etc/shadow -p wa -k audit_rules_usergroup_modification</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000018</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000130</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000135</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000169</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001403</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001404</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001405</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001683</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001684</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001685</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001686</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002130</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002132</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(4)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000004-GPOS-00004</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000304-GPOS-00121</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000470-GPOS-00214</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000239-GPOS-00089</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000240-GPOS-00090</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000241-GPOS-00091</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000303-GPOS-00120</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000466-GPOS-00210</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000476-GPOS-00221</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000004-VMM-000040</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000239-VMM-000810</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000240-VMM-000820</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000241-VMM-000830</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000274-VMM-000960</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000275-VMM-000970</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000276-VMM-000980</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000277-VMM-000990</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000303-VMM-001090</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000304-VMM-001100</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000476-VMM-001960</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>In addition to auditing new user and group accounts, these watches
-will alert the system administrator(s) to any modifications. Any unexpected
-users, groups, or modifications should be investigated for legitimacy.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#audit"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82658-6</xccdf-1.2:ident>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_usergroup_modification_shadow" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-w%20/etc/shadow%20-p%20wa%20-k%20audit_rules_usergroup_modification%0A
-        mode: 0644
-        path: /etc/audit/rules.d/30-etc_shadow_usergroup_modification.rules
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_usergroup_modification_shadow:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_usergroup_modification_shadow_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_directory_access_var_log_audit" severity="medium">
-              <xccdf-1.2:title>Record Access Events to Audit Log Directory</xccdf-1.2:title>
-              <xccdf-1.2:description>The audit system should collect access events to read audit log directory.
-The following audit rule will assure that access to audit log directory are
-collected.
-<html:pre>-a always,exit -F dir=/var/log/audit/ -F perm=r -F auid&gt;=1000 -F auid!=unset -F key=access-audit-trail</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>augenrules</html:code>
-program to read audit rules during daemon startup (the default), add the
-rule to a file with suffix <html:code>.rules</html:code> in the directory
-<html:code>/etc/audit/rules.d</html:code>.
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the rule to
-<html:code>/etc/audit/audit.rules</html:code> file.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Attempts to read the logs should be recorded, suspicious access to audit log files could be an indicator of malicious activity on a system.
-Auditing these events could serve as evidence of potential system compromise.'</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82712-1</xccdf-1.2:ident>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="directory_access_var_log_audit" complexity="low" disruption="medium" reboot="true" strategy="disable">---
-#
-
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ -a%20always%2Cexit%20-F%20dir%3D/var/log/audit/%20-F%20perm%3Dr%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess-audit-trail%0A }}
-        mode: 0600
-        path: /etc/audit/rules.d/30-access-var-log-audit.rules
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-directory_access_var_log_audit:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-directory_access_var_log_audit_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_directory_permissions_var_log_audit" severity="medium">
-              <xccdf-1.2:title>System Audit Logs Must Have Mode 0750 or Less Permissive</xccdf-1.2:title>
-              <xccdf-1.2:description>
-If <html:code>log_group</html:code> in <html:code>/etc/audit/auditd.conf</html:code> is set to a group other than the <html:code>root</html:code>
-group account, change the mode of the audit log files with the following command:
-<html:pre>$ sudo chmod 0750 /var/log/audit</html:pre>
-<html:br/>
-Otherwise, change the mode of the audit log files with the following command:
-<html:pre>$ sudo chmod 0700 /var/log/audit</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000162</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000163</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000164</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000057-GPOS-00027</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000058-GPOS-00028</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000059-GPOS-00029</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>If users can write to audit logs, audit trails can be modified or destroyed.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#audit"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82692-5</xccdf-1.2:ident>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-directory_permissions_var_log_audit:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-directory_permissions_var_log_audit_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupownership_audit_configuration" severity="medium">
-              <xccdf-1.2:title>Audit Configuration Files Must Be Owned By Group root</xccdf-1.2:title>
-              <xccdf-1.2:description>All audit configuration files must be owned by group root.
-<html:pre>chown :root /etc/audit/audit*.{rules,conf} /etc/audit/rules.d/*</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000171</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000063-GPOS-00032</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Without the capability to restrict which roles and individuals can
-select which events are audited, unauthorized personnel may be able
-to prevent the auditing of critical events.
-Misconfigured audits may degrade the system's performance by
-overwhelming the audit log. Misconfigured audits may also make it more
-difficult to establish, correlate, and investigate the events relating
-to an incident or identify those responsible for one.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#audit"/>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-file_groupownership_audit_configuration:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-file_groupownership_audit_configuration_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_ownership_audit_configuration" severity="medium">
-              <xccdf-1.2:title>Audit Configuration Files Must Be Owned By Root</xccdf-1.2:title>
-              <xccdf-1.2:description>All audit configuration files must be owned by root user.
-
-To properly set the owner of <html:code>/etc/audit/</html:code>, run the command:
-<html:pre>$ sudo chown root /etc/audit/ </html:pre>
-
-To properly set the owner of <html:code>/etc/audit/rules.d/</html:code>, run the command:
-<html:pre>$ sudo chown root /etc/audit/rules.d/ </html:pre></xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000171</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000063-GPOS-00032</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Without the capability to restrict which roles and individuals can
-select which events are audited, unauthorized personnel may be able
-to prevent the auditing of critical events.
-Misconfigured audits may degrade the system's performance by
-overwhelming the audit log. Misconfigured audits may also make it more
-difficult to establish, correlate, and investigate the events relating
-to an incident or identify those responsible for one.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#audit"/>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-file_ownership_audit_configuration:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-file_ownership_audit_configuration_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_ownership_var_log_audit" severity="medium">
-              <xccdf-1.2:title>System Audit Logs Must Be Owned By Root</xccdf-1.2:title>
-              <xccdf-1.2:description>All audit logs must be owned by root user and group. By default, the path for audit log is <html:pre>/var/log/audit/</html:pre>.
-
-To properly set the owner of <html:code>/var/log/audit</html:code>, run the command:
-<html:pre>$ sudo chown root /var/log/audit </html:pre>
-
-To properly set the owner of <html:code>/var/log/audit/*</html:code>, run the command:
-<html:pre>$ sudo chown root /var/log/audit/* </html:pre></xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000162</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000163</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000164</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001314</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9(4)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000057-GPOS-00027</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000058-GPOS-00028</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000059-GPOS-00029</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Unauthorized disclosure of audit records can reveal system and configuration data to
-attackers, thus compromising its confidentiality.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#audit"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82691-7</xccdf-1.2:ident>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-file_ownership_var_log_audit:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-file_ownership_var_log_audit_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_var_log_audit" severity="medium">
-              <xccdf-1.2:title>System Audit Logs Must Have Mode 0640 or Less Permissive</xccdf-1.2:title>
-              <xccdf-1.2:description>
-If <html:code>log_group</html:code> in <html:code>/etc/audit/auditd.conf</html:code> is set to a group other than the
-<html:code>root</html:code>
-group account, change the mode of the audit log files with the following command:
-<html:pre>$ sudo chmod 0640 <html:i>audit_file</html:i></html:pre>
-<html:br/>
-Otherwise, change the mode of the audit log files with the following command:
-<html:pre>$ sudo chmod 0600 <html:i>audit_file</html:i></html:pre></xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000162</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000163</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000164</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001314</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9(4)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000057-GPOS-00027</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000058-GPOS-00028</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000059-GPOS-00029</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000206-GPOS-00084</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>If users can write to audit logs, audit trails can be modified or destroyed.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#audit"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82690-9</xccdf-1.2:ident>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-file_permissions_var_log_audit:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-file_permissions_var_log_audit_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_audit_dac_actions">
-              <xccdf-1.2:title>Record Events that Modify the System's Discretionary Access Controls</xccdf-1.2:title>
-              <xccdf-1.2:description>At a minimum, the audit system should collect file permission
-changes for all users and root. Note that the "-F arch=b32" lines should be
-present even on a 64 bit system. These commands identify system calls for
-auditing. Even if the system is 64 bit it can still execute 32 bit system
-calls. Additionally, these rules can be configured in a number of ways while
-still achieving the desired effect. An example of this is that the "-S" calls
-could be split up and placed on separate lines, however, this is less efficient.
-Add the following to <html:code>/etc/audit/audit.rules</html:code>:
-<html:pre>-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid&gt;=1000 -F auid!=unset -F key=perm_mod
-    -a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid&gt;=1000 -F auid!=unset -F key=perm_mod
-    -a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</html:pre>
-If your system is 64 bit then these lines should be duplicated and the
-arch=b32 replaced with arch=b64 as follows:
-<html:pre>-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid&gt;=1000 -F auid!=unset -F key=perm_mod
-    -a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid&gt;=1000 -F auid!=unset -F key=perm_mod
-    -a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:platform idref="#audit"/>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod" severity="medium">
-                <xccdf-1.2:title>Record Events that Modify the System's Discretionary Access Controls - chmod</xccdf-1.2:title>
-                <xccdf-1.2:description>At a minimum, the audit system should collect file permission
-changes for all users and root. If the <html:code>auditd</html:code> daemon is configured to
-use the <html:code>augenrules</html:code> program to read audit rules during daemon startup
-(the default), add the following line to a file with suffix <html:code>.rules</html:code> in
-the directory <html:code>/etc/audit/rules.d</html:code>:
-<html:pre>-a always,exit -F arch=b32 -S chmod -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</html:pre>
-If the system is 64 bit then also add the following line:
-<html:pre>-a always,exit -F arch=b64 -S chmod -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following line to
-<html:code>/etc/audit/audit.rules</html:code> file:
-<html:pre>-a always,exit -F arch=b32 -S chmod -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</html:pre>
-If the system is 64 bit then also add the following line:
-<html:pre>-a always,exit -F arch=b64 -S chmod -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:warning category="general">Note that these rules can be configured in a
-number of ways while still achieving the desired effect.  Here the system calls
-have been placed independent of other system calls.  Grouping these system
-calls with others as identifying earlier in this guide is more efficient.</xccdf-1.2:warning>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000126</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000130</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000135</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000169</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.5.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000064-GPOS-00033</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000466-GPOS-00210</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000458-GPOS-00203</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000458-VMM-001810</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000474-VMM-001940</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>The changing of file permissions could indicate that a user is attempting to
-gain access to information that would otherwise be disallowed. Auditing DAC modifications
-can facilitate the identification of patterns of abuse among both authorized and
-unauthorized users.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82556-2</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_dac_modification_chmod" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20chmod%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20chmod%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-chmod_dac_modification.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_dac_modification_chmod:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_dac_modification_chmod_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown" severity="medium">
-                <xccdf-1.2:title>Record Events that Modify the System's Discretionary Access Controls - chown</xccdf-1.2:title>
-                <xccdf-1.2:description>At a minimum, the audit system should collect file permission
-changes for all users and root. If the <html:code>auditd</html:code> daemon is configured to
-use the <html:code>augenrules</html:code> program to read audit rules during daemon startup
-(the default), add the following line to a file with suffix <html:code>.rules</html:code> in
-the directory <html:code>/etc/audit/rules.d</html:code>:
-<html:pre>-a always,exit -F arch=b32 -S chown -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</html:pre>
-If the system is 64 bit then also add the following line:
-<html:pre>-a always,exit -F arch=b64 -S chown -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following line to
-<html:code>/etc/audit/audit.rules</html:code> file:
-<html:pre>-a always,exit -F arch=b32 -S chown -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</html:pre>
-If the system is 64 bit then also add the following line:
-<html:pre>-a always,exit -F arch=b64 -S chown -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:warning category="general">Note that these rules can be configured in a
-number of ways while still achieving the desired effect.  Here the system calls
-have been placed independent of other system calls.  Grouping these system
-calls with others as identifying earlier in this guide is more efficient.</xccdf-1.2:warning>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000126</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000130</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000135</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000169</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.5.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000064-GPOS-00033</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000466-GPOS-00210</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000458-GPOS-00203</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000474-GPOS-00219</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000458-VMM-001810</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000474-VMM-001940</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>The changing of file permissions could indicate that a user is attempting to
-gain access to information that would otherwise be disallowed. Auditing DAC modifications
-can facilitate the identification of patterns of abuse among both authorized and
-unauthorized users.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82557-0</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_dac_modification_chown" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20chown%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20chown%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-chown_dac_modification.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_dac_modification_chown:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_dac_modification_chown_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod" severity="medium">
-                <xccdf-1.2:title>Record Events that Modify the System's Discretionary Access Controls - fchmod</xccdf-1.2:title>
-                <xccdf-1.2:description>At a minimum, the audit system should collect file permission
-changes for all users and root. If the <html:code>auditd</html:code> daemon is configured to
-use the <html:code>augenrules</html:code> program to read audit rules during daemon startup
-(the default), add the following line to a file with suffix <html:code>.rules</html:code> in
-the directory <html:code>/etc/audit/rules.d</html:code>:
-<html:pre>-a always,exit -F arch=b32 -S fchmod -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</html:pre>
-If the system is 64 bit then also add the following line:
-<html:pre>-a always,exit -F arch=b64 -S fchmod -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following line to
-<html:code>/etc/audit/audit.rules</html:code> file:
-<html:pre>-a always,exit -F arch=b32 -S fchmod -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</html:pre>
-If the system is 64 bit then also add the following line:
-<html:pre>-a always,exit -F arch=b64 -S fchmod -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:warning category="general">Note that these rules can be configured in a
-number of ways while still achieving the desired effect. Here the system calls
-have been placed independent of other system calls. Grouping these system
-calls with others as identifying earlier in this guide is more efficient.</xccdf-1.2:warning>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000126</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000130</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000135</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000169</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.5.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000064-GPOS-00033</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000466-GPOS-00210</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000458-GPOS-00203</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000458-VMM-001810</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000474-VMM-001940</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>The changing of file permissions could indicate that a user is attempting to
-gain access to information that would otherwise be disallowed. Auditing DAC modifications
-can facilitate the identification of patterns of abuse among both authorized and
-unauthorized users.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82558-8</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_dac_modification_fchmod" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20fchmod%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20fchmod%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-fchmod_dac_modification.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_dac_modification_fchmod:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_dac_modification_fchmod_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat" severity="medium">
-                <xccdf-1.2:title>Record Events that Modify the System's Discretionary Access Controls - fchmodat</xccdf-1.2:title>
-                <xccdf-1.2:description>At a minimum, the audit system should collect file permission
-changes for all users and root. If the <html:code>auditd</html:code> daemon is configured to
-use the <html:code>augenrules</html:code> program to read audit rules during daemon startup
-(the default), add the following line to a file with suffix <html:code>.rules</html:code> in
-the directory <html:code>/etc/audit/rules.d</html:code>:
-<html:pre>-a always,exit -F arch=b32 -S fchmodat -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</html:pre>
-If the system is 64 bit then also add the following line:
-<html:pre>-a always,exit -F arch=b64 -S fchmodat -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following line to
-<html:code>/etc/audit/audit.rules</html:code> file:
-<html:pre>-a always,exit -F arch=b32 -S fchmodat -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</html:pre>
-If the system is 64 bit then also add the following line:
-<html:pre>-a always,exit -F arch=b64 -S fchmodat -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:warning category="general">Note that these rules can be configured in a
-number of ways while still achieving the desired effect. Here the system calls
-have been placed independent of other system calls. Grouping these system
-calls with others as identifying earlier in this guide is more efficient.</xccdf-1.2:warning>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000126</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000130</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000135</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000169</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.5.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000064-GPOS-00033</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000466-GPOS-00210</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000458-GPOS-00203</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000458-VMM-001810</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000474-VMM-001940</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>The changing of file permissions could indicate that a user is attempting to
-gain access to information that would otherwise be disallowed. Auditing DAC modifications
-can facilitate the identification of patterns of abuse among both authorized and
-unauthorized users.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82559-6</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_dac_modification_fchmodat" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20fchmodat%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20fchmodat%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-fchmodat_dac_modification.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_dac_modification_fchmodat:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_dac_modification_fchmodat_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown" severity="medium">
-                <xccdf-1.2:title>Record Events that Modify the System's Discretionary Access Controls - fchown</xccdf-1.2:title>
-                <xccdf-1.2:description>At a minimum, the audit system should collect file permission
-changes for all users and root. If the <html:code>auditd</html:code> daemon is configured
-to use the <html:code>augenrules</html:code> program to read audit rules during daemon
-startup (the default), add the following line to a file with suffix
-<html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>:
-<html:pre>-a always,exit -F arch=b32 -S fchown -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</html:pre>
-
-If the system is 64 bit then also add the following line:
-<html:pre>-a always,exit -F arch=b64 -S fchown -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</html:pre>
-
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following line to
-<html:code>/etc/audit/audit.rules</html:code> file:
-<html:pre>-a always,exit -F arch=b32 -S fchown -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</html:pre>
-
-If the system is 64 bit then also add the following line:
-<html:pre>-a always,exit -F arch=b64 -S fchown -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:warning category="general">Note that these rules can be configured in a
-number of ways while still achieving the desired effect. Here the system calls
-have been placed independent of other system calls. Grouping these system
-calls with others as identifying earlier in this guide is more efficient.</xccdf-1.2:warning>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000126</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000130</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000135</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000169</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.5.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000064-GPOS-00033</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000466-GPOS-00210</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000458-GPOS-00203</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000474-GPOS-00219</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000458-VMM-001810</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000474-VMM-001940</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>The changing of file permissions could indicate that a user is attempting to
-gain access to information that would otherwise be disallowed. Auditing DAC modifications
-can facilitate the identification of patterns of abuse among both authorized and
-unauthorized users.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82560-4</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_dac_modification_fchown" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20fchown%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20fchown%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-fchown_dac_modification.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_dac_modification_fchown:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_dac_modification_fchown_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat" severity="medium">
-                <xccdf-1.2:title>Record Events that Modify the System's Discretionary Access Controls - fchownat</xccdf-1.2:title>
-                <xccdf-1.2:description>At a minimum, the audit system should collect file permission
-changes for all users and root. If the <html:code>auditd</html:code> daemon is configured
-to use the <html:code>augenrules</html:code> program to read audit rules during daemon
-startup (the default), add the following line to a file with suffix
-<html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>:
-<html:pre>-a always,exit -F arch=b32 -S fchownat -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</html:pre>
-If the system is 64 bit then also add the following line:
-<html:pre>-a always,exit -F arch=b64 -S fchownat -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following line to
-<html:code>/etc/audit/audit.rules</html:code> file:
-<html:pre>-a always,exit -F arch=b32 -S fchownat -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</html:pre>
-If the system is 64 bit then also add the following line:
-<html:pre>-a always,exit -F arch=b64 -S fchownat -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:warning category="general">Note that these rules can be configured in a
-number of ways while still achieving the desired effect. Here the system calls
-have been placed independent of other system calls. Grouping these system
-calls with others as identifying earlier in this guide is more efficient.</xccdf-1.2:warning>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000126</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000130</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000135</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000169</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.5.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000064-GPOS-00033</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000466-GPOS-00210</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000458-GPOS-00203</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000474-GPOS-00219</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000458-VMM-001810</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000474-VMM-001940</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>The changing of file permissions could indicate that a user is attempting to
-gain access to information that would otherwise be disallowed. Auditing DAC modifications
-can facilitate the identification of patterns of abuse among both authorized and
-unauthorized users.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82561-2</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_dac_modification_fchownat" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20fchownat%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20fchownat%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-fchownat_dac_modification.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_dac_modification_fchownat:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_dac_modification_fchownat_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr" severity="medium">
-                <xccdf-1.2:title>Record Events that Modify the System's Discretionary Access Controls - fremovexattr</xccdf-1.2:title>
-                <xccdf-1.2:description>At a minimum, the audit system should collect file permission
-changes for all users and root.
-<html:br/><html:br/>
-If the <html:code>auditd</html:code> daemon is configured
-to use the <html:code>augenrules</html:code> program to read audit rules during daemon
-startup (the default), add the following line to a file with suffix
-<html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>:
-<html:pre>-a always,exit -F arch=b32 -S fremovexattr -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</html:pre>
-<html:br/><html:br/>
-If the system is 64 bit then also add the following line:
-<html:pre>-a always,exit -F arch=b64 -S fremovexattr -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</html:pre>
-<html:br/><html:br/>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following line to
-<html:code>/etc/audit/audit.rules</html:code> file:
-<html:pre>-a always,exit -F arch=b32 -S fremovexattr -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</html:pre>
-<html:br/><html:br/>
-If the system is 64 bit then also add the following line:
-<html:pre>-a always,exit -F arch=b64 -S fremovexattr -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:warning category="general">Note that these rules can be configured in a
-number of ways while still achieving the desired effect. Here the system calls
-have been placed independent of other system calls. Grouping these system
-calls with others as identifying earlier in this guide is more efficient.</xccdf-1.2:warning>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000130</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000135</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000169</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.5.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000458-GPOS-00203</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000463-GPOS-00207</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000474-GPOS-00219</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000466-GPOS-00210</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000468-GPOS-00212</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000064-GPOS-00033</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000458-VMM-001810</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000474-VMM-001940</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>The changing of file permissions could indicate that a user is attempting to
-gain access to information that would otherwise be disallowed. Auditing DAC modifications
-can facilitate the identification of patterns of abuse among both authorized and
-unauthorized users.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82562-0</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_dac_modification_fremovexattr" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20fremovexattr%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20fremovexattr%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-fremovexattr_dac_modification.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_dac_modification_fremovexattr:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_dac_modification_fremovexattr_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr" severity="medium">
-                <xccdf-1.2:title>Record Events that Modify the System's Discretionary Access Controls - fsetxattr</xccdf-1.2:title>
-                <xccdf-1.2:description>At a minimum, the audit system should collect file permission
-changes for all users and root. If the <html:code>auditd</html:code> daemon is configured
-to use the <html:code>augenrules</html:code> program to read audit rules during daemon
-startup (the default), add the following line to a file with suffix
-<html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>:
-<html:pre>-a always,exit -F arch=b32 -S fsetxattr -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</html:pre>
-If the system is 64 bit then also add the following line:
-<html:pre>-a always,exit -F arch=b64 -S fsetxattr -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following line to
-<html:code>/etc/audit/audit.rules</html:code> file:
-<html:pre>-a always,exit -F arch=b32 -S fsetxattr -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</html:pre>
-If the system is 64 bit then also add the following line:
-<html:pre>-a always,exit -F arch=b64 -S fsetxattr -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:warning category="general">Note that these rules can be configured in a
-number of ways while still achieving the desired effect. Here the system calls
-have been placed independent of other system calls. Grouping these system
-calls with others as identifying earlier in this guide is more efficient.</xccdf-1.2:warning>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000126</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000130</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000135</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000169</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.5.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000458-GPOS-00203</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000463-GPOS-00207</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000466-GPOS-00210</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000468-GPOS-00212</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000474-GPOS-00219</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000064-GPOS-00033</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000458-VMM-001810</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000474-VMM-001940</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>The changing of file permissions could indicate that a user is attempting to
-gain access to information that would otherwise be disallowed. Auditing DAC modifications
-can facilitate the identification of patterns of abuse among both authorized and
-unauthorized users.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82563-8</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_dac_modification_fsetxattr" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20fsetxattr%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20fsetxattr%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-fsetxattr_dac_modification.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_dac_modification_fsetxattr:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_dac_modification_fsetxattr_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown" severity="medium">
-                <xccdf-1.2:title>Record Events that Modify the System's Discretionary Access Controls - lchown</xccdf-1.2:title>
-                <xccdf-1.2:description>At a minimum, the audit system should collect file permission
-changes for all users and root. If the <html:code>auditd</html:code> daemon is configured
-to use the <html:code>augenrules</html:code> program to read audit rules during daemon
-startup (the default), add the following line to a file with suffix
-<html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>:
-<html:pre>-a always,exit -F arch=b32 -S lchown -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</html:pre>
-If the system is 64 bit then also add the following line:
-<html:pre>-a always,exit -F arch=b64 -S lchown -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following line to
-<html:code>/etc/audit/audit.rules</html:code> file:
-<html:pre>-a always,exit -F arch=b32 -S lchown -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</html:pre>
-If the system is 64 bit then also add the following line:
-<html:pre>-a always,exit -F arch=b64 -S lchown -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:warning category="general">Note that these rules can be configured in a
-number of ways while still achieving the desired effect. Here the system calls
-have been placed independent of other system calls. Grouping these system
-calls with others as identifying earlier in this guide is more efficient.</xccdf-1.2:warning>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000126</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000130</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000135</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000169</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.5.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000064-GPOS-00033</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000466-GPOS-00210</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000458-GPOS-00203</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000474-GPOS-00219</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000458-VMM-001810</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000474-VMM-001940</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>The changing of file permissions could indicate that a user is attempting to
-gain access to information that would otherwise be disallowed. Auditing DAC modifications
-can facilitate the identification of patterns of abuse among both authorized and
-unauthorized users.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82564-6</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_dac_modification_lchown" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20lchown%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20lchown%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-lchown_dac_modification.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_dac_modification_lchown:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_dac_modification_lchown_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr" severity="medium">
-                <xccdf-1.2:title>Record Events that Modify the System's Discretionary Access Controls - lremovexattr</xccdf-1.2:title>
-                <xccdf-1.2:description>At a minimum, the audit system should collect file permission
-changes for all users and root.
-<html:br/><html:br/>
-If the <html:code>auditd</html:code> daemon is configured
-to use the <html:code>augenrules</html:code> program to read audit rules during daemon
-startup (the default), add the following line to a file with suffix
-<html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>:
-<html:pre>-a always,exit -F arch=b32 -S lremovexattr -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</html:pre>
-<html:br/><html:br/>
-If the system is 64 bit then also add the following line:
-<html:pre>-a always,exit -F arch=b64 -S lremovexattr -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</html:pre>
-<html:br/><html:br/>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following line to
-<html:code>/etc/audit/audit.rules</html:code> file:
-<html:pre>-a always,exit -F arch=b32 -S lremovexattr -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</html:pre>
-<html:br/><html:br/>
-If the system is 64 bit then also add the following line:
-<html:pre>-a always,exit -F arch=b64 -S lremovexattr -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:warning category="general">Note that these rules can be configured in a
-number of ways while still achieving the desired effect. Here the system calls
-have been placed independent of other system calls. Grouping these system
-calls with others as identifying earlier in this guide is more efficient.</xccdf-1.2:warning>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000130</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000135</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000169</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.5.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000458-GPOS-00203</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000463-GPOS-00207</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000468-GPOS-00212</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000474-GPOS-00219</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000466-GPOS-00210</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000064-GPOS-00033</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000458-VMM-001810</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000474-VMM-001940</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>The changing of file permissions could indicate that a user is attempting to
-gain access to information that would otherwise be disallowed. Auditing DAC modifications
-can facilitate the identification of patterns of abuse among both authorized and
-unauthorized users.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82565-3</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_dac_modification_lremovexattr" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20lremovexattr%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20lremovexattr%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-lremovexattr_dac_modification.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_dac_modification_lremovexattr:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_dac_modification_lremovexattr_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr" severity="medium">
-                <xccdf-1.2:title>Record Events that Modify the System's Discretionary Access Controls - lsetxattr</xccdf-1.2:title>
-                <xccdf-1.2:description>At a minimum, the audit system should collect file permission
-changes for all users and root. If the <html:code>auditd</html:code> daemon is configured
-to use the <html:code>augenrules</html:code> program to read audit rules during daemon
-startup (the default), add the following line to a file with suffix
-<html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>:
-<html:pre>-a always,exit -F arch=b32 -S lsetxattr -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</html:pre>
-If the system is 64 bit then also add the following line:
-<html:pre>-a always,exit -F arch=b64 -S lsetxattr -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following line to
-<html:code>/etc/audit/audit.rules</html:code> file:
-<html:pre>-a always,exit -F arch=b32 -S lsetxattr -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</html:pre>
-If the system is 64 bit then also add the following line:
-<html:pre>-a always,exit -F arch=b64 -S lsetxattr -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:warning category="general">Note that these rules can be configured in a
-number of ways while still achieving the desired effect. Here the system calls
-have been placed independent of other system calls. Grouping these system
-calls with others as identifying earlier in this guide is more efficient.</xccdf-1.2:warning>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000126</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000130</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000135</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000169</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.5.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000458-GPOS-00203</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000463-GPOS-00207</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000466-GPOS-00210</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000468-GPOS-00212</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000474-GPOS-00219</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000064-GPOS-00033</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000458-VMM-001810</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000474-VMM-001940</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>The changing of file permissions could indicate that a user is attempting to
-gain access to information that would otherwise be disallowed. Auditing DAC modifications
-can facilitate the identification of patterns of abuse among both authorized and
-unauthorized users.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82566-1</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_dac_modification_lsetxattr" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20lsetxattr%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20lsetxattr%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-lsetxattr_dac_modification.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_dac_modification_lsetxattr:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_dac_modification_lsetxattr_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr" severity="medium">
-                <xccdf-1.2:title>Record Events that Modify the System's Discretionary Access Controls - removexattr</xccdf-1.2:title>
-                <xccdf-1.2:description>At a minimum, the audit system should collect file permission
-changes for all users and root.
-<html:br/><html:br/>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>augenrules</html:code>
-program to read audit rules during daemon startup (the default), add the
-following line to a file with suffix <html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>:
-<html:pre>-a always,exit -F arch=b32 -S removexattr -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</html:pre>
-<html:br/><html:br/>
-If the system is 64 bit then also add the following line:
-<html:pre>-a always,exit -F arch=b64 -S removexattr -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</html:pre>
-<html:br/><html:br/>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following line to
-<html:code>/etc/audit/audit.rules</html:code> file:
-<html:pre>-a always,exit -F arch=b32 -S removexattr -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</html:pre>
-<html:br/><html:br/>
-If the system is 64 bit then also add the following line:
-<html:pre>-a always,exit -F arch=b64 -S removexattr -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:warning category="general">Note that these rules can be configured in a
-number of ways while still achieving the desired effect. Here the system calls
-have been placed independent of other system calls. Grouping these system
-calls with others as identifying earlier in this guide is more efficient.</xccdf-1.2:warning>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000130</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000135</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000169</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.5.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000458-GPOS-00203</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000463-GPOS-00207</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000468-GPOS-00212</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000474-GPOS-00219</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000466-GPOS-00210</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000064-GPOS-00033</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000458-VMM-001810</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000474-VMM-001940</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>The changing of file permissions could indicate that a user is attempting to
-gain access to information that would otherwise be disallowed. Auditing DAC modifications
-can facilitate the identification of patterns of abuse among both authorized and
-unauthorized users.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82567-9</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_dac_modification_removexattr" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20removexattr%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20removexattr%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-removexattr_dac_modification.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_dac_modification_removexattr:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_dac_modification_removexattr_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr" severity="medium">
-                <xccdf-1.2:title>Record Events that Modify the System's Discretionary Access Controls - setxattr</xccdf-1.2:title>
-                <xccdf-1.2:description>At a minimum, the audit system should collect file permission
-changes for all users and root. If the <html:code>auditd</html:code> daemon is configured
-to use the <html:code>augenrules</html:code> program to read audit rules during daemon
-startup (the default), add the following line to a file with suffix
-<html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>:
-<html:pre>-a always,exit -F arch=b32 -S setxattr -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</html:pre>
-If the system is 64 bit then also add the following line:
-<html:pre>-a always,exit -F arch=b64 -S setxattr -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following line to
-<html:code>/etc/audit/audit.rules</html:code> file:
-<html:pre>-a always,exit -F arch=b32 -S setxattr -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</html:pre>
-If the system is 64 bit then also add the following line:
-<html:pre>-a always,exit -F arch=b64 -S setxattr -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:warning category="general">Note that these rules can be configured in a
-number of ways while still achieving the desired effect. Here the system calls
-have been placed independent of other system calls. Grouping these system
-calls with others as identifying earlier in this guide is more efficient.</xccdf-1.2:warning>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000126</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000130</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000135</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000169</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.5.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000466-GPOS-00210</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000064-GPOS-00033</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000458-GPOS-00203</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000458-VMM-001810</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000474-VMM-001940</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>The changing of file permissions could indicate that a user is attempting to
-gain access to information that would otherwise be disallowed. Auditing DAC modifications
-can facilitate the identification of patterns of abuse among both authorized and
-unauthorized users.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82568-7</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_dac_modification_setxattr" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20setxattr%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20setxattr%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-setxattr_dac_modification.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_dac_modification_setxattr:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_dac_modification_setxattr_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_umount" severity="medium">
-                <xccdf-1.2:title>Record Events that Modify the System's Discretionary Access Controls - umount</xccdf-1.2:title>
-                <xccdf-1.2:description>At a minimum, the audit system should collect file system umount
-changes. If the <html:code>auditd</html:code> daemon is configured
-to use the <html:code>augenrules</html:code> program to read audit rules during daemon
-startup (the default), add the following line to a file with suffix
-<html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>:
-<html:pre>-a always,exit -F arch=b32 -S umount -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following line to
-<html:code>/etc/audit/audit.rules</html:code> file:
-<html:pre>-a always,exit -F arch=b32 -S umount -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:warning category="general">Note that these rules can be configured in a
-number of ways while still achieving the desired effect. Here the system calls
-have been placed independent of other system calls. Grouping these system
-calls with others as identifying earlier in this guide is more efficient.</xccdf-1.2:warning>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000130</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000169</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>The changing of file permissions could indicate that a user is attempting to
-gain access to information that would otherwise be disallowed. Auditing DAC modifications
-can facilitate the identification of patterns of abuse among both authorized and
-unauthorized users.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_dac_modification_umount:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_dac_modification_umount_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_umount2" severity="medium">
-                <xccdf-1.2:title>Record Events that Modify the System's Discretionary Access Controls - umount2</xccdf-1.2:title>
-                <xccdf-1.2:description>At a minimum, the audit system should collect file system umount2
-changes. If the <html:code>auditd</html:code> daemon is configured
-to use the <html:code>augenrules</html:code> program to read audit rules during daemon
-startup (the default), add the following line to a file with suffix
-<html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>:
-<html:pre>-a always,exit -F arch=b32 -S umount2 -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</html:pre>
-If the system is 64 bit then also add the following line:
-<html:pre>-a always,exit -F arch=b64 -S umount2 -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following line to
-<html:code>/etc/audit/audit.rules</html:code> file:
-<html:pre>-a always,exit -F arch=b32 -S umount2 -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</html:pre>
-If the system is 64 bit then also add the following line:
-<html:pre>-a always,exit -F arch=b64 -S umount2 -F auid&gt;=1000 -F auid!=unset -F key=perm_mod</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:warning category="general">Note that these rules can be configured in a
-number of ways while still achieving the desired effect. Here the system calls
-have been placed independent of other system calls. Grouping these system
-calls with others as identifying earlier in this guide is more efficient.</xccdf-1.2:warning>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000130</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000169</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>The changing of file permissions could indicate that a user is attempting to
-gain access to information that would otherwise be disallowed. Auditing DAC modifications
-can facilitate the identification of patterns of abuse among both authorized and
-unauthorized users.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_dac_modification_umount2" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20umount2%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20umount2%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dperm_mod%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-umount2_dac_modification.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_dac_modification_umount2:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_dac_modification_umount2_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-            </xccdf-1.2:Group>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_audit_execution_acl_commands">
-              <xccdf-1.2:title>Record Execution Attempts to Run ACL Privileged Commands</xccdf-1.2:title>
-              <xccdf-1.2:description>At a minimum, the audit system should collect the execution of
-ACL privileged commands for all users and root.</xccdf-1.2:description>
-              <xccdf-1.2:platform idref="#audit"/>
-            </xccdf-1.2:Group>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_audit_execution_selinux_commands">
-              <xccdf-1.2:title>Record Execution Attempts to Run SELinux Privileged Commands</xccdf-1.2:title>
-              <xccdf-1.2:description>At a minimum, the audit system should collect the execution of
-SELinux privileged commands for all users and root.</xccdf-1.2:description>
-              <xccdf-1.2:platform idref="#audit"/>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon" severity="medium">
-                <xccdf-1.2:title>Record Any Attempts to Run chcon</xccdf-1.2:title>
-                <xccdf-1.2:description>At a minimum, the audit system should collect any execution attempt
-of the <html:code>chcon</html:code> command for all users and root. If the <html:code>auditd</html:code>
-daemon is configured to use the <html:code>augenrules</html:code> program to read audit rules
-during daemon startup (the default), add the following lines to a file with suffix
-<html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>:
-<html:pre>-a always,exit -F path=/usr/bin/chcon -F auid&gt;=1000 -F auid!=unset -F key=privileged</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following lines to
-<html:code>/etc/audit/audit.rules</html:code> file:
-<html:pre>-a always,exit -F path=/usr/bin/chcon -F auid&gt;=1000 -F auid!=unset -F key=privileged</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000130</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000135</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000169</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000468-GPOS-00212</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000463-GPOS-00207</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000465-GPOS-00209</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000463-VMM-001850</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Misuse of privileged functions, either intentionally or unintentionally by
-authorized users, or by unauthorized external entities that have compromised system accounts,
-is a serious and ongoing concern and can have significant adverse impacts on organizations.
-Auditing the use of privileged functions is one way to detect such misuse and identify
-the risk from insider and advanced persistent threats.
-<html:br/><html:br/>
-Privileged programs are subject to escalation-of-privilege attacks,
-which attempt to subvert their normal role of providing some necessary but
-limited capability. As such, motivation exists to monitor these programs for
-unusual activity.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82569-5</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_execution_chcon" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20path%3D/usr/bin/chcon%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-usr_bin_chcon_execution.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_execution_chcon:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_execution_chcon_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_execution_restorecon" severity="medium">
-                <xccdf-1.2:title>Record Any Attempts to Run restorecon</xccdf-1.2:title>
-                <xccdf-1.2:description>At a minimum, the audit system should collect any execution attempt
-of the <html:code>restorecon</html:code> command for all users and root. If the <html:code>auditd</html:code>
-daemon is configured to use the <html:code>augenrules</html:code> program to read audit rules
-during daemon startup (the default), add the following lines to a file with suffix
-<html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>:
-<html:pre>-a always,exit -F path=/usr/sbin/restorecon -F auid&gt;=1000 -F auid!=unset -F key=privileged</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following lines to
-<html:code>/etc/audit/audit.rules</html:code> file:
-<html:pre>-a always,exit -F path=/usr/sbin/restorecon -F auid&gt;=1000 -F auid!=unset -F key=privileged</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000463-GPOS-00207</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000465-GPOS-00209</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000463-VMM-001850</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Misuse of privileged functions, either intentionally or unintentionally by
-authorized users, or by unauthorized external entities that have compromised system accounts,
-is a serious and ongoing concern and can have significant adverse impacts on organizations.
-Auditing the use of privileged functions is one way to detect such misuse and identify
-the risk from insider and advanced persistent threats.
-<html:br/><html:br/>
-Privileged programs are subject to escalation-of-privilege attacks,
-which attempt to subvert their normal role of providing some necessary but
-limited capability. As such, motivation exists to monitor these programs for
-unusual activity.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82570-3</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_execution_restorecon" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20path%3D/usr/sbin/restorecon%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-usr_sbin_restorecon_execution.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_execution_restorecon:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_execution_restorecon_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_execution_semanage" severity="medium">
-                <xccdf-1.2:title>Record Any Attempts to Run semanage</xccdf-1.2:title>
-                <xccdf-1.2:description>At a minimum, the audit system should collect any execution attempt
-of the <html:code>semanage</html:code> command for all users and root. If the <html:code>auditd</html:code>
-daemon is configured to use the <html:code>augenrules</html:code> program to read audit rules
-during daemon startup (the default), add the following lines to a file with suffix
-<html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>:
-<html:pre>-a always,exit -F path=/usr/sbin/semanage -F auid&gt;=1000 -F auid!=unset -F key=privileged</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following lines to
-<html:code>/etc/audit/audit.rules</html:code> file:
-<html:pre>-a always,exit -F path=/usr/sbin/semanage -F auid&gt;=1000 -F auid!=unset -F key=privileged</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000169</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(4)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000463-GPOS-00207</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000465-GPOS-00209</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000463-VMM-001850</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Misuse of privileged functions, either intentionally or unintentionally by
-authorized users, or by unauthorized external entities that have compromised system accounts,
-is a serious and ongoing concern and can have significant adverse impacts on organizations.
-Auditing the use of privileged functions is one way to detect such misuse and identify
-the risk from insider and advanced persistent threats.
-<html:br/><html:br/>
-Privileged programs are subject to escalation-of-privilege attacks,
-which attempt to subvert their normal role of providing some necessary but
-limited capability. As such, motivation exists to monitor these programs for
-unusual activity.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82571-1</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_execution_semanage" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20path%3D/usr/sbin/semanage%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-usr_sbin_semanage_execution.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_execution_semanage:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_execution_semanage_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_execution_setfiles" severity="medium">
-                <xccdf-1.2:title>Record Any Attempts to Run setfiles</xccdf-1.2:title>
-                <xccdf-1.2:description>At a minimum, the audit system should collect any execution attempt
-of the <html:code>setfiles</html:code> command for all users and root. If the <html:code>auditd</html:code>
-daemon is configured to use the <html:code>augenrules</html:code> program to read audit rules
-during daemon startup (the default), add the following lines to a file with suffix
-<html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>:
-<html:pre>-a always,exit -F path=/usr/sbin/setfiles -F auid&gt;=1000 -F auid!=unset -F key=privileged</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following lines to
-<html:code>/etc/audit/audit.rules</html:code> file:
-<html:pre>-a always,exit -F path=/usr/sbin/setfiles -F auid&gt;=1000 -F auid!=unset -F key=privileged</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000169</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000463-GPOS-00207</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000465-GPOS-00209</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000463-VMM-001850</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Misuse of privileged functions, either intentionally or unintentionally by
-authorized users, or by unauthorized external entities that have compromised system accounts,
-is a serious and ongoing concern and can have significant adverse impacts on organizations.
-Auditing the use of privileged functions is one way to detect such misuse and identify
-the risk from insider and advanced persistent threats.
-<html:br/><html:br/>
-Privileged programs are subject to escalation-of-privilege attacks,
-which attempt to subvert their normal role of providing some necessary but
-limited capability. As such, motivation exists to monitor these programs for
-unusual activity.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82572-9</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_execution_setfiles" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20path%3D/usr/sbin/setfiles%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-usr_sbin_setfiles_execution.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_execution_setfiles:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_execution_setfiles_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_execution_setsebool" severity="medium">
-                <xccdf-1.2:title>Record Any Attempts to Run setsebool</xccdf-1.2:title>
-                <xccdf-1.2:description>At a minimum, the audit system should collect any execution attempt
-of the <html:code>setsebool</html:code> command for all users and root. If the <html:code>auditd</html:code>
-daemon is configured to use the <html:code>augenrules</html:code> program to read audit rules
-during daemon startup (the default), add the following lines to a file with suffix
-<html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>:
-<html:pre>-a always,exit -F path=/usr/sbin/setsebool -F auid&gt;=1000 -F auid!=unset -F key=privileged</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following lines to
-<html:code>/etc/audit/audit.rules</html:code> file:
-<html:pre>-a always,exit -F path=/usr/sbin/setsebool -F auid&gt;=1000 -F auid!=unset -F key=privileged</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000130</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000135</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000169</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000463-GPOS-00207</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000465-GPOS-00209</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000463-VMM-001850</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Misuse of privileged functions, either intentionally or unintentionally by
-authorized users, or by unauthorized external entities that have compromised system accounts,
-is a serious and ongoing concern and can have significant adverse impacts on organizations.
-Auditing the use of privileged functions is one way to detect such misuse and identify
-the risk from insider and advanced persistent threats.
-<html:br/><html:br/>
-Privileged programs are subject to escalation-of-privilege attacks,
-which attempt to subvert their normal role of providing some necessary but
-limited capability. As such, motivation exists to monitor these programs for
-unusual activity.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82573-7</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_execution_setsebool" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20path%3D/usr/sbin/setsebool%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-usr_sbin_setsebool_execution.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_execution_setsebool:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_execution_setsebool_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_execution_seunshare" severity="medium">
-                <xccdf-1.2:title>Record Any Attempts to Run seunshare</xccdf-1.2:title>
-                <xccdf-1.2:description>At a minimum, the audit system should collect any execution attempt
-of the <html:code>seunshare</html:code> command for all users and root. If the <html:code>auditd</html:code>
-daemon is configured to use the <html:code>augenrules</html:code> program to read audit rules
-during daemon startup (the default), add the following lines to a file with suffix
-<html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>:
-<html:pre>-a always,exit -F path=/usr/sbin/seunshare -F auid&gt;=1000 -F auid!=unset -F key=privileged</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following lines to
-<html:code>/etc/audit/audit.rules</html:code> file:
-<html:pre>-a always,exit -F path=/usr/sbin/seunshare -F auid&gt;=1000 -F auid!=unset -F key=privileged</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000463-VMM-001850</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Misuse of privileged functions, either intentionally or unintentionally by
-authorized users, or by unauthorized external entities that have compromised system accounts,
-is a serious and ongoing concern and can have significant adverse impacts on organizations.
-Auditing the use of privileged functions is one way to detect such misuse and identify
-the risk from insider and advanced persistent threats.
-<html:br/><html:br/>
-Privileged programs are subject to escalation-of-privilege attacks,
-which attempt to subvert their normal role of providing some necessary but
-limited capability. As such, motivation exists to monitor these programs for
-unusual activity.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82574-5</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_execution_seunshare" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20path%3D/usr/sbin/seunshare%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-usr_sbin_seunshare_execution.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_execution_seunshare:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_execution_seunshare_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-            </xccdf-1.2:Group>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_audit_file_deletion_events">
-              <xccdf-1.2:title>Record File Deletion Events by User</xccdf-1.2:title>
-              <xccdf-1.2:description>At a minimum, the audit system should collect file deletion events
-for all users and root. If the <html:code>auditd</html:code> daemon is configured to use the
-<html:code>augenrules</html:code> program to read audit rules during daemon startup (the
-default), add the following line to a file with suffix <html:code>.rules</html:code> in the
-directory <html:code>/etc/audit/rules.d</html:code>, setting ARCH to either b32 or b64 as
-appropriate for your system:
-<html:pre>-a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename,renameat -F auid&gt;=1000 -F auid!=unset -F key=delete</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following line to
-<html:code>/etc/audit/audit.rules</html:code> file, setting ARCH to either b32 or b64 as
-appropriate for your system:
-<html:pre>-a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename,renameat -F auid&gt;=1000 -F auid!=unset -F key=delete</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:platform idref="#audit"/>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events" severity="medium">
-                <xccdf-1.2:title>Ensure auditd Collects File Deletion Events by User</xccdf-1.2:title>
-                <xccdf-1.2:description>At a minimum the audit system should collect file deletion events
-for all users and root. If the <html:code>auditd</html:code> daemon is configured to use the
-<html:code>augenrules</html:code> program to read audit rules during daemon startup (the
-default), add the following line to a file with suffix <html:code>.rules</html:code> in the
-directory <html:code>/etc/audit/rules.d</html:code>, setting ARCH to either b32 or b64 as
-appropriate for your system:
-<html:pre>-a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename,renameat -F auid&gt;=1000 -F auid!=unset -F key=delete</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following line to
-<html:code>/etc/audit/audit.rules</html:code> file, setting ARCH to either b32 or b64 as
-appropriate for your system:
-<html:pre>-a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename -S renameat -F auid&gt;=1000 -F auid!=unset -F key=delete</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:warning category="general">This rule checks for multiple syscalls related to file deletion;
-it was written with DISA STIG in mind. Other policies should use a
-separate rule for each syscall that needs to be checked. For example:
-<html:ul><html:li><html:code>audit_rules_file_deletion_events_rmdir</html:code></html:li><html:li><html:code>audit_rules_file_deletion_events_unlink</html:code></html:li><html:li><html:code>audit_rules_file_deletion_events_unlinkat</html:code></html:li></html:ul></xccdf-1.2:warning>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Auditing file deletions will create an audit trail for files that are removed
-from the system. The audit trail could aid in system troubleshooting, as well as, detecting
-malicious processes that attempt to delete log files to conceal their presence.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_file_deletion_events:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_file_deletion_events_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rename" severity="medium">
-                <xccdf-1.2:title>Ensure auditd Collects File Deletion Events by User - rename</xccdf-1.2:title>
-                <xccdf-1.2:description>At a minimum, the audit system should collect file deletion events
-for all users and root. If the <html:code>auditd</html:code> daemon is configured to use the
-<html:code>augenrules</html:code> program to read audit rules during daemon startup (the
-default), add the following line to a file with suffix <html:code>.rules</html:code> in the
-directory <html:code>/etc/audit/rules.d</html:code>, setting ARCH to either b32 or b64 as
-appropriate for your system:
-<html:pre>-a always,exit -F arch=ARCH -S rename -F auid&gt;=1000 -F auid!=unset -F key=delete</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following line to
-<html:code>/etc/audit/audit.rules</html:code> file, setting ARCH to either b32 or b64 as
-appropriate for your system:
-<html:pre>-a always,exit -F arch=ARCH -S rename -F auid&gt;=1000 -F auid!=unset -F key=delete</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000130</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000135</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000169</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.MA-2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000466-GPOS-00210</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000467-GPOS-00211</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000468-GPOS-00212</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000466-VMM-001870</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000468-VMM-001890</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Auditing file deletions will create an audit trail for files that are removed
-from the system. The audit trail could aid in system troubleshooting, as well as, detecting
-malicious processes that attempt to delete log files to conceal their presence.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82575-2</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_file_deletion_events_rename" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20rename%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Ddelete%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20rename%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Ddelete%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-rename-file-deletion-events.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_file_deletion_events_rename:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_file_deletion_events_rename_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_renameat" severity="medium">
-                <xccdf-1.2:title>Ensure auditd Collects File Deletion Events by User - renameat</xccdf-1.2:title>
-                <xccdf-1.2:description>At a minimum, the audit system should collect file deletion events
-for all users and root. If the <html:code>auditd</html:code> daemon is configured to use the
-<html:code>augenrules</html:code> program to read audit rules during daemon startup (the
-default), add the following line to a file with suffix <html:code>.rules</html:code> in the
-directory <html:code>/etc/audit/rules.d</html:code>, setting ARCH to either b32 or b64 as
-appropriate for your system:
-<html:pre>-a always,exit -F arch=ARCH -S renameat -F auid&gt;=1000 -F auid!=unset -F key=delete</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following line to
-<html:code>/etc/audit/audit.rules</html:code> file, setting ARCH to either b32 or b64 as
-appropriate for your system:
-<html:pre>-a always,exit -F arch=ARCH -S renameat -F auid&gt;=1000 -F auid!=unset -F key=delete</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000130</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000135</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000169</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.MA-2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000466-GPOS-00210</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000467-GPOS-00211</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000468-GPOS-00212</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000466-VMM-001870</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000468-VMM-001890</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Auditing file deletions will create an audit trail for files that are removed
-from the system. The audit trail could aid in system troubleshooting, as well as, detecting
-malicious processes that attempt to delete log files to conceal their presence.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82576-0</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_file_deletion_events_renameat" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20renameat%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Ddelete%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20renameat%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Ddelete%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-renameat-file-deletion-events.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_file_deletion_events_renameat:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_file_deletion_events_renameat_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_rmdir" severity="medium">
-                <xccdf-1.2:title>Ensure auditd Collects File Deletion Events by User - rmdir</xccdf-1.2:title>
-                <xccdf-1.2:description>At a minimum, the audit system should collect file deletion events
-for all users and root. If the <html:code>auditd</html:code> daemon is configured to use the
-<html:code>augenrules</html:code> program to read audit rules during daemon startup (the
-default), add the following line to a file with suffix <html:code>.rules</html:code> in the
-directory <html:code>/etc/audit/rules.d</html:code>, setting ARCH to either b32 or b64 as
-appropriate for your system:
-<html:pre>-a always,exit -F arch=ARCH -S rmdir -F auid&gt;=1000 -F auid!=unset -F key=delete</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following line to
-<html:code>/etc/audit/audit.rules</html:code> file, setting ARCH to either b32 or b64 as
-appropriate for your system:
-<html:pre>-a always,exit -F arch=ARCH -S rmdir -F auid&gt;=1000 -F auid!=unset -F key=delete</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000130</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000135</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000169</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.MA-2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000466-GPOS-00210</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000467-GPOS-00211</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000468-GPOS-00212</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000466-VMM-001870</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000468-VMM-001890</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Auditing file deletions will create an audit trail for files that are removed
-from the system. The audit trail could aid in system troubleshooting, as well as, detecting
-malicious processes that attempt to delete log files to conceal their presence.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82577-8</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_file_deletion_events_rmdir" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20rmdir%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Ddelete%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20rmdir%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Ddelete%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-rmdir-file-deletion-events.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_file_deletion_events_rmdir:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_file_deletion_events_rmdir_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlink" severity="medium">
-                <xccdf-1.2:title>Ensure auditd Collects File Deletion Events by User - unlink</xccdf-1.2:title>
-                <xccdf-1.2:description>At a minimum, the audit system should collect file deletion events
-for all users and root. If the <html:code>auditd</html:code> daemon is configured to use the
-<html:code>augenrules</html:code> program to read audit rules during daemon startup (the
-default), add the following line to a file with suffix <html:code>.rules</html:code> in the
-directory <html:code>/etc/audit/rules.d</html:code>, setting ARCH to either b32 or b64 as
-appropriate for your system:
-<html:pre>-a always,exit -F arch=ARCH -S unlink -F auid&gt;=1000 -F auid!=unset -F key=delete</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following line to
-<html:code>/etc/audit/audit.rules</html:code> file, setting ARCH to either b32 or b64 as
-appropriate for your system:
-<html:pre>-a always,exit -F arch=ARCH -S unlink -F auid&gt;=1000 -F auid!=unset -F key=delete</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000130</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000135</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000169</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.MA-2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000466-GPOS-00210</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000467-GPOS-00211</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000468-GPOS-00212</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000466-VMM-001870</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000468-VMM-001890</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Auditing file deletions will create an audit trail for files that are removed
-from the system. The audit trail could aid in system troubleshooting, as well as, detecting
-malicious processes that attempt to delete log files to conceal their presence.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82578-6</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_file_deletion_events_unlink" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20unlink%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Ddelete%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20unlink%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Ddelete%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-unlink-file-deletion-events.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_file_deletion_events_unlink:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_file_deletion_events_unlink_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_file_deletion_events_unlinkat" severity="medium">
-                <xccdf-1.2:title>Ensure auditd Collects File Deletion Events by User - unlinkat</xccdf-1.2:title>
-                <xccdf-1.2:description>At a minimum, the audit system should collect file deletion events
-for all users and root. If the <html:code>auditd</html:code> daemon is configured to use the
-<html:code>augenrules</html:code> program to read audit rules during daemon startup (the
-default), add the following line to a file with suffix <html:code>.rules</html:code> in the
-directory <html:code>/etc/audit/rules.d</html:code>, setting ARCH to either b32 or b64 as
-appropriate for your system:
-<html:pre>-a always,exit -F arch=ARCH -S unlinkat -F auid&gt;=1000 -F auid!=unset -F key=delete</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following line to
-<html:code>/etc/audit/audit.rules</html:code> file, setting ARCH to either b32 or b64 as
-appropriate for your system:
-<html:pre>-a always,exit -F arch=ARCH -S unlinkat -F auid&gt;=1000 -F auid!=unset -F key=delete</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000130</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000135</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000169</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.MA-2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000466-GPOS-00210</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000467-GPOS-00211</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000468-GPOS-00212</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000466-VMM-001870</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000468-VMM-001890</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Auditing file deletions will create an audit trail for files that are removed
-from the system. The audit trail could aid in system troubleshooting, as well as, detecting
-malicious processes that attempt to delete log files to conceal their presence.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82579-4</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_file_deletion_events_unlinkat" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20unlinkat%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Ddelete%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20unlinkat%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Ddelete%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-unlinkat-file-deletion-events.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_file_deletion_events_unlinkat:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_file_deletion_events_unlinkat_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-            </xccdf-1.2:Group>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_audit_file_modification">
-              <xccdf-1.2:title>Record Unauthorized Access Attempts Events to Files (unsuccessful)</xccdf-1.2:title>
-              <xccdf-1.2:description>At a minimum, the audit system should collect unauthorized file
-accesses for all users and root. Note that the "-F arch=b32" lines should be
-present even on a 64 bit system. These commands identify system calls for
-auditing. Even if the system is 64 bit it can still execute 32 bit system
-calls. Additionally, these rules can be configured in a number of ways while
-still achieving the desired effect. An example of this is that the "-S" calls
-could be split up and placed on separate lines, however, this is less efficient.
-Add the following to <html:code>/etc/audit/audit.rules</html:code>:
-<html:pre>-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=access
-    -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=access</html:pre>
-If your system is 64 bit then these lines should be duplicated and the
-arch=b32 replaced with arch=b64 as follows:
-<html:pre>-a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=access
-    -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=access</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:platform idref="#audit"/>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification" severity="medium">
-                <xccdf-1.2:title>Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)</xccdf-1.2:title>
-                <xccdf-1.2:description>At a minimum the audit system should collect unauthorized file
-accesses for all users and root. If the <html:code>auditd</html:code> daemon is configured
-to use the <html:code>augenrules</html:code> program to read audit rules during daemon
-startup (the default), add the following lines to a file with suffix
-<html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>:
-<html:pre>-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=access</html:pre>
-If the system is 64 bit then also add the following lines:
-<html:pre>
--a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=access</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following lines to
-<html:code>/etc/audit/audit.rules</html:code> file:
-<html:pre>-a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=access</html:pre>
-If the system is 64 bit then also add the following lines:
-<html:pre>
--a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=access</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:warning category="general">This rule checks for multiple syscalls related to unsuccessful file modification;
-it was written with DISA STIG in mind. Other policies should use a
-separate rule for each syscall that needs to be checked. For example:
-<html:ul><html:li><html:code>audit_rules_unsuccessful_file_modification_open</html:code></html:li><html:li><html:code>audit_rules_unsuccessful_file_modification_ftruncate</html:code></html:li><html:li><html:code>audit_rules_unsuccessful_file_modification_creat</html:code></html:li></html:ul></xccdf-1.2:warning>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">0582</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">0584</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">05885</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">0586</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">0846</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">0957</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_unsuccessful_file_modification:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_unsuccessful_file_modification_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_chmod" severity="medium">
-                <xccdf-1.2:title>Record Unsuccessful Permission Changes to Files - chmod</xccdf-1.2:title>
-                <xccdf-1.2:description>The audit system should collect unsuccessful file permission change
-attempts for all users and root.
-If the <html:code>auditd</html:code> daemon is configured
-to use the <html:code>augenrules</html:code> program to read audit rules during daemon
-startup (the default), add the following lines to a file with suffix
-<html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>.
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following lines to
-<html:code>/etc/audit/audit.rules</html:code> file.
-<html:pre>-a always,exit -F arch=b32 -S chmod -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b32 -S chmod -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-perm-change</html:pre>
-If the system is 64 bit then also add the following lines:
-<html:pre>-a always,exit -F arch=b64 -S chmod -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b64 -S chmod -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-perm-change</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:warning category="general">Note that these rules can be configured in a
-number of ways while still achieving the desired effect. Here the audit rule checks a
-system call independently of other system calls. Grouping system calls related
-to the same event is more efficient. See the following example:
-<html:pre>-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-perm-change</html:pre></xccdf-1.2:warning>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000458-VMM-001810</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000461-VMM-001830</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82619-8</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_unsuccessful_file_modification_chmod" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20chmod%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20chmod%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20chmod%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20chmod%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-chmod_audit_rules_unsuccessful_file_modification.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_unsuccessful_file_modification_chmod:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_unsuccessful_file_modification_chmod_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_chown" severity="medium">
-                <xccdf-1.2:title>Record Unsuccessful Ownership Changes to Files - chown</xccdf-1.2:title>
-                <xccdf-1.2:description>The audit system should collect unsuccessful file ownership change
-attempts for all users and root.
-If the <html:code>auditd</html:code> daemon is configured
-to use the <html:code>augenrules</html:code> program to read audit rules during daemon
-startup (the default), add the following lines to a file with suffix
-<html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>.
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following lines to
-<html:code>/etc/audit/audit.rules</html:code> file.
-<html:pre>-a always,exit -F arch=b32 -S chown -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b32 -S chown -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-perm-change</html:pre>
-If the system is 64 bit then also add the following lines:
-<html:pre>-a always,exit -F arch=b64 -S chown -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b64 -S chown -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-perm-change</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:warning category="general">Note that these rules can be configured in a
-number of ways while still achieving the desired effect. Here the audit rule checks a
-system call independently of other system calls. Grouping system calls related
-to the same event is more efficient. See the following example:
-<html:pre>-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-perm-change</html:pre></xccdf-1.2:warning>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000458-VMM-001810</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000461-VMM-001830</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82620-6</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_unsuccessful_file_modification_chown" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20chown%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20chown%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20chown%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20chown%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-chown_audit_rules_unsuccessful_file_modification.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_unsuccessful_file_modification_chown:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_unsuccessful_file_modification_chown_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_creat" severity="medium">
-                <xccdf-1.2:title>Record Unsuccessful Access Attempts to Files - creat</xccdf-1.2:title>
-                <xccdf-1.2:description>At a minimum, the audit system should collect unauthorized file
-accesses for all users and root. If the <html:code>auditd</html:code> daemon is configured
-to use the <html:code>augenrules</html:code> program to read audit rules during daemon
-startup (the default), add the following lines to a file with suffix
-<html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>:
-<html:pre>-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=access</html:pre>
-If the system is 64 bit then also add the following lines:
-<html:pre>
--a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=access</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following lines to
-<html:code>/etc/audit/audit.rules</html:code> file:
-<html:pre>-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=access</html:pre>
-If the system is 64 bit then also add the following lines:
-<html:pre>
--a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=access</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:warning category="general">Note that these rules can be configured in a
-number of ways while still achieving the desired effect. Here the system calls
-have been placed independent of other system calls. Grouping these system
-calls with others as identifying earlier in this guide is more efficient.</xccdf-1.2:warning>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000130</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000135</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000169</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000064-GPOS-00033</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000458-GPOS-00203</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000461-GPOS-00205</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000458-VMM-001810</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000461-VMM-001830</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82621-4</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_unsuccessful_file_modification_creat" complexity="low" disruption="medium" reboot="true" strategy="disable">---
-
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ %23%23%20This%20content%20is%20a%20section%20of%20an%20Audit%20config%20snapshot%20recommended%20for%20Red%2520Hat%2520Enterprise%2520Linux%2520CoreOS%25204%20systems%20that%20target%20OSPP%20compliance.%0A%23%23%20The%20following%20content%20has%20been%20retreived%20on%202019-03-11%20from%3A%20https%3A//github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules%0A%0A%23%23%20The%20purpose%20of%20these%20rules%20is%20to%20meet%20the%20requirements%20for%20Operating%0A%23%23%20System%20Protection%20Profile%20%28OSPP%29v4.2.%20These%20rules%20depends%20on%20having%0A%23%23%2010-base-config.rules%2C%2011-loginuid.rules%2C%20and%2043-module-load.rules%20installed.%0A%0A%23%23%20Unsuccessful%20file%20creation%20%28open%20with%20O_CREAT%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A%0A%23%23%20Unsuccessful%20file%20modifications%20%28open%20for%20write%20or%20truncate%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A%0A%23%23%20Unsuccessful%20file%20access%20%28any%20other%20opens%29%20This%20has%20to%20go%20last.%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access }}
-        mode: 0600
-        path: /etc/audit/rules.d/30-ospp-v42-remediation.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_unsuccessful_file_modification_creat:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_unsuccessful_file_modification_creat_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fchmod" severity="medium">
-                <xccdf-1.2:title>Record Unsuccessful Permission Changes to Files - fchmod</xccdf-1.2:title>
-                <xccdf-1.2:description>The audit system should collect unsuccessful file permission change
-attempts for all users and root.
-If the <html:code>auditd</html:code> daemon is configured
-to use the <html:code>augenrules</html:code> program to read audit rules during daemon
-startup (the default), add the following lines to a file with suffix
-<html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>.
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following lines to
-<html:code>/etc/audit/audit.rules</html:code> file.
-<html:pre>-a always,exit -F arch=b32 -S fchmod -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b32 -S fchmod -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-perm-change</html:pre>
-If the system is 64 bit then also add the following lines:
-<html:pre>-a always,exit -F arch=b64 -S fchmod -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b64 -S fchmod -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-perm-change</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:warning category="general">Note that these rules can be configured in a
-number of ways while still achieving the desired effect. Here the audit rule checks a
-system call independently of other system calls. Grouping system calls related
-to the same event is more efficient. See the following example:
-<html:pre>-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-perm-change</html:pre></xccdf-1.2:warning>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000458-VMM-001810</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000461-VMM-001830</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82622-2</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_unsuccessful_file_modification_fchmod" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20fchmod%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20fchmod%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20fchmod%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20fchmod%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-fchmod_audit_rules_unsuccessful_file_modification.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_unsuccessful_file_modification_fchmod:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_unsuccessful_file_modification_fchmod_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fchmodat" severity="medium">
-                <xccdf-1.2:title>Record Unsuccessful Permission Changes to Files - fchmodat</xccdf-1.2:title>
-                <xccdf-1.2:description>The audit system should collect unsuccessful file permission change
-attempts for all users and root.
-If the <html:code>auditd</html:code> daemon is configured
-to use the <html:code>augenrules</html:code> program to read audit rules during daemon
-startup (the default), add the following lines to a file with suffix
-<html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>.
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following lines to
-<html:code>/etc/audit/audit.rules</html:code> file.
-<html:pre>-a always,exit -F arch=b32 -S fchmodat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b32 -S fchmodat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-perm-change</html:pre>
-If the system is 64 bit then also add the following lines:
-<html:pre>-a always,exit -F arch=b64 -S fchmodat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b64 -S fchmodat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-perm-change</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:warning category="general">Note that these rules can be configured in a
-number of ways while still achieving the desired effect. Here the audit rule checks a
-system call independently of other system calls. Grouping system calls related
-to the same event is more efficient. See the following example:
-<html:pre>-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-perm-change</html:pre></xccdf-1.2:warning>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000458-VMM-001810</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000461-VMM-001830</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82624-8</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_unsuccessful_file_modification_fchmodat" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20fchmodat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20fchmodat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20fchmodat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20fchmodat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-fchmodat_audit_rules_unsuccessful_file_modification.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_unsuccessful_file_modification_fchmodat:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_unsuccessful_file_modification_fchmodat_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fchown" severity="medium">
-                <xccdf-1.2:title>Record Unsuccessful Ownership Changes to Files - fchown</xccdf-1.2:title>
-                <xccdf-1.2:description>The audit system should collect unsuccessful file ownership change
-attempts for all users and root.
-If the <html:code>auditd</html:code> daemon is configured
-to use the <html:code>augenrules</html:code> program to read audit rules during daemon
-startup (the default), add the following lines to a file with suffix
-<html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>.
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following lines to
-<html:code>/etc/audit/audit.rules</html:code> file.
-<html:pre>-a always,exit -F arch=b32 -S fchown -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b32 -S fchown -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-perm-change</html:pre>
-If the system is 64 bit then also add the following lines:
-<html:pre>-a always,exit -F arch=b64 -S fchown -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b64 -S fchown -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-perm-change</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:warning category="general">Note that these rules can be configured in a
-number of ways while still achieving the desired effect. Here the audit rule checks a
-system call independently of other system calls. Grouping system calls related
-to the same event is more efficient. See the following example:
-<html:pre>-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-perm-change</html:pre></xccdf-1.2:warning>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000458-VMM-001810</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000461-VMM-001830</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82625-5</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_unsuccessful_file_modification_fchown" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20fchown%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20fchown%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20fchown%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20fchown%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-fchown_audit_rules_unsuccessful_file_modification.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_unsuccessful_file_modification_fchown:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_unsuccessful_file_modification_fchown_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fchownat" severity="medium">
-                <xccdf-1.2:title>Record Unsuccessful Ownership Changes to Files - fchownat</xccdf-1.2:title>
-                <xccdf-1.2:description>The audit system should collect unsuccessful file ownership change
-attempts for all users and root.
-If the <html:code>auditd</html:code> daemon is configured
-to use the <html:code>augenrules</html:code> program to read audit rules during daemon
-startup (the default), add the following lines to a file with suffix
-<html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>.
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following lines to
-<html:code>/etc/audit/audit.rules</html:code> file.
-<html:pre>-a always,exit -F arch=b32 -S fchownat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b32 -S fchownat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-perm-change</html:pre>
-If the system is 64 bit then also add the following lines:
-<html:pre>-a always,exit -F arch=b64 -S fchownat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b64 -S fchownat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-perm-change</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:warning category="general">Note that these rules can be configured in a
-number of ways while still achieving the desired effect. Here the audit rule checks a
-system call independently of other system calls. Grouping system calls related
-to the same event is more efficient. See the following example:
-<html:pre>-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-perm-change</html:pre></xccdf-1.2:warning>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000458-VMM-001810</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000461-VMM-001830</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82626-3</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_unsuccessful_file_modification_fchownat" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20fchownat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20fchownat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20fchownat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20fchownat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-fchownat_audit_rules_unsuccessful_file_modification.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_unsuccessful_file_modification_fchownat:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_unsuccessful_file_modification_fchownat_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fremovexattr" severity="medium">
-                <xccdf-1.2:title>Record Unsuccessful Permission Changes to Files - fremovexattr</xccdf-1.2:title>
-                <xccdf-1.2:description>The audit system should collect unsuccessful file permission change
-attempts for all users and root.
-If the <html:code>auditd</html:code> daemon is configured
-to use the <html:code>augenrules</html:code> program to read audit rules during daemon
-startup (the default), add the following lines to a file with suffix
-<html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>.
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following lines to
-<html:code>/etc/audit/audit.rules</html:code> file.
-<html:pre>-a always,exit -F arch=b32 -S fremovexattr -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b32 -S fremovexattr -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-perm-change</html:pre>
-If the system is 64 bit then also add the following lines:
-<html:pre>-a always,exit -F arch=b64 -S fremovexattr -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b64 -S fremovexattr -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-perm-change</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:warning category="general">Note that these rules can be configured in a
-number of ways while still achieving the desired effect. Here the audit rule checks a
-system call independently of other system calls. Grouping system calls related
-to the same event is more efficient. See the following example:
-<html:pre>-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-perm-change</html:pre></xccdf-1.2:warning>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000458-VMM-001810</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000461-VMM-001830</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82627-1</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_unsuccessful_file_modification_fremovexattr" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20fremovexattr%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20fremovexattr%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20fremovexattr%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20fremovexattr%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-fremovexattr_audit_rules_unsuccessful_file_modification.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_unsuccessful_file_modification_fremovexattr:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_unsuccessful_file_modification_fremovexattr_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_fsetxattr" severity="medium">
-                <xccdf-1.2:title>Record Unsuccessful Permission Changes to Files - fsetxattr</xccdf-1.2:title>
-                <xccdf-1.2:description>The audit system should collect unsuccessful file permission change
-attempts for all users and root.
-If the <html:code>auditd</html:code> daemon is configured
-to use the <html:code>augenrules</html:code> program to read audit rules during daemon
-startup (the default), add the following lines to a file with suffix
-<html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>.
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following lines to
-<html:code>/etc/audit/audit.rules</html:code> file.
-<html:pre>-a always,exit -F arch=b32 -S fsetxattr -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b32 -S fsetxattr -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-perm-change</html:pre>
-If the system is 64 bit then also add the following lines:
-<html:pre>-a always,exit -F arch=b64 -S fsetxattr -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b64 -S fsetxattr -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-perm-change</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:warning category="general">Note that these rules can be configured in a
-number of ways while still achieving the desired effect. Here the audit rule checks a
-system call independently of other system calls. Grouping system calls related
-to the same event is more efficient. See the following example:
-<html:pre>-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-perm-change</html:pre></xccdf-1.2:warning>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000458-VMM-001810</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000461-VMM-001830</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82628-9</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_unsuccessful_file_modification_fsetxattr" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20fsetxattr%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20fsetxattr%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20fsetxattr%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20fsetxattr%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-fsetxattr_audit_rules_unsuccessful_file_modification.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_unsuccessful_file_modification_fsetxattr:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_unsuccessful_file_modification_fsetxattr_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_ftruncate" severity="medium">
-                <xccdf-1.2:title>Record Unsuccessful Access Attempts to Files - ftruncate</xccdf-1.2:title>
-                <xccdf-1.2:description>At a minimum, the audit system should collect unauthorized file
-accesses for all users and root. If the <html:code>auditd</html:code> daemon is configured
-to use the <html:code>augenrules</html:code> program to read audit rules during daemon
-startup (the default), add the following lines to a file with suffix
-<html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>:
-<html:pre>-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=access</html:pre>
-
-If the system is 64 bit then also add the following lines:
-<html:pre>
--a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=access</html:pre>
-
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following lines to
-<html:code>/etc/audit/audit.rules</html:code> file:
-<html:pre>-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=access</html:pre>
-
-If the system is 64 bit then also add the following lines:
-<html:pre>
--a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=access</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:warning category="general">Note that these rules can be configured in a
-number of ways while still achieving the desired effect. Here the system calls
-have been placed independent of other system calls. Grouping these system
-calls with others as identifying earlier in this guide is more efficient.</xccdf-1.2:warning>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000130</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000135</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000169</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000064-GPOS-00033</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000458-GPOS-00203</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000461-GPOS-00205</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000458-VMM-001810</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000461-VMM-001830</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82629-7</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_unsuccessful_file_modification_ftruncate" complexity="low" disruption="medium" reboot="true" strategy="disable">---
-
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ %23%23%20This%20content%20is%20a%20section%20of%20an%20Audit%20config%20snapshot%20recommended%20for%20Red%2520Hat%2520Enterprise%2520Linux%2520CoreOS%25204%20systems%20that%20target%20OSPP%20compliance.%0A%23%23%20The%20following%20content%20has%20been%20retreived%20on%202019-03-11%20from%3A%20https%3A//github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules%0A%0A%23%23%20The%20purpose%20of%20these%20rules%20is%20to%20meet%20the%20requirements%20for%20Operating%0A%23%23%20System%20Protection%20Profile%20%28OSPP%29v4.2.%20These%20rules%20depends%20on%20having%0A%23%23%2010-base-config.rules%2C%2011-loginuid.rules%2C%20and%2043-module-load.rules%20installed.%0A%0A%23%23%20Unsuccessful%20file%20creation%20%28open%20with%20O_CREAT%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A%0A%23%23%20Unsuccessful%20file%20modifications%20%28open%20for%20write%20or%20truncate%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A%0A%23%23%20Unsuccessful%20file%20access%20%28any%20other%20opens%29%20This%20has%20to%20go%20last.%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access }}
-        mode: 0600
-        path: /etc/audit/rules.d/30-ospp-v42-remediation.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_unsuccessful_file_modification_ftruncate:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_unsuccessful_file_modification_ftruncate_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_lchown" severity="medium">
-                <xccdf-1.2:title>Record Unsuccessful Ownership Changes to Files - lchown</xccdf-1.2:title>
-                <xccdf-1.2:description>The audit system should collect unsuccessful file ownership change
-attempts for all users and root.
-
-If the <html:code>auditd</html:code> daemon is configured
-to use the <html:code>augenrules</html:code> program to read audit rules during daemon
-startup (the default), add the following lines to a file with suffix
-<html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>.
-
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following lines to
-<html:code>/etc/audit/audit.rules</html:code> file.
-
-<html:pre>-a always,exit -F arch=b32 -S lchown -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b32 -S lchown -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-perm-change</html:pre>
-
-If the system is 64 bit then also add the following lines:
-<html:pre>-a always,exit -F arch=b64 -S lchown -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b64 -S lchown -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-perm-change</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:warning category="general">Note that these rules can be configured in a
-number of ways while still achieving the desired effect. Here the audit rule checks a
-system call independently of other system calls. Grouping system calls related
-to the same event is more efficient. See the following example:
-<html:pre>-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-perm-change</html:pre></xccdf-1.2:warning>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000458-VMM-001810</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000461-VMM-001830</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Unsuccessful attempts to change ownership of files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82630-5</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_unsuccessful_file_modification_lchown" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20lchown%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20lchown%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20lchown%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20lchown%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-lchown_audit_rules_unsuccessful_file_modification.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_unsuccessful_file_modification_lchown:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_unsuccessful_file_modification_lchown_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_lremovexattr" severity="medium">
-                <xccdf-1.2:title>Record Unsuccessful Permission Changes to Files - lremovexattr</xccdf-1.2:title>
-                <xccdf-1.2:description>The audit system should collect unsuccessful file permission change
-attempts for all users and root.
-If the <html:code>auditd</html:code> daemon is configured
-to use the <html:code>augenrules</html:code> program to read audit rules during daemon
-startup (the default), add the following lines to a file with suffix
-<html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>.
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following lines to
-<html:code>/etc/audit/audit.rules</html:code> file.
-<html:pre>-a always,exit -F arch=b32 -S lremovexattr -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b32 -S lremovexattr -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-perm-change</html:pre>
-If the system is 64 bit then also add the following lines:
-<html:pre>-a always,exit -F arch=b64 -S lremovexattr -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b64 -S lremovexattr -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-perm-change</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:warning category="general">Note that these rules can be configured in a
-number of ways while still achieving the desired effect. Here the audit rule checks a
-system call independently of other system calls. Grouping system calls related
-to the same event is more efficient. See the following example:
-<html:pre>-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-perm-change</html:pre></xccdf-1.2:warning>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000458-VMM-001810</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000461-VMM-001830</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82631-3</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_unsuccessful_file_modification_lremovexattr" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20lremovexattr%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20lremovexattr%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20lremovexattr%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20lremovexattr%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-lremovexattr_audit_rules_unsuccessful_file_modification.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_unsuccessful_file_modification_lremovexattr:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_unsuccessful_file_modification_lremovexattr_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_lsetxattr" severity="medium">
-                <xccdf-1.2:title>Record Unsuccessful Permission Changes to Files - lsetxattr</xccdf-1.2:title>
-                <xccdf-1.2:description>The audit system should collect unsuccessful file permission change
-attempts for all users and root.
-If the <html:code>auditd</html:code> daemon is configured
-to use the <html:code>augenrules</html:code> program to read audit rules during daemon
-startup (the default), add the following lines to a file with suffix
-<html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>.
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following lines to
-<html:code>/etc/audit/audit.rules</html:code> file.
-<html:pre>-a always,exit -F arch=b32 -S lsetxattr -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b32 -S lsetxattr -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-perm-change</html:pre>
-If the system is 64 bit then also add the following lines:
-<html:pre>-a always,exit -F arch=b64 -S lsetxattr -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b64 -S lsetxattr -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-perm-change</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:warning category="general">Note that these rules can be configured in a
-number of ways while still achieving the desired effect. Here the audit rule checks a
-system call independently of other system calls. Grouping system calls related
-to the same event is more efficient. See the following example:
-<html:pre>-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-perm-change</html:pre></xccdf-1.2:warning>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000458-VMM-001810</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000461-VMM-001830</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82632-1</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_unsuccessful_file_modification_lsetxattr" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20lsetxattr%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20lsetxattr%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20lsetxattr%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20lsetxattr%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-lsetxattr_audit_rules_unsuccessful_file_modification.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_unsuccessful_file_modification_lsetxattr:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_unsuccessful_file_modification_lsetxattr_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open" severity="medium">
-                <xccdf-1.2:title>Record Unsuccessful Access Attempts to Files - open</xccdf-1.2:title>
-                <xccdf-1.2:description>At a minimum, the audit system should collect unauthorized file
-accesses for all users and root. If the <html:code>auditd</html:code> daemon is configured
-to use the <html:code>augenrules</html:code> program to read audit rules during daemon
-startup (the default), add the following lines to a file with suffix
-<html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>:
-<html:pre>-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=access</html:pre>
-
-If the system is 64 bit then also add the following lines:
-<html:pre>
--a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=access</html:pre>
-
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following lines to
-<html:code>/etc/audit/audit.rules</html:code> file:
-<html:pre>-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=access</html:pre>
-
-If the system is 64 bit then also add the following lines:
-<html:pre>
--a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=access</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:warning category="general">Note that these rules can be configured in a
-number of ways while still achieving the desired effect. Here the system calls
-have been placed independent of other system calls. Grouping these system
-calls with others as identifying earlier in this guide is more efficient.</xccdf-1.2:warning>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000130</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000135</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000169</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000064-GPOS-00033</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000458-GPOS-00203</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000461-GPOS-00205</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000458-VMM-001810</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000461-VMM-001830</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82633-9</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_unsuccessful_file_modification_open" complexity="low" disruption="medium" reboot="true" strategy="disable">---
-
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ %23%23%20This%20content%20is%20a%20section%20of%20an%20Audit%20config%20snapshot%20recommended%20for%20Red%2520Hat%2520Enterprise%2520Linux%2520CoreOS%25204%20systems%20that%20target%20OSPP%20compliance.%0A%23%23%20The%20following%20content%20has%20been%20retreived%20on%202019-03-11%20from%3A%20https%3A//github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules%0A%0A%23%23%20The%20purpose%20of%20these%20rules%20is%20to%20meet%20the%20requirements%20for%20Operating%0A%23%23%20System%20Protection%20Profile%20%28OSPP%29v4.2.%20These%20rules%20depends%20on%20having%0A%23%23%2010-base-config.rules%2C%2011-loginuid.rules%2C%20and%2043-module-load.rules%20installed.%0A%0A%23%23%20Unsuccessful%20file%20creation%20%28open%20with%20O_CREAT%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A%0A%23%23%20Unsuccessful%20file%20modifications%20%28open%20for%20write%20or%20truncate%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A%0A%23%23%20Unsuccessful%20file%20access%20%28any%20other%20opens%29%20This%20has%20to%20go%20last.%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access }}
-        mode: 0600
-        path: /etc/audit/rules.d/30-ospp-v42-remediation.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_unsuccessful_file_modification_open:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_unsuccessful_file_modification_open_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at" severity="medium">
-                <xccdf-1.2:title>Record Unsuccessful Access Attempts to Files - open_by_handle_at</xccdf-1.2:title>
-                <xccdf-1.2:description>At a minimum, the audit system should collect unauthorized file
-accesses for all users and root. If the <html:code>auditd</html:code> daemon is configured
-to use the <html:code>augenrules</html:code> program to read audit rules during daemon
-startup (the default), add the following lines to a file with suffix
-<html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>:
-<html:pre>-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=access</html:pre>
-If the system is 64 bit then also add the following lines:
-<html:pre>
--a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=access</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following lines to
-<html:code>/etc/audit/audit.rules</html:code> file:
-<html:pre>-a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=access</html:pre>
-If the system is 64 bit then also add the following lines:
-<html:pre>
--a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=access</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:warning category="general">Note that these rules can be configured in a
-number of ways while still achieving the desired effect. Here the system calls
-have been placed independent of other system calls. Grouping these system
-calls with others as identifying earlier in this guide is more efficient.</xccdf-1.2:warning>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000130</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000135</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000169</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000064-GPOS-00033</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000458-GPOS-00203</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000461-GPOS-00205</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000458-VMM-001810</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000461-VMM-001830</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82640-4</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_unsuccessful_file_modification_open_by_handle_at" complexity="low" disruption="medium" reboot="true" strategy="disable">---
-
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ %23%23%20This%20content%20is%20a%20section%20of%20an%20Audit%20config%20snapshot%20recommended%20for%20Red%2520Hat%2520Enterprise%2520Linux%2520CoreOS%25204%20systems%20that%20target%20OSPP%20compliance.%0A%23%23%20The%20following%20content%20has%20been%20retreived%20on%202019-03-11%20from%3A%20https%3A//github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules%0A%0A%23%23%20The%20purpose%20of%20these%20rules%20is%20to%20meet%20the%20requirements%20for%20Operating%0A%23%23%20System%20Protection%20Profile%20%28OSPP%29v4.2.%20These%20rules%20depends%20on%20having%0A%23%23%2010-base-config.rules%2C%2011-loginuid.rules%2C%20and%2043-module-load.rules%20installed.%0A%0A%23%23%20Unsuccessful%20file%20creation%20%28open%20with%20O_CREAT%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A%0A%23%23%20Unsuccessful%20file%20modifications%20%28open%20for%20write%20or%20truncate%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A%0A%23%23%20Unsuccessful%20file%20access%20%28any%20other%20opens%29%20This%20has%20to%20go%20last.%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access }}
-        mode: 0600
-        path: /etc/audit/rules.d/30-ospp-v42-remediation.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat" severity="medium">
-                <xccdf-1.2:title>Record Unsuccessful Creation Attempts to Files - open_by_handle_at O_CREAT</xccdf-1.2:title>
-                <xccdf-1.2:description>The audit system should collect unauthorized file accesses for
-all users and root. The <html:code>open_by_handle_at</html:code> syscall can be used to create new files
-when O_CREAT flag is specified.
-
-The following auidt rules will asure that unsuccessful attempts to create a
-file via <html:code>open_by_handle_at</html:code> syscall are collected.
-
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>augenrules</html:code>
-program to read audit rules during daemon startup (the default), add the
-rules below to a file with suffix <html:code>.rules</html:code> in the directory
-<html:code>/etc/audit/rules.d</html:code>.
-
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the rules below to
-<html:code>/etc/audit/audit.rules</html:code> file.
-<html:pre>
--a always,exit -F arch=b32 -S open_by_handle_at -F a2&amp;0100 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b32 -S open_by_handle_at -F a2&amp;0100 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-create
-</html:pre>
-
-If the system is 64 bit then also add the following lines:
-<html:pre>
--a always,exit -F arch=b64 -S open_by_handle_at -F a2&amp;0100 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b64 -S open_by_handle_at -F a2&amp;0100 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-create
-</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:warning category="general">Note that these rules can be configured in a
-number of ways while still achieving the desired effect. Here the system calls
-have been placed independent of other system calls. Grouping system calls related
-to the same event is more efficient. See the following example:
-<html:pre>-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&amp;0100 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-create</html:pre></xccdf-1.2:warning>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000064-GPOS-00033</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000458-GPOS-00203</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000461-GPOS-00205</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000458-VMM-001810</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000461-VMM-001830</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82641-2</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat" complexity="low" disruption="medium" reboot="true" strategy="disable">---
-
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ %23%23%20This%20content%20is%20a%20section%20of%20an%20Audit%20config%20snapshot%20recommended%20for%20Red%2520Hat%2520Enterprise%2520Linux%2520CoreOS%25204%20systems%20that%20target%20OSPP%20compliance.%0A%23%23%20The%20following%20content%20has%20been%20retreived%20on%202019-03-11%20from%3A%20https%3A//github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules%0A%0A%23%23%20The%20purpose%20of%20these%20rules%20is%20to%20meet%20the%20requirements%20for%20Operating%0A%23%23%20System%20Protection%20Profile%20%28OSPP%29v4.2.%20These%20rules%20depends%20on%20having%0A%23%23%2010-base-config.rules%2C%2011-loginuid.rules%2C%20and%2043-module-load.rules%20installed.%0A%0A%23%23%20Unsuccessful%20file%20creation%20%28open%20with%20O_CREAT%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A%0A%23%23%20Unsuccessful%20file%20modifications%20%28open%20for%20write%20or%20truncate%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A%0A%23%23%20Unsuccessful%20file%20access%20%28any%20other%20opens%29%20This%20has%20to%20go%20last.%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access }}
-        mode: 0600
-        path: /etc/audit/rules.d/30-ospp-v42-remediation.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write" severity="medium">
-                <xccdf-1.2:title>Record Unsuccessful Modification Attempts to Files - open_by_handle_at O_TRUNC_WRITE</xccdf-1.2:title>
-                <xccdf-1.2:description>The audit system should collect detailed unauthorized file accesses for
-all users and root. The <html:code>open_by_handle_at</html:code> syscall can be used to modify files
-if called for write operation of with O_TRUNC_WRITE flag.
-
-The following auidt rules will asure that unsuccessful attempts to modify a
-file via <html:code>open_by_handle_at</html:code> syscall are collected.
-
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>augenrules</html:code>
-program to read audit rules during daemon startup (the default), add the
-rules below to a file with suffix <html:code>.rules</html:code> in the directory
-<html:code>/etc/audit/rules.d</html:code>.
-
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the rules below to
-<html:code>/etc/audit/audit.rules</html:code> file.
-<html:pre>
--a always,exit -F arch=b32 -S open_by_handle_at -F a2&amp;01003 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-modification
--a always,exit -F arch=b32 -S open_by_handle_at -F a2&amp;01003 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-modification
-</html:pre>
-
-If the system is 64 bit then also add the following lines:
-<html:pre>
--a always,exit -F arch=b64 -S open_by_handle_at -F a2&amp;01003 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-modification
--a always,exit -F arch=b64 -S open_by_handle_at -F a2&amp;01003 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-modification
-</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:warning category="general">Note that these rules can be configured in a
-number of ways while still achieving the desired effect. Here the system calls
-have been placed independent of other system calls. Grouping system calls related
-to the same event is more efficient. See the following example:
-<html:pre>-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&amp;01003 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-modification</html:pre></xccdf-1.2:warning>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000064-GPOS-00033</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000458-GPOS-00203</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000461-GPOS-00205</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000458-VMM-001810</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000461-VMM-001830</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82642-0</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write" complexity="low" disruption="medium" reboot="true" strategy="disable">---
-
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ %23%23%20This%20content%20is%20a%20section%20of%20an%20Audit%20config%20snapshot%20recommended%20for%20Red%2520Hat%2520Enterprise%2520Linux%2520CoreOS%25204%20systems%20that%20target%20OSPP%20compliance.%0A%23%23%20The%20following%20content%20has%20been%20retreived%20on%202019-03-11%20from%3A%20https%3A//github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules%0A%0A%23%23%20The%20purpose%20of%20these%20rules%20is%20to%20meet%20the%20requirements%20for%20Operating%0A%23%23%20System%20Protection%20Profile%20%28OSPP%29v4.2.%20These%20rules%20depends%20on%20having%0A%23%23%2010-base-config.rules%2C%2011-loginuid.rules%2C%20and%2043-module-load.rules%20installed.%0A%0A%23%23%20Unsuccessful%20file%20creation%20%28open%20with%20O_CREAT%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A%0A%23%23%20Unsuccessful%20file%20modifications%20%28open%20for%20write%20or%20truncate%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A%0A%23%23%20Unsuccessful%20file%20access%20%28any%20other%20opens%29%20This%20has%20to%20go%20last.%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access }}
-        mode: 0600
-        path: /etc/audit/rules.d/30-ospp-v42-remediation.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order" severity="medium">
-                <xccdf-1.2:title>Ensure auditd Unauthorized Access Attempts To open_by_handle_at Are Ordered Correctly</xccdf-1.2:title>
-                <xccdf-1.2:description>The audit system should collect detailed unauthorized file
-accesses for all users and root.
-To correctly identify unsuccessful creation, unsuccessful modification and unsuccessful access
-of files via <html:code>open_by_handle_at</html:code> syscall the audit rules collecting these events need to be in certain order.
-The more specific rules need to come before the less specific rules. The reason for that is that more
-specific rules cover a subset of events covered in the less specific rules, thus, they need to come
-before to not be overshadowed by less specific rules, which match a bigger set of events.
-Make sure that rules for unsuccessful calls of <html:code>open_by_handle_at</html:code> syscall are in the order shown below.
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>augenrules</html:code>
-program to read audit rules during daemon startup (the default), check the order of
-rules below in a file with suffix <html:code>.rules</html:code> in the directory
-<html:code>/etc/audit/rules.d</html:code>.
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, check the order of rules below in
-<html:code>/etc/audit/audit.rules</html:code> file.
-<html:pre>
--a always,exit -F arch=b32 -S open_by_handle_at -F a2&amp;0100 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b32 -S open_by_handle_at -F a2&amp;0100 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b32 -S open_by_handle_at -F a2&amp;01003 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-modification
--a always,exit -F arch=b32 -S open_by_handle_at -F a2&amp;01003 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-modification
--a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-access
--a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-access
-</html:pre>
-If the system is 64 bit then also add the following lines:
-<html:pre>
--a always,exit -F arch=b64 -S open_by_handle_at -F a2&amp;0100 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b64 -S open_by_handle_at -F a2&amp;0100 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b64 -S open_by_handle_at -F a2&amp;01003 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-modification
--a always,exit -F arch=b64 -S open_by_handle_at -F a2&amp;01003 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-modification
--a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-access
--a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-access
-</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000064-GPOS-00033</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000458-GPOS-00203</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000461-GPOS-00205</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000458-VMM-001810</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000461-VMM-001830</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>The more specific rules cover a subset of events covered by the less specific rules.
-By ordering them from more specific to less specific, it is assured that the less specific
-rule will not catch events better recorded by the more specific rule.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82643-8</xccdf-1.2:ident>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_o_creat" severity="medium">
-                <xccdf-1.2:title>Record Unsuccessful Creation Attempts to Files - open O_CREAT</xccdf-1.2:title>
-                <xccdf-1.2:description>The audit system should collect unauthorized file accesses for
-all users and root. The <html:code>open</html:code> syscall can be used to create new files
-when O_CREAT flag is specified.
-
-The following auidt rules will asure that unsuccessful attempts to create a
-file via <html:code>open</html:code> syscall are collected.
-
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>augenrules</html:code>
-program to read audit rules during daemon startup (the default), add the
-rules below to a file with suffix <html:code>.rules</html:code> in the directory
-<html:code>/etc/audit/rules.d</html:code>.
-
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the rules below to
-<html:code>/etc/audit/audit.rules</html:code> file.
-<html:pre>
--a always,exit -F arch=b32 -S open -F a1&amp;0100 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b32 -S open -F a1&amp;0100 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-create
-</html:pre>
-
-If the system is 64 bit then also add the following lines:
-<html:pre>
--a always,exit -F arch=b64 -S open -F a1&amp;0100 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b64 -S open -F a1&amp;0100 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-create
-</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:warning category="general">Note that these rules can be configured in a
-number of ways while still achieving the desired effect. Here the system calls
-have been placed independent of other system calls. Grouping system calls related
-to the same event is more efficient. See the following example:
-<html:pre>-a always,exit -F arch=b32 -S open -F a1&amp;0100 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-create</html:pre></xccdf-1.2:warning>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000064-GPOS-00033</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000458-GPOS-00203</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000461-GPOS-00205</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000458-VMM-001810</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000461-VMM-001830</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82644-6</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_unsuccessful_file_modification_open_o_creat" complexity="low" disruption="medium" reboot="true" strategy="disable">---
-
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ %23%23%20This%20content%20is%20a%20section%20of%20an%20Audit%20config%20snapshot%20recommended%20for%20Red%2520Hat%2520Enterprise%2520Linux%2520CoreOS%25204%20systems%20that%20target%20OSPP%20compliance.%0A%23%23%20The%20following%20content%20has%20been%20retreived%20on%202019-03-11%20from%3A%20https%3A//github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules%0A%0A%23%23%20The%20purpose%20of%20these%20rules%20is%20to%20meet%20the%20requirements%20for%20Operating%0A%23%23%20System%20Protection%20Profile%20%28OSPP%29v4.2.%20These%20rules%20depends%20on%20having%0A%23%23%2010-base-config.rules%2C%2011-loginuid.rules%2C%20and%2043-module-load.rules%20installed.%0A%0A%23%23%20Unsuccessful%20file%20creation%20%28open%20with%20O_CREAT%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A%0A%23%23%20Unsuccessful%20file%20modifications%20%28open%20for%20write%20or%20truncate%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A%0A%23%23%20Unsuccessful%20file%20access%20%28any%20other%20opens%29%20This%20has%20to%20go%20last.%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access }}
-        mode: 0600
-        path: /etc/audit/rules.d/30-ospp-v42-remediation.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_unsuccessful_file_modification_open_o_creat:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_unsuccessful_file_modification_open_o_creat_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_o_trunc_write" severity="medium">
-                <xccdf-1.2:title>Record Unsuccessful Modification Attempts to Files - open O_TRUNC_WRITE</xccdf-1.2:title>
-                <xccdf-1.2:description>The audit system should collect detailed unauthorized file accesses for
-all users and root. The <html:code>open</html:code> syscall can be used to modify files
-if called for write operation of with O_TRUNC_WRITE flag.
-The following auidt rules will asure that unsuccessful attempts to modify a
-file via <html:code>open</html:code> syscall are collected.
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>augenrules</html:code>
-program to read audit rules during daemon startup (the default), add the
-rules below to a file with suffix <html:code>.rules</html:code> in the directory
-<html:code>/etc/audit/rules.d</html:code>.
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the rules below to
-<html:code>/etc/audit/audit.rules</html:code> file.
-<html:pre>
--a always,exit -F arch=b32 -S open -F a1&amp;01003 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-modification
--a always,exit -F arch=b32 -S open -F a1&amp;01003 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-modification
-</html:pre>
-If the system is 64 bit then also add the following lines:
-<html:pre>
--a always,exit -F arch=b64 -S open -F a1&amp;01003 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-modification
--a always,exit -F arch=b64 -S open -F a1&amp;01003 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-modification
-</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:warning category="general">Note that these rules can be configured in a
-number of ways while still achieving the desired effect. Here the system calls
-have been placed independent of other system calls. Grouping system calls related
-to the same event is more efficient. See the following example:
-<html:pre>-a always,exit -F arch=b32 -S open -F a1&amp;01003 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-modification</html:pre></xccdf-1.2:warning>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000064-GPOS-00033</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000458-GPOS-00203</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000461-GPOS-00205</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000458-VMM-001810</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000461-VMM-001830</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82645-3</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_unsuccessful_file_modification_open_o_trunc_write" complexity="low" disruption="medium" reboot="true" strategy="disable">---
-
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ %23%23%20This%20content%20is%20a%20section%20of%20an%20Audit%20config%20snapshot%20recommended%20for%20Red%2520Hat%2520Enterprise%2520Linux%2520CoreOS%25204%20systems%20that%20target%20OSPP%20compliance.%0A%23%23%20The%20following%20content%20has%20been%20retreived%20on%202019-03-11%20from%3A%20https%3A//github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules%0A%0A%23%23%20The%20purpose%20of%20these%20rules%20is%20to%20meet%20the%20requirements%20for%20Operating%0A%23%23%20System%20Protection%20Profile%20%28OSPP%29v4.2.%20These%20rules%20depends%20on%20having%0A%23%23%2010-base-config.rules%2C%2011-loginuid.rules%2C%20and%2043-module-load.rules%20installed.%0A%0A%23%23%20Unsuccessful%20file%20creation%20%28open%20with%20O_CREAT%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A%0A%23%23%20Unsuccessful%20file%20modifications%20%28open%20for%20write%20or%20truncate%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A%0A%23%23%20Unsuccessful%20file%20access%20%28any%20other%20opens%29%20This%20has%20to%20go%20last.%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access }}
-        mode: 0600
-        path: /etc/audit/rules.d/30-ospp-v42-remediation.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_unsuccessful_file_modification_open_o_trunc_write:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_unsuccessful_file_modification_open_o_trunc_write_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_open_rule_order" severity="medium">
-                <xccdf-1.2:title>Ensure auditd Rules For Unauthorized Attempts To open Are Ordered Correctly</xccdf-1.2:title>
-                <xccdf-1.2:description>The audit system should collect detailed unauthorized file
-accesses for all users and root.
-To correctly identify unsuccessful creation, unsuccessful modification and unsuccessful access
-of files via <html:code>open</html:code> syscall the audit rules collecting these events need to be in certain order.
-The more specific rules need to come before the less specific rules. The reason for that is that more
-specific rules cover a subset of events covered in the less specific rules, thus, they need to come
-before to not be overshadowed by less specific rules, which match a bigger set of events.
-Make sure that rules for unsuccessful calls of <html:code>open</html:code> syscall are in the order shown below.
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>augenrules</html:code>
-program to read audit rules during daemon startup (the default), check the order of
-rules below in a file with suffix <html:code>.rules</html:code> in the directory
-<html:code>/etc/audit/rules.d</html:code>.
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, check the order of rules below in
-<html:code>/etc/audit/audit.rules</html:code> file.
-<html:pre>
--a always,exit -F arch=b32 -S open -F a1&amp;0100 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b32 -S open -F a1&amp;0100 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b32 -S open -F a1&amp;01003 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-modification
--a always,exit -F arch=b32 -S open -F a1&amp;01003 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-modification
--a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-access
--a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-access
-</html:pre>
-If the system is 64 bit then also add the following lines:
-<html:pre>
--a always,exit -F arch=b64 -S open -F a1&amp;0100 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b64 -S open -F a1&amp;0100 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b64 -S open -F a1&amp;01003 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-modification
--a always,exit -F arch=b64 -S open -F a1&amp;01003 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-modification
--a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-access
--a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-access
-</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000064-GPOS-00033</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000458-GPOS-00203</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000461-GPOS-00205</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000458-VMM-001810</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000461-VMM-001830</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>The more specific rules cover a subset of events covered by the less specific rules.
-By ordering them from more specific to less specific, it is assured that the less specific
-rule will not catch events better recorded by the more specific rule.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82646-1</xccdf-1.2:ident>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_unsuccessful_file_modification_open_rule_order:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_unsuccessful_file_modification_open_rule_order_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat" severity="medium">
-                <xccdf-1.2:title>Record Unsuccessful Access Attempts to Files - openat</xccdf-1.2:title>
-                <xccdf-1.2:description>At a minimum, the audit system should collect unauthorized file
-accesses for all users and root. If the <html:code>auditd</html:code> daemon is configured
-to use the <html:code>augenrules</html:code> program to read audit rules during daemon
-startup (the default), add the following lines to a file with suffix
-<html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>:
-<html:pre>-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=access</html:pre>
-
-If the system is 64 bit then also add the following lines:
-<html:pre>
--a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=access</html:pre>
-
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following lines to
-<html:code>/etc/audit/audit.rules</html:code> file:
-<html:pre>-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=access</html:pre>
-
-If the system is 64 bit then also add the following lines:
-<html:pre>
--a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=access</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:warning category="general">Note that these rules can be configured in a
-number of ways while still achieving the desired effect. Here the system calls
-have been placed independent of other system calls. Grouping these system
-calls with others as identifying earlier in this guide is more efficient.</xccdf-1.2:warning>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000130</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000135</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000169</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000064-GPOS-00033</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000458-GPOS-00203</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000461-GPOS-00205</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000458-VMM-001810</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000461-VMM-001830</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82634-7</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_unsuccessful_file_modification_openat" complexity="low" disruption="medium" reboot="true" strategy="disable">---
-
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ %23%23%20This%20content%20is%20a%20section%20of%20an%20Audit%20config%20snapshot%20recommended%20for%20Red%2520Hat%2520Enterprise%2520Linux%2520CoreOS%25204%20systems%20that%20target%20OSPP%20compliance.%0A%23%23%20The%20following%20content%20has%20been%20retreived%20on%202019-03-11%20from%3A%20https%3A//github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules%0A%0A%23%23%20The%20purpose%20of%20these%20rules%20is%20to%20meet%20the%20requirements%20for%20Operating%0A%23%23%20System%20Protection%20Profile%20%28OSPP%29v4.2.%20These%20rules%20depends%20on%20having%0A%23%23%2010-base-config.rules%2C%2011-loginuid.rules%2C%20and%2043-module-load.rules%20installed.%0A%0A%23%23%20Unsuccessful%20file%20creation%20%28open%20with%20O_CREAT%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A%0A%23%23%20Unsuccessful%20file%20modifications%20%28open%20for%20write%20or%20truncate%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A%0A%23%23%20Unsuccessful%20file%20access%20%28any%20other%20opens%29%20This%20has%20to%20go%20last.%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access }}
-        mode: 0600
-        path: /etc/audit/rules.d/30-ospp-v42-remediation.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_unsuccessful_file_modification_openat:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_unsuccessful_file_modification_openat_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat_o_creat" severity="medium">
-                <xccdf-1.2:title>Record Unsuccessful Creation Attempts to Files - openat O_CREAT</xccdf-1.2:title>
-                <xccdf-1.2:description>The audit system should collect unauthorized file accesses for
-all users and root. The <html:code>openat</html:code> syscall can be used to create new files
-when O_CREAT flag is specified.
-
-The following auidt rules will asure that unsuccessful attempts to create a
-file via <html:code>openat</html:code> syscall are collected.
-
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>augenrules</html:code>
-program to read audit rules during daemon startup (the default), add the
-rules below to a file with suffix <html:code>.rules</html:code> in the directory
-<html:code>/etc/audit/rules.d</html:code>.
-
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the rules below to
-<html:code>/etc/audit/audit.rules</html:code> file.
-<html:pre>
--a always,exit -F arch=b32 -S openat -F a2&amp;0100 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b32 -S openat -F a2&amp;0100 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-create
-</html:pre>
-
-If the system is 64 bit then also add the following lines:
-<html:pre>
--a always,exit -F arch=b64 -S openat -F a2&amp;0100 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b64 -S openat -F a2&amp;0100 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-create
-</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:warning category="general">Note that these rules can be configured in a
-number of ways while still achieving the desired effect. Here the system calls
-have been placed independent of other system calls. Grouping system calls related
-to the same event is more efficient. See the following example:
-<html:pre>-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&amp;0100 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-create</html:pre></xccdf-1.2:warning>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000064-GPOS-00033</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000458-GPOS-00203</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000461-GPOS-00205</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000458-VMM-001810</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000461-VMM-001830</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82635-4</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_unsuccessful_file_modification_openat_o_creat" complexity="low" disruption="medium" reboot="true" strategy="disable">---
-
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ %23%23%20This%20content%20is%20a%20section%20of%20an%20Audit%20config%20snapshot%20recommended%20for%20Red%2520Hat%2520Enterprise%2520Linux%2520CoreOS%25204%20systems%20that%20target%20OSPP%20compliance.%0A%23%23%20The%20following%20content%20has%20been%20retreived%20on%202019-03-11%20from%3A%20https%3A//github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules%0A%0A%23%23%20The%20purpose%20of%20these%20rules%20is%20to%20meet%20the%20requirements%20for%20Operating%0A%23%23%20System%20Protection%20Profile%20%28OSPP%29v4.2.%20These%20rules%20depends%20on%20having%0A%23%23%2010-base-config.rules%2C%2011-loginuid.rules%2C%20and%2043-module-load.rules%20installed.%0A%0A%23%23%20Unsuccessful%20file%20creation%20%28open%20with%20O_CREAT%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A%0A%23%23%20Unsuccessful%20file%20modifications%20%28open%20for%20write%20or%20truncate%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A%0A%23%23%20Unsuccessful%20file%20access%20%28any%20other%20opens%29%20This%20has%20to%20go%20last.%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access }}
-        mode: 0600
-        path: /etc/audit/rules.d/30-ospp-v42-remediation.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_unsuccessful_file_modification_openat_o_creat:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_unsuccessful_file_modification_openat_o_creat_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat_o_trunc_write" severity="medium">
-                <xccdf-1.2:title>Record Unsuccessful Modification Attempts to Files - openat O_TRUNC_WRITE</xccdf-1.2:title>
-                <xccdf-1.2:description>The audit system should collect detailed unauthorized file accesses for
-all users and root. The <html:code>openat</html:code> syscall can be used to modify files
-if called for write operation of with O_TRUNC_WRITE flag.
-
-The following auidt rules will asure that unsuccessful attempts to modify a
-file via <html:code>openat</html:code> syscall are collected.
-
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>augenrules</html:code>
-program to read audit rules during daemon startup (the default), add the
-rules below to a file with suffix <html:code>.rules</html:code> in the directory
-<html:code>/etc/audit/rules.d</html:code>.
-
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the rules below to
-<html:code>/etc/audit/audit.rules</html:code> file.
-<html:pre>
--a always,exit -F arch=b32 -S openat -F a2&amp;01003 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-modification
--a always,exit -F arch=b32 -S openat -F a2&amp;01003 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-modification
-</html:pre>
-
-If the system is 64 bit then also add the following lines:
-<html:pre>
--a always,exit -F arch=b64 -S openat -F a2&amp;01003 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-modification
--a always,exit -F arch=b64 -S openat -F a2&amp;01003 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-modification
-</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:warning category="general">Note that these rules can be configured in a
-number of ways while still achieving the desired effect. Here the system calls
-have been placed independent of other system calls. Grouping system calls related
-to the same event is more efficient. See the following example:
-<html:pre>-a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&amp;01003 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-modification</html:pre></xccdf-1.2:warning>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000064-GPOS-00033</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000458-GPOS-00203</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000461-GPOS-00205</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000458-VMM-001810</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000461-VMM-001830</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82636-2</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_unsuccessful_file_modification_openat_o_trunc_write" complexity="low" disruption="medium" reboot="true" strategy="disable">---
-
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ %23%23%20This%20content%20is%20a%20section%20of%20an%20Audit%20config%20snapshot%20recommended%20for%20Red%2520Hat%2520Enterprise%2520Linux%2520CoreOS%25204%20systems%20that%20target%20OSPP%20compliance.%0A%23%23%20The%20following%20content%20has%20been%20retreived%20on%202019-03-11%20from%3A%20https%3A//github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules%0A%0A%23%23%20The%20purpose%20of%20these%20rules%20is%20to%20meet%20the%20requirements%20for%20Operating%0A%23%23%20System%20Protection%20Profile%20%28OSPP%29v4.2.%20These%20rules%20depends%20on%20having%0A%23%23%2010-base-config.rules%2C%2011-loginuid.rules%2C%20and%2043-module-load.rules%20installed.%0A%0A%23%23%20Unsuccessful%20file%20creation%20%28open%20with%20O_CREAT%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A%0A%23%23%20Unsuccessful%20file%20modifications%20%28open%20for%20write%20or%20truncate%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A%0A%23%23%20Unsuccessful%20file%20access%20%28any%20other%20opens%29%20This%20has%20to%20go%20last.%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access }}
-        mode: 0600
-        path: /etc/audit/rules.d/30-ospp-v42-remediation.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_unsuccessful_file_modification_openat_o_trunc_write:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_unsuccessful_file_modification_openat_o_trunc_write_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_openat_rule_order" severity="medium">
-                <xccdf-1.2:title>Ensure auditd Rules For Unauthorized Attempts To openat Are Ordered Correctly</xccdf-1.2:title>
-                <xccdf-1.2:description>The audit system should collect detailed unauthorized file
-accesses for all users and root.
-To correctly identify unsuccessful creation, unsuccessful modification and unsuccessful access
-of files via <html:code>openat</html:code> syscall the audit rules collecting these events need to be in certain order.
-The more specific rules need to come before the less specific rules. The reason for that is that more
-specific rules cover a subset of events covered in the less specific rules, thus, they need to come
-before to not be overshadowed by less specific rules, which match a bigger set of events.
-Make sure that rules for unsuccessful calls of <html:code>openat</html:code> syscall are in the order shown below.
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>augenrules</html:code>
-program to read audit rules during daemon startup (the default), check the order of
-rules below in a file with suffix <html:code>.rules</html:code> in the directory
-<html:code>/etc/audit/rules.d</html:code>.
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, check the order of rules below in
-<html:code>/etc/audit/audit.rules</html:code> file.
-<html:pre>
--a always,exit -F arch=b32 -S openat -F a2&amp;0100 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b32 -S openat -F a2&amp;0100 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b32 -S openat -F a2&amp;01003 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-modification
--a always,exit -F arch=b32 -S openat -F a2&amp;01003 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-modification
--a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-access
--a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-access
-</html:pre>
-If the system is 64 bit then also add the following lines:
-<html:pre>
--a always,exit -F arch=b64 -S openat -F a2&amp;0100 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b64 -S openat -F a2&amp;0100 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b64 -S openat -F a2&amp;01003 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-modification
--a always,exit -F arch=b64 -S openat -F a2&amp;01003 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-modification
--a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-access
--a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-access
-</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000064-GPOS-00033</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000458-GPOS-00203</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000461-GPOS-00205</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000458-VMM-001810</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000461-VMM-001830</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>The more specific rules cover a subset of events covered by the less specific rules.
-By ordering them from more specific to less specific, it is assured that the less specific
-rule will not catch events better recorded by the more specific rule.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82639-6</xccdf-1.2:ident>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_unsuccessful_file_modification_openat_rule_order:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_unsuccessful_file_modification_openat_rule_order_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_removexattr" severity="medium">
-                <xccdf-1.2:title>Record Unsuccessful Permission Changes to Files - removexattr</xccdf-1.2:title>
-                <xccdf-1.2:description>The audit system should collect unsuccessful file permission change
-attempts for all users and root.
-If the <html:code>auditd</html:code> daemon is configured
-to use the <html:code>augenrules</html:code> program to read audit rules during daemon
-startup (the default), add the following lines to a file with suffix
-<html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>.
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following lines to
-<html:code>/etc/audit/audit.rules</html:code> file.
-<html:pre>-a always,exit -F arch=b32 -S removexattr -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b32 -S removexattr -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-perm-change</html:pre>
-If the system is 64 bit then also add the following lines:
-<html:pre>-a always,exit -F arch=b64 -S removexattr -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b64 -S removexattr -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-perm-change</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:warning category="general">Note that these rules can be configured in a
-number of ways while still achieving the desired effect. Here the audit rule checks a
-system call independently of other system calls. Grouping system calls related
-to the same event is more efficient. See the following example:
-<html:pre>-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-perm-change</html:pre></xccdf-1.2:warning>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000458-VMM-001810</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000461-VMM-001830</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82647-9</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_unsuccessful_file_modification_removexattr" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20removexattr%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20removexattr%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20removexattr%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20removexattr%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-removexattr_audit_rules_unsuccessful_file_modification.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_unsuccessful_file_modification_removexattr:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_unsuccessful_file_modification_removexattr_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_rename" severity="medium">
-                <xccdf-1.2:title>Record Unsuccessful Delete Attempts to Files - rename</xccdf-1.2:title>
-                <xccdf-1.2:description>The audit system should collect unsuccessful file deletion
-attempts for all users and root. If the <html:code>auditd</html:code> daemon is configured
-to use the <html:code>augenrules</html:code> program to read audit rules during daemon
-startup (the default), add the following lines to a file with suffix
-<html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>.
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following lines to
-<html:code>/etc/audit/audit.rules</html:code> file.
-<html:pre>-a always,exit -F arch=b32 -S rename -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-delete
--a always,exit -F arch=b32 -S rename -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-delete</html:pre>
-If the system is 64 bit then also add the following lines:
-<html:pre>
--a always,exit -F arch=b64 -S rename -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-delete
--a always,exit -F arch=b64 -S rename -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-delete</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:warning category="general">Note that these rules can be configured in a
-number of ways while still achieving the desired effect. Here the system calls
-have been placed independent of other system calls. Grouping system calls related
-to the same event is more efficient. See the following example:
-<html:pre>-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-delete</html:pre></xccdf-1.2:warning>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000064-GPOS-00033</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000458-GPOS-00203</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000461-GPOS-00205</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000468-GPOS-00212</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000458-VMM-001810</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000461-VMM-001830</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82648-7</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_unsuccessful_file_modification_rename" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20rename%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20rename%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20rename%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20rename%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-rename_audit_rules_unsuccessful_file_modification.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_unsuccessful_file_modification_rename:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_unsuccessful_file_modification_rename_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_renameat" severity="medium">
-                <xccdf-1.2:title>Record Unsuccessful Delete Attempts to Files - renameat</xccdf-1.2:title>
-                <xccdf-1.2:description>
-The audit system should collect unsuccessful file deletion
-attempts for all users and root. If the <html:code>auditd</html:code> daemon is configured
-to use the <html:code>augenrules</html:code> program to read audit rules during daemon
-startup (the default), add the following lines to a file with suffix
-<html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>.
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following lines to
-<html:code>/etc/audit/audit.rules</html:code> file.
-<html:pre>-a always,exit -F arch=b32 -S renameat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-delete
--a always,exit -F arch=b32 -S renameat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-delete</html:pre>
-If the system is 64 bit then also add the following lines:
-<html:pre>
--a always,exit -F arch=b64 -S renameat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-delete
--a always,exit -F arch=b64 -S renameat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-delete</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:warning category="general">Note that these rules can be configured in a
-number of ways while still achieving the desired effect. Here the system calls
-have been placed independent of other system calls. Grouping system calls related
-to the same event is more efficient. See the following example:
-
-<html:pre>-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-delete</html:pre>
- </xccdf-1.2:warning>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000064-GPOS-00033</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000458-GPOS-00203</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000461-GPOS-00205</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000468-GPOS-00212</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000458-VMM-001810</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000461-VMM-001830</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82649-5</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_unsuccessful_file_modification_renameat" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20renameat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20renameat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20renameat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20renameat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-renameat_audit_rules_unsuccessful_file_modification.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_unsuccessful_file_modification_renameat:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_unsuccessful_file_modification_renameat_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_setxattr" severity="medium">
-                <xccdf-1.2:title>Record Unsuccessful Permission Changes to Files - setxattr</xccdf-1.2:title>
-                <xccdf-1.2:description>The audit system should collect unsuccessful file permission change
-attempts for all users and root.
-If the <html:code>auditd</html:code> daemon is configured
-to use the <html:code>augenrules</html:code> program to read audit rules during daemon
-startup (the default), add the following lines to a file with suffix
-<html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>.
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following lines to
-<html:code>/etc/audit/audit.rules</html:code> file.
-<html:pre>-a always,exit -F arch=b32 -S setxattr -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b32 -S setxattr -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-perm-change</html:pre>
-If the system is 64 bit then also add the following lines:
-<html:pre>-a always,exit -F arch=b64 -S setxattr -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-perm-change
--a always,exit -F arch=b64 -S setxattr -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-perm-change</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:warning category="general">Note that these rules can be configured in a
-number of ways while still achieving the desired effect. Here the audit rule checks a
-system call independently of other system calls. Grouping system calls related
-to the same event is more efficient. See the following example:
-<html:pre>-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-perm-change</html:pre></xccdf-1.2:warning>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000458-VMM-001810</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000461-VMM-001830</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Unsuccessful attempts to change permissions of files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82650-3</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_unsuccessful_file_modification_setxattr" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20setxattr%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20setxattr%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20setxattr%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20setxattr%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-setxattr_audit_rules_unsuccessful_file_modification.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_unsuccessful_file_modification_setxattr:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_unsuccessful_file_modification_setxattr_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_truncate" severity="medium">
-                <xccdf-1.2:title>Record Unsuccessful Access Attempts to Files - truncate</xccdf-1.2:title>
-                <xccdf-1.2:description>At a minimum, the audit system should collect unauthorized file
-accesses for all users and root. If the <html:code>auditd</html:code> daemon is configured
-to use the <html:code>augenrules</html:code> program to read audit rules during daemon
-startup (the default), add the following lines to a file with suffix
-<html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>:
-<html:pre>-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=access</html:pre>
-
-If the system is 64 bit then also add the following lines:
-<html:pre>
--a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=access</html:pre>
-
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following lines to
-<html:code>/etc/audit/audit.rules</html:code> file:
-<html:pre>-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=access</html:pre>
-
-If the system is 64 bit then also add the following lines:
-<html:pre>
--a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=access
--a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=access</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:warning category="general">Note that these rules can be configured in a
-number of ways while still achieving the desired effect. Here the system calls
-have been placed independent of other system calls. Grouping these system
-calls with others as identifying earlier in this guide is more efficient.</xccdf-1.2:warning>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000130</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000135</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000169</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000064-GPOS-00033</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000458-GPOS-00203</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000461-GPOS-00205</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000458-VMM-001810</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000461-VMM-001830</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82651-1</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_unsuccessful_file_modification_truncate" complexity="low" disruption="medium" reboot="true" strategy="disable">---
-
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ %23%23%20This%20content%20is%20a%20section%20of%20an%20Audit%20config%20snapshot%20recommended%20for%20Red%2520Hat%2520Enterprise%2520Linux%2520CoreOS%25204%20systems%20that%20target%20OSPP%20compliance.%0A%23%23%20The%20following%20content%20has%20been%20retreived%20on%202019-03-11%20from%3A%20https%3A//github.com/linux-audit/audit-userspace/blob/master/rules/30-ospp-v42.rules%0A%0A%23%23%20The%20purpose%20of%20these%20rules%20is%20to%20meet%20the%20requirements%20for%20Operating%0A%23%23%20System%20Protection%20Profile%20%28OSPP%29v4.2.%20These%20rules%20depends%20on%20having%0A%23%23%2010-base-config.rules%2C%2011-loginuid.rules%2C%20and%2043-module-load.rules%20installed.%0A%0A%23%23%20Unsuccessful%20file%20creation%20%28open%20with%20O_CREAT%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%260100%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20creat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-create%0A%0A%23%23%20Unsuccessful%20file%20modifications%20%28open%20for%20write%20or%20truncate%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-modification%0A%0A%23%23%20Unsuccessful%20file%20access%20%28any%20other%20opens%29%20This%20has%20to%20go%20last.%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Ccreat%2Ctruncate%2Cftruncate%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccesful-access }}
-        mode: 0600
-        path: /etc/audit/rules.d/30-ospp-v42-remediation.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_unsuccessful_file_modification_truncate:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_unsuccessful_file_modification_truncate_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_unlink" severity="medium">
-                <xccdf-1.2:title>Record Unsuccessful Delete Attempts to Files - unlink</xccdf-1.2:title>
-                <xccdf-1.2:description>
-The audit system should collect unsuccessful file deletion
-attempts for all users and root. If the <html:code>auditd</html:code> daemon is configured
-to use the <html:code>augenrules</html:code> program to read audit rules during daemon
-startup (the default), add the following lines to a file with suffix
-<html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>.
-
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following lines to
-<html:code>/etc/audit/audit.rules</html:code> file.
-<html:pre>-a always,exit -F arch=b32 -S unlink -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-delete
--a always,exit -F arch=b32 -S unlink -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-delete</html:pre>
-
-If the system is 64 bit then also add the following lines:
-<html:pre>
--a always,exit -F arch=b64 -S unlink -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-delete
--a always,exit -F arch=b64 -S unlink -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-delete</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:warning category="general">Note that these rules can be configured in a
-number of ways while still achieving the desired effect. Here the system calls
-have been placed independent of other system calls. Grouping system calls related
-to the same event is more efficient. See the following example:
-
-<html:pre>-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-delete</html:pre>
- </xccdf-1.2:warning>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000064-GPOS-00033</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000458-GPOS-00203</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000461-GPOS-00205</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000468-GPOS-00212</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000458-VMM-001810</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000461-VMM-001830</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82652-9</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_unsuccessful_file_modification_unlink" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20unlink%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20unlink%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20unlink%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20unlink%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-unlink_audit_rules_unsuccessful_file_modification.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_unsuccessful_file_modification_unlink:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_unsuccessful_file_modification_unlink_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_unsuccessful_file_modification_unlinkat" severity="medium">
-                <xccdf-1.2:title>Record Unsuccessful Delete Attempts to Files - unlinkat</xccdf-1.2:title>
-                <xccdf-1.2:description>
-The audit system should collect unsuccessful file deletion
-attempts for all users and root. If the <html:code>auditd</html:code> daemon is configured
-to use the <html:code>augenrules</html:code> program to read audit rules during daemon
-startup (the default), add the following lines to a file with suffix
-<html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>.
-
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following lines to
-<html:code>/etc/audit/audit.rules</html:code> file.
-<html:pre>-a always,exit -F arch=b32 -S unlinkat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-delete
--a always,exit -F arch=b32 -S unlinkat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-delete</html:pre>
-
-If the system is 64 bit then also add the following lines:
-<html:pre>
--a always,exit -F arch=b64 -S unlinkat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-delete
--a always,exit -F arch=b64 -S unlinkat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-delete</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:warning category="general">Note that these rules can be configured in a
-number of ways while still achieving the desired effect. Here the system calls
-have been placed independent of other system calls. Grouping system calls related
-to the same event is more efficient. See the following example:
-
-<html:pre>-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-delete</html:pre>
- </xccdf-1.2:warning>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000064-GPOS-00033</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000458-GPOS-00203</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000461-GPOS-00205</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000468-GPOS-00212</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000458-VMM-001810</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000461-VMM-001830</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Unsuccessful attempts to delete files could be an indicator of malicious activity on a system. Auditing
-these events could serve as evidence of potential system compromise.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82653-7</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_unsuccessful_file_modification_unlinkat" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20unlinkat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20unlinkat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20unlinkat%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20unlinkat%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-unlinkat_audit_rules_unsuccessful_file_modification.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_unsuccessful_file_modification_unlinkat:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_unsuccessful_file_modification_unlinkat_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-            </xccdf-1.2:Group>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_audit_kernel_module_loading">
-              <xccdf-1.2:title>Record Information on Kernel Modules Loading and Unloading</xccdf-1.2:title>
-              <xccdf-1.2:description>To capture kernel module loading and unloading events, use following lines, setting ARCH to
-either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
-<html:pre>
--a always,exit -F arch=<html:i>ARCH</html:i> -S init_module,delete_module -F key=modules
-</html:pre>
-
-Place to add the lines depends on a way <html:code>auditd</html:code> daemon is configured. If it is configured
-to use the <html:code>augenrules</html:code> program (the default), add the lines to a file with suffix
-<html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>.
-
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code> utility,
-add the lines to file <html:code>/etc/audit/audit.rules</html:code>.</xccdf-1.2:description>
-              <xccdf-1.2:platform idref="#audit"/>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading" severity="medium">
-                <xccdf-1.2:title>Ensure auditd Collects Information on Kernel Module Loading and Unloading</xccdf-1.2:title>
-                <xccdf-1.2:description>To capture kernel module loading and unloading events, use following lines, setting ARCH to
-either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
-<html:pre>
--a always,exit -F arch=<html:i>ARCH</html:i> -S init_module,finit_module,delete_module -F key=modules
-</html:pre>
-
-The place to add the lines depends on a way <html:code>auditd</html:code> daemon is configured. If it is configured
-to use the <html:code>augenrules</html:code> program (the default), add the lines to a file with suffix
-<html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>.
-
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code> utility,
-add the lines to file <html:code>/etc/audit/audit.rules</html:code>.</xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>The addition/removal of kernel modules can be used to alter the behavior of
-the kernel and potentially introduce malicious code into kernel space. It is important
-to have an audit trail of modules that have been introduced into the kernel.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_kernel_module_loading:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_kernel_module_loading_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_delete" severity="medium">
-                <xccdf-1.2:title>Ensure auditd Collects Information on Kernel Module Unloading - delete_module</xccdf-1.2:title>
-                <xccdf-1.2:description>To capture kernel module unloading events, use following line, setting ARCH to
-either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
-
-<html:pre>-a always,exit -F arch=<html:i>ARCH</html:i> -S delete_module -F key=modules</html:pre>
-
-
-Place to add the line depends on a way <html:code>auditd</html:code> daemon is configured. If it is configured
-to use the <html:code>augenrules</html:code> program (the default), add the line to a file with suffix
-<html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>.
-
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code> utility,
-add the line to file <html:code>/etc/audit/audit.rules</html:code>.</xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000130</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000135</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000169</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00216</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000477-GPOS-00222</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000477-VMM-001970</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>The removal of kernel modules can be used to alter the behavior of
-the kernel and potentially introduce malicious code into kernel space. It is important
-to have an audit trail of modules that have been introduced into the kernel.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82580-2</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_kernel_module_loading_delete">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20delete_module%20-k%20module-change%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20delete_module%20-k%20module-change%0A
-        mode: 0600
-        path: /etc/audit/rules.d/75-kernel-module-loading-delete.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_kernel_module_loading_delete:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_kernel_module_loading_delete_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_finit" severity="medium">
-                <xccdf-1.2:title>Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module</xccdf-1.2:title>
-                <xccdf-1.2:description>If the <html:code>auditd</html:code> daemon is configured to use the <html:code>augenrules</html:code> program
-to read audit rules during daemon startup (the default), add the following lines to a file
-with suffix <html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code> to capture kernel module
-loading and unloading events, setting ARCH to either b32 or b64 as appropriate for your system:
-
-<html:pre>-a always,exit -F arch=<html:i>ARCH</html:i> -S finit_module -F key=modules</html:pre>
-    If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code> utility to read audit
-rules during daemon startup, add the following lines to <html:code>/etc/audit/audit.rules</html:code> file
-in order to capture kernel module loading and unloading events, setting ARCH to either b32 or
-b64 as appropriate for your system:
-
-<html:pre>-a always,exit -F arch=<html:i>ARCH</html:i> -S finit_module -F key=modules</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000130</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000135</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000169</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00216</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000477-GPOS-00222</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000477-VMM-001970</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>The addition/removal of kernel modules can be used to alter the behavior of
-the kernel and potentially introduce malicious code into kernel space. It is important
-to have an audit trail of modules that have been introduced into the kernel.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82581-0</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_kernel_module_loading_finit">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20finit_module%20-k%20module-change%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20finit_module%20-k%20module-change%0A
-        mode: 0600
-        path: /etc/audit/rules.d/75-kernel-module-loading-finit.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_kernel_module_loading_finit:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_kernel_module_loading_finit_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_kernel_module_loading_init" severity="medium">
-                <xccdf-1.2:title>Ensure auditd Collects Information on Kernel Module Loading - init_module</xccdf-1.2:title>
-                <xccdf-1.2:description>To capture kernel module loading events, use following line, setting ARCH to
-either b32 for 32-bit system, or having two lines for both b32 and b64 in case your system is 64-bit:
-
-<html:pre>-a always,exit -F arch=<html:i>ARCH</html:i> -S init_module -F key=modules</html:pre>
-
-
-Place to add the line depends on a way <html:code>auditd</html:code> daemon is configured. If it is configured
-to use the <html:code>augenrules</html:code> program (the default), add the line to a file with suffix
-<html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>.
-
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code> utility,
-add the line to file <html:code>/etc/audit/audit.rules</html:code>.</xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000130</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000135</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000169</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00216</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000477-GPOS-00222</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000477-VMM-001970</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>The addition of kernel modules can be used to alter the behavior of
-the kernel and potentially introduce malicious code into kernel space. It is important
-to have an audit trail of modules that have been introduced into the kernel.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82582-8</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_kernel_module_loading_init">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20init_module%20-k%20module-change%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20init_module%20-k%20module-change%0A
-        mode: 0600
-        path: /etc/audit/rules.d/75-kernel-module-loading-init.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_kernel_module_loading_init:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_kernel_module_loading_init_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-            </xccdf-1.2:Group>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_audit_login_events">
-              <xccdf-1.2:title>Record Attempts to Alter Logon and Logout Events</xccdf-1.2:title>
-              <xccdf-1.2:description>The audit system already collects login information for all users
-and root. If the <html:code>auditd</html:code> daemon is configured to use the
-<html:code>augenrules</html:code> program to read audit rules during daemon startup (the
-default), add the following lines to a file with suffix <html:code>.rules</html:code> in the
-directory <html:code>/etc/audit/rules.d</html:code> in order to watch for attempted manual
-edits of files involved in storing logon events:
-<html:pre>-w /var/log/tallylog -p wa -k logins
--w /var/run/faillock -p wa -k logins
--w /var/log/lastlog -p wa -k logins</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following lines to
-<html:code>/etc/audit/audit.rules</html:code> file in order to watch for unattempted manual
-edits of files involved in storing logon events:
-<html:pre>-w /var/log/tallylog -p wa -k logins
--w /var/run/faillock -p wa -k logins
--w /var/log/lastlog -p wa -k logins</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:platform idref="#audit"/>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_login_events" severity="medium">
-                <xccdf-1.2:title>Record Attempts to Alter Logon and Logout Events</xccdf-1.2:title>
-                <xccdf-1.2:description>The audit system already collects login information for all users
-and root. If the <html:code>auditd</html:code> daemon is configured to use the
-<html:code>augenrules</html:code> program to read audit rules during daemon startup (the
-default), add the following lines to a file with suffix <html:code>.rules</html:code> in the
-directory <html:code>/etc/audit/rules.d</html:code> in order to watch for attempted manual
-edits of files involved in storing logon events:
-<html:pre>-w /var/log/tallylog -p wa -k logins
--w /var/run/faillock -p wa -k logins
--w /var/log/lastlog -p wa -k logins</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following lines to
-<html:code>/etc/audit/audit.rules</html:code> file in order to watch for unattempted manual
-edits of files involved in storing logon events:
-<html:pre>-w /var/log/tallylog -p wa -k logins
--w /var/run/faillock -p wa -k logins
--w /var/log/lastlog -p wa -k logins</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:warning category="general">This rule checks for multiple syscalls related to login events;
-it was written with DISA STIG in mind. Other policies should use a
-separate rule for each syscall that needs to be checked. For example:
-<html:ul><html:li><html:code>audit_rules_login_events_tallylog</html:code></html:li><html:li><html:code>audit_rules_login_events_faillock</html:code></html:li><html:li><html:code>audit_rules_login_events_lastlog</html:code></html:li></html:ul></xccdf-1.2:warning>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Manual editing of these files may indicate nefarious activity, such
-as an attacker attempting to remove evidence of an intrusion.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_login_events:def:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock" severity="medium">
-                <xccdf-1.2:title>Record Attempts to Alter Logon and Logout Events - faillock</xccdf-1.2:title>
-                <xccdf-1.2:description>The audit system already collects login information for all users
-and root. If the <html:code>auditd</html:code> daemon is configured to use the
-<html:code>augenrules</html:code> program to read audit rules during daemon startup (the
-default), add the following lines to a file with suffix <html:code>.rules</html:code> in the
-directory <html:code>/etc/audit/rules.d</html:code> in order to watch for attempted manual
-edits of files involved in storing logon events:
-<html:pre>-w /var/run/faillock -p wa -k logins</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following lines to
-<html:code>/etc/audit/audit.rules</html:code> file in order to watch for unattempted manual
-edits of files involved in storing logon events:
-<html:pre>-w /var/run/faillock -p wa -k logins</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000126</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000470-GPOS-00214</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000473-GPOS-00218</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000473-VMM-001930</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000470-VMM-001900</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Manual editing of these files may indicate nefarious activity, such
-as an attacker attempting to remove evidence of an intrusion.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82583-6</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_login_events_faillock" complexity="low" disruption="medium" reboot="true" strategy="disable">apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-w%20/var/run/faillock%20-p%20wa%20-k%20logins%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-faillock_login_events.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_login_events_faillock:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_login_events_faillock_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_login_events_lastlog" severity="medium">
-                <xccdf-1.2:title>Record Attempts to Alter Logon and Logout Events - lastlog</xccdf-1.2:title>
-                <xccdf-1.2:description>The audit system already collects login information for all users
-and root. If the <html:code>auditd</html:code> daemon is configured to use the
-<html:code>augenrules</html:code> program to read audit rules during daemon startup (the
-default), add the following lines to a file with suffix <html:code>.rules</html:code> in the
-directory <html:code>/etc/audit/rules.d</html:code> in order to watch for attempted manual
-edits of files involved in storing logon events:
-<html:pre>-w /var/log/lastlog -p wa -k logins</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following lines to
-<html:code>/etc/audit/audit.rules</html:code> file in order to watch for unattempted manual
-edits of files involved in storing logon events:
-<html:pre>-w /var/log/lastlog -p wa -k logins</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000126</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000130</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000135</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000169</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000473-GPOS-00218</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000470-GPOS-00214</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000473-VMM-001930</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000470-VMM-001900</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Manual editing of these files may indicate nefarious activity, such
-as an attacker attempting to remove evidence of an intrusion.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82584-4</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_login_events_lastlog" complexity="low" disruption="medium" reboot="true" strategy="disable">apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-w%20/var/log/lastlog%20-p%20wa%20-k%20logins%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-lastlog_login_events.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_login_events_lastlog:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_login_events_lastlog_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_login_events_tallylog" severity="medium">
-                <xccdf-1.2:title>Record Attempts to Alter Logon and Logout Events - tallylog</xccdf-1.2:title>
-                <xccdf-1.2:description>The audit system already collects login information for all users
-and root. If the <html:code>auditd</html:code> daemon is configured to use the
-<html:code>augenrules</html:code> program to read audit rules during daemon startup (the
-default), add the following lines to a file with suffix <html:code>.rules</html:code> in the
-directory <html:code>/etc/audit/rules.d</html:code> in order to watch for attempted manual
-edits of files involved in storing logon events:
-<html:pre>-w /var/log/tallylog -p wa -k logins</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following lines to
-<html:code>/etc/audit/audit.rules</html:code> file in order to watch for unattempted manual
-edits of files involved in storing logon events:
-<html:pre>-w /var/log/tallylog -p wa -k logins</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000126</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000470-GPOS-00214</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000473-GPOS-00218</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000473-VMM-001930</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000470-VMM-001900</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Manual editing of these files may indicate nefarious activity, such
-as an attacker attempting to remove evidence of an intrusion.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82585-1</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_login_events_tallylog" complexity="low" disruption="medium" reboot="true" strategy="disable">apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-w%20/var/log/tallylog%20-p%20wa%20-k%20logins%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-tallylog_login_events.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_login_events_tallylog:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_login_events_tallylog_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-            </xccdf-1.2:Group>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_audit_privileged_commands">
-              <xccdf-1.2:title>Record Information on the Use of Privileged Commands</xccdf-1.2:title>
-              <xccdf-1.2:description>At a minimum, the audit system should collect the execution of
-privileged commands for all users and root.</xccdf-1.2:description>
-              <xccdf-1.2:platform idref="#audit"/>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_privileged_commands_init" severity="medium">
-                <xccdf-1.2:title>Ensure auditd Collects Information on the Use of Privileged Commands - init</xccdf-1.2:title>
-                <xccdf-1.2:description>At a minimum, the audit system should collect the execution of
-privileged commands for all users and root. If the <html:code>auditd</html:code> daemon is
-configured to use the <html:code>augenrules</html:code> program to read audit rules during
-daemon startup (the default), add a line of the following form to a file with
-suffix <html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>:
-<html:pre>-a always,exit -F path=/usr/sbin/init -F auid&gt;=1000 -F auid!=unset -F key=privileged</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add a line of the following
-form to <html:code>/etc/audit/audit.rules</html:code>:
-<html:pre>-a always,exit -F path=/usr/sbin/init -F auid&gt;=1000 -F auid!=unset -F key=privileged</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000477-GPOS-00222</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Misuse of the init command may cause availability issues for the system.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_privileged_commands_init" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20path%3D/usr/sbin/init%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-usr_sbin_init_execution.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_privileged_commands_init:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_privileged_commands_init_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_privileged_commands_poweroff" severity="medium">
-                <xccdf-1.2:title>Ensure auditd Collects Information on the Use of Privileged Commands - poweroff</xccdf-1.2:title>
-                <xccdf-1.2:description>At a minimum, the audit system should collect the execution of
-privileged commands for all users and root. If the <html:code>auditd</html:code> daemon is
-configured to use the <html:code>augenrules</html:code> program to read audit rules during
-daemon startup (the default), add a line of the following form to a file with
-suffix <html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>:
-<html:pre>-a always,exit -F path=/usr/sbin/poweroff -F auid&gt;=1000 -F auid!=unset -F key=privileged</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add a line of the following
-form to <html:code>/etc/audit/audit.rules</html:code>:
-<html:pre>-a always,exit -F path=/usr/sbin/poweroff -F auid&gt;=1000 -F auid!=unset -F key=privileged</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000477-GPOS-00222</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Misuse of the poweroff command may cause availability issues for the system.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_privileged_commands_poweroff" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20path%3D/usr/sbin/poweroff%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-usr_sbin_poweroff_execution.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_privileged_commands_poweroff:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_privileged_commands_poweroff_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_privileged_commands_reboot" severity="medium">
-                <xccdf-1.2:title>Ensure auditd Collects Information on the Use of Privileged Commands - reboot</xccdf-1.2:title>
-                <xccdf-1.2:description>At a minimum, the audit system should collect the execution of
-privileged commands for all users and root. If the <html:code>auditd</html:code> daemon is
-configured to use the <html:code>augenrules</html:code> program to read audit rules during
-daemon startup (the default), add a line of the following form to a file with
-suffix <html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>:
-<html:pre>-a always,exit -F path=/usr/sbin/reboot -F auid&gt;=1000 -F auid!=unset -F key=privileged</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add a line of the following
-form to <html:code>/etc/audit/audit.rules</html:code>:
-<html:pre>-a always,exit -F path=/usr/sbin/reboot -F auid&gt;=1000 -F auid!=unset -F key=privileged</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000477-GPOS-00222</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Misuse of the reboot command may cause availability issues for the system.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_privileged_commands_reboot" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20path%3D/usr/sbin/reboot%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-usr_sbin_reboot_execution.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_privileged_commands_reboot:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_privileged_commands_reboot_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_privileged_commands_shutdown" severity="medium">
-                <xccdf-1.2:title>Ensure auditd Collects Information on the Use of Privileged Commands - shutdown</xccdf-1.2:title>
-                <xccdf-1.2:description>At a minimum, the audit system should collect the execution of
-privileged commands for all users and root. If the <html:code>auditd</html:code> daemon is
-configured to use the <html:code>augenrules</html:code> program to read audit rules during
-daemon startup (the default), add a line of the following form to a file with
-suffix <html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>:
-<html:pre>-a always,exit -F path=/usr/sbin/shutdown -F auid&gt;=1000 -F auid!=unset -F key=privileged</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add a line of the following
-form to <html:code>/etc/audit/audit.rules</html:code>:
-<html:pre>-a always,exit -F path=/usr/sbin/shutdown -F auid&gt;=1000 -F auid!=unset -F key=privileged</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000477-GPOS-00222</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Misuse of the shutdown command may cause availability issues for the system.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_privileged_commands_shutdown" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20path%3D/usr/sbin/shutdown%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-usr_sbin_shutdown_execution.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_privileged_commands_shutdown:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_privileged_commands_shutdown_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands" severity="medium">
-                <xccdf-1.2:title>Ensure auditd Collects Information on the Use of Privileged Commands</xccdf-1.2:title>
-                <xccdf-1.2:description>The audit system should collect information about usage of privileged
-commands for all users and root. To find the relevant setuid /
-setgid programs, run the following command for each local partition
-<html:i>PART</html:i>:
-<html:pre>$ sudo find <html:i>PART</html:i> -xdev -type f -perm -4000 -o -type f -perm -2000 2&gt;/dev/null</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>augenrules</html:code>
-program to read audit rules during daemon startup (the default), add a line of
-the following form to a file with suffix <html:code>.rules</html:code> in the directory
-<html:code>/etc/audit/rules.d</html:code> for each setuid / setgid program on the system,
-replacing the <html:i>SETUID_PROG_PATH</html:i> part with the full path of that setuid /
-setgid program in the list:
-<html:pre>-a always,exit -F path=<html:i>SETUID_PROG_PATH</html:i> -F auid&gt;=1000 -F auid!=unset -F key=privileged</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add a line of the following
-form to <html:code>/etc/audit/audit.rules</html:code> for each setuid / setgid program on the
-system, replacing the <html:i>SETUID_PROG_PATH</html:i> part with the full path of that
-setuid / setgid program in the list:
-<html:pre>-a always,exit -F path=<html:i>SETUID_PROG_PATH</html:i> -F auid&gt;=1000 -F auid!=unset -F key=privileged</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:warning category="general">This rule checks for multiple syscalls related to privileged commands;
-it was written with DISA STIG in mind. Other policies should use a
-separate rule for each syscall that needs to be checked. For example:
-<html:ul><html:li><html:code>audit_rules_privileged_commands_su</html:code></html:li><html:li><html:code>audit_rules_privileged_commands_umount</html:code></html:li><html:li><html:code>audit_rules_privileged_commands_passwd</html:code></html:li></html:ul></xccdf-1.2:warning>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO08.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002234</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">0582</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">0584</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">05885</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">0586</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">0846</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">0957</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(4)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.DP-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.CO-2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000327-GPOS-00127</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000471-VMM-001910</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Misuse of privileged functions, either intentionally or unintentionally by
-authorized users, or by unauthorized external entities that have compromised system accounts,
-is a serious and ongoing concern and can have significant adverse impacts on organizations.
-Auditing the use of privileged functions is one way to detect such misuse and identify
-the risk from insider and advanced persistent threats.
-<html:br/><html:br/>
-Privileged programs are subject to escalation-of-privilege attacks,
-which attempt to subvert their normal role of providing some necessary but
-limited capability. As such, motivation exists to monitor these programs for
-unusual activity.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82589-3</xccdf-1.2:ident>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_privileged_commands:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_privileged_commands_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_at" severity="medium">
-                <xccdf-1.2:title>Ensure auditd Collects Information on the Use of Privileged Commands - at</xccdf-1.2:title>
-                <xccdf-1.2:description>At a minimum, the audit system should collect the execution of
-privileged commands for all users and root. If the <html:code>auditd</html:code> daemon is
-configured to use the <html:code>augenrules</html:code> program to read audit rules during
-daemon startup (the default), add a line of the following form to a file with
-suffix <html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>:
-<html:pre>-a always,exit -F path=/usr/bin/at -F auid&gt;=1000 -F auid!=unset -F key=privileged</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add a line of the following
-form to <html:code>/etc/audit/audit.rules</html:code>:
-<html:pre>-a always,exit -F path=/usr/bin/at -F auid&gt;=1000 -F auid!=unset -F key=privileged</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000471-VMM-001910</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Misuse of privileged functions, either intentionally or unintentionally by
-authorized users, or by unauthorized external entities that have compromised system accounts,
-is a serious and ongoing concern and can have significant adverse impacts on organizations.
-Auditing the use of privileged functions is one way to detect such misuse and identify
-the risk from insider and advanced persistent threats.
-<html:br/><html:br/>
-Privileged programs are subject to escalation-of-privilege attacks,
-which attempt to subvert their normal role of providing some necessary but
-limited capability. As such, motivation exists to monitor these programs for
-unusual activity.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82590-1</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_privileged_commands_at" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20path%3D/usr/bin/at%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-usr_bin_at_execution.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_privileged_commands_at:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_privileged_commands_at_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chage" severity="medium">
-                <xccdf-1.2:title>Ensure auditd Collects Information on the Use of Privileged Commands - chage</xccdf-1.2:title>
-                <xccdf-1.2:description>At a minimum, the audit system should collect the execution of
-privileged commands for all users and root. If the <html:code>auditd</html:code> daemon is
-configured to use the <html:code>augenrules</html:code> program to read audit rules during
-daemon startup (the default), add a line of the following form to a file with
-suffix <html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>:
-<html:pre>-a always,exit -F path=/usr/bin/chage -F auid&gt;=1000 -F auid!=unset -F key=privileged</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add a line of the following
-form to <html:code>/etc/audit/audit.rules</html:code>:
-<html:pre>-a always,exit -F path=/usr/bin/chage -F auid&gt;=1000 -F auid!=unset -F key=privileged</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000130</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000135</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000169</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(4)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000468-GPOS-00212</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000471-VMM-001910</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Misuse of privileged functions, either intentionally or unintentionally by
-authorized users, or by unauthorized external entities that have compromised system accounts,
-is a serious and ongoing concern and can have significant adverse impacts on organizations.
-Auditing the use of privileged functions is one way to detect such misuse and identify
-the risk from insider and advanced persistent threats.
-<html:br/><html:br/>
-Privileged programs are subject to escalation-of-privilege attacks,
-which attempt to subvert their normal role of providing some necessary but
-limited capability. As such, motivation exists to monitor these programs for
-unusual activity.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82591-9</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_privileged_commands_chage" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20path%3D/usr/bin/chage%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-usr_bin_chage_execution.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_privileged_commands_chage:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_privileged_commands_chage_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chsh" severity="medium">
-                <xccdf-1.2:title>Ensure auditd Collects Information on the Use of Privileged Commands - chsh</xccdf-1.2:title>
-                <xccdf-1.2:description>At a minimum, the audit system should collect the execution of
-privileged commands for all users and root. If the <html:code>auditd</html:code> daemon is
-configured to use the <html:code>augenrules</html:code> program to read audit rules during
-daemon startup (the default), add a line of the following form to a file with
-suffix <html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>:
-<html:pre>-a always,exit -F path=/usr/bin/chsh -F auid&gt;=1000 -F auid!=unset -F key=privileged</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add a line of the following
-form to <html:code>/etc/audit/audit.rules</html:code>:
-<html:pre>-a always,exit -F path=/usr/bin/chsh -F auid&gt;=1000 -F auid!=unset -F key=privileged</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000130</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000135</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000169</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(4)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000471-VMM-001910</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Misuse of privileged functions, either intentionally or unintentionally by
-authorized users, or by unauthorized external entities that have compromised system accounts,
-is a serious and ongoing concern and can have significant adverse impacts on organizations.
-Auditing the use of privileged functions is one way to detect such misuse and identify
-the risk from insider and advanced persistent threats.
-<html:br/><html:br/>
-Privileged programs are subject to escalation-of-privilege attacks,
-which attempt to subvert their normal role of providing some necessary but
-limited capability. As such, motivation exists to monitor these programs for
-unusual activity.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82592-7</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_privileged_commands_chsh" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20path%3D/usr/bin/chsh%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-usr_bin_chsh_execution.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_privileged_commands_chsh:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_privileged_commands_chsh_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_crontab" severity="medium">
-                <xccdf-1.2:title>Ensure auditd Collects Information on the Use of Privileged Commands - crontab</xccdf-1.2:title>
-                <xccdf-1.2:description>At a minimum, the audit system should collect the execution of
-privileged commands for all users and root. If the <html:code>auditd</html:code> daemon is
-configured to use the <html:code>augenrules</html:code> program to read audit rules during
-daemon startup (the default), add a line of the following form to a file with
-suffix <html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>:
-<html:pre>-a always,exit -F path=/usr/bin/crontab -F auid&gt;=1000 -F auid!=unset -F key=privileged</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add a line of the following
-form to <html:code>/etc/audit/audit.rules</html:code>:
-<html:pre>-a always,exit -F path=/usr/bin/crontab -F auid&gt;=1000 -F auid!=unset -F key=privileged</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000130</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000135</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000169</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000471-VMM-001910</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Misuse of privileged functions, either intentionally or unintentionally by
-authorized users, or by unauthorized external entities that have compromised system accounts,
-is a serious and ongoing concern and can have significant adverse impacts on organizations.
-Auditing the use of privileged functions is one way to detect such misuse and identify
-the risk from insider and advanced persistent threats.
-<html:br/><html:br/>
-Privileged programs are subject to escalation-of-privilege attacks,
-which attempt to subvert their normal role of providing some necessary but
-limited capability. As such, motivation exists to monitor these programs for
-unusual activity.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82593-5</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_privileged_commands_crontab" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20path%3D/usr/bin/crontab%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-usr_bin_crontab_execution.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_privileged_commands_crontab:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_privileged_commands_crontab_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_gpasswd" severity="medium">
-                <xccdf-1.2:title>Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd</xccdf-1.2:title>
-                <xccdf-1.2:description>At a minimum, the audit system should collect the execution of
-privileged commands for all users and root. If the <html:code>auditd</html:code> daemon is
-configured to use the <html:code>augenrules</html:code> program to read audit rules during
-daemon startup (the default), add a line of the following form to a file with
-suffix <html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>:
-<html:pre>-a always,exit -F path=/usr/bin/gpasswd -F auid&gt;=1000 -F auid!=unset -F key=privileged</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add a line of the following
-form to <html:code>/etc/audit/audit.rules</html:code>:
-<html:pre>-a always,exit -F path=/usr/bin/gpasswd -F auid&gt;=1000 -F auid!=unset -F key=privileged</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000130</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000135</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000169</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(4)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000471-VMM-001910</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Misuse of privileged functions, either intentionally or unintentionally by
-authorized users, or by unauthorized external entities that have compromised system accounts,
-is a serious and ongoing concern and can have significant adverse impacts on organizations.
-Auditing the use of privileged functions is one way to detect such misuse and identify
-the risk from insider and advanced persistent threats.
-<html:br/><html:br/>
-Privileged programs are subject to escalation-of-privilege attacks,
-which attempt to subvert their normal role of providing some necessary but
-limited capability. As such, motivation exists to monitor these programs for
-unusual activity.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82594-3</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_privileged_commands_gpasswd" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20path%3D/usr/bin/gpasswd%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-usr_bin_gpasswd_execution.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_privileged_commands_gpasswd:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_privileged_commands_gpasswd_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_mount" severity="medium">
-                <xccdf-1.2:title>Ensure auditd Collects Information on the Use of Privileged Commands - mount</xccdf-1.2:title>
-                <xccdf-1.2:description>At a minimum, the audit system should collect the execution of
-privileged commands for all users and root. If the <html:code>auditd</html:code> daemon is
-configured to use the <html:code>augenrules</html:code> program to read audit rules during
-daemon startup (the default), add a line of the following form to a file with
-suffix <html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>:
-<html:pre>-a always,exit -F path=/usr/bin/mount -F auid&gt;=1000 -F auid!=unset -F key=privileged</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add a line of the following
-form to <html:code>/etc/audit/audit.rules</html:code>:
-<html:pre>-a always,exit -F path=/usr/bin/mount -F auid&gt;=1000 -F auid!=unset -F key=privileged</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000130</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000135</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000169</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000471-VMM-001910</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Misuse of privileged functions, either intentionally or unintentionally by
-authorized users, or by unauthorized external entities that have compromised system accounts,
-is a serious and ongoing concern and can have significant adverse impacts on organizations.
-Auditing the use of privileged functions is one way to detect such misuse and identify
-the risk from insider and advanced persistent threats.
-<html:br/><html:br/>
-Privileged programs are subject to escalation-of-privilege attacks,
-which attempt to subvert their normal role of providing some necessary but
-limited capability. As such, motivation exists to monitor these programs for
-unusual activity.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82595-0</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_privileged_commands_mount" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20path%3D/usr/bin/mount%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-usr_bin_mount_execution.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_privileged_commands_mount:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_privileged_commands_mount_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgidmap" severity="medium">
-                <xccdf-1.2:title>Ensure auditd Collects Information on the Use of Privileged Commands - newgidmap</xccdf-1.2:title>
-                <xccdf-1.2:description>At a minimum, the audit system should collect the execution of
-privileged commands for all users and root. If the <html:code>auditd</html:code> daemon is
-configured to use the <html:code>augenrules</html:code> program to read audit rules during
-daemon startup (the default), add a line of the following form to a file with
-suffix <html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>:
-<html:pre>-a always,exit -F path=/usr/bin/newgidmap -F auid&gt;=1000 -F auid!=unset -F key=privileged</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add a line of the following
-form to <html:code>/etc/audit/audit.rules</html:code>:
-<html:pre>-a always,exit -F path=/usr/bin/newgidmap -F auid&gt;=1000 -F auid!=unset -F key=privileged</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(4)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000471-VMM-001910</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Misuse of privileged functions, either intentionally or unintentionally by
-authorized users, or by unauthorized external entities that have compromised system accounts,
-is a serious and ongoing concern and can have significant adverse impacts on organizations.
-Auditing the use of privileged functions is one way to detect such misuse and identify
-the risk from insider and advanced persistent threats.
-<html:br/><html:br/>
-Privileged programs are subject to escalation-of-privilege attacks,
-which attempt to subvert their normal role of providing some necessary but
-limited capability. As such, motivation exists to monitor these programs for
-unusual activity.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82596-8</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_privileged_commands_newgidmap" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20path%3D/usr/bin/newgidmap%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-usr_bin_newgidmap_execution.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_privileged_commands_newgidmap:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_privileged_commands_newgidmap_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgrp" severity="medium">
-                <xccdf-1.2:title>Ensure auditd Collects Information on the Use of Privileged Commands - newgrp</xccdf-1.2:title>
-                <xccdf-1.2:description>At a minimum, the audit system should collect the execution of
-privileged commands for all users and root. If the <html:code>auditd</html:code> daemon is
-configured to use the <html:code>augenrules</html:code> program to read audit rules during
-daemon startup (the default), add a line of the following form to a file with
-suffix <html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>:
-<html:pre>-a always,exit -F path=/usr/bin/newgrp -F auid&gt;=1000 -F auid!=unset -F key=privileged</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add a line of the following
-form to <html:code>/etc/audit/audit.rules</html:code>:
-<html:pre>-a always,exit -F path=/usr/bin/newgrp -F auid&gt;=1000 -F auid!=unset -F key=privileged</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000130</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000169</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000135</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(4)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000471-VMM-001910</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Misuse of privileged functions, either intentionally or unintentionally by
-authorized users, or by unauthorized external entities that have compromised system accounts,
-is a serious and ongoing concern and can have significant adverse impacts on organizations.
-Auditing the use of privileged functions is one way to detect such misuse and identify
-the risk from insider and advanced persistent threats.
-<html:br/><html:br/>
-Privileged programs are subject to escalation-of-privilege attacks,
-which attempt to subvert their normal role of providing some necessary but
-limited capability. As such, motivation exists to monitor these programs for
-unusual activity.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82597-6</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_privileged_commands_newgrp" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20path%3D/usr/bin/newgrp%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-usr_bin_newgrp_execution.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_privileged_commands_newgrp:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_privileged_commands_newgrp_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newuidmap" severity="medium">
-                <xccdf-1.2:title>Ensure auditd Collects Information on the Use of Privileged Commands - newuidmap</xccdf-1.2:title>
-                <xccdf-1.2:description>At a minimum, the audit system should collect the execution of
-privileged commands for all users and root. If the <html:code>auditd</html:code> daemon is
-configured to use the <html:code>augenrules</html:code> program to read audit rules during
-daemon startup (the default), add a line of the following form to a file with
-suffix <html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>:
-<html:pre>-a always,exit -F path=/usr/bin/newuidmap -F auid&gt;=1000 -F auid!=unset -F key=privileged</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add a line of the following
-form to <html:code>/etc/audit/audit.rules</html:code>:
-<html:pre>-a always,exit -F path=/usr/bin/newuidmap -F auid&gt;=1000 -F auid!=unset -F key=privileged</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(4)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000471-VMM-001910</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Misuse of privileged functions, either intentionally or unintentionally by
-authorized users, or by unauthorized external entities that have compromised system accounts,
-is a serious and ongoing concern and can have significant adverse impacts on organizations.
-Auditing the use of privileged functions is one way to detect such misuse and identify
-the risk from insider and advanced persistent threats.
-<html:br/><html:br/>
-Privileged programs are subject to escalation-of-privilege attacks,
-which attempt to subvert their normal role of providing some necessary but
-limited capability. As such, motivation exists to monitor these programs for
-unusual activity.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82598-4</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_privileged_commands_newuidmap" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20path%3D/usr/bin/newuidmap%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-usr_bin_newuidmap_execution.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_privileged_commands_newuidmap:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_privileged_commands_newuidmap_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pam_timestamp_check" severity="medium">
-                <xccdf-1.2:title>Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check</xccdf-1.2:title>
-                <xccdf-1.2:description>At a minimum, the audit system should collect the execution of
-privileged commands for all users and root. If the <html:code>auditd</html:code> daemon is
-configured to use the <html:code>augenrules</html:code> program to read audit rules during
-daemon startup (the default), add a line of the following form to a file with
-suffix <html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>:
-<html:pre>-a always,exit -F path=/usr/sbin/pam_timestamp_check
--F auid&gt;=1000 -F auid!=unset -F key=privileged</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add a line of the following
-form to <html:code>/etc/audit/audit.rules</html:code>:
-<html:pre>-a always,exit -F path=/usr/sbin/pam_timestamp_check
--F auid&gt;=1000 -F auid!=unset -F key=privileged</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000130</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000135</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000169</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000471-VMM-001910</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Misuse of privileged functions, either intentionally or unintentionally by
-authorized users, or by unauthorized external entities that have compromised system accounts,
-is a serious and ongoing concern and can have significant adverse impacts on organizations.
-Auditing the use of privileged functions is one way to detect such misuse and identify
-the risk from insider and advanced persistent threats.
-<html:br/><html:br/>
-Privileged programs are subject to escalation-of-privilege attacks,
-which attempt to subvert their normal role of providing some necessary but
-limited capability. As such, motivation exists to monitor these programs for
-unusual activity.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82599-2</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_privileged_commands_pam_timestamp_check" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20path%3D/usr/sbin/pam_timestamp_check%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-usr_sbin_pam_timestamp_check_execution.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_privileged_commands_pam_timestamp_check:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_privileged_commands_pam_timestamp_check_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_passwd" severity="medium">
-                <xccdf-1.2:title>Ensure auditd Collects Information on the Use of Privileged Commands - passwd</xccdf-1.2:title>
-                <xccdf-1.2:description>At a minimum, the audit system should collect the execution of
-privileged commands for all users and root. If the <html:code>auditd</html:code> daemon is
-configured to use the <html:code>augenrules</html:code> program to read audit rules during
-daemon startup (the default), add a line of the following form to a file with
-suffix <html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>:
-<html:pre>-a always,exit -F path=/usr/bin/passwd -F auid&gt;=1000 -F auid!=unset -F key=privileged</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add a line of the following
-form to <html:code>/etc/audit/audit.rules</html:code>:
-<html:pre>-a always,exit -F path=/usr/bin/passwd -F auid&gt;=1000 -F auid!=unset -F key=privileged</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000130</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000135</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000169</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(4)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000471-VMM-001910</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Misuse of privileged functions, either intentionally or unintentionally by
-authorized users, or by unauthorized external entities that have compromised system accounts,
-is a serious and ongoing concern and can have significant adverse impacts on organizations.
-Auditing the use of privileged functions is one way to detect such misuse and identify
-the risk from insider and advanced persistent threats.
-<html:br/><html:br/>
-Privileged programs are subject to escalation-of-privilege attacks,
-which attempt to subvert their normal role of providing some necessary but
-limited capability. As such, motivation exists to monitor these programs for
-unusual activity.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82600-8</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_privileged_commands_passwd" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20path%3D/usr/bin/passwd%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-usr_bin_passwd_execution.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_privileged_commands_passwd:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_privileged_commands_passwd_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postdrop" severity="medium">
-                <xccdf-1.2:title>Ensure auditd Collects Information on the Use of Privileged Commands - postdrop</xccdf-1.2:title>
-                <xccdf-1.2:description>At a minimum, the audit system should collect the execution of
-privileged commands for all users and root. If the <html:code>auditd</html:code> daemon is
-configured to use the <html:code>augenrules</html:code> program to read audit rules during
-daemon startup (the default), add a line of the following form to a file with
-suffix <html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>:
-<html:pre>-a always,exit -F path=/usr/sbin/postdrop -F auid&gt;=1000 -F auid!=unset -F key=privileged</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add a line of the following
-form to <html:code>/etc/audit/audit.rules</html:code>:
-<html:pre>-a always,exit -F path=/usr/sbin/postdrop -F auid&gt;=1000 -F auid!=unset -F key=privileged</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000130</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000135</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000169</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000471-VMM-001910</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Misuse of privileged functions, either intentionally or unintentionally by
-authorized users, or by unauthorized external entities that have compromised system accounts,
-is a serious and ongoing concern and can have significant adverse impacts on organizations.
-Auditing the use of privileged functions is one way to detect such misuse and identify
-the risk from insider and advanced persistent threats.
-<html:br/><html:br/>
-Privileged programs are subject to escalation-of-privilege attacks,
-which attempt to subvert their normal role of providing some necessary but
-limited capability. As such, motivation exists to monitor these programs for
-unusual activity.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82601-6</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_privileged_commands_postdrop" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20path%3D/usr/sbin/postdrop%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-usr_sbin_postdrop_execution.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_privileged_commands_postdrop:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_privileged_commands_postdrop_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postqueue" severity="medium">
-                <xccdf-1.2:title>Ensure auditd Collects Information on the Use of Privileged Commands - postqueue</xccdf-1.2:title>
-                <xccdf-1.2:description>At a minimum, the audit system should collect the execution of
-privileged commands for all users and root. If the <html:code>auditd</html:code> daemon is
-configured to use the <html:code>augenrules</html:code> program to read audit rules during
-daemon startup (the default), add a line of the following form to a file with
-suffix <html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>:
-<html:pre>-a always,exit -F path=/usr/sbin/postqueue -F auid&gt;=1000 -F auid!=unset -F key=privileged</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add a line of the following
-form to <html:code>/etc/audit/audit.rules</html:code>:
-<html:pre>-a always,exit -F path=/usr/sbin/postqueue -F auid&gt;=1000 -F auid!=unset -F key=privileged</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000130</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000135</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000169</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000471-VMM-001910</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Misuse of privileged functions, either intentionally or unintentionally by
-authorized users, or by unauthorized external entities that have compromised system accounts,
-is a serious and ongoing concern and can have significant adverse impacts on organizations.
-Auditing the use of privileged functions is one way to detect such misuse and identify
-the risk from insider and advanced persistent threats.
-<html:br/><html:br/>
-Privileged programs are subject to escalation-of-privilege attacks,
-which attempt to subvert their normal role of providing some necessary but
-limited capability. As such, motivation exists to monitor these programs for
-unusual activity.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82602-4</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_privileged_commands_postqueue" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20path%3D/usr/sbin/postqueue%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-usr_sbin_postqueue_execution.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_privileged_commands_postqueue:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_privileged_commands_postqueue_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pt_chown" severity="medium">
-                <xccdf-1.2:title>Ensure auditd Collects Information on the Use of Privileged Commands - pt_chown</xccdf-1.2:title>
-                <xccdf-1.2:description>At a minimum, the audit system should collect the execution of
-privileged commands for all users and root. If the <html:code>auditd</html:code> daemon is
-configured to use the <html:code>augenrules</html:code> program to read audit rules during
-daemon startup (the default), add a line of the following form to a file with
-suffix <html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>:
-<html:pre>-a always,exit -F path=/usr/libexec/pt_chown -F auid&gt;=1000 -F auid!=unset -F key=privileged</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add a line of the following
-form to <html:code>/etc/audit/audit.rules</html:code>:
-<html:pre>-a always,exit -F path=/usr/libexec/pt_chown -F auid&gt;=1000 -F auid!=unset -F key=privileged</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000135</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000471-VMM-001910</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Misuse of privileged functions, either intentionally or unintentionally by
-authorized users, or by unauthorized external entities that have compromised system accounts,
-is a serious and ongoing concern and can have significant adverse impacts on organizations.
-Auditing the use of privileged functions is one way to detect such misuse and identify
-the risk from insider and advanced persistent threats.
-<html:br/><html:br/>
-Privileged programs are subject to escalation-of-privilege attacks,
-which attempt to subvert their normal role of providing some necessary but
-limited capability. As such, motivation exists to monitor these programs for
-unusual activity.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82603-2</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_privileged_commands_pt_chown" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20path%3D/usr/libexec/pt_chown%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-usr_libexec_pt_chown_execution.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_privileged_commands_pt_chown:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_privileged_commands_pt_chown_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_keysign" severity="medium">
-                <xccdf-1.2:title>Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign</xccdf-1.2:title>
-                <xccdf-1.2:description>At a minimum, the audit system should collect the execution of
-privileged commands for all users and root. If the <html:code>auditd</html:code> daemon is
-configured to use the <html:code>augenrules</html:code> program to read audit rules during
-daemon startup (the default), add a line of the following form to a file with
-suffix <html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>:
-<html:pre>-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F auid&gt;=1000 -F auid!=unset -F key=privileged</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add a line of the following
-form to <html:code>/etc/audit/audit.rules</html:code>:
-<html:pre>-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F auid&gt;=1000 -F auid!=unset -F key=privileged</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000130</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000135</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000169</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000471-VMM-001910</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Misuse of privileged functions, either intentionally or unintentionally by
-authorized users, or by unauthorized external entities that have compromised system accounts,
-is a serious and ongoing concern and can have significant adverse impacts on organizations.
-Auditing the use of privileged functions is one way to detect such misuse and identify
-the risk from insider and advanced persistent threats.
-<html:br/><html:br/>
-Privileged programs are subject to escalation-of-privilege attacks,
-which attempt to subvert their normal role of providing some necessary but
-limited capability. As such, motivation exists to monitor these programs for
-unusual activity.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82604-0</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_privileged_commands_ssh_keysign" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20path%3D/usr/libexec/openssh/ssh-keysign%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-usr_libexec_openssh_ssh-keysign_execution.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_privileged_commands_ssh_keysign:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_privileged_commands_ssh_keysign_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_su" severity="medium">
-                <xccdf-1.2:title>Ensure auditd Collects Information on the Use of Privileged Commands - su</xccdf-1.2:title>
-                <xccdf-1.2:description>At a minimum, the audit system should collect the execution of
-privileged commands for all users and root. If the <html:code>auditd</html:code> daemon is
-configured to use the <html:code>augenrules</html:code> program to read audit rules during
-daemon startup (the default), add a line of the following form to a file with
-suffix <html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>:
-<html:pre>-a always,exit -F path=/usr/bin/su -F auid&gt;=1000 -F auid!=unset -F key=privileged</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add a line of the following
-form to <html:code>/etc/audit/audit.rules</html:code>:
-<html:pre>-a always,exit -F path=/usr/bin/su -F auid&gt;=1000 -F auid!=unset -F key=privileged</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000130</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000135</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000169</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000064-GPOS-0003</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000466-GPOS-00210</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000471-VMM-001910</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Misuse of privileged functions, either intentionally or unintentionally by
-authorized users, or by unauthorized external entities that have compromised system accounts,
-is a serious and ongoing concern and can have significant adverse impacts on organizations.
-Auditing the use of privileged functions is one way to detect such misuse and identify
-the risk from insider and advanced persistent threats.
-<html:br/><html:br/>
-Privileged programs are subject to escalation-of-privilege attacks,
-which attempt to subvert their normal role of providing some necessary but
-limited capability. As such, motivation exists to monitor these programs for
-unusual activity.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82605-7</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_privileged_commands_su" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20path%3D/usr/bin/su%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-usr_bin_su_execution.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_privileged_commands_su:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_privileged_commands_su_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo" severity="medium">
-                <xccdf-1.2:title>Ensure auditd Collects Information on the Use of Privileged Commands - sudo</xccdf-1.2:title>
-                <xccdf-1.2:description>At a minimum, the audit system should collect the execution of
-privileged commands for all users and root. If the <html:code>auditd</html:code> daemon is
-configured to use the <html:code>augenrules</html:code> program to read audit rules during
-daemon startup (the default), add a line of the following form to a file with
-suffix <html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>:
-<html:pre>-a always,exit -F path=/usr/bin/sudo -F auid&gt;=1000 -F auid!=unset -F key=privileged</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add a line of the following
-form to <html:code>/etc/audit/audit.rules</html:code>:
-<html:pre>-a always,exit -F path=/usr/bin/sudo -F auid&gt;=1000 -F auid!=unset -F key=privileged</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R19)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000130</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000135</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000169</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000466-GPOS-00210</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000471-VMM-001910</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Misuse of privileged functions, either intentionally or unintentionally by
-authorized users, or by unauthorized external entities that have compromised system accounts,
-is a serious and ongoing concern and can have significant adverse impacts on organizations.
-Auditing the use of privileged functions is one way to detect such misuse and identify
-the risk from insider and advanced persistent threats.
-<html:br/><html:br/>
-Privileged programs are subject to escalation-of-privilege attacks,
-which attempt to subvert their normal role of providing some necessary but
-limited capability. As such, motivation exists to monitor these programs for
-unusual activity.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82606-5</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_privileged_commands_sudo" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20path%3D/usr/bin/sudo%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-usr_bin_sudo_execution.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_privileged_commands_sudo:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_privileged_commands_sudo_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudoedit" severity="medium">
-                <xccdf-1.2:title>Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit</xccdf-1.2:title>
-                <xccdf-1.2:description>At a minimum, the audit system should collect the execution of
-privileged commands for all users and root. If the <html:code>auditd</html:code> daemon is
-configured to use the <html:code>augenrules</html:code> program to read audit rules during
-daemon startup (the default), add a line of the following form to a file with
-suffix <html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>:
-<html:pre>-a always,exit -F path=/usr/bin/sudoedit -F auid&gt;=1000 -F auid!=unset -F key=privileged</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add a line of the following
-form to <html:code>/etc/audit/audit.rules</html:code>:
-<html:pre>-a always,exit -F path=/usr/bin/sudoedit -F auid&gt;=1000 -F auid!=unset -F key=privileged</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000130</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000135</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000169</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000471-VMM-001910</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Misuse of privileged functions, either intentionally or unintentionally by
-authorized users, or by unauthorized external entities that have compromised system accounts,
-is a serious and ongoing concern and can have significant adverse impacts on organizations.
-Auditing the use of privileged functions is one way to detect such misuse and identify
-the risk from insider and advanced persistent threats.
-<html:br/><html:br/>
-Privileged programs are subject to escalation-of-privilege attacks,
-which attempt to subvert their normal role of providing some necessary but
-limited capability. As such, motivation exists to monitor these programs for
-unusual activity.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82607-3</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_privileged_commands_sudoedit" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20path%3D/usr/bin/sudoedit%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-usr_bin_sudoedit_execution.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_privileged_commands_sudoedit:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_privileged_commands_sudoedit_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_umount" severity="medium">
-                <xccdf-1.2:title>Ensure auditd Collects Information on the Use of Privileged Commands - umount</xccdf-1.2:title>
-                <xccdf-1.2:description>At a minimum, the audit system should collect the execution of
-privileged commands for all users and root. If the <html:code>auditd</html:code> daemon is
-configured to use the <html:code>augenrules</html:code> program to read audit rules during
-daemon startup (the default), add a line of the following form to a file with
-suffix <html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>:
-<html:pre>-a always,exit -F path=/usr/bin/umount -F auid&gt;=1000 -F auid!=unset -F key=privileged</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add a line of the following
-form to <html:code>/etc/audit/audit.rules</html:code>:
-<html:pre>-a always,exit -F path=/usr/bin/umount -F auid&gt;=1000 -F auid!=unset -F key=privileged</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000130</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000169</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000135</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000471-VMM-001910</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Misuse of privileged functions, either intentionally or unintentionally by
-authorized users, or by unauthorized external entities that have compromised system accounts,
-is a serious and ongoing concern and can have significant adverse impacts on organizations.
-Auditing the use of privileged functions is one way to detect such misuse and identify
-the risk from insider and advanced persistent threats.
-<html:br/><html:br/>
-Privileged programs are subject to escalation-of-privilege attacks,
-which attempt to subvert their normal role of providing some necessary but
-limited capability. As such, motivation exists to monitor these programs for
-unusual activity.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82608-1</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_privileged_commands_umount" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20path%3D/usr/bin/umount%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-usr_bin_umount_execution.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_privileged_commands_umount:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_privileged_commands_umount_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_chkpwd" severity="medium">
-                <xccdf-1.2:title>Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd</xccdf-1.2:title>
-                <xccdf-1.2:description>At a minimum, the audit system should collect the execution of
-privileged commands for all users and root. If the <html:code>auditd</html:code> daemon is
-configured to use the <html:code>augenrules</html:code> program to read audit rules during
-daemon startup (the default), add a line of the following form to a file with
-suffix <html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>:
-<html:pre>-a always,exit -F path=/usr/sbin/unix_chkpwd -F auid&gt;=1000 -F auid!=unset -F key=privileged</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add a line of the following
-form to <html:code>/etc/audit/audit.rules</html:code>:
-<html:pre>-a always,exit -F path=/usr/sbin/unix_chkpwd -F auid&gt;=1000 -F auid!=unset -F key=privileged</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000130</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000135</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000169</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(4)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12.1(ii)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12.1(iv)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MA-4(1)(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000471-VMM-001910</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Misuse of privileged functions, either intentionally or unintentionally by
-authorized users, or by unauthorized external entities that have compromised system accounts,
-is a serious and ongoing concern and can have significant adverse impacts on organizations.
-Auditing the use of privileged functions is one way to detect such misuse and identify
-the risk from insider and advanced persistent threats.
-<html:br/><html:br/>
-Privileged programs are subject to escalation-of-privilege attacks,
-which attempt to subvert their normal role of providing some necessary but
-limited capability. As such, motivation exists to monitor these programs for
-unusual activity.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82609-9</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_privileged_commands_unix_chkpwd" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20path%3D/usr/sbin/unix_chkpwd%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-usr_sbin_unix_chkpwd_execution.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_privileged_commands_unix_chkpwd:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_privileged_commands_unix_chkpwd_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_userhelper" severity="medium">
-                <xccdf-1.2:title>Ensure auditd Collects Information on the Use of Privileged Commands - userhelper</xccdf-1.2:title>
-                <xccdf-1.2:description>At a minimum, the audit system should collect the execution of
-privileged commands for all users and root. If the <html:code>auditd</html:code> daemon is
-configured to use the <html:code>augenrules</html:code> program to read audit rules during
-daemon startup (the default), add a line of the following form to a file with
-suffix <html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>:
-<html:pre>-a always,exit -F path=/usr/sbin/userhelper -F auid&gt;=1000 -F auid!=unset -F key=privileged</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add a line of the following
-form to <html:code>/etc/audit/audit.rules</html:code>:
-<html:pre>-a always,exit -F path=/usr/sbin/userhelper -F auid&gt;=1000 -F auid!=unset -F key=privileged</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000135</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000169</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002884</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000037-GPOS-00015</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000042-GPOS-00020</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000392-GPOS-00172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000471-VMM-001910</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Misuse of privileged functions, either intentionally or unintentionally by
-authorized users, or by unauthorized external entities that have compromised system accounts,
-is a serious and ongoing concern and can have significant adverse impacts on organizations.
-Auditing the use of privileged functions is one way to detect such misuse and identify
-the risk from insider and advanced persistent threats.
-<html:br/><html:br/>
-Privileged programs are subject to escalation-of-privilege attacks,
-which attempt to subvert their normal role of providing some necessary but
-limited capability. As such, motivation exists to monitor these programs for
-unusual activity.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82610-7</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_privileged_commands_userhelper" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20path%3D/usr/sbin/userhelper%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-usr_sbin_userhelper_execution.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_privileged_commands_userhelper:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_privileged_commands_userhelper_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_usernetctl" severity="medium">
-                <xccdf-1.2:title>Ensure auditd Collects Information on the Use of Privileged Commands - usernetctl</xccdf-1.2:title>
-                <xccdf-1.2:description>At a minimum, the audit system should collect the execution of
-privileged commands for all users and root. If the <html:code>auditd</html:code> daemon is
-configured to use the <html:code>augenrules</html:code> program to read audit rules during
-daemon startup (the default), add a line of the following form to a file with
-suffix <html:code>.rules</html:code> in the directory <html:code>/etc/audit/rules.d</html:code>:
-<html:pre>-a always,exit -F path=/usr/sbin/usernetctl -F auid&gt;=1000 -F auid!=unset -F key=privileged</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add a line of the following
-form to <html:code>/etc/audit/audit.rules</html:code>:
-<html:pre>-a always,exit -F path=/usr/sbin/usernetctl -F auid&gt;=1000 -F auid!=unset -F key=privileged</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(4)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000471-VMM-001910</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Misuse of privileged functions, either intentionally or unintentionally by
-authorized users, or by unauthorized external entities that have compromised system accounts,
-is a serious and ongoing concern and can have significant adverse impacts on organizations.
-Auditing the use of privileged functions is one way to detect such misuse and identify
-the risk from insider and advanced persistent threats.
-<html:br/><html:br/>
-Privileged programs are subject to escalation-of-privilege attacks,
-which attempt to subvert their normal role of providing some necessary but
-limited capability. As such, motivation exists to monitor these programs for
-unusual activity.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82611-5</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_privileged_commands_usernetctl" complexity="low" disruption="medium" reboot="true" strategy="disable">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,-a%20always%2Cexit%20-F%20path%3D/usr/sbin/usernetctl%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dprivileged%0A
-        mode: 0644
-        path: /etc/audit/rules.d/75-usr_sbin_usernetctl_execution.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_privileged_commands_usernetctl:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_privileged_commands_usernetctl_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-            </xccdf-1.2:Group>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_audit_time_rules">
-              <xccdf-1.2:title>Records Events that Modify Date and Time Information</xccdf-1.2:title>
-              <xccdf-1.2:description>Arbitrary changes to the system time can be used to obfuscate
-nefarious activities in log files, as well as to confuse network services that
-are highly dependent upon an accurate system time. All changes to the system
-time should be audited.</xccdf-1.2:description>
-              <xccdf-1.2:platform idref="#audit"/>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_time_adjtimex" severity="medium">
-                <xccdf-1.2:title>Record attempts to alter time through adjtimex</xccdf-1.2:title>
-                <xccdf-1.2:description>If the <html:code>auditd</html:code> daemon is configured to use the
-<html:code>augenrules</html:code> program to read audit rules during daemon startup (the
-default), add the following line to a file with suffix <html:code>.rules</html:code> in the
-directory <html:code>/etc/audit/rules.d</html:code>:
-<html:pre>-a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rules</html:pre>
-If the system is 64 bit then also add the following line:
-<html:pre>-a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following line to
-<html:code>/etc/audit/audit.rules</html:code> file:
-<html:pre>-a always,exit -F arch=b32 -S adjtimex -F key=audit_time_rules</html:pre>
-If the system is 64 bit then also add the following line:
-<html:pre>-a always,exit -F arch=b64 -S adjtimex -F key=audit_time_rules</html:pre>
-The -k option allows for the specification of a key in string form that can be
-used for better reporting capability through ausearch and aureport. Multiple
-system calls can be defined on the same line to save space if desired, but is
-not required. See an example of multiple combined syscalls:
-<html:pre>-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001487</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000169</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.4.2.b</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Arbitrary changes to the system time can be used to obfuscate
-nefarious activities in log files, as well as to confuse network services that
-are highly dependent upon an accurate system time (such as sshd). All changes
-to the system time should be audited.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82614-9</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_time_adjtimex" complexity="low" disruption="low" reboot="true" strategy="restrict">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20adjtimex%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20adjtimex%20-k%20audit_time_rules%0A }}
-        mode: 0600
-        path: /etc/audit/rules.d/75-syscall-adjtimex.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_time_adjtimex:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_time_adjtimex_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_time_clock_settime" severity="medium">
-                <xccdf-1.2:title>Record Attempts to Alter Time Through clock_settime</xccdf-1.2:title>
-                <xccdf-1.2:description>If the <html:code>auditd</html:code> daemon is configured to use the
-<html:code>augenrules</html:code> program to read audit rules during daemon startup (the
-default), add the following line to a file with suffix <html:code>.rules</html:code> in the
-directory <html:code>/etc/audit/rules.d</html:code>:
-<html:pre>-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change</html:pre>
-If the system is 64 bit then also add the following line:
-<html:pre>-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following line to
-<html:code>/etc/audit/audit.rules</html:code> file:
-<html:pre>-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change</html:pre>
-If the system is 64 bit then also add the following line:
-<html:pre>-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change</html:pre>
-The -k option allows for the specification of a key in string form that can
-be used for better reporting capability through ausearch and aureport.
-Multiple system calls can be defined on the same line to save space if
-desired, but is not required. See an example of multiple combined syscalls:
-<html:pre>-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001487</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000169</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.4.2.b</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Arbitrary changes to the system time can be used to obfuscate
-nefarious activities in log files, as well as to confuse network services that
-are highly dependent upon an accurate system time (such as sshd). All changes
-to the system time should be audited.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82615-6</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_time_clock_settime" complexity="low" disruption="low" reboot="true" strategy="restrict">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20clock_settime%20-F%20a0%3D0x0%20-k%20time-change%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20clock_settime%20-F%20a0%3D0x0%20-k%20time-change%0A }}
-        mode: 0600
-        path: /etc/audit/rules.d/75-syscall-clock-settime.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_time_clock_settime:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_time_clock_settime_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_time_settimeofday" severity="medium">
-                <xccdf-1.2:title>Record attempts to alter time through settimeofday</xccdf-1.2:title>
-                <xccdf-1.2:description>If the <html:code>auditd</html:code> daemon is configured to use the
-<html:code>augenrules</html:code> program to read audit rules during daemon startup (the
-default), add the following line to a file with suffix <html:code>.rules</html:code> in the
-directory <html:code>/etc/audit/rules.d</html:code>:
-<html:pre>-a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules</html:pre>
-If the system is 64 bit then also add the following line:
-<html:pre>-a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following line to
-<html:code>/etc/audit/audit.rules</html:code> file:
-<html:pre>-a always,exit -F arch=b32 -S settimeofday -F key=audit_time_rules</html:pre>
-If the system is 64 bit then also add the following line:
-<html:pre>-a always,exit -F arch=b64 -S settimeofday -F key=audit_time_rules</html:pre>
-The -k option allows for the specification of a key in string form that can be
-used for better reporting capability through ausearch and aureport. Multiple
-system calls can be defined on the same line to save space if desired, but is
-not required. See an example of multiple combined syscalls:
-<html:pre>-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001487</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000169</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.4.2.b</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Arbitrary changes to the system time can be used to obfuscate
-nefarious activities in log files, as well as to confuse network services that
-are highly dependent upon an accurate system time (such as sshd). All changes
-to the system time should be audited.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82616-4</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_time_settimeofday" complexity="low" disruption="low" reboot="true" strategy="restrict">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20settimeofday%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20settimeofday%20-k%20audit_time_rules%0A }}
-        mode: 0600
-        path: /etc/audit/rules.d/75-syscall-settimeofday.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_time_settimeofday:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_time_settimeofday_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_time_stime" severity="medium">
-                <xccdf-1.2:title>Record Attempts to Alter Time Through stime</xccdf-1.2:title>
-                <xccdf-1.2:description>If the <html:code>auditd</html:code> daemon is configured to use the
-<html:code>augenrules</html:code> program to read audit rules during daemon startup (the
-default), add the following line to a file with suffix <html:code>.rules</html:code> in the
-directory <html:code>/etc/audit/rules.d</html:code> for both 32 bit and 64 bit systems:
-<html:pre>-a always,exit -F arch=b32 -S stime -F key=audit_time_rules</html:pre>
-Since the 64 bit version of the "stime" system call is not defined in the audit
-lookup table, the corresponding "-F arch=b64" form of this rule is not expected
-to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule
-form itself is sufficient for both 32 bit and 64 bit systems). If the
-<html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code> utility to
-read audit rules during daemon startup, add the following line to
-<html:code>/etc/audit/audit.rules</html:code> file for both 32 bit and 64 bit systems:
-<html:pre>-a always,exit -F arch=b32 -S stime -F key=audit_time_rules</html:pre>
-Since the 64 bit version of the "stime" system call is not defined in the audit
-lookup table, the corresponding "-F arch=b64" form of this rule is not expected
-to be defined on 64 bit systems (the aforementioned "-F arch=b32" stime rule
-form itself is sufficient for both 32 bit and 64 bit systems). The -k option
-allows for the specification of a key in string form that can be used for
-better reporting capability through ausearch and aureport. Multiple system
-calls can be defined on the same line to save space if desired, but is not
-required. See an example of multiple combined system calls:
-<html:pre>-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=audit_time_rules</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001487</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000169</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.4.2.b</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Arbitrary changes to the system time can be used to obfuscate
-nefarious activities in log files, as well as to confuse network services that
-are highly dependent upon an accurate system time (such as sshd). All changes
-to the system time should be audited.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82617-2</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_time_stime" complexity="low" disruption="low" reboot="true" strategy="restrict">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ -a%20always%2Cexit%20-F%20arch%3Db64%20-S%20stime%20-k%20audit_time_rules%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20stime%20-k%20audit_time_rules%0A }}
-        mode: 0600
-        path: /etc/audit/rules.d/75-syscall-stime.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_time_stime:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_time_stime_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_time_watch_localtime" severity="medium">
-                <xccdf-1.2:title>Record Attempts to Alter the localtime File</xccdf-1.2:title>
-                <xccdf-1.2:description>If the <html:code>auditd</html:code> daemon is configured to use the
-<html:code>augenrules</html:code> program to read audit rules during daemon startup (the default),
-add the following line to a file with suffix <html:code>.rules</html:code> in the directory
-<html:code>/etc/audit/rules.d</html:code>:
-<html:pre>-w /etc/localtime -p wa -k audit_time_rules</html:pre>
-If the <html:code>auditd</html:code> daemon is configured to use the <html:code>auditctl</html:code>
-utility to read audit rules during daemon startup, add the following line to
-<html:code>/etc/audit/audit.rules</html:code> file:
-<html:pre>-w /etc/localtime -p wa -k audit_time_rules</html:pre>
-The -k option allows for the specification of a key in string form that can
-be used for better reporting capability through ausearch and aureport and
-should always be used.</xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001487</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000169</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(d)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(9)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.4.2.b</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Arbitrary changes to the system time can be used to obfuscate
-nefarious activities in log files, as well as to confuse network services that
-are highly dependent upon an accurate system time (such as sshd). All changes
-to the system time should be audited.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#audit"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82618-0</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_rules_time_watch_localtime" complexity="low" disruption="low" reboot="true" strategy="restrict">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ -w%20/etc/localtime%20-p%20wa%20-k%20audit_time_rules%0A }}
-        mode: 0600
-        path: /etc/audit/rules.d/75-etclocaltime-wa-audit_time_rules.rules
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_time_watch_localtime:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_time_watch_localtime_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-            </xccdf-1.2:Group>
-          </xccdf-1.2:Group>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_configure_auditd_data_retention">
-            <xccdf-1.2:title>Configure auditd Data Retention</xccdf-1.2:title>
-            <xccdf-1.2:description>The audit system writes data to <html:code>/var/log/audit/audit.log</html:code>. By default,
-<html:code>auditd</html:code> rotates 5 logs by size (6MB), retaining a maximum of 30MB of
-data in total, and refuses to write entries when the disk is too
-full. This minimizes the risk of audit data filling its partition
-and impacting other services. This also minimizes the risk of the audit
-daemon temporarily disabling the system if it cannot write audit log (which
-it can be configured to do).
-
-For a busy
-system or a system which is thoroughly auditing system activity, the default settings
-for data retention may be
- insufficient. The log file size needed will depend heavily on what types
-of events are being audited. First configure auditing to log all the events of
-interest. Then monitor the log size manually for awhile to determine what file
-size will allow you to keep the required data for the correct time period.
-<html:br/><html:br/>
-Using a dedicated partition for <html:code>/var/log/audit</html:code> prevents the
-<html:code>auditd</html:code> logs from disrupting system functionality if they fill, and,
-more importantly, prevents other activity in <html:code>/var</html:code> from filling the
-partition and stopping the audit trail. (The audit logs are size-limited and
-therefore unlikely to grow without bound unless configured to do so.) Some
-machines may have requirements that no actions occur which cannot be audited.
-If this is the case, then <html:code>auditd</html:code> can be configured to halt the machine
-if it runs out of space. <html:b>Note:</html:b> Since older logs are rotated,
-configuring <html:code>auditd</html:code> this way does not prevent older logs from being
-rotated away before they can be viewed.
-
-<html:i>If your system is configured to halt when logging cannot be performed, make
-sure this can never happen under normal circumstances! Ensure that
-<html:code>/var/log/audit</html:code> is on its own partition, and that this partition is
-larger than the maximum amount of data <html:code>auditd</html:code> will retain
-normally.</html:i></xccdf-1.2:description>
-            <xccdf-1.2:platform idref="#audit"/>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_audispd_disk_full_action" type="string">
-              <xccdf-1.2:title>Action for audispd to take when disk is full</xccdf-1.2:title>
-              <xccdf-1.2:description>The setting for disk_full_action in /etc/audisp/audisp-remote.conf</xccdf-1.2:description>
-              <xccdf-1.2:value>single</xccdf-1.2:value>
-              <xccdf-1.2:value selector="exec">exec</xccdf-1.2:value>
-              <xccdf-1.2:value selector="halt">halt</xccdf-1.2:value>
-              <xccdf-1.2:value selector="single">single</xccdf-1.2:value>
-              <xccdf-1.2:value selector="suspend">suspend</xccdf-1.2:value>
-              <xccdf-1.2:value selector="syslog">syslog</xccdf-1.2:value>
-              <xccdf-1.2:value selector="warn_once">warn_once</xccdf-1.2:value>
-              <xccdf-1.2:value selector="stop">stop</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_audispd_network_failure_action" type="string">
-              <xccdf-1.2:title>Action for audispd to take when network fails</xccdf-1.2:title>
-              <xccdf-1.2:description>The setting for network_failure_action in /etc/audisp/audisp-remote.conf</xccdf-1.2:description>
-              <xccdf-1.2:value>single</xccdf-1.2:value>
-              <xccdf-1.2:value selector="exec">exec</xccdf-1.2:value>
-              <xccdf-1.2:value selector="halt">halt</xccdf-1.2:value>
-              <xccdf-1.2:value selector="single">single</xccdf-1.2:value>
-              <xccdf-1.2:value selector="suspend">suspend</xccdf-1.2:value>
-              <xccdf-1.2:value selector="syslog">syslog</xccdf-1.2:value>
-              <xccdf-1.2:value selector="warn_once">warn_once</xccdf-1.2:value>
-              <xccdf-1.2:value selector="stop">stop</xccdf-1.2:value>
-              <xccdf-1.2:value selector="ignore">ignore</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_audispd_remote_server" type="string" interactive="true">
-              <xccdf-1.2:title>Remote server for audispd to send audit records</xccdf-1.2:title>
-              <xccdf-1.2:description>
-The setting for remote_server in /etc/audisp/audisp-remote.conf</xccdf-1.2:description>
-              <xccdf-1.2:value>logcollector</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_auditd_action_mail_acct" type="string">
-              <xccdf-1.2:title>Account for auditd to send email when actions occurs</xccdf-1.2:title>
-              <xccdf-1.2:description>The setting for action_mail_acct in /etc/audit/auditd.conf</xccdf-1.2:description>
-              <xccdf-1.2:value selector="admin">admin</xccdf-1.2:value>
-              <xccdf-1.2:value>root</xccdf-1.2:value>
-              <xccdf-1.2:value selector="root">root</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_auditd_admin_space_left_action" type="string">
-              <xccdf-1.2:title>Action for auditd to take when disk space is low</xccdf-1.2:title>
-              <xccdf-1.2:description>The setting for admin_space_left_action in /etc/audit/auditd.conf</xccdf-1.2:description>
-              <xccdf-1.2:value>single</xccdf-1.2:value>
-              <xccdf-1.2:value selector="email">email</xccdf-1.2:value>
-              <xccdf-1.2:value selector="exec">exec</xccdf-1.2:value>
-              <xccdf-1.2:value selector="halt">halt</xccdf-1.2:value>
-              <xccdf-1.2:value selector="single">single</xccdf-1.2:value>
-              <xccdf-1.2:value selector="suspend">suspend</xccdf-1.2:value>
-              <xccdf-1.2:value selector="syslog">syslog</xccdf-1.2:value>
-              <xccdf-1.2:value selector="rotate">rotate</xccdf-1.2:value>
-              <xccdf-1.2:value selector="ignore">ignore</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_auditd_disk_error_action" type="string">
-              <xccdf-1.2:title>Action for auditd to take when disk errors</xccdf-1.2:title>
-              <xccdf-1.2:description>'The setting for disk_error_action in /etc/audit/auditd.conf, if multiple
-values are allowed write them separated by pipes as in "syslog|single|halt",
-for remediations the first value will be taken'</xccdf-1.2:description>
-              <xccdf-1.2:value>single</xccdf-1.2:value>
-              <xccdf-1.2:value selector="exec">exec</xccdf-1.2:value>
-              <xccdf-1.2:value selector="halt">halt</xccdf-1.2:value>
-              <xccdf-1.2:value selector="single">single</xccdf-1.2:value>
-              <xccdf-1.2:value selector="suspend">suspend</xccdf-1.2:value>
-              <xccdf-1.2:value selector="syslog">syslog</xccdf-1.2:value>
-              <xccdf-1.2:value selector="ignore">ignore</xccdf-1.2:value>
-              <xccdf-1.2:value selector="ol8">syslog|single|halt</xccdf-1.2:value>
-              <xccdf-1.2:value selector="rhel8">syslog|single|halt</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_auditd_disk_full_action" type="string">
-              <xccdf-1.2:title>Action for auditd to take when disk is full</xccdf-1.2:title>
-              <xccdf-1.2:description>'The setting for disk_full_action in /etc/audit/auditd.conf, if multiple
-values are allowed write them separated by pipes as in "syslog|single|halt",
-for remediations the first value will be taken'</xccdf-1.2:description>
-              <xccdf-1.2:value>single</xccdf-1.2:value>
-              <xccdf-1.2:value selector="exec">exec</xccdf-1.2:value>
-              <xccdf-1.2:value selector="halt">halt</xccdf-1.2:value>
-              <xccdf-1.2:value selector="single">single</xccdf-1.2:value>
-              <xccdf-1.2:value selector="suspend">suspend</xccdf-1.2:value>
-              <xccdf-1.2:value selector="syslog">syslog</xccdf-1.2:value>
-              <xccdf-1.2:value selector="ignore">ignore</xccdf-1.2:value>
-              <xccdf-1.2:value selector="rotate">rotate</xccdf-1.2:value>
-              <xccdf-1.2:value selector="ol8">syslog|single|halt</xccdf-1.2:value>
-              <xccdf-1.2:value selector="rhel8">syslog|single|halt</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_auditd_flush" type="string">
-              <xccdf-1.2:title>Auditd priority for flushing data to disk</xccdf-1.2:title>
-              <xccdf-1.2:description>The setting for flush in /etc/audit/auditd.conf</xccdf-1.2:description>
-              <xccdf-1.2:value selector="data">data</xccdf-1.2:value>
-              <xccdf-1.2:value>data</xccdf-1.2:value>
-              <xccdf-1.2:value selector="incremental">incremental</xccdf-1.2:value>
-              <xccdf-1.2:value selector="incremental_async">incremental_async</xccdf-1.2:value>
-              <xccdf-1.2:value selector="none">none</xccdf-1.2:value>
-              <xccdf-1.2:value selector="sync">sync</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_auditd_max_log_file" type="number">
-              <xccdf-1.2:title>Maximum audit log file size for auditd</xccdf-1.2:title>
-              <xccdf-1.2:description>The setting for max_log_file in /etc/audit/auditd.conf</xccdf-1.2:description>
-              <xccdf-1.2:value selector="1">1</xccdf-1.2:value>
-              <xccdf-1.2:value selector="10">10</xccdf-1.2:value>
-              <xccdf-1.2:value selector="20">20</xccdf-1.2:value>
-              <xccdf-1.2:value selector="5">5</xccdf-1.2:value>
-              <xccdf-1.2:value selector="6">6</xccdf-1.2:value>
-              <xccdf-1.2:value>6</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_auditd_max_log_file_action" type="string">
-              <xccdf-1.2:title>Action for auditd to take when log files reach their maximum size</xccdf-1.2:title>
-              <xccdf-1.2:description>The setting for max_log_file_action in /etc/audit/auditd.conf. The following options are available:
-<html:br/>ignore - audit daemon does nothing.
-<html:br/>syslog - audit daemon will issue a warning to syslog.
-<html:br/>suspend - audit daemon will stop writing records to the disk.
-<html:br/>rotate - audit daemon will rotate logs in the same convention used by logrotate.
-<html:br/>keep_logs - similar to rotate but prevents audit logs to be overwritten. May trigger space_left_action if volume is full.</xccdf-1.2:description>
-              <xccdf-1.2:value>rotate</xccdf-1.2:value>
-              <xccdf-1.2:value selector="keep_logs">keep_logs</xccdf-1.2:value>
-              <xccdf-1.2:value selector="rotate">rotate</xccdf-1.2:value>
-              <xccdf-1.2:value selector="suspend">suspend</xccdf-1.2:value>
-              <xccdf-1.2:value selector="syslog">syslog</xccdf-1.2:value>
-              <xccdf-1.2:value selector="ignore">ignore</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_auditd_num_logs" type="number">
-              <xccdf-1.2:title>Number of log files for auditd to retain</xccdf-1.2:title>
-              <xccdf-1.2:description>The setting for num_logs in /etc/audit/auditd.conf</xccdf-1.2:description>
-              <xccdf-1.2:value selector="0">0</xccdf-1.2:value>
-              <xccdf-1.2:value selector="1">1</xccdf-1.2:value>
-              <xccdf-1.2:value selector="2">2</xccdf-1.2:value>
-              <xccdf-1.2:value selector="3">3</xccdf-1.2:value>
-              <xccdf-1.2:value selector="4">4</xccdf-1.2:value>
-              <xccdf-1.2:value selector="5">5</xccdf-1.2:value>
-              <xccdf-1.2:value selector="10">10</xccdf-1.2:value>
-              <xccdf-1.2:value selector="20">20</xccdf-1.2:value>
-              <xccdf-1.2:value selector="50">50</xccdf-1.2:value>
-              <xccdf-1.2:value selector="100">100</xccdf-1.2:value>
-              <xccdf-1.2:value>5</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_auditd_space_left" type="number">
-              <xccdf-1.2:title>Size remaining in disk space before prompting space_left_action</xccdf-1.2:title>
-              <xccdf-1.2:description>The setting for space_left (MB) in /etc/audit/auditd.conf</xccdf-1.2:description>
-              <xccdf-1.2:value selector="1000MB">1000</xccdf-1.2:value>
-              <xccdf-1.2:value selector="100MB">100</xccdf-1.2:value>
-              <xccdf-1.2:value selector="250MB">250</xccdf-1.2:value>
-              <xccdf-1.2:value selector="500MB">500</xccdf-1.2:value>
-              <xccdf-1.2:value selector="750MB">750</xccdf-1.2:value>
-              <xccdf-1.2:value>100</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_auditd_space_left_action" type="string">
-              <xccdf-1.2:title>Action for auditd to take when disk space just starts to run low</xccdf-1.2:title>
-              <xccdf-1.2:description>The setting for space_left_action in /etc/audit/auditd.conf</xccdf-1.2:description>
-              <xccdf-1.2:value>email</xccdf-1.2:value>
-              <xccdf-1.2:value selector="email">email</xccdf-1.2:value>
-              <xccdf-1.2:value selector="exec">exec</xccdf-1.2:value>
-              <xccdf-1.2:value selector="halt">halt</xccdf-1.2:value>
-              <xccdf-1.2:value selector="single">single</xccdf-1.2:value>
-              <xccdf-1.2:value selector="suspend">suspend</xccdf-1.2:value>
-              <xccdf-1.2:value selector="syslog">syslog</xccdf-1.2:value>
-              <xccdf-1.2:value selector="rotate">rotate</xccdf-1.2:value>
-              <xccdf-1.2:value selector="ignore">ignore</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_auditd_space_left_percentage" type="number" interactive="true">
-              <xccdf-1.2:title>The percentage remaining in disk space before prompting space_left_action</xccdf-1.2:title>
-              <xccdf-1.2:description>The setting for space_left as a percentage in /etc/audit/auditd.conf</xccdf-1.2:description>
-              <xccdf-1.2:value selector="25pc">25</xccdf-1.2:value>
-              <xccdf-1.2:value selector="50pc">50</xccdf-1.2:value>
-              <xccdf-1.2:value selector="75pc">75</xccdf-1.2:value>
-              <xccdf-1.2:value>25</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_auditd_audispd_configure_remote_server" severity="medium">
-              <xccdf-1.2:title>Configure audispd Plugin To Send Logs To Remote Server</xccdf-1.2:title>
-              <xccdf-1.2:description>Configure the audispd plugin to off-load audit records onto a different
-system or media from the system being audited.
-
-Set the <html:code>remote_server</html:code> option in <html:pre>/etc/audit/audisp-remote.conf</html:pre>
-with an IP address or hostname of the system that the audispd plugin should
-send audit records to. For example
-<html:pre>remote_server = <html:i><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_audispd_remote_server" use="legacy"/></html:i></html:pre></xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001851</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000342-GPOS-00133</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000479-GPOS-00224</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000051-VMM-000230</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000058-VMM-000270</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000059-VMM-000280</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000479-VMM-001990</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000479-VMM-001990</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Information stored in one location is vulnerable to accidental or incidental
-deletion or alteration.Off-loading is a common process in information systems
-with limited audit storage capacity.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#audit"/>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-export export-name="oval:ssg-var_audispd_remote_server:var:1" value-id="xccdf_org.ssgproject.content_value_var_audispd_remote_server"/>
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-auditd_audispd_configure_remote_server:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-auditd_audispd_configure_remote_server_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_auditd_audispd_disk_full_action" severity="medium">
-              <xccdf-1.2:title>Configure audispd's Plugin disk_full_action When Disk Is Full</xccdf-1.2:title>
-              <xccdf-1.2:description>Configure the action the operating system takes if the disk the audit records
-are written to becomes full. Edit the file <html:code>/etc/audit/audisp-remote.conf</html:code>.
-Add or modify the following line, substituting <html:i>ACTION</html:i> appropriately:
-<html:pre>disk_full_action = <html:i>ACTION</html:i></html:pre>
-Set this value to <html:code>single</html:code> to cause the system to switch to single user
-mode for corrective action. Acceptable values also include <html:code>syslog</html:code> and
-<html:code>halt</html:code>. For certain systems, the need for availability
-outweighs the need to log all actions, and a different setting should be
-determined.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001851</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-5(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-5(2)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-5(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-5(4)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000342-GPOS-00133</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000479-GPOS-00224</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Taking appropriate action in case of a filled audit storage volume will
-minimize the possibility of losing audit records.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#audit"/>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-export export-name="oval:ssg-var_audispd_disk_full_action:var:1" value-id="xccdf_org.ssgproject.content_value_var_audispd_disk_full_action"/>
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-auditd_audispd_disk_full_action:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-auditd_audispd_disk_full_action_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_auditd_audispd_encrypt_sent_records" severity="medium">
-              <xccdf-1.2:title>Encrypt Audit Records Sent With audispd Plugin</xccdf-1.2:title>
-              <xccdf-1.2:description>Configure the operating system to encrypt the transfer of off-loaded audit
-records onto a different system or media from the system being audited.
-
-Uncomment the <html:code>enable_krb5</html:code> option in <html:pre>/etc/audit/audisp-remote.conf</html:pre>,
-and set it with the following line:
-<html:pre>enable_krb5 = yes</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001851</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9(3)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000342-GPOS-00133</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000479-GPOS-00224</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Information stored in one location is vulnerable to accidental or incidental deletion
-or alteration. Off-loading is a common process in information systems with limited
-audit storage capacity.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#audit"/>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-auditd_audispd_encrypt_sent_records:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-auditd_audispd_encrypt_sent_records_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_auditd_audispd_network_failure_action" severity="medium">
-              <xccdf-1.2:title>Configure audispd's Plugin network_failure_action On Network Failure</xccdf-1.2:title>
-              <xccdf-1.2:description>Configure the action the operating system takes if there is an error sending
-audit records to a remote system. Edit the file <html:code>/etc/audit/audisp-remote.conf</html:code>.
-Add or modify the following line, substituting <html:i>ACTION</html:i> appropriately:
-<html:pre>network_failure_action = <html:i>ACTION</html:i></html:pre>
-Set this value to <html:code>single</html:code> to cause the system to switch to single user
-mode for corrective action. Acceptable values also include <html:code>syslog</html:code> and
-<html:code>halt</html:code>. For certain systems, the need for availability
-outweighs the need to log all actions, and a different setting should be
-determined.
-This profile configures the <html:i>action</html:i> to be <html:code><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_audispd_network_failure_action" use="legacy"/></html:code>.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001851</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-5(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-5(2)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-5(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-5(4)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000342-GPOS-00133</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000479-GPOS-00224</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Taking appropriate action when there is an error sending audit records to a
-remote system will minimize the possibility of losing audit records.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#audit"/>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-export export-name="oval:ssg-var_audispd_network_failure_action:var:1" value-id="xccdf_org.ssgproject.content_value_var_audispd_network_failure_action"/>
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-auditd_audispd_network_failure_action:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-auditd_audispd_network_failure_action_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_auditd_audispd_syslog_plugin_activated" severity="medium">
-              <xccdf-1.2:title>Configure auditd to use audispd's syslog plugin</xccdf-1.2:title>
-              <xccdf-1.2:description>To configure the <html:code>auditd</html:code> service to use the
-<html:code>syslog</html:code> plug-in of the <html:code>audispd</html:code> audit event multiplexor, set
-the <html:code>active</html:code> line in <html:code>/etc/audit/plugins.d/syslog.conf</html:code> to <html:code>yes</html:code>.
-Restart the <html:code>auditd</html:code> service:
-<html:pre>$ sudo service auditd restart</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000136</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(B)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(6)(ii)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(8)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.314(a)(2)(i)(C)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.314(a)(2)(iii)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000479-GPOS-00224</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000342-GPOS-00133</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000051-VMM-000230</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000058-VMM-000270</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000059-VMM-000280</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000479-VMM-001990</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000479-VMM-001990</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>The auditd service does not include the ability to send audit
-records to a centralized server for management directly. It does, however,
-include a plug-in for audit event multiplexor (audispd) to pass audit records
-to the local syslog server.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#audit"/>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-auditd_audispd_syslog_plugin_activated:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-auditd_audispd_syslog_plugin_activated_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_auditd_data_disk_error_action" severity="medium">
-              <xccdf-1.2:title>Configure auditd Disk Error Action on Disk Error</xccdf-1.2:title>
-              <xccdf-1.2:description>The <html:code>auditd</html:code> service can be configured to take an action
-when there is a disk error.
-Edit the file <html:code>/etc/audit/auditd.conf</html:code>. Add or modify the following line,
-substituting <html:i>ACTION</html:i> appropriately:
-<html:pre>disk_error_action = <html:i>ACTION</html:i></html:pre>
-Set this value to <html:code>single</html:code> to cause the system to switch to single-user
-mode for corrective action. Acceptable values also include <html:code>syslog</html:code>,
-<html:code>exec</html:code>, <html:code>single</html:code>, and <html:code>halt</html:code>. For certain systems, the need for availability
-outweighs the need to log all actions, and a different setting should be
-determined. Details regarding all possible values for <html:i>ACTION</html:i> are described in the
-<html:code>auditd.conf</html:code> man page.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI04.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000140</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.17.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-5(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-5(2)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-5(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-5(4)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000047-GPOS-00023</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Taking appropriate action in case of disk errors will minimize the possibility of
-losing audit records.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#audit"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82679-2</xccdf-1.2:ident>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="auditd_data_disk_error_action" complexity="low" disruption="low" reboot="true" strategy="restrict">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }}
-        mode: 0640
-        path: /etc/audit/auditd.conf
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-export export-name="oval:ssg-var_auditd_disk_error_action:var:1" value-id="xccdf_org.ssgproject.content_value_var_auditd_disk_error_action"/>
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-auditd_data_disk_error_action:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-auditd_data_disk_error_action_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_auditd_data_disk_error_action_stig" severity="medium">
-              <xccdf-1.2:title>Configure auditd Disk Error Action on Disk Error</xccdf-1.2:title>
-              <xccdf-1.2:description>The <html:code>auditd</html:code> service can be configured to take an action
-when there is a disk error.
-Edit the file <html:code>/etc/audit/auditd.conf</html:code>. Add or modify the following line,
-substituting <html:i>ACTION</html:i> appropriately:
-<html:pre>disk_error_action = <html:i>ACTION</html:i></html:pre>
-Set this value to <html:code>single</html:code> to cause the system to switch to single-user
-mode for corrective action. Acceptable values also include <html:code>syslog</html:code>,
-<html:code>exec</html:code>, <html:code>single</html:code>, and <html:code>halt</html:code>. For certain systems, the need for availability
-outweighs the need to log all actions, and a different setting should be
-determined. Details regarding all possible values for <html:i>ACTION</html:i> are described in the
-<html:code>auditd.conf</html:code> man page.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI04.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000140</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.17.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-5(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-5(2)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-5(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-5(4)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000047-GPOS-00023</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Taking appropriate action in case of disk errors will minimize the possibility of
-losing audit records.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#audit"/>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="auditd_data_disk_error_action_stig" complexity="low" disruption="low" reboot="true" strategy="restrict">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }}
-        mode: 0640
-        path: /etc/audit/auditd.conf
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-auditd_data_disk_error_action_stig:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-auditd_data_disk_error_action_stig_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_auditd_data_disk_full_action" severity="medium">
-              <xccdf-1.2:title>Configure auditd Disk Full Action when Disk Space Is Full</xccdf-1.2:title>
-              <xccdf-1.2:description>The <html:code>auditd</html:code> service can be configured to take an action
-when disk space is running low but prior to running out of space completely.
-Edit the file <html:code>/etc/audit/auditd.conf</html:code>. Add or modify the following line,
-substituting <html:i>ACTION</html:i> appropriately:
-<html:pre>disk_full_action = <html:i>ACTION</html:i></html:pre>
-Set this value to <html:code>single</html:code> to cause the system to switch to single-user
-mode for corrective action. Acceptable values also include <html:code>syslog</html:code>,
-
-<html:code>exec</html:code>,
-
-<html:code>single</html:code>, and <html:code>halt</html:code>. For certain systems, the need for availability
-outweighs the need to log all actions, and a different setting should be
-determined. Details regarding all possible values for <html:i>ACTION</html:i> are described in the
-<html:code>auditd.conf</html:code> man page.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI04.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000140</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.17.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-5(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-5(2)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-5(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-5(4)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000047-GPOS-00023</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Taking appropriate action in case of a filled audit storage volume will minimize
-the possibility of losing audit records.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#audit"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82676-8</xccdf-1.2:ident>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="auditd_data_disk_full_action" complexity="low" disruption="low" reboot="true" strategy="restrict">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }}
-        mode: 0640
-        path: /etc/audit/auditd.conf
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-export export-name="oval:ssg-var_auditd_disk_full_action:var:1" value-id="xccdf_org.ssgproject.content_value_var_auditd_disk_full_action"/>
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-auditd_data_disk_full_action:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-auditd_data_disk_full_action_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_auditd_data_disk_full_action_stig" severity="medium">
-              <xccdf-1.2:title>Configure auditd Disk Full Action when Disk Space Is Full</xccdf-1.2:title>
-              <xccdf-1.2:description>The <html:code>auditd</html:code> service can be configured to take an action
-when disk space is running low but prior to running out of space completely.
-Edit the file <html:code>/etc/audit/auditd.conf</html:code>. Add or modify the following line,
-substituting <html:i>ACTION</html:i> appropriately:
-<html:pre>disk_full_action = <html:i>ACTION</html:i></html:pre>
-Set this value to <html:code>single</html:code> to cause the system to switch to single-user
-mode for corrective action. Acceptable values also include <html:code>syslog</html:code>,
-<html:code>single</html:code>, and <html:code>halt</html:code>. For certain systems, the need for availability
-outweighs the need to log all actions, and a different setting should be
-determined. Details regarding all possible values for <html:i>ACTION</html:i> are described in the
-<html:code>auditd.conf</html:code> man page.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI04.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000140</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.17.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-5(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-5(2)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-5(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-5(4)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000047-GPOS-00023</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Taking appropriate action in case of a filled audit storage volume will minimize
-the possibility of losing audit records.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#audit"/>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="auditd_data_disk_full_action_stig" complexity="low" disruption="low" reboot="true" strategy="restrict">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }}
-        mode: 0640
-        path: /etc/audit/auditd.conf
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-auditd_data_disk_full_action_stig:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-auditd_data_disk_full_action_stig_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_auditd_data_retention_action_mail_acct" severity="medium">
-              <xccdf-1.2:title>Configure auditd mail_acct Action on Low Disk Space</xccdf-1.2:title>
-              <xccdf-1.2:description>The <html:code>auditd</html:code> service can be configured to send email to
-a designated account in certain situations. Add or correct the following line
-in <html:code>/etc/audit/auditd.conf</html:code> to ensure that administrators are notified
-via email for those situations:
-<html:pre>action_mail_acct = <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_auditd_action_mail_acct" use="legacy"/></html:pre></xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI04.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000139</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001855</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(ii)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.17.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R3.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R3.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-5(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-5(2)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.7.a</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000046-GPOS-00022</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000343-GPOS-00134</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000046-VMM-000210</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000343-VMM-001240</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Email sent to the root account is typically aliased to the
-administrators of the system, who can take appropriate action.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#audit"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82675-0</xccdf-1.2:ident>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-export export-name="oval:ssg-var_auditd_action_mail_acct:var:1" value-id="xccdf_org.ssgproject.content_value_var_auditd_action_mail_acct"/>
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-auditd_data_retention_action_mail_acct:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-auditd_data_retention_action_mail_acct_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_auditd_data_retention_admin_space_left_action" severity="medium">
-              <xccdf-1.2:title>Configure auditd admin_space_left Action on Low Disk Space</xccdf-1.2:title>
-              <xccdf-1.2:description>The <html:code>auditd</html:code> service can be configured to take an action
-when disk space is running low but prior to running out of space completely.
-Edit the file <html:code>/etc/audit/auditd.conf</html:code>. Add or modify the following line,
-substituting <html:i>ACTION</html:i> appropriately:
-<html:pre>admin_space_left_action = <html:i>ACTION</html:i></html:pre>
-Set this value to <html:code>single</html:code> to cause the system to switch to single user
-mode for corrective action. Acceptable values also include <html:code>suspend</html:code> and
-<html:code>halt</html:code>. For certain systems, the need for availability
-outweighs the need to log all actions, and a different setting should be
-determined. Details regarding all possible values for <html:i>ACTION</html:i> are described in the
-<html:code>auditd.conf</html:code> man page.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI04.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000140</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001343</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001855</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(ii)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.17.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-5(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-5(2)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-5(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-5(4)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000343-GPOS-00134</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Administrators should be made aware of an inability to record
-audit records. If a separate partition or logical volume of adequate size
-is used, running low on space for audit records should never occur.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#audit"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82677-6</xccdf-1.2:ident>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="auditd_data_retention_admin_space_left_action" complexity="low" disruption="low" reboot="true" strategy="restrict">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }}
-        mode: 0640
-        path: /etc/audit/auditd.conf
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-export export-name="oval:ssg-var_auditd_admin_space_left_action:var:1" value-id="xccdf_org.ssgproject.content_value_var_auditd_admin_space_left_action"/>
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-auditd_data_retention_admin_space_left_action:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-auditd_data_retention_admin_space_left_action_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_auditd_data_retention_flush" severity="medium">
-              <xccdf-1.2:title>Configure auditd flush priority</xccdf-1.2:title>
-              <xccdf-1.2:description>The <html:code>auditd</html:code> service can be configured to
-synchronously write audit event data to disk. Add or correct the following
-line in <html:code>/etc/audit/auditd.conf</html:code> to ensure that audit event data is
-fully synchronized with the log files on the disk:
-<html:pre>flush = <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_auditd_flush" use="legacy"/></html:pre></xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001576</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(i)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(d)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Audit data should be synchronously written to disk to ensure
-log integrity. These parameters assure that all audit event data is fully
-synchronized with the log files on the disk.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#audit"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82508-3</xccdf-1.2:ident>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="auditd_data_retention_flush" complexity="low" disruption="low" reboot="true" strategy="restrict">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }}
-        mode: 0640
-        path: /etc/audit/auditd.conf
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-export export-name="oval:ssg-var_auditd_flush:var:1" value-id="xccdf_org.ssgproject.content_value_var_auditd_flush"/>
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-auditd_data_retention_flush:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-auditd_data_retention_flush_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file" severity="medium">
-              <xccdf-1.2:title>Configure auditd Max Log File Size</xccdf-1.2:title>
-              <xccdf-1.2:description>Determine the amount of audit data (in megabytes)
-which should be retained in each log file. Edit the file
-<html:code>/etc/audit/auditd.conf</html:code>. Add or modify the following line, substituting
-the correct value of <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_auditd_max_log_file" use="legacy"/> for <html:i>STOREMB</html:i>:
-<html:pre>max_log_file = <html:i>STOREMB</html:i></html:pre>
-Set the value to <html:code>6</html:code> (MB) or higher for general-purpose systems.
-Larger values, of course,
-support retention of even more audit data.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.7</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>The total storage for audit log files must be large enough to retain
-log information over the period required. This is a function of the maximum
-log file size and the number of logs retained.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#audit"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82694-1</xccdf-1.2:ident>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="auditd_data_retention_max_log_file" complexity="low" disruption="low" reboot="true" strategy="restrict">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }}
-        mode: 0640
-        path: /etc/audit/auditd.conf
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-export export-name="oval:ssg-var_auditd_max_log_file:var:1" value-id="xccdf_org.ssgproject.content_value_var_auditd_max_log_file"/>
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-auditd_data_retention_max_log_file:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-auditd_data_retention_max_log_file_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action" severity="medium">
-              <xccdf-1.2:title>Configure auditd max_log_file_action Upon Reaching Maximum Log Size</xccdf-1.2:title>
-              <xccdf-1.2:description>The default action to take when the logs reach their maximum size
-is to rotate the log files, discarding the oldest one. To configure the action taken
-by <html:code>auditd</html:code>, add or correct the line in <html:code>/etc/audit/auditd.conf</html:code>:
-<html:pre>max_log_file_action = <html:i>ACTION</html:i></html:pre>
-Possible values for <html:i>ACTION</html:i> are described in the <html:code>auditd.conf</html:code> man
-page. These include:
-<html:ul><html:li><html:code>ignore</html:code></html:li><html:li><html:code>syslog</html:code></html:li><html:li><html:code>suspend</html:code></html:li><html:li><html:code>rotate</html:code></html:li><html:li><html:code>keep_logs</html:code></html:li></html:ul>
-Set the <html:code><html:i>ACTION</html:i></html:code> to <html:code>rotate</html:code> to ensure log rotation
-occurs. This is the default. The setting is case-insensitive.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI04.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000140</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(ii)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.17.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-5(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-5(2)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-5(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-5(4)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000047-GPOS-00023</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Automatically rotating logs (by setting this to <html:code>rotate</html:code>)
-minimizes the chances of the system unexpectedly running out of disk space by
-being overwhelmed with log data. However, for systems that must never discard
-log data, or which use external processes to transfer it and reclaim space,
-<html:code>keep_logs</html:code> can be employed.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#audit"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82680-0</xccdf-1.2:ident>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="auditd_data_retention_max_log_file_action" complexity="low" disruption="low" reboot="true" strategy="restrict">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }}
-        mode: 0640
-        path: /etc/audit/auditd.conf
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-export export-name="oval:ssg-var_auditd_max_log_file_action:var:1" value-id="xccdf_org.ssgproject.content_value_var_auditd_max_log_file_action"/>
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-auditd_data_retention_max_log_file_action:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-auditd_data_retention_max_log_file_action_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action_stig" severity="medium">
-              <xccdf-1.2:title>Configure auditd max_log_file_action Upon Reaching Maximum Log Size</xccdf-1.2:title>
-              <xccdf-1.2:description>The default action to take when the logs reach their maximum size
-is to rotate the log files, discarding the oldest one. To configure the action taken
-by <html:code>auditd</html:code>, add or correct the line in <html:code>/etc/audit/auditd.conf</html:code>:
-<html:pre>max_log_file_action = <html:i>ACTION</html:i></html:pre>
-Possible values for <html:i>ACTION</html:i> are described in the <html:code>auditd.conf</html:code> man
-page. These include:
-<html:ul><html:li><html:code>ignore</html:code></html:li><html:li><html:code>syslog</html:code></html:li><html:li><html:code>suspend</html:code></html:li><html:li><html:code>rotate</html:code></html:li><html:li><html:code>keep_logs</html:code></html:li></html:ul>
-Set the <html:code><html:i>ACTION</html:i></html:code> to <html:code>rotate</html:code> to ensure log rotation
-occurs. This is the default. The setting is case-insensitive.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI04.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000140</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(ii)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.17.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-5(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-5(2)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-5(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-5(4)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000047-GPOS-00023</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Automatically rotating logs (by setting this to <html:code>rotate</html:code>)
-minimizes the chances of the system unexpectedly running out of disk space by
-being overwhelmed with log data. However, for systems that must never discard
-log data, or which use external processes to transfer it and reclaim space,
-<html:code>keep_logs</html:code> can be employed.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#audit"/>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="auditd_data_retention_max_log_file_action_stig" complexity="low" disruption="low" reboot="true" strategy="restrict">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }}
-        mode: 0640
-        path: /etc/audit/auditd.conf
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-auditd_data_retention_max_log_file_action_stig:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-auditd_data_retention_max_log_file_action_stig_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_auditd_data_retention_num_logs" severity="medium">
-              <xccdf-1.2:title>Configure auditd Number of Logs Retained</xccdf-1.2:title>
-              <xccdf-1.2:description>Determine how many log files
-<html:code>auditd</html:code> should retain when it rotates logs.
-Edit the file <html:code>/etc/audit/auditd.conf</html:code>. Add or modify the following
-line, substituting <html:i>NUMLOGS</html:i> with the correct value of <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_auditd_num_logs" use="legacy"/>:
-<html:pre>num_logs = <html:i>NUMLOGS</html:i></html:pre>
-Set the value to 5 for general-purpose systems.
-Note that values less than 2 result in no log rotation.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.7</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>The total storage for audit log files must be large enough to retain
-log information over the period required. This is a function of the maximum log
-file size and the number of logs retained.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#audit"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82693-3</xccdf-1.2:ident>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="auditd_data_retention_num_logs" complexity="low" disruption="low" reboot="true" strategy="restrict">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }}
-        mode: 0640
-        path: /etc/audit/auditd.conf
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-export export-name="oval:ssg-var_auditd_num_logs:var:1" value-id="xccdf_org.ssgproject.content_value_var_auditd_num_logs"/>
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-auditd_data_retention_num_logs:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-auditd_data_retention_num_logs_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left" severity="medium">
-              <xccdf-1.2:title>Configure auditd space_left on Low Disk Space</xccdf-1.2:title>
-              <xccdf-1.2:description>The <html:code>auditd</html:code> service can be configured to take an action
-when disk space is running low but prior to running out of space completely.
-Edit the file <html:code>/etc/audit/auditd.conf</html:code>. Add or modify the following line,
-substituting <html:i>SIZE_in_MB</html:i> appropriately:
-<html:pre>space_left = <html:i>SIZE_in_MB</html:i></html:pre>
-Set this value to the appropriate size in Megabytes cause the system to
-notify the user of an issue.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI04.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001855</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.17.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-5(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-5(2)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-5(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-5(4)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000343-GPOS-00134</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000343-VMM-001240</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Notifying administrators of an impending disk space problem may allow them to
-take corrective action prior to any disruption.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#audit"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82681-8</xccdf-1.2:ident>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="auditd_data_retention_space_left" complexity="low" disruption="low" reboot="true" strategy="restrict">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }}
-        mode: 0640
-        path: /etc/audit/auditd.conf
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-export export-name="oval:ssg-var_auditd_space_left:var:1" value-id="xccdf_org.ssgproject.content_value_var_auditd_space_left"/>
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-auditd_data_retention_space_left:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-auditd_data_retention_space_left_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_auditd_data_retention_space_left_action" severity="medium">
-              <xccdf-1.2:title>Configure auditd space_left Action on Low Disk Space</xccdf-1.2:title>
-              <xccdf-1.2:description>The <html:code>auditd</html:code> service can be configured to take an action
-when disk space <html:i>starts</html:i> to run low.
-Edit the file <html:code>/etc/audit/auditd.conf</html:code>. Modify the following line,
-substituting <html:i>ACTION</html:i> appropriately:
-<html:pre>space_left_action = <html:i>ACTION</html:i></html:pre>
-Possible values for <html:i>ACTION</html:i> are described in the <html:code>auditd.conf</html:code> man page.
-These include:
-<html:ul><html:li><html:code>syslog</html:code></html:li><html:li><html:code>email</html:code></html:li><html:li><html:code>exec</html:code></html:li><html:li><html:code>suspend</html:code></html:li><html:li><html:code>single</html:code></html:li><html:li><html:code>halt</html:code></html:li></html:ul>
-Set this to <html:code>email</html:code> (instead of the default,
-which is <html:code>suspend</html:code>) as it is more likely to get prompt attention. Acceptable values
-also include <html:code>suspend</html:code>, <html:code>single</html:code>, and <html:code>halt</html:code>.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">19</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.4.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO12.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI04.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI08.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS02.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001855</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(ii)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.16.1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.17.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-5(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-5(2)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-5(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-5(4)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">RS.AN-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000343-GPOS-00134</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000343-VMM-001240</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Notifying administrators of an impending disk space problem may
-allow them to take corrective action prior to any disruption.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#audit"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82678-4</xccdf-1.2:ident>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="auditd_data_retention_space_left_action" complexity="low" disruption="low" reboot="true" strategy="restrict">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }}
-        mode: 0640
-        path: /etc/audit/auditd.conf
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-export export-name="oval:ssg-var_auditd_space_left_action:var:1" value-id="xccdf_org.ssgproject.content_value_var_auditd_space_left_action"/>
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-auditd_data_retention_space_left_action:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-auditd_data_retention_space_left_action_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_auditd_freq" severity="medium">
-              <xccdf-1.2:title>Set number of records to cause an explicit flush to audit logs</xccdf-1.2:title>
-              <xccdf-1.2:description>To configure Audit daemon to issue an explicit flush to disk command
-after writing 50 records, set <html:code>freq</html:code> to <html:code>50</html:code>
-in <html:code>/etc/audit/auditd.conf</html:code>.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000051-GPOS-00024</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>If option <html:code>freq</html:code> isn't set to <html:code>50</html:code>, the flush to disk
-may happen after higher number of records, increasing the danger
-of audit loss.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#audit"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82512-5</xccdf-1.2:ident>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="auditd_freq" complexity="low" disruption="low" reboot="true" strategy="restrict">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }}
-        mode: 0640
-        path: /etc/audit/auditd.conf
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-auditd_freq:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-auditd_freq_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_auditd_local_events" severity="medium">
-              <xccdf-1.2:title>Include Local Events in Audit Logs</xccdf-1.2:title>
-              <xccdf-1.2:description>To configure Audit daemon to include local events in Audit logs, set
-<html:code>local_events</html:code> to <html:code>yes</html:code> in <html:code>/etc/audit/auditd.conf</html:code>.
-This is the default setting.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>If option <html:code>local_events</html:code> isn't set to <html:code>yes</html:code> only events from
-network will be aggregated.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#audit"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82509-1</xccdf-1.2:ident>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="auditd_local_events" complexity="low" disruption="low" reboot="true" strategy="restrict">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }}
-        mode: 0640
-        path: /etc/audit/auditd.conf
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-auditd_local_events:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-auditd_local_events_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_auditd_log_format" severity="medium">
-              <xccdf-1.2:title>Resolve information before writing to audit logs</xccdf-1.2:title>
-              <xccdf-1.2:description>To configure Audit daemon to resolve all uid, gid, syscall,
-architecture, and socket address information before writing the
-events to disk, set <html:code>log_format</html:code> to <html:code>ENRICHED</html:code>
-in <html:code>/etc/audit/auditd.conf</html:code>.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000255-GPOS-00096</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>If option <html:code>log_format</html:code> isn't set to <html:code>ENRICHED</html:code>, the
-audit records will be stored in a format exactly as the kernel sends them.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#audit"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82511-7</xccdf-1.2:ident>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="auditd_log_format" complexity="low" disruption="low" reboot="true" strategy="restrict">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }}
-        mode: 0640
-        path: /etc/audit/auditd.conf
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-auditd_log_format:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-auditd_log_format_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_auditd_name_format" severity="medium">
-              <xccdf-1.2:title>Set hostname as computer node name in audit logs</xccdf-1.2:title>
-              <xccdf-1.2:description>To configure Audit daemon to use value returned by gethostname
-syscall as computer node name in the audit events,
-set <html:code>name_format</html:code> to <html:code>hostname</html:code>
-in <html:code>/etc/audit/auditd.conf</html:code>.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001851</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000039-GPOS-00017</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000342-GPOS-00133</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000479-GPOS-00224</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>If option <html:code>name_format</html:code> is left at its default value of
-<html:code>none</html:code>, audit events from different computers may be hard
-to distinguish.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#audit"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82513-3</xccdf-1.2:ident>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="auditd_name_format" complexity="low" disruption="low" reboot="true" strategy="restrict">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }}
-        mode: 0640
-        path: /etc/audit/auditd.conf
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-auditd_name_format:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-auditd_name_format_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_auditd_overflow_action" severity="medium">
-              <xccdf-1.2:title>Appropriate Action Must be Setup When the Internal Audit Event Queue is Full</xccdf-1.2:title>
-              <xccdf-1.2:description>The audit system should have an action setup in the event the internal event queue becomes full.
-To setup an overflow action edit <html:code>/etc/audit/auditd.conf</html:code>. Set <html:code>overflow_action</html:code>
-to one of the following values: <html:code>syslog</html:code>, <html:code>single</html:code>, <html:code>halt</html:code>.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001851</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000342-GPOS-00133</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000479-GPOS-00224</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>The audit system should have an action setup in the event the internal event queue becomes full
-so that no data is lost.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#audit"/>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-auditd_overflow_action:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-auditd_overflow_action_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_auditd_write_logs" severity="medium">
-              <xccdf-1.2:title>Write Audit Logs to the Disk</xccdf-1.2:title>
-              <xccdf-1.2:description>To configure Audit daemon to write Audit logs to the disk, set
-<html:code>write_logs</html:code> to <html:code>yes</html:code> in <html:code>/etc/audit/auditd.conf</html:code>.
-This is the default setting.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_STG.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>If <html:code>write_logs</html:code> isn't set to <html:code>yes</html:code>, the Audit logs will
-not be written to the disk.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#audit"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82510-9</xccdf-1.2:ident>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="auditd_write_logs" complexity="low" disruption="low" reboot="true" strategy="restrict">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20audit%20daemon%0A%23%0A%0Alocal_events%20%3D%20yes%0Awrite_logs%20%3D%20yes%0Alog_file%20%3D%20/var/log/audit/audit.log%0Alog_group%20%3D%20root%0Alog_format%20%3D%20ENRICHED%0Aflush%20%3D%20%7B%7B.var_auditd_flush%7D%7D%0Afreq%20%3D%2050%0Amax_log_file%20%3D%20%7B%7B.var_auditd_max_log_file%7D%7D%0Anum_logs%20%3D%20%7B%7B.var_auditd_num_logs%7D%7D%0Apriority_boost%20%3D%204%0Aname_format%20%3D%20hostname%0A%23%23name%20%3D%20mydomain%0Amax_log_file_action%20%3D%20%7B%7B.var_auditd_max_log_file_action%7D%7D%0Aspace_left%20%3D%20%7B%7B.var_auditd_space_left%7D%7D%0Aspace_left_action%20%3D%20%7B%7B.var_auditd_space_left_action%7D%7D%0Averify_email%20%3D%20yes%0Aaction_mail_acct%20%3D%20%7B%7B.var_auditd_action_mail_acct%7D%7D%0Aadmin_space_left%20%3D%2050%0Aadmin_space_left_action%20%3D%20syslog%0Adisk_full_action%20%3D%20%7B%7B.var_auditd_disk_full_action%7D%7D%0Adisk_error_action%20%3D%20%7B%7B.var_auditd_disk_error_action%7D%7D%0Ause_libwrap%20%3D%20yes%0A%23%23tcp_listen_port%20%3D%2060%0Atcp_listen_queue%20%3D%205%0Atcp_max_per_addr%20%3D%201%0A%23%23tcp_client_ports%20%3D%201024-65535%0Atcp_client_max_idle%20%3D%200%0Atransport%20%3D%20TCP%0Akrb5_principal%20%3D%20auditd%0A%23%23krb5_key_file%20%3D%20/etc/audit/audit.key%0Adistribute_network%20%3D%20no%0Aq_depth%20%3D%20400%0Aoverflow_action%20%3D%20syslog%0Amax_restarts%20%3D%2010%0Aplugin_dir%20%3D%20/etc/audit/plugins.d }}
-        mode: 0640
-        path: /etc/audit/auditd.conf
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-auditd_write_logs:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-auditd_write_logs_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-          </xccdf-1.2:Group>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_policy_rules">
-            <xccdf-1.2:title>System Accounting with auditd</xccdf-1.2:title>
-            <xccdf-1.2:description>The <html:code>auditd</html:code> program can perform comprehensive
-monitoring of system activity. This section makes use of recommended
-configuration settings for specific policies or use cases.
-The rules in this section make use of rules defined in <html:code>/usr/share/doc/audit-VERSION/rules</html:code>.</xccdf-1.2:description>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_access_failed" severity="medium">
-              <xccdf-1.2:title>Configure auditing of unsuccessful file accesses</xccdf-1.2:title>
-              <xccdf-1.2:description>Ensure that unsuccessful attempts to access a file are audited.
-
-The following rules configure audit as described above:
-<html:pre>## Unsuccessful file access (any other opens) This has to go last.
--a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-access
--a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-access
--a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-access
--a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-access    </html:pre>
-
-Load new Audit rules into kernel by running:
-<html:pre>augenrules --load</html:pre>
-
-Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="">0582</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">0584</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">05885</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">0586</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">0846</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">0957</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000458-GPOS-00203</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000474-GPOS-00219</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000475-GPOS-00220</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000463-GPOS-00207</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000465-GPOS-00209</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000461-GPOS-00205</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Unsuccessful attempts to access a file might be signs of malicious activity happening within the system. Auditing of such activities helps in their monitoring and investigation.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_access_failed">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%23%20Unsuccessful%20file%20access%20%28any%20other%20opens%29%20This%20has%20to%20go%20last.%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EACCES%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-access%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Copenat%2Copen_by_handle_at%20-F%20exit%3D-EPERM%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-access
-        mode: 0600
-        path: /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_access_failed:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_access_failed_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_access_success" severity="medium">
-              <xccdf-1.2:title>Configure auditing of successful file accesses</xccdf-1.2:title>
-              <xccdf-1.2:description>Ensure that successful attempts to access a file are audited.
-
-The following rules configure audit as described above:
-<html:pre>## Successful file access (any other opens) This has to go last.
-## These next two are likely to result in a whole lot of events
--a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-access
--a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-access    </html:pre>
-
-Load new Audit rules into kernel by running:
-<html:pre>augenrules --load</html:pre>
-
-Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="">0582</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">0584</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">05885</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">0586</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">0846</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">0957</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000458-GPOS-00203</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000474-GPOS-00219</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000475-GPOS-00220</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000463-GPOS-00207</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000465-GPOS-00209</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000461-GPOS-00205</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Auditing of successful attempts to access a file helps in investigation of activities performed on the system.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_access_success">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%23%20Successful%20file%20access%20%28any%20other%20opens%29%20This%20has%20to%20go%20last.%0A%23%23%20These%20next%20two%20are%20likely%20to%20result%20in%20a%20whole%20lot%20of%20events%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%2Copenat%2Copen_by_handle_at%20-F%20success%3D1%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsuccessful-access%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%2Copenat%2Copen_by_handle_at%20-F%20success%3D1%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsuccessful-access
-        mode: 0600
-        path: /etc/audit/rules.d/30-ospp-v42-3-access-success.rules
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_access_success:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_access_success_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_basic_configuration" severity="medium">
-              <xccdf-1.2:title>Configure basic parameters of Audit system</xccdf-1.2:title>
-              <xccdf-1.2:description>Perform basic configuration of Audit system.
-Make sure that any previously defined rules are cleared, the auditing system is configured to handle sudden bursts of events, and in cases of failure, messages are configured to be directed to system log.
-
-The following rules configure audit as described above:
-<html:pre>## First rule - delete all
--D
-
-## Increase the buffers to survive stress events.
-## Make this bigger for busy systems
--b 8192
-
-## This determine how long to wait in burst of events
---backlog_wait_time 60000
-
-## Set failure mode to syslog
--f 1    </html:pre>
-
-Load new Audit rules into kernel by running:
-<html:pre>augenrules --load</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:warning category="performance">It might happen that Audit buffer configured by this rule is not large enough for certain use cases. If that is the case, the buffer size can be overridden by placing <html:pre>-b larger_buffer_size</html:pre> into a file within <html:code>/etc/audit/rules.d</html:code> directory, replacing <html:code>larger_file_size</html:code> with the desired value. The file name should start with a number higher than 10 and lower than 99.</xccdf-1.2:warning>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000365-GPOS-00152</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000475-GPOS-00220</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Without basic configurations, audit may not perform as expected. It may not be able to correctly handle events under stressful conditions, or log events in case of failure.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_basic_configuration">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%23%20First%20rule%20-%20delete%20all%0A-D%0A%0A%23%23%20Increase%20the%20buffers%20to%20survive%20stress%20events.%0A%23%23%20Make%20this%20bigger%20for%20busy%20systems%0A-b%208192%0A%0A%23%23%20This%20determine%20how%20long%20to%20wait%20in%20burst%20of%20events%0A--backlog_wait_time%2060000%0A%0A%23%23%20Set%20failure%20mode%20to%20syslog%0A-f%201%0A
-        mode: 0600
-        path: /etc/audit/rules.d/10-base-config.rules
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_basic_configuration:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_basic_configuration_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_create_failed" severity="medium">
-              <xccdf-1.2:title>Configure auditing of unsuccessful file creations</xccdf-1.2:title>
-              <xccdf-1.2:description>Ensure that unsuccessful attempts to create a file are audited.
-
-The following rules configure audit as described above:
-<html:pre>## Unsuccessful file creation (open with O_CREAT)
--a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&amp;0100 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-create
--a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&amp;0100 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-create
--a always,exit -F arch=b32 -S open -F a1&amp;0100 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-create
--a always,exit -F arch=b64 -S open -F a1&amp;0100 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-create
--a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-create
--a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-create
--a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&amp;0100 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-create
--a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&amp;0100 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-create
--a always,exit -F arch=b32 -S open -F a1&amp;0100 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-create
--a always,exit -F arch=b64 -S open -F a1&amp;0100 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-create
--a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-create
--a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-create    </html:pre>
-
-Load new Audit rules into kernel by running:
-<html:pre>augenrules --load</html:pre>
-
-Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000458-GPOS-00203</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000474-GPOS-00219</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000475-GPOS-00220</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000463-GPOS-00207</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000465-GPOS-00209</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000461-GPOS-00205</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Unsuccessful file creations might be a sign of a malicious action being performed on the system. Keeping log of such events helps in monitoring and investigation of such actions.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_create_failed:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_create_failed_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_create_success" severity="medium">
-              <xccdf-1.2:title>Configure auditing of successful file creations</xccdf-1.2:title>
-              <xccdf-1.2:description>Ensure that successful attempts to create a file are audited.
-
-The following rules configure audit as described above:
-<html:pre>## Successful file creation (open with O_CREAT)
--a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&amp;0100 -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-create
--a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&amp;0100 -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-create
--a always,exit -F arch=b32 -S open -F a1&amp;0100 -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-create
--a always,exit -F arch=b64 -S open -F a1&amp;0100 -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-create
--a always,exit -F arch=b32 -S creat -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-create
--a always,exit -F arch=b64 -S creat -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-create    </html:pre>
-
-Load new Audit rules into kernel by running:
-<html:pre>augenrules --load</html:pre>
-
-Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000458-GPOS-00203</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000474-GPOS-00219</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000475-GPOS-00220</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000463-GPOS-00207</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000465-GPOS-00209</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000461-GPOS-00205</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Auditing of successful attempts to create a file helps in investigation of actions which happened on the system.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_create_success:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_create_success_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_delete_failed" severity="medium">
-              <xccdf-1.2:title>Configure auditing of unsuccessful file deletions</xccdf-1.2:title>
-              <xccdf-1.2:description>Ensure that unsuccessful attempts to delete a file are audited.
-
-The following rules configure audit as described above:
-<html:pre>## Unsuccessful file delete
--a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-delete
--a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-delete
--a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-delete
--a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-delete    </html:pre>
-
-Load new Audit rules into kernel by running:
-<html:pre>augenrules --load</html:pre>
-
-Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000458-GPOS-00203</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000474-GPOS-00219</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000475-GPOS-00220</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000463-GPOS-00207</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000465-GPOS-00209</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000461-GPOS-00205</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000468-GPOS-00212</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Unsuccessful attempts to delete a file might be signs of malicious activities. Auditing of such events help in monitoring and investigating of such activities.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_delete_failed">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%23%20Unsuccessful%20file%20delete%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20exit%3D-EACCES%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-delete%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20exit%3D-EACCES%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-delete%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20exit%3D-EPERM%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-delete%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20exit%3D-EPERM%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-delete
-        mode: 0600
-        path: /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_delete_failed:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_delete_failed_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_delete_success" severity="medium">
-              <xccdf-1.2:title>Configure auditing of successful file deletions</xccdf-1.2:title>
-              <xccdf-1.2:description>Ensure that successful attempts to delete a file are audited.
-
-The following rules configure audit as described above:
-<html:pre>## Successful file delete
--a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-delete
--a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-delete    </html:pre>
-
-Load new Audit rules into kernel by running:
-<html:pre>augenrules --load</html:pre>
-
-Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000458-GPOS-00203</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000474-GPOS-00219</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000475-GPOS-00220</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000463-GPOS-00207</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000465-GPOS-00209</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000461-GPOS-00205</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000468-GPOS-00212</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Auditing of successful attempts to delete a file may help in monitoring and investigation of activities performed on the system.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_delete_success">---
-
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ %23%23%20Successful%20file%20delete%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20success%3D1%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsuccessful-delete%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20unlink%2Cunlinkat%2Crename%2Crenameat%20-F%20success%3D1%20-F%20auid%26gt%3B%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsuccessful-delete }}
-        mode: 0600
-        path: /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_delete_success:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_delete_success_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_immutable_login_uids" severity="medium">
-              <xccdf-1.2:title>Configure immutable Audit login UIDs</xccdf-1.2:title>
-              <xccdf-1.2:description>Configure kernel to prevent modification of login UIDs once they are set.
-Changing login UIDs while this configuration is enforced requires special capabilities which
-are not available to unprivileged users.
-
-The following rules configure audit as described above:
-<html:pre>## Make the loginuid immutable. This prevents tampering with the auid.
---loginuid-immutable    </html:pre>
-
-Load new Audit rules into kernel by running:
-<html:pre>augenrules --load</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000162</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000163</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000164</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000475-GPOS-00220</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000057-GPOS-00027</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000058-GPOS-00028</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000059-GPOS-00029</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>If modification of login UIDs is not prevented, they can be changed by unprivileged users and
-make auditing complicated or impossible.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_immutable_login_uids">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%23%20Make%20the%20loginuid%20immutable.%20This%20prevents%20tampering%20with%20the%20auid.%0A--loginuid-immutable
-        mode: 0600
-        path: /etc/audit/rules.d/11-loginuid.rules
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_immutable_login_uids:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_immutable_login_uids_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_modify_failed" severity="medium">
-              <xccdf-1.2:title>Configure auditing of unsuccessful file modifications</xccdf-1.2:title>
-              <xccdf-1.2:description>Ensure that unsuccessful attempts to modify a file are audited.
-
-The following rules configure audit as described above:
-<html:pre>## Unsuccessful file modifications (open for write or truncate)
--a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&amp;01003 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
--a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&amp;01003 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
--a always,exit -F arch=b32 -S open -F a1&amp;01003 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
--a always,exit -F arch=b64 -S open -F a1&amp;01003 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
--a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
--a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
--a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&amp;01003 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
--a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&amp;01003 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
--a always,exit -F arch=b32 -S open -F a1&amp;01003 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
--a always,exit -F arch=b64 -S open -F a1&amp;01003 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
--a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
--a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification    </html:pre>
-
-Load new Audit rules into kernel by running:
-<html:pre>augenrules --load</html:pre>
-
-Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000458-GPOS-00203</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000474-GPOS-00219</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000475-GPOS-00220</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000463-GPOS-00207</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000465-GPOS-00209</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000461-GPOS-00205</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Unsuccessful file modifications might be a sign of a malicious action being performed on the system. Auditing of such events helps in detection and investigation of such actions.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_modify_failed">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%23%20Unsuccessful%20file%20modifications%20%28open%20for%20write%20or%20truncate%29%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EACCES%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2601003%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20truncate%2Cftruncate%20-F%20exit%3D-EPERM%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dunsuccessful-modification%0A
-        mode: 0600
-        path: /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules 
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_modify_failed:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_modify_failed_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_modify_success" severity="medium">
-              <xccdf-1.2:title>Configure auditing of successful file modifications</xccdf-1.2:title>
-              <xccdf-1.2:description>Ensure that successful attempts to modify a file are audited.
-
-The following rules configure audit as described above:
-<html:pre>## Successful file modifications (open for write or truncate)
--a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&amp;01003 -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-modification
--a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&amp;01003 -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-modification
--a always,exit -F arch=b32 -S open -F a1&amp;01003 -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-modification
--a always,exit -F arch=b64 -S open -F a1&amp;01003 -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-modification
--a always,exit -F arch=b32 -S truncate,ftruncate -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-modification
--a always,exit -F arch=b64 -S truncate,ftruncate -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-modification    </html:pre>
-
-Load new Audit rules into kernel by running:
-<html:pre>augenrules --load</html:pre>
-
-Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000458-GPOS-00203</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000474-GPOS-00219</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000475-GPOS-00220</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000463-GPOS-00207</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000465-GPOS-00209</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000461-GPOS-00205</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Auditing of successful attempts to modify a file helps in investigation of actions which happened on the system.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_modify_success:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_modify_success_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_module_load" severity="medium">
-              <xccdf-1.2:title>Configure auditing of loading and unloading of kernel modules</xccdf-1.2:title>
-              <xccdf-1.2:description>Ensure that loading and unloading of kernel modules is audited.
-
-The following rules configure audit as described above:
-<html:pre>## These rules watch for kernel module insertion. By monitoring
-## the syscall, we do not need any watches on programs.
--a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load
--a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load
--a always,exit -F arch=b32 -S delete_module -F key=module-unload
--a always,exit -F arch=b64 -S delete_module -F key=module-unload    </html:pre>
-
-Load new Audit rules into kernel by running:
-<html:pre>augenrules --load</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00216</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000477-GPOS-00222</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000475-GPOS-00220</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Loading of a malicious kernel module introduces a risk to the system, as the module has access to sensitive data and perform actions at the operating system kernel level. Having such events audited helps in monitoring and investigating of malicious activities.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_module_load">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%23%20These%20rules%20watch%20for%20kernel%20module%20insertion.%20By%20monitoring%0A%23%23%20the%20syscall%2C%20we%20do%20not%20need%20any%20watches%20on%20programs.%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20init_module%2Cfinit_module%20-F%20key%3Dmodule-load%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20init_module%2Cfinit_module%20-F%20key%3Dmodule-load%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20delete_module%20-F%20key%3Dmodule-unload%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20delete_module%20-F%20key%3Dmodule-unload%0A
-        mode: 0600
-        path: /etc/audit/rules.d/43-module-load.rules
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_module_load:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_module_load_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_ospp_general" severity="medium">
-              <xccdf-1.2:title>Perform general configuration of Audit for OSPP</xccdf-1.2:title>
-              <xccdf-1.2:description>Configure some basic <html:code>Audit</html:code> parameters specific for OSPP profile.
-In particular, configure <html:code>Audit</html:code> to watch for direct modification of files storing system user and group information, and usage of applications with special rights which can change system configuration.
-Further audited events include access to audit log it self, attempts to Alter Process and Session Initiation Information, and attempts to modify MAC controls.
-
-The following rules configure audit as described above:
-<html:pre>## The purpose of these rules is to meet the requirements for Operating
-## System Protection Profile (OSPP)v4.2. These rules depends on having
-## the following rule files copied to /etc/audit/rules.d:
-##
-## 10-base-config.rules, 11-loginuid.rules,
-## 30-ospp-v42-1-create-failed.rules, 30-ospp-v42-1-create-success.rules,
-## 30-ospp-v42-2-modify-failed.rules, 30-ospp-v42-2-modify-success.rules,
-## 30-ospp-v42-3-access-failed.rules, 30-ospp-v42-3-access-success.rules,
-## 30-ospp-v42-4-delete-failed.rules, 30-ospp-v42-4-delete-success.rules,
-## 30-ospp-v42-5-perm-change-failed.rules,
-## 30-ospp-v42-5-perm-change-success.rules,
-## 30-ospp-v42-6-owner-change-failed.rules,
-## 30-ospp-v42-6-owner-change-success.rules
-##
-## original copies may be found in /usr/share/audit/sample-rules/
-
-
-## User add delete modify. This is covered by pam. However, someone could
-## open a file and directly create or modify a user, so we'll watch passwd and
-## shadow for writes
--a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&amp;03 -F path=/etc/passwd -F auid&gt;=1000 -F auid!=unset -F key=user-modify
--a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&amp;03 -F path=/etc/passwd -F auid&gt;=1000 -F auid!=unset -F key=user-modify
--a always,exit -F arch=b32 -S open -F a1&amp;03 -F path=/etc/passwd -F auid&gt;=1000 -F auid!=unset -F key=user-modify
--a always,exit -F arch=b64 -S open -F a1&amp;03 -F path=/etc/passwd -F auid&gt;=1000 -F auid!=unset -F key=user-modify
--a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&amp;03 -F path=/etc/shadow -F auid&gt;=1000 -F auid!=unset -F key=user-modify
--a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&amp;03 -F path=/etc/shadow -F auid&gt;=1000 -F auid!=unset -F key=user-modify
--a always,exit -F arch=b32 -S open -F a1&amp;03 -F path=/etc/shadow -F auid&gt;=1000 -F auid!=unset -F key=user-modify
--a always,exit -F arch=b64 -S open -F a1&amp;03 -F path=/etc/shadow -F auid&gt;=1000 -F auid!=unset -F key=user-modify
-
-## User enable and disable. This is entirely handled by pam.
-
-## Group add delete modify. This is covered by pam. However, someone could
-## open a file and directly create or modify a user, so we'll watch group and
-## gshadow for writes
--a always,exit -F path=/etc/passwd -F perm=wa -F auid&gt;=1000 -F auid!=unset -F key=user-modify
--a always,exit -F path=/etc/shadow -F perm=wa -F auid&gt;=1000 -F auid!=unset -F key=user-modify
--a always,exit -F path=/etc/group -F perm=wa -F auid&gt;=1000 -F auid!=unset -F key=group-modify
--a always,exit -F path=/etc/gshadow -F perm=wa -F auid&gt;=1000 -F auid!=unset -F key=group-modify
-
-
-## Use of special rights for config changes. This would be use of setuid
-## programs that relate to user accts. This is not all setuid apps because
-## requirements are only for ones that affect system configuration.
--a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid&gt;=1000 -F auid!=unset -F key=special-config-changes
--a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid&gt;=1000 -F auid!=unset -F key=special-config-changes
--a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid&gt;=1000 -F auid!=unset -F key=special-config-changes
--a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid&gt;=1000 -F auid!=unset -F key=special-config-changes
--a always,exit -F path=/usr/bin/mount -F perm=x -F auid&gt;=1000 -F auid!=unset -F key=special-config-changes
--a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid&gt;=1000 -F auid!=unset -F key=special-config-changes
--a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid&gt;=1000 -F auid!=unset -F key=special-config-changes
--a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid&gt;=1000 -F auid!=unset -F key=special-config-changes
--a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid&gt;=1000 -F auid!=unset -F key=special-config-changes
--a always,exit -F path=/usr/bin/umount -F perm=x -F auid&gt;=1000 -F auid!=unset -F key=special-config-changes
--a always,exit -F path=/usr/bin/passwd -F perm=x -F auid&gt;=1000 -F auid!=unset -F key=special-config-changes
--a always,exit -F path=/usr/bin/crontab -F perm=x -F auid&gt;=1000 -F auid!=unset -F key=special-config-changes
--a always,exit -F path=/usr/bin/at -F perm=x -F auid&gt;=1000 -F auid!=unset -F key=special-config-changes
-
-## Privilege escalation via su or sudo. This is entirely handled by pam.
-
-## Watch for configuration changes to privilege escalation.
--a always,exit -F path=/etc/sudoers -F perm=wa -F key=special-config-changes
--a always,exit -F dir=/etc/sudoers.d/ -F perm=wa -F key=special-config-changes
-
-## Audit log access
--a always,exit -F dir=/var/log/audit/ -F perm=r -F auid&gt;=1000 -F auid!=unset -F key=access-audit-trail
-## Attempts to Alter Process and Session Initiation Information
--a always,exit -F path=/var/run/utmp -F perm=wa -F auid&gt;=1000 -F auid!=unset -F key=session
--a always,exit -F path=/var/log/btmp -F perm=wa -F auid&gt;=1000 -F auid!=unset -F key=session
--a always,exit -F path=/var/log/wtmp -F perm=wa -F auid&gt;=1000 -F auid!=unset -F key=session
-
-## Attempts to modify MAC controls
--a always,exit -F dir=/etc/selinux/ -F perm=wa -F auid&gt;=1000 -F auid!=unset -F key=MAC-policy
-
-## Software updates. This is entirely handled by rpm.
-
-## System start and shutdown. This is entirely handled by systemd
-
-## Kernel Module loading. This is handled in 43-module-load.rules
-
-## Application invocation. The requirements list an optional requirement
-## FPT_SRP_EXT.1 Software Restriction Policies. This event is intended to
-## state results from that policy. This would be handled entirely by
-## that daemon.    </html:pre>
-
-Load new Audit rules into kernel by running:
-<html:pre>augenrules --load</html:pre>
-
-Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000004-GPOS-00004</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000241-GPOS-00091</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000476-GPOS-00221</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000327-GPOS-00127</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000475-GPOS-00220</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000239-GPOS-00089</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000274-GPOS-00104</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000275-GPOS-00105</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000303-GPOS-00120</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000304-GPOS-00121</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Auditing of events listed in the description provides data for monitoring and investigation of potentially malicious events e.g. tampering with <html:code>Audit</html:code> logs, malicious access to files storing information about system users and groups etc.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="audit_ospp_general">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%23%20The%20purpose%20of%20these%20rules%20is%20to%20meet%20the%20requirements%20for%20Operating%0A%23%23%20System%20Protection%20Profile%20%28OSPP%29v4.2.%20These%20rules%20depends%20on%20having%0A%23%23%20the%20following%20rule%20files%20copied%20to%20/etc/audit/rules.d%3A%0A%23%23%0A%23%23%2010-base-config.rules%2C%2011-loginuid.rules%2C%0A%23%23%2030-ospp-v42-1-create-failed.rules%2C%2030-ospp-v42-1-create-success.rules%2C%0A%23%23%2030-ospp-v42-2-modify-failed.rules%2C%2030-ospp-v42-2-modify-success.rules%2C%0A%23%23%2030-ospp-v42-3-access-failed.rules%2C%2030-ospp-v42-3-access-success.rules%2C%0A%23%23%2030-ospp-v42-4-delete-failed.rules%2C%2030-ospp-v42-4-delete-success.rules%2C%0A%23%23%2030-ospp-v42-5-perm-change-failed.rules%2C%0A%23%23%2030-ospp-v42-5-perm-change-success.rules%2C%0A%23%23%2030-ospp-v42-6-owner-change-failed.rules%2C%0A%23%23%2030-ospp-v42-6-owner-change-success.rules%0A%23%23%0A%23%23%20original%20copies%20may%20be%20found%20in%20/usr/share/audit/sample-rules/%0A%0A%0A%23%23%20User%20add%20delete%20modify.%20This%20is%20covered%20by%20pam.%20However%2C%20someone%20could%0A%23%23%20open%20a%20file%20and%20directly%20create%20or%20modify%20a%20user%2C%20so%20we%27ll%20watch%20passwd%20and%0A%23%23%20shadow%20for%20writes%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2603%20-F%20path%3D/etc/passwd%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2603%20-F%20path%3D/etc/passwd%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2603%20-F%20path%3D/etc/passwd%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2603%20-F%20path%3D/etc/passwd%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2603%20-F%20path%3D/etc/shadow%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20openat%2Copen_by_handle_at%20-F%20a2%2603%20-F%20path%3D/etc/shadow%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A-a%20always%2Cexit%20-F%20arch%3Db32%20-S%20open%20-F%20a1%2603%20-F%20path%3D/etc/shadow%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A-a%20always%2Cexit%20-F%20arch%3Db64%20-S%20open%20-F%20a1%2603%20-F%20path%3D/etc/shadow%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A%0A%23%23%20User%20enable%20and%20disable.%20This%20is%20entirely%20handled%20by%20pam.%0A%0A%23%23%20Group%20add%20delete%20modify.%20This%20is%20covered%20by%20pam.%20However%2C%20someone%20could%0A%23%23%20open%20a%20file%20and%20directly%20create%20or%20modify%20a%20user%2C%20so%20we%27ll%20watch%20group%20and%0A%23%23%20gshadow%20for%20writes%0A-a%20always%2Cexit%20-F%20path%3D/etc/passwd%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A-a%20always%2Cexit%20-F%20path%3D/etc/shadow%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Duser-modify%0A-a%20always%2Cexit%20-F%20path%3D/etc/group%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dgroup-modify%0A-a%20always%2Cexit%20-F%20path%3D/etc/gshadow%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dgroup-modify%0A%0A%0A%23%23%20Use%20of%20special%20rights%20for%20config%20changes.%20This%20would%20be%20use%20of%20setuid%0A%23%23%20programs%20that%20relate%20to%20user%20accts.%20This%20is%20not%20all%20setuid%20apps%20because%0A%23%23%20requirements%20are%20only%20for%20ones%20that%20affect%20system%20configuration.%0A-a%20always%2Cexit%20-F%20path%3D/usr/sbin/unix_chkpwd%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D/usr/sbin/usernetctl%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D/usr/sbin/userhelper%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D/usr/sbin/seunshare%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D/usr/bin/mount%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D/usr/bin/newgrp%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D/usr/bin/newuidmap%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D/usr/bin/gpasswd%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D/usr/bin/newgidmap%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D/usr/bin/umount%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D/usr/bin/passwd%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D/usr/bin/crontab%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A-a%20always%2Cexit%20-F%20path%3D/usr/bin/at%20-F%20perm%3Dx%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dspecial-config-changes%0A%0A%23%23%20Privilege%20escalation%20via%20su%20or%20sudo.%20This%20is%20entirely%20handled%20by%20pam.%0A%0A%23%23%20Audit%20log%20access%0A-a%20always%2Cexit%20-F%20dir%3D/var/log/audit/%20-F%20perm%3Dr%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Daccess-audit-trail%0A%23%23%20Attempts%20to%20Alter%20Process%20and%20Session%20Initiation%20Information%0A-a%20always%2Cexit%20-F%20path%3D/var/run/utmp%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsession%0A-a%20always%2Cexit%20-F%20path%3D/var/log/btmp%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsession%0A-a%20always%2Cexit%20-F%20path%3D/var/log/wtmp%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3Dsession%0A%0A%23%23%20Attempts%20to%20modify%20MAC%20controls%0A-a%20always%2Cexit%20-F%20dir%3D/etc/selinux/%20-F%20perm%3Dwa%20-F%20auid%3E%3D1000%20-F%20auid%21%3Dunset%20-F%20key%3DMAC-policy%0A%0A%23%23%20Software%20updates.%20This%20is%20entirely%20handled%20by%20rpm.%0A%0A%23%23%20System%20start%20and%20shutdown.%20This%20is%20entirely%20handled%20by%20systemd%0A%0A%23%23%20Kernel%20Module%20loading.%20This%20is%20handled%20in%2043-module-load.rules%0A%0A%23%23%20Application%20invocation.%20The%20requirements%20list%20an%20optional%20requirement%0A%23%23%20FPT_SRP_EXT.1%20Software%20Restriction%20Policies.%20This%20event%20is%20intended%20to%0A%23%23%20state%20results%20from%20that%20policy.%20This%20would%20be%20handled%20entirely%20by%0A%23%23%20that%20daemon.%0A
-        mode: 0600
-        path: /etc/audit/rules.d/30-ospp-v42.rules
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_ospp_general:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_ospp_general_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_owner_change_failed" severity="medium">
-              <xccdf-1.2:title>Configure auditing of unsuccessful ownership changes</xccdf-1.2:title>
-              <xccdf-1.2:description>Ensure that unsuccessful attempts to change an ownership of files or directories are audited.
-
-The following rules configure audit as described above:
-<html:pre>## Unsuccessful ownership change
--a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-owner-change
--a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-owner-change
--a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-owner-change
--a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-owner-change    </html:pre>
-
-Load new Audit rules into kernel by running:
-<html:pre>augenrules --load</html:pre>
-
-Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000463-GPOS-00207</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000465-GPOS-00209</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000474-GPOS-00219</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000475-GPOS-00220</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000466-GPOS-00210</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000064-GPOS-00033</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Unsuccessful attempts to change an ownership of files or directories might be signs of a malicious activity. Having such events audited helps in monitoring and investigation of such activities.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_owner_change_failed:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_owner_change_failed_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_owner_change_success" severity="medium">
-              <xccdf-1.2:title>Configure auditing of successful ownership changes</xccdf-1.2:title>
-              <xccdf-1.2:description>Ensure that successful attempts to change an ownership of files or directories are audited.
-
-The following rules configure audit as described above:
-<html:pre>## Successful ownership change
--a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-owner-change
--a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-owner-change    </html:pre>
-
-Load new Audit rules into kernel by running:
-<html:pre>augenrules --load</html:pre>
-
-Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000463-GPOS-00207</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000465-GPOS-00209</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000474-GPOS-00219</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000475-GPOS-00220</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000466-GPOS-00210</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000064-GPOS-00033</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Auditing of successful ownership changes of files or directories helps in monitoring or investingating of activities performed on the system.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_owner_change_success:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_owner_change_success_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_perm_change_failed" severity="medium">
-              <xccdf-1.2:title>Configure auditing of unsuccessful permission changes</xccdf-1.2:title>
-              <xccdf-1.2:description>Ensure that unsuccessful attempts to change file or directory permissions are audited.
-
-The following rules configure audit as described above:
-<html:pre>## Unsuccessful permission change
--a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-perm-change
--a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-perm-change
--a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-perm-change
--a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-perm-change    </html:pre>
-
-Load new Audit rules into kernel by running:
-<html:pre>augenrules --load</html:pre>
-
-Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000463-GPOS-00207</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000465-GPOS-00209</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000474-GPOS-00219</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000475-GPOS-00220</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000466-GPOS-00210</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000064-GPOS-00033</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Unsuccessful attempts to change permissions of files or directories might be signs of malicious activity. Having such events audited helps in monitoring and investigation of such activities.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_perm_change_failed:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_perm_change_failed_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_perm_change_success" severity="medium">
-              <xccdf-1.2:title>Configure auditing of successful permission changes</xccdf-1.2:title>
-              <xccdf-1.2:description>Ensure that successful attempts to modify permissions of files or directories are audited.
-
-The following rules configure audit as described above:
-<html:pre>## Successful permission change
--a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-perm-change
--a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-perm-change    </html:pre>
-
-Load new Audit rules into kernel by running:
-<html:pre>augenrules --load</html:pre>
-
-Note: This rule uses a special set of Audit rules to comply with OSPP 4.2.1. You may reuse this rule in different profiles. If you decide to do so, it is recommended that you inspect contents of the file closely and make sure that they are alligned with your needs.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000463-GPOS-00207</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000465-GPOS-00209</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000474-GPOS-00219</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000475-GPOS-00220</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000466-GPOS-00210</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000064-GPOS-00033</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Auditing successful file or directory permission changes helps in monitoring and investigating of activities performed on the system.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_perm_change_success:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_perm_change_success_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_audit_rules_for_ospp" severity="medium">
-              <xccdf-1.2:title>Configure audit according to OSPP requirements</xccdf-1.2:title>
-              <xccdf-1.2:description>Configure audit to meet requirements for Operating System Protection Profile (OSPP) v4.2.1.
-
-Audit defines groups of rules in <html:code>/usr/share/doc/audit/rules</html:code> to satisfy specific policies.
-
-To fulfill requirements for compliance with OSPP v4.2.1, the following files are necessary:
-<html:ul><html:li>/usr/share/doc/audit/rules/10-base-config.rules</html:li><html:li>/usr/share/doc/audit/rules/11-loginuid.rules</html:li><html:li>/usr/share/doc/audit/rules/30-ospp-v42.rules</html:li><html:li>/usr/share/doc/audit/rules/43-module-load.rules</html:li></html:ul>
-
-Copy the files from <html:code>/usr/share/doc/audit/rules</html:code> to <html:code>/etc/audit/rules.d</html:code>:
-<html:pre>
-cp /usr/share/doc/audit*/rules/{10-base-config,11-loginuid,30-ospp-v42,43-module-load}.rules /etc/audit/rules.d/
-</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:warning category="performance">It might happen that Audit buffer configured by this rule is not large enough for certain use cases. If that is the case, the buffer size can be overridden by placing <html:pre>-b larger_buffer_size</html:pre> into a file within <html:code>/etc/audit/rules.d</html:code> directory, replacing <html:code>larger_file_size</html:code> with the desired value. The file name should start with a number higher than 10 and lower than 99.</xccdf-1.2:warning>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">NONE</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000004-GPOS-00004</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000240-GPOS-00090</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000241-GPOS-00091</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000303-GPOS-00120</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000476-GPOS-00221</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000327-GPOS-00127</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000064-GPOS-00033</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000365-GPOS-00152</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000458-GPOS-00203</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000461-GPOS-00205</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000462-GPOS-00206</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000463-GPOS-00207</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000465-GPOS-00209</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000466-GPOS-00210</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000468-GPOS-00212</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000470-GPOS-00214</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00216</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000472-GPOS-00217</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000474-GPOS-00219</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000475-GPOS-00220</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000477-GPOS-00222</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>The audit rules defined in <html:code>/usr/share/doc/audit/rules</html:code> are the recommended way to meet compliance with OSPP v4.2.1.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-audit_rules_for_ospp:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-audit_rules_for_ospp_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-          </xccdf-1.2:Group>
-        </xccdf-1.2:Group>
-        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_apparmor">
-          <xccdf-1.2:title>AppArmor</xccdf-1.2:title>
-          <xccdf-1.2:description>Many security vulnerabilities result from bugs in trusted programs. A trusted
-program runs with privileges that attackers want to possess. The program fails
-to keep that trust if there is a bug in the program that allows the attacker to
-acquire said privilege.
-<html:br/><html:br/>
-AppArmor&#xAE; is an application security solution designed specifically to apply
-privilege confinement to suspect programs. AppArmor allows the administrator to
-specify the domain of activities the program can perform by developing a
-security profile. A security profile is a listing of files that the program may
-access and the operations the program may perform. AppArmor secures
-applications by enforcing good application behavior without relying on attack
-signatures, so it can prevent attacks even if previously unknown
-vulnerabilities are being exploited.</xccdf-1.2:description>
-        </xccdf-1.2:Group>
-        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_bootloader-grub2">
-          <xccdf-1.2:title>GRUB2 bootloader configuration</xccdf-1.2:title>
-          <xccdf-1.2:description>During the boot process, the boot loader is
-responsible for starting the execution of the kernel and passing
-options to it. The boot loader allows for the selection of
-different kernels - possibly on different partitions or media.
-The default Red Hat Enterprise Linux CoreOS 4 boot loader for x86 systems is called GRUB2.
-Options it can pass to the kernel include <html:i>single-user mode</html:i>, which
-provides root access without any authentication, and the ability to
-disable SELinux. To prevent local users from modifying the boot
-parameters and endangering security, protect the boot loader configuration
-with a password and ensure its configuration file's permissions
-are set properly.</xccdf-1.2:description>
-          <xccdf-1.2:platform idref="#grub2"/>
-          <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_l1tf_options" type="string">
-            <xccdf-1.2:title>L1TF vulnerability mitigation</xccdf-1.2:title>
-            <xccdf-1.2:description>Defines the L1TF vulneratility mitigations to employ.</xccdf-1.2:description>
-            <xccdf-1.2:value>flush</xccdf-1.2:value>
-            <xccdf-1.2:value selector="full">full</xccdf-1.2:value>
-            <xccdf-1.2:value selector="full_force">full,force</xccdf-1.2:value>
-            <xccdf-1.2:value selector="flush">flush</xccdf-1.2:value>
-            <xccdf-1.2:value selector="flush_nosmt">flush,nosmt</xccdf-1.2:value>
-            <xccdf-1.2:value selector="flush_nowarn">flush,nowarn</xccdf-1.2:value>
-          </xccdf-1.2:Value>
-          <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_mds_options" type="string">
-            <xccdf-1.2:title>MDS vulnerability mitigation</xccdf-1.2:title>
-            <xccdf-1.2:description>Defines the MDS vulneratility mitigation to employ.</xccdf-1.2:description>
-            <xccdf-1.2:value>full</xccdf-1.2:value>
-            <xccdf-1.2:value selector="full">full</xccdf-1.2:value>
-            <xccdf-1.2:value selector="full_nosmt">full,nosmt</xccdf-1.2:value>
-          </xccdf-1.2:Value>
-          <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_rng_core_default_quality" type="string" interactive="true">
-            <xccdf-1.2:title>Confidence level on Hardware Random Number Generator</xccdf-1.2:title>
-            <xccdf-1.2:description>Defines the level of trust on the hardware random number generators available in the
-system and the percentage of entropy to credit.</xccdf-1.2:description>
-            <xccdf-1.2:value>500</xccdf-1.2:value>
-            <xccdf-1.2:value selector="500">500</xccdf-1.2:value>
-            <xccdf-1.2:value selector="512">512</xccdf-1.2:value>
-            <xccdf-1.2:value selector="1000">1000</xccdf-1.2:value>
-          </xccdf-1.2:Value>
-          <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_spec_store_bypass_disable_options" type="string">
-            <xccdf-1.2:title>Spec Store Bypass Mitigation</xccdf-1.2:title>
-            <xccdf-1.2:description>This controls how the Speculative Store Bypass (SSB) vulnerability is mitigated.</xccdf-1.2:description>
-            <xccdf-1.2:value>prctl</xccdf-1.2:value>
-            <xccdf-1.2:value selector="on">on</xccdf-1.2:value>
-            <xccdf-1.2:value selector="auto">auto</xccdf-1.2:value>
-            <xccdf-1.2:value selector="prctl">prctl</xccdf-1.2:value>
-            <xccdf-1.2:value selector="seccomp">seccomp</xccdf-1.2:value>
-          </xccdf-1.2:Value>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_coreos_pti_kernel_argument" severity="high">
-            <xccdf-1.2:title>Enable Kernel Page-Table Isolation (KPTI)</xccdf-1.2:title>
-            <xccdf-1.2:description>To enable Kernel page-table isolation, add the argument <html:code>pti=on</html:code> to all
-BLS (Boot Loader Specification) entries ('options' line) for the Linux
-operating system in <html:code>/boot/loader/entries/*.conf</html:code>.</xccdf-1.2:description>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-16</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000433-GPOS-00193</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Kernel page-table isolation is a kernel feature that mitigates
-the Meltdown security vulnerability and hardens the kernel
-against attempts to bypass kernel address space layout
-randomization (KASLR).</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#grub2"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82497-9</xccdf-1.2:ident>
-            <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="coreos_pti_kernel_argument" complexity="low" disruption="medium" reboot="true" strategy="restrict">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-  kernelArguments:
-    - pti=on
-</xccdf-1.2:fix>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-coreos_pti_kernel_argument:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-coreos_pti_kernel_argument_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_coreos_vsyscall_kernel_argument" severity="medium">
-            <xccdf-1.2:title>Disable vsyscalls</xccdf-1.2:title>
-            <xccdf-1.2:description>To disable use of virtual syscalls, add the argument <html:code>vsyscall=none</html:code> to all
-BLS (Boot Loader Specification) entries ('options' line) for the Linux
-operating system in <html:code>/boot/loader/entries/*.conf</html:code>.</xccdf-1.2:description>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Virtual Syscalls provide an opportunity of attack for a user who has control
-of the return instruction pointer.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#grub2"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82674-3</xccdf-1.2:ident>
-            <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="coreos_vsyscall_kernel_argument" complexity="low" disruption="medium" reboot="true" strategy="restrict">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-  kernelArguments:
-    - vsyscall=none
-</xccdf-1.2:fix>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-coreos_vsyscall_kernel_argument:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-coreos_vsyscall_kernel_argument_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_grub2_disable_recovery" severity="medium">
-            <xccdf-1.2:title>Disable Recovery Booting</xccdf-1.2:title>
-            <xccdf-1.2:description>Red Hat Enterprise Linux CoreOS 4 systems support an "recovery boot" option that can be used
-to prevent services from being started. The <html:code>GRUB_DISABLE_RECOVERY</html:code>
-configuration option in <html:code>/etc/default/grub</html:code> should be set to
-<html:code>true</html:code> to disable the generation of recovery mode menu entries. It is
-also required to change the runtime configuration, run:
-<html:pre>$ sudo grubby --update-kernel=ALL</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_UAU.1</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Using recovery boot, the console user could disable auditing, firewalls,
-or other services, weakening system security.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#grub2"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-grub2_disable_recovery:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-grub2_disable_recovery_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_grub2_enable_iommu_force" severity="unknown">
-            <xccdf-1.2:title>IOMMU configuration directive</xccdf-1.2:title>
-            <xccdf-1.2:description>On x86 architecture supporting VT-d, the IOMMU manages the access control policy between the hardware devices and some
-    of the system critical units such as the memory.
-Configure the default Grub2 kernel command line to contain iommu=force as follows:
-<html:pre># grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) iommu=force"</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:warning category="functionality">Depending on the hardware, devices and operating system used, enabling IOMMU can cause hardware instabilities. Proper function and stability should be assessed before applying remediation to production systems.</xccdf-1.2:warning>
-            <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R11)</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>On x86 architectures, activating the I/OMMU prevents the system from arbitrary accesses potentially made by
-    hardware devices.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-grub2_enable_iommu_force:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-grub2_enable_iommu_force_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_grub2_l1tf_argument" severity="high">
-            <xccdf-1.2:title>Configure L1 Terminal Fault mitigations</xccdf-1.2:title>
-            <xccdf-1.2:description>L1 Terminal Fault (L1TF) is a hardware vulnerability which allows unprivileged
-speculative access to data which is available in the Level 1 Data Cache when
-the page table entry isn't present.
-
-Select the appropriate mitigation by adding the argument
-<html:code>l1tf=<xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_l1tf_options" use="legacy"/></html:code> to the default
-GRUB 2 command line for the Linux operating system.
-Configure the default Grub2 kernel command line to contain l1tf=<xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_l1tf_options" use="legacy"/> as follows:
-<html:pre># grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) l1tf=<xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_l1tf_options" use="legacy"/>"</html:pre>
-
-Since Linux Kernel 4.19 you can check the L1TF vulnerability state with the
-following command:
-<html:code>cat /sys/devices/system/cpu/vulnerabilities/l1tf</html:code></xccdf-1.2:description>
-            <xccdf-1.2:warning category="performance">Enabling L1TF mitigations may impact performance of the system.</xccdf-1.2:warning>
-            <xccdf-1.2:rationale>The L1TF vulnerability allows an attacker to bypass memory access security controls imposed
-by the system or hypervisor. The L1TF vulnerability allows read access to any physical memory
-location that is cached in the L1 Data Cache.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-export export-name="oval:ssg-var_l1tf_options:var:1" value-id="xccdf_org.ssgproject.content_value_var_l1tf_options"/>
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-grub2_l1tf_argument:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-grub2_l1tf_argument_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_grub2_mce_argument" severity="medium">
-            <xccdf-1.2:title>Force kernel panic on uncorrected MCEs</xccdf-1.2:title>
-            <xccdf-1.2:description>A Machine Check Exception is an error generated by the CPU itdetects an error
-in itself, memory or I/O devices.
-These errors may be corrected and generate a check log entry, if an error
-cannot be corrected the kernel may panic or SIGBUS.
-
-To force the kernel to panic on any uncorrected error reported by Machine Check
-set the MCE tolerance to zero by adding <html:code>mce=0</html:code>
-to the default GRUB 2 command line for the Linux operating system.
-Configure the default Grub2 kernel command line to contain mce=0 as follows:
-<html:pre># grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) mce=0"</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:rationale>Allowing uncorrected errors to result on a SIGBUS may allow an attacker to continue
-trying to exploit a vulnerability such as Rowhammer.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-grub2_mce_argument:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-grub2_mce_argument_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_grub2_nosmap_argument_absent" severity="medium">
-            <xccdf-1.2:title>Ensure SMAP is not disabled during boot</xccdf-1.2:title>
-            <xccdf-1.2:description>The SMAP is used to prevent the supervisor mode from unintentionally reading/writing into
-memory pages in the user space, it is enabled by default since Linux kernel 3.7.
-But it could be disabled through kernel boot parameters.
-
-Ensure that Supervisor Mode Access Prevention (SMAP) is not disabled by
-the <html:code>nosmap</html:code> boot paramenter option.
-
-Check that the line <html:pre>GRUB_CMDLINE_LINUX="..."</html:pre> within <html:code>/etc/default/grub</html:code>
-doesn't contain the argument <html:code>nosmap</html:code>.
-Run the following command to update command line for already installed kernels:
-<html:pre># grubby --update-kernel=ALL --remove-args="nosmap"</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:rationale>Disabling SMAP can facilitate exploitation of vulnerabilities caused by unintended access and
-manipulation of data in the user space.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-grub2_nosmap_argument_absent:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-grub2_nosmap_argument_absent_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_grub2_nosmep_argument_absent" severity="medium">
-            <xccdf-1.2:title>Ensure SMEP is not disabled during boot</xccdf-1.2:title>
-            <xccdf-1.2:description>The SMEP is used to prevent the supervisor mode from executing user space code,
-it is enabled by default since Linux kernel 3.0. But it could be disabled through
-kernel boot parameters.
-
-Ensure that Supervisor Mode Execution Prevention (SMEP) is not disabled by
-the <html:code>nosmep</html:code> boot paramenter option.
-
-Check that the line <html:pre>GRUB_CMDLINE_LINUX="..."</html:pre> within <html:code>/etc/default/grub</html:code>
-doesn't contain the argument <html:code>nosmep</html:code>.
-Run the following command to update command line for already installed kernels:
-<html:pre># grubby --update-kernel=ALL --remove-args="nosmep"</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:rationale>Disabling SMEP can facilitate exploitation of certain vulnerabilities because it allows
-the kernel to unintentionally execute code in less privileged memory space.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-grub2_nosmep_argument_absent:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-grub2_nosmep_argument_absent_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_grub2_rng_core_default_quality_argument" severity="low">
-            <xccdf-1.2:title>Configure the confidence in TPM for entropy</xccdf-1.2:title>
-            <xccdf-1.2:description>The TPM security chip that is available in most modern systems has a hardware RNG.
-It is also used to feed the entropy pool, but generally not credited entropy.
-
-Use <html:code>rng_core.default_quality</html:code> in the kernel command line to set the trust
-level on the hardware generators. The trust level defines the amount of entropy to credit.
-A value of <html:code>0</html:code> tells the system not to trust the hardware random number generators
-available, and doesn't credit any entropy to the pool.
-A value of <html:code>1000</html:code> assigns full confidence in the generators, and credits all the
-entropy it provides to the pool.
-
-Note that the value of <html:code>rng_core.default_quality</html:code> is global, affecting the trust
-on all hardware random number generators.
-
-Select the appropriate confidence by adding the argument
-<html:code>rng_core.default_quality=<xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_rng_core_default_quality" use="legacy"/></html:code> to the default
-GRUB 2 command line for the Linux operating system.
-Configure the default Grub2 kernel command line to contain rng_core.default_quality=<xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_rng_core_default_quality" use="legacy"/> as follows:
-<html:pre># grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) rng_core.default_quality=<xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_rng_core_default_quality" use="legacy"/>"</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:rationale>A system may struggle to initialize its entropy pool and end up starving. Crediting entropy
-from the hardware number generators available in the system helps fill up the entropy pool.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-export export-name="oval:ssg-var_rng_core_default_quality:var:1" value-id="xccdf_org.ssgproject.content_value_var_rng_core_default_quality"/>
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-grub2_rng_core_default_quality_argument:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-grub2_rng_core_default_quality_argument_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_grub2_slab_nomerge_argument" severity="medium">
-            <xccdf-1.2:title>Disable merging of slabs with similar size</xccdf-1.2:title>
-            <xccdf-1.2:description>The kernel may merge similar slabs together to reduce overhead and increase
-cache hotness of objects.
-Disabling merging of slabs keeps the slabs separate and reduces the risk of
-kernel heap overflows overwriting objects in merged caches.
-
-To disable merging of slabs in the Kernel add the argument <html:code>slab_nomerge=yes</html:code>
-to the default GRUB 2 command line for the Linux operating system.
-Configure the default Grub2 kernel command line to contain slab_nomerge=yes as follows:
-<html:pre># grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) slab_nomerge=yes"</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:warning category="performance">Disabling merge of slabs will slightly increase kernel memory utilization.</xccdf-1.2:warning>
-            <xccdf-1.2:rationale>Disabling the merge of slabs of similar sizes prevents the kernel from
-merging a seemingly useless but vulnerable slab with a useful and valuable slab.
-This increase the risk that a heap overflow could overwrite objects from merged caches,
-with unmerged caches the heap overflow would only affect the objects in the same cache.
-Overall, this reduces the kernel attack surface area by isolating slabs from each other.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-grub2_slab_nomerge_argument:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-grub2_slab_nomerge_argument_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_grub2_spec_store_bypass_disable_argument" severity="medium">
-            <xccdf-1.2:title>Configure Speculative Store Bypass Mitigation</xccdf-1.2:title>
-            <xccdf-1.2:description>Certain CPUs are vulnerable to an exploit against a common wide industry wide performance
-optimization known as Speculative Store Bypass (SSB).
-
-In such cases, recent stores to the same memory location cannot always be observed by later
-loads during speculative execution. However, such stores are unlikely and thus they can be
-detected prior to instruction retirement at the end of a particular speculation execution
-window.
-
-Since Linux Kernel 4.17 you can check the SSB mitigation state with the following command:
-<html:code>cat /sys/devices/system/cpu/vulnerabilities/spec_store_bypass</html:code>
-
-Select the appropriate SSB state by adding the argument
-<html:code>spec_store_bypass_disable=<xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_spec_store_bypass_disable_options" use="legacy"/></html:code> to the default
-GRUB 2 command line for the Linux operating system.
-Configure the default Grub2 kernel command line to contain spec_store_bypass_disable=<xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_spec_store_bypass_disable_options" use="legacy"/> as follows:
-<html:pre># grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) spec_store_bypass_disable=<xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_spec_store_bypass_disable_options" use="legacy"/>"</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:warning category="performance">Disabling Speculative Store Bypass may impact performance of the system.</xccdf-1.2:warning>
-            <xccdf-1.2:rationale>In vulnerable processsors, the speculatively forwarded store can be used in a cache side channel
-attack. An example of this is reading memory to which the attacker does not directly have access,
-for example inside the sandboxed code.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-export export-name="oval:ssg-var_spec_store_bypass_disable_options:var:1" value-id="xccdf_org.ssgproject.content_value_var_spec_store_bypass_disable_options"/>
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-grub2_spec_store_bypass_disable_argument:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-grub2_spec_store_bypass_disable_argument_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_grub2_spectre_v2_argument" severity="high">
-            <xccdf-1.2:title>Enforce Spectre v2 mitigation</xccdf-1.2:title>
-            <xccdf-1.2:description>Spectre V2 is an indirect branch poisoning attack that can lead to data leakage.
-An exploit for Spectre V2 tricks the indirect branch predictor into executing
-code from a future indirect branch chosen by the attacker, even if the privilege
-level is different.
-
-Since Linux Kernel 4.15 you can check the Spectre V2 mitigation state with the following command:
-<html:code>cat /sys/devices/system/cpu/vulnerabilities/spectre_v2</html:code>
-
-Enforce the Spectre V2 mitigation by adding the argument
-<html:code>spectre_v2=on</html:code> to the default
-GRUB 2 command line for the Linux operating system.
-Configure the default Grub2 kernel command line to contain spectre_v2=on) as follows:
-<html:pre># grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) spectre_v2=on)"</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:rationale>The Spectre V2 vulnerability allows an attacker to read memory that he should not have
-access to.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-grub2_spectre_v2_argument:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-grub2_spectre_v2_argument_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_grub2_systemd_debug-shell_argument_absent" severity="medium">
-            <xccdf-1.2:title>Ensure debug-shell service is not enabled during boot</xccdf-1.2:title>
-            <xccdf-1.2:description>systemd's <html:code>debug-shell</html:code> service is intended to
-diagnose systemd related boot issues with various <html:code>systemctl</html:code>
-commands. Once enabled and following a system reboot, the root shell
-will be available on <html:code>tty9</html:code> which is access by pressing
-<html:code>CTRL-ALT-F9</html:code>. The <html:code>debug-shell</html:code> service should only be used
-for systemd related issues and should otherwise be disabled.
-<html:br/><html:br/>
-By default, the <html:code>debug-shell</html:code> systemd service is already disabled.
-
-Ensure the debug-shell is not enabled by the <html:code>systemd.debug-shel=1</html:code>
-boot paramenter option.
-
-Check that the line <html:pre>GRUB_CMDLINE_LINUX="..."</html:pre> within <html:code>/etc/default/grub</html:code>
-doesn't contain the argument <html:code>systemd.debug-shell=1</html:code>.
-Run the following command to update command line for already installed kernels:
-<html:pre># grubby --update-kernel=ALL --remove-args="systemd.debug-shell"</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_UAU.1</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>This prevents attackers with physical access from trivially bypassing security
-on the machine through valid troubleshooting configurations and gaining root
-access when the system is rebooted.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-grub2_systemd_debug-shell_argument_absent:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-grub2_systemd_debug-shell_argument_absent_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_non-uefi">
-            <xccdf-1.2:title>Non-UEFI GRUB2 bootloader configuration</xccdf-1.2:title>
-            <xccdf-1.2:description>Non-UEFI GRUB2 bootloader configuration</xccdf-1.2:description>
-            <xccdf-1.2:platform idref="#non-uefi"/>
-          </xccdf-1.2:Group>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_uefi">
-            <xccdf-1.2:title>UEFI GRUB2 bootloader configuration</xccdf-1.2:title>
-            <xccdf-1.2:description>UEFI GRUB2 bootloader configuration</xccdf-1.2:description>
-            <xccdf-1.2:platform idref="#uefi"/>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_grub2_uefi_admin_username" severity="medium">
-              <xccdf-1.2:title>Set the UEFI Boot Loader Admin Username to a Non-Default Value</xccdf-1.2:title>
-              <xccdf-1.2:description>The grub2 boot loader should have a superuser account and password
-protection enabled to protect boot-time settings.
-<html:br/><html:br/>
-To maximize the protection, select a password-protected superuser account with unique name, and modify the
-<html:code>/etc/grub.d/01_users</html:code> configuration file to reflect the account name change.
-<html:br/><html:br/>
-It is highly suggested not to use common administrator account names like root,
-admin, or administrator for the grub2 superuser account.
-<html:br/><html:br/>
-Change the superuser to a different username (The default is 'root').
-<html:pre>$ sed -i 's/\(set superusers=\).*/\1"&lt;unique user ID&gt;"/g' /etc/grub.d/01_users</html:pre>
-<html:br/><html:br/>
-Once the superuser account has been added,
-update the
-<html:code>grub.cfg</html:code> file by running:
-<html:pre>grubby --update-kernel=ALL</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:warning category="general">To prevent hard-coded admin usernames, automatic remediation of this control is not available. Remediation
-must be automated as a component of machine provisioning, or followed manually as outlined above.
-
-Also, do NOT manually add the superuser account and password to the
-<html:code>grub.cfg</html:code> file as the grub2-mkconfig command overwrites this file.</xccdf-1.2:warning>
-              <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R17)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000213</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(B)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(i)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(ii)(A)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(i)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(ii)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iii)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_UAU.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000080-GPOS-00048</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Having a non-default grub superuser username makes password-guessing attacks less effective.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83540-5</xccdf-1.2:ident>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-grub2_uefi_admin_username:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-grub2_uefi_admin_username_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_grub2_uefi_password" severity="high">
-              <xccdf-1.2:title>Set the UEFI Boot Loader Password</xccdf-1.2:title>
-              <xccdf-1.2:description>The grub2 boot loader should have a superuser account and password
-protection enabled to protect boot-time settings.
-<html:br/><html:br/>
-Since plaintext passwords are a security risk, generate a hash for the password
-by running the following command:
-
-<html:pre># grub2-setpassword</html:pre>
-
-When prompted, enter the password that was selected.
-<html:br/><html:br/></xccdf-1.2:description>
-              <xccdf-1.2:warning category="general">To prevent hard-coded passwords, automatic remediation of this control is not available. Remediation
-must be automated as a component of machine provisioning, or followed manually as outlined above.
-
-Also, do NOT manually add the superuser account and password to the
-<html:code>grub.cfg</html:code> file as the grub2-mkconfig command overwrites this file.</xccdf-1.2:warning>
-              <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R17)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000213</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(B)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(i)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(7)(ii)(A)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(i)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(ii)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(a)(2)(iii)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_UAU.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000080-GPOS-00048</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Password protection on the boot loader configuration ensures
-users with physical access cannot trivially alter
-important bootloader settings. These include which kernel to use,
-and whether to enter single-user mode.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82552-1</xccdf-1.2:ident>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-grub2_uefi_password:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-grub2_uefi_password_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-          </xccdf-1.2:Group>
-        </xccdf-1.2:Group>
-        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_bootloader-zipl">
-          <xccdf-1.2:title>zIPL bootloader configuration</xccdf-1.2:title>
-          <xccdf-1.2:description>During the boot process, the bootloader is
-responsible for starting the execution of the kernel and passing
-options to it.
-The default Red Hat Enterprise Linux CoreOS 4 boot loader for s390x systems is called zIPL.</xccdf-1.2:description>
-          <xccdf-1.2:platform idref="#s390x_arch"/>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_zipl_audit_argument" severity="medium">
-            <xccdf-1.2:title>Enable Auditing to Start Prior to the Audit Daemon in zIPL</xccdf-1.2:title>
-            <xccdf-1.2:description>To ensure all processes can be audited, even those which start prior to the audit daemon,
-check that all boot entries in <html:code>/boot/loader/entries/*.conf</html:code> have <html:code>audit=1</html:code>
-included in its options.<html:br/>
-
-To ensure that new kernels and boot entries continue to enable audit,
-add <html:code>audit=1</html:code> to <html:code>/etc/kernel/cmdline</html:code>.</xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Each process on the system carries an "auditable" flag which indicates whether
-its activities can be audited. Although <html:code>auditd</html:code> takes care of enabling
-this for all processes which launch after it does, adding the kernel argument
-ensures it is set for every process during boot.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-zipl_audit_argument:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-zipl_audit_argument_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_zipl_audit_backlog_limit_argument" severity="medium">
-            <xccdf-1.2:title>Extend Audit Backlog Limit for the Audit Daemon in zIPL</xccdf-1.2:title>
-            <xccdf-1.2:description>To improve the kernel capacity to queue all log events, even those which start prior to the audit daemon,
-check that all boot entries in <html:code>/boot/loader/entries/*.conf</html:code> have <html:code>audit_backlog_limit=8192</html:code>
-included in its options.<html:br/>
-To ensure that new kernels and boot entries continue to extend the audit log events queue,
-add <html:code>audit_backlog_limit=8192</html:code> to <html:code>/etc/kernel/cmdline</html:code>.</xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_STG.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_STG.3</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>audit_backlog_limit sets the queue length for audit events awaiting transfer
-to the audit daemon. Until the audit daemon is up and running, all log messages
-are stored in this queue.  If the queue is overrun during boot process, the action
-defined by audit failure flag is taken.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-zipl_audit_backlog_limit_argument:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-zipl_audit_backlog_limit_argument_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_zipl_bls_entries_only" severity="medium">
-            <xccdf-1.2:title>Ensure all zIPL boot entries are BLS compliant</xccdf-1.2:title>
-            <xccdf-1.2:description>Ensure that zIPL boot entries fully adheres to Boot Loader Specification (BLS)
-by checking that <html:code>/etc/zipl.conf</html:code> doesn't contain <html:code>image = </html:code>.</xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">To prevent breakage or removal of all boot entries oconfigured in /etc/zipl.conf
-automated remediation for this rule is not available.</xccdf-1.2:warning>
-            <xccdf-1.2:rationale>Red Hat Enterprise Linux CoreOS 4 adheres to Boot Loader Specification (BLS) and is the prefered method of
-configuration.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-zipl_bls_entries_only:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-zipl_bls_entries_only_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_zipl_bootmap_is_up_to_date" severity="medium">
-            <xccdf-1.2:title>Ensure zIPL bootmap is up to date</xccdf-1.2:title>
-            <xccdf-1.2:description>Make sure that <html:code>/boot/bootmap</html:code> is up to date.<html:br/>
-Every time a boot entry or zIPL configuration is changed <html:code>/boot/bootmap</html:code> needs to
-be updated to reflect the changes.<html:br/>
-Run <html:code>zipl</html:code> command to generate an updated <html:code>/boot/bootmap</html:code>.</xccdf-1.2:description>
-            <xccdf-1.2:rationale>The file <html:code>/boot/bootmap</html:code> contains all boot data, keeping it up to date is crucial to
-boot correct kernel and options.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-zipl_bootmap_is_up_to_date:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-zipl_bootmap_is_up_to_date_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_zipl_enable_selinux" severity="medium">
-            <xccdf-1.2:title>Ensure SELinux Not Disabled in zIPL</xccdf-1.2:title>
-            <xccdf-1.2:description>To ensure SELinux is not disabled at boot time,
-check that no boot entry in <html:code>/boot/loader/entries/*.conf</html:code> has <html:code>selinux=0</html:code>
-included in its options.<html:br/></xccdf-1.2:description>
-            <xccdf-1.2:rationale>Disabling a major host protection feature, such as SELinux, at boot time prevents
-it from confining system services at boot time.  Further, it increases
-the chances that it will remain off during system operation.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-zipl_enable_selinux_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_zipl_page_poison_argument" severity="medium">
-            <xccdf-1.2:title>Enable page allocator poisoning in zIPL</xccdf-1.2:title>
-            <xccdf-1.2:description>To enable poisoning of free pages,
-check that all boot entries in <html:code>/boot/loader/entries/*.conf</html:code> have <html:code>page_poison=1</html:code>
-included in its options.<html:br/>
-To ensure that new kernels and boot entries continue to enable page poisoning,
-add <html:code>page_poison=1</html:code> to <html:code>/etc/kernel/cmdline</html:code>.</xccdf-1.2:description>
-            <xccdf-1.2:rationale>Poisoning writes an arbitrary value to freed pages, so any modification or
-reference to that page after being freed or before being initialized will be
-detected and prevented.
-This prevents many types of use-after-free vulnerabilities at little performance cost.
-Also prevents leak of data and detection of corrupted memory.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-zipl_page_poison_argument:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-zipl_page_poison_argument_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_zipl_slub_debug_argument" severity="medium">
-            <xccdf-1.2:title>Enable SLUB/SLAB allocator poisoning in zIPL</xccdf-1.2:title>
-            <xccdf-1.2:description>To enable poisoning of SLUB/SLAB objects,
-check that all boot entries in <html:code>/boot/loader/entries/*.conf</html:code> have <html:code>slub_debug=P</html:code>
-included in its options.<html:br/>
-To ensure that new kernels and boot entries continue to enable poisoning of SLUB/SLAB objects,
-add <html:code>slub_debug=P</html:code> to <html:code>/etc/kernel/cmdline</html:code>.</xccdf-1.2:description>
-            <xccdf-1.2:rationale>Poisoning writes an arbitrary value to freed objects, so any modification or
-reference to that object after being freed or before being initialized will be
-detected and prevented.
-This prevents many types of use-after-free vulnerabilities at little performance cost.
-Also prevents leak of data and detection of corrupted memory.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-zipl_slub_debug_argument:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-zipl_slub_debug_argument_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_zipl_systemd_debug-shell_argument_absent" severity="medium">
-            <xccdf-1.2:title>Ensure debug-shell service is not enabled in zIPL</xccdf-1.2:title>
-            <xccdf-1.2:description>systemd's <html:code>debug-shell</html:code> service is intended to
-diagnose systemd related boot issues with various <html:code>systemctl</html:code>
-commands. Once enabled and following a system reboot, the root shell
-will be available on <html:code>tty9</html:code> which is access by pressing
-<html:code>CTRL-ALT-F9</html:code>. The <html:code>debug-shell</html:code> service should only be used
-for systemd related issues and should otherwise be disabled.
-<html:br/><html:br/>
-By default, the <html:code>debug-shell</html:code> systemd service is already disabled.
-
-Ensure the debug-shell is not enabled by the <html:code>systemd.debug-shel=1</html:code>
-boot paramenter option.
-
-Check that not boot entries in <html:code>/boot/loader/entries/*.conf</html:code> have
-<html:code>systemd.debug-shell=1</html:code> included in its options.<html:br/>
-To ensure that new kernels and boot entries don't enable the debug-shell, check
-that <html:code>systemd.debug-shell=1</html:code> is not present in <html:code>/etc/kernel/cmdline</html:code>.</xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_UAU.1</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>This prevents attackers with physical access from trivially bypassing security
-on the machine through valid troubleshooting configurations and gaining root
-access when the system is rebooted.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-zipl_systemd_debug-shell_argument_absent:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-zipl_systemd_debug-shell_argument_absent_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_zipl_vsyscall_argument" severity="medium">
-            <xccdf-1.2:title>Disable vsyscalls in zIPL</xccdf-1.2:title>
-            <xccdf-1.2:description>To disable use of virtual syscalls,
-check that all boot entries in <html:code>/boot/loader/entries/*.conf</html:code> have <html:code>vsyscall=none</html:code>
-included in its options.<html:br/>
-To ensure that new kernels and boot entries continue to disable virtual syscalls,
-add <html:code>vsyscall=none</html:code> to <html:code>/etc/kernel/cmdline</html:code>.</xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FPT_ASLR_EXT.1</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Virtual Syscalls provide an opportunity of attack for a user who has control
-of the return instruction pointer.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-zipl_vsyscall_argument:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-zipl_vsyscall_argument_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-        </xccdf-1.2:Group>
-        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_entropy">
-          <xccdf-1.2:title>Protect Random-Number Entropy Pool</xccdf-1.2:title>
-          <xccdf-1.2:description>The I/O operations of the Linux kernel block layer due to their inherently
-unpredictable execution times have been traditionally considered as a reliable
-source to contribute to random-number entropy pool of the Linux kernel. This
-has changed with introduction of solid-state storage devices (SSDs) though.</xccdf-1.2:description>
-          <xccdf-1.2:platform idref="#machine"/>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kernel_disable_entropy_contribution_for_solid_state_drives" severity="medium">
-            <xccdf-1.2:title>Ensure Solid State Drives Do Not Contribute To Random-Number Entropy Pool</xccdf-1.2:title>
-            <xccdf-1.2:description>For each solid-state drive on the system, run:
-<html:pre> # echo 0 &gt; /sys/block/DRIVE/queue/add_random</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:rationale>In contrast to traditional electromechanical magnetic disks, containing
-spinning disks and / or movable read / write heads, the solid-state storage
-devices (SSDs) do not contain moving / mechanical components. Therefore the
-I/O operation completion times are much more predictable for them.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-          </xccdf-1.2:Rule>
-        </xccdf-1.2:Group>
-        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_kernel_build_config">
-          <xccdf-1.2:title>Kernel Configuration</xccdf-1.2:title>
-          <xccdf-1.2:description>Contains rules that check the kernel configuration that was used to build it.</xccdf-1.2:description>
-          <xccdf-1.2:platform idref="#machine"/>
-          <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_kernel_config_module_sig_hash" type="string">
-            <xccdf-1.2:title>Hash function for kernel module signing</xccdf-1.2:title>
-            <xccdf-1.2:description>The hash function to use when signing modules during kernel build process.</xccdf-1.2:description>
-            <xccdf-1.2:value>sha512</xccdf-1.2:value>
-            <xccdf-1.2:value selector="sha1">sha1</xccdf-1.2:value>
-            <xccdf-1.2:value selector="sha224">sha224</xccdf-1.2:value>
-            <xccdf-1.2:value selector="sha256">sha256</xccdf-1.2:value>
-            <xccdf-1.2:value selector="sha384">sha384</xccdf-1.2:value>
-            <xccdf-1.2:value selector="sha512">sha512</xccdf-1.2:value>
-          </xccdf-1.2:Value>
-          <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_kernel_config_module_sig_key" type="string" interactive="true">
-            <xccdf-1.2:title>Key and certificate for kernel module signing</xccdf-1.2:title>
-            <xccdf-1.2:description>The private key and certificate to use when signing modules during kernel build process.
-On systems where the OpenSSL ENGINE_pkcs11 is functional &#x2014; a PKCS#11 URI as defined by RFC7512
-In the latter case, the PKCS#11 URI should reference both a certificate and a private key.</xccdf-1.2:description>
-            <xccdf-1.2:value>certs/signing_key.pem</xccdf-1.2:value>
-            <xccdf-1.2:value selector="kernel_default">certs/signing_key.pem</xccdf-1.2:value>
-          </xccdf-1.2:Value>
-          <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_kernel_config_panic_timeout" type="string" interactive="true">
-            <xccdf-1.2:title>Kernel panic timeout</xccdf-1.2:title>
-            <xccdf-1.2:description>The time, in seconds, to wait until a reboot occurs.
-If the value is <html:code>0</html:code> the system never reboots.
-If the value is less than <html:code>0</html:code> the system reboots immediately.</xccdf-1.2:description>
-            <xccdf-1.2:value>0</xccdf-1.2:value>
-            <xccdf-1.2:value selector="never">0</xccdf-1.2:value>
-            <xccdf-1.2:value selector="5_minutes">300</xccdf-1.2:value>
-            <xccdf-1.2:value selector="1_minute">60</xccdf-1.2:value>
-            <xccdf-1.2:value selector="immediately">-1</xccdf-1.2:value>
-          </xccdf-1.2:Value>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kernel_config_acpi_custom_method" severity="low">
-            <xccdf-1.2:title>Do not allow ACPI methods to be inserted/replaced at run time</xccdf-1.2:title>
-            <xccdf-1.2:description>This debug facility allows ACPI AML methods to be inserted and/or replaced without rebooting
-the system.
-This configuration is available from kernel 3.0.
-
-The configuration that was used to build kernel is available at <html:code>/boot/config-*</html:code>.
-    To check the configuration value for <html:code>CONFIG_ACPI_CUSTOM_METHOD</html:code>, run the following command:
-    <html:code>grep CONFIG_ACPI_CUSTOM_METHOD /boot/config-*</html:code>
-    
-    Configs with value 'n' are not explicitly set in the file, so either commented lines or no
-    lines should be returned.
-    </xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.</xccdf-1.2:warning>
-            <xccdf-1.2:rationale>Enabling this feature allows arbitrary kernel memory to be written to by root (uid=0) users,
-allowing them to bypass certain security measures</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-kernel_config_acpi_custom_method:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-kernel_config_acpi_custom_method_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kernel_config_binfmt_misc" severity="medium">
-            <xccdf-1.2:title>Disable kernel support for MISC binaries</xccdf-1.2:title>
-            <xccdf-1.2:description>Enabling <html:code>CONFIG_BINFMT_MISC</html:code> makes it possible to plug wrapper-driven binary formats
-into the kernel. This is specially useful for programs that need an interpreter to run like
-Java, Python and DOS emulators. Once you have registered such a binary class with the kernel,
-you can start one of those programs simply by typing in its name at a shell prompt.
-
-The configuration that was used to build kernel is available at <html:code>/boot/config-*</html:code>.
-    To check the configuration value for <html:code>CONFIG_BINFMT_MISC</html:code>, run the following command:
-    <html:code>grep CONFIG_BINFMT_MISC /boot/config-*</html:code>
-    
-    Configs with value 'n' are not explicitly set in the file, so either commented lines or no
-    lines should be returned.
-    </xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.</xccdf-1.2:warning>
-            <xccdf-1.2:rationale>This disables arbitrary binary format support and helps reduce attack surface.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-kernel_config_binfmt_misc:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-kernel_config_binfmt_misc_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kernel_config_bug" severity="medium">
-            <xccdf-1.2:title>Enable support for BUG()</xccdf-1.2:title>
-            <xccdf-1.2:description>Disabling this option eliminates support for BUG and WARN, reducing the size of your kernel
-image and potentially quietly ignoring numerous fatal conditions. You should only consider
-disabling this option for embedded systems with no facilities for reporting errors.
-
-The configuration that was used to build kernel is available at <html:code>/boot/config-*</html:code>.
-    To check the configuration value for <html:code>CONFIG_BUG</html:code>, run the following command:
-    <html:code>grep CONFIG_BUG /boot/config-*</html:code>
-    
-    For each kernel installed, a line with value "y" should be returned.
-    </xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.</xccdf-1.2:warning>
-            <xccdf-1.2:rationale>Not setting this variable may hide a number of critical errors.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-kernel_config_bug:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-kernel_config_bug_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kernel_config_compat_brk" severity="medium">
-            <xccdf-1.2:title>Disable compatibility with brk()</xccdf-1.2:title>
-            <xccdf-1.2:description>Enabling compatiliby with <html:code>brk()</html:code> allows legacy binaries to run (i.e. those linked
-against libc5). But this compatibility comes at the cost of not being able to randomize
-the heap placement (ASLR).
-
-Unless legacy binaries need to run on the system, set <html:code>CONFIG_COMPAT_BRK</html:code> to <html:code>"n"</html:code>.
-
-The configuration that was used to build kernel is available at <html:code>/boot/config-*</html:code>.
-    To check the configuration value for <html:code>CONFIG_COMPAT_BRK</html:code>, run the following command:
-    <html:code>grep CONFIG_COMPAT_BRK /boot/config-*</html:code>
-    
-    Configs with value 'n' are not explicitly set in the file, so either commented lines or no
-    lines should be returned.
-    </xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.</xccdf-1.2:warning>
-            <xccdf-1.2:rationale>Enabling compatibility with brk() disables support for ASLR.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-kernel_config_compat_brk:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-kernel_config_compat_brk_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kernel_config_compat_vdso" severity="low">
-            <xccdf-1.2:title>Disable the 32-bit vDSO</xccdf-1.2:title>
-            <xccdf-1.2:description>Certain buggy versions of glibc (2.3.3) will crash if they are presented with a 32-bit vDSO
-that is not mapped at the address indicated in its segment table.
-Setting <html:code>CONFIG_COMPAT_VDSO</html:code> to <html:code>y</html:code> turns off the 32-bit VDSO and works
-aroud the glibc bug.
-
-The configuration that was used to build kernel is available at <html:code>/boot/config-*</html:code>.
-    To check the configuration value for <html:code>CONFIG_COMPAT_VDSO</html:code>, run the following command:
-    <html:code>grep CONFIG_COMPAT_VDSO /boot/config-*</html:code>
-    
-    Configs with value 'n' are not explicitly set in the file, so either commented lines or no
-    lines should be returned.
-    </xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.</xccdf-1.2:warning>
-            <xccdf-1.2:rationale>Enabling VDSO compatibility hurts performance and disables ASLR.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-kernel_config_compat_vdso:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-kernel_config_compat_vdso_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kernel_config_debug_credentials" severity="low">
-            <xccdf-1.2:title>Enable checks on credential management</xccdf-1.2:title>
-            <xccdf-1.2:description>Enable this to turn on some debug checking for credential management. The additional code keeps
-track of the number of pointers from task_structs to any given cred struct, and checks to see
-that this number never exceeds the usage count of the cred struct.
-
-Furthermore, if SELinux is enabled, this also checks that the security pointer in the cred
-struct is never seen to be invalid.
-
-The configuration that was used to build kernel is available at <html:code>/boot/config-*</html:code>.
-    To check the configuration value for <html:code>CONFIG_DEBUG_CREDENTIALS</html:code>, run the following command:
-    <html:code>grep CONFIG_DEBUG_CREDENTIALS /boot/config-*</html:code>
-    
-    For each kernel installed, a line with value "y" should be returned.
-    </xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.</xccdf-1.2:warning>
-            <xccdf-1.2:rationale>This adds sanity checks and validations to credential data structures.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-kernel_config_debug_credentials:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-kernel_config_debug_credentials_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kernel_config_debug_fs" severity="low">
-            <xccdf-1.2:title>Disable kernel debugfs</xccdf-1.2:title>
-            <xccdf-1.2:description><html:code>debugfs</html:code> is a virtual file system that kernel developers use to put debugging files
-into. Enable this option to be able to read and write to these files.
-
-The configuration that was used to build kernel is available at <html:code>/boot/config-*</html:code>.
-    To check the configuration value for <html:code>CONFIG_DEBUG_FS</html:code>, run the following command:
-    <html:code>grep CONFIG_DEBUG_FS /boot/config-*</html:code>
-    
-    Configs with value 'n' are not explicitly set in the file, so either commented lines or no
-    lines should be returned.
-    </xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.</xccdf-1.2:warning>
-            <xccdf-1.2:rationale>To reduce the attack surface, this file system should be disabled if not in use.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-kernel_config_debug_fs:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-kernel_config_debug_fs_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kernel_config_debug_list" severity="low">
-            <xccdf-1.2:title>Enable checks on linked list manipulation</xccdf-1.2:title>
-            <xccdf-1.2:description>Enable this to turn on extended checks in the linked-list walking routines.
-
-The configuration that was used to build kernel is available at <html:code>/boot/config-*</html:code>.
-    To check the configuration value for <html:code>CONFIG_DEBUG_LIST</html:code>, run the following command:
-    <html:code>grep CONFIG_DEBUG_LIST /boot/config-*</html:code>
-    
-    For each kernel installed, a line with value "y" should be returned.
-    </xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.</xccdf-1.2:warning>
-            <xccdf-1.2:rationale>This add sanity checks to manipulation of linked lists structures in the kernel and may
-prevent exploits such as CVE-2017-1661, where a race condition and simultaneos operations
-caused a list to corrupt.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-kernel_config_debug_list:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-kernel_config_debug_list_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kernel_config_debug_notifiers" severity="low">
-            <xccdf-1.2:title>Enable checks on notifier call chains</xccdf-1.2:title>
-            <xccdf-1.2:description>Enable this to turn on sanity checking for notifier call chains. This is most useful for kernel
-developers to make sure that modules properly unregister themselves from notifier chains.
-
-The configuration that was used to build kernel is available at <html:code>/boot/config-*</html:code>.
-    To check the configuration value for <html:code>CONFIG_DEBUG_NOTIFIERS</html:code>, run the following command:
-    <html:code>grep CONFIG_DEBUG_NOTIFIERS /boot/config-*</html:code>
-    
-    For each kernel installed, a line with value "y" should be returned.
-    </xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.</xccdf-1.2:warning>
-            <xccdf-1.2:rationale>This provides validation of notifier chains, it checks whether the notifiers are from the
-kernel or a module that is still loaded prior to being invoked.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-kernel_config_debug_notifiers:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-kernel_config_debug_notifiers_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kernel_config_debug_sg" severity="low">
-            <xccdf-1.2:title>Enable checks on scatter-gather (SG) table operations</xccdf-1.2:title>
-            <xccdf-1.2:description>Scatter-gather tables are mechanism used for high performance I/O on DMA devices.
-Enable this to turn on checks on scatter-gather tables.
-
-The configuration that was used to build kernel is available at <html:code>/boot/config-*</html:code>.
-    To check the configuration value for <html:code>CONFIG_DEBUG_SG</html:code>, run the following command:
-    <html:code>grep CONFIG_DEBUG_SG /boot/config-*</html:code>
-    
-    For each kernel installed, a line with value "y" should be returned.
-    </xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.</xccdf-1.2:warning>
-            <xccdf-1.2:rationale>This can help find problems with drivers that do not properly initialize their SG tables.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-kernel_config_debug_sg:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-kernel_config_debug_sg_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kernel_config_default_mmap_min_addr" severity="medium">
-            <xccdf-1.2:title>Configure low address space to protect from user allocation</xccdf-1.2:title>
-            <xccdf-1.2:description>This is the portion of low virtual memory which should be protected from userspace allocation.
-This configuration is available from kernel 3.14, but may be available if backported
-by distros.
-
-The configuration that was used to build kernel is available at <html:code>/boot/config-*</html:code>.
-    To check the configuration value for <html:code>CONFIG_DEFAULT_MMAP_MIN_ADDR</html:code>, run the following command:
-    <html:code>grep CONFIG_DEFAULT_MMAP_MIN_ADDR /boot/config-*</html:code>
-    
-    For each kernel installed, a line with value "65536" should be returned.
-    </xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.</xccdf-1.2:warning>
-            <xccdf-1.2:rationale>Keeping a user from writing to low pages can help reduce the impact of kernel NULL pointer bugs.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-kernel_config_default_mmap_min_addr:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-kernel_config_default_mmap_min_addr_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kernel_config_devkmem" severity="low">
-            <xccdf-1.2:title>Disable /dev/kmem virtual device support</xccdf-1.2:title>
-            <xccdf-1.2:description>Disable support for the /dev/kmem device.
-
-The configuration that was used to build kernel is available at <html:code>/boot/config-*</html:code>.
-    To check the configuration value for <html:code>CONFIG_DEVKMEM</html:code>, run the following command:
-    <html:code>grep CONFIG_DEVKMEM /boot/config-*</html:code>
-    
-    Configs with value 'n' are not explicitly set in the file, so either commented lines or no
-    lines should be returned.
-    </xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.</xccdf-1.2:warning>
-            <xccdf-1.2:rationale>The /dev/kmem device is rarely used, but can be used for certain kind of kernel debugging
-operations.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-kernel_config_devkmem:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-kernel_config_devkmem_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kernel_config_hibernation" severity="medium">
-            <xccdf-1.2:title>Disable hibernation</xccdf-1.2:title>
-            <xccdf-1.2:description>Enable the suspend to disk (STD) functionality, which is usually called "hibernation" in user
-interfaces. STD checkpoints the system and powers it off; and restores that checkpoint on
-reboot.
-
-The configuration that was used to build kernel is available at <html:code>/boot/config-*</html:code>.
-    To check the configuration value for <html:code>CONFIG_HIBERNATION</html:code>, run the following command:
-    <html:code>grep CONFIG_HIBERNATION /boot/config-*</html:code>
-    
-    Configs with value 'n' are not explicitly set in the file, so either commented lines or no
-    lines should be returned.
-    </xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.</xccdf-1.2:warning>
-            <xccdf-1.2:rationale>Suspending to disk allows one to replace the running kernel.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-kernel_config_hibernation:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-kernel_config_hibernation_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kernel_config_ia32_emulation" severity="medium">
-            <xccdf-1.2:title>Disable IA32 emulation</xccdf-1.2:title>
-            <xccdf-1.2:description>Disables support for legacy 32-bit programs under a 64-bit kernel.
-
-The configuration that was used to build kernel is available at <html:code>/boot/config-*</html:code>.
-    To check the configuration value for <html:code>CONFIG_IA32_EMULATION</html:code>, run the following command:
-    <html:code>grep CONFIG_IA32_EMULATION /boot/config-*</html:code>
-    
-    Configs with value 'n' are not explicitly set in the file, so either commented lines or no
-    lines should be returned.
-    </xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.</xccdf-1.2:warning>
-            <xccdf-1.2:warning category="general">Only disable support for 32-bit programs if you are sure you don't need any 32-bit program.</xccdf-1.2:warning>
-            <xccdf-1.2:rationale>Disabling 32-bit backwards compatibility helps reduce the attack surface.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-kernel_config_ia32_emulation:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-kernel_config_ia32_emulation_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kernel_config_ipv6" severity="medium">
-            <xccdf-1.2:title>Disable the IPv6 protocol</xccdf-1.2:title>
-            <xccdf-1.2:description>Disable support for IP version 6 (IPv6).
-
-The configuration that was used to build kernel is available at <html:code>/boot/config-*</html:code>.
-    To check the configuration value for <html:code>CONFIG_IPV6</html:code>, run the following command:
-    <html:code>grep CONFIG_IPV6 /boot/config-*</html:code>
-    
-    Configs with value 'n' are not explicitly set in the file, so either commented lines or no
-    lines should be returned.
-    </xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.</xccdf-1.2:warning>
-            <xccdf-1.2:rationale>Any unnecessary network stacks, including IPv6, should be disabled to reduce
-the vulnerability to exploitation.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-kernel_config_ipv6:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-kernel_config_ipv6_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kernel_config_kexec" severity="low">
-            <xccdf-1.2:title>Disable kexec system call</xccdf-1.2:title>
-            <xccdf-1.2:description><html:code>kexec</html:code> is a system call that implements the ability to shutdown your current kernel,
-and to start another kernel. It is like a reboot but it is independent of the system firmware.
-And like a reboot you can start any kernel with it, not just Linux.
-
-The configuration that was used to build kernel is available at <html:code>/boot/config-*</html:code>.
-    To check the configuration value for <html:code>CONFIG_KEXEC</html:code>, run the following command:
-    <html:code>grep CONFIG_KEXEC /boot/config-*</html:code>
-    
-    Configs with value 'n' are not explicitly set in the file, so either commented lines or no
-    lines should be returned.
-    </xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.</xccdf-1.2:warning>
-            <xccdf-1.2:rationale>Prohibits the execution of a new kernel image after reboot.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-kernel_config_kexec:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-kernel_config_kexec_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kernel_config_legacy_ptys" severity="medium">
-            <xccdf-1.2:title>Disable legacy (BSD) PTY support</xccdf-1.2:title>
-            <xccdf-1.2:description>Disable the Linux traditional BSD-like terminal names /dev/ptyxx for masters and /dev/ttyxx for
-slaves of pseudo terminals, and use only the modern ptys (devpts) interface.
-
-The configuration that was used to build kernel is available at <html:code>/boot/config-*</html:code>.
-    To check the configuration value for <html:code>CONFIG_LEGACY_PTYS</html:code>, run the following command:
-    <html:code>grep CONFIG_LEGACY_PTYS /boot/config-*</html:code>
-    
-    Configs with value 'n' are not explicitly set in the file, so either commented lines or no
-    lines should be returned.
-    </xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.</xccdf-1.2:warning>
-            <xccdf-1.2:rationale>The legacy scheme has a number of security problems.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-kernel_config_legacy_ptys:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-kernel_config_legacy_ptys_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kernel_config_module_sig" severity="medium">
-            <xccdf-1.2:title>Enable module signature verification</xccdf-1.2:title>
-            <xccdf-1.2:description>Check modules for valid signatures upon load.
-Note that this option adds the OpenSSL development packages as a kernel build dependency so
-that the signing tool can use its crypto library.
-
-The configuration that was used to build kernel is available at <html:code>/boot/config-*</html:code>.
-    To check the configuration value for <html:code>CONFIG_MODULE_SIG</html:code>, run the following command:
-    <html:code>grep CONFIG_MODULE_SIG /boot/config-*</html:code>
-    
-    For each kernel installed, a line with value "y" should be returned.
-    </xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.</xccdf-1.2:warning>
-            <xccdf-1.2:rationale>Loaded modules must be signed.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-kernel_config_module_sig:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-kernel_config_module_sig_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kernel_config_module_sig_all" severity="medium">
-            <xccdf-1.2:title>Enable automatic signing of all modules</xccdf-1.2:title>
-            <xccdf-1.2:description>Sign all modules during make modules_install. Without this option, modules must be signed
-manually, using the scripts/sign-file tool.
-
-The configuration that was used to build kernel is available at <html:code>/boot/config-*</html:code>.
-    To check the configuration value for <html:code>CONFIG_MODULE_SIG_ALL</html:code>, run the following command:
-    <html:code>grep CONFIG_MODULE_SIG_ALL /boot/config-*</html:code>
-    
-    For each kernel installed, a line with value "y" should be returned.
-    </xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.</xccdf-1.2:warning>
-            <xccdf-1.2:rationale>This ensures the modules are signed during install process.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-kernel_config_module_sig_all:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-kernel_config_module_sig_all_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kernel_config_module_sig_force" severity="medium">
-            <xccdf-1.2:title>Require modules to be validly signed</xccdf-1.2:title>
-            <xccdf-1.2:description>Reject unsigned modules or signed modules with an unknown key.
-
-The configuration that was used to build kernel is available at <html:code>/boot/config-*</html:code>.
-    To check the configuration value for <html:code>CONFIG_MODULE_SIG_FORCE</html:code>, run the following command:
-    <html:code>grep CONFIG_MODULE_SIG_FORCE /boot/config-*</html:code>
-    
-    For each kernel installed, a line with value "y" should be returned.
-    </xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.</xccdf-1.2:warning>
-            <xccdf-1.2:rationale>Prevent loading modules that are unsigned or signed with an unknown key.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-kernel_config_module_sig_force:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-kernel_config_module_sig_force_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kernel_config_module_sig_hash" severity="medium">
-            <xccdf-1.2:title>Specify the hash to use when signing modules</xccdf-1.2:title>
-            <xccdf-1.2:description>This configures the kernel to build and sign modules using
-<xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_kernel_config_module_sig_hash" use="legacy"/> as the hash function.
-
-The configuration that was used to build kernel is available at <html:code>/boot/config-*</html:code>.
-    To check the configuration value for <html:code>CONFIG_MODULE_SIG_HASH</html:code>, run the following command:
-    <html:code>grep CONFIG_MODULE_SIG_HASH /boot/config-*</html:code>
-    
-    For each kernel installed, a line with value "<xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_kernel_config_module_sig_hash" use="legacy"/>" should be returned.
-    </xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.</xccdf-1.2:warning>
-            <xccdf-1.2:rationale>Use of strong hash function is important to secure the module against counterfeit signatures.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-export export-name="oval:ssg-var_kernel_config_module_sig_hash:var:1" value-id="xccdf_org.ssgproject.content_value_var_kernel_config_module_sig_hash"/>
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-kernel_config_module_sig_hash:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-kernel_config_module_sig_hash_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kernel_config_module_sig_key" severity="medium">
-            <xccdf-1.2:title>Specify module signing key to use</xccdf-1.2:title>
-            <xccdf-1.2:description>Setting this option to something other than its default of <html:code>certs/signing_key.pem</html:code> will
-disable the autogeneration of signing keys and allow the kernel modules to be signed with a key
-of your choosing.
-
-The string provided should identify a file containing both a private key and
-its corresponding X.509 certificate in PEM form, or &#x2014; on systems where the OpenSSL ENGINE_pkcs11
-is functional &#x2014; a PKCS#11 URI as defined by RFC7512. In the latter case, the PKCS#11 URI should
-reference both a certificate and a private key.
-
-The configuration that was used to build kernel is available at <html:code>/boot/config-*</html:code>.
-    To check the configuration value for <html:code>CONFIG_MODULE_SIG_KEY</html:code>, run the following command:
-    <html:code>grep CONFIG_MODULE_SIG_KEY /boot/config-*</html:code>
-    
-    For each kernel installed, a line with value "<xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_kernel_config_module_sig_key" use="legacy"/>" should be returned.
-    </xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.</xccdf-1.2:warning>
-            <xccdf-1.2:rationale>A key and certificate is required to sign the built modules.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-export export-name="oval:ssg-var_kernel_config_module_sig_key:var:1" value-id="xccdf_org.ssgproject.content_value_var_kernel_config_module_sig_key"/>
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-kernel_config_module_sig_key:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-kernel_config_module_sig_key_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kernel_config_module_sig_sha512" severity="medium">
-            <xccdf-1.2:title>Sign kernel modules with SHA-512</xccdf-1.2:title>
-            <xccdf-1.2:description>This configures the kernel to build and sign modules using SHA512 as the hash function.
-
-The configuration that was used to build kernel is available at <html:code>/boot/config-*</html:code>.
-    To check the configuration value for <html:code>CONFIG_MODULE_SIG_SHA512</html:code>, run the following command:
-    <html:code>grep CONFIG_MODULE_SIG_SHA512 /boot/config-*</html:code>
-    
-    For each kernel installed, a line with value "y" should be returned.
-    </xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.</xccdf-1.2:warning>
-            <xccdf-1.2:rationale>Use of strong hash function is important to secure the module against counterfeit signatures.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-kernel_config_module_sig_sha512:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-kernel_config_module_sig_sha512_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kernel_config_page_poisoning_no_sanity" severity="medium">
-            <xccdf-1.2:title>Enable poison without sanity check</xccdf-1.2:title>
-            <xccdf-1.2:description>Skip the sanity checking on alloc, only fill the pages with poison on free. This reduces some
-of the overhead of the poisoning feature.
-This configuration is available from kernel 4.6.
-
-The configuration that was used to build kernel is available at <html:code>/boot/config-*</html:code>.
-    To check the configuration value for <html:code>CONFIG_PAGE_POISONING_NO_SANITY</html:code>, run the following command:
-    <html:code>grep CONFIG_PAGE_POISONING_NO_SANITY /boot/config-*</html:code>
-    
-    For each kernel installed, a line with value "y" should be returned.
-    </xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.</xccdf-1.2:warning>
-            <xccdf-1.2:rationale>This configuration helps alleviates the performance impact of poisonining.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-kernel_config_page_poisoning_no_sanity:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-kernel_config_page_poisoning_no_sanity_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kernel_config_page_poisoning_zero" severity="medium">
-            <xccdf-1.2:title>Use zero for poisoning instead of debugging value</xccdf-1.2:title>
-            <xccdf-1.2:description>Instead of using the existing poison value, fill the pages with zeros. This makes it harder to
-detect when errors are occurring due to sanitization but the zeroing at free means that it is
-no longer necessary to write zeros when GFP_ZERO is used on allocation.
-This configuration is available from kernel 4.19.
-
-The configuration that was used to build kernel is available at <html:code>/boot/config-*</html:code>.
-    To check the configuration value for <html:code>CONFIG_PAGE_POISONING_ZERO</html:code>, run the following command:
-    <html:code>grep CONFIG_PAGE_POISONING_ZERO /boot/config-*</html:code>
-    
-    For each kernel installed, a line with value "y" should be returned.
-    </xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.</xccdf-1.2:warning>
-            <xccdf-1.2:rationale>This configuration helps alleviates the performance impact of poisonining.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-kernel_config_page_poisoning_zero:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-kernel_config_page_poisoning_zero_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kernel_config_page_table_isolation" severity="high">
-            <xccdf-1.2:title>Remove the kernel mapping in user mode</xccdf-1.2:title>
-            <xccdf-1.2:description>This feature reduces the number of hardware side channels by ensuring that the majority of
-kernel addresses are not mapped into userspace.
-This configuration is available from kernel 4.15, but may be available if backported
-by distros.
-
-The configuration that was used to build kernel is available at <html:code>/boot/config-*</html:code>.
-    To check the configuration value for <html:code>CONFIG_PAGE_TABLE_ISOLATION</html:code>, run the following command:
-    <html:code>grep CONFIG_PAGE_TABLE_ISOLATION /boot/config-*</html:code>
-    
-    For each kernel installed, a line with value "y" should be returned.
-    </xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.</xccdf-1.2:warning>
-            <xccdf-1.2:rationale>This is a countermeasure to the Meltdown attack.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-kernel_config_page_table_isolation:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-kernel_config_page_table_isolation_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kernel_config_panic_on_oops" severity="medium">
-            <xccdf-1.2:title>Kernel panic oops</xccdf-1.2:title>
-            <xccdf-1.2:description>Enable the kernel to panic when it oopses.
-This has the same effect as setting oops=panic on the kernel command line.
-
-The configuration that was used to build kernel is available at <html:code>/boot/config-*</html:code>.
-    To check the configuration value for <html:code>CONFIG_PANIC_ON_OOPS</html:code>, run the following command:
-    <html:code>grep CONFIG_PANIC_ON_OOPS /boot/config-*</html:code>
-    
-    For each kernel installed, a line with value "y" should be returned.
-    </xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.</xccdf-1.2:warning>
-            <xccdf-1.2:rationale>This feature ensures that the kernel does not do anything erroneous after an oops which
-could result in data corruption or other issues.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-kernel_config_panic_on_oops:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-kernel_config_panic_on_oops_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kernel_config_panic_timeout" severity="medium">
-            <xccdf-1.2:title>Kernel panic timeout</xccdf-1.2:title>
-            <xccdf-1.2:description>Set the timeout value (in seconds) until a reboot occurs when the kernel panics.
-A timeout of 0 configures the system to wait forever. With a timeout value greater than 0,
-the system will wait the specified amount of seconds before rebooting. While a timeout value
-less than 0 makes the system reboot immediately.
-
-The configuration that was used to build kernel is available at <html:code>/boot/config-*</html:code>.
-    To check the configuration value for <html:code>CONFIG_PANIC_TIMEOUT</html:code>, run the following command:
-    <html:code>grep CONFIG_PANIC_TIMEOUT /boot/config-*</html:code>
-    
-    For each kernel installed, a line with value "<xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_kernel_config_panic_timeout" use="legacy"/>" should be returned.
-    </xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.</xccdf-1.2:warning>
-            <xccdf-1.2:rationale>This is required to enable protection against Spectre v2.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-export export-name="oval:ssg-var_kernel_config_panic_timeout:var:1" value-id="xccdf_org.ssgproject.content_value_var_kernel_config_panic_timeout"/>
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-kernel_config_panic_timeout:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-kernel_config_panic_timeout_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kernel_config_proc_kcore" severity="low">
-            <xccdf-1.2:title>Disable support for /proc/kkcore</xccdf-1.2:title>
-            <xccdf-1.2:description>Provides a virtual ELF core file of the live kernel.
-
-The configuration that was used to build kernel is available at <html:code>/boot/config-*</html:code>.
-    To check the configuration value for <html:code>CONFIG_PROC_KCORE</html:code>, run the following command:
-    <html:code>grep CONFIG_PROC_KCORE /boot/config-*</html:code>
-    
-    Configs with value 'n' are not explicitly set in the file, so either commented lines or no
-    lines should be returned.
-    </xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.</xccdf-1.2:warning>
-            <xccdf-1.2:rationale>This feature exposes the memory to the userspace and can assist an attacker in discovering
-attack vectors.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-kernel_config_proc_kcore:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-kernel_config_proc_kcore_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kernel_config_randomize_base" severity="medium">
-            <xccdf-1.2:title>Randomize the address of the kernel image (KASLR)</xccdf-1.2:title>
-            <xccdf-1.2:description>In support of Kernel Address Space Layout Randomization (KASLR), this randomizes the physical
-address at which the kernel image is decompressed and the virtual address where the kernel
-image is mapped.
-
-The configuration that was used to build kernel is available at <html:code>/boot/config-*</html:code>.
-    To check the configuration value for <html:code>CONFIG_RANDOMIZE_BASE</html:code>, run the following command:
-    <html:code>grep CONFIG_RANDOMIZE_BASE /boot/config-*</html:code>
-    
-    For each kernel installed, a line with value "y" should be returned.
-    </xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.</xccdf-1.2:warning>
-            <xccdf-1.2:rationale>An unpredictable kernel address makes it more difficult to succeed with exploits that rely on
-knowledge of the location of kernel code internals.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-kernel_config_randomize_base:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-kernel_config_randomize_base_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kernel_config_randomize_memory" severity="medium">
-            <xccdf-1.2:title>Randomize the kernel memory sections</xccdf-1.2:title>
-            <xccdf-1.2:description>Randomizes the base virtual address of kernel memory sections (physical memory mapping,
-vmalloc &amp; vmemmap).
-This configuration is available from kernel 4.8, but may be available if backported
-by distros.
-
-The configuration that was used to build kernel is available at <html:code>/boot/config-*</html:code>.
-    To check the configuration value for <html:code>CONFIG_RANDOMIZE_MEMORY</html:code>, run the following command:
-    <html:code>grep CONFIG_RANDOMIZE_MEMORY /boot/config-*</html:code>
-    
-    For each kernel installed, a line with value "y" should be returned.
-    </xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.</xccdf-1.2:warning>
-            <xccdf-1.2:rationale>This security feature makes exploits relying on predictable memory locations less reliable.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-kernel_config_randomize_memory:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-kernel_config_randomize_memory_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kernel_config_retpoline" severity="medium">
-            <xccdf-1.2:title>Avoid speculative indirect branches in kernel</xccdf-1.2:title>
-            <xccdf-1.2:description>Compile kernel with the retpoline compiler options to guard against kernel-to-user data leaks
-by avoiding speculative indirect branches.
-Requires a compiler with -mindirect-branch=thunk-extern support for full protection.
-The kernel may run slower.
-
-The configuration that was used to build kernel is available at <html:code>/boot/config-*</html:code>.
-    To check the configuration value for <html:code>CONFIG_RETPOLINE</html:code>, run the following command:
-    <html:code>grep CONFIG_RETPOLINE /boot/config-*</html:code>
-    
-    For each kernel installed, a line with value "y" should be returned.
-    </xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.</xccdf-1.2:warning>
-            <xccdf-1.2:rationale>This is required to enable protection against Spectre v2.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-kernel_config_retpoline:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-kernel_config_retpoline_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kernel_config_seccomp" severity="medium">
-            <xccdf-1.2:title>Enable seccomp to safely compute untrusted bytecode</xccdf-1.2:title>
-            <xccdf-1.2:description>This kernel feature is useful for number crunching applications that may need to compute
-untrusted bytecode during their execution. By using pipes or other transports made available
-to the process as file descriptors supporting the read/write syscalls, it's possible to isolate
-those applications in their own address space using seccomp.
-
-The configuration that was used to build kernel is available at <html:code>/boot/config-*</html:code>.
-    To check the configuration value for <html:code>CONFIG_SECCOMP</html:code>, run the following command:
-    <html:code>grep CONFIG_SECCOMP /boot/config-*</html:code>
-    
-    For each kernel installed, a line with value "y" should be returned.
-    </xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.</xccdf-1.2:warning>
-            <xccdf-1.2:rationale><html:code>seccomp</html:code> enables the ability to filter system calls made by an application, effectively
-isolating the system's resources from it.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-kernel_config_seccomp:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-kernel_config_seccomp_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kernel_config_seccomp_filter" severity="medium">
-            <xccdf-1.2:title>Enable use of Berkeley Packet Filter with seccomp</xccdf-1.2:title>
-            <xccdf-1.2:description>Enable tasks to build secure computing environments defined in terms of Berkeley Packet Filter
-programs which implement task-defined system call filtering polices.
-
-The configuration that was used to build kernel is available at <html:code>/boot/config-*</html:code>.
-    To check the configuration value for <html:code>CONFIG_SECCOMP_FILTER</html:code>, run the following command:
-    <html:code>grep CONFIG_SECCOMP_FILTER /boot/config-*</html:code>
-    
-    For each kernel installed, a line with value "y" should be returned.
-    </xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.</xccdf-1.2:warning>
-            <xccdf-1.2:rationale>Use of BPF filters allows for expressive filtering of system calls using a filter program
-language with a long history of being exposed to userland.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-kernel_config_seccomp_filter:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-kernel_config_seccomp_filter_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kernel_config_security" severity="medium">
-            <xccdf-1.2:title>Enable different security models</xccdf-1.2:title>
-            <xccdf-1.2:description>This allows you to choose different security modules to be configured into your kernel.
-
-The configuration that was used to build kernel is available at <html:code>/boot/config-*</html:code>.
-    To check the configuration value for <html:code>CONFIG_SECURITY</html:code>, run the following command:
-    <html:code>grep CONFIG_SECURITY /boot/config-*</html:code>
-    
-    For each kernel installed, a line with value "y" should be returned.
-    </xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.</xccdf-1.2:warning>
-            <xccdf-1.2:rationale>This is enables kernel security primitives required by the LSM framework.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-kernel_config_security:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-kernel_config_security_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kernel_config_security_dmesg_restrict" severity="medium">
-            <xccdf-1.2:title>Restrict unprivileged access to the kernel syslog</xccdf-1.2:title>
-            <xccdf-1.2:description>Enforce restrictions on unprivileged users reading the kernel syslog via dmesg(8).
-
-The configuration that was used to build kernel is available at <html:code>/boot/config-*</html:code>.
-    To check the configuration value for <html:code>CONFIG_SECURITY_DMESG_RESTRICT</html:code>, run the following command:
-    <html:code>grep CONFIG_SECURITY_DMESG_RESTRICT /boot/config-*</html:code>
-    
-    Configs with value 'n' are not explicitly set in the file, so either commented lines or no
-    lines should be returned.
-    </xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.</xccdf-1.2:warning>
-            <xccdf-1.2:rationale>Prevents unprivileged users from retrieving kernel addresses with dmesg.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-kernel_config_security_dmesg_restrict:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-kernel_config_security_dmesg_restrict_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kernel_config_security_writable_hooks" severity="medium">
-            <xccdf-1.2:title>Disable mutable hooks</xccdf-1.2:title>
-            <xccdf-1.2:description>Ensure kernel structures associated with LSMs are always mapped as read-only after system boot.
-
-The configuration that was used to build kernel is available at <html:code>/boot/config-*</html:code>.
-    To check the configuration value for <html:code>CONFIG_SECURITY_WRITABLE_HOOKS</html:code>, run the following command:
-    <html:code>grep CONFIG_SECURITY_WRITABLE_HOOKS /boot/config-*</html:code>
-    
-    For each kernel installed, a line with value "y" should be returned.
-    </xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.</xccdf-1.2:warning>
-            <xccdf-1.2:rationale>If CONFIG_SECURITY_WRITABLE_HOOKS is enabled, then hooks can be loaded at runtime and
-being able to manipulate hooks is a way to bypass all LSMs.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-kernel_config_security_writable_hooks:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-kernel_config_security_writable_hooks_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kernel_config_security_yama" severity="medium">
-            <xccdf-1.2:title>Enable Yama support</xccdf-1.2:title>
-            <xccdf-1.2:description>This enables support for LSM module Yama, which extends DAC support with additional system-wide
-security settings beyond regular Linux discretionary access controls. The module will limit the
-use of the system call <html:code>ptrace()</html:code>.
-
-The configuration that was used to build kernel is available at <html:code>/boot/config-*</html:code>.
-    To check the configuration value for <html:code>CONFIG_SECURITY_YAMA</html:code>, run the following command:
-    <html:code>grep CONFIG_SECURITY_YAMA /boot/config-*</html:code>
-    
-    For each kernel installed, a line with value "y" should be returned.
-    </xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.</xccdf-1.2:warning>
-            <xccdf-1.2:rationale>Unrestricted usage of ptrace allows compromised binaries to run ptrace
-on another processes of the user.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-kernel_config_security_yama:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-kernel_config_security_yama_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kernel_config_slub_debug" severity="medium">
-            <xccdf-1.2:title>Enable SLUB debugging support</xccdf-1.2:title>
-            <xccdf-1.2:description>SLUB has extensive debug support features and this allows the allocator validation checking to
-be enabled.
-
-The configuration that was used to build kernel is available at <html:code>/boot/config-*</html:code>.
-    To check the configuration value for <html:code>CONFIG_SLUB_DEBUG</html:code>, run the following command:
-    <html:code>grep CONFIG_SLUB_DEBUG /boot/config-*</html:code>
-    
-    For each kernel installed, a line with value "y" should be returned.
-    </xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.</xccdf-1.2:warning>
-            <xccdf-1.2:rationale>This activates the checking of the memory allocator structures and resets to zero the zones
-allocated when they are released.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-kernel_config_slub_debug:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-kernel_config_slub_debug_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kernel_config_syn_cookies" severity="medium">
-            <xccdf-1.2:title>Enable TCP/IP syncookie support</xccdf-1.2:title>
-            <xccdf-1.2:description>Normal TCP/IP networking is open to an attack known as SYN flooding.
-It is denial-of-service attack that prevents legitimate remote users from being able to connect
-to your computer during an ongoing attack.
-
-When enabled the TCP/IP stack will use a cryptographic challenge protocol known as SYN cookies
-to enable legitimate users to continue to connect, even when your machine is under attack.
-
-The configuration that was used to build kernel is available at <html:code>/boot/config-*</html:code>.
-    To check the configuration value for <html:code>CONFIG_SYN_COOKIES</html:code>, run the following command:
-    <html:code>grep CONFIG_SYN_COOKIES /boot/config-*</html:code>
-    
-    For each kernel installed, a line with value "y" should be returned.
-    </xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.</xccdf-1.2:warning>
-            <xccdf-1.2:rationale>SYN cookies provide protection against SYN flooding attacks.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-kernel_config_syn_cookies:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-kernel_config_syn_cookies_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kernel_config_unmap_kernel_at_el0" severity="medium">
-            <xccdf-1.2:title>Unmap kernel when running in userspace (aka KAISER)</xccdf-1.2:title>
-            <xccdf-1.2:description>Speculation attacks against some high-performance processors can be used to bypass MMU
-permission checks and leak kernel data to userspace. This can be defended against by unmapping
-the kernel when running in userspace, mapping it back in on exception entry via a trampoline
-page in the vector table.
-This configuration is available from kernel 4.16, but may be available if backported
-by distros.
-The configuration that was used to build kernel is available at <html:code>/boot/config-*</html:code>.
-    To check the configuration value for <html:code>CONFIG_UNMAP_KERNEL_AT_EL0</html:code>, run the following command:
-    <html:code>grep CONFIG_UNMAP_KERNEL_AT_EL0 /boot/config-*</html:code>
-    
-    For each kernel installed, a line with value "y" should be returned.
-    </xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.</xccdf-1.2:warning>
-            <xccdf-1.2:rationale>This is a countermeasure to the Meltdown attack.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#aarch64_arch"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-kernel_config_unmap_kernel_at_el0:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-kernel_config_unmap_kernel_at_el0_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kernel_config_x86_vsyscall_emulation" severity="low">
-            <xccdf-1.2:title>Disable x86 vsyscall emulation</xccdf-1.2:title>
-            <xccdf-1.2:description>Disabling it is roughly equivalent to booting with vsyscall=none, except that it will also
-disable the helpful warning if a program tries to use a vsyscall. With this option set to N,
-offending programs will just segfault, citing addresses of the form 0xffffffffff600?00.
-This configuration is available from kernel 3.19.
-
-The configuration that was used to build kernel is available at <html:code>/boot/config-*</html:code>.
-    To check the configuration value for <html:code>CONFIG_X86_VSYSCALL_EMULATION</html:code>, run the following command:
-    <html:code>grep CONFIG_X86_VSYSCALL_EMULATION /boot/config-*</html:code>
-    
-    Configs with value 'n' are not explicitly set in the file, so either commented lines or no
-    lines should be returned.
-    </xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.</xccdf-1.2:warning>
-            <xccdf-1.2:rationale>The vsyscall table is no longer required and is a potential source of ROP gadgets.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-kernel_config_x86_vsyscall_emulation:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-kernel_config_x86_vsyscall_emulation_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_gcc_plugin">
-            <xccdf-1.2:title>Kernel GCC plugin configuration</xccdf-1.2:title>
-            <xccdf-1.2:description>Contains rules that check the configuration of GCC plugins used by the compiler</xccdf-1.2:description>
-            <xccdf-1.2:platform idref="#machine"/>
-          </xccdf-1.2:Group>
-        </xccdf-1.2:Group>
-        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_logging">
-          <xccdf-1.2:title>Configure Syslog</xccdf-1.2:title>
-          <xccdf-1.2:description>The syslog service has been the default Unix logging mechanism for
-many years. It has a number of downsides, including inconsistent log format,
-lack of authentication for received messages, and lack of authentication,
-encryption, or reliable transport for messages sent over a network. However,
-due to its long history, syslog is a de facto standard which is supported by
-almost all Unix applications.
-<html:br/>
-<html:br/>
-In Red Hat Enterprise Linux CoreOS 4, rsyslog has replaced ksyslogd as the
-syslog daemon of choice, and it includes some additional security features
-such as reliable, connection-oriented (i.e. TCP) transmission of logs, the
-option to log to database formats, and the encryption of log data en route to
-a central logging server.
-This section discusses how to configure rsyslog for
-best effect, and how to use tools provided with the system to maintain and
-monitor logs.</xccdf-1.2:description>
-          <xccdf-1.2:platform idref="#machine"/>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_package_rsyslog_installed" severity="medium">
-            <xccdf-1.2:title>Ensure rsyslog is Installed</xccdf-1.2:title>
-            <xccdf-1.2:description>Rsyslog is installed by default. The <html:code>rsyslog</html:code> package can be installed with the following command: <html:pre/></xccdf-1.2:description>
-            <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R5)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R46)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001311</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001312</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(ii)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FTP_ITC_EXT.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000479-GPOS-00224</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000051-GPOS-00024</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>The rsyslog package provides the rsyslog daemon, which provides
-system logging services.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-package_rsyslog_installed:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-package_rsyslog_installed_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_service_rsyslog_enabled" severity="medium">
-            <xccdf-1.2:title>Enable rsyslog Service</xccdf-1.2:title>
-            <xccdf-1.2:description>The <html:code>rsyslog</html:code> service provides syslog-style logging by default on Red Hat Enterprise Linux CoreOS 4.
-
-The <html:code>rsyslog</html:code> service can be enabled with the following manifest:
-<html:pre>
----
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-metadata:
-  labels:
-    machineconfiguration.openshift.io/role: master
-  name: 75-master-rsyslog-enable
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-      - name: rsyslog.service
-        enabled: true
-</html:pre>
-<html:p>
-This will enable the <html:code>rsyslog</html:code> service in all the
-nodes labeled with the "master" role.
-</html:p>
-<html:p>
-Note that this needs to be done for each <html:code>MachineConfigPool</html:code>
-</html:p>
-<html:p>
-For more information on how to configure nodes with the Machine Config
-Operator see
-<html:a href="https://docs.openshift.com/container-platform/4.6/post_installation_configuration/machine-configuration-tasks.html">the relevant documentation</html:a>.
-</html:p></xccdf-1.2:description>
-            <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R5)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R46)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI04.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001311</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001312</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001557</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001851</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(ii)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.17.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>The <html:code>rsyslog</html:code> service must be running in order to provide
-logging services, which are essential to system administration.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-service_rsyslog_enabled:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-service_rsyslog_enabled_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_configure_logwatch_on_logserver">
-            <xccdf-1.2:title>Configure Logwatch on the Central Log Server</xccdf-1.2:title>
-            <xccdf-1.2:description>Is this system the central log server? If so, edit the file <html:code>/etc/logwatch/conf/logwatch.conf</html:code> as shown below.</xccdf-1.2:description>
-            <xccdf-1.2:platform idref="#machine"/>
-          </xccdf-1.2:Group>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_ensure_rsyslog_log_file_configuration">
-            <xccdf-1.2:title>Ensure Proper Configuration of Log Files</xccdf-1.2:title>
-            <xccdf-1.2:description>The file <html:code>/etc/rsyslog.conf</html:code> controls where log message are written.
-These are controlled by lines called <html:i>rules</html:i>, which consist of a
-<html:i>selector</html:i> and an <html:i>action</html:i>.
-These rules are often customized depending on the role of the system, the
-requirements of the environment, and whatever may enable
-the administrator to most effectively make use of log data.
-The default rules in Red Hat Enterprise Linux CoreOS 4 are:
-<html:pre>*.info;mail.none;authpriv.none;cron.none                /var/log/messages
-authpriv.*                                              /var/log/secure
-mail.*                                                  -/var/log/maillog
-cron.*                                                  /var/log/cron
-*.emerg                                                 *
-uucp,news.crit                                          /var/log/spooler
-local7.*                                                /var/log/boot.log</html:pre>
-See the man page <html:code>rsyslog.conf(5)</html:code> for more information.
-<html:i>Note that the <html:code>rsyslog</html:code> daemon can be configured to use a timestamp format that
-some log processing programs may not understand. If this occurs,
-edit the file <html:code>/etc/rsyslog.conf</html:code> and add or edit the following line:</html:i>
-<html:pre>$ ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_file_groupowner_logfiles_value" type="string">
-              <xccdf-1.2:title>group who owns log files</xccdf-1.2:title>
-              <xccdf-1.2:description>Specify group owner of all logfiles specified in
-<html:code>/etc/rsyslog.conf.</html:code></xccdf-1.2:description>
-              <xccdf-1.2:value>root</xccdf-1.2:value>
-              <xccdf-1.2:value selector="adm">adm</xccdf-1.2:value>
-              <xccdf-1.2:value selector="root">root</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_file_owner_logfiles_value" type="string">
-              <xccdf-1.2:title>User who owns log files</xccdf-1.2:title>
-              <xccdf-1.2:description>Specify user owner of all logfiles specified in
-<html:code>/etc/rsyslog.conf</html:code>.</xccdf-1.2:description>
-              <xccdf-1.2:value>root</xccdf-1.2:value>
-              <xccdf-1.2:value selector="adm">adm</xccdf-1.2:value>
-              <xccdf-1.2:value selector="root">root</xccdf-1.2:value>
-              <xccdf-1.2:value selector="syslog">syslog</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdriverauthmode" severity="medium">
-              <xccdf-1.2:title>Ensure Rsyslog Authenticates Off-Loaded Audit Records</xccdf-1.2:title>
-              <xccdf-1.2:description>Rsyslogd is a system utility providing support for message logging. Support
-for both internet and UNIX domain sockets enables this utility to support both local
-and remote logging.  Couple this utility with <html:code>gnutls</html:code> (which is a secure communications
-library implementing the SSL, TLS and DTLS protocols), and you have a method to securely
-encrypt and off-load auditing.
-
-When using <html:code>rsyslogd</html:code> to off-load logs the remote system must be authenticated.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001851</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000342-GPOS-00133</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000479-GPOS-00224</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>The audit records generated by Rsyslog contain valuable information regarding system
-configuration, user authentication, and other such information. Audit records should be
-protected from unauthorized access.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-rsyslog_encrypt_offload_actionsendstreamdriverauthmode:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-rsyslog_encrypt_offload_actionsendstreamdriverauthmode_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdrivermode" severity="medium">
-              <xccdf-1.2:title>Ensure Rsyslog Encrypts Off-Loaded Audit Records</xccdf-1.2:title>
-              <xccdf-1.2:description>Rsyslogd is a system utility providing support for message logging. Support
-for both internet and UNIX domain sockets enables this utility to support both local
-and remote logging.  Couple this utility with <html:code>gnutls</html:code> (which is a secure communications
-library implementing the SSL, TLS and DTLS protocols), and you have a method to securely
-encrypt and off-load auditing.
-
-When using <html:code>rsyslogd</html:code> to off-load logs off a encrpytion system must be used.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001851</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000342-GPOS-00133</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000479-GPOS-00224</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>The audit records generated by Rsyslog contain valuable information regarding system
-configuration, user authentication, and other such information. Audit records should be
-protected from unauthorized access.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-rsyslog_encrypt_offload_actionsendstreamdrivermode:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-rsyslog_encrypt_offload_actionsendstreamdrivermode_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_defaultnetstreamdriver" severity="medium">
-              <xccdf-1.2:title>Ensure Rsyslog Encrypts Off-Loaded Audit Records</xccdf-1.2:title>
-              <xccdf-1.2:description>Rsyslogd is a system utility providing support for message logging. Support
-for both internet and UNIX domain sockets enables this utility to support both local
-and remote logging.  Couple this utility with <html:code>gnutls</html:code> (which is a secure communications
-library implementing the SSL, TLS and DTLS protocols), and you have a method to securely
-encrypt and off-load auditing.
-
-When using <html:code>rsyslogd</html:code> to off-load logs off an encryption system must be used.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001851</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000342-GPOS-00133</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000479-GPOS-00224</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>The audit records generated by Rsyslog contain valuable information regarding system
-configuration, user authentication, and other such information. Audit records should be
-protected from unauthorized access.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-rsyslog_encrypt_offload_defaultnetstreamdriver:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-rsyslog_encrypt_offload_defaultnetstreamdriver_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_rsyslog_files_groupownership" severity="medium">
-              <xccdf-1.2:title>Ensure Log Files Are Owned By Appropriate Group</xccdf-1.2:title>
-              <xccdf-1.2:description>The group-owner of all log files written by
-<html:code>rsyslog</html:code> should be <html:code><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_file_groupowner_logfiles_value" use="legacy"/></html:code>.
-These log files are determined by the second part of each Rule line in
-<html:code>/etc/rsyslog.conf</html:code> and typically all appear in <html:code>/var/log</html:code>.
-For each log file <html:i>LOGFILE</html:i> referenced in <html:code>/etc/rsyslog.conf</html:code>,
-run the following command to inspect the file's group owner:
-<html:pre>$ ls -l <html:i>LOGFILE</html:i></html:pre>
-If the owner is not <html:code><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_file_groupowner_logfiles_value" use="legacy"/></html:code>, run the following command to
-correct this:
-<html:pre>$ sudo chgrp <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_file_groupowner_logfiles_value" use="legacy"/> <html:i>LOGFILE</html:i></html:pre></xccdf-1.2:description>
-              <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R46)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R5)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001314</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">0988</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">1405</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.5.2</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>The log files generated by rsyslog contain valuable information regarding system
-configuration, user authentication, and other such information. Log files should be
-protected from unauthorized access.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-rsyslog_files_groupownership:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-rsyslog_files_groupownership_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_rsyslog_files_ownership" severity="medium">
-              <xccdf-1.2:title>Ensure Log Files Are Owned By Appropriate User</xccdf-1.2:title>
-              <xccdf-1.2:description>The owner of all log files written by
-<html:code>rsyslog</html:code> should be <html:code><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_file_owner_logfiles_value" use="legacy"/></html:code>.
-These log files are determined by the second part of each Rule line in
-<html:code>/etc/rsyslog.conf</html:code> and typically all appear in <html:code>/var/log</html:code>.
-For each log file <html:i>LOGFILE</html:i> referenced in <html:code>/etc/rsyslog.conf</html:code>,
-run the following command to inspect the file's owner:
-<html:pre>$ ls -l <html:i>LOGFILE</html:i></html:pre>
-If the owner is not <html:code><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_file_owner_logfiles_value" use="legacy"/></html:code>, run the following command to
-correct this:
-<html:pre>$ sudo chown <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_file_owner_logfiles_value" use="legacy"/> <html:i>LOGFILE</html:i></html:pre></xccdf-1.2:description>
-              <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R46)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R5)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001314</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">0988</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">1405</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.5.2</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>The log files generated by rsyslog contain valuable information regarding system
-configuration, user authentication, and other such information. Log files should be
-protected from unauthorized access.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-rsyslog_files_ownership:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-rsyslog_files_ownership_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_rsyslog_files_permissions" severity="medium">
-              <xccdf-1.2:title>Ensure System Log Files Have Correct Permissions</xccdf-1.2:title>
-              <xccdf-1.2:description>The file permissions for all log files written by <html:code>rsyslog</html:code> should
-be set to 600, or more restrictive. These log files are determined by the
-second part of each Rule line in <html:code>/etc/rsyslog.conf</html:code> and typically
-all appear in <html:code>/var/log</html:code>. For each log file <html:i>LOGFILE</html:i>
-referenced in <html:code>/etc/rsyslog.conf</html:code>, run the following command to
-inspect the file's permissions:
-<html:pre>$ ls -l <html:i>LOGFILE</html:i></html:pre>
-If the permissions are not 600 or more restrictive, run the following
-command to correct this:
-<html:pre>$ sudo chmod 0600 <html:i>LOGFILE</html:i></html:pre>"</xccdf-1.2:description>
-              <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R36)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001314</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">0988</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">1405</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.5.2</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Log files can contain valuable information regarding system
-configuration. If the system log files are not protected unauthorized
-users could change the logged data, eliminating their forensic value.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-rsyslog_files_permissions:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-rsyslog_files_permissions_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-          </xccdf-1.2:Group>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_journald">
-            <xccdf-1.2:title>systemd-journald</xccdf-1.2:title>
-            <xccdf-1.2:description>systemd-journald is a system service that collects and stores
-logging data. It creates and maintains structured, indexed
-journals based on logging information that is received from a
-variety of sources.
-
-For more information on <html:code>systemd-journald </html:code> and additional <html:code>systemd-journald</html:code> configuration options, see
-<html:b><html:a href="https://systemd.io/">https://systemd.io/</html:a></html:b>.</xccdf-1.2:description>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_service_systemd-journald_enabled" severity="medium">
-              <xccdf-1.2:title>Enable systemd-journald Service</xccdf-1.2:title>
-              <xccdf-1.2:description>The <html:code>systemd-journald</html:code> service is an essential component of
-systemd.
-
-The <html:code>systemd-journald</html:code> service can be enabled with the following manifest:
-<html:pre>
----
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-metadata:
-  labels:
-    machineconfiguration.openshift.io/role: master
-  name: 75-master-systemd-journald-enable
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-      - name: systemd-journald.service
-        enabled: true
-</html:pre>
-<html:p>
-This will enable the <html:code>systemd-journald</html:code> service in all the
-nodes labeled with the "master" role.
-</html:p>
-<html:p>
-Note that this needs to be done for each <html:code>MachineConfigPool</html:code>
-</html:p>
-<html:p>
-For more information on how to configure nodes with the Machine Config
-Operator see
-<html:a href="https://docs.openshift.com/container-platform/4.6/post_installation_configuration/machine-configuration-tasks.html">the relevant documentation</html:a>.
-</html:p></xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001665</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-24</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000269-GPOS-00103</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>In the event of a system failure, Red Hat Enterprise Linux CoreOS 4 must preserve any information necessary to determine cause of failure and any information necessary to return to operations with least disruption to system processes.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-service_systemd-journald_enabled:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-service_systemd-journald_enabled_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-          </xccdf-1.2:Group>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_log_rotation">
-            <xccdf-1.2:title>Ensure All Logs are Rotated by logrotate</xccdf-1.2:title>
-            <xccdf-1.2:description>
-Edit the file <html:code>/etc/logrotate.d/syslog</html:code>. Find the first
-
-line, which should look like this (wrapped for clarity):
-<html:pre>/var/log/messages /var/log/secure /var/log/maillog /var/log/spooler \
-  /var/log/boot.log /var/log/cron {</html:pre>
-Edit this line so that it contains a one-space-separated
-listing of each log file referenced in <html:code>/etc/rsyslog.conf</html:code>.
-<html:br/><html:br/>
-All logs in use on a system must be rotated regularly, or the
-log files will consume disk space over time, eventually interfering
-with system operation. The file <html:code>/etc/logrotate.d/syslog</html:code> is the
-configuration file used by the <html:code>logrotate</html:code> program to maintain all
-log files written by <html:code>syslog</html:code>. By default, it rotates logs weekly and
-stores four archival copies of each log. These settings can be
-modified by editing <html:code>/etc/logrotate.conf</html:code>, but the defaults are
-sufficient for purposes of this guide.
-<html:br/><html:br/>
-Note that <html:code>logrotate</html:code> is run nightly by the cron job
-<html:code>/etc/cron.daily/logrotate</html:code>. If particularly active logs need to be
-rotated more often than once a day, some other mechanism must be
-used.</xccdf-1.2:description>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_ensure_logrotate_activated" severity="medium">
-              <xccdf-1.2:title>Ensure Logrotate Runs Periodically</xccdf-1.2:title>
-              <xccdf-1.2:description>The <html:code>logrotate</html:code> utility allows for the automatic rotation of
-log files.  The frequency of rotation is specified in <html:code>/etc/logrotate.conf</html:code>,
-which triggers a cron task.  To configure logrotate to run daily, add or correct
-the following line in <html:code>/etc/logrotate.conf</html:code>:
-<html:pre># rotate log files <html:i>frequency</html:i>
-daily</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R43)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT12(R18)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.7</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Log files that are not properly rotated run the risk of growing so large
-that they fill up the /var/log partition. Valuable logging information could be lost
-if the /var/log partition becomes full.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82689-1</xccdf-1.2:ident>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="ensure_logrotate_activated" complexity="low" disruption="low" reboot="true" strategy="restrict">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ %23%20see%20%22man%20logrotate%22%20for%20details%0A%23%20rotate%20log%20files%20daily%0Adaily%0A%0A%23%20keep%204%20weeks%20worth%20of%20backlogs%0Arotate%2030%0A%0A%23%20create%20new%20%28empty%29%20log%20files%20after%20rotating%20old%20ones%0Acreate%0A%0A%23%20use%20date%20as%20a%20suffix%20of%20the%20rotated%20file%0Adateext%0A%0A%23%20uncomment%20this%20if%20you%20want%20your%20log%20files%20compressed%0A%23compress%0A%0A%23%20RPM%20packages%20drop%20log%20rotation%20information%20into%20this%20directory%0Ainclude%20/etc/logrotate.d%0A%0A%23%20system-specific%20logs%20may%20be%20also%20be%20configured%20here. }}
-        mode: 0644
-        path: /etc/logrotate.conf
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-ensure_logrotate_activated:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-ensure_logrotate_activated_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-          </xccdf-1.2:Group>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_rsyslog_accepting_remote_messages">
-            <xccdf-1.2:title>Configure rsyslogd to Accept Remote Messages If Acting as a Log Server</xccdf-1.2:title>
-            <xccdf-1.2:description>By default, <html:code>rsyslog</html:code> does not listen over the network
-for log messages. If needed, modules can be enabled to allow
-the rsyslog daemon to receive messages from other systems and for the system
-thus to act as a log server.
-If the system is not a log server, then lines concerning these modules
-should remain commented out.
-<html:br/><html:br/></xccdf-1.2:description>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_package_syslogng_installed" severity="medium">
-              <xccdf-1.2:title>Ensure syslog-ng is Installed</xccdf-1.2:title>
-              <xccdf-1.2:description>syslog-ng can be installed in replacement of rsyslog.
-The <html:code>syslog-ng-core</html:code> package can be installed with the following command:
-<html:pre/></xccdf-1.2:description>
-              <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R46)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R5)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001311</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001312</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>The syslog-ng-core package provides the syslog-ng daemon, which provides
-system logging services.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-package_syslogng_installed:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-package_syslogng_installed_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_service_syslogng_enabled" severity="medium">
-              <xccdf-1.2:title>Enable syslog-ng Service</xccdf-1.2:title>
-              <xccdf-1.2:description>The <html:code>syslog-ng</html:code> service (in replacement of rsyslog) provides syslog-style logging by default on Debian.
-
-The <html:code>syslog-ng</html:code> service can be enabled with the following manifest:
-<html:pre>
----
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-metadata:
-  labels:
-    machineconfiguration.openshift.io/role: master
-  name: 75-master-syslog-ng-enable
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-      - name: syslog-ng.service
-        enabled: true
-</html:pre>
-<html:p>
-This will enable the <html:code>syslog-ng</html:code> service in all the
-nodes labeled with the "master" role.
-</html:p>
-<html:p>
-Note that this needs to be done for each <html:code>MachineConfigPool</html:code>
-</html:p>
-<html:p>
-For more information on how to configure nodes with the Machine Config
-Operator see
-<html:a href="https://docs.openshift.com/container-platform/4.6/post_installation_configuration/machine-configuration-tasks.html">the relevant documentation</html:a>.
-</html:p></xccdf-1.2:description>
-              <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R46)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R5)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO10.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI04.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA01.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001311</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001312</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001557</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001851</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.2.6.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.17.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.SC-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>The <html:code>syslog-ng</html:code> service must be running in order to provide
-logging services, which are essential to system administration.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-service_syslogng_enabled:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-service_syslogng_enabled_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_rsyslog_accept_remote_messages_tcp" severity="unknown">
-              <xccdf-1.2:title>Enable rsyslog to Accept Messages via TCP, if Acting As Log Server</xccdf-1.2:title>
-              <xccdf-1.2:description>The <html:code>rsyslog</html:code> daemon should not accept remote messages
-unless the system acts as a log server.
-If the system needs to act as a central log server, add the following lines to
-<html:code>/etc/rsyslog.conf</html:code> to enable reception of messages over TCP:
-<html:pre>$ModLoad imtcp
-$InputTCPServerRun 514</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-6(3)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-6(4)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>If the system needs to act as a log server, this ensures that it can receive
-messages over a reliable TCP connection.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_rsyslog_accept_remote_messages_udp" severity="unknown">
-              <xccdf-1.2:title>Enable rsyslog to Accept Messages via UDP, if Acting As Log Server</xccdf-1.2:title>
-              <xccdf-1.2:description>The <html:code>rsyslog</html:code> daemon should not accept remote messages
-unless the system acts as a log server.
-If the system needs to act as a central log server, add the following lines to
-<html:code>/etc/rsyslog.conf</html:code> to enable reception of messages over UDP:
-<html:pre>$ModLoad imudp
-$UDPServerRun 514</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-6(3)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-6(4)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Many devices, such as switches, routers, and other Unix-like systems, may only support
-the traditional syslog transmission over UDP. If the system must act as a log server,
-this enables it to receive their messages as well.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-            </xccdf-1.2:Rule>
-          </xccdf-1.2:Group>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_rsyslog_sending_messages">
-            <xccdf-1.2:title>Rsyslog Logs Sent To Remote Host</xccdf-1.2:title>
-            <xccdf-1.2:description>If system logs are to be useful in detecting malicious
-activities, it is necessary to send logs to a remote server. An
-intruder who has compromised the root account on a system may
-delete the log entries which indicate that the system was attacked
-before they are seen by an administrator.
-<html:br/><html:br/>
-However, it is recommended that logs be stored on the local
-host in addition to being sent to the loghost, especially if
-<html:code>rsyslog</html:code> has been configured to use the UDP protocol to send
-messages over a network. UDP does not guarantee reliable delivery,
-and moderately busy sites will lose log messages occasionally,
-especially in periods of high traffic which may be the result of an
-attack. In addition, remote <html:code>rsyslog</html:code> messages are not
-authenticated in any way by default, so it is easy for an attacker to
-introduce spurious messages to the central log server. Also, some
-problems cause loss of network connectivity, which will prevent the
-sending of messages to the central server. For all of these reasons, it is
-better to store log messages both centrally and on each host, so
-that they can be correlated if necessary.</xccdf-1.2:description>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_rsyslog_remote_loghost_address" type="string" interactive="true">
-              <xccdf-1.2:title>Remote Log Server</xccdf-1.2:title>
-              <xccdf-1.2:description>Specify an URI or IP address of a remote host where the log messages will be sent and stored.</xccdf-1.2:description>
-              <xccdf-1.2:value>logcollector</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_rsyslog_remote_loghost" severity="medium">
-              <xccdf-1.2:title>Ensure Logs Sent To Remote Host</xccdf-1.2:title>
-              <xccdf-1.2:description>To configure rsyslog to send logs to a remote log server,
-open <html:code>/etc/rsyslog.conf</html:code> and read and understand the last section of the file,
-which describes the multiple directives necessary to activate remote
-logging.
-Along with these other directives, the system can be configured
-to forward its logs to a particular log server by
-adding or correcting one of the following lines,
-substituting <html:code><html:i><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_rsyslog_remote_loghost_address" use="legacy"/></html:i></html:code> appropriately.
-The choice of protocol depends on the environment of the system;
-although TCP and RELP provide more reliable message delivery,
-they may not be supported in all environments.
-<html:br/>
-To use UDP for log message delivery:
-<html:pre>*.* @<html:i><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_rsyslog_remote_loghost_address" use="legacy"/></html:i></html:pre>
-<html:br/>
-To use TCP for log message delivery:
-<html:pre>*.* @@<html:i><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_rsyslog_remote_loghost_address" use="legacy"/></html:i></html:pre>
-<html:br/>
-To use RELP for log message delivery:
-<html:pre>*.* :omrelp:<html:i><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_rsyslog_remote_loghost_address" use="legacy"/></html:i></html:pre>
-<html:br/>
-There must be a resolvable DNS CNAME or Alias record set to "<xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_rsyslog_remote_loghost_address" use="legacy"/>" for logs to be sent correctly to the centralized logging utility.</xccdf-1.2:description>
-              <xccdf-1.2:warning category="functionality">It is important to configure queues in case the client is sending log
-messages to a remote server. If queues are not configured,
-the system will stop functioning when the connection
-to the remote server is not available. Please consult Rsyslog
-documentation for more information about configuration of queues. The
-example configuration which should go into <html:code>/etc/rsyslog.conf</html:code>
-can look like the following lines:
-<html:pre>
-$ActionQueueType LinkedList
-$ActionQueueFileName queuefilename
-$ActionQueueMaxDiskSpace 1g
-$ActionQueueSaveOnShutdown on
-$ActionResumeRetryCount -1
-</html:pre></xccdf-1.2:warning>
-              <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R7)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT28(R43)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT12(R5)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI04.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001348</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000136</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001851</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(B)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(5)(ii)(C)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(6)(ii)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(8)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)(iii)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.314(a)(2)(i)(C)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.314(a)(2)(iii)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">0988</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">1405</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.17.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-4(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9(2)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1.1.c</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000479-GPOS-00224</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000342-GPOS-00133</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000032-VMM-000130</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>A log server (loghost) receives syslog messages from one or more
-systems. This data can be used as an additional log source in the event a
-system is compromised and its local logs are suspect. Forwarding log messages
-to a remote loghost also provides system administrators with a centralized
-place to view the status of multiple hosts within the enterprise.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-rsyslog_remote_loghost:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-rsyslog_remote_loghost_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-          </xccdf-1.2:Group>
-        </xccdf-1.2:Group>
-        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_network">
-          <xccdf-1.2:title>Network Configuration and Firewalls</xccdf-1.2:title>
-          <xccdf-1.2:description>Most systems must be connected to a network of some
-sort, and this brings with it the substantial risk of network
-attack. This section discusses the security impact of decisions
-about networking which must be made when configuring a system.
-<html:br/><html:br/>
-This section also discusses firewalls, network access
-controls, and other network security frameworks, which allow
-system-level rules to be written that can limit an attackers' ability
-to connect to your system. These rules can specify that network
-traffic should be allowed or denied from certain IP addresses,
-hosts, and networks. The rules can also specify which of the
-system's network services are available to particular hosts or
-networks.</xccdf-1.2:description>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_network_nmcli_permissions" severity="medium">
-            <xccdf-1.2:title>Prevent non-Privileged Users from Modifying Network Interfaces using nmcli</xccdf-1.2:title>
-            <xccdf-1.2:description>By default, non-privileged users are given permissions to modify networking
-interfaces and configurations using the <html:code>nmcli</html:code> command. Non-privileged
-users should not be making configuration changes to network configurations. To
-ensure that non-privileged users do not have permissions to make changes to the
-network configuration using <html:code>nmcli</html:code>, create the following configuration in
-<html:code>/etc/polkit-1/localauthority/20-org.d/10-nm-harden-access.pkla</html:code>:
-<html:pre>
-[Disable General User Access to NetworkManager]
-Identity=default
-Action=org.freedesktop.NetworkManager.*
-ResultAny=no
-ResultInactive=no
-ResultActive=auth_admin
-</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.16</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="">0418</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="">1055</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="">1402</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-18(4)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Allowing non-privileged users to make changes to network settings can allow
-untrusted access, prevent system availability, and/or can lead to a compromise or
-attack.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#polkit"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82696-6</xccdf-1.2:ident>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-network_nmcli_permissions:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-network_nmcli_permissions_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_network-firewalld">
-            <xccdf-1.2:title>firewalld</xccdf-1.2:title>
-            <xccdf-1.2:description>The dynamic firewall daemon <html:code>firewalld</html:code> provides a
-dynamically managed firewall with support for network &#x201C;zones&#x201D; to assign
-a level of trust to a network and its associated connections and interfaces.
-It has support for IPv4 and IPv6 firewall settings. It supports Ethernet
-bridges and has a separation of runtime and permanent configuration options.
-It also has an interface for services or applications to add firewall rules
-directly.
-<html:br/>
-A graphical configuration tool, <html:code>firewall-config</html:code>, is used to configure
-<html:code>firewalld</html:code>, which in turn uses <html:code>iptables</html:code> tool to communicate
-with <html:code>Netfilter</html:code> in the kernel which implements packet filtering.
-<html:br/>
-The firewall service provided by <html:code>firewalld</html:code> is dynamic rather than
-static because changes to the configuration can be made at anytime and are
-immediately implemented. There is no need to save or apply the changes. No
-unintended disruption of existing network connections occurs as no part of
-the firewall has to be reloaded.</xccdf-1.2:description>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_firewalld_activation">
-              <xccdf-1.2:title>Inspect and Activate Default firewalld Rules</xccdf-1.2:title>
-              <xccdf-1.2:description>Firewalls can be used to separate networks into different zones
-based on the level of trust the user has decided to place on the devices and
-traffic within that network. <html:code>NetworkManager</html:code> informs firewalld to which
-zone an interface belongs. An interface's assigned zone can be changed by
-<html:code>NetworkManager</html:code> or via the <html:code>firewall-config</html:code> tool.
-<html:br/>
-The zone settings in <html:code>/etc/firewalld/</html:code> are a range of preset settings
-which can be quickly applied to a network interface. These are the zones
-provided by firewalld sorted according to the default trust level of the
-zones from untrusted to trusted:
-<html:ul><html:li><html:code>drop</html:code><html:br/><html:p>Any incoming network packets are dropped, there is no
-reply. Only outgoing network connections are possible.</html:p></html:li><html:li><html:code>block</html:code><html:br/><html:p>Any incoming network connections are rejected with an
-<html:code>icmp-host-prohibited</html:code> message for IPv4 and <html:code>icmp6-adm-prohibited</html:code>
-for IPv6. Only network connections initiated from within the system are
-possible.</html:p></html:li><html:li><html:code>public</html:code><html:br/><html:p>For use in public areas. You do not trust the other
-computers on the network to not harm your computer. Only selected incoming
-connections are accepted.</html:p></html:li><html:li><html:code>external</html:code><html:br/><html:p>For use on external networks with masquerading enabled
-especially for routers. You do not trust the other computers on the network to
-not harm your computer. Only selected incoming connections are accepted.</html:p></html:li><html:li><html:code>dmz</html:code><html:br/><html:p>For computers in your demilitarized zone that are
-publicly-accessible with limited access to your internal network. Only selected
-incoming connections are accepted.</html:p></html:li><html:li><html:code>work</html:code><html:br/><html:p>For use in work areas. You mostly trust the other computers
-on networks to not harm your computer. Only selected incoming connections are
-accepted.</html:p></html:li><html:li><html:code>home</html:code><html:br/><html:p>For use in home areas. You mostly trust the other computers
-on networks to not harm your computer. Only selected incoming connections are
-accepted.</html:p></html:li><html:li><html:code>internal</html:code><html:br/><html:p>For use on internal networks. You mostly trust the
-other computers on the networks to not harm your computer. Only selected
-incoming connections are accepted.</html:p></html:li><html:li><html:code>trusted</html:code><html:br/><html:p>All network connections are accepted.</html:p></html:li></html:ul>
-<html:br/>
-It is possible to designate one of these zones to be the default zone. When
-interface connections are added to <html:code>NetworkManager</html:code>, they are assigned
-to the default zone. On installation, the default zone in firewalld is set to
-be the public zone.
-<html:br/>
-To find out all the settings of a zone, for example the <html:code>public zone,</html:code>
-enter the following command as root:
-<html:pre># firewall-cmd --zone=public --list-all</html:pre>
-Example output of this command might look like the following:
-<html:pre>
-# firewall-cmd --zone=public --list-all
-public
-  interfaces:
-  services: mdns dhcpv6-client ssh
-  ports:
-  forward-ports:
-  icmp-blocks: source-quench
-</html:pre>
-To view the network zones currently active, enter the following command as root:
-<html:pre># firewall-cmd --get-service</html:pre>
-The following listing displays the result of this command
-on common Red Hat Enterprise Linux CoreOS 4 system:
-<html:pre>
-# firewall-cmd --get-service
-amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp
-high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd
-ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn
-pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind
-samba samba-client smtp ssh telnet tftp tftp-client transmission-client
-vnc-server wbem-https
-</html:pre>
-Finally to view the network zones that will be active after the next firewalld
-service reload, enter the following command as root:
-<html:pre># firewall-cmd --get-service --permanent</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_package_firewalld_installed" severity="medium">
-                <xccdf-1.2:title>Install firewalld Package</xccdf-1.2:title>
-                <xccdf-1.2:description>The <html:code>firewalld</html:code> package can be installed with the following command:
-<html:pre/></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002314</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000096-GPOS-00050</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000297-GPOS-00115</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000298-GPOS-00116</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00232</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>"Firewalld" provides an easy and effective way to block/limit remote access to the system via ports, services, and protocols.
-
-Remote access services, such as those providing remote access to network devices and information systems, which lack automated control capabilities, increase risk and make remote user access management difficult at best.
-
-Remote access is access to DoD nonpublic information systems by an authorized user (or an information system) communicating through an external, non-organization-controlled network. Remote access methods include, for example, dial-up, broadband, and wireless.
-
-Red Hat Enterprise Linux CoreOS 4 functionality (e.g., SSH) must be capable of taking enforcement action if the audit reveals unauthorized activity.
-Automated control of remote access sessions allows organizations to ensure ongoing compliance with remote access policies by enforcing connection rules of remote access applications on a variety of information system components (e.g., servers, workstations, notebook computers, smartphones, and tablets)."</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#machine"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82521-6</xccdf-1.2:ident>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-package_firewalld_installed:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-package_firewalld_installed_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_service_firewalld_enabled" severity="medium">
-                <xccdf-1.2:title>Verify firewalld Enabled</xccdf-1.2:title>
-                <xccdf-1.2:description>
-The <html:code>firewalld</html:code> service can be enabled with the following manifest:
-<html:pre>
----
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-metadata:
-  labels:
-    machineconfiguration.openshift.io/role: master
-  name: 75-master-firewalld-enable
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-      - name: firewalld.service
-        enabled: true
-</html:pre>
-<html:p>
-This will enable the <html:code>firewalld</html:code> service in all the
-nodes labeled with the "master" role.
-</html:p>
-<html:p>
-Note that this needs to be done for each <html:code>MachineConfigPool</html:code>
-</html:p>
-<html:p>
-For more information on how to configure nodes with the Machine Config
-Operator see
-<html:a href="https://docs.openshift.com/container-platform/4.6/post_installation_configuration/machine-configuration-tasks.html">the relevant documentation</html:a>.
-</html:p></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000382</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002314</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CA-3(5)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(21)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000096-GPOS-00050</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000297-GPOS-00115</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00231</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00232</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Access control methods provide the ability to enhance system security posture
-by restricting services and known good IP addresses and address ranges. This
-prevents connections from unknown hosts and protocols.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#machine"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82554-7</xccdf-1.2:ident>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-service_firewalld_enabled:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-service_firewalld_enabled_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-            </xccdf-1.2:Group>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_ruleset_modifications">
-              <xccdf-1.2:title>Strengthen the Default Ruleset</xccdf-1.2:title>
-              <xccdf-1.2:description>The default rules can be strengthened. The system
-scripts that activate the firewall rules expect them to be defined
-in configuration files under the <html:code>/etc/firewalld/services</html:code>
-and <html:code>/etc/firewalld/zones</html:code> directories.
-<html:br/><html:br/>
-The following recommendations describe how to strengthen the
-default ruleset configuration file. An alternative to editing this
-configuration file is to create a shell script that makes calls to
-the <html:code>firewall-cmd</html:code> program to load in rules under the <html:code>/etc/firewalld/services</html:code>
-and <html:code>/etc/firewalld/zones</html:code> directories.
-<html:br/><html:br/>
-Instructions apply to both unless otherwise noted. Language and address
-conventions for regular firewalld rules are used throughout this section.</xccdf-1.2:description>
-              <xccdf-1.2:warning category="general">The program <html:code>firewall-config</html:code>
-allows additional services to penetrate the default firewall rules
-and automatically adjusts the <html:code>firewalld</html:code> ruleset(s).</xccdf-1.2:warning>
-              <xccdf-1.2:platform idref="#machine"/>
-            </xccdf-1.2:Group>
-          </xccdf-1.2:Group>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_network-ipsec">
-            <xccdf-1.2:title>IPSec Support</xccdf-1.2:title>
-            <xccdf-1.2:description>Support for Internet Protocol Security (IPsec)
-is provided with Libreswan.</xccdf-1.2:description>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_package_libreswan_installed" severity="medium">
-              <xccdf-1.2:title>Install libreswan Package</xccdf-1.2:title>
-              <xccdf-1.2:description>The Libreswan package provides an implementation of IPsec
-and IKE, which permits the creation of secure tunnels over
-untrusted networks. The <html:code>libreswan</html:code> package can be installed with the following command:
-<html:pre/></xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001130</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001131</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.15.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.MA-2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000120-GPOS-00061</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Providing the ability for remote users or systems
-to initiate a secure VPN connection protects information when it is
-transmitted over a wide area network.</xccdf-1.2:rationale>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82525-7</xccdf-1.2:ident>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-package_libreswan_installed:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-package_libreswan_installed_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-          </xccdf-1.2:Group>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_network-iptables">
-            <xccdf-1.2:title>iptables and ip6tables</xccdf-1.2:title>
-            <xccdf-1.2:description>A host-based firewall called <html:code>netfilter</html:code> is included as
-part of the Linux kernel distributed with the system. It is
-activated by default. This firewall is controlled by the program
-<html:code>iptables</html:code>, and the entire capability is frequently referred to by
-this name. An analogous program called <html:code>ip6tables</html:code> handles filtering
-for IPv6.
-<html:br/><html:br/>
-Unlike TCP Wrappers, which depends on the network server
-program to support and respect the rules written, <html:code>netfilter</html:code>
-filtering occurs at the kernel level, before a program can even
-process the data from the network packet. As such, any program on
-the system is affected by the rules written.
-<html:br/><html:br/>
-This section provides basic information about strengthening
-the <html:code>iptables</html:code> and <html:code>ip6tables</html:code> configurations included with the system.
-For more complete information that may allow the construction of a
-sophisticated ruleset tailored to your environment, please consult
-the references at the end of this section.</xccdf-1.2:description>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_package_iptables_installed" severity="medium">
-              <xccdf-1.2:title>Install iptables Package</xccdf-1.2:title>
-              <xccdf-1.2:description>The <html:code>iptables</html:code> package can be installed with the following command:
-<html:pre/></xccdf-1.2:description>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-              <xccdf-1.2:rationale><html:code>iptables</html:code> controls the Linux kernel network packet filtering
-code. <html:code>iptables</html:code> allows system operators to set up firewalls and IP
-masquerading, etc.</xccdf-1.2:rationale>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82522-4</xccdf-1.2:ident>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-package_iptables_installed:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-package_iptables_installed_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_iptables_activation">
-              <xccdf-1.2:title>Inspect and Activate Default Rules</xccdf-1.2:title>
-              <xccdf-1.2:description>View the currently-enforced <html:code>iptables</html:code> rules by running
-the command:
-<html:pre>$ sudo iptables -nL --line-numbers</html:pre>
-The command is analogous for <html:code>ip6tables</html:code>.
-<html:br/><html:br/>
-If the firewall does not appear to be active (i.e., no rules
-appear), activate it and ensure that it starts at boot by issuing
-the following commands (and analogously for <html:code>ip6tables</html:code>):
-<html:pre>$ sudo service iptables restart</html:pre>
-The default iptables rules are:
-<html:pre>Chain INPUT (policy ACCEPT)
-num  target     prot opt source       destination
-1    ACCEPT     all  --  0.0.0.0/0    0.0.0.0/0    state RELATED,ESTABLISHED 
-2    ACCEPT     icmp --  0.0.0.0/0    0.0.0.0/0
-3    ACCEPT     all  --  0.0.0.0/0    0.0.0.0/0
-4    ACCEPT     tcp  --  0.0.0.0/0    0.0.0.0/0    state NEW tcp dpt:22 
-5    REJECT     all  --  0.0.0.0/0    0.0.0.0/0    reject-with icmp-host-prohibited 
-
-Chain FORWARD (policy ACCEPT)
-num  target     prot opt source       destination
-1    REJECT     all  --  0.0.0.0/0    0.0.0.0/0    reject-with icmp-host-prohibited 
-
-Chain OUTPUT (policy ACCEPT)
-num  target     prot opt source       destination</html:pre>
-The <html:code>ip6tables</html:code> default rules are essentially the same.</xccdf-1.2:description>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_service_ip6tables_enabled" severity="medium">
-                <xccdf-1.2:title>Verify ip6tables Enabled if Using IPv6</xccdf-1.2:title>
-                <xccdf-1.2:description>
-The <html:code>ip6tables</html:code> service can be enabled with the following manifest:
-<html:pre>
----
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-metadata:
-  labels:
-    machineconfiguration.openshift.io/role: master
-  name: 75-master-ip6tables-enable
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-      - name: ip6tables.service
-        enabled: true
-</html:pre>
-<html:p>
-This will enable the <html:code>ip6tables</html:code> service in all the
-nodes labeled with the "master" role.
-</html:p>
-<html:p>
-Note that this needs to be done for each <html:code>MachineConfigPool</html:code>
-</html:p>
-<html:p>
-For more information on how to configure nodes with the Machine Config
-Operator see
-<html:a href="https://docs.openshift.com/container-platform/4.6/post_installation_configuration/machine-configuration-tasks.html">the relevant documentation</html:a>.
-</html:p></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.3.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CA-3(5)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(21)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.AM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>The <html:code>ip6tables</html:code> service provides the system's host-based firewalling
-capability for IPv6 and ICMPv6.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#machine"/>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-service_ip6tables_enabled:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-service_ip6tables_enabled_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_service_iptables_enabled" severity="medium">
-                <xccdf-1.2:title>Verify iptables Enabled</xccdf-1.2:title>
-                <xccdf-1.2:description>
-The <html:code>iptables</html:code> service can be enabled with the following manifest:
-<html:pre>
----
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-metadata:
-  labels:
-    machineconfiguration.openshift.io/role: master
-  name: 75-master-iptables-enable
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-      - name: iptables.service
-        enabled: true
-</html:pre>
-<html:p>
-This will enable the <html:code>iptables</html:code> service in all the
-nodes labeled with the "master" role.
-</html:p>
-<html:p>
-Note that this needs to be done for each <html:code>MachineConfigPool</html:code>
-</html:p>
-<html:p>
-For more information on how to configure nodes with the Machine Config
-Operator see
-<html:a href="https://docs.openshift.com/container-platform/4.6/post_installation_configuration/machine-configuration-tasks.html">the relevant documentation</html:a>.
-</html:p></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.3.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CA-3(5)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(21)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.AM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>The <html:code>iptables</html:code> service provides the system's host-based firewalling
-capability for IPv4 and ICMP.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#machine"/>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-service_iptables_enabled:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-service_iptables_enabled_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_set_ip6tables_default_rule" severity="medium">
-                <xccdf-1.2:title>Set Default ip6tables Policy for Incoming Packets</xccdf-1.2:title>
-                <xccdf-1.2:description>To set the default policy to DROP (instead of ACCEPT) for
-the built-in INPUT chain which processes incoming packets,
-add or correct the following line in
-<html:code>/etc/sysconfig/ip6tables</html:code>:
-<html:pre>:INPUT DROP [0:0]</html:pre>
-If changes were required, reload the ip6tables rules:
-<html:pre>$ sudo service ip6tables reload</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CA-3(5)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(21)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>In <html:code>ip6tables</html:code>, the default policy is applied only after all
-the applicable rules in the table are examined for a match. Setting the
-default policy to <html:code>DROP</html:code> implements proper design for a firewall, i.e.
-any packets which are not explicitly permitted should not be
-accepted.</xccdf-1.2:rationale>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-set_ip6tables_default_rule_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-            </xccdf-1.2:Group>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_iptables_ruleset_modifications">
-              <xccdf-1.2:title>Strengthen the Default Ruleset</xccdf-1.2:title>
-              <xccdf-1.2:description>The default rules can be strengthened. The system
-scripts that activate the firewall rules expect them to be defined
-in the configuration files <html:code>iptables</html:code> and <html:code>ip6tables</html:code> in the directory
-<html:code>/etc/sysconfig</html:code>. Many of the lines in these files are similar
-to the command line arguments that would be provided to the programs
-<html:code>/sbin/iptables</html:code> or <html:code>/sbin/ip6tables</html:code> - but some are quite
-different.
-<html:br/><html:br/>
-The following recommendations describe how to strengthen the
-default ruleset configuration file. An alternative to editing this
-configuration file is to create a shell script that makes calls to
-the iptables program to load in rules, and then invokes service
-iptables save to write those loaded rules to
-<html:code>/etc/sysconfig/iptables.</html:code>
-<html:br/><html:br/>
-The following alterations can be made directly to
-<html:code>/etc/sysconfig/iptables</html:code> and <html:code>/etc/sysconfig/ip6tables</html:code>.
-Instructions apply to both unless otherwise noted. Language and address
-conventions for regular iptables are used throughout this section;
-configuration for ip6tables will be either analogous or explicitly
-covered.</xccdf-1.2:description>
-              <xccdf-1.2:warning category="general">The program <html:code>system-config-securitylevel</html:code>
-allows additional services to penetrate the default firewall rules
-and automatically adjusts <html:code>/etc/sysconfig/iptables</html:code>. This program
-is only useful if the default ruleset meets your security
-requirements. Otherwise, this program should not be used to make
-changes to the firewall configuration because it re-writes the
-saved configuration file.</xccdf-1.2:warning>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_set_iptables_default_rule" severity="medium">
-                <xccdf-1.2:title>Set Default iptables Policy for Incoming Packets</xccdf-1.2:title>
-                <xccdf-1.2:description>To set the default policy to DROP (instead of ACCEPT) for
-the built-in INPUT chain which processes incoming packets,
-add or correct the following line in
-<html:code>/etc/sysconfig/iptables</html:code>:
-<html:pre>:INPUT DROP [0:0]</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CA-3(5)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(23)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>In <html:code>iptables</html:code> the default policy is applied only after all
-the applicable rules in the table are examined for a match. Setting the
-default policy to <html:code>DROP</html:code> implements proper design for a firewall, i.e.
-any packets which are not explicitly permitted should not be
-accepted.</xccdf-1.2:rationale>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-set_iptables_default_rule_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_set_iptables_default_rule_forward" severity="medium">
-                <xccdf-1.2:title>Set Default iptables Policy for Forwarded Packets</xccdf-1.2:title>
-                <xccdf-1.2:description>To set the default policy to DROP (instead of ACCEPT) for
-the built-in FORWARD chain which processes packets that will be forwarded from
-one interface to another,
-add or correct the following line in
-<html:code>/etc/sysconfig/iptables</html:code>:
-<html:pre>:FORWARD DROP [0:0]</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CA-3(5)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(23)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>In <html:code>iptables</html:code>, the default policy is applied only after all
-the applicable rules in the table are examined for a match. Setting the
-default policy to <html:code>DROP</html:code> implements proper design for a firewall, i.e.
-any packets which are not explicitly permitted should not be
-accepted.</xccdf-1.2:rationale>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-set_iptables_default_rule_forward_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_iptables_icmp_disabled">
-                <xccdf-1.2:title>Restrict ICMP Message Types</xccdf-1.2:title>
-                <xccdf-1.2:description>In <html:code>/etc/sysconfig/iptables</html:code>, the accepted ICMP messages
-types can be restricted. To accept only ICMP echo reply, destination
-unreachable, and time exceeded messages, remove the line:<html:br/>
-<html:pre>-A INPUT -p icmp --icmp-type any -j ACCEPT</html:pre>
-and insert the lines:
-<html:pre>-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
--A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
--A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT</html:pre>
-To allow the system to respond to pings, also insert the following line:
-<html:pre>-A INPUT -p icmp --icmp-type echo-request -j ACCEPT</html:pre>
-Ping responses can also be limited to certain networks or hosts by using the -s
-option in the previous rule.  Because IPv6 depends so heavily on ICMPv6, it is
-preferable to deny the ICMPv6 packets you know you don't need (e.g. ping
-requests) in <html:code>/etc/sysconfig/ip6tables</html:code>, while letting everything else
-through:
-<html:pre>-A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP</html:pre>
-If you are going to statically configure the system's address, it should
-ignore Router Advertisements which could add another IPv6 address to the
-interface or alter important network settings:
-<html:pre>-A INPUT -p icmpv6 --icmpv6-type router-advertisement -j DROP</html:pre>
-Restricting ICMPv6 message types in <html:code>/etc/sysconfig/ip6tables</html:code> is not
-recommended because the operation of IPv6 depends heavily on ICMPv6. Thus, great
-care must be taken if any other ICMPv6 types are blocked.</xccdf-1.2:description>
-              </xccdf-1.2:Group>
-              <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_iptables_log_and_drop_suspicious">
-                <xccdf-1.2:title>Log and Drop Packets with Suspicious Source Addresses</xccdf-1.2:title>
-                <xccdf-1.2:description>Packets with non-routable source addresses should be rejected, as they may indicate spoofing. Because the
-modified policy will reject non-matching packets, you only need to add these rules if you are interested in also
-logging these spoofing or suspicious attempts before they are dropped. If you do choose to log various suspicious
-traffic, add identical rules with a target of <html:code>DROP</html:code> after each <html:i>LOG</html:i>.
-To log and then drop these IPv4 packets, insert the following rules in <html:code>/etc/sysconfig/iptables</html:code> (excepting
-any that are intentionally used):
-<html:pre>-A INPUT -s 10.0.0.0/8 -j LOG --log-prefix "IP DROP SPOOF A: "
--A INPUT -s 172.16.0.0/12 -j LOG --log-prefix "IP DROP SPOOF B: "
--A INPUT -s 192.168.0.0/16 -j LOG --log-prefix "IP DROP SPOOF C: "
--A INPUT -s 224.0.0.0/4 -j LOG --log-prefix "IP DROP MULTICAST D: "
--A INPUT -s 240.0.0.0/5 -j LOG --log-prefix "IP DROP SPOOF E: "
--A INPUT -d 127.0.0.0/8 -j LOG --log-prefix "IP DROP LOOPBACK: "</html:pre>
-Similarly, you might wish to log packets containing some IPv6 reserved addresses if they are not expected
-on your network:
-<html:pre>-A INPUT -i eth0 -s ::1 -j LOG --log-prefix "IPv6 DROP LOOPBACK: "
--A INPUT -s 2002:E000::/20 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: "
--A INPUT -s 2002:7F00::/24 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: "
--A INPUT -s 2002:0000::/24 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: "
--A INPUT -s 2002:FF00::/24 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: "
--A INPUT -s 2002:0A00::/24 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: "
--A INPUT -s 2002:AC10::/28 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: "
--A INPUT -s 2002:C0A8::/32 -j LOG --log-prefix "IPv6 6to4 TRAFFIC: "</html:pre>
-If you are not expecting to see site-local multicast or auto-tunneled traffic, you can log those:
-<html:pre>-A INPUT -s FF05::/16 -j LOG --log-prefix "IPv6 SITE-LOCAL MULTICAST: "
--A INPUT -s ::0.0.0.0/96 -j LOG --log-prefix "IPv4 COMPATIBLE IPv6 ADDR: "</html:pre>
-If you wish to block multicasts to all link-local nodes (e.g. if you are not using router auto-configuration and
-do not plan to have any services that multicast to the entire local network), you can block the link-local
-all-nodes multicast address (before accepting incoming ICMPv6):
-<html:pre>-A INPUT -d FF02::1 -j LOG --log-prefix "Link-local All-Nodes Multicast: "</html:pre>
-However, if you're going to allow IPv4 compatible IPv6 addresses (of the form ::0.0.0.0/96), you should
-then consider logging the non-routable IPv4-compatible addresses:
-<html:pre>-A INPUT -s ::0.0.0.0/104 -j LOG --log-prefix "IP NON-ROUTABLE ADDR: "
--A INPUT -s ::127.0.0.0/104 -j LOG --log-prefix "IP DROP LOOPBACK: "
--A INPUT -s ::224.0.0.0.0/100 -j LOG --log-prefix "IP DROP MULTICAST D: "
--A INPUT -s ::255.0.0.0/104 -j LOG --log-prefix "IP BROADCAST: "</html:pre>
-If you are not expecting to see any IPv4 (or IPv4-compatible) traffic on your network, consider logging it before it gets dropped:
-<html:pre>-A INPUT -s ::FFFF:0.0.0.0/96 -j LOG --log-prefix "IPv4 MAPPED IPv6 ADDR: "
--A INPUT -s 2002::/16 -j LOG --log-prefix "IPv6 6to4 ADDR: "</html:pre>
-The following rule will log all traffic originating from a site-local address, which is deprecated address space:
-<html:pre>-A INPUT -s FEC0::/10 -j LOG --log-prefix "SITE-LOCAL ADDRESS TRAFFIC: "</html:pre></xccdf-1.2:description>
-              </xccdf-1.2:Group>
-            </xccdf-1.2:Group>
-          </xccdf-1.2:Group>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_network-ipv6">
-            <xccdf-1.2:title>IPv6</xccdf-1.2:title>
-            <xccdf-1.2:description>The system includes support for Internet Protocol
-version 6. A major and often-mentioned improvement over IPv4 is its
-enormous increase in the number of available addresses. Another
-important feature is its support for automatic configuration of
-many network settings.</xccdf-1.2:description>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_disabling_ipv6">
-              <xccdf-1.2:title>Disable Support for IPv6 Unless Needed</xccdf-1.2:title>
-              <xccdf-1.2:description>Despite configuration that suggests support for IPv6 has
-been disabled, link-local IPv6 address auto-configuration occurs
-even when only an IPv4 address is assigned. The only way to
-effectively prevent execution of the IPv6 networking stack is to
-instruct the system not to activate the IPv6 kernel module.</xccdf-1.2:description>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_grub2_ipv6_disable_argument" severity="low">
-                <xccdf-1.2:title>Ensure IPv6 is disabled through kernel boot parameter</xccdf-1.2:title>
-                <xccdf-1.2:description>To disable IPv6 protocol support in the Linux kernel,
-add the argument <html:code>ipv6.disable=1</html:code> to the default
-GRUB2 command line for the Linux operating system.
-Configure the default Grub2 kernel command line to contain ipv6.disable=1 as follows:
-<html:pre># grub2-editenv - set "$(grub2-editenv - list | grep kernelopts) ipv6.disable=1"</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:rationale>Any unnecessary network stacks, including IPv6, should be disabled to reduce
-the vulnerability to exploitation.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#grub2"/>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-grub2_ipv6_disable_argument:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-grub2_ipv6_disable_argument_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kernel_module_ipv6_option_disabled" severity="medium">
-                <xccdf-1.2:title>Disable IPv6 Networking Support Automatic Loading</xccdf-1.2:title>
-                <xccdf-1.2:description>To prevent the IPv6 kernel module (<html:code>ipv6</html:code>) from binding to the
-IPv6 networking stack, add the following line to
-<html:code>/etc/modprobe.d/disabled.conf</html:code> (or another file in
-<html:code>/etc/modprobe.d</html:code>):
-<html:pre>options ipv6 disable=1</html:pre>
-This permits the IPv6 module to be loaded (and thus satisfy other modules that
-depend on it), while disabling support for the IPv6 protocol.</xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Any unnecessary network stacks - including IPv6 - should be disabled, to reduce
-the vulnerability to exploitation.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#machine"/>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-kernel_module_ipv6_option_disabled:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-kernel_module_ipv6_option_disabled_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_disable_ipv6" severity="medium">
-                <xccdf-1.2:title>Disable IPv6 Addressing on All IPv6 Interfaces</xccdf-1.2:title>
-                <xccdf-1.2:description>To disable support for (<html:code>ipv6</html:code>) addressing on all interface add the following line to
-<html:code>/etc/sysctl.d/ipv6.conf</html:code> (or another file in <html:code>/etc/sysctl.d</html:code>):
-<html:pre>net.ipv6.conf.all.disable_ipv6 = 1</html:pre>
-This disables IPv6 on all network interfaces as other services and system
-functionality require the IPv6 stack loaded to work.</xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001551</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Any unnecessary network stacks - including IPv6 - should be disabled, to reduce
-the vulnerability to exploitation.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#machine"/>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sysctl_net_ipv6_conf_all_disable_ipv6:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sysctl_net_ipv6_conf_all_disable_ipv6_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_disable_ipv6" severity="medium">
-                <xccdf-1.2:title>Disable IPv6 Addressing on IPv6 Interfaces by Default</xccdf-1.2:title>
-                <xccdf-1.2:description>To disable support for (<html:code>ipv6</html:code>) addressing on interfaces by default add the following line to
-<html:code>/etc/sysctl.d/ipv6.conf</html:code> (or another file in <html:code>/etc/sysctl.d</html:code>):
-<html:pre>net.ipv6.conf.default.disable_ipv6 = 1</html:pre>
-This disables IPv6 on network interfaces by default as other services and system
-functionality require the IPv6 stack loaded to work.</xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001551</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Any unnecessary network stacks - including IPv6 - should be disabled, to reduce
-the vulnerability to exploitation.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#machine"/>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sysctl_net_ipv6_conf_default_disable_ipv6:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sysctl_net_ipv6_conf_default_disable_ipv6_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-            </xccdf-1.2:Group>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_configuring_ipv6">
-              <xccdf-1.2:title>Configure IPv6 Settings if Necessary</xccdf-1.2:title>
-              <xccdf-1.2:description>A major feature of IPv6 is the extent to which systems
-implementing it can automatically configure their networking
-devices using information from the network. From a security
-perspective, manually configuring important configuration
-information is preferable to accepting it from the network
-in an unauthenticated fashion.</xccdf-1.2:description>
-              <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_sysconfig_network_IPV6_AUTOCONF_value" type="string">
-                <xccdf-1.2:title>IPV6_AUTOCONF</xccdf-1.2:title>
-                <xccdf-1.2:description>Toggle global IPv6 auto-configuration (only, if global
-forwarding is disabled)</xccdf-1.2:description>
-                <xccdf-1.2:value>no</xccdf-1.2:value>
-                <xccdf-1.2:value selector="disabled">no</xccdf-1.2:value>
-                <xccdf-1.2:value selector="enabled">yes</xccdf-1.2:value>
-              </xccdf-1.2:Value>
-              <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_sysctl_net_ipv6_conf_all_accept_ra_defrtr_value" type="number">
-                <xccdf-1.2:title>net.ipv6.conf.all.accept_ra_defrtr</xccdf-1.2:title>
-                <xccdf-1.2:description>Accept default router in router advertisements?</xccdf-1.2:description>
-                <xccdf-1.2:value>0</xccdf-1.2:value>
-                <xccdf-1.2:value selector="disabled">0</xccdf-1.2:value>
-                <xccdf-1.2:value selector="enabled">1</xccdf-1.2:value>
-              </xccdf-1.2:Value>
-              <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_sysctl_net_ipv6_conf_all_accept_ra_pinfo_value" type="number">
-                <xccdf-1.2:title>net.ipv6.conf.all.accept_ra_pinfo</xccdf-1.2:title>
-                <xccdf-1.2:description>Accept prefix information in router advertisements?</xccdf-1.2:description>
-                <xccdf-1.2:value>0</xccdf-1.2:value>
-                <xccdf-1.2:value selector="disabled">0</xccdf-1.2:value>
-                <xccdf-1.2:value selector="enabled">1</xccdf-1.2:value>
-              </xccdf-1.2:Value>
-              <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_sysctl_net_ipv6_conf_all_accept_ra_rtr_pref_value" type="number">
-                <xccdf-1.2:title>net.ipv6.conf.all.accept_ra_rtr_pref</xccdf-1.2:title>
-                <xccdf-1.2:description>Accept router preference in router advertisements?</xccdf-1.2:description>
-                <xccdf-1.2:value>0</xccdf-1.2:value>
-                <xccdf-1.2:value selector="disabled">0</xccdf-1.2:value>
-                <xccdf-1.2:value selector="enabled">1</xccdf-1.2:value>
-              </xccdf-1.2:Value>
-              <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_sysctl_net_ipv6_conf_all_accept_ra_value" type="number">
-                <xccdf-1.2:title>net.ipv6.conf.all.accept_ra</xccdf-1.2:title>
-                <xccdf-1.2:description>Accept all router advertisements?</xccdf-1.2:description>
-                <xccdf-1.2:value>0</xccdf-1.2:value>
-                <xccdf-1.2:value selector="disabled">0</xccdf-1.2:value>
-                <xccdf-1.2:value selector="enabled">1</xccdf-1.2:value>
-              </xccdf-1.2:Value>
-              <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_sysctl_net_ipv6_conf_all_accept_redirects_value" type="number">
-                <xccdf-1.2:title>net.ipv6.conf.all.accept_redirects</xccdf-1.2:title>
-                <xccdf-1.2:description>Toggle ICMP Redirect Acceptance</xccdf-1.2:description>
-                <xccdf-1.2:value>0</xccdf-1.2:value>
-                <xccdf-1.2:value selector="disabled">0</xccdf-1.2:value>
-                <xccdf-1.2:value selector="enabled">1</xccdf-1.2:value>
-              </xccdf-1.2:Value>
-              <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_sysctl_net_ipv6_conf_all_accept_source_route_value" type="number">
-                <xccdf-1.2:title>net.ipv6.conf.all.accept_source_route</xccdf-1.2:title>
-                <xccdf-1.2:description>Trackers could be using source-routed packets to
-generate traffic that seems to be intra-net, but actually was
-created outside and has been redirected.</xccdf-1.2:description>
-                <xccdf-1.2:value>0</xccdf-1.2:value>
-                <xccdf-1.2:value selector="disabled">0</xccdf-1.2:value>
-                <xccdf-1.2:value selector="enabled">1</xccdf-1.2:value>
-              </xccdf-1.2:Value>
-              <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_sysctl_net_ipv6_conf_all_autoconf_value" type="number">
-                <xccdf-1.2:title>net.ipv6.conf.all.autoconf</xccdf-1.2:title>
-                <xccdf-1.2:description>Enable auto configuration on IPv6 interfaces</xccdf-1.2:description>
-                <xccdf-1.2:value>0</xccdf-1.2:value>
-                <xccdf-1.2:value selector="disabled">0</xccdf-1.2:value>
-                <xccdf-1.2:value selector="enabled">1</xccdf-1.2:value>
-              </xccdf-1.2:Value>
-              <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_sysctl_net_ipv6_conf_all_forwarding_value" type="number">
-                <xccdf-1.2:title>net.ipv6.conf.all.forwarding</xccdf-1.2:title>
-                <xccdf-1.2:description>Toggle IPv6 Forwarding</xccdf-1.2:description>
-                <xccdf-1.2:value>0</xccdf-1.2:value>
-                <xccdf-1.2:value selector="disabled">0</xccdf-1.2:value>
-                <xccdf-1.2:value selector="enabled">1</xccdf-1.2:value>
-              </xccdf-1.2:Value>
-              <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_sysctl_net_ipv6_conf_all_max_addresses_value" type="number">
-                <xccdf-1.2:title>net.ipv6.conf.all.max_addresses</xccdf-1.2:title>
-                <xccdf-1.2:description>Maximum number of autoconfigured IPv6 addresses</xccdf-1.2:description>
-                <xccdf-1.2:value>1</xccdf-1.2:value>
-              </xccdf-1.2:Value>
-              <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_sysctl_net_ipv6_conf_all_router_solicitations_value" type="number">
-                <xccdf-1.2:title>net.ipv6.conf.all.router_solicitations</xccdf-1.2:title>
-                <xccdf-1.2:description>Accept all router solicitations?</xccdf-1.2:description>
-                <xccdf-1.2:value>0</xccdf-1.2:value>
-                <xccdf-1.2:value selector="disabled">0</xccdf-1.2:value>
-                <xccdf-1.2:value selector="enabled">1</xccdf-1.2:value>
-              </xccdf-1.2:Value>
-              <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_sysctl_net_ipv6_conf_default_accept_ra_defrtr_value" type="number">
-                <xccdf-1.2:title>net.ipv6.conf.default.accept_ra_defrtr</xccdf-1.2:title>
-                <xccdf-1.2:description>Accept default router in router advertisements?</xccdf-1.2:description>
-                <xccdf-1.2:value>0</xccdf-1.2:value>
-                <xccdf-1.2:value selector="disabled">0</xccdf-1.2:value>
-                <xccdf-1.2:value selector="enabled">1</xccdf-1.2:value>
-              </xccdf-1.2:Value>
-              <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_sysctl_net_ipv6_conf_default_accept_ra_pinfo_value" type="number">
-                <xccdf-1.2:title>net.ipv6.conf.default.accept_ra_pinfo</xccdf-1.2:title>
-                <xccdf-1.2:description>Accept prefix information in router advertisements?</xccdf-1.2:description>
-                <xccdf-1.2:value>0</xccdf-1.2:value>
-                <xccdf-1.2:value selector="disabled">0</xccdf-1.2:value>
-                <xccdf-1.2:value selector="enabled">1</xccdf-1.2:value>
-              </xccdf-1.2:Value>
-              <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_sysctl_net_ipv6_conf_default_accept_ra_rtr_pref_value" type="number">
-                <xccdf-1.2:title>net.ipv6.conf.default.accept_ra_rtr_pref</xccdf-1.2:title>
-                <xccdf-1.2:description>Accept router preference in router advertisements?</xccdf-1.2:description>
-                <xccdf-1.2:value>0</xccdf-1.2:value>
-                <xccdf-1.2:value selector="disabled">0</xccdf-1.2:value>
-                <xccdf-1.2:value selector="enabled">1</xccdf-1.2:value>
-              </xccdf-1.2:Value>
-              <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_sysctl_net_ipv6_conf_default_accept_ra_value" type="number">
-                <xccdf-1.2:title>net.ipv6.conf.default.accept_ra</xccdf-1.2:title>
-                <xccdf-1.2:description>Accept default router advertisements by default?</xccdf-1.2:description>
-                <xccdf-1.2:value>0</xccdf-1.2:value>
-                <xccdf-1.2:value selector="disabled">0</xccdf-1.2:value>
-                <xccdf-1.2:value selector="enabled">1</xccdf-1.2:value>
-              </xccdf-1.2:Value>
-              <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_sysctl_net_ipv6_conf_default_accept_redirects_value" type="number">
-                <xccdf-1.2:title>net.ipv6.conf.default.accept_redirects</xccdf-1.2:title>
-                <xccdf-1.2:description>Toggle ICMP Redirect Acceptance By Default</xccdf-1.2:description>
-                <xccdf-1.2:value>0</xccdf-1.2:value>
-                <xccdf-1.2:value selector="disabled">0</xccdf-1.2:value>
-                <xccdf-1.2:value selector="enabled">1</xccdf-1.2:value>
-              </xccdf-1.2:Value>
-              <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_sysctl_net_ipv6_conf_default_accept_source_route_value" type="number">
-                <xccdf-1.2:title>net.ipv6.conf.default.accept_source_route</xccdf-1.2:title>
-                <xccdf-1.2:description>Trackers could be using source-routed packets to
-generate traffic that seems to be intra-net, but actually was
-created outside and has been redirected.</xccdf-1.2:description>
-                <xccdf-1.2:value>0</xccdf-1.2:value>
-                <xccdf-1.2:value selector="disabled">0</xccdf-1.2:value>
-                <xccdf-1.2:value selector="enabled">1</xccdf-1.2:value>
-              </xccdf-1.2:Value>
-              <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_sysctl_net_ipv6_conf_default_autoconf_value" type="number">
-                <xccdf-1.2:title>net.ipv6.conf.default.autoconf</xccdf-1.2:title>
-                <xccdf-1.2:description>Enable auto configuration on IPv6 interfaces</xccdf-1.2:description>
-                <xccdf-1.2:value>0</xccdf-1.2:value>
-                <xccdf-1.2:value selector="disabled">0</xccdf-1.2:value>
-                <xccdf-1.2:value selector="enabled">1</xccdf-1.2:value>
-              </xccdf-1.2:Value>
-              <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_sysctl_net_ipv6_conf_default_forwarding_value" type="number">
-                <xccdf-1.2:title>net.ipv6.conf.default.forwarding</xccdf-1.2:title>
-                <xccdf-1.2:description>Toggle IPv6 default Forwarding</xccdf-1.2:description>
-                <xccdf-1.2:value>0</xccdf-1.2:value>
-                <xccdf-1.2:value selector="disabled">0</xccdf-1.2:value>
-                <xccdf-1.2:value selector="enabled">1</xccdf-1.2:value>
-              </xccdf-1.2:Value>
-              <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_sysctl_net_ipv6_conf_default_max_addresses_value" type="number">
-                <xccdf-1.2:title>net.ipv6.conf.default.max_addresses</xccdf-1.2:title>
-                <xccdf-1.2:description>Maximum number of autoconfigured IPv6 addresses</xccdf-1.2:description>
-                <xccdf-1.2:value>1</xccdf-1.2:value>
-              </xccdf-1.2:Value>
-              <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_sysctl_net_ipv6_conf_default_router_solicitations_value" type="number">
-                <xccdf-1.2:title>net.ipv6.conf.default.router_solicitations</xccdf-1.2:title>
-                <xccdf-1.2:description>Accept all router solicitations by default?</xccdf-1.2:description>
-                <xccdf-1.2:value>0</xccdf-1.2:value>
-                <xccdf-1.2:value selector="disabled">0</xccdf-1.2:value>
-                <xccdf-1.2:value selector="enabled">1</xccdf-1.2:value>
-              </xccdf-1.2:Value>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_disabling_ipv6_autoconfig" severity="unknown">
-                <xccdf-1.2:title>Disable Automatic Configuration</xccdf-1.2:title>
-                <xccdf-1.2:description>Disable the system's acceptance of router
-advertisements and redirects by adding or correcting the following
-line in <html:code>/etc/sysconfig/network</html:code> (note that this does not disable
-sending router solicitations):
-<html:pre>IPV6_AUTOCONF=no</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:rationale>TBD</xccdf-1.2:rationale>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_ra" severity="medium">
-                <xccdf-1.2:title>Configure Accepting Router Advertisements on All IPv6 Interfaces</xccdf-1.2:title>
-                <xccdf-1.2:description>To set the runtime status of the <html:code>net.ipv6.conf.all.accept_ra</html:code> kernel parameter, run the following command: <html:pre>$ sudo sysctl -w net.ipv6.conf.all.accept_ra=0</html:pre>
-To make sure that the setting is persistent, add the following line to a file in the directory <html:code>/etc/sysctl.d</html:code>: <html:pre>net.ipv6.conf.all.accept_ra = 0</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>An illicit router advertisement message could result in a man-in-the-middle attack.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#machine"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82467-2</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="sysctl_net_ipv6_conf_all_accept_ra">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,net.ipv6.conf.all.accept_ra%3D0%0A
-        mode: 0644
-        path: /etc/sysctl.d/75-sysctl_net_ipv6_conf_all_accept_ra.conf
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-export export-name="oval:ssg-sysctl_net_ipv6_conf_all_accept_ra_value:var:1" value-id="xccdf_org.ssgproject.content_value_sysctl_net_ipv6_conf_all_accept_ra_value"/>
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sysctl_net_ipv6_conf_all_accept_ra:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_redirects" severity="medium">
-                <xccdf-1.2:title>Disable Accepting ICMP Redirects for All IPv6 Interfaces</xccdf-1.2:title>
-                <xccdf-1.2:description>To set the runtime status of the <html:code>net.ipv6.conf.all.accept_redirects</html:code> kernel parameter, run the following command: <html:pre>$ sudo sysctl -w net.ipv6.conf.all.accept_redirects=0</html:pre>
-To make sure that the setting is persistent, add the following line to a file in the directory <html:code>/etc/sysctl.d</html:code>: <html:pre>net.ipv6.conf.all.accept_redirects = 0</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001551</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6.1(iv)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>An illicit ICMP redirect message could result in a man-in-the-middle attack.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#machine"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82471-4</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="sysctl_net_ipv6_conf_all_accept_redirects">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,net.ipv6.conf.all.accept_redirects%3D0%0A
-        mode: 0644
-        path: /etc/sysctl.d/75-sysctl_net_ipv6_conf_all_accept_redirects.conf
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-export export-name="oval:ssg-sysctl_net_ipv6_conf_all_accept_redirects_value:var:1" value-id="xccdf_org.ssgproject.content_value_sysctl_net_ipv6_conf_all_accept_redirects_value"/>
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sysctl_net_ipv6_conf_all_accept_redirects:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sysctl_net_ipv6_conf_all_accept_redirects_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_all_accept_source_route" severity="medium">
-                <xccdf-1.2:title>Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces</xccdf-1.2:title>
-                <xccdf-1.2:description>To set the runtime status of the <html:code>net.ipv6.conf.all.accept_source_route</html:code> kernel parameter, run the following command: <html:pre>$ sudo sysctl -w net.ipv6.conf.all.accept_source_route=0</html:pre>
-To make sure that the setting is persistent, add the following line to a file in the directory <html:code>/etc/sysctl.d</html:code>: <html:pre>net.ipv6.conf.all.accept_source_route = 0</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.3.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.AM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Source-routed packets allow the source of the packet to suggest routers
-forward the packet along a different path than configured on the router, which can
-be used to bypass network security measures. This requirement applies only to the
-forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and
-the system is functioning as a router.
-<html:br/><html:br/>
-Accepting source-routed packets in the IPv6 protocol has few legitimate
-uses. It should be disabled unless it is absolutely required.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#machine"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82480-5</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="sysctl_net_ipv6_conf_all_accept_source_route">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,net.ipv6.conf.all.accept_source_route%3D0%0A
-        mode: 0644
-        path: /etc/sysctl.d/75-sysctl_net_ipv6_conf_all_accept_source_route.conf
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-export export-name="oval:ssg-sysctl_net_ipv6_conf_all_accept_source_route_value:var:1" value-id="xccdf_org.ssgproject.content_value_sysctl_net_ipv6_conf_all_accept_source_route_value"/>
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sysctl_net_ipv6_conf_all_accept_source_route:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sysctl_net_ipv6_conf_all_accept_source_route_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_ra" severity="medium">
-                <xccdf-1.2:title>Disable Accepting Router Advertisements on all IPv6 Interfaces by Default</xccdf-1.2:title>
-                <xccdf-1.2:description>To set the runtime status of the <html:code>net.ipv6.conf.default.accept_ra</html:code> kernel parameter, run the following command: <html:pre>$ sudo sysctl -w net.ipv6.conf.default.accept_ra=0</html:pre>
-To make sure that the setting is persistent, add the following line to a file in the directory <html:code>/etc/sysctl.d</html:code>: <html:pre>net.ipv6.conf.default.accept_ra = 0</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>An illicit router advertisement message could result in a man-in-the-middle attack.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#machine"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82468-0</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="sysctl_net_ipv6_conf_default_accept_ra">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,net.ipv6.conf.default.accept_ra%3D0%0A
-        mode: 0644
-        path: /etc/sysctl.d/75-sysctl_net_ipv6_conf_default_accept_ra.conf
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-export export-name="oval:ssg-sysctl_net_ipv6_conf_default_accept_ra_value:var:1" value-id="xccdf_org.ssgproject.content_value_sysctl_net_ipv6_conf_default_accept_ra_value"/>
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sysctl_net_ipv6_conf_default_accept_ra:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sysctl_net_ipv6_conf_default_accept_ra_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_redirects" severity="medium">
-                <xccdf-1.2:title>Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces</xccdf-1.2:title>
-                <xccdf-1.2:description>To set the runtime status of the <html:code>net.ipv6.conf.default.accept_redirects</html:code> kernel parameter, run the following command: <html:pre>$ sudo sysctl -w net.ipv6.conf.default.accept_redirects=0</html:pre>
-To make sure that the setting is persistent, add the following line to a file in the directory <html:code>/etc/sysctl.d</html:code>: <html:pre>net.ipv6.conf.default.accept_redirects = 0</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001551</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>An illicit ICMP redirect message could result in a man-in-the-middle attack.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#machine"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82477-1</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="sysctl_net_ipv6_conf_default_accept_redirects">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,net.ipv6.conf.default.accept_redirects%20%3D%200%0A
-        mode: 0644
-        path: /etc/sysctl.d/75-sysctl_net_ipv6_conf_default_accept_redirects.conf
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-export export-name="oval:ssg-sysctl_net_ipv6_conf_default_accept_redirects_value:var:1" value-id="xccdf_org.ssgproject.content_value_sysctl_net_ipv6_conf_default_accept_redirects_value"/>
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sysctl_net_ipv6_conf_default_accept_redirects:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sysctl_net_ipv6_conf_default_accept_redirects_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv6_conf_default_accept_source_route" severity="medium">
-                <xccdf-1.2:title>Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default</xccdf-1.2:title>
-                <xccdf-1.2:description>To set the runtime status of the <html:code>net.ipv6.conf.default.accept_source_route</html:code> kernel parameter, run the following command: <html:pre>$ sudo sysctl -w net.ipv6.conf.default.accept_source_route=0</html:pre>
-To make sure that the setting is persistent, add the following line to a file in the directory <html:code>/etc/sysctl.d</html:code>: <html:pre>net.ipv6.conf.default.accept_source_route = 0</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.3.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6.1(iv)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.AM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Source-routed packets allow the source of the packet to suggest routers
-forward the packet along a different path than configured on the router, which can
-be used to bypass network security measures. This requirement applies only to the
-forwarding of source-routerd traffic, such as when IPv6 forwarding is enabled and
-the system is functioning as a router.
-
-Accepting source-routed packets in the IPv6 protocol has few legitimate
-uses. It should be disabled unless it is absolutely required.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#machine"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82481-3</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="sysctl_net_ipv6_conf_default_accept_source_route">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,net.ipv6.conf.default.accept_source_route%3D0%0A
-        mode: 0644
-        path: /etc/sysctl.d/75-sysctl_net_ipv6_conf_default_accept_source_route.conf
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-export export-name="oval:ssg-sysctl_net_ipv6_conf_default_accept_source_route_value:var:1" value-id="xccdf_org.ssgproject.content_value_sysctl_net_ipv6_conf_default_accept_source_route_value"/>
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sysctl_net_ipv6_conf_default_accept_source_route:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sysctl_net_ipv6_conf_default_accept_source_route_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_network_ipv6_limit_requests">
-                <xccdf-1.2:title>Limit Network-Transmitted Configuration if Using Static IPv6 Addresses</xccdf-1.2:title>
-                <xccdf-1.2:description>To limit the configuration information requested from other
-systems and accepted from the network on a system that uses
-statically-configured IPv6 addresses, add the following lines to
-<html:code>/etc/sysctl.conf</html:code>:
-<html:pre>net.ipv6.conf.default.router_solicitations = 0
-net.ipv6.conf.default.accept_ra_rtr_pref = 0
-net.ipv6.conf.default.accept_ra_pinfo = 0
-net.ipv6.conf.default.accept_ra_defrtr = 0
-net.ipv6.conf.default.autoconf = 0
-net.ipv6.conf.default.dad_transmits = 0
-net.ipv6.conf.default.max_addresses = 1</html:pre>
-The <html:code>router_solicitations</html:code> setting determines how many router
-solicitations are sent when bringing up the interface. If addresses are
-statically assigned, there is no need to send any solicitations.
-<html:br/><html:br/>
-The <html:code>accept_ra_pinfo</html:code> setting controls whether the system will accept
-prefix info from the router.
-<html:br/><html:br/>
-The <html:code>accept_ra_defrtr</html:code> setting controls whether the system will accept
-Hop Limit settings from a router advertisement. Setting it to 0 prevents a
-router from changing your default IPv6 Hop Limit for outgoing packets.
-<html:br/><html:br/>
-The <html:code>autoconf</html:code> setting controls whether router advertisements can cause
-the system to assign a global unicast address to an interface.
-<html:br/><html:br/>
-The <html:code>dad_transmits</html:code> setting determines how many neighbor solicitations
-to send out per address (global and link-local) when bringing up an interface
-to ensure the desired address is unique on the network.
-<html:br/><html:br/>
-The <html:code>max_addresses</html:code> setting determines how many global unicast IPv6
-addresses can be assigned to each interface.  The default is 16, but it should
-be set to exactly the number of statically configured global addresses
-required.</xccdf-1.2:description>
-              </xccdf-1.2:Group>
-            </xccdf-1.2:Group>
-          </xccdf-1.2:Group>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_network-kernel">
-            <xccdf-1.2:title>Kernel Parameters Which Affect Networking</xccdf-1.2:title>
-            <xccdf-1.2:description>The <html:code>sysctl</html:code> utility is used to set
-parameters which affect the operation of the Linux kernel. Kernel parameters
-which affect networking and have security implications are described here.</xccdf-1.2:description>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_network_host_and_router_parameters">
-              <xccdf-1.2:title>Network Related Kernel Runtime Parameters for Hosts and Routers</xccdf-1.2:title>
-              <xccdf-1.2:description>Certain kernel parameters should be set for systems which are
-acting as either hosts or routers to improve the system's ability defend
-against certain types of IPv4 protocol attacks.</xccdf-1.2:description>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_all_accept_redirects_value" type="number">
-                <xccdf-1.2:title>net.ipv4.conf.all.accept_redirects</xccdf-1.2:title>
-                <xccdf-1.2:description>Disable ICMP Redirect Acceptance</xccdf-1.2:description>
-                <xccdf-1.2:value>0</xccdf-1.2:value>
-                <xccdf-1.2:value selector="disabled">0</xccdf-1.2:value>
-                <xccdf-1.2:value selector="enabled">1</xccdf-1.2:value>
-              </xccdf-1.2:Value>
-              <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_all_accept_source_route_value" type="number">
-                <xccdf-1.2:title>net.ipv4.conf.all.accept_source_route</xccdf-1.2:title>
-                <xccdf-1.2:description>Trackers could be using source-routed packets to
-generate traffic that seems to be intra-net, but actually was
-created outside and has been redirected.</xccdf-1.2:description>
-                <xccdf-1.2:value>0</xccdf-1.2:value>
-                <xccdf-1.2:value selector="disabled">0</xccdf-1.2:value>
-                <xccdf-1.2:value selector="enabled">1</xccdf-1.2:value>
-              </xccdf-1.2:Value>
-              <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_all_arp_filter_value" type="number">
-                <xccdf-1.2:title>net.ipv4.conf.default.arp_filter</xccdf-1.2:title>
-                <xccdf-1.2:description>Controls whether the ARP filter is enabled or not.
-
-1 - Allows you to have multiple network interfaces on the same subnet, and have the ARPs for each
-interface be answered based on whether or not the kernel would route a packet from the ARP&#x2019;d IP out that interface.
-In other words it allows control of which cards (usually 1) will respond to an ARP request.
-
-0 - (default) The kernel can respond to arp requests with addresses from other interfaces.
-This may seem wrong but it usually makes sense, because it increases the chance of successful communication.
-IP addresses are owned by the complete host on Linux, not by particular interfaces.</xccdf-1.2:description>
-                <xccdf-1.2:value>0</xccdf-1.2:value>
-                <xccdf-1.2:value selector="disabled">0</xccdf-1.2:value>
-                <xccdf-1.2:value selector="enabled">1</xccdf-1.2:value>
-              </xccdf-1.2:Value>
-              <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_all_arp_ignore_value" type="number">
-                <xccdf-1.2:title>net.ipv4.conf.default.arp_ignore</xccdf-1.2:title>
-                <xccdf-1.2:description>Control the response modes for ARP queries that resolve local target IP addresses:
-
-0 - (default): reply for any local target IP address, configured on any interface
-1 - reply only if the target IP address is local address configured on the incoming interface
-2 - reply only if the target IP address is local address configured on the incoming interface and both with the sender&#x2019;s IP address are part from same subnet on this interface
-3 - do not reply for local addresses configured with scope host, only resolutions for global and link addresses are replied
-4-7 - reserved
-8 - do not reply for all local addresses</xccdf-1.2:description>
-                <xccdf-1.2:value>0</xccdf-1.2:value>
-                <xccdf-1.2:value selector="0">0</xccdf-1.2:value>
-                <xccdf-1.2:value selector="1">1</xccdf-1.2:value>
-                <xccdf-1.2:value selector="2">2</xccdf-1.2:value>
-                <xccdf-1.2:value selector="3">3</xccdf-1.2:value>
-                <xccdf-1.2:value selector="8">8</xccdf-1.2:value>
-              </xccdf-1.2:Value>
-              <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_all_forwarding_value" type="number">
-                <xccdf-1.2:title>net.ipv4.conf.all.forwarding</xccdf-1.2:title>
-                <xccdf-1.2:description>Toggle IPv4 Forwarding</xccdf-1.2:description>
-                <xccdf-1.2:value>0</xccdf-1.2:value>
-                <xccdf-1.2:value selector="disabled">0</xccdf-1.2:value>
-                <xccdf-1.2:value selector="enabled">1</xccdf-1.2:value>
-              </xccdf-1.2:Value>
-              <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_all_log_martians_value" type="number">
-                <xccdf-1.2:title>net.ipv4.conf.all.log_martians</xccdf-1.2:title>
-                <xccdf-1.2:description>Disable so you don't Log Spoofed Packets, Source
-Routed Packets, Redirect Packets</xccdf-1.2:description>
-                <xccdf-1.2:value>1</xccdf-1.2:value>
-                <xccdf-1.2:value selector="disabled">0</xccdf-1.2:value>
-                <xccdf-1.2:value selector="enabled">1</xccdf-1.2:value>
-              </xccdf-1.2:Value>
-              <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_all_rp_filter_value" type="number">
-                <xccdf-1.2:title>net.ipv4.conf.all.rp_filter</xccdf-1.2:title>
-                <xccdf-1.2:description>Enable to enforce sanity checking, also called ingress
-filtering or egress filtering. The point is to drop a packet if the
-source and destination IP addresses in the IP header do not make
-sense when considered in light of the physical interface on which
-it arrived.</xccdf-1.2:description>
-                <xccdf-1.2:value>1</xccdf-1.2:value>
-                <xccdf-1.2:value selector="enabled">1</xccdf-1.2:value>
-                <xccdf-1.2:value selector="loose">2</xccdf-1.2:value>
-              </xccdf-1.2:Value>
-              <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_all_secure_redirects_value" type="number">
-                <xccdf-1.2:title>net.ipv4.conf.all.secure_redirects</xccdf-1.2:title>
-                <xccdf-1.2:description>Enable to prevent hijacking of routing path by only
-allowing redirects from gateways known in routing
-table. Disable to refuse acceptance of secure ICMP redirected packets on all interfaces.</xccdf-1.2:description>
-                <xccdf-1.2:value>0</xccdf-1.2:value>
-                <xccdf-1.2:value selector="disabled">0</xccdf-1.2:value>
-                <xccdf-1.2:value selector="enabled">1</xccdf-1.2:value>
-              </xccdf-1.2:Value>
-              <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_all_shared_media_value" type="number">
-                <xccdf-1.2:title>net.ipv4.conf.all.shared_media</xccdf-1.2:title>
-                <xccdf-1.2:description>Controls whether the system can send (router) or accept (host) RFC1620 shared media redirects.
-<html:code>shared_media</html:code> for the interface will be enabled if at least one of conf/{all,interface}/shared_media
-is set to TRUE, it will be disabled otherwise.</xccdf-1.2:description>
-                <xccdf-1.2:value>0</xccdf-1.2:value>
-                <xccdf-1.2:value selector="disabled">0</xccdf-1.2:value>
-                <xccdf-1.2:value selector="enabled">1</xccdf-1.2:value>
-              </xccdf-1.2:Value>
-              <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_default_accept_redirects_value" type="number">
-                <xccdf-1.2:title>net.ipv4.conf.default.accept_redirects</xccdf-1.2:title>
-                <xccdf-1.2:description>Disable ICMP Redirect Acceptance?</xccdf-1.2:description>
-                <xccdf-1.2:value>0</xccdf-1.2:value>
-                <xccdf-1.2:value selector="disabled">0</xccdf-1.2:value>
-                <xccdf-1.2:value selector="enabled">1</xccdf-1.2:value>
-              </xccdf-1.2:Value>
-              <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_default_accept_source_route_value" type="number">
-                <xccdf-1.2:title>net.ipv4.conf.default.accept_source_route</xccdf-1.2:title>
-                <xccdf-1.2:description>Disable IP source routing?</xccdf-1.2:description>
-                <xccdf-1.2:value>0</xccdf-1.2:value>
-                <xccdf-1.2:value selector="disabled">0</xccdf-1.2:value>
-                <xccdf-1.2:value selector="enabled">1</xccdf-1.2:value>
-              </xccdf-1.2:Value>
-              <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_default_log_martians_value" type="number">
-                <xccdf-1.2:title>net.ipv4.conf.default.log_martians</xccdf-1.2:title>
-                <xccdf-1.2:description>Disable so you don't Log Spoofed Packets, Source
-Routed Packets, Redirect Packets</xccdf-1.2:description>
-                <xccdf-1.2:value>1</xccdf-1.2:value>
-                <xccdf-1.2:value selector="disabled">0</xccdf-1.2:value>
-                <xccdf-1.2:value selector="enabled">1</xccdf-1.2:value>
-              </xccdf-1.2:Value>
-              <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_default_rp_filter_value" type="number">
-                <xccdf-1.2:title>net.ipv4.conf.default.rp_filter</xccdf-1.2:title>
-                <xccdf-1.2:description>Enables source route verification</xccdf-1.2:description>
-                <xccdf-1.2:value>1</xccdf-1.2:value>
-                <xccdf-1.2:value selector="disabled">0</xccdf-1.2:value>
-                <xccdf-1.2:value selector="enabled">1</xccdf-1.2:value>
-              </xccdf-1.2:Value>
-              <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_default_secure_redirects_value" type="number">
-                <xccdf-1.2:title>net.ipv4.conf.default.secure_redirects</xccdf-1.2:title>
-                <xccdf-1.2:description>Enable to prevent hijacking of routing path by only
-allowing redirects from gateways known in routing
-table. Disable to refuse acceptance of secure ICMP redirected packages by default.</xccdf-1.2:description>
-                <xccdf-1.2:value>0</xccdf-1.2:value>
-                <xccdf-1.2:value selector="disabled">0</xccdf-1.2:value>
-                <xccdf-1.2:value selector="enabled">1</xccdf-1.2:value>
-              </xccdf-1.2:Value>
-              <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_default_shared_media_value" type="number">
-                <xccdf-1.2:title>net.ipv4.conf.default.shared_media</xccdf-1.2:title>
-                <xccdf-1.2:description>Controls whether the system can send(router) or accept(host) RFC1620 shared media redirects.
-<html:code>shared_media</html:code> for the interface will be enabled if at least one of conf/{all,interface}/shared_media
-is set to TRUE, it will be disabled otherwise.</xccdf-1.2:description>
-                <xccdf-1.2:value>0</xccdf-1.2:value>
-                <xccdf-1.2:value selector="disabled">0</xccdf-1.2:value>
-                <xccdf-1.2:value selector="enabled">1</xccdf-1.2:value>
-              </xccdf-1.2:Value>
-              <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value" type="number">
-                <xccdf-1.2:title>net.ipv4.icmp_echo_ignore_broadcasts</xccdf-1.2:title>
-                <xccdf-1.2:description>Ignore all ICMP ECHO and TIMESTAMP requests sent to it
-via broadcast/multicast</xccdf-1.2:description>
-                <xccdf-1.2:value>1</xccdf-1.2:value>
-                <xccdf-1.2:value selector="disabled">0</xccdf-1.2:value>
-                <xccdf-1.2:value selector="enabled">1</xccdf-1.2:value>
-              </xccdf-1.2:Value>
-              <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value" type="number">
-                <xccdf-1.2:title>net.ipv4.icmp_ignore_bogus_error_responses</xccdf-1.2:title>
-                <xccdf-1.2:description>Enable to prevent unnecessary logging</xccdf-1.2:description>
-                <xccdf-1.2:value>1</xccdf-1.2:value>
-                <xccdf-1.2:value selector="disabled">0</xccdf-1.2:value>
-                <xccdf-1.2:value selector="enabled">1</xccdf-1.2:value>
-              </xccdf-1.2:Value>
-              <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_tcp_invalid_ratelimit_value" type="number">
-                <xccdf-1.2:title>net.ipv4.tcp_invalid_ratelimit</xccdf-1.2:title>
-                <xccdf-1.2:description>Configure  the maximal rate for sending duplicate acknowledgments in
-response to incoming invalid TCP packets.</xccdf-1.2:description>
-                <xccdf-1.2:value>500</xccdf-1.2:value>
-                <xccdf-1.2:value selector="one_thousand">1000</xccdf-1.2:value>
-                <xccdf-1.2:value selector="five_hundred">500</xccdf-1.2:value>
-                <xccdf-1.2:value selector="two_hundred_fifty">250</xccdf-1.2:value>
-                <xccdf-1.2:value selector="one_hundred">100</xccdf-1.2:value>
-              </xccdf-1.2:Value>
-              <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_tcp_rfc1337_value" type="number">
-                <xccdf-1.2:title>net.ipv4.tcp_rfc1337</xccdf-1.2:title>
-                <xccdf-1.2:description>Enable to enable TCP behavior conformant with RFC 1337</xccdf-1.2:description>
-                <xccdf-1.2:value>1</xccdf-1.2:value>
-                <xccdf-1.2:value selector="disabled">0</xccdf-1.2:value>
-                <xccdf-1.2:value selector="enabled">1</xccdf-1.2:value>
-              </xccdf-1.2:Value>
-              <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_tcp_syncookies_value" type="number">
-                <xccdf-1.2:title>net.ipv4.tcp_syncookies</xccdf-1.2:title>
-                <xccdf-1.2:description>Enable to turn on TCP SYN Cookie
-Protection</xccdf-1.2:description>
-                <xccdf-1.2:value>1</xccdf-1.2:value>
-                <xccdf-1.2:value selector="disabled">0</xccdf-1.2:value>
-                <xccdf-1.2:value selector="enabled">1</xccdf-1.2:value>
-              </xccdf-1.2:Value>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_local" severity="medium">
-                <xccdf-1.2:title>Disable Accepting Packets Routed Between Local Interfaces</xccdf-1.2:title>
-                <xccdf-1.2:description>To set the runtime status of the <html:code>net.ipv4.conf.all.accept_local</html:code> kernel parameter, run the following command: <html:pre>$ sudo sysctl -w net.ipv4.conf.all.accept_local=0</html:pre>
-To make sure that the setting is persistent, add the following line to a file in the directory <html:code>/etc/sysctl.d</html:code>: <html:pre>net.ipv4.conf.all.accept_local = 0</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:rationale>Configure <html:code>net.ipv4.conf.all.accept_local=0</html:code> to consider as invalid the packets
-received from outside whose source is the 127.0.0.0/8 address block.
-In combination with suitable routing, this can be used to direct packets between two
-local interfaces over the wire and have them accepted properly.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#machine"/>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sysctl_net_ipv4_conf_all_accept_local:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sysctl_net_ipv4_conf_all_accept_local_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_redirects" severity="medium">
-                <xccdf-1.2:title>Disable Accepting ICMP Redirects for All IPv4 Interfaces</xccdf-1.2:title>
-                <xccdf-1.2:description>To set the runtime status of the <html:code>net.ipv4.conf.all.accept_redirects</html:code> kernel parameter, run the following command: <html:pre>$ sudo sysctl -w net.ipv4.conf.all.accept_redirects=0</html:pre>
-To make sure that the setting is persistent, add the following line to a file in the directory <html:code>/etc/sysctl.d</html:code>: <html:pre>net.ipv4.conf.all.accept_redirects = 0</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI04.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001503</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001551</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.17.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>ICMP redirect messages are used by routers to inform hosts that a more
-direct route exists for a particular destination. These messages modify the
-host's route table and are unauthenticated. An illicit ICMP redirect
-message could result in a man-in-the-middle attack.
-<html:br/>
-This feature of the IPv4 protocol has few legitimate uses. It should be
-disabled unless absolutely required."</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#machine"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82469-8</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="sysctl_net_ipv4_conf_all_accept_redirects">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,net.ipv4.conf.all.accept_redirects%3D0%0A
-        mode: 0644
-        path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_all_accept_redirects.conf
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-export export-name="oval:ssg-sysctl_net_ipv4_conf_all_accept_redirects_value:var:1" value-id="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_all_accept_redirects_value"/>
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sysctl_net_ipv4_conf_all_accept_redirects:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sysctl_net_ipv4_conf_all_accept_redirects_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_accept_source_route" severity="medium">
-                <xccdf-1.2:title>Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces</xccdf-1.2:title>
-                <xccdf-1.2:description>To set the runtime status of the <html:code>net.ipv4.conf.all.accept_source_route</html:code> kernel parameter, run the following command: <html:pre>$ sudo sysctl -w net.ipv4.conf.all.accept_source_route=0</html:pre>
-To make sure that the setting is persistent, add the following line to a file in the directory <html:code>/etc/sysctl.d</html:code>: <html:pre>net.ipv4.conf.all.accept_source_route = 0</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI04.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.3.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.17.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.AM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Source-routed packets allow the source of the packet to suggest routers
-forward the packet along a different path than configured on the router,
-which can be used to bypass network security measures. This requirement
-applies only to the forwarding of source-routerd traffic, such as when IPv4
-forwarding is enabled and the system is functioning as a router.
-<html:br/><html:br/>
-Accepting source-routed packets in the IPv4 protocol has few legitimate
-uses. It should be disabled unless it is absolutely required.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#machine"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82478-9</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="sysctl_net_ipv4_conf_all_accept_source_route">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,net.ipv4.conf.all.accept_source_route%3D0%0A
-        mode: 0644
-        path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_all_accept_source_route.conf
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-export export-name="oval:ssg-sysctl_net_ipv4_conf_all_accept_source_route_value:var:1" value-id="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_all_accept_source_route_value"/>
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sysctl_net_ipv4_conf_all_accept_source_route:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sysctl_net_ipv4_conf_all_accept_source_route_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_arp_filter" severity="medium">
-                <xccdf-1.2:title>Configure ARP filtering for All IPv4 Interfaces</xccdf-1.2:title>
-                <xccdf-1.2:description>To set the runtime status of the <html:code>net.ipv4.conf.all.arp_filter</html:code> kernel parameter, run the following command: <html:pre>$ sudo sysctl -w net.ipv4.conf.all.arp_filter=<xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_all_arp_filter_value" use="legacy"/></html:pre>
-To make sure that the setting is persistent, add the following line to a file in the directory <html:code>/etc/sysctl.d</html:code>: <html:pre>net.ipv4.conf.all.arp_filter = <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_all_arp_filter_value" use="legacy"/></html:pre></xccdf-1.2:description>
-                <xccdf-1.2:warning category="functionality">This behaviour may cause problems to system on a high availability or load balancing configuration.</xccdf-1.2:warning>
-                <xccdf-1.2:rationale>Prevents the Linux Kernel from handling the ARP table globally.
-By default, the kernel may respond to an ARP request from a certain interface with information
-from another interface.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#machine"/>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-export export-name="oval:ssg-sysctl_net_ipv4_conf_all_arp_filter_value:var:1" value-id="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_all_arp_filter_value"/>
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sysctl_net_ipv4_conf_all_arp_filter:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sysctl_net_ipv4_conf_all_arp_filter_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_arp_ignore" severity="medium">
-                <xccdf-1.2:title>Configure Response Mode of ARP Requests for All IPv4 Interfaces</xccdf-1.2:title>
-                <xccdf-1.2:description>To set the runtime status of the <html:code>net.ipv4.conf.all.arp_ignore</html:code> kernel parameter, run the following command: <html:pre>$ sudo sysctl -w net.ipv4.conf.all.arp_ignore=<xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_all_arp_ignore_value" use="legacy"/></html:pre>
-To make sure that the setting is persistent, add the following line to a file in the directory <html:code>/etc/sysctl.d</html:code>: <html:pre>net.ipv4.conf.all.arp_ignore = <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_all_arp_ignore_value" use="legacy"/></html:pre></xccdf-1.2:description>
-                <xccdf-1.2:warning category="functionality">The ARP response mode may impact behaviour of workloads and firewalls on the system.</xccdf-1.2:warning>
-                <xccdf-1.2:rationale>Avoids ARP Flux on system that have more than one interface on the same subnet.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#machine"/>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-export export-name="oval:ssg-sysctl_net_ipv4_conf_all_arp_ignore_value:var:1" value-id="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_all_arp_ignore_value"/>
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sysctl_net_ipv4_conf_all_arp_ignore:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sysctl_net_ipv4_conf_all_arp_ignore_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_log_martians" severity="unknown">
-                <xccdf-1.2:title>Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces</xccdf-1.2:title>
-                <xccdf-1.2:description>To set the runtime status of the <html:code>net.ipv4.conf.all.log_martians</html:code> kernel parameter, run the following command: <html:pre>$ sudo sysctl -w net.ipv4.conf.all.log_martians=1</html:pre>
-To make sure that the setting is persistent, add the following line to a file in the directory <html:code>/etc/sysctl.d</html:code>: <html:pre>net.ipv4.conf.all.log_martians = 1</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI04.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000126</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.17.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5(3)(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>The presence of "martian" packets (which have impossible addresses)
-as well as spoofed packets, source-routed packets, and redirects could be a
-sign of nefarious network activity. Logging these packets enables this activity
-to be detected.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#machine"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82486-2</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="sysctl_net_ipv4_conf_all_log_martians">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,net.ipv4.conf.all.log_martians%3D1%0A
-        mode: 0644
-        path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_all_log_martians.conf
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-export export-name="oval:ssg-sysctl_net_ipv4_conf_all_log_martians_value:var:1" value-id="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_all_log_martians_value"/>
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sysctl_net_ipv4_conf_all_log_martians:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sysctl_net_ipv4_conf_all_log_martians_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_route_localnet" severity="medium">
-                <xccdf-1.2:title>Prevent Routing External Traffic to Local Loopback on All IPv4 Interfaces</xccdf-1.2:title>
-                <xccdf-1.2:description>To set the runtime status of the <html:code>net.ipv4.conf.all.route_localnet</html:code> kernel parameter, run the following command: <html:pre>$ sudo sysctl -w net.ipv4.conf.all.route_localnet=0</html:pre>
-To make sure that the setting is persistent, add the following line to a file in the directory <html:code>/etc/sysctl.d</html:code>: <html:pre>net.ipv4.conf.all.route_localnet = 0</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:rationale>Refuse the routing of packets whose source or destination address is the local loopback.
-This prohibits the use of network 127/8 for local routing purposes.
-Enabling <html:code>route_localnet</html:code> can expose applications listening on localhost to external traffic.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#machine"/>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sysctl_net_ipv4_conf_all_route_localnet:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sysctl_net_ipv4_conf_all_route_localnet_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter" severity="medium">
-                <xccdf-1.2:title>Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces</xccdf-1.2:title>
-                <xccdf-1.2:description>To set the runtime status of the <html:code>net.ipv4.conf.all.rp_filter</html:code> kernel parameter, run the following command: <html:pre>$ sudo sysctl -w net.ipv4.conf.all.rp_filter=1</html:pre>
-To make sure that the setting is persistent, add the following line to a file in the directory <html:code>/etc/sysctl.d</html:code>: <html:pre>net.ipv4.conf.all.rp_filter = 1</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI04.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001551</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.3.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.17.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.AM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Enabling reverse path filtering drops packets with source addresses
-that should not have been able to be received on the interface they were
-received on. It should not be used on systems which are routers for
-complicated networks, but is helpful for end hosts and routers serving small
-networks.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#machine"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82488-8</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="sysctl_net_ipv4_conf_all_rp_filter">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,net.ipv4.conf.all.rp_filter%3D1%0A
-        mode: 0644
-        path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_all_rp_filter.conf
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-export export-name="oval:ssg-sysctl_net_ipv4_conf_all_rp_filter_value:var:1" value-id="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_all_rp_filter_value"/>
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sysctl_net_ipv4_conf_all_rp_filter:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sysctl_net_ipv4_conf_all_rp_filter_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_secure_redirects" severity="medium">
-                <xccdf-1.2:title>Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces</xccdf-1.2:title>
-                <xccdf-1.2:description>To set the runtime status of the <html:code>net.ipv4.conf.all.secure_redirects</html:code> kernel parameter, run the following command: <html:pre>$ sudo sysctl -w net.ipv4.conf.all.secure_redirects=0</html:pre>
-To make sure that the setting is persistent, add the following line to a file in the directory <html:code>/etc/sysctl.d</html:code>: <html:pre>net.ipv4.conf.all.secure_redirects = 0</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI04.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001503</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001551</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.3.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.17.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.AM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Accepting "secure" ICMP redirects (from those gateways listed as
-default gateways) has few legitimate uses. It should be disabled unless it is
-absolutely required.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#machine"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82482-1</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="sysctl_net_ipv4_conf_all_secure_redirects">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,net.ipv4.conf.all.secure_redirects%3D0%0A
-        mode: 0644
-        path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_all_secure_redirects.conf
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-export export-name="oval:ssg-sysctl_net_ipv4_conf_all_secure_redirects_value:var:1" value-id="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_all_secure_redirects_value"/>
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sysctl_net_ipv4_conf_all_secure_redirects:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sysctl_net_ipv4_conf_all_secure_redirects_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_shared_media" severity="medium">
-                <xccdf-1.2:title>Configure Sending and Accepting Shared Media Redirects for All IPv4 Interfaces</xccdf-1.2:title>
-                <xccdf-1.2:description>To set the runtime status of the <html:code>net.ipv4.conf.all.shared_media</html:code> kernel parameter, run the following command: <html:pre>$ sudo sysctl -w net.ipv4.conf.all.shared_media=<xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_all_shared_media_value" use="legacy"/></html:pre>
-To make sure that the setting is persistent, add the following line to a file in the directory <html:code>/etc/sysctl.d</html:code>: <html:pre>net.ipv4.conf.all.shared_media = <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_all_shared_media_value" use="legacy"/></html:pre></xccdf-1.2:description>
-                <xccdf-1.2:rationale>This setting should be aligned with <html:code>net.ipv4.conf.all.secure_redirects</html:code> because it overrides it.
-If <html:code>shared_media</html:code> is enabled for an interface <html:code>secure_redirects</html:code> will be enabled too.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#machine"/>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-export export-name="oval:ssg-sysctl_net_ipv4_conf_all_shared_media_value:var:1" value-id="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_all_shared_media_value"/>
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sysctl_net_ipv4_conf_all_shared_media:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sysctl_net_ipv4_conf_all_shared_media_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_redirects" severity="medium">
-                <xccdf-1.2:title>Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces</xccdf-1.2:title>
-                <xccdf-1.2:description>To set the runtime status of the <html:code>net.ipv4.conf.default.accept_redirects</html:code> kernel parameter, run the following command: <html:pre>$ sudo sysctl -w net.ipv4.conf.default.accept_redirects=0</html:pre>
-To make sure that the setting is persistent, add the following line to a file in the directory <html:code>/etc/sysctl.d</html:code>: <html:pre>net.ipv4.conf.default.accept_redirects = 0</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI04.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001551</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.3.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.17.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.AM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>ICMP redirect messages are used by routers to inform hosts that a more
-direct route exists for a particular destination. These messages modify the
-host's route table and are unauthenticated. An illicit ICMP redirect
-message could result in a man-in-the-middle attack.
-<html:br/>This feature of the IPv4 protocol has few legitimate uses. It should
-be disabled unless absolutely required.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#machine"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82470-6</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="sysctl_net_ipv4_conf_default_accept_redirects">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,net.ipv4.conf.default.accept_redirects%3D0%0A
-        mode: 0644
-        path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_default_accept_redirects.conf
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-export export-name="oval:ssg-sysctl_net_ipv4_conf_default_accept_redirects_value:var:1" value-id="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_default_accept_redirects_value"/>
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sysctl_net_ipv4_conf_default_accept_redirects:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sysctl_net_ipv4_conf_default_accept_redirects_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_accept_source_route" severity="medium">
-                <xccdf-1.2:title>Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default</xccdf-1.2:title>
-                <xccdf-1.2:description>To set the runtime status of the <html:code>net.ipv4.conf.default.accept_source_route</html:code> kernel parameter, run the following command: <html:pre>$ sudo sysctl -w net.ipv4.conf.default.accept_source_route=0</html:pre>
-To make sure that the setting is persistent, add the following line to a file in the directory <html:code>/etc/sysctl.d</html:code>: <html:pre>net.ipv4.conf.default.accept_source_route = 0</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI04.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001551</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.3.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.17.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.AM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Source-routed packets allow the source of the packet to suggest routers
-forward the packet along a different path than configured on the router,
-which can be used to bypass network security measures.
-<html:br/>
-Accepting source-routed packets in the IPv4 protocol has few legitimate
-uses. It should be disabled unless it is absolutely required, such as when
-IPv4 forwarding is enabled and the system is legitimately functioning as a
-router.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#machine"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82479-7</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="sysctl_net_ipv4_conf_default_accept_source_route">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,net.ipv4.conf.default.accept_source_route%3D0%0A
-        mode: 0644
-        path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_default_accept_source_route.conf
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-export export-name="oval:ssg-sysctl_net_ipv4_conf_default_accept_source_route_value:var:1" value-id="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_default_accept_source_route_value"/>
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sysctl_net_ipv4_conf_default_accept_source_route:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sysctl_net_ipv4_conf_default_accept_source_route_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_log_martians" severity="unknown">
-                <xccdf-1.2:title>Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Default</xccdf-1.2:title>
-                <xccdf-1.2:description>To set the runtime status of the <html:code>net.ipv4.conf.default.log_martians</html:code> kernel parameter, run the following command: <html:pre>$ sudo sysctl -w net.ipv4.conf.default.log_martians=1</html:pre>
-To make sure that the setting is persistent, add the following line to a file in the directory <html:code>/etc/sysctl.d</html:code>: <html:pre>net.ipv4.conf.default.log_martians = 1</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI04.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000126</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.17.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5(3)(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>The presence of "martian" packets (which have impossible addresses)
-as well as spoofed packets, source-routed packets, and redirects could be a
-sign of nefarious network activity. Logging these packets enables this activity
-to be detected.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#machine"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82487-0</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="sysctl_net_ipv4_conf_default_log_martians">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,net.ipv4.conf.default.log_martians%3D1%0A
-        mode: 0644
-        path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_default_log_martians.conf
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-export export-name="oval:ssg-sysctl_net_ipv4_conf_default_log_martians_value:var:1" value-id="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_default_log_martians_value"/>
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sysctl_net_ipv4_conf_default_log_martians:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sysctl_net_ipv4_conf_default_log_martians_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_rp_filter" severity="medium">
-                <xccdf-1.2:title>Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default</xccdf-1.2:title>
-                <xccdf-1.2:description>To set the runtime status of the <html:code>net.ipv4.conf.default.rp_filter</html:code> kernel parameter, run the following command: <html:pre>$ sudo sysctl -w net.ipv4.conf.default.rp_filter=1</html:pre>
-To make sure that the setting is persistent, add the following line to a file in the directory <html:code>/etc/sysctl.d</html:code>: <html:pre>net.ipv4.conf.default.rp_filter = 1</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI04.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.3.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.17.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.AM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Enabling reverse path filtering drops packets with source addresses
-that should not have been able to be received on the interface they were
-received on. It should not be used on systems which are routers for
-complicated networks, but is helpful for end hosts and routers serving small
-networks.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#machine"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82489-6</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="sysctl_net_ipv4_conf_default_rp_filter">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,net.ipv4.conf.default.rp_filter%3D1%0A
-        mode: 0644
-        path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_default_rp_filter.conf
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-export export-name="oval:ssg-sysctl_net_ipv4_conf_default_rp_filter_value:var:1" value-id="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_default_rp_filter_value"/>
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sysctl_net_ipv4_conf_default_rp_filter:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sysctl_net_ipv4_conf_default_rp_filter_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_secure_redirects" severity="medium">
-                <xccdf-1.2:title>Configure Kernel Parameter for Accepting Secure Redirects By Default</xccdf-1.2:title>
-                <xccdf-1.2:description>To set the runtime status of the <html:code>net.ipv4.conf.default.secure_redirects</html:code> kernel parameter, run the following command: <html:pre>$ sudo sysctl -w net.ipv4.conf.default.secure_redirects=0</html:pre>
-To make sure that the setting is persistent, add the following line to a file in the directory <html:code>/etc/sysctl.d</html:code>: <html:pre>net.ipv4.conf.default.secure_redirects = 0</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI04.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001551</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.3.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.17.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.AM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Accepting "secure" ICMP redirects (from those gateways listed as
-default gateways) has few legitimate uses. It should be disabled unless it is
-absolutely required.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#machine"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82483-9</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="sysctl_net_ipv4_conf_default_secure_redirects">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,net.ipv4.conf.default.secure_redirects%3D0%0A
-        mode: 0644
-        path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_default_secure_redirects.conf
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-export export-name="oval:ssg-sysctl_net_ipv4_conf_default_secure_redirects_value:var:1" value-id="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_default_secure_redirects_value"/>
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sysctl_net_ipv4_conf_default_secure_redirects:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sysctl_net_ipv4_conf_default_secure_redirects_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_shared_media" severity="medium">
-                <xccdf-1.2:title>Configure Sending and Accepting Shared Media Redirects by Default</xccdf-1.2:title>
-                <xccdf-1.2:description>To set the runtime status of the <html:code>net.ipv4.conf.default.shared_media</html:code> kernel parameter, run the following command: <html:pre>$ sudo sysctl -w net.ipv4.conf.default.shared_media=<xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_default_shared_media_value" use="legacy"/></html:pre>
-To make sure that the setting is persistent, add the following line to a file in the directory <html:code>/etc/sysctl.d</html:code>: <html:pre>net.ipv4.conf.default.shared_media = <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_default_shared_media_value" use="legacy"/></html:pre></xccdf-1.2:description>
-                <xccdf-1.2:rationale>This setting should be aligned with <html:code>net.ipv4.conf.default.secure_redirects</html:code> because it overrides it.
-If <html:code>shared_media</html:code> is enabled for an interface <html:code>secure_redirects</html:code> will be enabled too.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#machine"/>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-export export-name="oval:ssg-sysctl_net_ipv4_conf_default_shared_media_value:var:1" value-id="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_conf_default_shared_media_value"/>
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sysctl_net_ipv4_conf_default_shared_media:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sysctl_net_ipv4_conf_default_shared_media_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_echo_ignore_broadcasts" severity="medium">
-                <xccdf-1.2:title>Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces</xccdf-1.2:title>
-                <xccdf-1.2:description>To set the runtime status of the <html:code>net.ipv4.icmp_echo_ignore_broadcasts</html:code> kernel parameter, run the following command: <html:pre>$ sudo sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1</html:pre>
-To make sure that the setting is persistent, add the following line to a file in the directory <html:code>/etc/sysctl.d</html:code>: <html:pre>net.ipv4.icmp_echo_ignore_broadcasts = 1</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI04.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.3.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.17.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.AM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Responding to broadcast (ICMP) echoes facilitates network mapping
-and provides a vector for amplification attacks.
-<html:br/>
-Ignoring ICMP echo requests (pings) sent to broadcast or multicast
-addresses makes the system slightly more difficult to enumerate on the network.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#machine"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82491-2</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="sysctl_net_ipv4_icmp_echo_ignore_broadcasts">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,net.ipv4.icmp_echo_ignore_broadcasts%3D1%0A
-        mode: 0644
-        path: /etc/sysctl.d/75-sysctl_net_ipv4_icmp_echo_ignore_broadcasts.conf
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-export export-name="oval:ssg-sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:var:1" value-id="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value"/>
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sysctl_net_ipv4_icmp_echo_ignore_broadcasts:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sysctl_net_ipv4_icmp_echo_ignore_broadcasts_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_icmp_ignore_bogus_error_responses" severity="unknown">
-                <xccdf-1.2:title>Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces</xccdf-1.2:title>
-                <xccdf-1.2:description>To set the runtime status of the <html:code>net.ipv4.icmp_ignore_bogus_error_responses</html:code> kernel parameter, run the following command: <html:pre>$ sudo sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1</html:pre>
-To make sure that the setting is persistent, add the following line to a file in the directory <html:code>/etc/sysctl.d</html:code>: <html:pre>net.ipv4.icmp_ignore_bogus_error_responses = 1</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI04.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.17.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Ignoring bogus ICMP error responses reduces
-log size, although some activity would not be logged.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#machine"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82490-4</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="sysctl_net_ipv4_icmp_ignore_bogus_error_responses">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,net.ipv4.icmp_ignore_bogus_error_responses%3D1%0A
-        mode: 0644
-        path: /etc/sysctl.d/75-sysctl_net_ipv4_icmp_ignore_bogus_error_responses.conf
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-export export-name="oval:ssg-sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:var:1" value-id="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value"/>
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sysctl_net_ipv4_icmp_ignore_bogus_error_responses:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sysctl_net_ipv4_icmp_ignore_bogus_error_responses_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_invalid_ratelimit" severity="medium">
-                <xccdf-1.2:title>Configure Kernel to Rate Limit Sending of Duplicate TCP Acknowledgments</xccdf-1.2:title>
-                <xccdf-1.2:description>Make sure that the system is configured to limit the maximal rate for sending
-duplicate acknowledgments in response to incoming TCP packets that are for
-an existing connection but that are invalid due to any of these reasons:
-
-(a) out-of-window sequence number, (b) out-of-window acknowledgment number,
-or (c) PAWS (Protection Against Wrapped Sequence numbers) check failure
-This measure protects against or limits effects of DoS attacks against the system.
-Set the system to implement rate-limiting measures by adding the following line to
-<html:code>/etc/sysctl.conf</html:code> or a configuration file in the <html:code>/etc/sysctl.d/</html:code> directory
-(or modify the line to have the required value):
-<html:pre>net.ipv4.tcp_invalid_ratelimit = <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_tcp_invalid_ratelimit_value" use="legacy"/></html:pre>
-Issue the following command to make the changes take effect:
-<html:pre># sysctl --system</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002385</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000420-GPOS-00186</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">SRG-OS-000420-VMM-001690</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Denial of Service (DoS) is a condition when a resource is not available for legitimate users. When
-this occurs, the organization either cannot accomplish its mission or must
-operate at degraded capacity.
-<html:br/><html:br/>
-This can help mitigate simple &#x201C;ack loop&#x201D; DoS attacks, wherein a buggy or
-malicious middlebox or man-in-the-middle can rewrite TCP header fields in
-manner that causes each endpoint to think that the other is sending invalid
-TCP segments, thus causing each side to send an unterminating stream of
-duplicate acknowledgments for invalid segments.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#machine"/>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-export export-name="oval:ssg-sysctl_net_ipv4_tcp_invalid_ratelimit_value:var:1" value-id="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_tcp_invalid_ratelimit_value"/>
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sysctl_net_ipv4_tcp_invalid_ratelimit:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sysctl_net_ipv4_tcp_invalid_ratelimit_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_tcp_syncookies" severity="medium">
-                <xccdf-1.2:title>Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces</xccdf-1.2:title>
-                <xccdf-1.2:description>To set the runtime status of the <html:code>net.ipv4.tcp_syncookies</html:code> kernel parameter, run the following command: <html:pre>$ sudo sysctl -w net.ipv4.tcp_syncookies=1</html:pre>
-To make sure that the setting is persistent, add the following line to a file in the directory <html:code>/etc/sysctl.d</html:code>: <html:pre>net.ipv4.tcp_syncookies = 1</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI04.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001095</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.3.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.17.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5(1)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5(2)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5(3)(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.AM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000420-GPOS-00186</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000142-GPOS-00071</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>A TCP SYN flood attack can cause a denial of service by filling a
-system's TCP connection table with connections in the SYN_RCVD state.
-Syncookies can be used to track a connection when a subsequent ACK is received,
-verifying the initiator is attempting a valid connection and is not a flood
-source. This feature is activated when a flood condition is detected, and
-enables the system to continue servicing valid connection requests.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#machine"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82492-0</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="sysctl_net_ipv4_tcp_syncookies">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,net.ipv4.tcp_syncookies%3D1%0A
-        mode: 0644
-        path: /etc/sysctl.d/75-sysctl_net_ipv4_tcp_syncookies.conf
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-export export-name="oval:ssg-sysctl_net_ipv4_tcp_syncookies_value:var:1" value-id="xccdf_org.ssgproject.content_value_sysctl_net_ipv4_tcp_syncookies_value"/>
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sysctl_net_ipv4_tcp_syncookies:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sysctl_net_ipv4_tcp_syncookies_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-            </xccdf-1.2:Group>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_network_host_parameters">
-              <xccdf-1.2:title>Network Parameters for Hosts Only</xccdf-1.2:title>
-              <xccdf-1.2:description>If the system is not going to be used as a router, then setting certain
-kernel parameters ensure that the host will not perform routing
-of network traffic.</xccdf-1.2:description>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_send_redirects" severity="medium">
-                <xccdf-1.2:title>Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces</xccdf-1.2:title>
-                <xccdf-1.2:description>To set the runtime status of the <html:code>net.ipv4.conf.all.send_redirects</html:code> kernel parameter, run the following command: <html:pre>$ sudo sysctl -w net.ipv4.conf.all.send_redirects=0</html:pre>
-To make sure that the setting is persistent, add the following line to a file in the directory <html:code>/etc/sysctl.d</html:code>: <html:pre>net.ipv4.conf.all.send_redirects = 0</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI04.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.3.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.17.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.AM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>ICMP redirect messages are used by routers to inform hosts that a more
-direct route exists for a particular destination. These messages contain information
-from the system's route table possibly revealing portions of the network topology.
-<html:br/>
-The ability to send ICMP redirects is only appropriate for systems acting as routers.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#machine"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82484-7</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="sysctl_net_ipv4_conf_all_send_redirects">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,net.ipv4.conf.all.send_redirects%3D0%0A
-        mode: 0644
-        path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_all_send_redirects.conf
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sysctl_net_ipv4_conf_all_send_redirects:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sysctl_net_ipv4_conf_all_send_redirects_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_default_send_redirects" severity="medium">
-                <xccdf-1.2:title>Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default</xccdf-1.2:title>
-                <xccdf-1.2:description>To set the runtime status of the <html:code>net.ipv4.conf.default.send_redirects</html:code> kernel parameter, run the following command: <html:pre>$ sudo sysctl -w net.ipv4.conf.default.send_redirects=0</html:pre>
-To make sure that the setting is persistent, add the following line to a file in the directory <html:code>/etc/sysctl.d</html:code>: <html:pre>net.ipv4.conf.default.send_redirects = 0</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI04.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.3.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.17.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.AM-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>ICMP redirect messages are used by routers to inform hosts that a more
-direct route exists for a particular destination. These messages contain information
-from the system's route table possibly revealing portions of the network topology.
-<html:br/>
-The ability to send ICMP redirects is only appropriate for systems acting as routers.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#machine"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82485-4</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="sysctl_net_ipv4_conf_default_send_redirects">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,net.ipv4.conf.default.send_redirects%3D0%0A
-        mode: 0644
-        path: /etc/sysctl.d/75-sysctl_net_ipv4_conf_default_send_redirects.conf
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sysctl_net_ipv4_conf_default_send_redirects:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sysctl_net_ipv4_conf_default_send_redirects_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward" severity="medium">
-                <xccdf-1.2:title>Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces</xccdf-1.2:title>
-                <xccdf-1.2:description>To set the runtime status of the <html:code>net.ipv4.ip_forward</html:code> kernel parameter, run the following command: <html:pre>$ sudo sysctl -w net.ipv4.ip_forward=0</html:pre>
-To make sure that the setting is persistent, add the following line to a file in the directory <html:code>/etc/sysctl.d</html:code>: <html:pre>net.ipv4.ip_forward = 0</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:warning category="functionality">Certain technologies such as virtual machines, containers, etc. rely on IPv4 forwarding to enable and use networking.
-Disabling IPv4 forwarding would cause those technologies to stop working. Therefore, this rule should not be used in
-profiles or benchmarks that target usage of IPv4 forwarding.</xccdf-1.2:warning>
-                <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R22)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI04.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.20</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.17.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Routing protocol daemons are typically used on routers to exchange
-network topology information with other routers. If this capability is used when
-not required, system network information may be unnecessarily transmitted across
-the network.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#machine"/>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sysctl_net_ipv4_ip_forward:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sysctl_net_ipv4_ip_forward_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-            </xccdf-1.2:Group>
-          </xccdf-1.2:Group>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_network-susefirewall2">
-            <xccdf-1.2:title>SuSEfirewall2</xccdf-1.2:title>
-            <xccdf-1.2:description>The SuSEfirewall2 provides a managed firewall.</xccdf-1.2:description>
-          </xccdf-1.2:Group>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_network-ufw">
-            <xccdf-1.2:title>Uncomplicated Firewall (ufw)</xccdf-1.2:title>
-            <xccdf-1.2:description>The Linux kernel in Ubuntu provides a packet filtering system called
-netfilter, and the traditional interface for manipulating netfilter are
-the iptables suite of commands. iptables provide a complete firewall
-solution that is both highly configurable and highly flexible.
-
-Becoming proficient in iptables takes time, and getting started with
-netfilter firewalling using only iptables can be a daunting task. As a
-result, many frontends for iptables have been created over the years,
-each trying to achieve a different result and targeting a different
-audience.
-
-The Uncomplicated Firewall (ufw) is a frontend for iptables and is
-particularly well-suited for host-based firewalls. ufw provides a
-framework for managing netfilter, as well as a command-line interface
-for manipulating the firewall. ufw aims to provide an easy to use
-interface for people unfamiliar with firewall concepts, while at the
-same time simplifies complicated iptables commands to help an
-administrator who knows what he or she is doing. ufw is an upstream
-for other distributions and graphical frontends.</xccdf-1.2:description>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_service_ufw_enabled" severity="medium">
-              <xccdf-1.2:title>Verify ufw Enabled</xccdf-1.2:title>
-              <xccdf-1.2:description>
-The <html:code>ufw</html:code> service can be enabled with the following manifest:
-<html:pre>
----
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-metadata:
-  labels:
-    machineconfiguration.openshift.io/role: master
-  name: 75-master-ufw-enable
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-      - name: ufw.service
-        enabled: true
-</html:pre>
-<html:p>
-This will enable the <html:code>ufw</html:code> service in all the
-nodes labeled with the "master" role.
-</html:p>
-<html:p>
-Note that this needs to be done for each <html:code>MachineConfigPool</html:code>
-</html:p>
-<html:p>
-For more information on how to configure nodes with the Machine Config
-Operator see
-<html:a href="https://docs.openshift.com/container-platform/4.6/post_installation_configuration/machine-configuration-tasks.html">the relevant documentation</html:a>.
-</html:p></xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002314</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000297-GPOS-00115</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>The ufw service must be enabled and running in order for ufw to protect the system</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-service_ufw_enabled:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-service_ufw_enabled_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-          </xccdf-1.2:Group>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_network-uncommon">
-            <xccdf-1.2:title>Uncommon Network Protocols</xccdf-1.2:title>
-            <xccdf-1.2:description>The system includes support for several network protocols which are not commonly used.
-Although security vulnerabilities in kernel networking code are not frequently discovered,
-the consequences can be dramatic. Ensuring uncommon network protocols are disabled
-reduces the system's risk to attacks targeted at its implementation of those protocols.</xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">Although these protocols are not commonly used, avoid disruption
-in your network environment by ensuring they are not needed
-prior to disabling them.</xccdf-1.2:warning>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kernel_module_atm_disabled" severity="medium">
-              <xccdf-1.2:title>Disable ATM Support</xccdf-1.2:title>
-              <xccdf-1.2:description>The Asynchronous Transfer Mode (ATM) is a protocol operating on
-network, data link, and physical layers, based on virtual circuits
-and virtual paths.
-
-To configure the system to prevent the <html:code>atm</html:code>
-kernel module from being loaded, add the following line to the file <html:code>/etc/modprobe.d/atm.conf</html:code>:
-<html:pre>install atm /bin/true</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000381</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-18</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000095-GPOS-00049</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Disabling ATM protects the system against exploitation of any
-flaws in its implementation.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82518-2</xccdf-1.2:ident>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="kernel_module_atm_disabled">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,install%20atm%20/bin/true%0A
-        mode: 0644
-        path: /etc/modprobe.d/75-kernel_module_atm_disabled.conf
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-kernel_module_atm_disabled:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-kernel_module_atm_disabled_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kernel_module_can_disabled" severity="medium">
-              <xccdf-1.2:title>Disable CAN Support</xccdf-1.2:title>
-              <xccdf-1.2:description>The Controller Area Network (CAN) is a serial communications
-protocol which was initially developed for automotive and
-is now also used in marine, industrial, and medical applications.
-
-To configure the system to prevent the <html:code>can</html:code>
-kernel module from being loaded, add the following line to the file <html:code>/etc/modprobe.d/can.conf</html:code>:
-<html:pre>install can /bin/true</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000381</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-18</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000095-GPOS-00049</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Disabling CAN protects the system against exploitation of any
-flaws in its implementation.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82519-0</xccdf-1.2:ident>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="kernel_module_can_disabled">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,install%20can%20/bin/true%0A
-        mode: 0644
-        path: /etc/modprobe.d/75-kernel_module_can_disabled.conf
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-kernel_module_can_disabled:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-kernel_module_can_disabled_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kernel_module_firewire-core_disabled" severity="low">
-              <xccdf-1.2:title>Disable IEEE 1394 (FireWire) Support</xccdf-1.2:title>
-              <xccdf-1.2:description>The IEEE 1394 (FireWire) is a serial bus standard for
-high-speed real-time communication.
-
-To configure the system to prevent the <html:code>firewire-core</html:code>
-kernel module from being loaded, add the following line to the file <html:code>/etc/modprobe.d/firewire-core.conf</html:code>:
-<html:pre>install firewire-core /bin/true</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000381</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-18</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000095-GPOS-00049</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Disabling FireWire protects the system against exploitation of any
-flaws in its implementation.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82517-4</xccdf-1.2:ident>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="kernel_module_firewire-core_disabled">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,install%20firewire-core%20/bin/true%0A
-        mode: 0644
-        path: /etc/modprobe.d/75-kernel_module_firewire-core_disabled.conf
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-kernel_module_firewire-core_disabled:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-kernel_module_firewire-core_disabled_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kernel_module_rds_disabled" severity="low">
-              <xccdf-1.2:title>Disable RDS Support</xccdf-1.2:title>
-              <xccdf-1.2:description>The Reliable Datagram Sockets (RDS) protocol is a transport
-layer protocol designed to provide reliable high-bandwidth,
-low-latency communications between nodes in a cluster.
-
-To configure the system to prevent the <html:code>rds</html:code>
-kernel module from being loaded, add the following line to the file <html:code>/etc/modprobe.d/rds.conf</html:code>:
-<html:pre>install rds /bin/true</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Disabling RDS protects
-the system against exploitation of any flaws in its implementation.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="kernel_module_rds_disabled" complexity="low" disruption="medium" reboot="true" strategy="disable">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,install%20rds%20/bin/true%0Ablacklist%20rds%0A
-        mode: 0644
-        path: /etc/modprobe.d/75-kernel_module_rds_disabled.conf
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-kernel_module_rds_disabled:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-kernel_module_rds_disabled_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kernel_module_sctp_disabled" severity="medium">
-              <xccdf-1.2:title>Disable SCTP Support</xccdf-1.2:title>
-              <xccdf-1.2:description>The Stream Control Transmission Protocol (SCTP) is a
-transport layer protocol, designed to support the idea of
-message-oriented communication, with several streams of messages
-within one connection.
-
-To configure the system to prevent the <html:code>sctp</html:code>
-kernel module from being loaded, add the following line to the file <html:code>/etc/modprobe.d/sctp.conf</html:code>:
-<html:pre>install sctp /bin/true</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.10.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000381</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000095-GPOS-00049</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Disabling SCTP protects
-the system against exploitation of any flaws in its implementation.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82516-6</xccdf-1.2:ident>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="kernel_module_sctp_disabled">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,install%20sctp%20/bin/true%0A
-        mode: 0644
-        path: /etc/modprobe.d/75-kernel_module_sctp_disabled.conf
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-kernel_module_sctp_disabled:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-kernel_module_sctp_disabled_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kernel_module_tipc_disabled" severity="low">
-              <xccdf-1.2:title>Disable TIPC Support</xccdf-1.2:title>
-              <xccdf-1.2:description>The Transparent Inter-Process Communication (TIPC) protocol
-is designed to provide communications between nodes in a
-cluster.
-
-To configure the system to prevent the <html:code>tipc</html:code>
-kernel module from being loaded, add the following line to the file <html:code>/etc/modprobe.d/tipc.conf</html:code>:
-<html:pre>install tipc /bin/true</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:warning category="general">This configuration baseline was created to deploy the base operating system for general purpose
-workloads. When the operating system is configured for certain purposes, such as
-a node in High Performance Computing cluster, it is expected that
-the <html:code>tipc</html:code> kernel module will be loaded.</xccdf-1.2:warning>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000381</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000095-GPOS-00049</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Disabling TIPC protects
-the system against exploitation of any flaws in its implementation.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82520-8</xccdf-1.2:ident>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="kernel_module_tipc_disabled">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,install%20tipc%20/bin/true%0A
-        mode: 0644
-        path: /etc/modprobe.d/75-kernel_module_tipc_disabled.conf
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-kernel_module_tipc_disabled:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-kernel_module_tipc_disabled_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-          </xccdf-1.2:Group>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_network-wireless">
-            <xccdf-1.2:title>Wireless Networking</xccdf-1.2:title>
-            <xccdf-1.2:description>Wireless networking, such as 802.11
-(WiFi) and Bluetooth, can present a security risk to sensitive or
-classified systems and networks. Wireless networking hardware is
-much more likely to be included in laptop or portable systems than
-in desktops or servers. 
-<html:br/><html:br/>
-Removal of hardware provides the greatest assurance that the wireless
-capability remains disabled. Acquisition policies often include provisions to
-prevent the purchase of equipment that will be used in sensitive spaces and
-includes wireless capabilities. If it is impractical to remove the wireless
-hardware, and policy permits the device to enter sensitive spaces as long
-as wireless is disabled, efforts should instead focus on disabling wireless capability
-via software.</xccdf-1.2:description>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_wireless_software">
-              <xccdf-1.2:title>Disable Wireless Through Software Configuration</xccdf-1.2:title>
-              <xccdf-1.2:description>If it is impossible to remove the wireless hardware
-from the device in question, disable as much of it as possible
-through software. The following methods can disable software
-support for wireless networking, but note that these methods do not
-prevent malicious software or careless users from re-activating the
-devices.</xccdf-1.2:description>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_service_bluetooth_disabled" severity="medium">
-                <xccdf-1.2:title>Disable Bluetooth Service</xccdf-1.2:title>
-                <xccdf-1.2:description>
-The <html:code>bluetooth</html:code> service can be disabled with the following manifest:
-<html:pre>
----
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-metadata:
-  labels:
-    machineconfiguration.openshift.io/role: master
-  name: 75-master-bluetooth-disable
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-      - enabled: false
-        name: bluetooth.service
-</html:pre>
-<html:p>
-This will disable the <html:code>bluetooth</html:code> service in all the
-nodes labeled with the "master" role.
-</html:p>
-<html:p>
-Note that this needs to be done for each <html:code>MachineConfigPool</html:code>
-</html:p>
-<html:p>
-For more information on how to configure nodes with the Machine Config
-Operator see
-<html:a href="https://docs.openshift.com/container-platform/4.6/post_installation_configuration/machine-configuration-tasks.html">the relevant documentation</html:a>.
-</html:p>
-
-<html:pre>$ sudo service bluetooth stop</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000085</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001551</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-18(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-18(3)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Disabling the <html:code>bluetooth</html:code> service prevents the system from attempting
-connections to Bluetooth devices, which entails some security risk.
-Nevertheless, variation in this risk decision may be expected due to the
-utility of Bluetooth connectivity and its limited range.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#machine"/>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:ignition" id="service_bluetooth_disabled" complexity="low" disruption="medium" reboot="true" strategy="disable">apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-      - name: bluetooth.service
-        enabled: false
-        mask: true
-      - name: bluetooth.socket
-        enabled: false
-        mask: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="service_bluetooth_disabled" complexity="low" disruption="medium" reboot="true" strategy="disable">apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-      - name: bluetooth.service
-        enabled: false
-        mask: true
-      - name: bluetooth.socket
-        enabled: false
-        mask: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-service_bluetooth_disabled:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-service_bluetooth_disabled_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kernel_module_bluetooth_disabled" severity="medium">
-                <xccdf-1.2:title>Disable Bluetooth Kernel Module</xccdf-1.2:title>
-                <xccdf-1.2:description>The kernel's module loading system can be configured to prevent
-loading of the Bluetooth module. Add the following to
-the appropriate <html:code>/etc/modprobe.d</html:code> configuration file
-to prevent the loading of the Bluetooth module:
-<html:pre>install bluetooth /bin/true</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.13.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000085</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001443</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001444</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001551</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002418</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-18(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-18(3)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000095-GPOS-00049</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000300-GPOS-00118</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>If Bluetooth functionality must be disabled, preventing the kernel
-from loading the kernel module provides an additional safeguard against its
-activation.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#machine"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82515-8</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="kernel_module_bluetooth_disabled">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,install%20bluetooth%20/bin/true%0A
-        mode: 0644
-        path: /etc/modprobe.d/75-kernel_module_bluetooth_disabled.conf
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-kernel_module_bluetooth_disabled:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-kernel_module_bluetooth_disabled_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kernel_module_cfg80211_disabled" severity="medium">
-                <xccdf-1.2:title>Disable Kernel cfg80211 Module</xccdf-1.2:title>
-                <xccdf-1.2:description>
-To configure the system to prevent the <html:code>cfg80211</html:code>
-kernel module from being loaded, add the following line to the file <html:code>/etc/modprobe.d/cfg80211.conf</html:code>:
-<html:pre>install cfg80211 /bin/true</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-18(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-18(3)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-18(4)</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>If Wireless functionality must be disabled, preventing the kernel
-from loading the kernel module provides an additional safeguard against its
-activation.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#machine"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-85932-2</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="kernel_module_cfg80211_disabled" complexity="low" disruption="medium" reboot="true" strategy="disable">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,install%20cfg80211%20/bin/true%0Ablacklist%20cfg80211%0A
-        mode: 0644
-        path: /etc/modprobe.d/75-kernel_module_cfg80211_disabled.conf
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-kernel_module_cfg80211_disabled:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-kernel_module_cfg80211_disabled_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kernel_module_iwlmvm_disabled" severity="medium">
-                <xccdf-1.2:title>Disable Kernel iwlmvm Module</xccdf-1.2:title>
-                <xccdf-1.2:description>
-To configure the system to prevent the <html:code>iwlmvm</html:code>
-kernel module from being loaded, add the following line to the file <html:code>/etc/modprobe.d/iwlmvm.conf</html:code>:
-<html:pre>install iwlmvm /bin/true</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-18(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-18(3)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-18(4)</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>If Wireless functionality must be disabled, preventing the kernel
-from loading the kernel module provides an additional safeguard against its
-activation.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#machine"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-85933-0</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="kernel_module_iwlmvm_disabled" complexity="low" disruption="medium" reboot="true" strategy="disable">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,install%20iwlmvm%20/bin/true%0Ablacklist%20iwlmvm%0A
-        mode: 0644
-        path: /etc/modprobe.d/75-kernel_module_iwlmvm_disabled.conf
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-kernel_module_iwlmvm_disabled:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-kernel_module_iwlmvm_disabled_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kernel_module_iwlwifi_disabled" severity="medium">
-                <xccdf-1.2:title>Disable Kernel iwlwifi Module</xccdf-1.2:title>
-                <xccdf-1.2:description>
-To configure the system to prevent the <html:code>iwlwifi</html:code>
-kernel module from being loaded, add the following line to the file <html:code>/etc/modprobe.d/iwlwifi.conf</html:code>:
-<html:pre>install iwlwifi /bin/true</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-18(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-18(3)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-18(4)</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>If Wireless functionality must be disabled, preventing the kernel
-from loading the kernel module provides an additional safeguard against its
-activation.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#machine"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-85934-8</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="kernel_module_iwlwifi_disabled" complexity="low" disruption="medium" reboot="true" strategy="disable">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,install%20iwlwifi%20/bin/true%0Ablacklist%20iwlwifi%0A
-        mode: 0644
-        path: /etc/modprobe.d/75-kernel_module_iwlwifi_disabled.conf
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-kernel_module_iwlwifi_disabled:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-kernel_module_iwlwifi_disabled_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kernel_module_mac80211_disabled" severity="medium">
-                <xccdf-1.2:title>Disable Kernel mac80211 Module</xccdf-1.2:title>
-                <xccdf-1.2:description>
-To configure the system to prevent the <html:code>mac80211</html:code>
-kernel module from being loaded, add the following line to the file <html:code>/etc/modprobe.d/mac80211.conf</html:code>:
-<html:pre>install mac80211 /bin/true</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-18(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-18(3)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-18(4)</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>If Wireless functionality must be disabled, preventing the kernel
-from loading the kernel module provides an additional safeguard against its
-activation.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#machine"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-85935-5</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="kernel_module_mac80211_disabled" complexity="low" disruption="medium" reboot="true" strategy="disable">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,install%20mac80211%20/bin/true%0Ablacklist%20mac80211%0A
-        mode: 0644
-        path: /etc/modprobe.d/75-kernel_module_mac80211_disabled.conf
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-kernel_module_mac80211_disabled:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-kernel_module_mac80211_disabled_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_wireless_disable_in_bios" severity="unknown">
-                <xccdf-1.2:title>Disable WiFi or Bluetooth in BIOS</xccdf-1.2:title>
-                <xccdf-1.2:description>Some machines that include built-in wireless support offer the
-ability to disable the device through the BIOS. This is hardware-specific;
-consult your hardware manual or explore the BIOS setup during
-boot.</xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000085</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-18(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-18(3)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Disabling wireless support in the BIOS prevents easy
-activation of the wireless interface, generally requiring administrators
-to reboot the system first.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#machine"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82659-4</xccdf-1.2:ident>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_wireless_disable_interfaces" severity="medium">
-                <xccdf-1.2:title>Deactivate Wireless Network Interfaces</xccdf-1.2:title>
-                <xccdf-1.2:description>Deactivating wireless network interfaces should prevent normal usage of the wireless
-capability.
-<html:br/><html:br/>
-
-Configure the system to disable all wireless network interfaces with the following command:
-<html:pre>$ sudo nmcli radio all off</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000085</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002418</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002421</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001443</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001444</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">1315</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="">1319</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-18(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-18(3)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000299-GPOS-00117</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000300-GPOS-00118</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000424-GPOS-00188</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000481-GPOS-000481</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>The use of wireless networking can introduce many different attack vectors into
-the organization's network. Common attack vectors such as malicious association
-and ad hoc networks will allow an attacker to spoof a wireless access point
-(AP), allowing validated systems to connect to the malicious AP and enabling the
-attacker to monitor and record network traffic. These malicious APs can also
-serve to create a man-in-the-middle attack or be used to create a denial of
-service to valid network resources.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#wifi-iface"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82660-2</xccdf-1.2:ident>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-wireless_disable_interfaces:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-wireless_disable_interfaces_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-            </xccdf-1.2:Group>
-          </xccdf-1.2:Group>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_network_disable_unused_interfaces">
-            <xccdf-1.2:title>Disable Unused Interfaces</xccdf-1.2:title>
-            <xccdf-1.2:description>Network interfaces expand the attack surface of the
-system.  Unused interfaces are not monitored or controlled, and
-should be disabled.
-<html:br/><html:br/>
-If the system does not require network communications but still
-needs to use the loopback interface, remove all files of the form
-<html:code>ifcfg-<html:i>interface</html:i></html:code> except for <html:code>ifcfg-lo</html:code> from
-<html:code>/etc/sysconfig/network-scripts</html:code>:
-<html:pre>$ sudo rm /etc/sysconfig/network-scripts/ifcfg-<html:i>interface</html:i></html:pre>
-If the system is a standalone machine with no need for network access or even
-communication over the loopback device, then disable this service.
-
-The <html:code>network</html:code> service can be disabled with the following manifest:
-<html:pre>
----
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-metadata:
-  labels:
-    machineconfiguration.openshift.io/role: master
-  name: 75-master-network-disable
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-      - enabled: false
-        name: network.service
-</html:pre>
-<html:p>
-This will disable the <html:code>network</html:code> service in all the
-nodes labeled with the "master" role.
-</html:p>
-<html:p>
-Note that this needs to be done for each <html:code>MachineConfigPool</html:code>
-</html:p>
-<html:p>
-For more information on how to configure nodes with the Machine Config
-Operator see
-<html:a href="https://docs.openshift.com/container-platform/4.6/post_installation_configuration/machine-configuration-tasks.html">the relevant documentation</html:a>.
-</html:p></xccdf-1.2:description>
-          </xccdf-1.2:Group>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_network_ssl">
-            <xccdf-1.2:title>Transport Layer Security Support</xccdf-1.2:title>
-            <xccdf-1.2:description>Support for Transport Layer Security (TLS), and its predecessor, the Secure
-Sockets Layer (SSL), is included in Red Hat Enterprise Linux in the OpenSSL software (RPM package
-<html:code>openssl</html:code>).  TLS provides encrypted and authenticated network
-communications, and many network services include support for it.  TLS or SSL
-can be leveraged to avoid any plaintext transmission of sensitive data.
-<html:br/>
-For information on how to use OpenSSL, see
-<html:b><html:a href="http://www.openssl.org/docs/">http://www.openssl.org/docs/</html:a></html:b>.  Information on FIPS validation
-of OpenSSL is available at <html:b><html:a href="http://www.openssl.org/docs/fips.html">http://www.openssl.org/docs/fips.html</html:a></html:b>
-and <html:b><html:a href="http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm">http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm</html:a></html:b>.</xccdf-1.2:description>
-          </xccdf-1.2:Group>
-        </xccdf-1.2:Group>
-        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_permissions">
-          <xccdf-1.2:title>File Permissions and Masks</xccdf-1.2:title>
-          <xccdf-1.2:description>Traditional Unix security relies heavily on file and
-directory permissions to prevent unauthorized users from reading or
-modifying files to which they should not have access.
-<html:br/><html:br/>
-Several of the commands in this section search filesystems
-for files or directories with certain characteristics, and are
-intended to be run on every local partition on a given system.
-When the variable <html:i>PART</html:i> appears in one of the commands below,
-it means that the command is intended to be run repeatedly, with the
-name of each local partition substituted for <html:i>PART</html:i> in turn.
-<html:br/><html:br/>
-The following command prints a list of all xfs partitions on the local
-system, which is the default filesystem for Red Hat Enterprise Linux CoreOS 4
-installations:
-<html:pre>$ mount -t xfs | awk '{print $3}'</html:pre>
-For any systems that use a different
-local filesystem type, modify this command as appropriate.</xccdf-1.2:description>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_files">
-            <xccdf-1.2:title>Verify Permissions on Important Files and
-Directories</xccdf-1.2:title>
-            <xccdf-1.2:description>Permissions for many files on a system must be set
-restrictively to ensure sensitive information is properly protected.
-This section discusses important
-permission restrictions which can be verified
-to ensure that no harmful discrepancies have
-arisen.</xccdf-1.2:description>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits" severity="medium">
-              <xccdf-1.2:title>Verify that All World-Writable Directories Have Sticky Bits Set</xccdf-1.2:title>
-              <xccdf-1.2:description>When the so-called 'sticky bit' is set on a directory,
-only the owner of a given file may remove that file from the
-directory. Without the sticky bit, any user with write access to a
-directory may remove any file in the directory. Setting the sticky
-bit prevents users from removing each other's files. In cases where
-there is no reason for a directory to be world-writable, a better
-solution is to remove that permission rather than to set the sticky
-bit. However, if a directory is used by a particular application,
-consult that application's documentation instead of blindly
-changing modes.
-<html:br/>
-To set the sticky bit on a world-writable directory <html:i>DIR</html:i>, run the
-following command:
-<html:pre>$ sudo chmod +t <html:i>DIR</html:i></html:pre></xccdf-1.2:description>
-              <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R40)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001090</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000138-GPOS-00069</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Failing to set the sticky bit on public directories allows unauthorized
-users to delete files in the directory structure.
-<html:br/><html:br/>
-The only authorized public directories are those temporary directories
-supplied with the system, or those designed to be temporary file
-repositories. The setting is normally reserved for directories used by the
-system, by users for temporary file storage (such as <html:code>/tmp</html:code>), and
-for directories requiring global read/write access.</xccdf-1.2:rationale>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82753-5</xccdf-1.2:ident>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-dir_perms_world_writable_sticky_bits:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-dir_perms_world_writable_sticky_bits_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_systemmap" severity="unknown">
-              <xccdf-1.2:title>Verify that local System.map file (if exists) is readable only by root</xccdf-1.2:title>
-              <xccdf-1.2:description>Files containing sensitive informations should be protected by restrictive
-  permissions. Most of the time, there is no need that these files need to be read by any non-root user
-
-To properly set the permissions of <html:code>/boot/System.map-*</html:code>, run the command:
-<html:pre>$ sudo chmod 0600 /boot/System.map-*</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R13)</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>The <html:code>System.map</html:code> file contains information about kernel symbols and
-  can give some hints to generate local exploitation.</xccdf-1.2:rationale>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-file_permissions_systemmap:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-file_permissions_systemmap_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_world_writable" severity="medium">
-              <xccdf-1.2:title>Ensure No World-Writable Files Exist</xccdf-1.2:title>
-              <xccdf-1.2:description>It is generally a good idea to remove global (other) write
-access to a file when it is discovered. However, check with
-documentation for specific applications before making changes.
-Also, monitor for recurring world-writable files, as these may be
-symptoms of a misconfigured application or user account. Finally,
-this applies to real files and not virtual files that are a part of
-pseudo file systems such as <html:code>sysfs</html:code> or <html:code>procfs</html:code>.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R40)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Data in world-writable files can be modified by any
-user on the system. In almost all circumstances, files can be
-configured using a combination of user and group permissions to
-support whatever legitimate access is needed without the risk
-caused by world-writable files.</xccdf-1.2:rationale>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-file_permissions_unauthorized_world_writable:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-file_permissions_unauthorized_world_writable_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sysctl_fs_protected_hardlinks" severity="medium">
-              <xccdf-1.2:title>Enable Kernel Parameter to Enforce DAC on Hardlinks</xccdf-1.2:title>
-              <xccdf-1.2:description>To set the runtime status of the <html:code>fs.protected_hardlinks</html:code> kernel parameter, run the following command: <html:pre>$ sudo sysctl -w fs.protected_hardlinks=1</html:pre>
-To make sure that the setting is persistent, add the following line to a file in the directory <html:code>/etc/sysctl.d</html:code>: <html:pre>fs.protected_hardlinks = 1</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R23)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002165</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000312-GPOS-00122</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000312-GPOS-00123</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000324-GPOS-00125</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>By enabling this kernel parameter, users can no longer create soft or hard links to
-files which they do not own. Disallowing such hardlinks mitigate vulnerabilities
-based on insecure file system accessed by privileged programs, avoiding an
-exploitation vector exploiting unsafe use of <html:code>open()</html:code> or <html:code>creat()</html:code>.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82506-7</xccdf-1.2:ident>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="sysctl_fs_protected_hardlinks">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,fs.protected_hardlinks%3D1%0A
-        mode: 0644
-        path: /etc/sysctl.d/75-sysctl_fs_protected_hardlinks.conf
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sysctl_fs_protected_hardlinks:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sysctl_fs_protected_hardlinks_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sysctl_fs_protected_symlinks" severity="medium">
-              <xccdf-1.2:title>Enable Kernel Parameter to Enforce DAC on Symlinks</xccdf-1.2:title>
-              <xccdf-1.2:description>To set the runtime status of the <html:code>fs.protected_symlinks</html:code> kernel parameter, run the following command: <html:pre>$ sudo sysctl -w fs.protected_symlinks=1</html:pre>
-To make sure that the setting is persistent, add the following line to a file in the directory <html:code>/etc/sysctl.d</html:code>: <html:pre>fs.protected_symlinks = 1</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R23)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002165</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000312-GPOS-00122</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000312-GPOS-00123</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000324-GPOS-00125</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>By enabling this kernel parameter, symbolic links are permitted to be followed
-only when outside a sticky world-writable directory, or when the UID of the
-link and follower match, or when the directory owner matches the symlink's owner.
-Disallowing such symlinks helps mitigate vulnerabilities based on insecure file system
-accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of
-<html:code>open()</html:code> or <html:code>creat()</html:code>.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82507-5</xccdf-1.2:ident>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="sysctl_fs_protected_symlinks">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,fs.protected_symlinks%3D1%0A
-        mode: 0644
-        path: /etc/sysctl.d/75-sysctl_fs_protected_symlinks.conf
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sysctl_fs_protected_symlinks:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sysctl_fs_protected_symlinks_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_permissions_important_account_files">
-              <xccdf-1.2:title>Verify Permissions on Files with Local Account Information and Credentials</xccdf-1.2:title>
-              <xccdf-1.2:description>The default restrictive permissions for files which act as
-important security databases such as <html:code>passwd</html:code>, <html:code>shadow</html:code>,
-<html:code>group</html:code>, and <html:code>gshadow</html:code> files must be maintained.  Many utilities
-need read access to the <html:code>passwd</html:code> file in order to function properly, but
-read access to the <html:code>shadow</html:code> file allows malicious attacks against system
-passwords, and should never be enabled.</xccdf-1.2:description>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_group" severity="medium">
-                <xccdf-1.2:title>Verify Group Who Owns Backup group File</xccdf-1.2:title>
-                <xccdf-1.2:description> To properly set the group owner of <html:code>/etc/group-</html:code>, run the command: <html:pre>$ sudo chgrp root /etc/group-</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002223</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6 (1)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>The <html:code>/etc/group-</html:code> file is a backup file of <html:code>/etc/group</html:code>, and as such,
-it contains information regarding groups that are configured on the system.
-Protection of this file is important for system security.</xccdf-1.2:rationale>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-file_groupowner_backup_etc_group:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-file_groupowner_backup_etc_group_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_gshadow" severity="medium">
-                <xccdf-1.2:title>Verify Group Who Owns Backup gshadow File</xccdf-1.2:title>
-                <xccdf-1.2:description> To properly set the group owner of <html:code>/etc/gshadow-</html:code>, run the command: <html:pre>$ sudo chgrp root /etc/gshadow-</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002223</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6 (1)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>The <html:code>/etc/gshadow-</html:code> file is a backup of <html:code>/etc/gshadow</html:code>, and as such,
-it contains group password hashes. Protection of this file is critical for system security.</xccdf-1.2:rationale>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-file_groupowner_backup_etc_gshadow:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-file_groupowner_backup_etc_gshadow_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_passwd" severity="medium">
-                <xccdf-1.2:title>Verify Group Who Owns Backup passwd File</xccdf-1.2:title>
-                <xccdf-1.2:description> To properly set the group owner of <html:code>/etc/passwd-</html:code>, run the command: <html:pre>$ sudo chgrp root /etc/passwd-</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002223</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6 (1)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>The <html:code>/etc/passwd-</html:code> file is a backup file of <html:code>/etc/passwd</html:code>, and as such,
-it contains information about the users that are configured on the system.
-Protection of this file is critical for system security.</xccdf-1.2:rationale>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-file_groupowner_backup_etc_passwd:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-file_groupowner_backup_etc_passwd_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_shadow" severity="medium">
-                <xccdf-1.2:title>Verify User Who Owns Backup shadow File</xccdf-1.2:title>
-                <xccdf-1.2:description> To properly set the group owner of <html:code>/etc/shadow-</html:code>, run the command: <html:pre>$ sudo chgrp root /etc/shadow-</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:rationale>The <html:code>/etc/shadow-</html:code> file is a backup file of <html:code>/etc/shadow</html:code>, and as such,
-it contains the list of local system accounts and password hashes.
-Protection of this file is critical for system security.</xccdf-1.2:rationale>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-file_groupowner_backup_etc_shadow:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-file_groupowner_backup_etc_shadow_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_etc_group" severity="medium">
-                <xccdf-1.2:title>Verify Group Who Owns group File</xccdf-1.2:title>
-                <xccdf-1.2:description> To properly set the group owner of <html:code>/etc/group</html:code>, run the command: <html:pre>$ sudo chgrp root /etc/group</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-8.7.c</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>The <html:code>/etc/group</html:code> file contains information regarding groups that are configured
-on the system. Protection of this file is important for system security.</xccdf-1.2:rationale>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-file_groupowner_etc_group:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-file_groupowner_etc_group_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_etc_gshadow" severity="medium">
-                <xccdf-1.2:title>Verify Group Who Owns gshadow File</xccdf-1.2:title>
-                <xccdf-1.2:description> To properly set the group owner of <html:code>/etc/gshadow</html:code>, run the command: <html:pre>$ sudo chgrp root /etc/gshadow</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>The <html:code>/etc/gshadow</html:code> file contains group password hashes. Protection of this file
-is critical for system security.</xccdf-1.2:rationale>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-file_groupowner_etc_gshadow:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-file_groupowner_etc_gshadow_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_etc_passwd" severity="medium">
-                <xccdf-1.2:title>Verify Group Who Owns passwd File</xccdf-1.2:title>
-                <xccdf-1.2:description> To properly set the group owner of <html:code>/etc/passwd</html:code>, run the command: <html:pre>$ sudo chgrp root /etc/passwd</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-8.7.c</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>The <html:code>/etc/passwd</html:code> file contains information about the users that are configured on
-the system. Protection of this file is critical for system security.</xccdf-1.2:rationale>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-file_groupowner_etc_passwd:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-file_groupowner_etc_passwd_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_etc_shadow" severity="medium">
-                <xccdf-1.2:title>Verify Group Who Owns shadow File</xccdf-1.2:title>
-                <xccdf-1.2:description> To properly set the group owner of <html:code>/etc/shadow</html:code>, run the command: <html:pre>$ sudo chgrp root /etc/shadow</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-8.7.c</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>The <html:code>/etc/shadow</html:code> file stores password hashes. Protection of this file is
-critical for system security.</xccdf-1.2:rationale>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-file_groupowner_etc_shadow:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-file_groupowner_etc_shadow_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_backup_etc_group" severity="medium">
-                <xccdf-1.2:title>Verify User Who Owns Backup group File</xccdf-1.2:title>
-                <xccdf-1.2:description> To properly set the owner of <html:code>/etc/group-</html:code>, run the command: <html:pre>$ sudo chown root /etc/group- </html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002223</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6 (1)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>The <html:code>/etc/group-</html:code> file is a backup file of <html:code>/etc/group</html:code>, and as such,
-it contains information regarding groups that are configured on the system.
-Protection of this file is important for system security.</xccdf-1.2:rationale>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-file_owner_backup_etc_group:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-file_owner_backup_etc_group_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_backup_etc_gshadow" severity="medium">
-                <xccdf-1.2:title>Verify User Who Owns Backup gshadow File</xccdf-1.2:title>
-                <xccdf-1.2:description> To properly set the owner of <html:code>/etc/gshadow-</html:code>, run the command: <html:pre>$ sudo chown root /etc/gshadow- </html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002223</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6 (1)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>The <html:code>/etc/gshadow-</html:code> file is a backup of <html:code>/etc/gshadow</html:code>, and as such,
-it contains group password hashes. Protection of this file is critical for system security.</xccdf-1.2:rationale>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-file_owner_backup_etc_gshadow:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-file_owner_backup_etc_gshadow_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_backup_etc_passwd" severity="medium">
-                <xccdf-1.2:title>Verify User Who Owns Backup passwd File</xccdf-1.2:title>
-                <xccdf-1.2:description> To properly set the owner of <html:code>/etc/passwd-</html:code>, run the command: <html:pre>$ sudo chown root /etc/passwd- </html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002223</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6 (1)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>The <html:code>/etc/passwd-</html:code> file is a backup file of <html:code>/etc/passwd</html:code>, and as such,
-it contains information about the users that are configured on the system.
-Protection of this file is critical for system security.</xccdf-1.2:rationale>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-file_owner_backup_etc_passwd:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-file_owner_backup_etc_passwd_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_backup_etc_shadow" severity="medium">
-                <xccdf-1.2:title>Verify Group Who Owns Backup shadow File</xccdf-1.2:title>
-                <xccdf-1.2:description> To properly set the owner of <html:code>/etc/shadow-</html:code>, run the command: <html:pre>$ sudo chown root /etc/shadow- </html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002223</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6 (1)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>The <html:code>/etc/shadow-</html:code> file is a backup file of <html:code>/etc/shadow</html:code>, and as such,
-it contains the list of local system accounts and password hashes.
-Protection of this file is critical for system security.</xccdf-1.2:rationale>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-file_owner_backup_etc_shadow:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-file_owner_backup_etc_shadow_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_etc_group" severity="medium">
-                <xccdf-1.2:title>Verify User Who Owns group File</xccdf-1.2:title>
-                <xccdf-1.2:description> To properly set the owner of <html:code>/etc/group</html:code>, run the command: <html:pre>$ sudo chown root /etc/group </html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002223</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-8.7.c</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>The <html:code>/etc/group</html:code> file contains information regarding groups that are configured
-on the system. Protection of this file is important for system security.</xccdf-1.2:rationale>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-file_owner_etc_group:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-file_owner_etc_group_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_etc_gshadow" severity="medium">
-                <xccdf-1.2:title>Verify User Who Owns gshadow File</xccdf-1.2:title>
-                <xccdf-1.2:description> To properly set the owner of <html:code>/etc/gshadow</html:code>, run the command: <html:pre>$ sudo chown root /etc/gshadow </html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R36)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002223</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>The <html:code>/etc/gshadow</html:code> file contains group password hashes. Protection of this file
-is critical for system security.</xccdf-1.2:rationale>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-file_owner_etc_gshadow:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-file_owner_etc_gshadow_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_etc_passwd" severity="medium">
-                <xccdf-1.2:title>Verify User Who Owns passwd File</xccdf-1.2:title>
-                <xccdf-1.2:description> To properly set the owner of <html:code>/etc/passwd</html:code>, run the command: <html:pre>$ sudo chown root /etc/passwd </html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002223</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-8.7.c</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>The <html:code>/etc/passwd</html:code> file contains information about the users that are configured on
-the system. Protection of this file is critical for system security.</xccdf-1.2:rationale>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-file_owner_etc_passwd:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-file_owner_etc_passwd_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_etc_shadow" severity="medium">
-                <xccdf-1.2:title>Verify User Who Owns shadow File</xccdf-1.2:title>
-                <xccdf-1.2:description> To properly set the owner of <html:code>/etc/shadow</html:code>, run the command: <html:pre>$ sudo chown root /etc/shadow </html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R36)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002223</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-8.7.c</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>The <html:code>/etc/shadow</html:code> file contains the list of local
-system accounts and stores password hashes. Protection of this file is
-critical for system security. Failure to give ownership of this file
-to root provides the designated owner with access to sensitive information
-which could weaken the system security posture.</xccdf-1.2:rationale>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-file_owner_etc_shadow:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-file_owner_etc_shadow_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_group" severity="medium">
-                <xccdf-1.2:title>Verify Permissions on Backup group File</xccdf-1.2:title>
-                <xccdf-1.2:description>
-To properly set the permissions of <html:code>/etc/group-</html:code>, run the command:
-<html:pre>$ sudo chmod 0644 /etc/group-</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002223</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6 (1)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>The <html:code>/etc/group-</html:code> file is a backup file of <html:code>/etc/group</html:code>, and as such,
-it contains information regarding groups that are configured on the system.
-Protection of this file is important for system security.</xccdf-1.2:rationale>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-file_permissions_backup_etc_group:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-file_permissions_backup_etc_group_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_gshadow" severity="medium">
-                <xccdf-1.2:title>Verify Permissions on Backup gshadow File</xccdf-1.2:title>
-                <xccdf-1.2:description>
-To properly set the permissions of <html:code>/etc/gshadow-</html:code>, run the command:
-<html:pre>$ sudo chmod 0000 /etc/gshadow-</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002223</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6 (1)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>The <html:code>/etc/gshadow-</html:code> file is a backup of <html:code>/etc/gshadow</html:code>, and as such,
-it contains group password hashes. Protection of this file is critical for system security.</xccdf-1.2:rationale>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-file_permissions_backup_etc_gshadow:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-file_permissions_backup_etc_gshadow_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_passwd" severity="medium">
-                <xccdf-1.2:title>Verify Permissions on Backup passwd File</xccdf-1.2:title>
-                <xccdf-1.2:description>
-To properly set the permissions of <html:code>/etc/passwd-</html:code>, run the command:
-<html:pre>$ sudo chmod 0644 /etc/passwd-</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002223</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6 (1)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>The <html:code>/etc/passwd-</html:code> file is a backup file of <html:code>/etc/passwd</html:code>, and as such,
-it contains information about the users that are configured on the system.
-Protection of this file is critical for system security.</xccdf-1.2:rationale>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-file_permissions_backup_etc_passwd:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-file_permissions_backup_etc_passwd_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_shadow" severity="medium">
-                <xccdf-1.2:title>Verify Permissions on Backup shadow File</xccdf-1.2:title>
-                <xccdf-1.2:description>
-To properly set the permissions of <html:code>/etc/shadow-</html:code>, run the command:
-<html:pre>$ sudo chmod 0000 /etc/shadow-</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002223</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6 (1)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>The <html:code>/etc/shadow-</html:code> file is a backup file of <html:code>/etc/shadow</html:code>, and as such,
-it contains the list of local system accounts and password hashes.
-Protection of this file is critical for system security.</xccdf-1.2:rationale>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-file_permissions_backup_etc_shadow:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-file_permissions_backup_etc_shadow_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_etc_group" severity="medium">
-                <xccdf-1.2:title>Verify Permissions on group File</xccdf-1.2:title>
-                <xccdf-1.2:description>
-To properly set the permissions of <html:code>/etc/passwd</html:code>, run the command:
-<html:pre>$ sudo chmod 0644 /etc/passwd</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R36)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002223</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-8.7.c</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>The <html:code>/etc/group</html:code> file contains information regarding groups that are configured
-on the system. Protection of this file is important for system security.</xccdf-1.2:rationale>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-file_permissions_etc_group:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-file_permissions_etc_group_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_etc_gshadow" severity="medium">
-                <xccdf-1.2:title>Verify Permissions on gshadow File</xccdf-1.2:title>
-                <xccdf-1.2:description>
-To properly set the permissions of <html:code>/etc/gshadow</html:code>, run the command:
-<html:pre>$ sudo chmod 0000 /etc/gshadow</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R36)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002223</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>The <html:code>/etc/gshadow</html:code> file contains group password hashes. Protection of this file
-is critical for system security.</xccdf-1.2:rationale>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-file_permissions_etc_gshadow:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-file_permissions_etc_gshadow_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_etc_passwd" severity="medium">
-                <xccdf-1.2:title>Verify Permissions on passwd File</xccdf-1.2:title>
-                <xccdf-1.2:description>
-To properly set the permissions of <html:code>/etc/passwd</html:code>, run the command:
-<html:pre>$ sudo chmod 0644 /etc/passwd</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R36)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002223</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-8.7.c</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>If the <html:code>/etc/passwd</html:code> file is writable by a group-owner or the
-world the risk of its compromise is increased. The file contains the list of
-accounts on the system and associated information, and protection of this file
-is critical for system security.</xccdf-1.2:rationale>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-file_permissions_etc_passwd:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-file_permissions_etc_passwd_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow" severity="medium">
-                <xccdf-1.2:title>Verify Permissions on shadow File</xccdf-1.2:title>
-                <xccdf-1.2:description>
-To properly set the permissions of <html:code>/etc/shadow</html:code>, run the command:
-<html:pre>$ sudo chmod 0000 /etc/shadow</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R36)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002223</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-8.7.c</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>The <html:code>/etc/shadow</html:code> file contains the list of local
-system accounts and stores password hashes. Protection of this file is
-critical for system security. Failure to give ownership of this file
-to root provides the designated owner with access to sensitive information
-which could weaken the system security posture.</xccdf-1.2:rationale>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-file_permissions_etc_shadow:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-file_permissions_etc_shadow_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-            </xccdf-1.2:Group>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_permissions_var_log_dir">
-              <xccdf-1.2:title>Verify Permissions on Files within /var/log Directory</xccdf-1.2:title>
-              <xccdf-1.2:description>The <html:code>/var/log</html:code> directory contains files with logs of error
-messages in the system and should only be accessed by authorized
-personnel.</xccdf-1.2:description>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_var_log" severity="medium">
-                <xccdf-1.2:title>Verify Group Who Owns /var/log Directory</xccdf-1.2:title>
-                <xccdf-1.2:description> To properly set the group owner of <html:code>/var/log</html:code>, run the command: <html:pre>$ sudo chgrp root /var/log</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001314</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000206-GPOS-00084</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>The <html:code>/var/log</html:code> directory contains files with logs of error
-messages in the system and should only be accessed by authorized
-personnel.</xccdf-1.2:rationale>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-file_groupowner_var_log:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-file_groupowner_var_log_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_var_log_messages" severity="medium">
-                <xccdf-1.2:title>Verify Group Who Owns /var/log/messages File</xccdf-1.2:title>
-                <xccdf-1.2:description> To properly set the group owner of <html:code>/var/log/messages</html:code>, run the command: <html:pre>$ sudo chgrp root /var/log/messages</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001314</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000206-GPOS-00084</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>The <html:code>/var/log/messages</html:code> file contains logs of error messages in
-the system and should only be accessed by authorized personnel.</xccdf-1.2:rationale>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-file_groupowner_var_log_messages:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-file_groupowner_var_log_messages_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_var_log_syslog" severity="medium">
-                <xccdf-1.2:title>Verify Group Who Owns /var/log/syslog File</xccdf-1.2:title>
-                <xccdf-1.2:description> To properly set the group owner of <html:code>/var/log/syslog</html:code>, run the command: <html:pre>$ sudo chgrp adm /var/log/syslog</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001314</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000206-GPOS-00084</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>The <html:code>/var/log/syslog</html:code> file contains logs of error messages in
-the system and should only be accessed by authorized personnel.</xccdf-1.2:rationale>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-file_groupowner_var_log_syslog:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-file_groupowner_var_log_syslog_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_var_log" severity="medium">
-                <xccdf-1.2:title>Verify User Who Owns /var/log Directory</xccdf-1.2:title>
-                <xccdf-1.2:description> To properly set the owner of <html:code>/var/log</html:code>, run the command: <html:pre>$ sudo chown root /var/log </html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001314</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000206-GPOS-00084</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>The <html:code>/var/log</html:code> directory contains files with logs of error
-messages in the system and should only be accessed by authorized
-personnel.</xccdf-1.2:rationale>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-file_owner_var_log:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-file_owner_var_log_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_var_log_messages" severity="medium">
-                <xccdf-1.2:title>Verify User Who Owns /var/log/messages File</xccdf-1.2:title>
-                <xccdf-1.2:description> To properly set the owner of <html:code>/var/log/messages</html:code>, run the command: <html:pre>$ sudo chown root /var/log/messages </html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001314</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000206-GPOS-00084</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>The <html:code>/var/log/messages</html:code> file contains logs of error messages in
-the system and should only be accessed by authorized personnel.</xccdf-1.2:rationale>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-file_owner_var_log_messages:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-file_owner_var_log_messages_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_var_log_syslog" severity="medium">
-                <xccdf-1.2:title>Verify User Who Owns /var/log/syslog File</xccdf-1.2:title>
-                <xccdf-1.2:description> To properly set the owner of <html:code>/var/log/syslog</html:code>, run the command: <html:pre>$ sudo chown syslog /var/log/syslog </html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001314</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000206-GPOS-00084</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>The <html:code>/var/log/syslog</html:code> file contains logs of error messages in
-the system and should only be accessed by authorized personnel.</xccdf-1.2:rationale>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-file_owner_var_log_syslog:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-file_owner_var_log_syslog_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_var_log" severity="medium">
-                <xccdf-1.2:title>Verify Permissions on /var/log Directory</xccdf-1.2:title>
-                <xccdf-1.2:description>
-To properly set the permissions of <html:code>/var/log</html:code>, run the command:
-<html:pre>$ sudo chmod 0755 /var/log</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001314</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000206-GPOS-00084</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>The <html:code>/var/log</html:code> directory contains files with logs of error
-messages in the system and should only be accessed by authorized
-personnel.</xccdf-1.2:rationale>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-file_permissions_var_log:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-file_permissions_var_log_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_var_log_messages" severity="medium">
-                <xccdf-1.2:title>Verify Permissions on /var/log/messages File</xccdf-1.2:title>
-                <xccdf-1.2:description>
-To properly set the permissions of <html:code>/var/log/messages</html:code>, run the command:
-<html:pre>$ sudo chmod 0640 /var/log/messages</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001314</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000206-GPOS-00084</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>The <html:code>/var/log/messages</html:code> file contains logs of error messages in
-the system and should only be accessed by authorized personnel.</xccdf-1.2:rationale>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-file_permissions_var_log_messages:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-file_permissions_var_log_messages_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_var_log_syslog" severity="medium">
-                <xccdf-1.2:title>Verify Permissions on /var/log/syslog File</xccdf-1.2:title>
-                <xccdf-1.2:description>
-To properly set the permissions of <html:code>/var/log/syslog</html:code>, run the command:
-<html:pre>$ sudo chmod 0640 /var/log/syslog</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001314</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000206-GPOS-00084</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>The <html:code>/var/log/syslog</html:code> file contains logs of error messages in
-the system and should only be accessed by authorized personnel.</xccdf-1.2:rationale>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-file_permissions_var_log_syslog:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-file_permissions_var_log_syslog_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-            </xccdf-1.2:Group>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_permissions_within_important_dirs">
-              <xccdf-1.2:title>Verify File Permissions Within Some Important Directories</xccdf-1.2:title>
-              <xccdf-1.2:description>Some directories contain files whose confidentiality or integrity
-is notably important and may also be susceptible to misconfiguration over time, particularly if
-unpackaged software is installed. As such,
-an argument exists to verify that files' permissions within these directories remain
-configured correctly and restrictively.</xccdf-1.2:description>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_dir_ownership_binary_dirs" severity="medium">
-                <xccdf-1.2:title>Verify that System Executable Have Root Ownership</xccdf-1.2:title>
-                <xccdf-1.2:description><html:pre>/bin
-/sbin
-/usr/bin
-/usr/sbin
-/usr/local/bin
-/usr/local/sbin</html:pre>
-All these directories should be owned by the <html:code>root</html:code> user.
-If any directory <html:i>DIR</html:i> in these directories is found
-to be owned by a user other than root, correct its ownership with the
-following command:
-<html:pre>$ sudo chown root <html:i>DIR</html:i></html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001495</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000258-GPOS-00099</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>System binaries are executed by privileged users as well as system services,
-and restrictive permissions are necessary to ensure that their
-execution of these programs cannot be co-opted.</xccdf-1.2:rationale>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-dir_ownership_binary_dirs:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-dir_ownership_binary_dirs_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_dir_ownership_library_dirs" severity="medium">
-                <xccdf-1.2:title>Verify that Shared Library Directories Have Root Ownership</xccdf-1.2:title>
-                <xccdf-1.2:description>System-wide shared library files, which are linked to executables
-during process load time or run time, are stored in the following directories
-by default:
-<html:pre>/lib
-/lib64
-/usr/lib
-/usr/lib64
-</html:pre>
-Kernel modules, which can be added to the kernel during runtime, are also
-stored in <html:code>/lib/modules</html:code>. All files in these directories should be
-owned by the <html:code>root</html:code> user. If the  directories, is found to be owned
-by a user other than root correct its
-ownership with the following command:
-<html:pre>$ sudo chown root <html:i>DIR</html:i></html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001499</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-5(6)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-5(6).1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000259-GPOS-00100</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Files from shared library directories are loaded into the address
-space of processes (including privileged ones) or of the kernel itself at
-runtime. Proper ownership of library directories is necessary to protect
-the integrity of the system.</xccdf-1.2:rationale>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-dir_ownership_library_dirs:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-dir_ownership_library_dirs_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_dir_permissions_binary_dirs" severity="medium">
-                <xccdf-1.2:title>Verify that System Executable Directories Have Restrictive Permissions</xccdf-1.2:title>
-                <xccdf-1.2:description>System executables are stored in the following directories by default:
-<html:pre>/bin
-/sbin
-/usr/bin
-/usr/sbin
-/usr/local/bin
-/usr/local/sbin</html:pre>
-These directories should not be group-writable or world-writable.
-If any directory <html:i>DIR</html:i> in these directories is found to be
-group-writable or world-writable, correct its permission with the
-following command:
-<html:pre>$ sudo chmod go-w <html:i>DIR</html:i></html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001495</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000258-GPOS-00099</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>System binaries are executed by privileged users, as well as system services,
-and restrictive permissions are necessary to ensure execution of these programs
-cannot be co-opted.</xccdf-1.2:rationale>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-dir_permissions_binary_dirs:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-dir_permissions_binary_dirs_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_dir_permissions_library_dirs" severity="medium">
-                <xccdf-1.2:title>Verify that Shared Library Directories Have Restrictive Permissions</xccdf-1.2:title>
-                <xccdf-1.2:description>System-wide shared library directories, which contain are linked to executables
-during process load time or run time, are stored in the following directories
-by default:
-<html:pre>/lib
-/lib64
-/usr/lib
-/usr/lib64
-</html:pre>
-Kernel modules, which can be added to the kernel during runtime, are
-stored in <html:code>/lib/modules</html:code>. All sub-directories in these directories
-should not be group-writable or world-writable. If any file in these
-directories is found to be group-writable or world-writable, correct
-its permission with the following command:
-<html:pre>$ sudo chmod go-w <html:i>DIR</html:i></html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001499</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-5(6)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-5(6).1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000259-GPOS-00100</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>If the operating system were to allow any user to make changes to software libraries,
-then those changes might be implemented without undergoing the appropriate testing
-and approvals that are part of a robust change management process.
-
-This requirement applies to operating systems with software libraries that are accessible
-and configurable, as in the case of interpreted languages. Software libraries also include
-privileged programs which execute with escalated privileges. Only qualified and authorized
-individuals must be allowed to obtain access to information system components for purposes
-of initiating changes, including upgrades and modifications.</xccdf-1.2:rationale>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-dir_permissions_library_dirs:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-dir_permissions_library_dirs_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_ownership_binary_dirs" severity="medium">
-                <xccdf-1.2:title>Verify that System Executables Have Root Ownership</xccdf-1.2:title>
-                <xccdf-1.2:description>System executables are stored in the following directories by default:
-<html:pre>/bin
-/sbin
-/usr/bin
-/usr/libexec
-/usr/local/bin
-/usr/local/sbin
-/usr/sbin</html:pre>
-All files in these directories should be owned by the <html:code>root</html:code> user.
-If any file <html:i>FILE</html:i> in these directories is found
-to be owned by a user other than root, correct its ownership with the
-following command:
-<html:pre>$ sudo chown root <html:i>FILE</html:i></html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001499</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-5(6)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-5(6).1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000259-GPOS-00100</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>System binaries are executed by privileged users as well as system services,
-and restrictive permissions are necessary to ensure that their
-execution of these programs cannot be co-opted.</xccdf-1.2:rationale>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-file_ownership_binary_dirs:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-file_ownership_binary_dirs_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_ownership_library_dirs" severity="medium">
-                <xccdf-1.2:title>Verify that Shared Library Files Have Root Ownership</xccdf-1.2:title>
-                <xccdf-1.2:description>System-wide shared library files, which are linked to executables
-during process load time or run time, are stored in the following directories
-by default:
-<html:pre>/lib
-/lib64
-/usr/lib
-/usr/lib64
-</html:pre>
-Kernel modules, which can be added to the kernel during runtime, are also
-stored in <html:code>/lib/modules</html:code>. All files in these directories should be
-owned by the <html:code>root</html:code> user. If the directory, or any file in these
-directories, is found to be owned by a user other than root correct its
-ownership with the following command:
-<html:pre>$ sudo chown root <html:i>FILE</html:i></html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001499</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-5(6)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-5(6).1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000259-GPOS-00100</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Files from shared library directories are loaded into the address
-space of processes (including privileged ones) or of the kernel itself at
-runtime. Proper ownership is necessary to protect the integrity of the system.</xccdf-1.2:rationale>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-file_ownership_library_dirs:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-file_ownership_library_dirs_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_binary_dirs" severity="medium">
-                <xccdf-1.2:title>Verify that System Executables Have Restrictive Permissions</xccdf-1.2:title>
-                <xccdf-1.2:description>System executables are stored in the following directories by default:
-<html:pre>/bin
-/sbin
-/usr/bin
-/usr/libexec
-/usr/local/bin
-/usr/local/sbin
-/usr/sbin</html:pre>
-All files in these directories should not be group-writable or world-writable.
-If any file <html:i>FILE</html:i> in these directories is found
-to be group-writable or world-writable, correct its permission with the
-following command:
-<html:pre>$ sudo chmod go-w <html:i>FILE</html:i></html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001499</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-5(6)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-5(6).1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000259-GPOS-00100</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>System binaries are executed by privileged users, as well as system services,
-and restrictive permissions are necessary to ensure execution of these programs
-cannot be co-opted.</xccdf-1.2:rationale>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-file_permissions_binary_dirs:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-file_permissions_binary_dirs_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_library_dirs" severity="medium">
-                <xccdf-1.2:title>Verify that Shared Library Files Have Restrictive Permissions</xccdf-1.2:title>
-                <xccdf-1.2:description>System-wide shared library files, which are linked to executables
-during process load time or run time, are stored in the following directories
-by default:
-<html:pre>/lib
-/lib64
-/usr/lib
-/usr/lib64
-</html:pre>
-Kernel modules, which can be added to the kernel during runtime, are
-stored in <html:code>/lib/modules</html:code>. All files in these directories
-should not be group-writable or world-writable. If any file in these
-directories is found to be group-writable or world-writable, correct
-its permission with the following command:
-<html:pre>$ sudo chmod go-w <html:i>FILE</html:i></html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001499</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-5(6)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-5(6).1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000259-GPOS-00100</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Files from shared library directories are loaded into the address
-space of processes (including privileged ones) or of the kernel itself at
-runtime. Restrictive permissions are necessary to protect the integrity of the system.</xccdf-1.2:rationale>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-file_permissions_library_dirs:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-file_permissions_library_dirs_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-            </xccdf-1.2:Group>
-          </xccdf-1.2:Group>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_mounting">
-            <xccdf-1.2:title>Restrict Dynamic Mounting and Unmounting of
-Filesystems</xccdf-1.2:title>
-            <xccdf-1.2:description>Linux includes a number of facilities for the automated addition
-and removal of filesystems on a running system.  These facilities may be
-necessary in many environments, but this capability also carries some risk -- whether direct
-risk from allowing users to introduce arbitrary filesystems,
-or risk that software flaws in the automated mount facility itself could
-allow an attacker to compromise the system.
-<html:br/><html:br/>
-This command can be used to list the types of filesystems that are
-available to the currently executing kernel:
-<html:pre>$ find /lib/modules/`uname -r`/kernel/fs -type f -name '*.ko'</html:pre>
-If these filesystems are not required then they can be explicitly disabled
-in a configuratio file in  <html:code>/etc/modprobe.d</html:code>.</xccdf-1.2:description>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_service_autofs_disabled" severity="medium">
-              <xccdf-1.2:title>Disable the Automounter</xccdf-1.2:title>
-              <xccdf-1.2:description>The <html:code>autofs</html:code> daemon mounts and unmounts filesystems, such as user
-home directories shared via NFS, on demand. In addition, autofs can be used to handle
-removable media, and the default configuration provides the cdrom device as <html:code>/misc/cd</html:code>.
-However, this method of providing access to removable media is not common, so autofs
-can almost always be disabled if NFS is not in use. Even if NFS is required, it may be
-possible to configure filesystem mounts statically by editing <html:code>/etc/fstab</html:code>
-rather than relying on the automounter.
-<html:br/><html:br/>
-
-The <html:code>autofs</html:code> service can be disabled with the following manifest:
-<html:pre>
----
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-metadata:
-  labels:
-    machineconfiguration.openshift.io/role: master
-  name: 75-master-autofs-disable
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-      - enabled: false
-        name: autofs.service
-</html:pre>
-<html:p>
-This will disable the <html:code>autofs</html:code> service in all the
-nodes labeled with the "master" role.
-</html:p>
-<html:p>
-Note that this needs to be done for each <html:code>MachineConfigPool</html:code>
-</html:p>
-<html:p>
-For more information on how to configure nodes with the Machine Config
-Operator see
-<html:a href="https://docs.openshift.com/container-platform/4.6/post_installation_configuration/machine-configuration-tasks.html">the relevant documentation</html:a>.
-</html:p></xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000778</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001958</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(i)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(iv)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.18.1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000114-GPOS-00059</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000378-GPOS-00163</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Disabling the automounter permits the administrator to
-statically control filesystem mounting through <html:code>/etc/fstab</html:code>.
-<html:br/><html:br/>
-Additionally, automatically mounting filesystems permits easy introduction of
-unknown devices, thereby facilitating malicious activity.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82663-6</xccdf-1.2:ident>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:ignition" id="service_autofs_disabled" complexity="low" disruption="medium" reboot="true" strategy="disable">apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-      - name: autofs.service
-        enabled: false
-        mask: true
-      - name: autofs.socket
-        enabled: false
-        mask: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="service_autofs_disabled">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-      - enabled: false
-        name: autofs.service
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-service_autofs_disabled:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-service_autofs_disabled_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_bios_disable_usb_boot" severity="unknown">
-              <xccdf-1.2:title>Disable Booting from USB Devices in Boot Firmware</xccdf-1.2:title>
-              <xccdf-1.2:description>Configure the system boot firmware (historically called BIOS on PC
-systems) to disallow booting from USB drives.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001250</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Booting a system from a USB device would allow an attacker to
-circumvent any security measures provided by the operating system. Attackers
-could mount partitions and modify the configuration of the OS.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82662-8</xccdf-1.2:ident>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_coreos_nousb_kernel_argument" severity="medium">
-              <xccdf-1.2:title>Disable Kernel Support for USB via Bootloader Configuration</xccdf-1.2:title>
-              <xccdf-1.2:description>All USB support can be disabled by adding the <html:code>nousb</html:code>
-argument to the kernel's boot loader configuration. To do so,
-Add the <html:code>nousb</html:code> kernel argument via a <html:code>MachineConfig</html:code>
-object.</xccdf-1.2:description>
-              <xccdf-1.2:warning category="functionality">Disabling all kernel support for USB will cause problems for systems
-with USB-based keyboards, mice, or printers. This configuration is
-infeasible for systems which require USB devices, which is common.</xccdf-1.2:warning>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001250</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(i)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(iv)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Disabling the USB subsystem within the Linux kernel at system boot will
-protect against potentially malicious USB devices, although it is only practical
-in specialized systems.</xccdf-1.2:rationale>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83443-2</xccdf-1.2:ident>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="coreos_nousb_kernel_argument" complexity="low" disruption="medium" reboot="true" strategy="restrict">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-  kernelArguments:
-    - nousb
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-coreos_nousb_kernel_argument:def:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_grub2_nousb_argument" severity="unknown">
-              <xccdf-1.2:title>Disable Kernel Support for USB via Bootloader Configuration</xccdf-1.2:title>
-              <xccdf-1.2:description>All USB support can be disabled by adding the <html:code>nousb</html:code>
-argument to the kernel's boot loader configuration. To do so,
-append "nousb" to the kernel line in <html:code>/etc/default/grub</html:code> as shown:
-<html:pre>kernel /vmlinuz-<html:i>VERSION</html:i> ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet nousb</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:warning category="functionality">Disabling all kernel support for USB will cause problems for systems
-with USB-based keyboards, mice, or printers. This configuration is
-infeasible for systems which require USB devices, which is common.</xccdf-1.2:warning>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001250</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(i)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(iv)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Disabling the USB subsystem within the Linux kernel at system boot will
-protect against potentially malicious USB devices, although it is only practical
-in specialized systems.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#grub2"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82661-0</xccdf-1.2:ident>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-grub2_nousb_argument:def:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kernel_module_cramfs_disabled" severity="low">
-              <xccdf-1.2:title>Disable Mounting of cramfs</xccdf-1.2:title>
-              <xccdf-1.2:description>
-To configure the system to prevent the <html:code>cramfs</html:code>
-kernel module from being loaded, add the following line to the file <html:code>/etc/modprobe.d/cramfs.conf</html:code>:
-<html:pre>install cramfs /bin/true</html:pre>
-
-This effectively prevents usage of this uncommon filesystem.
-
-The <html:code>cramfs</html:code> filesystem type is a compressed read-only
-Linux filesystem embedded in small footprint systems. A
-<html:code>cramfs</html:code> image can be used without having to first
-decompress the image.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000381</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000095-GPOS-00049</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Removing support for unneeded filesystem types reduces the local attack surface
-of the server.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82514-1</xccdf-1.2:ident>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="kernel_module_cramfs_disabled">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,install%20cramfs%20/bin/true%0A
-        mode: 0644
-        path: /etc/modprobe.d/75-kernel_module_cramfs_disabled.conf
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-kernel_module_cramfs_disabled:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-kernel_module_cramfs_disabled_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kernel_module_freevxfs_disabled" severity="low">
-              <xccdf-1.2:title>Disable Mounting of freevxfs</xccdf-1.2:title>
-              <xccdf-1.2:description>
-To configure the system to prevent the <html:code>freevxfs</html:code>
-kernel module from being loaded, add the following line to the file <html:code>/etc/modprobe.d/freevxfs.conf</html:code>:
-<html:pre>install freevxfs /bin/true</html:pre>
-
-This effectively prevents usage of this uncommon filesystem.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Linux kernel modules which implement filesystems that are not needed by the
-local system should be disabled.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82713-9</xccdf-1.2:ident>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="kernel_module_freevxfs_disabled">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,install%20freevxfs%20/bin/true%0A
-        mode: 0644
-        path: /etc/modprobe.d/75-kernel_module_freevxfs_disabled.conf
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-kernel_module_freevxfs_disabled:def:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kernel_module_hfs_disabled" severity="low">
-              <xccdf-1.2:title>Disable Mounting of hfs</xccdf-1.2:title>
-              <xccdf-1.2:description>
-To configure the system to prevent the <html:code>hfs</html:code>
-kernel module from being loaded, add the following line to the file <html:code>/etc/modprobe.d/hfs.conf</html:code>:
-<html:pre>install hfs /bin/true</html:pre>
-
-This effectively prevents usage of this uncommon filesystem.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Linux kernel modules which implement filesystems that are not needed by the
-local system should be disabled.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82714-7</xccdf-1.2:ident>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="kernel_module_hfs_disabled">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,install%20hfs%20/bin/true%0A
-        mode: 0644
-        path: /etc/modprobe.d/75-kernel_module_hfs_disabled.conf
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-kernel_module_hfs_disabled:def:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kernel_module_hfsplus_disabled" severity="low">
-              <xccdf-1.2:title>Disable Mounting of hfsplus</xccdf-1.2:title>
-              <xccdf-1.2:description>
-To configure the system to prevent the <html:code>hfsplus</html:code>
-kernel module from being loaded, add the following line to the file <html:code>/etc/modprobe.d/hfsplus.conf</html:code>:
-<html:pre>install hfsplus /bin/true</html:pre>
-
-This effectively prevents usage of this uncommon filesystem.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Linux kernel modules which implement filesystems that are not needed by the
-local system should be disabled.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82715-4</xccdf-1.2:ident>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="kernel_module_hfsplus_disabled">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,install%20hfsplus%20/bin/true%0A
-        mode: 0644
-        path: /etc/modprobe.d/75-kernel_module_hfsplus_disabled.conf
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-kernel_module_hfsplus_disabled:def:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kernel_module_jffs2_disabled" severity="low">
-              <xccdf-1.2:title>Disable Mounting of jffs2</xccdf-1.2:title>
-              <xccdf-1.2:description>
-To configure the system to prevent the <html:code>jffs2</html:code>
-kernel module from being loaded, add the following line to the file <html:code>/etc/modprobe.d/jffs2.conf</html:code>:
-<html:pre>install jffs2 /bin/true</html:pre>
-
-This effectively prevents usage of this uncommon filesystem.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Linux kernel modules which implement filesystems that are not needed by the
-local system should be disabled.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82716-2</xccdf-1.2:ident>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="kernel_module_jffs2_disabled">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,install%20jffs2%20/bin/true%0A
-        mode: 0644
-        path: /etc/modprobe.d/75-kernel_module_jffs2_disabled.conf
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-kernel_module_jffs2_disabled:def:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kernel_module_squashfs_disabled" severity="low">
-              <xccdf-1.2:title>Disable Mounting of squashfs</xccdf-1.2:title>
-              <xccdf-1.2:description>
-To configure the system to prevent the <html:code>squashfs</html:code>
-kernel module from being loaded, add the following line to the file <html:code>/etc/modprobe.d/squashfs.conf</html:code>:
-<html:pre>install squashfs /bin/true</html:pre>
-
-This effectively prevents usage of this uncommon filesystem.
-
-The <html:code>squashfs</html:code> filesystem type is a compressed read-only Linux
-filesystem embedded in small footprint systems (similar to
-<html:code>cramfs</html:code>). A <html:code>squashfs</html:code> image can be used without having
-to first decompress the image.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Removing support for unneeded filesystem types reduces the local attack
-surface of the system.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82717-0</xccdf-1.2:ident>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="kernel_module_squashfs_disabled">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,install%20squashfs%20/bin/true%0A
-        mode: 0644
-        path: /etc/modprobe.d/75-kernel_module_squashfs_disabled.conf
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-kernel_module_squashfs_disabled:def:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kernel_module_udf_disabled" severity="low">
-              <xccdf-1.2:title>Disable Mounting of udf</xccdf-1.2:title>
-              <xccdf-1.2:description>
-To configure the system to prevent the <html:code>udf</html:code>
-kernel module from being loaded, add the following line to the file <html:code>/etc/modprobe.d/udf.conf</html:code>:
-<html:pre>install udf /bin/true</html:pre>
-
-This effectively prevents usage of this uncommon filesystem.
-
-The <html:code>udf</html:code> filesystem type is the universal disk format
-used to implement the ISO/IEC 13346 and ECMA-167 specifications.
-This is an open vendor filesystem type for data storage on a broad
-range of media. This filesystem type is neccessary to support
-writing DVDs and newer optical disc formats.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Removing support for unneeded filesystem types reduces the local
-attack surface of the system.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82718-8</xccdf-1.2:ident>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="kernel_module_udf_disabled">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,install%20udf%20/bin/true%0A
-        mode: 0644
-        path: /etc/modprobe.d/75-kernel_module_udf_disabled.conf
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-kernel_module_udf_disabled:def:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled" severity="medium">
-              <xccdf-1.2:title>Disable Modprobe Loading of USB Storage Driver</xccdf-1.2:title>
-              <xccdf-1.2:description>To prevent USB storage devices from being used, configure the kernel module loading system
-to prevent automatic loading of the USB storage driver.
-
-To configure the system to prevent the <html:code>usb-storage</html:code>
-kernel module from being loaded, add the following line to the file <html:code>/etc/modprobe.d/usb-storage.conf</html:code>:
-<html:pre>install usb-storage /bin/true</html:pre>
-
-This will prevent the <html:code>modprobe</html:code> program from loading the <html:code>usb-storage</html:code>
-module, but will not prevent an administrator (or another program) from using the
-<html:code>insmod</html:code> program to load the module manually.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.21</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000778</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001958</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(i)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)(ii)(A)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(d)(2)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)(2)(iv)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.18.1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000114-GPOS-00059</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000378-GPOS-00163</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>USB storage devices such as thumb drives can be used to introduce
-malicious software.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82719-6</xccdf-1.2:ident>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="kernel_module_usb-storage_disabled">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,install%20usb-storage%20/bin/true%0A
-        mode: 0644
-        path: /etc/modprobe.d/75-kernel_module_usb-storage_disabled.conf
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-kernel_module_usb-storage_disabled:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-kernel_module_usb-storage_disabled_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kernel_module_vfat_disabled" severity="low">
-              <xccdf-1.2:title>Disable Mounting of vFAT filesystems</xccdf-1.2:title>
-              <xccdf-1.2:description>
-To configure the system to prevent the <html:code>vfat</html:code>
-kernel module from being loaded, add the following line to the file <html:code>/etc/modprobe.d/vfat.conf</html:code>:
-<html:pre>install vfat /bin/true</html:pre>
-
-This effectively prevents usage of this uncommon filesystem.
-
-The <html:code>vFAT</html:code> filesystem format is primarily used on older
-windows systems and portable USB drives or flash modules. It comes
-in three types <html:code>FAT12</html:code>, <html:code>FAT16</html:code>, and <html:code>FAT32</html:code>
-all of which are supported by the <html:code>vfat</html:code> kernel module.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.4.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Removing support for unneeded filesystems reduces the local attack
-surface of the system.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82720-4</xccdf-1.2:ident>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="kernel_module_vfat_disabled">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,install%20vfat%20/bin/true%0A
-        mode: 0644
-        path: /etc/modprobe.d/75-kernel_module_vfat_disabled.conf
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-kernel_module_vfat_disabled:def:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-          </xccdf-1.2:Group>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_partitions">
-            <xccdf-1.2:title>Restrict Partition Mount Options</xccdf-1.2:title>
-            <xccdf-1.2:description>System partitions can be mounted with certain options
-that limit what files on those partitions can do. These options
-are set in the <html:code>/etc/fstab</html:code> configuration file, and can be
-used to make certain types of malicious behavior more difficult.</xccdf-1.2:description>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_mount_option_proc_hidepid" type="string">
-              <xccdf-1.2:title>Value for hidepid option</xccdf-1.2:title>
-              <xccdf-1.2:description>The hidepid mount option is applicable to /proc and is used to control who can access
-the information in /proc/[pid] directories. The option can have one of the following
-values:
-0: Everybody may access all /proc/[pid] directories.
-1: Users may not access files and subdirectories inside any /proc/[pid] directories
-   but their own. The /proc/[pid] directories themselves remain visible.
-2: Same as for mode 1, but in addition the /proc/[pid] directories belonging to other
-   users become invisible.</xccdf-1.2:description>
-              <xccdf-1.2:value selector="0">0</xccdf-1.2:value>
-              <xccdf-1.2:value selector="1">1</xccdf-1.2:value>
-              <xccdf-1.2:value selector="2">2</xccdf-1.2:value>
-              <xccdf-1.2:value>2</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_removable_partition" type="string">
-              <xccdf-1.2:title>Removable Partition</xccdf-1.2:title>
-              <xccdf-1.2:description>This value is used by the checks mount_option_nodev_removable_partitions, mount_option_nodev_removable_partitions,
-and mount_option_nodev_removable_partitions to ensure that the correct mount options are set on partitions mounted from
-removable media such as CD-ROMs, USB keys, and floppy drives. This value should be modified to reflect any removable
-partitions that are required on the local system.</xccdf-1.2:description>
-              <xccdf-1.2:value selector="dev_cdrom">/dev/cdrom</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_mount_option_boot_nodev" severity="medium">
-              <xccdf-1.2:title>Add nodev Option to /boot</xccdf-1.2:title>
-              <xccdf-1.2:description>The <html:code>nodev</html:code> mount option can be used to prevent device files from
-being created in <html:code>/boot</html:code>.
-Legitimate character and block devices should exist only in
-the <html:code>/dev</html:code> directory on the root partition or within chroot
-jails built for system services.
-Add the <html:code>nodev</html:code> option to the list of
-<html:code>Options</html:code> in the <html:code>systemd.mount</html:code> unit that
-controls mounting of
-<html:code>/boot</html:code>.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000368-GPOS-00154</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>The only legitimate location for device files is the <html:code>/dev</html:code> directory
-located on the root partition. The only exception to this is chroot jails.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-mount_option_boot_nodev:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-mount_option_boot_nodev_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_mount_option_boot_nosuid" severity="medium">
-              <xccdf-1.2:title>Add nosuid Option to /boot</xccdf-1.2:title>
-              <xccdf-1.2:description>The <html:code>nosuid</html:code> mount option can be used to prevent
-execution of setuid programs in <html:code>/boot</html:code>. The SUID and SGID permissions
-should not be required on the boot partition.
-Add the <html:code>nosuid</html:code> option to the list of
-<html:code>Options</html:code> in the <html:code>systemd.mount</html:code> unit that
-controls mounting of
-<html:code>/boot</html:code>.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R12)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000368-GPOS-00154</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>The presence of SUID and SGID executables should be tightly controlled. Users
-should not be able to execute SUID or SGID binaries from boot partitions.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-mount_option_boot_nosuid:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-mount_option_boot_nosuid_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nodev" severity="medium">
-              <xccdf-1.2:title>Add nodev Option to /dev/shm</xccdf-1.2:title>
-              <xccdf-1.2:description>The <html:code>nodev</html:code> mount option can be used to prevent creation of device
-files in <html:code>/dev/shm</html:code>. Legitimate character and block devices should
-not exist within temporary directories like <html:code>/dev/shm</html:code>.
-Add the <html:code>nodev</html:code> option to the list of
-<html:code>Options</html:code> in the <html:code>systemd.mount</html:code> unit that
-controls mounting of
-<html:code>/dev/shm</html:code>.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001764</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.3.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000368-GPOS-00154</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>The only legitimate location for device files is the <html:code>/dev</html:code> directory
-located on the root partition. The only exception to this is chroot jails.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82867-3</xccdf-1.2:ident>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-mount_option_dev_shm_nodev:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-mount_option_dev_shm_nodev_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_mount_option_dev_shm_noexec" severity="medium">
-              <xccdf-1.2:title>Add noexec Option to /dev/shm</xccdf-1.2:title>
-              <xccdf-1.2:description>The <html:code>noexec</html:code> mount option can be used to prevent binaries
-from being executed out of <html:code>/dev/shm</html:code>.
-It can be dangerous to allow the execution of binaries
-from world-writable temporary storage directories such as <html:code>/dev/shm</html:code>.
-Add the <html:code>noexec</html:code> option to the list of
-<html:code>Options</html:code> in the <html:code>systemd.mount</html:code> unit that
-controls mounting of
-<html:code>/dev/shm</html:code>.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001764</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.3.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000368-GPOS-00154</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Allowing users to execute binaries from world-writable directories
-such as <html:code>/dev/shm</html:code> can expose the system to potential compromise.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82868-1</xccdf-1.2:ident>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-mount_option_dev_shm_noexec:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-mount_option_dev_shm_noexec_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_mount_option_dev_shm_nosuid" severity="medium">
-              <xccdf-1.2:title>Add nosuid Option to /dev/shm</xccdf-1.2:title>
-              <xccdf-1.2:description>The <html:code>nosuid</html:code> mount option can be used to prevent execution
-of setuid programs in <html:code>/dev/shm</html:code>.  The SUID and SGID permissions should not
-be required in these world-writable directories.
-Add the <html:code>nosuid</html:code> option to the list of
-<html:code>Options</html:code> in the <html:code>systemd.mount</html:code> unit that
-controls mounting of
-<html:code>/dev/shm</html:code>.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001764</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.3.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000368-GPOS-00154</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>The presence of SUID and SGID executables should be tightly controlled. Users
-should not be able to execute SUID or SGID binaries from temporary storage partitions.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82741-0</xccdf-1.2:ident>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-mount_option_dev_shm_nosuid:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-mount_option_dev_shm_nosuid_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_mount_option_home_nodev" severity="unknown">
-              <xccdf-1.2:title>Add nodev Option to /home</xccdf-1.2:title>
-              <xccdf-1.2:description>The <html:code>nodev</html:code> mount option can be used to prevent device files from
-being created in <html:code>/home</html:code>.
-Legitimate character and block devices should exist only in
-the <html:code>/dev</html:code> directory on the root partition or within chroot
-jails built for system services.
-Add the <html:code>nodev</html:code> option to the list of
-<html:code>Options</html:code> in the <html:code>systemd.mount</html:code> unit that
-controls mounting of
-<html:code>/home</html:code>.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R12)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000368-GPOS-00154</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>The only legitimate location for device files is the <html:code>/dev</html:code> directory
-located on the root partition. The only exception to this is chroot jails.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82740-2</xccdf-1.2:ident>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-mount_option_home_nodev:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-mount_option_home_nodev_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_mount_option_home_nosuid" severity="medium">
-              <xccdf-1.2:title>Add nosuid Option to /home</xccdf-1.2:title>
-              <xccdf-1.2:description>The <html:code>nosuid</html:code> mount option can be used to prevent
-execution of setuid programs in <html:code>/home</html:code>. The SUID and SGID permissions
-should not be required in these user data directories.
-Add the <html:code>nosuid</html:code> option to the list of
-<html:code>Options</html:code> in the <html:code>systemd.mount</html:code> unit that
-controls mounting of
-<html:code>/home</html:code>.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R12)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.3.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000368-GPOS-00154</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>The presence of SUID and SGID executables should be tightly controlled. Users
-should not be able to execute SUID or SGID binaries from user home directory partitions.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-mount_option_home_nosuid:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-mount_option_home_nosuid_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_mount_option_nodev_nonroot_local_partitions" severity="medium">
-              <xccdf-1.2:title>Add nodev Option to Non-Root Local Partitions</xccdf-1.2:title>
-              <xccdf-1.2:description>The <html:code>nodev</html:code> mount option prevents files from being interpreted as
-character or block devices. Legitimate character and block devices should
-exist only in the <html:code>/dev</html:code> directory on the root partition or within
-chroot jails built for system services.
-Add the <html:code>nodev</html:code> option to the list of
-<html:code>Options</html:code> in the <html:code>systemd.mount</html:code> unit that
-controls mounting of
-
-    any non-root local partitions.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R12)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000368-GPOS-00154</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>The <html:code>nodev</html:code> mount option prevents files from being
-interpreted as character or block devices. The only legitimate location
-for device files is the <html:code>/dev</html:code> directory located on the root partition.
-The only exception to this is chroot jails, for which it is not advised
-to set <html:code>nodev</html:code> on these filesystems.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-mount_option_nodev_nonroot_local_partitions:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-mount_option_nodev_nonroot_local_partitions_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_mount_option_nodev_removable_partitions" severity="medium">
-              <xccdf-1.2:title>Add nodev Option to Removable Media Partitions</xccdf-1.2:title>
-              <xccdf-1.2:description>The <html:code>nodev</html:code> mount option prevents files from being
-interpreted as character or block devices.
-Legitimate character and block devices should exist only in
-the <html:code>/dev</html:code> directory on the root partition or within chroot
-jails built for system services.
-Add the <html:code>nodev</html:code> option to the list of
-<html:code>Options</html:code> in the <html:code>systemd.mount</html:code> unit that
-controls mounting of
-
-    any removable media partitions.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.3.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>The only legitimate location for device files is the <html:code>/dev</html:code> directory
-located on the root partition. An exception to this is chroot jails, and it is
-not advised to set <html:code>nodev</html:code> on partitions which contain their root
-filesystems.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82865-7</xccdf-1.2:ident>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-export export-name="oval:ssg-var_removable_partition:var:1" value-id="xccdf_org.ssgproject.content_value_var_removable_partition"/>
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-mount_option_nodev_removable_partitions:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-mount_option_nodev_removable_partitions_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_mount_option_noexec_removable_partitions" severity="medium">
-              <xccdf-1.2:title>Add noexec Option to Removable Media Partitions</xccdf-1.2:title>
-              <xccdf-1.2:description>The <html:code>noexec</html:code> mount option prevents the direct execution of binaries
-on the mounted filesystem. Preventing the direct execution of binaries from
-removable media (such as a USB key) provides a defense against malicious
-software that may be present on such untrusted media.
-Add the <html:code>noexec</html:code> option to the list of
-<html:code>Options</html:code> in the <html:code>systemd.mount</html:code> unit that
-controls mounting of
-
-    any removable media partitions.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000087</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.3.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Allowing users to execute binaries from removable media such as USB keys exposes
-the system to potential compromise.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82747-7</xccdf-1.2:ident>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-export export-name="oval:ssg-var_removable_partition:var:1" value-id="xccdf_org.ssgproject.content_value_var_removable_partition"/>
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-mount_option_noexec_removable_partitions:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-mount_option_noexec_removable_partitions_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_mount_option_nosuid_removable_partitions" severity="medium">
-              <xccdf-1.2:title>Add nosuid Option to Removable Media Partitions</xccdf-1.2:title>
-              <xccdf-1.2:description>The <html:code>nosuid</html:code> mount option prevents set-user-identifier (SUID)
-and set-group-identifier (SGID) permissions from taking effect. These permissions
-allow users to execute binaries with the same permissions as the owner and group
-of the file respectively. Users should not be allowed to introduce SUID and SGID
-files into the system via partitions mounted from removeable media.
-Add the <html:code>nosuid</html:code> option to the list of
-<html:code>Options</html:code> in the <html:code>systemd.mount</html:code> unit that
-controls mounting of
-
-    any removable media partitions.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.3.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>The presence of SUID and SGID executables should be tightly controlled. Allowing
-users to introduce SUID or SGID binaries from partitions mounted off of
-removable media would allow them to introduce their own highly-privileged programs.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82745-1</xccdf-1.2:ident>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-export export-name="oval:ssg-var_removable_partition:var:1" value-id="xccdf_org.ssgproject.content_value_var_removable_partition"/>
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-mount_option_nosuid_removable_partitions:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-mount_option_nosuid_removable_partitions_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_mount_option_tmp_nodev" severity="medium">
-              <xccdf-1.2:title>Add nodev Option to /tmp</xccdf-1.2:title>
-              <xccdf-1.2:description>The <html:code>nodev</html:code> mount option can be used to prevent device files from
-being created in <html:code>/tmp</html:code>. Legitimate character and block devices
-should not exist within temporary directories like <html:code>/tmp</html:code>.
-Add the <html:code>nodev</html:code> option to the list of
-<html:code>Options</html:code> in the <html:code>systemd.mount</html:code> unit that
-controls mounting of
-<html:code>/tmp</html:code>.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R12)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001764</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.3.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000368-GPOS-00154</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>The only legitimate location for device files is the <html:code>/dev</html:code> directory
-located on the root partition. The only exception to this is chroot jails.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-mount_option_tmp_nodev:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-mount_option_tmp_nodev_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_mount_option_tmp_noexec" severity="medium">
-              <xccdf-1.2:title>Add noexec Option to /tmp</xccdf-1.2:title>
-              <xccdf-1.2:description>The <html:code>noexec</html:code> mount option can be used to prevent binaries
-from being executed out of <html:code>/tmp</html:code>.
-Add the <html:code>noexec</html:code> option to the list of
-<html:code>Options</html:code> in the <html:code>systemd.mount</html:code> unit that
-controls mounting of
-<html:code>/tmp</html:code>.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R12)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001764</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.3.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000368-GPOS-00154</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Allowing users to execute binaries from world-writable directories
-such as <html:code>/tmp</html:code> should never be necessary in normal operation and
-can expose the system to potential compromise.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-mount_option_tmp_noexec:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-mount_option_tmp_noexec_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_mount_option_tmp_nosuid" severity="medium">
-              <xccdf-1.2:title>Add nosuid Option to /tmp</xccdf-1.2:title>
-              <xccdf-1.2:description>The <html:code>nosuid</html:code> mount option can be used to prevent
-execution of setuid programs in <html:code>/tmp</html:code>. The SUID and SGID permissions
-should not be required in these world-writable directories.
-Add the <html:code>nosuid</html:code> option to the list of
-<html:code>Options</html:code> in the <html:code>systemd.mount</html:code> unit that
-controls mounting of
-<html:code>/tmp</html:code>.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R12)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001764</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.3.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000368-GPOS-00154</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>The presence of SUID and SGID executables should be tightly controlled. Users
-should not be able to execute SUID or SGID binaries from temporary storage partitions.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-mount_option_tmp_nosuid:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-mount_option_tmp_nosuid_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nodev" severity="medium">
-              <xccdf-1.2:title>Add nodev Option to /var/log/audit</xccdf-1.2:title>
-              <xccdf-1.2:description>The <html:code>nodev</html:code> mount option can be used to prevent device files from
-being created in <html:code>/var/log/audit</html:code>.
-Legitimate character and block devices should exist only in
-the <html:code>/dev</html:code> directory on the root partition or within chroot
-jails built for system services.
-Add the <html:code>nodev</html:code> option to the list of
-<html:code>Options</html:code> in the <html:code>systemd.mount</html:code> unit that
-controls mounting of
-<html:code>/var/log/audit</html:code>.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001764</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000368-GPOS-00154</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>The only legitimate location for device files is the <html:code>/dev</html:code> directory
-located on the root partition. The only exception to this is chroot jails.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-mount_option_var_log_audit_nodev:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-mount_option_var_log_audit_nodev_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_noexec" severity="medium">
-              <xccdf-1.2:title>Add noexec Option to /var/log/audit</xccdf-1.2:title>
-              <xccdf-1.2:description>The <html:code>noexec</html:code> mount option can be used to prevent binaries
-from being executed out of <html:code>/var/log/audit</html:code>.
-Add the <html:code>noexec</html:code> option to the list of
-<html:code>Options</html:code> in the <html:code>systemd.mount</html:code> unit that
-controls mounting of
-<html:code>/var/log/audit</html:code>.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001764</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000368-GPOS-00154</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Allowing users to execute binaries from directories containing audit log files
-such as <html:code>/var/log/audit</html:code> should never be necessary in normal operation and
-can expose the system to potential compromise.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-mount_option_var_log_audit_noexec:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-mount_option_var_log_audit_noexec_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_mount_option_var_log_audit_nosuid" severity="medium">
-              <xccdf-1.2:title>Add nosuid Option to /var/log/audit</xccdf-1.2:title>
-              <xccdf-1.2:description>The <html:code>nosuid</html:code> mount option can be used to prevent
-execution of setuid programs in <html:code>/var/log/audit</html:code>. The SUID and SGID permissions
-should not be required in directories containing audit log files.
-Add the <html:code>nosuid</html:code> option to the list of
-<html:code>Options</html:code> in the <html:code>systemd.mount</html:code> unit that
-controls mounting of
-<html:code>/var/log/audit</html:code>.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001764</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000368-GPOS-00154</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>The presence of SUID and SGID executables should be tightly controlled. Users
-should not be able to execute SUID or SGID binaries from partitions
-designated for audit log files.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-mount_option_var_log_audit_nosuid:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-mount_option_var_log_audit_nosuid_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_mount_option_var_log_nodev" severity="medium">
-              <xccdf-1.2:title>Add nodev Option to /var/log</xccdf-1.2:title>
-              <xccdf-1.2:description>The <html:code>nodev</html:code> mount option can be used to prevent device files from
-being created in <html:code>/var/log</html:code>.
-Legitimate character and block devices should exist only in
-the <html:code>/dev</html:code> directory on the root partition or within chroot
-jails built for system services.
-Add the <html:code>nodev</html:code> option to the list of
-<html:code>Options</html:code> in the <html:code>systemd.mount</html:code> unit that
-controls mounting of
-<html:code>/var/log</html:code>.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001764</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000368-GPOS-00154</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>The only legitimate location for device files is the <html:code>/dev</html:code> directory
-located on the root partition. The only exception to this is chroot jails.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-mount_option_var_log_nodev:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-mount_option_var_log_nodev_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_mount_option_var_log_noexec" severity="medium">
-              <xccdf-1.2:title>Add noexec Option to /var/log</xccdf-1.2:title>
-              <xccdf-1.2:description>The <html:code>noexec</html:code> mount option can be used to prevent binaries
-from being executed out of <html:code>/var/log</html:code>.
-Add the <html:code>noexec</html:code> option to the list of
-<html:code>Options</html:code> in the <html:code>systemd.mount</html:code> unit that
-controls mounting of
-<html:code>/var/log</html:code>.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R12)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001764</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000368-GPOS-00154</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Allowing users to execute binaries from directories containing log files
-such as <html:code>/var/log</html:code> should never be necessary in normal operation and
-can expose the system to potential compromise.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-mount_option_var_log_noexec:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-mount_option_var_log_noexec_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_mount_option_var_log_nosuid" severity="medium">
-              <xccdf-1.2:title>Add nosuid Option to /var/log</xccdf-1.2:title>
-              <xccdf-1.2:description>The <html:code>nosuid</html:code> mount option can be used to prevent
-execution of setuid programs in <html:code>/var/log</html:code>. The SUID and SGID permissions
-should not be required in directories containing log files.
-Add the <html:code>nosuid</html:code> option to the list of
-<html:code>Options</html:code> in the <html:code>systemd.mount</html:code> unit that
-controls mounting of
-<html:code>/var/log</html:code>.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R12)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001764</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000368-GPOS-00154</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>The presence of SUID and SGID executables should be tightly controlled. Users
-should not be able to execute SUID or SGID binaries from partitions
-designated for log files.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-mount_option_var_log_nosuid:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-mount_option_var_log_nosuid_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_mount_option_var_nodev" severity="medium">
-              <xccdf-1.2:title>Add nodev Option to /var</xccdf-1.2:title>
-              <xccdf-1.2:description>The <html:code>nodev</html:code> mount option can be used to prevent device files from
-being created in <html:code>/var</html:code>.
-Legitimate character and block devices should exist only in
-the <html:code>/dev</html:code> directory on the root partition or within chroot
-jails built for system services.
-Add the <html:code>nodev</html:code> option to the list of
-<html:code>Options</html:code> in the <html:code>systemd.mount</html:code> unit that
-controls mounting of
-<html:code>/var</html:code>.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MP-7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000368-GPOS-00154</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>The only legitimate location for device files is the <html:code>/dev</html:code> directory
-located on the root partition. The only exception to this is chroot jails.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-mount_option_var_nodev:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-mount_option_var_nodev_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_mount_option_var_nosuid" severity="unknown">
-              <xccdf-1.2:title>Add nosuid Option to /var</xccdf-1.2:title>
-              <xccdf-1.2:description>The <html:code>nosuid</html:code> mount option can be used to prevent
-execution of setuid programs in <html:code>/var</html:code>. The SUID and SGID permissions
-should not be required for this directory.
-Add the <html:code>nosuid</html:code> option to the list of
-<html:code>Options</html:code> in the <html:code>systemd.mount</html:code> unit that
-controls mounting of
-<html:code>/var</html:code>.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R12)</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>The presence of SUID and SGID executables should be tightly controlled.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-mount_option_var_nosuid:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-mount_option_var_nosuid_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nodev" severity="medium">
-              <xccdf-1.2:title>Add nodev Option to /var/tmp</xccdf-1.2:title>
-              <xccdf-1.2:description>The <html:code>nodev</html:code> mount option can be used to prevent device files from
-being created in <html:code>/var/tmp</html:code>. Legitimate character and block devices
-should not exist within temporary directories like <html:code>/var/tmp</html:code>.
-Add the <html:code>nodev</html:code> option to the list of
-<html:code>Options</html:code> in the <html:code>systemd.mount</html:code> unit that
-controls mounting of
-<html:code>/var/tmp</html:code>.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R12)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001764</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000368-GPOS-00154</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>The only legitimate location for device files is the <html:code>/dev</html:code> directory
-located on the root partition. The only exception to this is chroot jails.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82735-2</xccdf-1.2:ident>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-mount_option_var_tmp_nodev:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-mount_option_var_tmp_nodev_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_mount_option_var_tmp_noexec" severity="medium">
-              <xccdf-1.2:title>Add noexec Option to /var/tmp</xccdf-1.2:title>
-              <xccdf-1.2:description>The <html:code>noexec</html:code> mount option can be used to prevent binaries
-from being executed out of <html:code>/var/tmp</html:code>.
-Add the <html:code>noexec</html:code> option to the list of
-<html:code>Options</html:code> in the <html:code>systemd.mount</html:code> unit that
-controls mounting of
-<html:code>/var/tmp</html:code>.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R12)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001764</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000368-GPOS-00154</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Allowing users to execute binaries from world-writable directories
-such as <html:code>/var/tmp</html:code> should never be necessary in normal operation and
-can expose the system to potential compromise.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82866-5</xccdf-1.2:ident>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-mount_option_var_tmp_noexec:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-mount_option_var_tmp_noexec_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_mount_option_var_tmp_nosuid" severity="medium">
-              <xccdf-1.2:title>Add nosuid Option to /var/tmp</xccdf-1.2:title>
-              <xccdf-1.2:description>The <html:code>nosuid</html:code> mount option can be used to prevent
-execution of setuid programs in <html:code>/var/tmp</html:code>. The SUID and SGID permissions
-should not be required in these world-writable directories.
-Add the <html:code>nosuid</html:code> option to the list of
-<html:code>Options</html:code> in the <html:code>systemd.mount</html:code> unit that
-controls mounting of
-<html:code>/var/tmp</html:code>.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R12)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001764</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000368-GPOS-00154</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>The presence of SUID and SGID executables should be tightly controlled. Users
-should not be able to execute SUID or SGID binaries from temporary storage partitions.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82736-0</xccdf-1.2:ident>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-mount_option_var_tmp_nosuid:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-mount_option_var_tmp_nosuid_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-          </xccdf-1.2:Group>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_permissions_local">
-            <xccdf-1.2:title>Verify Permissions on Important Files and
-Directories Are Configured in /etc/permissions.local</xccdf-1.2:title>
-            <xccdf-1.2:description>Permissions for many files on a system must be set
-restrictively to ensure sensitive information is properly protected.
-This section discusses the <html:code>/etc/permissions.local</html:code> file, where
-expected permissions can be configured to be checked and fixed through
-usage of the <html:code>chkstat</html:code> command.</xccdf-1.2:description>
-          </xccdf-1.2:Group>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_restrictions">
-            <xccdf-1.2:title>Restrict Programs from Dangerous Execution Patterns</xccdf-1.2:title>
-            <xccdf-1.2:description>The recommendations in this section are designed to
-ensure that the system's features to protect against potentially
-dangerous program execution are activated.
-These protections are applied at the system initialization or
-kernel level, and defend against certain types of badly-configured
-or compromised programs.</xccdf-1.2:description>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_sysctl_kernel_unprivileged_bpf_disabled_value" type="number">
-              <xccdf-1.2:title>kernel.unprivileged_bpf_disabled</xccdf-1.2:title>
-              <xccdf-1.2:description>Prevent unprivileged processes from using the bpf() syscall.</xccdf-1.2:description>
-              <xccdf-1.2:value>2</xccdf-1.2:value>
-              <xccdf-1.2:value selector="1">1</xccdf-1.2:value>
-              <xccdf-1.2:value selector="2">2</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kernel_module_uvcvideo_disabled" severity="medium">
-              <xccdf-1.2:title>Disable the uvcvideo module</xccdf-1.2:title>
-              <xccdf-1.2:description>If the device contains a camera it should be covered or disabled when not in use.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000381</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7 (a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7 (5) (b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000095-GPOS-00049</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000370-GPOS-00155</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Failing to disconnect from collaborative computing devices (i.e., cameras) can result in subsequent compromises of organizational information.
-Providing easy methods to physically disconnect from such devices after a collaborative computing session helps to ensure participants actually carry out the disconnect activity without having to go through complex and tedious procedures.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="kernel_module_uvcvideo_disabled" complexity="low" disruption="medium" reboot="true" strategy="disable">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,install%20uvcvideo%20/bin/true%0Ablacklist%20uvcvideo%0A
-        mode: 0644
-        path: /etc/modprobe.d/75-kernel_module_uvcvideo_disabled.conf
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-kernel_module_uvcvideo_disabled:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-kernel_module_uvcvideo_disabled_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sysctl_kernel_core_pattern" severity="medium">
-              <xccdf-1.2:title>Disable storing core dumps</xccdf-1.2:title>
-              <xccdf-1.2:description>To set the runtime status of the <html:code>kernel.core_pattern</html:code> kernel parameter, run the following command: <html:pre>$ sudo sysctl -w kernel.core_pattern=|/bin/false</html:pre>
-To make sure that the setting is persistent, add the following line to a file in the directory <html:code>/etc/sysctl.d</html:code>: <html:pre>kernel.core_pattern = |/bin/false</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(10)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>A core dump includes a memory image taken at the time the operating system
-terminates an application. The memory image could contain sensitive data and is generally useful
-only for developers trying to debug problems.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:conflicts idref="xccdf_org.ssgproject.content_rule_sysctl_kernel_core_pattern_empty_string"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82527-3</xccdf-1.2:ident>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="sysctl_kernel_core_pattern">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,kernel.core_pattern%20%3D%20%7C/bin/false%0A
-        mode: 0644
-        path: /etc/sysctl.d/75-sysctl_kernel_core_pattern.conf
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sysctl_kernel_core_pattern:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sysctl_kernel_core_pattern_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sysctl_kernel_core_pattern_empty_string" severity="medium">
-              <xccdf-1.2:title>Disable storing core dumps</xccdf-1.2:title>
-              <xccdf-1.2:description>The <html:code>kernel.core_pattern</html:code> option specifies the core dumpfile pattern
-name. It can be set to an empty string <html:code>''</html:code>. In this case, the kernel
-behaves differently based on another related option. If
-<html:code>kernel.core_uses_pid</html:code> is set to <html:code>1</html:code>, then a file named as
-<html:code>.PID</html:code> (where <html:code>PID</html:code> is process ID of the crashed process) is
-created in the working directory. If <html:code>kernel.core_uses_pid</html:code> is set to
-<html:code>0</html:code>, no coredump is saved.
-To set the runtime status of the <html:code>kernel.core_pattern</html:code> kernel parameter,
-run the following command:
-<html:pre>$ sudo sysctl -w kernel.core_pattern=''</html:pre>
-
-To make sure that the setting is persistent,
-add the following line to a file in the directory <html:code>/etc/sysctl.d</html:code>:
-<html:pre>kernel.core_pattern = ''</html:pre>'</xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>A core dump includes a memory image taken at the time the operating system
-terminates an application. The memory image could contain sensitive data and is generally useful
-only for developers trying to debug problems.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:requires idref="xccdf_org.ssgproject.content_rule_sysctl_kernel_core_uses_pid"/>
-              <xccdf-1.2:conflicts idref="xccdf_org.ssgproject.content_rule_sysctl_kernel_core_pattern"/>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sysctl_kernel_core_pattern_empty_string:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sysctl_kernel_core_pattern_empty_string_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sysctl_kernel_core_uses_pid" severity="medium">
-              <xccdf-1.2:title>Configure file name of core dumps</xccdf-1.2:title>
-              <xccdf-1.2:description>To set the runtime status of the <html:code>kernel.core_uses_pid</html:code> kernel parameter, run the following command: <html:pre>$ sudo sysctl -w kernel.core_uses_pid=0</html:pre>
-To make sure that the setting is persistent, add the following line to a file in the directory <html:code>/etc/sysctl.d</html:code>: <html:pre>kernel.core_uses_pid = 0</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>The default coredump filename is <html:code>core</html:code>. By setting
-<html:code>core_uses_pid</html:code> to <html:code>1</html:code>, the coredump filename becomes
-<html:code>core.PID</html:code>. If <html:code>core_pattern</html:code> does not include
-<html:code>%p</html:code> (default does not) and <html:code>core_uses_pid</html:code> is set, then
-<html:code>.PID</html:code> will be appended to the filename.
-When combined with <html:code>kernel.core_pattern = ""</html:code> configuration, it
-is ensured that no core dumps are generated and also no confusing error
-messages are printed by a shell.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sysctl_kernel_core_uses_pid:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sysctl_kernel_core_uses_pid_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict" severity="low">
-              <xccdf-1.2:title>Restrict Access to Kernel Message Buffer</xccdf-1.2:title>
-              <xccdf-1.2:description>To set the runtime status of the <html:code>kernel.dmesg_restrict</html:code> kernel parameter, run the following command: <html:pre>$ sudo sysctl -w kernel.dmesg_restrict=1</html:pre>
-To make sure that the setting is persistent, add the following line to a file in the directory <html:code>/etc/sysctl.d</html:code>: <html:pre>kernel.dmesg_restrict = 1</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R23)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001090</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001314</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-11(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-11(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000132-GPOS-00067</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000138-GPOS-00069</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Unprivileged access to the kernel syslog can expose sensitive kernel
-address information.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82499-5</xccdf-1.2:ident>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="sysctl_kernel_dmesg_restrict">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,kernel.dmesg_restrict%3D1%0A
-        mode: 0644
-        path: /etc/sysctl.d/75-sysctl_kernel_dmesg_restrict.conf
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sysctl_kernel_dmesg_restrict:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sysctl_kernel_dmesg_restrict_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sysctl_kernel_kexec_load_disabled" severity="medium">
-              <xccdf-1.2:title>Disable Kernel Image Loading</xccdf-1.2:title>
-              <xccdf-1.2:description>To set the runtime status of the <html:code>kernel.kexec_load_disabled</html:code> kernel parameter, run the following command: <html:pre>$ sudo sysctl -w kernel.kexec_load_disabled=1</html:pre>
-To make sure that the setting is persistent, add the following line to a file in the directory <html:code>/etc/sysctl.d</html:code>: <html:pre>kernel.kexec_load_disabled = 1</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001749</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000366-GPOS-00153</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Disabling kexec_load allows greater control of the kernel memory.
-It makes it impossible to load another kernel image after it has been disabled.
-</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82500-0</xccdf-1.2:ident>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="sysctl_kernel_kexec_load_disabled">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,kernel.kexec_load_disabled%3D1%0A
-        mode: 0644
-        path: /etc/sysctl.d/75-sysctl_kernel_kexec_load_disabled.conf
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sysctl_kernel_kexec_load_disabled:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sysctl_kernel_kexec_load_disabled_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sysctl_kernel_panic_on_oops" severity="medium">
-              <xccdf-1.2:title>Kernel panic on oops</xccdf-1.2:title>
-              <xccdf-1.2:description>To set the runtime status of the <html:code>kernel.panic_on_oops</html:code> kernel parameter, run the following command: <html:pre>$ sudo sysctl -w kernel.panic_on_oops=1</html:pre>
-To make sure that the setting is persistent, add the following line to a file in the directory <html:code>/etc/sysctl.d</html:code>: <html:pre>kernel.panic_on_oops = 1</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:warning category="functionality">The system may start to panic when it normally wouldn't. A non-catastrophic error that
-would have allowed the system to continue operating will now result in a panic.</xccdf-1.2:warning>
-              <xccdf-1.2:rationale>An attacker trying to exploit the kernel may trigger kernel OOPSes,
-panicking the system will impede them from continuing.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sysctl_kernel_panic_on_oops:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sysctl_kernel_panic_on_oops_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sysctl_kernel_perf_event_paranoid" severity="low">
-              <xccdf-1.2:title>Disallow kernel profiling by unprivileged users</xccdf-1.2:title>
-              <xccdf-1.2:description>To set the runtime status of the <html:code>kernel.perf_event_paranoid</html:code> kernel parameter, run the following command: <html:pre>$ sudo sysctl -w kernel.perf_event_paranoid=2</html:pre>
-To make sure that the setting is persistent, add the following line to a file in the directory <html:code>/etc/sysctl.d</html:code>: <html:pre>kernel.perf_event_paranoid = 2</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R23)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001090</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000132-GPOS-00067</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000138-GPOS-00069</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Kernel profiling can reveal sensitive information about kernel behaviour.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82502-6</xccdf-1.2:ident>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="sysctl_kernel_perf_event_paranoid">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,kernel.perf_event_paranoid%3D2%0A
-        mode: 0644
-        path: /etc/sysctl.d/75-sysctl_kernel_perf_event_paranoid.conf
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sysctl_kernel_perf_event_paranoid:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sysctl_kernel_perf_event_paranoid_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sysctl_kernel_unprivileged_bpf_disabled" severity="medium">
-              <xccdf-1.2:title>Disable Access to Network bpf() Syscall From Unprivileged Processes</xccdf-1.2:title>
-              <xccdf-1.2:description>To set the runtime status of the <html:code>kernel.unprivileged_bpf_disabled</html:code> kernel parameter, run the following command: <html:pre>$ sudo sysctl -w kernel.unprivileged_bpf_disabled=1</html:pre>
-To make sure that the setting is persistent, add the following line to a file in the directory <html:code>/etc/sysctl.d</html:code>: <html:pre>kernel.unprivileged_bpf_disabled = 1</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(10)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000132-GPOS-00067</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Loading and accessing the packet filters programs and maps using the bpf()
-syscall has the potential of revealing sensitive information about the kernel state.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82504-2</xccdf-1.2:ident>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="sysctl_kernel_unprivileged_bpf_disabled">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,kernel.unprivileged_bpf_disabled%3D1%0A
-        mode: 0644
-        path: /etc/sysctl.d/75-sysctl_kernel_unprivileged_bpf_disabled.conf
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sysctl_kernel_unprivileged_bpf_disabled:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sysctl_kernel_unprivileged_bpf_disabled_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sysctl_kernel_yama_ptrace_scope" severity="medium">
-              <xccdf-1.2:title>Restrict usage of ptrace to descendant processes</xccdf-1.2:title>
-              <xccdf-1.2:description>To set the runtime status of the <html:code>kernel.yama.ptrace_scope</html:code> kernel parameter, run the following command: <html:pre>$ sudo sysctl -w kernel.yama.ptrace_scope=1</html:pre>
-To make sure that the setting is persistent, add the following line to a file in the directory <html:code>/etc/sysctl.d</html:code>: <html:pre>kernel.yama.ptrace_scope = 1</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R25)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(10)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000132-GPOS-00067</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Unrestricted usage of ptrace allows compromised binaries to run ptrace
-on another processes of the user. Like this, the attacker can steal
-sensitive information from the target processes (e.g. SSH sessions, web browser, ...)
-without any additional assistance from the user (i.e. without resorting to phishing).
-</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82501-8</xccdf-1.2:ident>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="sysctl_kernel_yama_ptrace_scope">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,kernel.yama.ptrace_scope%3D1%0A
-        mode: 0644
-        path: /etc/sysctl.d/75-sysctl_kernel_yama_ptrace_scope.conf
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sysctl_kernel_yama_ptrace_scope:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sysctl_kernel_yama_ptrace_scope_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sysctl_net_core_bpf_jit_harden" severity="medium">
-              <xccdf-1.2:title>Harden the operation of the BPF just-in-time compiler</xccdf-1.2:title>
-              <xccdf-1.2:description>To set the runtime status of the <html:code>net.core.bpf_jit_harden</html:code> kernel parameter, run the following command: <html:pre>$ sudo sysctl -w net.core.bpf_jit_harden=2</html:pre>
-To make sure that the setting is persistent, add the following line to a file in the directory <html:code>/etc/sysctl.d</html:code>: <html:pre>net.core.bpf_jit_harden = 2</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(10)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>When hardened, the extended Berkeley Packet Filter just-in-time compiler
-will randomize any kernel addresses in the BPF programs and maps,
-and will not expose the JIT addresses in <html:code>/proc/kallsyms</html:code>.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82505-9</xccdf-1.2:ident>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="sysctl_net_core_bpf_jit_harden">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,net.core.bpf_jit_harden%3D2%0A
-        mode: 0644
-        path: /etc/sysctl.d/75-sysctl_net_core_bpf_jit_harden.conf
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sysctl_net_core_bpf_jit_harden:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sysctl_net_core_bpf_jit_harden_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sysctl_user_max_user_namespaces" severity="medium">
-              <xccdf-1.2:title>Disable the use of user namespaces</xccdf-1.2:title>
-              <xccdf-1.2:description>To set the runtime status of the <html:code>user.max_user_namespaces</html:code> kernel parameter,
-run the following command:
-<html:pre>$ sudo sysctl -w user.max_user_namespaces=0</html:pre>
-
-To make sure that the setting is persistent,
-add the following line to a file in the directory <html:code>/etc/sysctl.d</html:code>:
-<html:pre>user.max_user_namespaces = 0</html:pre>
-When containers are deployed on the machine, the value should be set
-to large non-zero value.</xccdf-1.2:description>
-              <xccdf-1.2:warning category="general">This configuration baseline was created to deploy the base operating system for general purpose
-workloads. When the operating system is configured for certain purposes, such as to host Linux Containers,
-it is expected that <html:code>user.max_user_namespaces</html:code> will be enabled.</xccdf-1.2:warning>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-39</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or system objectives.
-These unnecessary capabilities or services are often overlooked and therefore may remain unsecured.
-They increase the risk to the platform by providing additional attack vectors.
-User namespaces are used primarily for Linux containers. The value 0
-disallows the use of user namespaces.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82503-4</xccdf-1.2:ident>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="sysctl_user_max_user_namespaces">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,user.max_user_namespaces%20%3D%200%0A
-        mode: 0644
-        path: /etc/sysctl.d/75-sysctl_user_max_user_namespaces.conf
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sysctl_user_max_user_namespaces:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sysctl_user_max_user_namespaces_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_coredumps">
-              <xccdf-1.2:title>Disable Core Dumps</xccdf-1.2:title>
-              <xccdf-1.2:description>A core dump file is the memory image of an executable
-program when it was terminated by the operating system due to
-errant behavior. In most cases, only software developers
-legitimately need to access these files. The core dump files may
-also contain sensitive information, or unnecessarily occupy large
-amounts of disk space.
-<html:br/><html:br/>
-Once a hard limit is set in <html:code>/etc/security/limits.conf</html:code>, or
-to a file within the <html:code>/etc/security/limits.d/</html:code> directory, a
-user cannot increase that limit within his or her own session. If access
-to core dumps is required, consider restricting them to only
-certain users or groups. See the <html:code>limits.conf</html:code> man page for more
-information.
-<html:br/><html:br/>
-The core dumps of setuid programs are further protected. The
-<html:code>sysctl</html:code> variable <html:code>fs.suid_dumpable</html:code> controls whether
-the kernel allows core dumps from these programs at all. The default
-value of 0 is recommended.</xccdf-1.2:description>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_service_systemd-coredump_disabled" severity="medium">
-                <xccdf-1.2:title>Disable acquiring, saving, and processing core dumps</xccdf-1.2:title>
-                <xccdf-1.2:description>The <html:code>systemd-coredump.socket</html:code> unit is a socket activation of
-the <html:code>systemd-coredump@.service</html:code> which processes core dumps.
-By masking the unit, core dump processing is disabled.</xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(10)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>A core dump includes a memory image taken at the time the operating system
-terminates an application. The memory image could contain sensitive data
-and is generally useful only for developers trying to debug problems.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#machine"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82530-7</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:ignition" id="service_systemd-coredump_disabled" complexity="low" disruption="medium" reboot="true" strategy="disable">apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-      - name: systemd-coredump.service
-        enabled: false
-        mask: true
-      - name: systemd-coredump.socket
-        enabled: false
-        mask: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="service_systemd-coredump_disabled" complexity="low" disruption="medium" reboot="true" strategy="disable">apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-      - name: systemd-coredump.service
-        enabled: false
-        mask: true
-      - name: systemd-coredump.socket
-        enabled: false
-        mask: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-service_systemd-coredump_disabled:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-service_systemd-coredump_disabled_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_coredump_disable_backtraces" severity="medium">
-                <xccdf-1.2:title>Disable core dump backtraces</xccdf-1.2:title>
-                <xccdf-1.2:description>The <html:code>ProcessSizeMax</html:code> option in <html:code>[Coredump]</html:code> section
-of <html:code>/etc/systemd/coredump.conf</html:code>
-specifies the maximum size in bytes of a core which will be processed.
-Core dumps exceeding this size may be stored, but the backtrace will not
-be generated.</xccdf-1.2:description>
-                <xccdf-1.2:warning category="general">If the <html:code>/etc/systemd/coredump.conf</html:code> file
-does not already contain the <html:code>[Coredump]</html:code> section,
-the value will not be configured correctly.</xccdf-1.2:warning>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>A core dump includes a memory image taken at the time the operating system
-terminates an application. The memory image could contain sensitive data
-and is generally useful only for developers or system operators trying to
-debug problems.
-
-Enabling core dumps on production systems is not recommended,
-however there may be overriding operational requirements to enable advanced
-debuging. Permitting temporary enablement of core dumps during such situations
-should be reviewed through local needs and policy.</xccdf-1.2:rationale>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82529-9</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="coredump_disable_backtraces">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20%20This%20file%20is%20part%20of%20systemd.%0A%23%0A%23%20%20systemd%20is%20free%20software%3B%20you%20can%20redistribute%20it%20and/or%20modify%20it%0A%23%20%20under%20the%20terms%20of%20the%20GNU%20Lesser%20General%20Public%20License%20as%20published%20by%0A%23%20%20the%20Free%20Software%20Foundation%3B%20either%20version%202.1%20of%20the%20License%2C%20or%0A%23%20%20%28at%20your%20option%29%20any%20later%20version.%0A%23%0A%23%20Entries%20in%20this%20file%20show%20the%20compile%20time%20defaults.%0A%23%20You%20can%20change%20settings%20by%20editing%20this%20file.%0A%23%20Defaults%20can%20be%20restored%20by%20simply%20deleting%20this%20file.%0A%23%0A%23%20See%20coredump.conf%285%29%20for%20details.%0A%0A%5BCoredump%5D%0A%23Storage%3Dexternal%0A%23Compress%3Dyes%0A%23ProcessSizeMax%3D2G%0A%23ExternalSizeMax%3D2G%0A%23JournalSizeMax%3D767M%0A%23MaxUse%3D%0A%23KeepFree%3D%0AStorage%3Dnone%0AProcessSizeMax%3D0%0A
-        mode: 0644
-        path: /etc/systemd/coredump.conf
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-coredump_disable_backtraces:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-coredump_disable_backtraces_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_coredump_disable_storage" severity="medium">
-                <xccdf-1.2:title>Disable storing core dump</xccdf-1.2:title>
-                <xccdf-1.2:description>The <html:code>Storage</html:code> option in <html:code>[Coredump]</html:code> section
-of <html:code>/etc/systemd/coredump.conf</html:code>
-can be set to <html:code>none</html:code> to disable storing core dumps permanently.</xccdf-1.2:description>
-                <xccdf-1.2:warning category="general">If the <html:code>/etc/systemd/coredump.conf</html:code> file
-does not already contain the <html:code>[Coredump]</html:code> section,
-the value will not be configured correctly.</xccdf-1.2:warning>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>A core dump includes a memory image taken at the time the operating system
-terminates an application. The memory image could contain sensitive data
-and is generally useful only for developers or system operators trying to
-debug problems. Enabling core dumps on production systems is not recommended,
-however there may be overriding operational requirements to enable advanced
-debuging. Permitting temporary enablement of core dumps during such situations
-should be reviewed through local needs and policy.</xccdf-1.2:rationale>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82528-1</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="coredump_disable_storage">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%20%20This%20file%20is%20part%20of%20systemd.%0A%23%0A%23%20%20systemd%20is%20free%20software%3B%20you%20can%20redistribute%20it%20and/or%20modify%20it%0A%23%20%20under%20the%20terms%20of%20the%20GNU%20Lesser%20General%20Public%20License%20as%20published%20by%0A%23%20%20the%20Free%20Software%20Foundation%3B%20either%20version%202.1%20of%20the%20License%2C%20or%0A%23%20%20%28at%20your%20option%29%20any%20later%20version.%0A%23%0A%23%20Entries%20in%20this%20file%20show%20the%20compile%20time%20defaults.%0A%23%20You%20can%20change%20settings%20by%20editing%20this%20file.%0A%23%20Defaults%20can%20be%20restored%20by%20simply%20deleting%20this%20file.%0A%23%0A%23%20See%20coredump.conf%285%29%20for%20details.%0A%0A%5BCoredump%5D%0A%23Storage%3Dexternal%0A%23Compress%3Dyes%0A%23ProcessSizeMax%3D2G%0A%23ExternalSizeMax%3D2G%0A%23JournalSizeMax%3D767M%0A%23MaxUse%3D%0A%23KeepFree%3D%0AStorage%3Dnone%0AProcessSizeMax%3D0%0A
-        mode: 0644
-        path: /etc/systemd/coredump.conf
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-coredump_disable_storage:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-coredump_disable_storage_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_disable_users_coredumps" severity="medium">
-                <xccdf-1.2:title>Disable Core Dumps for All Users</xccdf-1.2:title>
-                <xccdf-1.2:description>To disable core dumps for all users, add the following line to
-<html:code>/etc/security/limits.conf</html:code>, or to a file within the
-<html:code>/etc/security/limits.d/</html:code> directory:
-<html:pre>*     hard   core    0</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI04.04</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.17.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(10)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>A core dump includes a memory image taken at the time the operating system
-terminates an application. The memory image could contain sensitive data and is generally useful
-only for developers trying to debug problems.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#pam"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82526-5</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="disable_users_coredumps">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%2A%20%20%20%20%20hard%20%20%20core%20%20%20%200
-        mode: 0644
-        path: /etc/security/limits.d/75-disable_users_coredumps.conf
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-disable_users_coredumps:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-disable_users_coredumps_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sysctl_fs_suid_dumpable" severity="medium">
-                <xccdf-1.2:title>Disable Core Dumps for SUID programs</xccdf-1.2:title>
-                <xccdf-1.2:description>To set the runtime status of the <html:code>fs.suid_dumpable</html:code> kernel parameter, run the following command: <html:pre>$ sudo sysctl -w fs.suid_dumpable=0</html:pre>
-To make sure that the setting is persistent, add the following line to a file in the directory <html:code>/etc/sysctl.d</html:code>: <html:pre>fs.suid_dumpable = 0</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R23)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-11(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-11(b)</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>The core dump of a setuid program is more likely to contain
-sensitive data, as the program itself runs with greater privileges than the
-user who initiated execution of the program.  Disabling the ability for any
-setuid program to write a core file decreases the risk of unauthorized access
-of such data.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#machine"/>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sysctl_fs_suid_dumpable:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sysctl_fs_suid_dumpable_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-            </xccdf-1.2:Group>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_daemon_umask">
-              <xccdf-1.2:title>Daemon Umask</xccdf-1.2:title>
-              <xccdf-1.2:description>The umask is a per-process setting which limits
-the default permissions for creation of new files and directories.
-The system includes initialization scripts which set the default umask
-for system daemons.</xccdf-1.2:description>
-              <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_umask_for_daemons" type="string">
-                <xccdf-1.2:title>daemon umask</xccdf-1.2:title>
-                <xccdf-1.2:description>Enter umask for daemons</xccdf-1.2:description>
-                <xccdf-1.2:value selector="022">022</xccdf-1.2:value>
-                <xccdf-1.2:value selector="027">027</xccdf-1.2:value>
-                <xccdf-1.2:value>022</xccdf-1.2:value>
-              </xccdf-1.2:Value>
-            </xccdf-1.2:Group>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_enable_execshield_settings">
-              <xccdf-1.2:title>Enable ExecShield</xccdf-1.2:title>
-              <xccdf-1.2:description>ExecShield describes kernel features that provide
-protection against exploitation of memory corruption errors such as buffer
-overflows. These features include random placement of the stack and other
-memory regions, prevention of execution in memory that should only hold data,
-and special handling of text buffers. These protections are enabled by default
-on 32-bit systems and controlled through <html:code>sysctl</html:code> variables 
-<html:code>kernel.exec-shield</html:code> and <html:code>kernel.randomize_va_space</html:code>. On the latest
-64-bit systems, <html:code>kernel.exec-shield</html:code> cannot be enabled or disabled with 
-<html:code>sysctl</html:code>.</xccdf-1.2:description>
-              <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_sysctl_kernel_kptr_restrict_value" type="number">
-                <xccdf-1.2:title>kernel.kptr_restrict</xccdf-1.2:title>
-                <xccdf-1.2:description>Configure exposition of kernel pointer addresses </xccdf-1.2:description>
-                <xccdf-1.2:value>1</xccdf-1.2:value>
-                <xccdf-1.2:value selector="1">1</xccdf-1.2:value>
-                <xccdf-1.2:value selector="2">2</xccdf-1.2:value>
-              </xccdf-1.2:Value>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict" severity="medium">
-                <xccdf-1.2:title>Restrict Exposed Kernel Pointer Addresses Access</xccdf-1.2:title>
-                <xccdf-1.2:description>To set the runtime status of the <html:code>kernel.kptr_restrict</html:code> kernel parameter, run the following command: <html:pre>$ sudo sysctl -w kernel.kptr_restrict=<xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_sysctl_kernel_kptr_restrict_value" use="legacy"/></html:pre>
-To make sure that the setting is persistent, add the following line to a file in the directory <html:code>/etc/sysctl.d</html:code>: <html:pre>kernel.kptr_restrict = <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_sysctl_kernel_kptr_restrict_value" use="legacy"/></html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R23)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002824</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-002-5 R1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-002-5 R1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-005-6 R1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-005-6 R1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-005-6 R1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R8.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-009-6 R.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-009-6 R4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-30</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-30(2)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-30(5)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000132-GPOS-00067</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000433-GPOS-00192</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Exposing kernel pointers (through procfs or <html:code>seq_printf()</html:code>) exposes kernel
-writeable structures which may contain functions pointers. If a write vulnerability
-occurs in the kernel, allowing write access to any of this structure, the kernel can
-be compromised. This option disallow any program without the CAP_SYSLOG capability
-to get the addresses of kernel pointers by replacing them with 0.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#machine"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82498-7</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="sysctl_kernel_kptr_restrict">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,kernel.kptr_restrict%3D1%0A
-        mode: 0644
-        path: /etc/sysctl.d/75-sysctl_kernel_kptr_restrict.conf
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-export export-name="oval:ssg-sysctl_kernel_kptr_restrict_value:var:1" value-id="xccdf_org.ssgproject.content_value_sysctl_kernel_kptr_restrict_value"/>
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sysctl_kernel_kptr_restrict:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sysctl_kernel_kptr_restrict_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space" severity="medium">
-                <xccdf-1.2:title>Enable Randomized Layout of Virtual Address Space</xccdf-1.2:title>
-                <xccdf-1.2:description>To set the runtime status of the <html:code>kernel.randomize_va_space</html:code> kernel parameter, run the following command: <html:pre>$ sudo sysctl -w kernel.randomize_va_space=2</html:pre>
-To make sure that the setting is persistent, add the following line to a file in the directory <html:code>/etc/sysctl.d</html:code>: <html:pre>kernel.randomize_va_space = 2</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R23)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.7</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002824</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-002-5 R1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-002-5 R1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 4.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 4.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-005-6 R1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-005-6 R1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-005-6 R1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R3.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2.3</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R8.4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-009-6 R.1.1</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-009-6 R4</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-30</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-30(2)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000433-GPOS-00193</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Address space layout randomization (ASLR) makes it more difficult for an
-attacker to predict the location of attack code they have introduced into a
-process's address space during an attempt at exploitation. Additionally,
-ASLR makes it more difficult for an attacker to know the location of
-existing code in order to re-purpose it using return oriented programming
-(ROP) techniques.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#machine"/>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="sysctl_kernel_randomize_va_space">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,kernel.randomize_va_space%3D2%0A
-        mode: 0644
-        path: /etc/sysctl.d/75-sysctl_kernel_randomize_va_space.conf
-        overwrite: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sysctl_kernel_randomize_va_space:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sysctl_kernel_randomize_va_space_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-            </xccdf-1.2:Group>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_enable_nx">
-              <xccdf-1.2:title>Enable Execute Disable (XD) or No Execute (NX) Support on
-x86 Systems</xccdf-1.2:title>
-              <xccdf-1.2:description>Recent processors in the x86 family support the
-ability to prevent code execution on a per memory page basis.
-Generically and on AMD processors, this ability is called No
-Execute (NX), while on Intel processors it is called Execute
-Disable (XD). This ability can help prevent exploitation of buffer
-overflow vulnerabilities and should be activated whenever possible.
-Extra steps must be taken to ensure that this protection is
-enabled, particularly on 32-bit x86 systems. Other processors, such
-as Itanium and POWER, have included such support since inception
-and the standard kernel for those platforms supports the
-feature. This is enabled by default on the latest Red Hat and 
-Fedora systems if supported by the hardware.</xccdf-1.2:description>
-            </xccdf-1.2:Group>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_poisoning">
-              <xccdf-1.2:title>Memory Poisoning</xccdf-1.2:title>
-              <xccdf-1.2:description>Memory Poisoning consists of writing a special value to uninitialized or freed memory.
-Poisoning can be used as a mechanism to prevent leak of information and detection of
-corrupted memory.</xccdf-1.2:description>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_slub_debug_options" type="string" interactive="true">
-                <xccdf-1.2:title>slub_debug - debug options</xccdf-1.2:title>
-                <xccdf-1.2:description>Defines the debug options to use in <html:code>slub_debug</html:code> kernel command line argument.</xccdf-1.2:description>
-                <xccdf-1.2:value>P</xccdf-1.2:value>
-                <xccdf-1.2:value selector="F">F</xccdf-1.2:value>
-                <xccdf-1.2:value selector="Z">Z</xccdf-1.2:value>
-                <xccdf-1.2:value selector="P">P</xccdf-1.2:value>
-                <xccdf-1.2:value selector="FZ">FZ</xccdf-1.2:value>
-                <xccdf-1.2:value selector="FZP">FZP</xccdf-1.2:value>
-              </xccdf-1.2:Value>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_coreos_page_poison_kernel_argument" severity="medium">
-                <xccdf-1.2:title>Enable page allocator poisoning</xccdf-1.2:title>
-                <xccdf-1.2:description>To enable poisoning of free pages, add the argument <html:code>page_poison=1</html:code> to all
-BLS (Boot Loader Specification) entries ('options' line) for the Linux
-operating system in <html:code>/boot/loader/entries/*.conf</html:code>.</xccdf-1.2:description>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Poisoning writes an arbitrary value to freed pages, so any modification or
-reference to that page after being freed or before being initialized will be
-detected and prevented.
-This prevents many types of use-after-free vulnerabilities at little performance cost.
-Also prevents leak of data and detection of corrupted memory.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#machine"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82673-5</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="coreos_page_poison_kernel_argument" complexity="low" disruption="medium" reboot="true" strategy="restrict">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-  kernelArguments:
-    - page_poison=1
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-coreos_page_poison_kernel_argument:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-coreos_page_poison_kernel_argument_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_coreos_slub_debug_kernel_argument" severity="medium">
-                <xccdf-1.2:title>Enable SLUB/SLAB allocator poisoning</xccdf-1.2:title>
-                <xccdf-1.2:description>To enable poisoning of SLUB/SLAB objects, add the argument <html:code>slub_debug=P</html:code> to all
-BLS (Boot Loader Specification) entries ('options' line) for the Linux
-operating system in <html:code>/boot/loader/entries/*.conf</html:code>.</xccdf-1.2:description>
-                <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-                <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000433-GPOS-00192</xccdf-1.2:reference>
-                <xccdf-1.2:rationale>Poisoning writes an arbitrary value to freed objects, so any modification or
-reference to that object after being freed or before being initialized will be
-detected and prevented.
-This prevents many types of use-after-free vulnerabilities at little performance cost.
-Also prevents leak of data and detection of corrupted memory.</xccdf-1.2:rationale>
-                <xccdf-1.2:platform idref="#machine"/>
-                <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82672-7</xccdf-1.2:ident>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="coreos_slub_debug_kernel_argument" complexity="low" disruption="medium" reboot="true" strategy="restrict">
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-  kernelArguments:
-    - slub_debug=P
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-coreos_slub_debug_kernel_argument:def:1"/>
-                </xccdf-1.2:check>
-                <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-coreos_slub_debug_kernel_argument_ocil:questionnaire:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-            </xccdf-1.2:Group>
-          </xccdf-1.2:Group>
-        </xccdf-1.2:Group>
-        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_selinux">
-          <xccdf-1.2:title>SELinux</xccdf-1.2:title>
-          <xccdf-1.2:description>SELinux is a feature of the Linux kernel which can be
-used to guard against misconfigured or compromised programs.
-SELinux enforces the idea that programs should be limited in what
-files they can access and what actions they can take.
-<html:br/><html:br/>
-The default SELinux policy, as configured on Red Hat Enterprise Linux CoreOS 4, has been
-sufficiently developed and debugged that it should be usable on
-almost any system with minimal configuration and a small
-amount of system administrator training. This policy prevents
-system services - including most of the common network-visible
-services such as mail servers, FTP servers, and DNS servers - from
-accessing files which those services have no valid reason to
-access. This action alone prevents a huge amount of possible damage
-from network attacks against services, from trojaned software, and
-so forth.
-<html:br/><html:br/>
-This guide recommends that SELinux be enabled using the
-default (targeted) policy on every Red Hat Enterprise Linux CoreOS 4 system, unless that
-system has unusual requirements which make a stronger policy
-appropriate.</xccdf-1.2:description>
-          <xccdf-1.2:platform idref="#machine"/>
-          <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_selinux_policy_name" type="string">
-            <xccdf-1.2:title>SELinux policy</xccdf-1.2:title>
-            <xccdf-1.2:description>Type of policy in use. Possible values are:
-<html:br/>targeted - Only targeted network daemons are protected.
-<html:br/>strict - Full SELinux protection.
-<html:br/>mls - Multiple levels of security</xccdf-1.2:description>
-            <xccdf-1.2:value>targeted</xccdf-1.2:value>
-            <xccdf-1.2:value selector="mls">mls</xccdf-1.2:value>
-            <xccdf-1.2:value selector="targeted">targeted</xccdf-1.2:value>
-          </xccdf-1.2:Value>
-          <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_selinux_state" type="string">
-            <xccdf-1.2:title>SELinux state</xccdf-1.2:title>
-            <xccdf-1.2:description>enforcing - SELinux security policy is enforced.
-<html:br/>permissive - SELinux prints warnings instead of enforcing.
-<html:br/>disabled - SELinux is fully disabled.</xccdf-1.2:description>
-            <xccdf-1.2:value>enforcing</xccdf-1.2:value>
-            <xccdf-1.2:value selector="disabled">disabled</xccdf-1.2:value>
-            <xccdf-1.2:value selector="enforcing">enforcing</xccdf-1.2:value>
-            <xccdf-1.2:value selector="permissive">permissive</xccdf-1.2:value>
-          </xccdf-1.2:Value>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_package_libselinux_installed" severity="high">
-            <xccdf-1.2:title>Install libselinux Package</xccdf-1.2:title>
-            <xccdf-1.2:description>The <html:code>libselinux</html:code> package can be installed with the following command:
-<html:pre/></xccdf-1.2:description>
-            <xccdf-1.2:rationale>Security-enhanced Linux is a feature of the Linux kernel and a number of utilities
-with enhanced security functionality designed to add mandatory access controls to Linux.
-
-The <html:code>libselinux</html:code> package contains the core library of the Security-enhanced Linux system.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-package_libselinux_installed:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-package_libselinux_installed_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_package_setroubleshoot-plugins_removed" severity="low">
-            <xccdf-1.2:title>Uninstall setroubleshoot-plugins Package</xccdf-1.2:title>
-            <xccdf-1.2:description>The SETroubleshoot plugins are used to analyze SELinux AVC data. The service provides information around configuration errors,
-unauthorized intrusions, and other potential errors.
-The <html:code>setroubleshoot-plugins</html:code> package can be removed with the following command:
-<html:pre/></xccdf-1.2:description>
-            <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R68)</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>The SETroubleshoot service is an unnecessary daemon to
-have running on a server.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84091-8</xccdf-1.2:ident>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-package_setroubleshoot-plugins_removed:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-package_setroubleshoot-plugins_removed_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_package_setroubleshoot-server_removed" severity="low">
-            <xccdf-1.2:title>Uninstall setroubleshoot-server Package</xccdf-1.2:title>
-            <xccdf-1.2:description>The SETroubleshoot service notifies desktop users of SELinux
-denials. The service provides information around configuration errors,
-unauthorized intrusions, and other potential errors.
-The <html:code>setroubleshoot-server</html:code> package can be removed with the following command:
-<html:pre/></xccdf-1.2:description>
-            <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R68)</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>The SETroubleshoot service is an unnecessary daemon to have
-running on a server.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-84093-4</xccdf-1.2:ident>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-package_setroubleshoot-server_removed:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-package_setroubleshoot-server_removed_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_coreos_enable_selinux_kernel_argument" severity="medium">
-            <xccdf-1.2:title>Ensure SELinux Not Disabled in the kernel arguments</xccdf-1.2:title>
-            <xccdf-1.2:description>SELinux can be disabled at boot time by disabling it via a kernel argument.
-Remove any instances of <html:code>selinux=0</html:code> from the kernel arguments in that
-file to prevent SELinux from being disabled at boot.</xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.05</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.03</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.7.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000022</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000032</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.3.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3(3)(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.AM-3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="">SRG-OS-000445-VMM-001780</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Disabling a major host protection feature, such as SELinux, at boot time prevents
-it from confining system services at boot time.  Further, it increases
-the chances that it will remain off during system operation.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83899-5</xccdf-1.2:ident>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-coreos_enable_selinux_kernel_argument:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-coreos_enable_selinux_kernel_argument_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_grub2_enable_selinux" severity="medium">
-            <xccdf-1.2:title>Ensure SELinux Not Disabled in /etc/default/grub</xccdf-1.2:title>
-            <xccdf-1.2:description>SELinux can be disabled at boot time by an argument in
-<html:code>/etc/default/grub</html:code>.
-Remove any instances of <html:code>selinux=0</html:code> from the kernel arguments in that
-file to prevent SELinux from being disabled at boot.</xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.05</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.03</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.7.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000022</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000032</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.3.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3(3)(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.AM-3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="">SRG-OS-000445-VMM-001780</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Disabling a major host protection feature, such as SELinux, at boot time prevents
-it from confining system services at boot time.  Further, it increases
-the chances that it will remain off during system operation.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82666-9</xccdf-1.2:ident>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-grub2_enable_selinux:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-grub2_enable_selinux_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_selinux_confinement_of_daemons" severity="medium">
-            <xccdf-1.2:title>Ensure No Daemons are Unconfined by SELinux</xccdf-1.2:title>
-            <xccdf-1.2:description>Daemons for which the SELinux policy does not contain rules will inherit the
-context of the parent process. Because daemons are launched during
-startup and descend from the <html:code>init</html:code> process, they inherit the <html:code>unconfined_service_t</html:code> context.
-<html:br/>
-<html:br/>
-To check for unconfined daemons, run the following command:
-<html:pre>$ sudo ps -eZ | grep "unconfined_service_t"</html:pre>
-It should produce no output in a well-configured system.</xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">Automatic remediation of this control is not available. Remediation
-can be achieved by amending SELinux policy or stopping the unconfined
-daemons as outlined above.</xccdf-1.2:warning>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.7.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3(3)(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Daemons which run with the <html:code>unconfined_service_t</html:code> context may cause AVC denials,
-or allow privileges that the daemon does not require.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82688-3</xccdf-1.2:ident>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-selinux_confinement_of_daemons:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-selinux_confinement_of_daemons_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_selinux_policytype" severity="medium">
-            <xccdf-1.2:title>Configure SELinux Policy</xccdf-1.2:title>
-            <xccdf-1.2:description>The SELinux <html:code>targeted</html:code> policy is appropriate for
-general-purpose desktops and servers, as well as systems in many other roles.
-To configure the system to use this policy, add or correct the following line
-in <html:code>/etc/selinux/config</html:code>:
-<html:pre>SELINUXTYPE=<xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_selinux_policy_name" use="legacy"/></html:pre>
-Other policies, such as <html:code>mls</html:code>, provide additional security labeling
-and greater confinement but are not compatible with many general-purpose
-use cases.</xccdf-1.2:description>
-            <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R66)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.05</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.03</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.7.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002165</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002696</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.3.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3(3)(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(21)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.AM-3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000445-GPOS-00199</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="">SRG-OS-000445-VMM-001780</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Setting the SELinux policy to <html:code>targeted</html:code> or a more specialized policy
-ensures the system will confine processes that are likely to be
-targeted for exploitation, such as network or system services.
-<html:br/><html:br/>
-Note: During the development or debugging of SELinux modules, it is common to
-temporarily place non-production systems in <html:code>permissive</html:code> mode. In such
-temporary cases, SELinux policies should be developed, and once work
-is completed, the system should be reconfigured to
-<html:code><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_selinux_policy_name" use="legacy"/></html:code>.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82532-3</xccdf-1.2:ident>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-export export-name="oval:ssg-var_selinux_policy_name:var:1" value-id="xccdf_org.ssgproject.content_value_var_selinux_policy_name"/>
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-selinux_policytype:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-selinux_policytype_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_selinux_state" severity="medium">
-            <xccdf-1.2:title>Ensure SELinux State is Enforcing</xccdf-1.2:title>
-            <xccdf-1.2:description>The SELinux state should be set to <html:code><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_selinux_state" use="legacy"/></html:code> at
-system boot time.  In the file <html:code>/etc/selinux/config</html:code>, add or correct the
-following line to configure the system to boot into enforcing mode:
-<html:pre>SELINUX=<xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_selinux_state" use="legacy"/></html:pre></xccdf-1.2:description>
-            <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R4)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R66)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.05</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.03</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.7.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001084</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002165</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002696</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(1)(ii)(D)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(3)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(c)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.2.3.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.3.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R3.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R6.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3(3)(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-7(21)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">ID.AM-3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000445-GPOS-00199</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000134-GPOS-00068</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="">SRG-OS-000445-VMM-001780</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Setting the SELinux state to enforcing ensures SELinux is able to confine
-potentially compromised processes to the security policy, which is designed to
-prevent them from causing damage to the system or further elevating their
-privileges.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82531-5</xccdf-1.2:ident>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-export export-name="oval:ssg-var_selinux_state:var:1" value-id="xccdf_org.ssgproject.content_value_var_selinux_state"/>
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-selinux_state:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-selinux_state_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_selinux-booleans">
-            <xccdf-1.2:title>SELinux - Booleans</xccdf-1.2:title>
-            <xccdf-1.2:description>Enable or Disable runtime customization of SELinux system policies
-without having to reload or recompile the SELinux policy.</xccdf-1.2:description>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_abrt_anon_write" type="boolean">
-              <xccdf-1.2:title>abrt_anon_write SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_abrt_handle_event" type="boolean">
-              <xccdf-1.2:title>abrt_handle_event SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_abrt_upload_watch_anon_write" type="boolean">
-              <xccdf-1.2:title>abrt_upload_watch_anon_write SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>true</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_antivirus_can_scan_system" type="boolean">
-              <xccdf-1.2:title>antivirus_can_scan_system SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_antivirus_use_jit" type="boolean">
-              <xccdf-1.2:title>antivirus_use_jit SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_auditadm_exec_content" type="boolean">
-              <xccdf-1.2:title>auditadm_exec_content SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>true</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_authlogin_nsswitch_use_ldap" type="boolean">
-              <xccdf-1.2:title>authlogin_nsswitch_use_ldap SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_authlogin_radius" type="boolean">
-              <xccdf-1.2:title>authlogin_radius SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_authlogin_yubikey" type="boolean">
-              <xccdf-1.2:title>authlogin_yubikey SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_awstats_purge_apache_log_files" type="boolean">
-              <xccdf-1.2:title>awstats_purge_apache_log_files SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_boinc_execmem" type="boolean">
-              <xccdf-1.2:title>boinc_execmem SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>true</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_cdrecord_read_content" type="boolean">
-              <xccdf-1.2:title>cdrecord_read_content SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_cluster_can_network_connect" type="boolean">
-              <xccdf-1.2:title>cluster_can_network_connect SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_cluster_manage_all_files" type="boolean">
-              <xccdf-1.2:title>cluster_manage_all_files SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_cluster_use_execmem" type="boolean">
-              <xccdf-1.2:title>cluster_use_execmem SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_cobbler_anon_write" type="boolean">
-              <xccdf-1.2:title>cobbler_anon_write SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_cobbler_can_network_connect" type="boolean">
-              <xccdf-1.2:title>cobbler_can_network_connect SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_cobbler_use_cifs" type="boolean">
-              <xccdf-1.2:title>cobbler_use_cifs SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_cobbler_use_nfs" type="boolean">
-              <xccdf-1.2:title>cobbler_use_nfs SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_collectd_tcp_network_connect" type="boolean">
-              <xccdf-1.2:title>collectd_tcp_network_connect SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_condor_tcp_network_connect" type="boolean">
-              <xccdf-1.2:title>condor_tcp_network_connect SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_conman_can_network" type="boolean">
-              <xccdf-1.2:title>conman_can_network SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_container_connect_any" type="boolean">
-              <xccdf-1.2:title>container_connect_any SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_cron_can_relabel" type="boolean">
-              <xccdf-1.2:title>cron_can_relabel SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_cron_system_cronjob_use_shares" type="boolean">
-              <xccdf-1.2:title>cron_system_cronjob_use_shares SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_cron_userdomain_transition" type="boolean">
-              <xccdf-1.2:title>cron_userdomain_transition SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>true</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_cups_execmem" type="boolean">
-              <xccdf-1.2:title>cups_execmem SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_cvs_read_shadow" type="boolean">
-              <xccdf-1.2:title>cvs_read_shadow SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_daemons_dump_core" type="boolean">
-              <xccdf-1.2:title>daemons_dump_core SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_daemons_enable_cluster_mode" type="boolean">
-              <xccdf-1.2:title>daemons_enable_cluster_mode SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_daemons_use_tcp_wrapper" type="boolean">
-              <xccdf-1.2:title>daemons_use_tcp_wrapper SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_daemons_use_tty" type="boolean">
-              <xccdf-1.2:title>daemons_use_tty SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_dbadm_exec_content" type="boolean">
-              <xccdf-1.2:title>dbadm_exec_content SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>true</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_dbadm_manage_user_files" type="boolean">
-              <xccdf-1.2:title>dbadm_manage_user_files SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_dbadm_read_user_files" type="boolean">
-              <xccdf-1.2:title>dbadm_read_user_files SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_deny_execmem" type="boolean">
-              <xccdf-1.2:title>deny_execmem SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_deny_ptrace" type="boolean">
-              <xccdf-1.2:title>deny_ptrace SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_dhcpc_exec_iptables" type="boolean">
-              <xccdf-1.2:title>dhcpc_exec_iptables SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_dhcpd_use_ldap" type="boolean">
-              <xccdf-1.2:title>dhcpd_use_ldap SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_domain_fd_use" type="boolean">
-              <xccdf-1.2:title>domain_fd_use SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>true</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_domain_kernel_load_modules" type="boolean">
-              <xccdf-1.2:title>domain_kernel_load_modules SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_entropyd_use_audio" type="boolean">
-              <xccdf-1.2:title>entropyd_use_audio SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>true</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_exim_can_connect_db" type="boolean">
-              <xccdf-1.2:title>exim_can_connect_db SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_exim_manage_user_files" type="boolean">
-              <xccdf-1.2:title>exim_manage_user_files SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_exim_read_user_files" type="boolean">
-              <xccdf-1.2:title>exim_read_user_files SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_fcron_crond" type="boolean">
-              <xccdf-1.2:title>fcron_crond SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_fenced_can_network_connect" type="boolean">
-              <xccdf-1.2:title>fenced_can_network_connect SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_fenced_can_ssh" type="boolean">
-              <xccdf-1.2:title>fenced_can_ssh SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_fips_mode" type="boolean">
-              <xccdf-1.2:title>fips_mode SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>true</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_ftpd_anon_write" type="boolean">
-              <xccdf-1.2:title>ftpd_anon_write SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_ftpd_connect_all_unreserved" type="boolean">
-              <xccdf-1.2:title>ftpd_connect_all_unreserved SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_ftpd_connect_db" type="boolean">
-              <xccdf-1.2:title>ftpd_connect_db SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_ftpd_full_access" type="boolean">
-              <xccdf-1.2:title>ftpd_full_access SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_ftpd_use_cifs" type="boolean">
-              <xccdf-1.2:title>ftpd_use_cifs SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_ftpd_use_fusefs" type="boolean">
-              <xccdf-1.2:title>ftpd_use_fusefs SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_ftpd_use_nfs" type="boolean">
-              <xccdf-1.2:title>ftpd_use_nfs SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_ftpd_use_passive_mode" type="boolean">
-              <xccdf-1.2:title>ftpd_use_passive_mode SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_git_cgi_enable_homedirs" type="boolean">
-              <xccdf-1.2:title>git_cgi_enable_homedirs SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_git_cgi_use_cifs" type="boolean">
-              <xccdf-1.2:title>git_cgi_use_cifs SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_git_cgi_use_nfs" type="boolean">
-              <xccdf-1.2:title>git_cgi_use_nfs SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_git_session_bind_all_unreserved_ports" type="boolean">
-              <xccdf-1.2:title>git_session_bind_all_unreserved_ports SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_git_session_users" type="boolean">
-              <xccdf-1.2:title>git_session_users SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_git_system_enable_homedirs" type="boolean">
-              <xccdf-1.2:title>git_system_enable_homedirs SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_git_system_use_cifs" type="boolean">
-              <xccdf-1.2:title>git_system_use_cifs SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_git_system_use_nfs" type="boolean">
-              <xccdf-1.2:title>git_system_use_nfs SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_gitosis_can_sendmail" type="boolean">
-              <xccdf-1.2:title>gitosis_can_sendmail SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_glance_api_can_network" type="boolean">
-              <xccdf-1.2:title>glance_api_can_network SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_glance_use_execmem" type="boolean">
-              <xccdf-1.2:title>glance_use_execmem SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_glance_use_fusefs" type="boolean">
-              <xccdf-1.2:title>glance_use_fusefs SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_global_ssp" type="boolean">
-              <xccdf-1.2:title>global_ssp SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_gluster_anon_write" type="boolean">
-              <xccdf-1.2:title>gluster_anon_write SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_gluster_export_all_ro" type="boolean">
-              <xccdf-1.2:title>gluster_export_all_ro SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_gluster_export_all_rw" type="boolean">
-              <xccdf-1.2:title>gluster_export_all_rw SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>true</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_gpg_web_anon_write" type="boolean">
-              <xccdf-1.2:title>gpg_web_anon_write SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_gssd_read_tmp" type="boolean">
-              <xccdf-1.2:title>gssd_read_tmp SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>true</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_guest_exec_content" type="boolean">
-              <xccdf-1.2:title>guest_exec_content SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>true</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_haproxy_connect_any" type="boolean">
-              <xccdf-1.2:title>haproxy_connect_any SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_httpd_anon_write" type="boolean">
-              <xccdf-1.2:title>httpd_anon_write SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_httpd_builtin_scripting" type="boolean">
-              <xccdf-1.2:title>httpd_builtin_scripting SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>true</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_httpd_can_check_spam" type="boolean">
-              <xccdf-1.2:title>httpd_can_check_spam SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_httpd_can_connect_ftp" type="boolean">
-              <xccdf-1.2:title>httpd_can_connect_ftp SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_httpd_can_connect_ldap" type="boolean">
-              <xccdf-1.2:title>httpd_can_connect_ldap SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_httpd_can_connect_mythtv" type="boolean">
-              <xccdf-1.2:title>httpd_can_connect_mythtv SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_httpd_can_connect_zabbix" type="boolean">
-              <xccdf-1.2:title>httpd_can_connect_zabbix SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_httpd_can_network_connect" type="boolean">
-              <xccdf-1.2:title>httpd_can_network_connect SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_httpd_can_network_connect_cobbler" type="boolean">
-              <xccdf-1.2:title>httpd_can_network_connect_cobbler SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_httpd_can_network_connect_db" type="boolean">
-              <xccdf-1.2:title>httpd_can_network_connect_db SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_httpd_can_network_memcache" type="boolean">
-              <xccdf-1.2:title>httpd_can_network_memcache SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_httpd_can_network_relay" type="boolean">
-              <xccdf-1.2:title>httpd_can_network_relay SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_httpd_can_sendmail" type="boolean">
-              <xccdf-1.2:title>httpd_can_sendmail SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_httpd_dbus_avahi" type="boolean">
-              <xccdf-1.2:title>httpd_dbus_avahi SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_httpd_dbus_sssd" type="boolean">
-              <xccdf-1.2:title>httpd_dbus_sssd SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_httpd_dontaudit_search_dirs" type="boolean">
-              <xccdf-1.2:title>httpd_dontaudit_search_dirs SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_httpd_enable_cgi" type="boolean">
-              <xccdf-1.2:title>httpd_enable_cgi SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>true</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_httpd_enable_ftp_server" type="boolean">
-              <xccdf-1.2:title>httpd_enable_ftp_server SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_httpd_enable_homedirs" type="boolean">
-              <xccdf-1.2:title>httpd_enable_homedirs SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_httpd_execmem" type="boolean">
-              <xccdf-1.2:title>httpd_execmem SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_httpd_graceful_shutdown" type="boolean">
-              <xccdf-1.2:title>httpd_graceful_shutdown SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>true</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_httpd_manage_ipa" type="boolean">
-              <xccdf-1.2:title>httpd_manage_ipa SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_httpd_mod_auth_ntlm_winbind" type="boolean">
-              <xccdf-1.2:title>httpd_mod_auth_ntlm_winbind SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_httpd_mod_auth_pam" type="boolean">
-              <xccdf-1.2:title>httpd_mod_auth_pam SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_httpd_read_user_content" type="boolean">
-              <xccdf-1.2:title>httpd_read_user_content SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_httpd_run_ipa" type="boolean">
-              <xccdf-1.2:title>httpd_run_ipa SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_httpd_run_preupgrade" type="boolean">
-              <xccdf-1.2:title>httpd_run_preupgrade SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_httpd_run_stickshift" type="boolean">
-              <xccdf-1.2:title>httpd_run_stickshift SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_httpd_serve_cobbler_files" type="boolean">
-              <xccdf-1.2:title>httpd_serve_cobbler_files SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_httpd_setrlimit" type="boolean">
-              <xccdf-1.2:title>httpd_setrlimit SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_httpd_ssi_exec" type="boolean">
-              <xccdf-1.2:title>httpd_ssi_exec SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_httpd_sys_script_anon_write" type="boolean">
-              <xccdf-1.2:title>httpd_sys_script_anon_write SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_httpd_tmp_exec" type="boolean">
-              <xccdf-1.2:title>httpd_tmp_exec SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_httpd_tty_comm" type="boolean">
-              <xccdf-1.2:title>httpd_tty_comm SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_httpd_unified" type="boolean">
-              <xccdf-1.2:title>httpd_unified SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_httpd_use_cifs" type="boolean">
-              <xccdf-1.2:title>httpd_use_cifs SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_httpd_use_fusefs" type="boolean">
-              <xccdf-1.2:title>httpd_use_fusefs SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_httpd_use_gpg" type="boolean">
-              <xccdf-1.2:title>httpd_use_gpg SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_httpd_use_nfs" type="boolean">
-              <xccdf-1.2:title>httpd_use_nfs SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_httpd_use_openstack" type="boolean">
-              <xccdf-1.2:title>httpd_use_openstack SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_httpd_use_sasl" type="boolean">
-              <xccdf-1.2:title>httpd_use_sasl SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_httpd_verify_dns" type="boolean">
-              <xccdf-1.2:title>httpd_verify_dns SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_icecast_use_any_tcp_ports" type="boolean">
-              <xccdf-1.2:title>icecast_use_any_tcp_ports SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_irc_use_any_tcp_ports" type="boolean">
-              <xccdf-1.2:title>irc_use_any_tcp_ports SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_irssi_use_full_network" type="boolean">
-              <xccdf-1.2:title>irssi_use_full_network SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_kdumpgui_run_bootloader" type="boolean">
-              <xccdf-1.2:title>kdumpgui_run_bootloader SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_kerberos_enabled" type="boolean">
-              <xccdf-1.2:title>kerberos_enabled SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>true</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_ksmtuned_use_cifs" type="boolean">
-              <xccdf-1.2:title>ksmtuned_use_cifs SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_ksmtuned_use_nfs" type="boolean">
-              <xccdf-1.2:title>ksmtuned_use_nfs SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_logadm_exec_content" type="boolean">
-              <xccdf-1.2:title>logadm_exec_content SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>true</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_logging_syslogd_can_sendmail" type="boolean">
-              <xccdf-1.2:title>logging_syslogd_can_sendmail SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_logging_syslogd_run_nagios_plugins" type="boolean">
-              <xccdf-1.2:title>logging_syslogd_run_nagios_plugins SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_logging_syslogd_use_tty" type="boolean">
-              <xccdf-1.2:title>logging_syslogd_use_tty SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>true</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_login_console_enabled" type="boolean">
-              <xccdf-1.2:title>login_console_enabled SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>true</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_logrotate_use_nfs" type="boolean">
-              <xccdf-1.2:title>logrotate_use_nfs SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_logwatch_can_network_connect_mail" type="boolean">
-              <xccdf-1.2:title>logwatch_can_network_connect_mail SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_lsmd_plugin_connect_any" type="boolean">
-              <xccdf-1.2:title>lsmd_plugin_connect_any SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_mailman_use_fusefs" type="boolean">
-              <xccdf-1.2:title>mailman_use_fusefs SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_mcelog_client" type="boolean">
-              <xccdf-1.2:title>mcelog_client SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_mcelog_exec_scripts" type="boolean">
-              <xccdf-1.2:title>mcelog_exec_scripts SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>true</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_mcelog_foreground" type="boolean">
-              <xccdf-1.2:title>mcelog_foreground SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_mcelog_server" type="boolean">
-              <xccdf-1.2:title>mcelog_server SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_minidlna_read_generic_user_content" type="boolean">
-              <xccdf-1.2:title>minidlna_read_generic_user_content SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_mmap_low_allowed" type="boolean">
-              <xccdf-1.2:title>mmap_low_allowed SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_mock_enable_homedirs" type="boolean">
-              <xccdf-1.2:title>mock_enable_homedirs SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_mount_anyfile" type="boolean">
-              <xccdf-1.2:title>mount_anyfile SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>true</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_mozilla_plugin_bind_unreserved_ports" type="boolean">
-              <xccdf-1.2:title>mozilla_plugin_bind_unreserved_ports SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_mozilla_plugin_can_network_connect" type="boolean">
-              <xccdf-1.2:title>mozilla_plugin_can_network_connect SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_mozilla_plugin_use_bluejeans" type="boolean">
-              <xccdf-1.2:title>mozilla_plugin_use_bluejeans SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_mozilla_plugin_use_gps" type="boolean">
-              <xccdf-1.2:title>mozilla_plugin_use_gps SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_mozilla_plugin_use_spice" type="boolean">
-              <xccdf-1.2:title>mozilla_plugin_use_spice SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_mozilla_read_content" type="boolean">
-              <xccdf-1.2:title>mozilla_read_content SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_mpd_enable_homedirs" type="boolean">
-              <xccdf-1.2:title>mpd_enable_homedirs SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_mpd_use_cifs" type="boolean">
-              <xccdf-1.2:title>mpd_use_cifs SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_mpd_use_nfs" type="boolean">
-              <xccdf-1.2:title>mpd_use_nfs SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_mplayer_execstack" type="boolean">
-              <xccdf-1.2:title>mplayer_execstack SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_mysql_connect_any" type="boolean">
-              <xccdf-1.2:title>mysql_connect_any SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_nagios_run_pnp4nagios" type="boolean">
-              <xccdf-1.2:title>nagios_run_pnp4nagios SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_nagios_run_sudo" type="boolean">
-              <xccdf-1.2:title>nagios_run_sudo SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_named_tcp_bind_http_port" type="boolean">
-              <xccdf-1.2:title>named_tcp_bind_http_port SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_named_write_master_zones" type="boolean">
-              <xccdf-1.2:title>named_write_master_zones SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_neutron_can_network" type="boolean">
-              <xccdf-1.2:title>neutron_can_network SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_nfs_export_all_ro" type="boolean">
-              <xccdf-1.2:title>nfs_export_all_ro SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>true</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_nfs_export_all_rw" type="boolean">
-              <xccdf-1.2:title>nfs_export_all_rw SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>true</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_nfsd_anon_write" type="boolean">
-              <xccdf-1.2:title>nfsd_anon_write SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_nis_enabled" type="boolean">
-              <xccdf-1.2:title>nis_enabled SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_nscd_use_shm" type="boolean">
-              <xccdf-1.2:title>nscd_use_shm SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>true</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_openshift_use_nfs" type="boolean">
-              <xccdf-1.2:title>openshift_use_nfs SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_openvpn_can_network_connect" type="boolean">
-              <xccdf-1.2:title>openvpn_can_network_connect SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>true</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_openvpn_enable_homedirs" type="boolean">
-              <xccdf-1.2:title>openvpn_enable_homedirs SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>true</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_openvpn_run_unconfined" type="boolean">
-              <xccdf-1.2:title>openvpn_run_unconfined SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_pcp_bind_all_unreserved_ports" type="boolean">
-              <xccdf-1.2:title>pcp_bind_all_unreserved_ports SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_pcp_read_generic_logs" type="boolean">
-              <xccdf-1.2:title>pcp_read_generic_logs SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_piranha_lvs_can_network_connect" type="boolean">
-              <xccdf-1.2:title>piranha_lvs_can_network_connect SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_polipo_connect_all_unreserved" type="boolean">
-              <xccdf-1.2:title>polipo_connect_all_unreserved SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_polipo_session_bind_all_unreserved_ports" type="boolean">
-              <xccdf-1.2:title>polipo_session_bind_all_unreserved_ports SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_polipo_session_users" type="boolean">
-              <xccdf-1.2:title>polipo_session_users SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_polipo_use_cifs" type="boolean">
-              <xccdf-1.2:title>polipo_use_cifs SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_polipo_use_nfs" type="boolean">
-              <xccdf-1.2:title>polipo_use_nfs SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_polyinstantiation_enabled" type="boolean">
-              <xccdf-1.2:title>polyinstantiation_enabled SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_postfix_local_write_mail_spool" type="boolean">
-              <xccdf-1.2:title>postfix_local_write_mail_spool SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>true</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_postgresql_can_rsync" type="boolean">
-              <xccdf-1.2:title>postgresql_can_rsync SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_postgresql_selinux_transmit_client_label" type="boolean">
-              <xccdf-1.2:title>postgresql_selinux_transmit_client_label SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_postgresql_selinux_unconfined_dbadm" type="boolean">
-              <xccdf-1.2:title>postgresql_selinux_unconfined_dbadm SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>true</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_postgresql_selinux_users_ddl" type="boolean">
-              <xccdf-1.2:title>postgresql_selinux_users_ddl SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>true</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_pppd_can_insmod" type="boolean">
-              <xccdf-1.2:title>pppd_can_insmod SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_pppd_for_user" type="boolean">
-              <xccdf-1.2:title>pppd_for_user SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_privoxy_connect_any" type="boolean">
-              <xccdf-1.2:title>privoxy_connect_any SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>true</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_prosody_bind_http_port" type="boolean">
-              <xccdf-1.2:title>prosody_bind_http_port SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_puppetagent_manage_all_files" type="boolean">
-              <xccdf-1.2:title>puppetagent_manage_all_files SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_puppetmaster_use_db" type="boolean">
-              <xccdf-1.2:title>puppetmaster_use_db SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_racoon_read_shadow" type="boolean">
-              <xccdf-1.2:title>racoon_read_shadow SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_rsync_anon_write" type="boolean">
-              <xccdf-1.2:title>rsync_anon_write SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_rsync_client" type="boolean">
-              <xccdf-1.2:title>rsync_client SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_rsync_export_all_ro" type="boolean">
-              <xccdf-1.2:title>rsync_export_all_ro SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_rsync_full_access" type="boolean">
-              <xccdf-1.2:title>rsync_full_access SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_samba_create_home_dirs" type="boolean">
-              <xccdf-1.2:title>samba_create_home_dirs SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_samba_domain_controller" type="boolean">
-              <xccdf-1.2:title>samba_domain_controller SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_samba_enable_home_dirs" type="boolean">
-              <xccdf-1.2:title>samba_enable_home_dirs SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_samba_export_all_ro" type="boolean">
-              <xccdf-1.2:title>samba_export_all_ro SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_samba_export_all_rw" type="boolean">
-              <xccdf-1.2:title>samba_export_all_rw SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_samba_load_libgfapi" type="boolean">
-              <xccdf-1.2:title>samba_load_libgfapi SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_samba_portmapper" type="boolean">
-              <xccdf-1.2:title>samba_portmapper SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_samba_run_unconfined" type="boolean">
-              <xccdf-1.2:title>samba_run_unconfined SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_samba_share_fusefs" type="boolean">
-              <xccdf-1.2:title>samba_share_fusefs SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_samba_share_nfs" type="boolean">
-              <xccdf-1.2:title>samba_share_nfs SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_sanlock_use_fusefs" type="boolean">
-              <xccdf-1.2:title>sanlock_use_fusefs SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_sanlock_use_nfs" type="boolean">
-              <xccdf-1.2:title>sanlock_use_nfs SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_sanlock_use_samba" type="boolean">
-              <xccdf-1.2:title>sanlock_use_samba SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_saslauthd_read_shadow" type="boolean">
-              <xccdf-1.2:title>saslauthd_read_shadow SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_secadm_exec_content" type="boolean">
-              <xccdf-1.2:title>secadm_exec_content SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>true</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_secure_mode" type="boolean">
-              <xccdf-1.2:title>secure_mode SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_secure_mode_insmod" type="boolean">
-              <xccdf-1.2:title>secure_mode_insmod SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_secure_mode_policyload" type="boolean">
-              <xccdf-1.2:title>secure_mode_policyload SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_selinuxuser_direct_dri_enabled" type="boolean">
-              <xccdf-1.2:title>selinuxuser_direct_dri_enabled SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>true</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_selinuxuser_execheap" type="boolean">
-              <xccdf-1.2:title>selinuxuser_execheap SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_selinuxuser_execmod" type="boolean">
-              <xccdf-1.2:title>selinuxuser_execmod SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>true</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_selinuxuser_execstack" type="boolean">
-              <xccdf-1.2:title>selinuxuser_execstack SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_selinuxuser_mysql_connect_enabled" type="boolean">
-              <xccdf-1.2:title>selinuxuser_mysql_connect_enabled SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_selinuxuser_ping" type="boolean">
-              <xccdf-1.2:title>selinuxuser_ping SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>true</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_selinuxuser_postgresql_connect_enabled" type="boolean">
-              <xccdf-1.2:title>selinuxuser_postgresql_connect_enabled SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_selinuxuser_rw_noexattrfile" type="boolean">
-              <xccdf-1.2:title>selinuxuser_rw_noexattrfile SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>true</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_selinuxuser_share_music" type="boolean">
-              <xccdf-1.2:title>selinuxuser_share_music SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_selinuxuser_tcp_server" type="boolean">
-              <xccdf-1.2:title>selinuxuser_tcp_server SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_selinuxuser_udp_server" type="boolean">
-              <xccdf-1.2:title>selinuxuser_udp_server SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_selinuxuser_use_ssh_chroot" type="boolean">
-              <xccdf-1.2:title>selinuxuser_use_ssh_chroot SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_sge_domain_can_network_connect" type="boolean">
-              <xccdf-1.2:title>sge_domain_can_network_connect SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_sge_use_nfs" type="boolean">
-              <xccdf-1.2:title>sge_use_nfs SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_smartmon_3ware" type="boolean">
-              <xccdf-1.2:title>smartmon_3ware SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_smbd_anon_write" type="boolean">
-              <xccdf-1.2:title>smbd_anon_write SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_spamassassin_can_network" type="boolean">
-              <xccdf-1.2:title>spamassassin_can_network SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_spamd_enable_home_dirs" type="boolean">
-              <xccdf-1.2:title>spamd_enable_home_dirs SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>true</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_squid_connect_any" type="boolean">
-              <xccdf-1.2:title>squid_connect_any SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>true</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_squid_use_tproxy" type="boolean">
-              <xccdf-1.2:title>squid_use_tproxy SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_ssh_chroot_rw_homedirs" type="boolean">
-              <xccdf-1.2:title>ssh_chroot_rw_homedirs SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_ssh_keysign" type="boolean">
-              <xccdf-1.2:title>ssh_keysign SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_ssh_sysadm_login" type="boolean">
-              <xccdf-1.2:title>ssh_sysadm_login SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_staff_exec_content" type="boolean">
-              <xccdf-1.2:title>staff_exec_content SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>true</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_staff_use_svirt" type="boolean">
-              <xccdf-1.2:title>staff_use_svirt SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_swift_can_network" type="boolean">
-              <xccdf-1.2:title>swift_can_network SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_sysadm_exec_content" type="boolean">
-              <xccdf-1.2:title>sysadm_exec_content SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>true</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_telepathy_connect_all_ports" type="boolean">
-              <xccdf-1.2:title>telepathy_connect_all_ports SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_telepathy_tcp_connect_generic_network_ports" type="boolean">
-              <xccdf-1.2:title>telepathy_tcp_connect_generic_network_ports SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>true</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_tftp_anon_write" type="boolean">
-              <xccdf-1.2:title>tftp_anon_write SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_tftp_home_dir" type="boolean">
-              <xccdf-1.2:title>tftp_home_dir SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_tmpreaper_use_nfs" type="boolean">
-              <xccdf-1.2:title>tmpreaper_use_nfs SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_tmpreaper_use_samba" type="boolean">
-              <xccdf-1.2:title>tmpreaper_use_samba SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_tor_bind_all_unreserved_ports" type="boolean">
-              <xccdf-1.2:title>tor_bind_all_unreserved_ports SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_tor_can_network_relay" type="boolean">
-              <xccdf-1.2:title>tor_can_network_relay SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_unconfined_chrome_sandbox_transition" type="boolean">
-              <xccdf-1.2:title>unconfined_chrome_sandbox_transition SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>true</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_unconfined_login" type="boolean">
-              <xccdf-1.2:title>unconfined_login SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>true</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_unconfined_mozilla_plugin_transition" type="boolean">
-              <xccdf-1.2:title>unconfined_mozilla_plugin_transition SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>true</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_unprivuser_use_svirt" type="boolean">
-              <xccdf-1.2:title>unprivuser_use_svirt SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_use_ecryptfs_home_dirs" type="boolean">
-              <xccdf-1.2:title>use_ecryptfs_home_dirs SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_use_fusefs_home_dirs" type="boolean">
-              <xccdf-1.2:title>use_fusefs_home_dirs SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_use_lpd_server" type="boolean">
-              <xccdf-1.2:title>use_lpd_server SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_use_nfs_home_dirs" type="boolean">
-              <xccdf-1.2:title>use_nfs_home_dirs SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_use_samba_home_dirs" type="boolean">
-              <xccdf-1.2:title>use_samba_home_dirs SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_user_exec_content" type="boolean">
-              <xccdf-1.2:title>user_exec_content SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>true</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_varnishd_connect_any" type="boolean">
-              <xccdf-1.2:title>varnishd_connect_any SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_virt_read_qemu_ga_data" type="boolean">
-              <xccdf-1.2:title>virt_read_qemu_ga_data SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_virt_rw_qemu_ga_data" type="boolean">
-              <xccdf-1.2:title>virt_rw_qemu_ga_data SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_virt_sandbox_use_all_caps" type="boolean">
-              <xccdf-1.2:title>virt_sandbox_use_all_caps SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>true</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_virt_sandbox_use_audit" type="boolean">
-              <xccdf-1.2:title>virt_sandbox_use_audit SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>true</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_virt_sandbox_use_mknod" type="boolean">
-              <xccdf-1.2:title>virt_sandbox_use_mknod SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_virt_sandbox_use_netlink" type="boolean">
-              <xccdf-1.2:title>virt_sandbox_use_netlink SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_virt_sandbox_use_sys_admin" type="boolean">
-              <xccdf-1.2:title>virt_sandbox_use_sys_admin SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_virt_transition_userdomain" type="boolean">
-              <xccdf-1.2:title>virt_transition_userdomain SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_virt_use_comm" type="boolean">
-              <xccdf-1.2:title>virt_use_comm SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_virt_use_execmem" type="boolean">
-              <xccdf-1.2:title>virt_use_execmem SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_virt_use_fusefs" type="boolean">
-              <xccdf-1.2:title>virt_use_fusefs SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_virt_use_nfs" type="boolean">
-              <xccdf-1.2:title>virt_use_nfs SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_virt_use_rawip" type="boolean">
-              <xccdf-1.2:title>virt_use_rawip SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_virt_use_samba" type="boolean">
-              <xccdf-1.2:title>virt_use_samba SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_virt_use_sanlock" type="boolean">
-              <xccdf-1.2:title>virt_use_sanlock SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_virt_use_usb" type="boolean">
-              <xccdf-1.2:title>virt_use_usb SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>true</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_virt_use_xserver" type="boolean">
-              <xccdf-1.2:title>virt_use_xserver SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_webadm_manage_user_files" type="boolean">
-              <xccdf-1.2:title>webadm_manage_user_files SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_webadm_read_user_files" type="boolean">
-              <xccdf-1.2:title>webadm_read_user_files SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_wine_mmap_zero_ignore" type="boolean">
-              <xccdf-1.2:title>wine_mmap_zero_ignore SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_xdm_bind_vnc_tcp_port" type="boolean">
-              <xccdf-1.2:title>xdm_bind_vnc_tcp_port SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_xdm_exec_bootloader" type="boolean">
-              <xccdf-1.2:title>xdm_exec_bootloader SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_xdm_sysadm_login" type="boolean">
-              <xccdf-1.2:title>xdm_sysadm_login SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_xdm_write_home" type="boolean">
-              <xccdf-1.2:title>xdm_write_home SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_xen_use_nfs" type="boolean">
-              <xccdf-1.2:title>xen_use_nfs SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_xend_run_blktap" type="boolean">
-              <xccdf-1.2:title>xend_run_blktap SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>true</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_xend_run_qemu" type="boolean">
-              <xccdf-1.2:title>xend_run_qemu SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>true</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_xguest_connect_network" type="boolean">
-              <xccdf-1.2:title>xguest_connect_network SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>true</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_xguest_exec_content" type="boolean">
-              <xccdf-1.2:title>xguest_exec_content SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>true</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_xguest_mount_media" type="boolean">
-              <xccdf-1.2:title>xguest_mount_media SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>true</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_xguest_use_bluetooth" type="boolean">
-              <xccdf-1.2:title>xguest_use_bluetooth SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>true</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_xserver_clients_write_xshm" type="boolean">
-              <xccdf-1.2:title>xserver_clients_write_xshm SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_xserver_execmem" type="boolean">
-              <xccdf-1.2:title>xserver_execmem SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_xserver_object_manager" type="boolean">
-              <xccdf-1.2:title>xserver_object_manager SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_zabbix_can_network" type="boolean">
-              <xccdf-1.2:title>zabbix_can_network SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_zarafa_setrlimit" type="boolean">
-              <xccdf-1.2:title>zarafa_setrlimit SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_zebra_write_config" type="boolean">
-              <xccdf-1.2:title>zebra_write_config SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_zoneminder_anon_write" type="boolean">
-              <xccdf-1.2:title>zoneminder_anon_write SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_zoneminder_run_sudo" type="boolean">
-              <xccdf-1.2:title>zoneminder_run_sudo SELinux Boolean</xccdf-1.2:title>
-              <xccdf-1.2:description>default - Default SELinux boolean setting.
-<html:br/>on - SELinux boolean is enabled.
-<html:br/>off - SELinux boolean is disabled.</xccdf-1.2:description>
-              <xccdf-1.2:value>false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="off">false</xccdf-1.2:value>
-              <xccdf-1.2:value selector="on">true</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-          </xccdf-1.2:Group>
-        </xccdf-1.2:Group>
-      </xccdf-1.2:Group>
-      <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_services">
-        <xccdf-1.2:title>Services</xccdf-1.2:title>
-        <xccdf-1.2:description>The best protection against vulnerable software is running less software. This section describes how to review
-the software which Red Hat Enterprise Linux CoreOS 4 installs on a system and disable software which is not needed. It
-then enumerates the software packages installed on a default Red Hat Enterprise Linux CoreOS 4 system and provides guidance about which
-ones can be safely disabled.
-<html:br/><html:br/>
-Red Hat Enterprise Linux CoreOS 4 provides a convenient minimal install option that essentially installs the bare necessities for a functional
-system. When building Red Hat Enterprise Linux CoreOS 4 systems, it is highly recommended to select the minimal packages and then build up
-the system from there.</xccdf-1.2:description>
-        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_apport">
-          <xccdf-1.2:title>Apport Service</xccdf-1.2:title>
-          <xccdf-1.2:description>The Apport service provides debugging and crash reporting
-features on Ubuntu distributions.</xccdf-1.2:description>
-        </xccdf-1.2:Group>
-        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_apt">
-          <xccdf-1.2:title>APT service configuration</xccdf-1.2:title>
-          <xccdf-1.2:description>The apt service manage the package management and update of the whole system. Its configuration need to be properly defined to ensure efficient security updates, packages and repository authentication and proper lifecycle management.</xccdf-1.2:description>
-        </xccdf-1.2:Group>
-        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_avahi">
-          <xccdf-1.2:title>Avahi Server</xccdf-1.2:title>
-          <xccdf-1.2:description>The Avahi daemon implements the DNS Service Discovery
-and Multicast DNS protocols, which provide service and host
-discovery on a network. It allows a system to automatically
-identify resources on the network, such as printers or web servers.
-This capability is also known as mDNSresponder and is a major part
-of Zeroconf networking.</xccdf-1.2:description>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_avahi_configuration">
-            <xccdf-1.2:title>Configure Avahi if Necessary</xccdf-1.2:title>
-            <xccdf-1.2:description>If your system requires the Avahi daemon, its configuration can be restricted
-to improve security. The Avahi daemon configuration file is
-<html:code>/etc/avahi/avahi-daemon.conf</html:code>. The following security recommendations
-should be applied to this file:
-See the <html:code>avahi-daemon.conf(5)</html:code> man page, or documentation at
-
-    <html:a href="http://www.avahi.org">http://www.avahi.org</html:a>, for more detailed information
-about the configuration options.</xccdf-1.2:description>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_avahi_disable_publishing" severity="low">
-              <xccdf-1.2:title>Disable Avahi Publishing</xccdf-1.2:title>
-              <xccdf-1.2:description>To prevent Avahi from publishing its records, edit <html:code>/etc/avahi/avahi-daemon.conf</html:code>
-and ensure the following line appears in the <html:code>[publish]</html:code> section:
-<html:pre>disable-publishing=yes</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>This helps ensure that no record will be published by Avahi.</xccdf-1.2:rationale>
-            </xccdf-1.2:Rule>
-          </xccdf-1.2:Group>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_disable_avahi_group">
-            <xccdf-1.2:title>Disable Avahi Server if Possible</xccdf-1.2:title>
-            <xccdf-1.2:description>Because the Avahi daemon service keeps an open network
-port, it is subject to network attacks.
-Disabling it can reduce the system's vulnerability to such attacks.</xccdf-1.2:description>
-          </xccdf-1.2:Group>
-        </xccdf-1.2:Group>
-        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_base">
-          <xccdf-1.2:title>Base Services</xccdf-1.2:title>
-          <xccdf-1.2:description>This section addresses the base services that are installed on a
-Red Hat Enterprise Linux CoreOS 4 default installation which are not covered in other
-sections. Some of these services listen on the network and
-should be treated with particular discretion. Other services are local
-system utilities that may or may not be extraneous. In general, system services
-should be disabled if not required.</xccdf-1.2:description>
-        </xccdf-1.2:Group>
-        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_cron_and_at">
-          <xccdf-1.2:title>Cron and At Daemons</xccdf-1.2:title>
-          <xccdf-1.2:description>The cron and at services are used to allow commands to
-be executed at a later time. The cron service is required by almost
-all systems to perform necessary maintenance tasks, while at may or
-may not be required on a given system. Both daemons should be
-configured defensively.</xccdf-1.2:description>
-          <xccdf-1.2:platform idref="#machine"/>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_package_cron_installed" severity="medium">
-            <xccdf-1.2:title>Install the cron service</xccdf-1.2:title>
-            <xccdf-1.2:description>The Cron service should be installed.</xccdf-1.2:description>
-            <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R50)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>The cron service allow periodic job execution, needed for almost all administrative tasks and services (software update, log rotating, etc.). Access to cron service should be restricted to administrative accounts only.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-package_cron_installed:def:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_service_cron_enabled" severity="medium">
-            <xccdf-1.2:title>Enable cron Service</xccdf-1.2:title>
-            <xccdf-1.2:description>The <html:code>crond</html:code> service is used to execute commands at
-preconfigured times. It is required by almost all systems to perform necessary
-maintenance tasks, such as notifying root of system activity.
-
-The <html:code>cron</html:code> service can be enabled with the following manifest:
-<html:pre>
----
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-metadata:
-  labels:
-    machineconfiguration.openshift.io/role: master
-  name: 75-master-cron-enable
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-      - name: cron.service
-        enabled: true
-</html:pre>
-<html:p>
-This will enable the <html:code>cron</html:code> service in all the
-nodes labeled with the "master" role.
-</html:p>
-<html:p>
-Note that this needs to be done for each <html:code>MachineConfigPool</html:code>
-</html:p>
-<html:p>
-For more information on how to configure nodes with the Machine Config
-Operator see
-<html:a href="https://docs.openshift.com/container-platform/4.6/post_installation_configuration/machine-configuration-tasks.html">the relevant documentation</html:a>.
-</html:p></xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Due to its usage for maintenance and security-supporting tasks,
-enabling the cron daemon is essential.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-service_cron_enabled:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-service_cron_enabled_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_restrict_at_cron_users">
-            <xccdf-1.2:title>Restrict at and cron to Authorized Users if Necessary</xccdf-1.2:title>
-            <xccdf-1.2:description>The <html:code>/etc/cron.allow</html:code> and <html:code>/etc/at.allow</html:code> files contain lists of
-users who are allowed to use <html:code>cron</html:code> and at to delay execution of
-processes. If these files exist and if the corresponding files
-<html:code>/etc/cron.deny</html:code> and <html:code>/etc/at.deny</html:code> do not exist, then only users
-listed in the relevant allow files can run the crontab and <html:code>at</html:code> commands
-to submit jobs to be run at scheduled intervals. On many systems, only the
-system administrator needs the ability to schedule jobs. Note that even if a
-given user is not listed in <html:code>cron.allow</html:code>, cron jobs can still be run as
-that user. The <html:code>cron.allow</html:code> file controls only administrative access
-to the crontab command for scheduling and modifying cron jobs.
-<html:br/>
-<html:br/>
-To restrict <html:code>at</html:code> and <html:code>cron</html:code> to only authorized users:
-<html:ul><html:li>Remove the <html:code>cron.deny</html:code> file:<html:pre>$ sudo rm /etc/cron.deny</html:pre></html:li><html:li>Edit <html:code>/etc/cron.allow</html:code>, adding one line for each user allowed to use
-the crontab command to create cron jobs.</html:li><html:li>Remove the <html:code>at.deny</html:code> file:<html:pre>$ sudo rm /etc/at.deny</html:pre></html:li><html:li>Edit <html:code>/etc/at.allow</html:code>, adding one line for each user allowed to use
-the at command to create at jobs.</html:li></html:ul></xccdf-1.2:description>
-            <xccdf-1.2:platform idref="#machine"/>
-          </xccdf-1.2:Group>
-        </xccdf-1.2:Group>
-        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_deprecated">
-          <xccdf-1.2:title>Deprecated services</xccdf-1.2:title>
-          <xccdf-1.2:description>Some deprecated software services impact the overall system security due to their behavior (leak of
-confidentiality in network exchange, usage as uncontrolled communication channel, risk associated with the service due to its old age, etc.</xccdf-1.2:description>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_package_inetutils-telnetd_removed" severity="high">
-            <xccdf-1.2:title>Uninstall the inet-based telnet server</xccdf-1.2:title>
-            <xccdf-1.2:description>The inet-based telnet daemon should be uninstalled.</xccdf-1.2:description>
-            <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-            <xccdf-1.2:rationale><html:code>telnet</html:code> allows clear text communications, and does not protect any
-data transmission between client and server. Any confidential data can be
-listened and no integrity checking is made.</xccdf-1.2:rationale>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-package_inetutils-telnetd_removed:def:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_package_nis_removed" severity="low">
-            <xccdf-1.2:title>Uninstall the nis package</xccdf-1.2:title>
-            <xccdf-1.2:description>The support for Yellowpages should not be installed unless it is required.</xccdf-1.2:description>
-            <xccdf-1.2:rationale>NIS is the historical SUN service for central account management, more and more replaced by LDAP.
-NIS does not support efficiently security constraints, ACL, etc. and should not be used.</xccdf-1.2:rationale>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-package_nis_removed:def:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_package_ntpdate_removed" severity="low">
-            <xccdf-1.2:title>Uninstall the ntpdate package</xccdf-1.2:title>
-            <xccdf-1.2:description>ntpdate is a historical ntp synchronization client for unixes. It sould be uninstalled.</xccdf-1.2:description>
-            <xccdf-1.2:rationale>ntpdate is an old not security-compliant ntp client. It should be replaced by modern ntp clients such as ntpd, able to use cryptographic mechanisms integrated in NTP.</xccdf-1.2:rationale>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-package_ntpdate_removed:def:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_package_telnetd-ssl_removed" severity="high">
-            <xccdf-1.2:title>Uninstall the ssl compliant telnet server</xccdf-1.2:title>
-            <xccdf-1.2:description>The <html:code>telnet</html:code> daemon, even with ssl support, should be uninstalled.</xccdf-1.2:description>
-            <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R02)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-            <xccdf-1.2:rationale><html:code>telnet</html:code>, even with ssl support, should not be installed.
-When remote shell is required, up-to-date ssh daemon can be used.</xccdf-1.2:rationale>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-package_telnetd-ssl_removed:def:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_package_telnetd_removed" severity="high">
-            <xccdf-1.2:title>Uninstall the telnet server</xccdf-1.2:title>
-            <xccdf-1.2:description>The telnet daemon should be uninstalled.</xccdf-1.2:description>
-            <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R03)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-            <xccdf-1.2:rationale><html:code>telnet</html:code> allows clear text communications, and does not protect
-any data transmission between client and server. Any confidential data
-can be listened and no integrity checking is made.'</xccdf-1.2:rationale>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-package_telnetd_removed:def:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-        </xccdf-1.2:Group>
-        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_dhcp">
-          <xccdf-1.2:title>DHCP</xccdf-1.2:title>
-          <xccdf-1.2:description>The Dynamic Host Configuration Protocol (DHCP) allows
-systems to request and obtain an IP address and other configuration
-parameters from a server.
-<html:br/><html:br/>
-This guide recommends configuring networking on clients by manually editing
-the appropriate files under <html:code>/etc/sysconfig</html:code>.  Use of DHCP can make client 
-systems vulnerable to compromise by rogue DHCP servers, and should be avoided 
-unless necessary.  If using DHCP is necessary, however, there are best practices 
-that should be followed to minimize security risk.</xccdf-1.2:description>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_dhcp_client_configuration">
-            <xccdf-1.2:title>Configure DHCP Client if Necessary</xccdf-1.2:title>
-            <xccdf-1.2:description>If DHCP must be used, then certain configuration changes can
-minimize the amount of information it receives and applies from the network,
-and thus the amount of incorrect information a rogue DHCP server could
-successfully distribute.  For more information on configuring dhclient, see the
-<html:code>dhclient(8)</html:code> and <html:code>dhclient.conf(5)</html:code> man pages.</xccdf-1.2:description>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_dhcp_client_restrict_options" severity="unknown">
-              <xccdf-1.2:title>Minimize the DHCP-Configured Options</xccdf-1.2:title>
-              <xccdf-1.2:description>Create the file <html:code>/etc/dhcp/dhclient.conf</html:code>, and add an
-appropriate setting for each of the ten configuration settings which can be
-obtained via DHCP. For each setting, do one of the following:
-<html:br/>
-If the setting should <html:i>not</html:i> be configured remotely by the DHCP server,
-select an appropriate static value, and add the line:
-<html:pre>supersede <html:code>setting value</html:code>;</html:pre>
-If the setting should be configured remotely by the DHCP server, add the lines:
-<html:pre>request <html:code>setting</html:code>;
-require <html:code>setting</html:code>;</html:pre>
-For example, suppose the DHCP server should provide only the IP address itself
-and the subnet mask. Then the entire file should look like:
-<html:pre>supersede domain-name "example.com";
-supersede domain-name-servers 192.168.1.2;
-supersede nis-domain "";
-supersede nis-servers "";
-supersede ntp-servers "ntp.example.com ";
-supersede routers 192.168.1.1;
-supersede time-offset -18000;
-request subnet-mask;
-require subnet-mask;</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:warning category="general">In this example, the options nis-servers and
-nis-domain are set to empty strings, on the assumption that the deprecated NIS
-protocol is not in use. It is necessary to supersede settings for unused
-services so that they cannot be set by a hostile DHCP server. If an option is
-set to an empty string, dhclient will typically not attempt to configure the
-service.</xccdf-1.2:warning>
-              <xccdf-1.2:rationale>By default, the DHCP client program, dhclient, requests and applies
-ten configuration options (in addition to the IP address) from the DHCP server.
-subnet-mask, broadcast-address, time-offset, routers, domain-name,
-domain-name-servers, host-name, nis-domain, nis-servers, and ntp-servers.  Many
-of the options requested and applied by dhclient may be the same for every
-system on a network. It is recommended that almost all configuration options be
-assigned statically, and only options which must vary on a host-by-host basis
-be assigned via DHCP. This limits the damage which can be done by a rogue DHCP
-server.  If appropriate for your site, it is also possible to supersede the
-host-name directive in <html:code>/etc/dhcp/dhclient.conf</html:code>, establishing a static
-hostname for the system. However, dhclient does not use the host name option
-provided by the DHCP server (instead using the value provided by a reverse DNS
-lookup).</xccdf-1.2:rationale>
-            </xccdf-1.2:Rule>
-          </xccdf-1.2:Group>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_dhcp_server_configuration">
-            <xccdf-1.2:title>Configure DHCP Server</xccdf-1.2:title>
-            <xccdf-1.2:description>If the system must act as a DHCP server, the configuration
-information it serves should be minimized. Also, support for other protocols
-and DNS-updating schemes should be explicitly disabled unless needed. The
-configuration file for dhcpd is called <html:code>/etc/dhcp/dhcpd.conf</html:code>. The file
-begins with a number of global configuration options. The remainder of the file
-is divided into sections, one for each block of addresses offered by dhcpd,
-each of which contains configuration options specific to that address
-block.</xccdf-1.2:description>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_dhcp_server_minimize_served_info" severity="unknown">
-              <xccdf-1.2:title>Minimize Served Information</xccdf-1.2:title>
-              <xccdf-1.2:description>Edit /etc/dhcp/dhcpd.conf. Examine each address range section within
-the file, and ensure that the following options are not defined unless there is
-an operational need to provide this information via DHCP:
-<html:pre>option domain-name
-option domain-name-servers
-option nis-domain
-option nis-servers
-option ntp-servers
-option routers
-option time-offset</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:warning category="general">By default, the Red Hat Enterprise Linux client installation uses DHCP
-to request much of the above information from the DHCP server. In particular,
-domain-name, domain-name-servers, and routers are configured via DHCP.  These
-settings are typically necessary for proper network functionality, but are also
-usually static across systems at a given site.</xccdf-1.2:warning>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Because the configuration information provided by the DHCP server
-could be maliciously provided to clients by a rogue DHCP server, the amount of
-information provided via DHCP should be minimized. Remove these definitions
-from the DHCP server configuration to ensure that legitimate clients do not
-unnecessarily rely on DHCP for this information.</xccdf-1.2:rationale>
-            </xccdf-1.2:Rule>
-          </xccdf-1.2:Group>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_disabling_dhcp_client">
-            <xccdf-1.2:title>Disable DHCP Client</xccdf-1.2:title>
-            <xccdf-1.2:description>DHCP is the default network configuration method provided by the system
-installer, and common on many networks. Nevertheless, manual management
-of IP addresses for systems implies a greater degree of management and
-accountability for network activity.</xccdf-1.2:description>
-          </xccdf-1.2:Group>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_disabling_dhcp_server">
-            <xccdf-1.2:title>Disable DHCP Server</xccdf-1.2:title>
-            <xccdf-1.2:description>The DHCP server <html:code>dhcpd</html:code> is not installed or activated by
-default. If the software was installed and activated, but the
-system does not need to act as a DHCP server, it should be disabled
-and removed.</xccdf-1.2:description>
-          </xccdf-1.2:Group>
-        </xccdf-1.2:Group>
-        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_dns">
-          <xccdf-1.2:title>DNS Server</xccdf-1.2:title>
-          <xccdf-1.2:description>Most organizations have an operational need to run at
-least one nameserver. However, there are many common attacks
-involving DNS server software, and this server software should
-be disabled on any system
-on which it is not needed.</xccdf-1.2:description>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_disabling_dns_server">
-            <xccdf-1.2:title>Disable DNS Server</xccdf-1.2:title>
-            <xccdf-1.2:description>DNS software should be disabled on any systems which does not
-need to be a nameserver. Note that the BIND DNS server software is
-not installed on Red Hat Enterprise Linux CoreOS 4 by default. The remainder of this section
-discusses secure configuration of systems which must be
-nameservers.</xccdf-1.2:description>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_package_bind_removed" severity="low">
-              <xccdf-1.2:title>Uninstall bind Package</xccdf-1.2:title>
-              <xccdf-1.2:description>The <html:code>named</html:code> service is provided by the <html:code>bind</html:code> package.
-The <html:code>bind</html:code> package can be removed with the following command:
-<html:pre/></xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>If there is no need to make DNS server software available,
-removing it provides a safeguard against its activation.</xccdf-1.2:rationale>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-package_bind_removed:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-package_bind_removed_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-          </xccdf-1.2:Group>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_dns_server_isolation">
-            <xccdf-1.2:title>Isolate DNS from Other Services</xccdf-1.2:title>
-            <xccdf-1.2:description>This section discusses mechanisms for preventing the DNS server
-from interfering with other services. This is done both to protect the
-remainder of the network should a nameserver be compromised, and to make direct
-attacks on nameservers more difficult.</xccdf-1.2:description>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_dns_server_chroot">
-              <xccdf-1.2:title>Run DNS Software in a chroot Jail</xccdf-1.2:title>
-              <xccdf-1.2:description>Install the <html:code>bind-chroot</html:code> package:
-<html:pre>$ sudo yum install bind-chroot</html:pre>
-Place a valid named.conf file inside the chroot jail:
-<html:pre>$ sudo cp /etc/named.conf /var/named/chroot/etc/named.conf
-$ sudo chown root:root /var/named/chroot/etc/named.conf
-$ sudo chmod 644 /var/named/chroot/etc/named.conf</html:pre>
-Create and populate an appropriate zone directory within the jail, based on the
-options directive. If your <html:code>named.conf</html:code> includes:
-<html:pre>options {
-directory "/path/to/DIRNAME ";
-...
-}</html:pre>
-then copy that directory and its contents from the original zone directory:
-<html:pre>$ sudo cp -r /path/to/DIRNAME /var/named/chroot/DIRNAME</html:pre>
-Add or correct the following line within <html:code>/etc/sysconfig/named</html:code>:
-<html:pre>ROOTDIR=/var/named/chroot</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:warning category="general">If you are running BIND in a chroot jail, then you
-should use the jailed <html:code>named.conf</html:code> as the primary nameserver
-configuration file. That is, when this guide recommends editing
-<html:code>/etc/named.conf</html:code>, you should instead edit
-<html:code>/var/named/chroot/etc/named.conf</html:code>.</xccdf-1.2:warning>
-            </xccdf-1.2:Group>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_dns_server_dedicated">
-              <xccdf-1.2:title>Run DNS Software on Dedicated Servers</xccdf-1.2:title>
-              <xccdf-1.2:description>Since DNS is
-a high-risk service which must frequently be made available to the entire
-Internet, it is strongly recommended that no other services be offered by
-systems which act as organizational DNS servers.</xccdf-1.2:description>
-            </xccdf-1.2:Group>
-          </xccdf-1.2:Group>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_dns_server_protection">
-            <xccdf-1.2:title>Protect DNS Data from Tampering or Attack</xccdf-1.2:title>
-            <xccdf-1.2:description>This section discusses DNS configuration options which make it
-more difficult for attackers to gain access to private DNS data or to modify
-DNS data.</xccdf-1.2:description>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_dns_server_partition_with_views">
-              <xccdf-1.2:title>Use Views to Partition External and Internal Information</xccdf-1.2:title>
-              <xccdf-1.2:description>If it is not possible to run external and internal nameservers on
-separate physical systems, run BIND9 and simulate this feature using views.
-Edit <html:code>/etc/named.conf</html:code>. Add or correct the following directives (where
-SUBNET is the numerical IP representation of your organization in the form
-xxx.xxx.xxx.xxx/xx):
-<html:pre>acl internal {
-  SUBNET ;
-  localhost;
-};
-view "internal-view" {
-  match-clients { internal; };
-  zone "." IN {
-    type hint;
-    file "db.cache";
-  };
-  zone "internal.example.com " IN {
-    ...
-  };
-};
-
-view "external-view" {
-  match-clients { any; };
-  recursion no;
-  zone "example.com " IN {
-    ...
-  };
-};</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:warning category="general">As shown in the example, database files which are
-required for recursion, such as the root hints file, must be available to any
-clients which are allowed to make recursive queries. Under typical
-circumstances, this includes only the internal clients which are allowed to use
-this server as a general-purpose nameserver.</xccdf-1.2:warning>
-            </xccdf-1.2:Group>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_dns_server_separate_internal_external">
-              <xccdf-1.2:title>Run Separate DNS Servers for External and Internal Queries</xccdf-1.2:title>
-              <xccdf-1.2:description>Is it possible to run external and internal nameservers on
-separate systems? If so, follow the configuration guidance in this section. On
-the external nameserver, edit <html:code>/etc/named.conf</html:code> to add or correct the
-following directives:
-<html:pre>options {
-  allow-query { any; };
-  recursion no;
-  ...
-};
-zone "example.com " IN {
-  ...
-};</html:pre>
-On the internal nameserver, edit <html:code>/etc/named.conf</html:code>. Add or correct the
-following directives, where SUBNET is the numerical IP representation of your
-organization in the form xxx.xxx.xxx.xxx/xx:
-<html:pre>acl internal {
-  SUBNET ;
-  localhost;
-};
-options {
-  allow-query { internal; };
-  ...
-};
-zone "internal.example.com " IN {
-  ...
-};</html:pre></xccdf-1.2:description>
-            </xccdf-1.2:Group>
-          </xccdf-1.2:Group>
-        </xccdf-1.2:Group>
-        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_docker">
-          <xccdf-1.2:title>Docker Service</xccdf-1.2:title>
-          <xccdf-1.2:description>The docker service is necessary to create containers, which are
-  self-sufficient and self-contained applications using the resource
-  isolation features of the kernel.</xccdf-1.2:description>
-        </xccdf-1.2:Group>
-        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_fapolicyd">
-          <xccdf-1.2:title>Application Whitelisting Daemon</xccdf-1.2:title>
-          <xccdf-1.2:description>Fapolicyd (File Access Policy Daemon) implements application whitelisting
-to decide file access rights. Applications that are known via a reputation
-source are allowed access while unknown applications are not. The daemon
-makes use of the kernel's <html:code>fanotify</html:code> interface to determine file access rights.</xccdf-1.2:description>
-          <xccdf-1.2:platform idref="#machine"/>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_package_fapolicyd_installed" severity="medium">
-            <xccdf-1.2:title>Install fapolicyd Package</xccdf-1.2:title>
-            <xccdf-1.2:description>The <html:code>fapolicyd</html:code> package can be installed with the following command:
-<html:pre/></xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001764</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001774</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-4(22)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000370-GPOS-00155</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000368-GPOS-00154</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00230</xccdf-1.2:reference>
-            <xccdf-1.2:rationale><html:code>fapolicyd</html:code> (File Access Policy Daemon)
-implements application whitelisting to decide file access rights.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82533-1</xccdf-1.2:ident>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-package_fapolicyd_installed:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-package_fapolicyd_installed_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_service_fapolicyd_enabled" severity="medium">
-            <xccdf-1.2:title>Enable the File Access Policy Service</xccdf-1.2:title>
-            <xccdf-1.2:description>The File Access Policy service should be enabled.
-
-The <html:code>fapolicyd</html:code> service can be enabled with the following manifest:
-<html:pre>
----
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-metadata:
-  labels:
-    machineconfiguration.openshift.io/role: master
-  name: 75-master-fapolicyd-enable
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-      - name: fapolicyd.service
-        enabled: true
-</html:pre>
-<html:p>
-This will enable the <html:code>fapolicyd</html:code> service in all the
-nodes labeled with the "master" role.
-</html:p>
-<html:p>
-Note that this needs to be done for each <html:code>MachineConfigPool</html:code>
-</html:p>
-<html:p>
-For more information on how to configure nodes with the Machine Config
-Operator see
-<html:a href="https://docs.openshift.com/container-platform/4.6/post_installation_configuration/machine-configuration-tasks.html">the relevant documentation</html:a>.
-</html:p></xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001764</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001774</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SI-4(22)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000370-GPOS-00155</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000368-GPOS-00154</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00230</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>The <html:code>fapolicyd</html:code> service (File Access Policy Daemon)
-implements application whitelisting to decide file access rights.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82534-9</xccdf-1.2:ident>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-service_fapolicyd_enabled:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-service_fapolicyd_enabled_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_fapolicyd_prevent_home_folder_access" severity="medium">
-            <xccdf-1.2:title>fapolicyd Must be Configured to Limit Access to Users Home Folders</xccdf-1.2:title>
-            <xccdf-1.2:description>fapolicyd needs be configured so that users cannot give access to their home folders to other users.</xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6 b</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00230</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Users' home directories/folders may contain information of a sensitive nature.
-Non-privileged users should coordinate any sharing of information with a System Administrator (SA) through shared resources.
-fapolicyd can confine users to their home directory, not allowing them to make any changes outside of their own home directories.
-Confining users to their home directory will minimize the risk of sharing information.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-fapolicyd_prevent_home_folder_access_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-        </xccdf-1.2:Group>
-        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_ftp">
-          <xccdf-1.2:title>FTP Server</xccdf-1.2:title>
-          <xccdf-1.2:description>FTP is a common method for allowing remote access to
-files. Like telnet, the FTP protocol is unencrypted, which means
-that passwords and other data transmitted during the session can be
-captured and that the session is vulnerable to hijacking.
-Therefore, running the FTP server software is not recommended.
-<html:br/><html:br/>
-However, there are some FTP server configurations which may
-be appropriate for some environments, particularly those which
-allow only read-only anonymous access as a means of downloading
-data available to the public.</xccdf-1.2:description>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_disabling_vsftpd">
-            <xccdf-1.2:title>Disable vsftpd if Possible</xccdf-1.2:title>
-            <xccdf-1.2:description>To minimize attack surface, disable vsftpd if at all
-possible.</xccdf-1.2:description>
-          </xccdf-1.2:Group>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_ftp_configure_vsftpd">
-            <xccdf-1.2:title>Configure vsftpd to Provide FTP Service if Necessary</xccdf-1.2:title>
-            <xccdf-1.2:description>The primary vsftpd configuration file is
-<html:code>/etc/vsftpd.conf</html:code>, if that file exists, or
-<html:code>/etc/vsftpd/vsftpd.conf</html:code> if it does not.</xccdf-1.2:description>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_ftp_configure_firewall" severity="unknown">
-              <xccdf-1.2:title>Configure Firewalls to Protect the FTP Server</xccdf-1.2:title>
-              <xccdf-1.2:description>
-By default, <html:code>iptables</html:code>
-blocks access to the ports used by the web server.
-
-To configure <html:code>iptables</html:code> to allow port 21 traffic, one must edit
-<html:code>/etc/sysconfig/iptables</html:code> and
-<html:code>/etc/sysconfig/ip6tables</html:code> (if IPv6 is in use).
-Add the following line, ensuring that it appears before the final LOG and DROP lines for the INPUT chain:
-<html:pre>-A INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT</html:pre>
-Edit the file <html:code>/etc/sysconfig/iptables-config</html:code>. Ensure that the space-separated list of modules contains
-the FTP connection tracking module:
-<html:pre>IPTABLES_MODULES="ip_conntrack_ftp"</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:rationale>These settings configure the firewall to allow connections to an FTP server.
-
-
-The first line allows initial connections to the FTP server port.
-FTP is an older protocol which is not very compatible with firewalls. During the initial FTP dialogue, the client
-and server negotiate an arbitrary port to be used for data transfer. The <html:code>ip_conntrack_ftp</html:code>  module is used by
-iptables to listen to that dialogue and allow connections to the data ports which FTP negotiates. This allows an
-FTP server to operate on a system which is running a firewall.</xccdf-1.2:rationale>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_ftp_restrict_users">
-              <xccdf-1.2:title>Restrict the Set of Users Allowed to Access FTP</xccdf-1.2:title>
-              <xccdf-1.2:description>This section describes how to disable non-anonymous (password-based) FTP logins, or, if it is not possible to
-do this entirely due to legacy applications, how to restrict insecure FTP login to only those users who have an
-identified need for this access.</xccdf-1.2:description>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_ftp_limit_users" severity="unknown">
-                <xccdf-1.2:title>Limit Users Allowed FTP Access if Necessary</xccdf-1.2:title>
-                <xccdf-1.2:description>If there is a mission-critical reason for users to access their accounts via the insecure FTP protocol, limit the set of users who are allowed this access. Edit the vsftpd configuration file. Add or correct the following configuration options:
-<html:pre>userlist_enable=YES
-userlist_file=/etc/vsftp.ftpusers
-userlist_deny=NO</html:pre>
-Edit the file <html:code>/etc/vsftp.ftpusers</html:code>. For each user USERNAME who should be allowed to access the system via FTP, add a line containing that user's name:
-<html:pre>USERNAME</html:pre>
-If anonymous access is also required, add the anonymous usernames to <html:code>/etc/vsftp.ftpusers</html:code> as well.
-<html:pre>anonymous
-ftp</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:rationale>Historically, the file <html:code>/etc/ftpusers</html:code> contained a list of users who were not allowed to access the system via FTP. It was used to prevent system users such as the root user from logging in via the insecure FTP protocol. However, when the configuration option <html:code>userlist deny=NO</html:code> is set, vsftpd interprets ftpusers as the set of users who are allowed to login via FTP. Since it should be possible for most users to access their accounts via secure protocols, it is recommended that this setting be used, so that non-anonymous FTP access can be limited to legacy users who have been explicitly identified.</xccdf-1.2:rationale>
-              </xccdf-1.2:Rule>
-            </xccdf-1.2:Group>
-          </xccdf-1.2:Group>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_ftp_use_vsftpd">
-            <xccdf-1.2:title>Use vsftpd to Provide FTP Service if Necessary</xccdf-1.2:title>
-            <xccdf-1.2:description>If your use-case requires FTP service, install and
-set-up vsftpd to provide it.</xccdf-1.2:description>
-          </xccdf-1.2:Group>
-        </xccdf-1.2:Group>
-        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_http">
-          <xccdf-1.2:title>Web Server</xccdf-1.2:title>
-          <xccdf-1.2:description>The web server is responsible for providing access to
-content via the HTTP protocol. Web servers represent a significant
-security risk because:
-<html:br/><html:br/>
-<html:ul><html:li>The HTTP port is commonly probed by malicious sources</html:li><html:li>Web server software is very complex, and includes a long
-history of vulnerabilities</html:li><html:li>The HTTP protocol is unencrypted and vulnerable to passive
-monitoring</html:li></html:ul>
-<html:br/><html:br/>
-The system's default web server software is Apache 2 and is
-provided in the RPM package <html:code>httpd</html:code>.</xccdf-1.2:description>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_disabling_httpd">
-            <xccdf-1.2:title>Disable Apache if Possible</xccdf-1.2:title>
-            <xccdf-1.2:description>If Apache was installed and activated, but the system
-does not need to act as a web server, then it should be disabled
-and removed from the system.</xccdf-1.2:description>
-          </xccdf-1.2:Group>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_installing_httpd">
-            <xccdf-1.2:title>Install Apache if Necessary</xccdf-1.2:title>
-            <xccdf-1.2:description>If <html:code>httpd</html:code> was not installed and activated, but the system
-needs to act as a web server, then it should be installed on the system. Follow these
-guidelines to install it defensively. The <html:code>httpd</html:code> package can be installed with
-the following command:
-<html:pre>$ sudo yum install httpd</html:pre>
-This method of installation is recommended over installing the "Web Server"
-package group during the system installation process. The Web Server package
-group includes many packages which are likely extraneous, while the
-command-line method installs only the required <html:code>httpd</html:code> package itself.</xccdf-1.2:description>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_httpd_minimal_modules_installed">
-              <xccdf-1.2:title>Confirm Minimal Built-in Modules Installed</xccdf-1.2:title>
-              <xccdf-1.2:description>The default <html:code>httpd</html:code> installation minimizes the number of
-modules that are compiled directly into the binary (<html:code>core prefork http_core
-mod_so</html:code>). This minimizes risk by limiting the capabilities allowed by the
-web server.
-
-Query the set of compiled-in modules using the following command:
-<html:pre>$ httpd -l</html:pre>
-If the number of compiled-in modules is significantly larger than the
-aforementioned set, this guide recommends re-installing <html:code>httpd</html:code> with a
-reduced configuration. Minimizing the number of modules that are compiled into
-the <html:code>httpd</html:code> binary, reduces risk by limiting the capabilities allowed by
-the webserver.</xccdf-1.2:description>
-            </xccdf-1.2:Group>
-          </xccdf-1.2:Group>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_securing_httpd">
-            <xccdf-1.2:title>Secure Apache Configuration</xccdf-1.2:title>
-            <xccdf-1.2:description>The <html:code>httpd</html:code> configuration file is
-<html:code>/etc/httpd/conf/httpd.conf</html:code>. Apply the recommendations in the remainder
-of this section to this file.</xccdf-1.2:description>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_httpd_loglevel" type="string">
-              <xccdf-1.2:title>HTTPD Log Level</xccdf-1.2:title>
-              <xccdf-1.2:description>The setting for LogLevel in /etc/httpd/conf/httpd.conf</xccdf-1.2:description>
-              <xccdf-1.2:value selector="alert">alert</xccdf-1.2:value>
-              <xccdf-1.2:value selector="crit">crit</xccdf-1.2:value>
-              <xccdf-1.2:value>warn</xccdf-1.2:value>
-              <xccdf-1.2:value selector="emerg">emerg</xccdf-1.2:value>
-              <xccdf-1.2:value selector="error">error</xccdf-1.2:value>
-              <xccdf-1.2:value selector="warn">warn</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_max_keepalive_requests" type="number">
-              <xccdf-1.2:title>Maximum KeepAlive Requests for HTTPD</xccdf-1.2:title>
-              <xccdf-1.2:description>The setting for MaxKeepAliveRequests in httpd.conf</xccdf-1.2:description>
-              <xccdf-1.2:value selector="100">100</xccdf-1.2:value>
-              <xccdf-1.2:value selector="1000">1000</xccdf-1.2:value>
-              <xccdf-1.2:value selector="10000">10000</xccdf-1.2:value>
-              <xccdf-1.2:value selector="100000">100000</xccdf-1.2:value>
-              <xccdf-1.2:value selector="500">500</xccdf-1.2:value>
-              <xccdf-1.2:value>100</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_httpd_configure_os_protect_web_server">
-              <xccdf-1.2:title>Configure Operating System to Protect Web Server</xccdf-1.2:title>
-              <xccdf-1.2:description>The following configuration steps should be taken on the system which hosts the
-web server, in order to provide as safe an environment as possible for the web server.</xccdf-1.2:description>
-              <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_httpd_chroot">
-                <xccdf-1.2:title>Run httpd in a chroot Jail if Practical</xccdf-1.2:title>
-                <xccdf-1.2:description>Running <html:code>httpd</html:code> inside a <html:code>chroot</html:code> jail is designed to isolate the
-web server process to a small section of the filesystem, limiting the damage if
-it is compromised. Versions of Apache greater than 2.2.10 (such as the one
-included with Red Hat Enterprise Linux CoreOS 4) provide the <html:code>ChrootDir</html:code> directive. To run Apache
-inside a chroot jail in <html:code>/chroot/apache</html:code>, add the following line to
-<html:code>/etc/httpd/conf/httpd.conf</html:code>: <html:pre>ChrootDir /chroot/apache</html:pre> This
-necessitates placing all files required by <html:code>httpd</html:code> inside
-<html:code>/chroot/apache</html:code> , including <html:code>httpd</html:code>'s binaries, modules,
-configuration files, and served web pages. The details of this configuration
-are beyond the scope of this guide. This may also require additional SELinux
-configuration.</xccdf-1.2:description>
-              </xccdf-1.2:Group>
-              <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_httpd_restrict_file_dir_access">
-                <xccdf-1.2:title>Restrict File and Directory Access</xccdf-1.2:title>
-                <xccdf-1.2:description>Minimize access to critical <html:code>httpd</html:code> files and directories.</xccdf-1.2:description>
-              </xccdf-1.2:Group>
-            </xccdf-1.2:Group>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_httpd_configure_perl_securely">
-              <xccdf-1.2:title>Configure PERL Securely</xccdf-1.2:title>
-              <xccdf-1.2:description>PERL (Practical Extraction and Report Language) is an interpreted language
-optimized for scanning arbitrary text files, extracting information from those
-text files, and printing reports based on that information. The language is
-often used in shell scripting and is intended to be practical, easy to use, and
-efficient means of generating interactive web pages for the user.</xccdf-1.2:description>
-            </xccdf-1.2:Group>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_httpd_configure_php_securely">
-              <xccdf-1.2:title>Configure PHP Securely</xccdf-1.2:title>
-              <xccdf-1.2:description>PHP is a widely-used and often misconfigured server-side scripting language. It should
-be used with caution, but configured appropriately when needed.
-<html:br/><html:br/>
-Review <html:code>/etc/php.ini</html:code> and make the following changes if possible:
-<html:pre># Do not expose PHP error messages to external users
-display_errors = Off
-
-# Enable safe mode
-safe_mode = On
-
-# Only allow access to executables in isolated directory
-safe_mode_exec_dir = php-required-executables-path
-
-# Limit external access to PHP environment
-safe_mode_allowed_env_vars = PHP_
-
-# Restrict PHP information leakage
-expose_php = Off
-
-# Log all errors
-log_errors = On
-
-# Do not register globals for input data
-register_globals = Off
-
-# Minimize allowable PHP post size
-post_max_size = 1K
-
-# Ensure PHP redirects appropriately
-cgi.force_redirect = 0
-
-# Disallow uploading unless necessary
-file_uploads = Off
-
-# Disallow treatment of file requests as fopen calls
-allow_url_fopen = Off
-
-# Enable SQL safe mode
-sql.safe_mode = On
-</html:pre></xccdf-1.2:description>
-            </xccdf-1.2:Group>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_httpd_directory_restrictions">
-              <xccdf-1.2:title>Directory Restrictions</xccdf-1.2:title>
-              <xccdf-1.2:description>The Directory tags in the web server configuration file allow finer grained access
-control for a specified directory. All web directories should be configured on a
-case-by-case basis, allowing access only where needed.</xccdf-1.2:description>
-            </xccdf-1.2:Group>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_httpd_minimize_loadable_modules">
-              <xccdf-1.2:title>Minimize Web Server Loadable Modules</xccdf-1.2:title>
-              <xccdf-1.2:description>A default installation of <html:code>httpd</html:code> includes a plethora of dynamically shared objects (DSO)
-that are loaded at run-time. Unlike the aforementioned compiled-in modules, a DSO can be
-disabled in the configuration file by removing the corresponding LoadModule directive.
-<html:br/><html:br/>
-Note: A DSO only provides additional functionality if associated directives are included
-in the <html:code>httpd</html:code> configuration file. It should also be noted that removing a DSO will produce
-errors on <html:code>httpd</html:code> startup if the configuration file contains directives that apply to that
-module. Refer to <html:code><html:a href="http://httpd.apache.org/docs/">http://httpd.apache.org/docs/</html:a></html:code> for details on which directives
-are associated with each DSO.
-<html:br/><html:br/>
-Following each DSO removal, the configuration can be tested with the following command
-to check if everything still works:
-<html:pre>$ sudo service httpd configtest</html:pre>
-The purpose of each of the modules loaded by default will now be addressed one at a time.
-If none of a module's directives are being used, remove it.</xccdf-1.2:description>
-              <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_httpd_core_modules">
-                <xccdf-1.2:title>httpd Core Modules</xccdf-1.2:title>
-                <xccdf-1.2:description>These modules comprise a basic subset of modules that are likely needed for base <html:code>httpd</html:code>
-functionality; ensure they are not commented out in <html:code>/etc/httpd/conf/httpd.conf</html:code>:
-<html:pre>LoadModule auth_basic_module modules/mod_auth_basic.so
-LoadModule authn_default_module modules/mod_authn_default.so
-LoadModule authz_host_module modules/mod_authz_host.so
-LoadModule authz_user_module modules/mod_authz_user.so
-LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
-LoadModule authz_default_module modules/mod_authz_default.so
-LoadModule log_config_module modules/mod_log_config.so
-LoadModule logio_module modules/mod_logio.so
-LoadModule setenvif_module modules/mod_setenvif.so
-LoadModule mime_module modules/mod_mome.so
-LoadModule autoindex_module modules/mod_autoindex.so
-LoadModule negotiation_module modules/mod_negotiation.so
-LoadModule dir_module modules/mod_dir.so
-LoadModule alias_module modules/mod_alias.so</html:pre>
-Minimizing the number of loadable modules available to the web server reduces risk
-by limiting the capabilities allowed by the web server.</xccdf-1.2:description>
-                <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_httpd_basic_authentication">
-                  <xccdf-1.2:title>Minimize Modules for HTTP Basic Authentication</xccdf-1.2:title>
-                  <xccdf-1.2:description>The following modules are necessary if this web server will provide content that will
-be restricted by a password.
-<html:br/><html:br/>
-Authentication can be performed using local plain text password files (<html:code>authn_file</html:code>),
-local DBM password files (<html:code>authn_dbm</html:code>) or an LDAP directory. The only module required by
-the web server depends on your choice of authentication. Comment out the modules you don't
-need from the following:
-<html:pre>LoadModule authn_file_module modules/mod_authn_file.so
-LoadModule authn_dbm_module modules/mod_authn_dbm.so</html:pre>
-<html:code>authn_alias</html:code> allows for authentication based on aliases. <html:code>authn_anon</html:code>
-allows anonymous authentication similar to that of anonymous ftp sites. <html:code>authz_owner</html:code>
-allows authorization based on file ownership. <html:code>authz_dbm</html:code> allows for authorization
-based on group membership if the web server is using DBM authentication.
-<html:br/><html:br/>
-If the above functionality is unnecessary, comment out the related module:
-<html:pre>#LoadModule authn_alias_module modules/mod_authn_alias.so
-#LoadModule authn_anon_module modules/mod_authn_anon.so
-#LoadModule authz_owner_module modules/mod_authz_owner.so
-#LoadModule authz_dbm_module modules/mod_authz_dbm.so</html:pre></xccdf-1.2:description>
-                </xccdf-1.2:Group>
-                <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_httpd_minimize_config_files_included">
-                  <xccdf-1.2:title>Minimize Configuration Files Included</xccdf-1.2:title>
-                  <xccdf-1.2:description>The <html:code>Include</html:code> directive directs <html:code>httpd</html:code> to load supplementary configuration files
-from a provided path. The default configuration loads all files that end in <html:code>.conf</html:code>
-from the <html:code>/etc/httpd/conf.d</html:code> directory.
-<html:br/><html:br/>
-To restrict excess configuration, the following line should be commented out and
-replaced with <html:code>Include</html:code> directives that only reference required configuration files:
-<html:pre>#Include conf.d/*.conf</html:pre>
-If the above change was made, ensure that the SSL encryption remains loaded by
-explicitly including the corresponding configuration file:
-<html:pre>Include conf.d/ssl.conf</html:pre>
-If PHP is necessary, a similar alteration must be made:
-<html:pre>Include conf.d/php.conf</html:pre>
-
-Explicitly listing the configuration files to be loaded during web server start-up avoids
-the possibility of unwanted or malicious configuration files to be automatically included as
-part of the server's running configuration.</xccdf-1.2:description>
-                </xccdf-1.2:Group>
-                <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_httpd_optional_components">
-                  <xccdf-1.2:title>Minimize Various Optional Components</xccdf-1.2:title>
-                  <xccdf-1.2:description>The following modules perform very specific tasks, sometimes providing access to
-just a few additional directives. If such functionality is not required (or if you
-are not using these directives), comment out the associated module:
-<html:ul><html:li>External filtering (response passed through external program prior to client delivery)
-<html:pre>#LoadModule ext_filter_module modules/mod_ext_filter.so</html:pre></html:li><html:li>User-specified Cache Control and Expiration
-<html:pre>#LoadModule expires_module modules/mod_expires.so</html:pre></html:li><html:li>Compression Output Filter (provides content compression prior to client delivery)
-<html:pre>#LoadModule deflate_module modules/mod_deflate.so</html:pre></html:li><html:li>HTTP Response/Request Header Customization
-<html:pre>#LoadModule headers_module modules/mod_headers.so</html:pre></html:li><html:li>User activity monitoring via cookies
-<html:pre>#LoadModule usertrack_module modules/mod_usertrack.so</html:pre></html:li><html:li>Dynamically configured mass virtual hosting
-<html:pre>#LoadModule vhost_alias_module modules/mod_vhost_alias.so</html:pre></html:li></html:ul>
-Minimizing the number of loadable modules available to the web server reduces risk
-by limiting the capabilities allowed by the web server.</xccdf-1.2:description>
-                </xccdf-1.2:Group>
-              </xccdf-1.2:Group>
-            </xccdf-1.2:Group>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_httpd_modules_improve_security">
-              <xccdf-1.2:title>Use Appropriate Modules to Improve httpd's Security</xccdf-1.2:title>
-              <xccdf-1.2:description>Among the modules available for <html:code>httpd</html:code> are several whose use may improve the
-security of the web server installation. This section recommends and discusses
-the deployment of security-relevant modules.</xccdf-1.2:description>
-              <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_httpd_deploy_mod_security">
-                <xccdf-1.2:title>Deploy mod_security</xccdf-1.2:title>
-                <xccdf-1.2:description>The <html:code>security</html:code> module provides an application level firewall for <html:code>httpd</html:code>.
-Following its installation with the base ruleset, specific configuration advice can be found at
-
-    <html:a href="http://www.modsecurity.org/">http://www.modsecurity.org/</html:a> to design a policy that best matches the security needs of
-the web applications. Usage of <html:code>mod_security</html:code> is highly recommended for some environments,
-but it should be noted this module does not ship with Red Hat Enterprise Linux itself,
-and instead is provided via Extra Packages for Enterprise Linux (EPEL).
-For more information on EPEL please refer to 
-    <html:a href="http://fedoraproject.org/wiki/EPEL">http://fedoraproject.org/wiki/EPEL</html:a>.</xccdf-1.2:description>
-              </xccdf-1.2:Group>
-              <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_httpd_deploy_mod_ssl">
-                <xccdf-1.2:title>Deploy mod_ssl</xccdf-1.2:title>
-                <xccdf-1.2:description>Because HTTP is a plain text protocol, all traffic is susceptible to passive
-monitoring. If there is a need for confidentiality, SSL should be configured
-and enabled to encrypt content.
-<html:br/><html:br/>
-Note: <html:code>mod_nss</html:code> is a FIPS 140-2 certified alternative to <html:code>mod_ssl</html:code>.
-The modules share a considerable amount of code and should be nearly identical
-in functionality. If FIPS 140-2 validation is required, then <html:code>mod_nss</html:code> should
-be used. If it provides some feature or its greater compatibility is required,
-then <html:code>mod_ssl</html:code> should be used.</xccdf-1.2:description>
-              </xccdf-1.2:Group>
-            </xccdf-1.2:Group>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_httpd_restrict_info_leakage">
-              <xccdf-1.2:title>Restrict Web Server Information Leakage</xccdf-1.2:title>
-              <xccdf-1.2:description>The <html:code>ServerTokens</html:code> and <html:code>ServerSignature</html:code> directives determine how
-much information the web server discloses about the configuration of the
-system.</xccdf-1.2:description>
-            </xccdf-1.2:Group>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_httpd_secure_content">
-              <xccdf-1.2:title>Configure HTTPD-Served Web Content Securely</xccdf-1.2:title>
-              <xccdf-1.2:description>Running <html:code>httpd</html:code> inside a <html:code>chroot</html:code> jail is designed to isolate the
-web server process to a small section of the filesystem, limiting the damage if
-it is compromised. Versions of Apache greater than 2.2.10 (such as the one
-included with Red Hat Enterprise Linux 7) provide the <html:code>ChrootDir</html:code> directive. To run Apache
-inside a chroot jail in <html:code>/chroot/apache</html:code>, add the following line to
-<html:code>/etc/httpd/conf/httpd.conf</html:code>: <html:pre>ChrootDir /chroot/apache</html:pre> This
-necessitates placing all files required by <html:code>httpd</html:code> inside
-<html:code>/chroot/apache</html:code> , including <html:code>httpd</html:code>'s binaries, modules,
-configuration files, and served web pages. The details of this configuration
-are beyond the scope of this guide. This may also require additional SELinux
-configuration.</xccdf-1.2:description>
-              <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_web_login_banner_text" type="string">
-                <xccdf-1.2:title>Web Login Banner Verbiage</xccdf-1.2:title>
-                <xccdf-1.2:description>Enter an appropriate login banner for your organization. Please note that new lines must
-be expressed by the '\n' character and special characters like parentheses and quotation marks must be escaped with '\\'.</xccdf-1.2:description>
-                <xccdf-1.2:value selector="dod_banners">^(You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U\.S\.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG\-authorized[\s\n]+use[\s\n]+only\.[\s\n]+By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\)\,[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(?:[\n]+|(?:\\n)+)\-The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including\,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to\,[\s\n]+penetration[\s\n]+testing\,[\s\n]+COMSEC[\s\n]+monitoring\,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense\,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\)\,[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\)\,[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations\.(?:[\n]+|(?:\\n)+)\-At[\s\n]+any[\s\n]+time\,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS\.(?:[\n]+|(?:\\n)+)\-Communications[\s\n]+using\,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on\,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private\,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring\,[\s\n]+interception\,[\s\n]+and[\s\n]+search\,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG\-authorized[\s\n]+purpose\.(?:[\n]+|(?:\\n)+)\-This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e\.g\.\,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests\-\-not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy\.(?:[\n]+|(?:\\n)+)\-Notwithstanding[\s\n]+the[\s\n]+above\,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM\,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications\,[\s\n]+or[\s\n]+work[\s\n]+product\,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys\,[\s\n]+psychotherapists\,[\s\n]+or[\s\n]+clergy\,[\s\n]+and[\s\n]+their[\s\n]+assistants\.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential\.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details\.|I've[\s\n]+read[\s\n]+\&amp;[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem't\.)$</xccdf-1.2:value>
-                <xccdf-1.2:value selector="dod_default">^You[\s\n]+are[\s\n]+accessing[\s\n]+a[\s\n]+U\.S\.[\s\n]+Government[\s\n]+\(USG\)[\s\n]+Information[\s\n]+System[\s\n]+\(IS\)[\s\n]+that[\s\n]+is[\s\n]+provided[\s\n]+for[\s\n]+USG\-authorized[\s\n]+use[\s\n]+only\.[\s\n]+By[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+\(which[\s\n]+includes[\s\n]+any[\s\n]+device[\s\n]+attached[\s\n]+to[\s\n]+this[\s\n]+IS\)\,[\s\n]+you[\s\n]+consent[\s\n]+to[\s\n]+the[\s\n]+following[\s\n]+conditions\:(?:[\n]+|(?:\\n)+)\-The[\s\n]+USG[\s\n]+routinely[\s\n]+intercepts[\s\n]+and[\s\n]+monitors[\s\n]+communications[\s\n]+on[\s\n]+this[\s\n]+IS[\s\n]+for[\s\n]+purposes[\s\n]+including\,[\s\n]+but[\s\n]+not[\s\n]+limited[\s\n]+to\,[\s\n]+penetration[\s\n]+testing\,[\s\n]+COMSEC[\s\n]+monitoring\,[\s\n]+network[\s\n]+operations[\s\n]+and[\s\n]+defense\,[\s\n]+personnel[\s\n]+misconduct[\s\n]+\(PM\)\,[\s\n]+law[\s\n]+enforcement[\s\n]+\(LE\)\,[\s\n]+and[\s\n]+counterintelligence[\s\n]+\(CI\)[\s\n]+investigations\.(?:[\n]+|(?:\\n)+)\-At[\s\n]+any[\s\n]+time\,[\s\n]+the[\s\n]+USG[\s\n]+may[\s\n]+inspect[\s\n]+and[\s\n]+seize[\s\n]+data[\s\n]+stored[\s\n]+on[\s\n]+this[\s\n]+IS\.(?:[\n]+|(?:\\n)+)\-Communications[\s\n]+using\,[\s\n]+or[\s\n]+data[\s\n]+stored[\s\n]+on\,[\s\n]+this[\s\n]+IS[\s\n]+are[\s\n]+not[\s\n]+private\,[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+routine[\s\n]+monitoring\,[\s\n]+interception\,[\s\n]+and[\s\n]+search\,[\s\n]+and[\s\n]+may[\s\n]+be[\s\n]+disclosed[\s\n]+or[\s\n]+used[\s\n]+for[\s\n]+any[\s\n]+USG\-authorized[\s\n]+purpose\.(?:[\n]+|(?:\\n)+)\-This[\s\n]+IS[\s\n]+includes[\s\n]+security[\s\n]+measures[\s\n]+\(e\.g\.\,[\s\n]+authentication[\s\n]+and[\s\n]+access[\s\n]+controls\)[\s\n]+to[\s\n]+protect[\s\n]+USG[\s\n]+interests\-\-not[\s\n]+for[\s\n]+your[\s\n]+personal[\s\n]+benefit[\s\n]+or[\s\n]+privacy\.(?:[\n]+|(?:\\n)+)\-Notwithstanding[\s\n]+the[\s\n]+above\,[\s\n]+using[\s\n]+this[\s\n]+IS[\s\n]+does[\s\n]+not[\s\n]+constitute[\s\n]+consent[\s\n]+to[\s\n]+PM\,[\s\n]+LE[\s\n]+or[\s\n]+CI[\s\n]+investigative[\s\n]+searching[\s\n]+or[\s\n]+monitoring[\s\n]+of[\s\n]+the[\s\n]+content[\s\n]+of[\s\n]+privileged[\s\n]+communications\,[\s\n]+or[\s\n]+work[\s\n]+product\,[\s\n]+related[\s\n]+to[\s\n]+personal[\s\n]+representation[\s\n]+or[\s\n]+services[\s\n]+by[\s\n]+attorneys\,[\s\n]+psychotherapists\,[\s\n]+or[\s\n]+clergy\,[\s\n]+and[\s\n]+their[\s\n]+assistants\.[\s\n]+Such[\s\n]+communications[\s\n]+and[\s\n]+work[\s\n]+product[\s\n]+are[\s\n]+private[\s\n]+and[\s\n]+confidential\.[\s\n]+See[\s\n]+User[\s\n]+Agreement[\s\n]+for[\s\n]+details\.$</xccdf-1.2:value>
-                <xccdf-1.2:value selector="dod_short">^I've[\s\n]+read[\s\n]+\&amp;[\s\n]+consent[\s\n]+to[\s\n]+terms[\s\n]+in[\s\n]+IS[\s\n]+user[\s\n]+agreem't\.$</xccdf-1.2:value>
-                <xccdf-1.2:value selector="dss_odaa_default">^Use[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+constitutes[\s\n]+consent[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times\.[\s\n]+This[\s\n]+is[\s\n]+a[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system\.[\s\n]+All[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+and[\s\n]+related[\s\n]+equipment[\s\n]+are[\s\n]+intended[\s\n]+for[\s\n]+the[\s\n]+communication\,[\s\n]+transmission\,[\s\n]+processing\,[\s\n]+and[\s\n]+storage[\s\n]+of[\s\n]+official[\s\n]+U\.S\.[\s\n]+Government[\s\n]+or[\s\n]+other[\s\n]+authorized[\s\n]+information[\s\n]+only\.[\s\n]+All[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times[\s\n]+to[\s\n]+ensure[\s\n]+proper[\s\n]+functioning[\s\n]+of[\s\n]+equipment[\s\n]+and[\s\n]+systems[\s\n]+including[\s\n]+security[\s\n]+devices[\s\n]+and[\s\n]+systems\,[\s\n]+to[\s\n]+prevent[\s\n]+unauthorized[\s\n]+use[\s\n]+and[\s\n]+violations[\s\n]+of[\s\n]+statutes[\s\n]+and[\s\n]+security[\s\n]+regulations\,[\s\n]+to[\s\n]+deter[\s\n]+criminal[\s\n]+activity\,[\s\n]+and[\s\n]+for[\s\n]+other[\s\n]+similar[\s\n]+purposes\.[\s\n]+Any[\s\n]+user[\s\n]+of[\s\n]+a[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+should[\s\n]+be[\s\n]+aware[\s\n]+that[\s\n]+any[\s\n]+information[\s\n]+placed[\s\n]+in[\s\n]+the[\s\n]+system[\s\n]+is[\s\n]+subject[\s\n]+to[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+not[\s\n]+subject[\s\n]+to[\s\n]+any[\s\n]+expectation[\s\n]+of[\s\n]+privacy\.[\s\n]+If[\s\n]+monitoring[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+violation[\s\n]+of[\s\n]+criminal[\s\n]+statutes\,[\s\n]+this[\s\n]+evidence[\s\n]+and[\s\n]+any[\s\n]+other[\s\n]+related[\s\n]+information\,[\s\n]+including[\s\n]+identification[\s\n]+information[\s\n]+about[\s\n]+the[\s\n]+user\,[\s\n]+may[\s\n]+be[\s\n]+provided[\s\n]+to[\s\n]+law[\s\n]+enforcement[\s\n]+officials\.[\s\n]+If[\s\n]+monitoring[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+reveals[\s\n]+violations[\s\n]+of[\s\n]+security[\s\n]+regulations[\s\n]+or[\s\n]+unauthorized[\s\n]+use\,[\s\n]+employees[\s\n]+who[\s\n]+violate[\s\n]+security[\s\n]+regulations[\s\n]+or[\s\n]+make[\s\n]+unauthorized[\s\n]+use[\s\n]+of[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+systems[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+appropriate[\s\n]+disciplinary[\s\n]+action\.[\s\n]+Use[\s\n]+of[\s\n]+this[\s\n]+or[\s\n]+any[\s\n]+other[\s\n]+DoD[\s\n]+interest[\s\n]+computer[\s\n]+system[\s\n]+constitutes[\s\n]+consent[\s\n]+to[\s\n]+monitoring[\s\n]+at[\s\n]+all[\s\n]+times\.$</xccdf-1.2:value>
-                <xccdf-1.2:value selector="usgcb_default">^\-\-[\s\n]+WARNING[\s\n]+\-\-[\s\n]+This[\s\n]+system[\s\n]+is[\s\n]+for[\s\n]+the[\s\n]+use[\s\n]+of[\s\n]+authorized[\s\n]+users[\s\n]+only\.[\s\n]+Individuals[\s\n]+using[\s\n]+this[\s\n]+computer[\s\n]+system[\s\n]+without[\s\n]+authority[\s\n]+or[\s\n]+in[\s\n]+excess[\s\n]+of[\s\n]+their[\s\n]+authority[\s\n]+are[\s\n]+subject[\s\n]+to[\s\n]+having[\s\n]+all[\s\n]+their[\s\n]+activities[\s\n]+on[\s\n]+this[\s\n]+system[\s\n]+monitored[\s\n]+and[\s\n]+recorded[\s\n]+by[\s\n]+system[\s\n]+personnel\.[\s\n]+Anyone[\s\n]+using[\s\n]+this[\s\n]+system[\s\n]+expressly[\s\n]+consents[\s\n]+to[\s\n]+such[\s\n]+monitoring[\s\n]+and[\s\n]+is[\s\n]+advised[\s\n]+that[\s\n]+if[\s\n]+such[\s\n]+monitoring[\s\n]+reveals[\s\n]+possible[\s\n]+evidence[\s\n]+of[\s\n]+criminal[\s\n]+activity[\s\n]+system[\s\n]+personal[\s\n]+may[\s\n]+provide[\s\n]+the[\s\n]+evidence[\s\n]+of[\s\n]+such[\s\n]+monitoring[\s\n]+to[\s\n]+law[\s\n]+enforcement[\s\n]+officials\.$</xccdf-1.2:value>
-              </xccdf-1.2:Value>
-            </xccdf-1.2:Group>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_httpd_use_dos_protection_modules">
-              <xccdf-1.2:title>Use Denial-of-Service Protection Modules</xccdf-1.2:title>
-              <xccdf-1.2:description>Denial-of-service attacks are difficult to detect and prevent while maintaining
-acceptable access to authorized users. However, some traffic-shaping
-modules can be used to address the problem. Well-known DoS protection modules include:
-<html:pre>mod_cband mod_bwshare mod_limitipconn mod_evasive</html:pre>
-Denial-of-service prevention should be implemented for a web server if such a threat exists.
-However, specific configuration details are very dependent on the environment and often best left
-at the discretion of the administrator.</xccdf-1.2:description>
-            </xccdf-1.2:Group>
-          </xccdf-1.2:Group>
-        </xccdf-1.2:Group>
-        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_imap">
-          <xccdf-1.2:title>IMAP and POP3 Server</xccdf-1.2:title>
-          <xccdf-1.2:description>Dovecot provides IMAP and POP3 services. It is not
-installed by default. The project page at 
-    <html:a href="http://www.dovecot.org">http://www.dovecot.org</html:a>
-contains more detailed information about Dovecot
-configuration.</xccdf-1.2:description>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_configure_dovecot">
-            <xccdf-1.2:title>Configure Dovecot if Necessary</xccdf-1.2:title>
-            <xccdf-1.2:description>If the system will operate as an IMAP or
-POP3 server, the dovecot software should be configured securely by following
-the recommendations below.</xccdf-1.2:description>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_dovecot_allow_imap_access">
-              <xccdf-1.2:title>Allow IMAP Clients to Access the Server</xccdf-1.2:title>
-              <xccdf-1.2:description>
-The default iptables configuration does not allow inbound access to any services.
-This modification will allow remote hosts to initiate connections to the IMAP daemon,
-while keeping all other ports on the server in their default protected state.
-To configure <html:code>iptables</html:code> to allow port 143 traffic, one must edit
-<html:code>/etc/sysconfig/iptables</html:code> and
-<html:code>/etc/sysconfig/ip6tables</html:code> (if IPv6 is in use).
-Add the following line, ensuring that it appears before the final LOG and DROP lines for the INPUT chain:
-<html:pre>-A INPUT -m state --state NEW -p tcp --dport 143 -j ACCEPT</html:pre></xccdf-1.2:description>
-            </xccdf-1.2:Group>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_dovecot_enabling_ssl">
-              <xccdf-1.2:title>Enable SSL Support</xccdf-1.2:title>
-              <xccdf-1.2:description>SSL should be used to encrypt network traffic between the 
-Dovecot server and its clients. Users must authenticate to the Dovecot 
-server in order to read their mail, and passwords should never be 
-transmitted in clear text. In addition, protecting mail as it is 
-downloaded is a privacy measure, and clients may use SSL certificates 
-to authenticate the server, preventing another system from impersonating 
-the server.</xccdf-1.2:description>
-            </xccdf-1.2:Group>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_dovecot_support_necessary_protocols">
-              <xccdf-1.2:title>Support Only the Necessary Protocols</xccdf-1.2:title>
-              <xccdf-1.2:description>Dovecot supports the IMAP and POP3 protocols, as well as 
-SSL-protected versions of those protocols. Configure the Dovecot server 
-to support only the protocols needed by your site. Edit <html:code>/etc/dovecot/dovecot.conf</html:code>. 
-Add or correct the following lines, replacing <html:code>PROTOCOL</html:code> with 
-only the subset of protocols (<html:code>imap</html:code>, <html:code>imaps</html:code>, 
-<html:code>pop3</html:code>, <html:code>pop3s</html:code>) required:
-<html:pre>protocols = PROTOCOL</html:pre>
-If possible, require SSL protection for all transactions. The SSL 
-protocol variants listen on alternate ports (995 instead of 110 for 
-pop3s, and 993 instead of 143 for imaps), and require SSL-aware clients. 
-An alternate approach is to listen on the standard port and require the 
-client to use the STARTTLS command before authenticating.</xccdf-1.2:description>
-            </xccdf-1.2:Group>
-          </xccdf-1.2:Group>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_disabling_dovecot">
-            <xccdf-1.2:title>Disable Dovecot</xccdf-1.2:title>
-            <xccdf-1.2:description>If the system does not need to operate as an IMAP or
-POP3 server, the dovecot software should be disabled and removed.</xccdf-1.2:description>
-          </xccdf-1.2:Group>
-        </xccdf-1.2:Group>
-        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_kerberos">
-          <xccdf-1.2:title>Kerberos</xccdf-1.2:title>
-          <xccdf-1.2:description>The Kerberos protocol is used for authentication across
-non-secure network. Authentication can happen between
-various types of principals -- users, service, or hosts.
-Their identity and encryption keys can be stored in keytab
-files.</xccdf-1.2:description>
-          <xccdf-1.2:platform idref="#machine"/>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_kerberos_disable_no_keytab" severity="medium">
-            <xccdf-1.2:title>Disable Kerberos by removing host keytab</xccdf-1.2:title>
-            <xccdf-1.2:description>Kerberos is not an approved key distribution method for
-Common Criteria. To prevent using Kerberos by system daemons,
-remove the Kerberos keytab files, especially
-<html:code>/etc/krb5.keytab</html:code>.</xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000803</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="">0418</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="">1055</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="">1402</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FTP_ITC_EXT.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000120-GPOS-00061</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>The key derivation function (KDF) in Kerberos is not FIPS compatible.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-kerberos_disable_no_keytab:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-kerberos_disable_no_keytab_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-        </xccdf-1.2:Group>
-        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_ldap">
-          <xccdf-1.2:title>LDAP</xccdf-1.2:title>
-          <xccdf-1.2:description>LDAP is a popular directory service, that is, a
-standardized way of looking up information from a central database.
-Red Hat Enterprise Linux CoreOS 4 includes software that enables a system to act as both
-an LDAP client and server.</xccdf-1.2:description>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_openldap_client">
-            <xccdf-1.2:title>Configure OpenLDAP Clients</xccdf-1.2:title>
-            <xccdf-1.2:description>This section provides information on which security settings are
-important to configure in OpenLDAP clients by manually editing the appropriate
-configuration files.  Red Hat Enterprise Linux CoreOS 4 provides an automated configuration tool called
-authconfig and a graphical wrapper for authconfig called
-<html:code>system-config-authentication</html:code>. However, these tools do not provide as
-much control over configuration as manual editing of configuration files. The
-authconfig tools do not allow you to specify locations of SSL certificate
-files, which is useful when trying to use SSL cleanly across several protocols.
-Installation and configuration of OpenLDAP on Red Hat Enterprise Linux CoreOS 4 is available at</xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">Before configuring any system to be an
-LDAP client, ensure that a working LDAP server is present on the
-network.</xccdf-1.2:warning>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_package_openldap-clients_removed" severity="low">
-              <xccdf-1.2:title>Ensure LDAP client is not installed</xccdf-1.2:title>
-              <xccdf-1.2:description>The Lightweight Directory Access Protocol (LDAP) is a service that provides
-a method for looking up information from a central database.
-The <html:code>openldap-clients</html:code> package can be removed with the following command:
-<html:pre/></xccdf-1.2:description>
-              <xccdf-1.2:rationale>If the system does not need to act as an LDAP client, it is recommended that the software is removed to reduce the potential attack surface.</xccdf-1.2:rationale>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-package_openldap-clients_removed:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-package_openldap-clients_removed_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-          </xccdf-1.2:Group>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_openldap_server">
-            <xccdf-1.2:title>Configure OpenLDAP Server</xccdf-1.2:title>
-            <xccdf-1.2:description>This section details some security-relevant settings
-for an OpenLDAP server.</xccdf-1.2:description>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_ldap_server_config_certificate_files">
-              <xccdf-1.2:title>Install and Protect LDAP Certificate Files</xccdf-1.2:title>
-              <xccdf-1.2:description>Create the PKI directory for LDAP certificates if it does not already exist:
-<html:pre>$ sudo mkdir /etc/pki/tls/ldap
-$ sudo chown root:root /etc/pki/tls/ldap
-$ sudo chmod 755 /etc/pki/tls/ldap</html:pre>
-Using removable media or some other secure transmission format, install the certificate files
-onto the LDAP server:
-<html:ul><html:li><html:code>/etc/pki/tls/ldap/serverkey.pem</html:code>: the private key <html:code>ldapserverkey.pem</html:code></html:li><html:li><html:code>/etc/pki/tls/ldap/servercert.pem</html:code>: the certificate file <html:code>ldapservercert.pem</html:code></html:li></html:ul>
-Verify the ownership and permissions of these files:
-<html:pre>$ sudo chown root:ldap /etc/pki/tls/ldap/serverkey.pem
-$ sudo chown root:ldap /etc/pki/tls/ldap/servercert.pem
-$ sudo chmod 640 /etc/pki/tls/ldap/serverkey.pem
-$ sudo chmod 640 /etc/pki/tls/ldap/servercert.pem</html:pre>
-Verify that the CA's public certificate file has been installed as
-<html:code>/etc/pki/tls/CA/cacert.pem</html:code>, and has the correct permissions:
-<html:pre>$ sudo mkdir /etc/pki/tls/CA
-$ sudo chown root:root /etc/pki/tls/CA/cacert.pem
-$ sudo chmod 644 /etc/pki/tls/CA/cacert.pem</html:pre>
-
-As a result of these steps, the LDAP server will have access to its own private
-certificate and the key with which that certificate is encrypted, and to the
-public certificate file belonging to the CA. Note that it would be possible for
-the key to be protected further, so that processes running as ldap could not
-read it. If this were done, the LDAP server process would need to be restarted
-manually whenever the server rebooted.</xccdf-1.2:description>
-            </xccdf-1.2:Group>
-          </xccdf-1.2:Group>
-        </xccdf-1.2:Group>
-        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_mail">
-          <xccdf-1.2:title>Mail Server Software</xccdf-1.2:title>
-          <xccdf-1.2:description>Mail servers are used to send and receive email over the network.
-Mail is a very common service, and Mail Transfer Agents (MTAs) are obvious
-targets of network attack.
-Ensure that systems are not running MTAs unnecessarily,
-and configure needed MTAs as defensively as possible.
-<html:br/><html:br/>
-Very few systems at any site should be configured to directly receive email over the
-network. Users should instead use mail client programs to retrieve email
-from a central server that supports protocols such as IMAP or POP3.
-However, it is normal for most systems to be independently capable of sending email,
-for instance so that cron jobs can report output to an administrator.
-Most MTAs, including Postfix, support a submission-only mode in which mail can be sent from
-the local system to a central site MTA (or directly delivered to a local account),
-but the system still cannot receive mail directly over a network.
-<html:br/><html:br/>
-The <html:code>alternatives</html:code> program in Red Hat Enterprise Linux CoreOS 4 permits selection of other mail server software
-(such as Sendmail), but Postfix is the default and is preferred.
-Postfix was coded with security in mind and can also be more effectively contained by
-SELinux as its modular design has resulted in separate processes performing specific actions.
-More information is available on its website, 
-    <html:a href="http://www.postfix.org">http://www.postfix.org</html:a>.</xccdf-1.2:description>
-          <xccdf-1.2:platform idref="#machine"/>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_package_postfix_installed" severity="medium">
-            <xccdf-1.2:title>The Postfix package is installed</xccdf-1.2:title>
-            <xccdf-1.2:description>A mail server is required for sending emails.
-The <html:code>postfix</html:code> package can be installed with the following command:
-<html:pre/></xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000046-GPOS-00022</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Emails can be used to notify designated personnel about important
-system events such as failures or warnings.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-package_postfix_installed:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-package_postfix_installed_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_package_sendmail_removed" severity="medium">
-            <xccdf-1.2:title>Uninstall Sendmail Package</xccdf-1.2:title>
-            <xccdf-1.2:description>Sendmail is not the default mail transfer agent and is
-not installed by default.
-The <html:code>sendmail</html:code> package can be removed with the following command:
-<html:pre/></xccdf-1.2:description>
-            <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000381</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000095-GPOS-00049</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>The sendmail software was not developed with security in mind and
-its design prevents it from being effectively contained by SELinux.  Postfix
-should be used instead.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-package_sendmail_removed:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-package_sendmail_removed_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_postfix_client">
-            <xccdf-1.2:title>Configure SMTP For Mail Clients</xccdf-1.2:title>
-            <xccdf-1.2:description>This section discusses settings for Postfix in a submission-only
-e-mail configuration.</xccdf-1.2:description>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_postfix_inet_interfaces" type="string">
-              <xccdf-1.2:title>Postfix Network Interfaces</xccdf-1.2:title>
-              <xccdf-1.2:description>The setting for inet_interfaces in /etc/postfix/main.cf</xccdf-1.2:description>
-              <xccdf-1.2:value selector="loopback-only">loopback-only</xccdf-1.2:value>
-              <xccdf-1.2:value>loopback-only</xccdf-1.2:value>
-              <xccdf-1.2:value selector="localhost">localhost</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_postfix_relayhost" type="string">
-              <xccdf-1.2:title>Postfix relayhost</xccdf-1.2:title>
-              <xccdf-1.2:description>Specify the host all outbound email should be routed into.</xccdf-1.2:description>
-              <xccdf-1.2:value>smtp.$mydomain</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_postfix_root_mail_alias" type="string" interactive="true">
-              <xccdf-1.2:title>Postfix Root Mail Alias</xccdf-1.2:title>
-              <xccdf-1.2:description>Specify an email address (string) for a root mail alias.</xccdf-1.2:description>
-              <xccdf-1.2:value>system.administrator@mail.mil</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_postfix_client_configure_mail_alias" severity="medium">
-              <xccdf-1.2:title>Configure System to Forward All Mail For The Root Account</xccdf-1.2:title>
-              <xccdf-1.2:description>Make sure that mails delivered to root user are forwarded to a monitored
-email address. Make sure that the address
-<xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_postfix_root_mail_alias" use="legacy"/> is a valid email address
-reachable from the system in question. Use the following command to
-configure the alias:
-<html:pre>$ sudo echo "root: <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_postfix_root_mail_alias" use="legacy"/>" &gt;&gt; /etc/aliases
-$ sudo newaliases</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R49)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000139</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000046-GPOS-00022</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>A number of system services utilize email messages sent to the root user to
-notify system administrators of active or impending issues.  These messages must
-be forwarded to at least one monitored email address.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-export export-name="oval:ssg-var_postfix_root_mail_alias:var:1" value-id="xccdf_org.ssgproject.content_value_var_postfix_root_mail_alias"/>
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-postfix_client_configure_mail_alias:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-postfix_client_configure_mail_alias_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_postfix_client_configure_mail_alias_postmaster" severity="medium">
-              <xccdf-1.2:title>Configure System to Forward All Mail From Postmaster to The Root Account</xccdf-1.2:title>
-              <xccdf-1.2:description>Verify the administrators are notified in the event of an audit processing failure.
-Check that the "/etc/aliases" file has a defined value for "root".
-<html:pre>$ sudo grep "postmaster:\s*root$" /etc/aliases
-
-postmaster: root</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000139</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-5(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-5.1(ii)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000046-GPOS-00022</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>It is critical for the appropriate personnel to be aware if a system is at risk of failing to
-process audit logs as required. Without this notification, the security personnel may be
-unaware of an impending failure of the audit capability, and system operation may be adversely
-affected.
-
-Audit processing failures include software/hardware errors, failures in the audit capturing
-mechanisms, and audit storage capacity being reached or exceeded.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-postfix_client_configure_mail_alias_postmaster:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-postfix_client_configure_mail_alias_postmaster_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_postfix_client_configure_relayhost" severity="medium">
-              <xccdf-1.2:title>Configure System to Forward All Mail through a specific host</xccdf-1.2:title>
-              <xccdf-1.2:description>Set up a relay host that will act as a gateway for all outbound email.
-Edit the file <html:code>/etc/postfix/main.cf</html:code> to ensure that only the following
-<html:code>relayhost</html:code> line appears:
-<html:pre>relayhost = <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_postfix_relayhost" use="legacy"/></html:pre></xccdf-1.2:description>
-              <xccdf-1.2:rationale>A central outbound email location ensures messages sent from any network host
-can be audited for potential unexpected content.  Tooling on the central server
-may help prevent spam or viruses from being delivered.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#postfix"/>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-postfix_client_configure_relayhost_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-          </xccdf-1.2:Group>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_postfix_harden_os">
-            <xccdf-1.2:title>Configure Operating System to Protect Mail Server</xccdf-1.2:title>
-            <xccdf-1.2:description>The guidance in this section is appropriate for any host which is
-operating as a site MTA, whether the mail server runs using Sendmail, Postfix,
-or some other software.</xccdf-1.2:description>
-            <xccdf-1.2:platform idref="#postfix"/>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_postfix_configure_ssl_certs">
-              <xccdf-1.2:title>Configure SSL Certificates for Use with SMTP AUTH</xccdf-1.2:title>
-              <xccdf-1.2:description>If SMTP AUTH is to be used, the use of SSL to protect credentials in transit is strongly recommended.
-There are also configurations for which it may be desirable to encrypt all mail in transit from one MTA to another,
-though such configurations are beyond the scope of this guide. In either event, the steps for creating and installing
-an SSL certificate are independent of the MTA in use, and are described here.</xccdf-1.2:description>
-              <xccdf-1.2:platform idref="#postfix"/>
-              <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_postfix_install_ssl_cert">
-                <xccdf-1.2:title>Ensure Security of Postfix SSL Certificate</xccdf-1.2:title>
-                <xccdf-1.2:description>Create the PKI directory for mail certificates, if it does not already exist:
-<html:pre>$ sudo mkdir /etc/pki/tls/mail
-$ sudo chown root:root /etc/pki/tls/mail
-$ sudo chmod 755 /etc/pki/tls/mail</html:pre>
-Using removable media or some other secure transmission format, install the files generated in the previous
-step onto the mail server:
-<html:pre>/etc/pki/tls/mail/serverkey.pem: the private key mailserverkey.pem
-/etc/pki/tls/mail/servercert.pem: the certificate file mailservercert.pem</html:pre>
-Verify the ownership and permissions of these files:
-<html:pre>$ sudo chown root:root /etc/pki/tls/mail/serverkey.pem
-$ sudo chown root:root /etc/pki/tls/mail/servercert.pem
-$ sudo chmod 600 /etc/pki/tls/mail/serverkey.pem
-$ sudo chmod 644 /etc/pki/tls/mail/servercert.pem</html:pre>
-Verify that the CA's public certificate file has been installed as <html:code>/etc/pki/tls/CA/cacert.pem</html:code>, and has the
-correct permissions:
-<html:pre>$ sudo chown root:root /etc/pki/tls/CA/cacert.pem
-$ sudo chmod 644 /etc/pki/tls/CA/cacert.pem</html:pre></xccdf-1.2:description>
-                <xccdf-1.2:platform idref="#postfix"/>
-              </xccdf-1.2:Group>
-            </xccdf-1.2:Group>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_postfix_server_cfg">
-              <xccdf-1.2:title>Configure Postfix if Necessary</xccdf-1.2:title>
-              <xccdf-1.2:description>Postfix stores its configuration files in the directory
-/etc/postfix by default. The primary configuration file is
-<html:code>/etc/postfix/main.cf</html:code>.</xccdf-1.2:description>
-              <xccdf-1.2:platform idref="#postfix"/>
-              <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_postfix_server_dos">
-                <xccdf-1.2:title>Configure Postfix Resource Usage to Limit Denial of Service Attacks</xccdf-1.2:title>
-                <xccdf-1.2:description>Edit <html:code>/etc/postfix/main.cf</html:code>. Edit the following lines to
-configure the amount of system resources Postfix can consume:
-<html:pre>default_process_limit = 100
-smtpd_client_connection_count_limit = 10
-smtpd_client_connection_rate_limit = 30
-queue_minfree = 20971520
-header_size_limit = 51200
-message_size_limit = 10485760
-smtpd_recipient_limit = 100</html:pre>
-The values here are examples.</xccdf-1.2:description>
-                <xccdf-1.2:warning category="general">Note: The values given here are examples, and may
-need to be modified for any particular site. By default, the Postfix anvil
-process gathers mail receipt statistics. To get information about about what
-connection rates are typical at your site, look in <html:code>/var/log/maillog</html:code>
-for lines with the daemon name postfix/anvil.</xccdf-1.2:warning>
-                <xccdf-1.2:platform idref="#postfix"/>
-              </xccdf-1.2:Group>
-              <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_postfix_server_relay">
-                <xccdf-1.2:title>Control Mail Relaying</xccdf-1.2:title>
-                <xccdf-1.2:description>Postfix's mail relay controls are implemented with the help of the
-smtpd recipient restrictions option, which controls the restrictions placed on
-the SMTP dialogue once the sender and recipient envelope addresses are known.
-The guidance in the following sections should be applied to all systems. If
-there are systems which must be allowed to relay mail, but which cannot be
-trusted to relay unconditionally, configure SMTP AUTH with SSL support.</xccdf-1.2:description>
-                <xccdf-1.2:platform idref="#postfix"/>
-                <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_postfix_server_mail_smtpd_recipient_restrictions">
-                  <xccdf-1.2:title>Enact SMTP Recipient Restrictions</xccdf-1.2:title>
-                  <xccdf-1.2:description>To configure Postfix to restrict addresses to which it
-will send mail, see:
-
-    <html:a href="http://www.postfix.org/SMTPD_ACCESS_README.html#danger">http://www.postfix.org/SMTPD_ACCESS_README.html#danger</html:a>
-<html:br/>
-The full contents of <html:code>smtpd_recipient_restrictions</html:code> will
-vary by site, since this is a common place to put spam restrictions and other
-site-specific options. The <html:code>permit_mynetworks</html:code> option allows all mail to
-be relayed from the systems in <html:code>mynetworks</html:code>. Then, the
-<html:code>reject_unauth_destination</html:code> option denies all mail whose destination
-address is not local, preventing any other systems from relaying. These two
-options should always appear in this order, and should usually follow one
-another immediately unless SMTP AUTH is used.</xccdf-1.2:description>
-                  <xccdf-1.2:platform idref="#postfix"/>
-                </xccdf-1.2:Group>
-                <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_postfix_server_mail_smtpd_relay_restrictions">
-                  <xccdf-1.2:title>Enact SMTP Relay Restrictions</xccdf-1.2:title>
-                  <xccdf-1.2:description>To configure Postfix to restrict addresses to which it
-will send mail, see:
-
-    <html:a href="http://www.postfix.org/SMTPD_ACCESS_README.html#danger">http://www.postfix.org/SMTPD_ACCESS_README.html#danger</html:a>
-<html:br/>
-The full contents of <html:code>smtpd_recipient_restrictions</html:code> will
-vary by site, since this is a common place to put spam restrictions and other
-site-specific options. The <html:code>permit_mynetworks</html:code> option allows all mail to
-be relayed from the systems in <html:code>mynetworks</html:code>. Then, the
-<html:code>reject_unauth_destination</html:code> option denies all mail whose destination
-address is not local, preventing any other systems from relaying. These two
-options should always appear in this order, and should usually follow one
-another immediately unless SMTP AUTH is used.</xccdf-1.2:description>
-                  <xccdf-1.2:platform idref="#postfix"/>
-                </xccdf-1.2:Group>
-                <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_postfix_server_relay_require_tls">
-                  <xccdf-1.2:title>Use TLS for SMTP AUTH</xccdf-1.2:title>
-                  <xccdf-1.2:description>Postfix provides options to use TLS for certificate-based
-authentication and encrypted sessions. An encrypted session protects the
-information that is transmitted with SMTP mail or with SASL authentication.
-To configure Postfix to protect all SMTP AUTH transactions
-using TLS, see 
-    <html:a href="http://www.postfix.org/TLS_README.html">http://www.postfix.org/TLS_README.html</html:a>.</xccdf-1.2:description>
-                  <xccdf-1.2:platform idref="#postfix"/>
-                </xccdf-1.2:Group>
-                <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_postfix_server_relay_set_trusted">
-                  <xccdf-1.2:title>Configure Trusted Networks and Hosts</xccdf-1.2:title>
-                  <xccdf-1.2:description>Edit <html:code>/etc/postfix/main.cf</html:code>, and configure the contents of
-the <html:code>mynetworks</html:code> variable in one of the following ways:
-<html:ul><html:li>If any system in the subnet containing the MTA may be trusted to relay
-messages, add or correct the following line:
-<html:pre>mynetworks_style = subnet</html:pre>
-This is also the default setting, and is in effect if all
-<html:code>my_networks_style</html:code> directives are commented.</html:li><html:li>If only the MTA host itself is trusted to relay messages, add or correct
-the following line:
-<html:pre>mynetworks_style = host</html:pre></html:li><html:li>If the set of systems which can relay is more complicated, manually
-specify an entry for each netblock or IP address which is trusted to relay by
-setting the <html:code>mynetworks</html:code> variable directly:
-<html:pre>mynetworks = 10.0.0.0/16, 192.168.1.0/24, 127.0.0.1</html:pre></html:li></html:ul></xccdf-1.2:description>
-                  <xccdf-1.2:platform idref="#postfix"/>
-                </xccdf-1.2:Group>
-                <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_postfix_server_relay_smtp_auth_for_untrusted">
-                  <xccdf-1.2:title>Require SMTP AUTH Before Relaying from Untrusted Clients</xccdf-1.2:title>
-                  <xccdf-1.2:description>SMTP authentication allows remote clients to relay mail safely by
-requiring them to authenticate before submitting mail. Postfix's SMTP AUTH uses
-an authentication library called SASL, which is not part of Postfix itself.  To
-enable the use of SASL authentication, see
-
-    <html:a href="http://www.postfix.org/SASL_README.html">http://www.postfix.org/SASL_README.html</html:a></xccdf-1.2:description>
-                  <xccdf-1.2:platform idref="#postfix"/>
-                </xccdf-1.2:Group>
-              </xccdf-1.2:Group>
-            </xccdf-1.2:Group>
-          </xccdf-1.2:Group>
-        </xccdf-1.2:Group>
-        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_nfs_and_rpc">
-          <xccdf-1.2:title>NFS and RPC</xccdf-1.2:title>
-          <xccdf-1.2:description>The Network File System is a popular distributed filesystem for
-the Unix environment, and is very widely deployed.  This section discusses the
-circumstances under which it is possible to disable NFS and its dependencies,
-and then details steps which should be taken to secure
-NFS's configuration. This section is relevant to systems operating as NFS
-clients, as well as to those operating as NFS servers.</xccdf-1.2:description>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_disabling_nfs">
-            <xccdf-1.2:title>Disable All NFS Services if Possible</xccdf-1.2:title>
-            <xccdf-1.2:description>If there is not a reason for the system to operate as either an
-NFS client or an NFS server, follow all instructions in this section to disable
-subsystems required by NFS.</xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">The steps in this section will prevent a system
-from operating as either an NFS client or an NFS server. Only perform these
-steps on systems which do not need NFS at all.</xccdf-1.2:warning>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_disabling_netfs">
-              <xccdf-1.2:title>Disable netfs if Possible</xccdf-1.2:title>
-              <xccdf-1.2:description>To determine if any network filesystems handled by netfs are
-currently mounted on the system execute the following command:
-<html:pre>$ mount -t nfs,nfs4,smbfs,cifs,ncpfs</html:pre>
-If the command did not return any output then disable netfs.</xccdf-1.2:description>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_service_netfs_disabled" severity="unknown">
-                <xccdf-1.2:title>Disable Network File Systems (netfs)</xccdf-1.2:title>
-                <xccdf-1.2:description>The netfs script manages the boot-time mounting of several types
-of networked filesystems, of which NFS and Samba are the most common. If these
-filesystem types are not in use, the script can be disabled, protecting the
-system somewhat against accidental or malicious changes to <html:code>/etc/fstab</html:code>
-and against flaws in the netfs script itself.
-
-The <html:code>netfs</html:code> service can be disabled with the following manifest:
-<html:pre>
----
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-metadata:
-  labels:
-    machineconfiguration.openshift.io/role: master
-  name: 75-master-netfs-disable
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-      - enabled: false
-        name: netfs.service
-</html:pre>
-<html:p>
-This will disable the <html:code>netfs</html:code> service in all the
-nodes labeled with the "master" role.
-</html:p>
-<html:p>
-Note that this needs to be done for each <html:code>MachineConfigPool</html:code>
-</html:p>
-<html:p>
-For more information on how to configure nodes with the Machine Config
-Operator see
-<html:a href="https://docs.openshift.com/container-platform/4.6/post_installation_configuration/machine-configuration-tasks.html">the relevant documentation</html:a>.
-</html:p></xccdf-1.2:description>
-                <xccdf-1.2:rationale/>
-                <xccdf-1.2:platform idref="#machine"/>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:ignition" id="service_netfs_disabled" complexity="low" disruption="medium" reboot="true" strategy="disable">apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-      - name: netfs.service
-        enabled: false
-        mask: true
-      - name: netfs.socket
-        enabled: false
-        mask: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="service_netfs_disabled" complexity="low" disruption="medium" reboot="true" strategy="disable">apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-      - name: netfs.service
-        enabled: false
-        mask: true
-      - name: netfs.socket
-        enabled: false
-        mask: true
-</xccdf-1.2:fix>
-                <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                  <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-service_netfs_disabled:def:1"/>
-                </xccdf-1.2:check>
-              </xccdf-1.2:Rule>
-            </xccdf-1.2:Group>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_disabling_nfs_services">
-              <xccdf-1.2:title>Disable Services Used Only by NFS</xccdf-1.2:title>
-              <xccdf-1.2:description>If NFS is not needed, disable the NFS client daemons nfslock, rpcgssd, and rpcidmapd.
-<html:br/><html:br/>
-All of these daemons run with elevated privileges, and many listen for network
-connections. If they are not needed, they should be disabled to improve system
-security posture.</xccdf-1.2:description>
-              <xccdf-1.2:platform idref="#machine"/>
-            </xccdf-1.2:Group>
-          </xccdf-1.2:Group>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_nfs_configuring_all_machines">
-            <xccdf-1.2:title>Configure All Systems which Use NFS</xccdf-1.2:title>
-            <xccdf-1.2:description>The steps in this section are appropriate for all systems which
-run NFS, whether they operate as clients or as servers.</xccdf-1.2:description>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_nfs_client_or_server_not_both">
-              <xccdf-1.2:title>Make Each System a Client or a Server, not Both</xccdf-1.2:title>
-              <xccdf-1.2:description>If NFS must be used, it should be deployed in the simplest
-configuration possible to avoid maintainability problems which may lead to
-unnecessary security exposure. Due to the reliability and security problems
-caused by NFS (specially NFSv3 and NFSv2), it is not a good idea for systems
-which act as NFS servers to also mount filesystems via NFS. At the least,
-crossed mounts (the situation in which each of two servers mounts a filesystem
-from the other) should never be used.</xccdf-1.2:description>
-            </xccdf-1.2:Group>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_nfs_configure_fixed_ports">
-              <xccdf-1.2:title>Configure NFS Services to Use Fixed Ports (NFSv3 and NFSv2)</xccdf-1.2:title>
-              <xccdf-1.2:description>Firewalling should be done at each host and at the border
-firewalls to protect the NFS daemons from remote access, since NFS servers
-should never be accessible from outside the organization. However, by default
-for NFSv3 and NFSv2, the RPC Bind service assigns each NFS service to a port
-dynamically at service startup time. Dynamic ports cannot be protected by port
-
-filtering firewalls such as <html:code>iptables</html:code>.
-
-<html:br/><html:br/>
-Therefore, restrict each service to always use a given port, so that
-firewalling can be done effectively. Note that, because of the way RPC is
-implemented, it is not possible to disable the RPC Bind service even if ports
-are assigned statically to all RPC services.
-<html:br/><html:br/>
-In NFSv4, the mounting and locking protocols have been incorporated into the
-protocol, and the server listens on the the well-known TCP port 2049. As such,
-NFSv4 does not need to interact with the <html:code>rpcbind, lockd, and rpc.statd</html:code>
-daemons, which can and should be disabled in a pure NFSv4 environment. The
-<html:code>rpc.mountd</html:code> daemon is still required on the NFS server to setup
-exports, but is not involved in any over-the-wire operations.</xccdf-1.2:description>
-            </xccdf-1.2:Group>
-          </xccdf-1.2:Group>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_nfs_configuring_clients">
-            <xccdf-1.2:title>Configure NFS Clients</xccdf-1.2:title>
-            <xccdf-1.2:description>The steps in this section are appropriate for systems which operate as NFS clients.</xccdf-1.2:description>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_disabling_nfsd">
-              <xccdf-1.2:title>Disable NFS Server Daemons</xccdf-1.2:title>
-              <xccdf-1.2:description>There is no need to run the NFS server daemons <html:code>nfs</html:code> and
-<html:code>rpcsvcgssd</html:code> except on a small number of properly secured systems
-designated as NFS servers. Ensure that these daemons are turned off on
-clients.</xccdf-1.2:description>
-            </xccdf-1.2:Group>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_mounting_remote_filesystems">
-              <xccdf-1.2:title>Mount Remote Filesystems with Restrictive Options</xccdf-1.2:title>
-              <xccdf-1.2:description>Edit the file <html:code>/etc/fstab</html:code>. For each filesystem whose type
-(column 3) is <html:code>nfs</html:code> or <html:code>nfs4</html:code>, add the text
-<html:code>,nodev,nosuid</html:code> to the list of mount options in column 4. If
-appropriate, also add <html:code>,noexec</html:code>.
-<html:br/><html:br/>
-See the section titled "Restrict Partition Mount Options" for a description of
-the effects of these options. In general, execution of files mounted via NFS
-should be considered risky because of the possibility that an adversary could
-intercept the request and substitute a malicious file. Allowing setuid files to
-be executed from remote servers is particularly risky, both for this reason and
-because it requires the clients to extend root-level trust to the NFS
-server.</xccdf-1.2:description>
-              <xccdf-1.2:platform idref="#machine"/>
-            </xccdf-1.2:Group>
-          </xccdf-1.2:Group>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_nfs_configuring_servers">
-            <xccdf-1.2:title>Configure NFS Servers</xccdf-1.2:title>
-            <xccdf-1.2:description>The steps in this section are appropriate for systems which operate as NFS servers.</xccdf-1.2:description>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_no_all_squash_exports" severity="low">
-              <xccdf-1.2:title>Ensure All-Squashing Disabled On All Exports</xccdf-1.2:title>
-              <xccdf-1.2:description>The <html:code>all_squash</html:code> maps all uids and gids to an anonymous user.
-This should be disabled by removing any instances of the
-<html:code>all_squash</html:code> option from the file <html:code>/etc/exports</html:code>.</xccdf-1.2:description>
-              <xccdf-1.2:rationale>The all_squash option maps all client requests to a single anonymous
-uid/gid on the NFS server, negating the ability to track file access
-by user ID.</xccdf-1.2:rationale>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-no_all_squash_exports_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_configure_exports_restrictively">
-              <xccdf-1.2:title>Configure the Exports File Restrictively</xccdf-1.2:title>
-              <xccdf-1.2:description>Linux's NFS implementation uses the file <html:code>/etc/exports</html:code> to control what filesystems
-and directories may be accessed via NFS. (See the <html:code>exports(5)</html:code> manpage for more information about the
-format of this file.)
-<html:br/><html:br/>
-The syntax of the <html:code>exports</html:code> file is not necessarily checked fully on reload, and syntax errors
-can leave your NFS configuration more open than intended. Therefore, exercise caution when modifying
-the file.
-<html:br/><html:br/>
-The syntax of each line in <html:code>/etc/exports</html:code> is:
-<html:pre>/DIR	host1(opt1,opt2) host2(opt3)</html:pre>
-where <html:code>/DIR</html:code> is a directory or filesystem to export, <html:code>hostN</html:code> is an IP address, netblock,
-hostname, domain, or netgroup to which to export, and <html:code>optN</html:code> is an option.</xccdf-1.2:description>
-            </xccdf-1.2:Group>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_export_filesystems_read_only">
-              <xccdf-1.2:title>Export Filesystems Read-Only if Possible</xccdf-1.2:title>
-              <xccdf-1.2:description>If a filesystem is being exported so that users can view the files in a convenient
-fashion, but there is no need for users to edit those files, exporting the filesystem read-only
-removes an attack vector against the server. The default filesystem export mode is <html:code>ro</html:code>,
-so do not specify <html:code>rw</html:code> without a good reason.</xccdf-1.2:description>
-            </xccdf-1.2:Group>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_use_acl_enforce_auth_restrictions">
-              <xccdf-1.2:title>Use Access Lists to Enforce Authorization Restrictions</xccdf-1.2:title>
-              <xccdf-1.2:description>When configuring NFS exports, ensure that each export line in <html:code>/etc/exports</html:code> contains
-a list of hosts which are allowed to access that export. If no hosts are specified on an export line,
-then that export is available to any remote host which requests it. All lines of the exports file should
-specify the hosts (or subnets, if needed) which are allowed to access the exported directory, so that
-unknown or remote hosts will be denied.
-<html:br/><html:br/>
-Authorized hosts can be specified in several different formats:
-<html:ul><html:li>Name or alias that is recognized by the resolver</html:li><html:li>Fully qualified domain name</html:li><html:li>IP address</html:li><html:li>IP subnets in the format <html:code>address/netmask</html:code> or <html:code>address/CIDR</html:code></html:li></html:ul></xccdf-1.2:description>
-            </xccdf-1.2:Group>
-          </xccdf-1.2:Group>
-        </xccdf-1.2:Group>
-        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_ntp">
-          <xccdf-1.2:title>Network Time Protocol</xccdf-1.2:title>
-          <xccdf-1.2:description>The Network Time Protocol is used to manage the system
-clock over a network. Computer clocks are not very accurate, so
-time will drift unpredictably on unmanaged systems. Central time
-protocols can be used both to ensure that time is consistent among
-a network of systems, and that their time is consistent with the
-outside world.
-<html:br/><html:br/>
-If every system on a network reliably reports the same time, then it is much
-easier to correlate log messages in case of an attack. In addition, a number of
-cryptographic protocols (such as Kerberos) use timestamps to prevent certain
-types of attacks. If your network does not have synchronized time, these
-protocols may be unreliable or even unusable.
-<html:br/><html:br/>
-Depending on the specifics of the network, global time accuracy may be just as
-important as local synchronization, or not very important at all. If your
-network is connected to the Internet, using a public timeserver (or one
-provided by your enterprise) provides globally accurate timestamps which may be
-essential in investigating or responding to an attack which originated outside
-of your network.
-<html:br/><html:br/>
-A typical network setup involves a small number of internal systems operating
-as NTP servers, and the remainder obtaining time information from those
-internal servers.
-<html:br/><html:br/>
-There is a choice between the daemons <html:code>ntpd</html:code> and <html:code>chronyd</html:code>, which
-are available from the repositories in the <html:code>ntp</html:code> and <html:code>chrony</html:code>
-packages respectively.
-<html:br/><html:br/>
-The default <html:code>chronyd</html:code> daemon can work well when external time references
-are only intermittently accesible, can perform well even when the network is
-congested for longer periods of time, can usually synchronize the clock faster
-and with better time accuracy, and quickly adapts to sudden changes in the rate
-of the clock, for example, due to changes in the temperature of the crystal
-oscillator. <html:code>Chronyd</html:code> should be considered for all systems which are
-frequently suspended or otherwise intermittently disconnected and reconnected
-to a network. Mobile and virtual systems for example.
-<html:br/><html:br/>
-The <html:code>ntpd</html:code> NTP daemon fully supports NTP protocol version 4 (RFC 5905),
-including broadcast, multicast, manycast clients and servers, and the orphan
-mode. It also supports extra authentication schemes based on public-key
-cryptography (RFC 5906). The NTP daemon (<html:code>ntpd</html:code>) should be considered
-for systems which are normally kept permanently on. Systems which are required
-to use broadcast or multicast IP, or to perform authentication of packets with
-the <html:code>Autokey</html:code> protocol, should consider using <html:code>ntpd</html:code>.
-<html:br/><html:br/>
-Refer to
-
-    
-    <html:a href="https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/servers/Configuring_NTP_Using_the_chrony_Suite/">https://docs.fedoraproject.org/en-US/fedora/rawhide/system-administrators-guide/servers/Configuring_NTP_Using_the_chrony_Suite/</html:a>
-
-for more detailed comparison of features of <html:code>chronyd</html:code>
-and <html:code>ntpd</html:code> daemon features respectively, and for further guidance how to
-choose between the two NTP daemons.
-<html:br/><html:br/>
-The upstream manual pages at 
-    <html:a href="http://chrony.tuxfamily.org/manual.html">http://chrony.tuxfamily.org/manual.html</html:a> for
-<html:code>chronyd</html:code> and 
-    <html:a href="http://www.ntp.org">http://www.ntp.org</html:a> for <html:code>ntpd</html:code> provide additional
-information on the capabilities and configuration of each of the NTP daemons.</xccdf-1.2:description>
-          <xccdf-1.2:platform idref="#machine"/>
-          <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_multiple_time_servers" type="string" interactive="true">
-            <xccdf-1.2:title>Vendor Approved Time Servers</xccdf-1.2:title>
-            <xccdf-1.2:description>The list of vendor-approved time servers</xccdf-1.2:description>
-            <xccdf-1.2:value>0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org</xccdf-1.2:value>
-            <xccdf-1.2:value selector="fedora">0.fedora.pool.ntp.org,1.fedora.pool.ntp.org,2.fedora.pool.ntp.org,3.fedora.pool.ntp.org</xccdf-1.2:value>
-            <xccdf-1.2:value selector="rhel">0.rhel.pool.ntp.org,1.rhel.pool.ntp.org,2.rhel.pool.ntp.org,3.rhel.pool.ntp.org</xccdf-1.2:value>
-            <xccdf-1.2:value selector="ol">0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org</xccdf-1.2:value>
-            <xccdf-1.2:value selector="suse">0.suse.pool.ntp.org,1.suse.pool.ntp.org,2.suse.pool.ntp.org,3.suse.pool.ntp.org</xccdf-1.2:value>
-            <xccdf-1.2:value selector="alinux">0.ntp.cloud.aliyuncs.com,1.ntp.aliyun.com,2.ntp1.aliyun.com,3.ntp1.cloud.aliyuncs.com</xccdf-1.2:value>
-          </xccdf-1.2:Value>
-          <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_time_service_set_maxpoll" type="number">
-            <xccdf-1.2:title>Maximum NTP or Chrony Poll</xccdf-1.2:title>
-            <xccdf-1.2:description>The maximum NTP or Chrony poll interval number in seconds specified as a power of two.</xccdf-1.2:description>
-            <xccdf-1.2:value selector="36_hours">17</xccdf-1.2:value>
-            <xccdf-1.2:value selector="18_hours">16</xccdf-1.2:value>
-            <xccdf-1.2:value>10</xccdf-1.2:value>
-            <xccdf-1.2:value selector="system_default">10</xccdf-1.2:value>
-          </xccdf-1.2:Value>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_package_chrony_installed" severity="medium">
-            <xccdf-1.2:title>The Chrony package is installed</xccdf-1.2:title>
-            <xccdf-1.2:description>System time should be synchronized between all systems in an environment. This is
-typically done by establishing an authoritative time server or set of servers and having all
-systems synchronize their clocks to them.
-The <html:code>chrony</html:code> package can be installed with the following command:
-<html:pre/></xccdf-1.2:description>
-            <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R43)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="">0988</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="">1405</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000355-GPOS-00143</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Time synchronization is important to support time sensitive security mechanisms like
-Kerberos and also ensures log files have consistent time records across the enterprise,
-which aids in forensic investigations.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-package_chrony_installed:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-package_chrony_installed_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_package_ntp_installed" severity="high">
-            <xccdf-1.2:title>Install the ntp service</xccdf-1.2:title>
-            <xccdf-1.2:description>The ntpd service should be installed.</xccdf-1.2:description>
-            <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT012(R03)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000160</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.4</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Time synchronization (using NTP) is required by almost all network and administrative tasks (syslog, cryptographic based services (authentication, etc.), etc.). Ntpd is regulary maintained and updated, supporting security features such as RFC 5906.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-package_ntp_installed:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-package_ntp_installed_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_service_chronyd_enabled" severity="medium">
-            <xccdf-1.2:title>The Chronyd service is enabled</xccdf-1.2:title>
-            <xccdf-1.2:description>chrony is a daemon which implements the Network Time Protocol (NTP) is designed to
-synchronize system clocks across a variety of systems and use a source that is highly
-accurate. More information on chrony can be found at
-
-    <html:a href="http://chrony.tuxfamily.org/">http://chrony.tuxfamily.org/</html:a>.
-Chrony can be configured to be a client and/or a server.
-To enable Chronyd service, you can run:
-<html:code># systemctl enable chronyd.service</html:code>
-This recommendation only applies if chrony is in use on the system.</xccdf-1.2:description>
-            <xccdf-1.2:reference href="">0988</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="">1405</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>If chrony is in use on the system proper configuration is vital to ensuring time
-synchronization is working properly.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-service_chronyd_enabled:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-service_chronyd_enabled_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_service_chronyd_or_ntpd_enabled" severity="medium">
-            <xccdf-1.2:title>Enable the NTP Daemon</xccdf-1.2:title>
-            <xccdf-1.2:description>
-As a user with administrator privileges, log into a node in the relevant pool:
-<html:pre>
-$ oc debug node/$NODE_NAME
-</html:pre>
-At the <html:pre>sh-4.4#</html:pre> prompt, run:
-<html:pre>
-# chroot /host
-</html:pre>
-
-Run the following command to determine the current status of the
-<html:code>chronyd</html:code> service:
-<html:pre>$ sudo systemctl is-active chronyd</html:pre>
-If the service is running, it should return the following: <html:pre>active</html:pre>
-Note: The <html:code>chronyd</html:code> daemon is enabled by default.
-<html:br/><html:br/>
-
-As a user with administrator privileges, log into a node in the relevant pool:
-<html:pre>
-$ oc debug node/$NODE_NAME
-</html:pre>
-At the <html:pre>sh-4.4#</html:pre> prompt, run:
-<html:pre>
-# chroot /host
-</html:pre>
-
-Run the following command to determine the current status of the
-<html:code>ntpd</html:code> service:
-<html:pre>$ sudo systemctl is-active ntpd</html:pre>
-If the service is running, it should return the following: <html:pre>active</html:pre>
-Note: The <html:code>ntpd</html:code> daemon is not enabled by default. Though as mentioned
-in the previous sections in certain environments the <html:code>ntpd</html:code> daemon might
-be preferred to be used rather than the <html:code>chronyd</html:code> one. Refer to:
-
-    
-    <html:a href="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-configuring_ntp_using_the_chrony_suite">https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-configuring_ntp_using_the_chrony_suite</html:a>
-
-for guidance which NTP daemon to choose depending on the environment used.</xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000160</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="">0988</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="">1405</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.4.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="">SRG-OS-000356-VMM-001340</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Enabling some of <html:code>chronyd</html:code> or <html:code>ntpd</html:code> services ensures
-that the NTP daemon will be running and that the system will synchronize its
-time to any servers specified. This is important whether the system is
-configured to be a client (and synchronize only its own clock) or it is also
-acting as an NTP server to other systems.  Synchronizing time is essential for
-authentication services such as Kerberos, but it is also important for
-maintaining accurate logs and auditing possible security breaches.
-<html:br/><html:br/>
-The <html:code>chronyd</html:code> and <html:code>ntpd</html:code> NTP daemons offer all of the
-functionality of <html:code>ntpdate</html:code>, which is now deprecated.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82682-6</xccdf-1.2:ident>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-service_chronyd_or_ntpd_enabled:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-service_chronyd_or_ntpd_enabled_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_service_ntp_enabled" severity="high">
-            <xccdf-1.2:title>Enable the NTP Daemon</xccdf-1.2:title>
-            <xccdf-1.2:description>
-The <html:code>ntpd</html:code> service can be enabled with the following manifest:
-<html:pre>
----
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-metadata:
-  labels:
-    machineconfiguration.openshift.io/role: master
-  name: 75-master-ntpd-enable
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-      - name: ntpd.service
-        enabled: true
-</html:pre>
-<html:p>
-This will enable the <html:code>ntpd</html:code> service in all the
-nodes labeled with the "master" role.
-</html:p>
-<html:p>
-Note that this needs to be done for each <html:code>MachineConfigPool</html:code>
-</html:p>
-<html:p>
-For more information on how to configure nodes with the Machine Config
-Operator see
-<html:a href="https://docs.openshift.com/container-platform/4.6/post_installation_configuration/machine-configuration-tasks.html">the relevant documentation</html:a>.
-</html:p></xccdf-1.2:description>
-            <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT012(R03)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000160</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.4</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Enabling the <html:code>ntpd</html:code> service ensures that the <html:code>ntpd</html:code>
-service will be running and that the system will synchronize its time to
-any servers specified. This is important whether the system is configured to be
-a client (and synchronize only its own clock) or it is also acting as an NTP
-server to other systems.  Synchronizing time is essential for authentication
-services such as Kerberos, but it is also important for maintaining accurate
-logs and auditing possible security breaches.
-<html:br/><html:br/>
-The NTP daemon offers all of the functionality of <html:code>ntpdate</html:code>, which is now
-deprecated.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-service_ntp_enabled:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-service_ntp_enabled_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_service_ntpd_enabled" severity="medium">
-            <xccdf-1.2:title>Enable the NTP Daemon</xccdf-1.2:title>
-            <xccdf-1.2:description>
-The <html:code>ntpd</html:code> service can be enabled with the following manifest:
-<html:pre>
----
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-metadata:
-  labels:
-    machineconfiguration.openshift.io/role: master
-  name: 75-master-ntpd-enable
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-      - name: ntpd.service
-        enabled: true
-</html:pre>
-<html:p>
-This will enable the <html:code>ntpd</html:code> service in all the
-nodes labeled with the "master" role.
-</html:p>
-<html:p>
-Note that this needs to be done for each <html:code>MachineConfigPool</html:code>
-</html:p>
-<html:p>
-For more information on how to configure nodes with the Machine Config
-Operator see
-<html:a href="https://docs.openshift.com/container-platform/4.6/post_installation_configuration/machine-configuration-tasks.html">the relevant documentation</html:a>.
-</html:p></xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.4</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Enabling the <html:code>ntpd</html:code> service ensures that the <html:code>ntpd</html:code>
-service will be running and that the system will synchronize its time to
-any servers specified. This is important whether the system is configured to be
-a client (and synchronize only its own clock) or it is also acting as an NTP
-server to other systems.  Synchronizing time is essential for authentication
-services such as Kerberos, but it is also important for maintaining accurate
-logs and auditing possible security breaches.
-<html:br/><html:br/>
-The NTP daemon offers all of the functionality of <html:code>ntpdate</html:code>, which is now
-deprecated.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ntp"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-service_ntpd_enabled:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-service_ntpd_enabled_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_chronyd_client_only" severity="low">
-            <xccdf-1.2:title>Disable chrony daemon from acting as server</xccdf-1.2:title>
-            <xccdf-1.2:description>The <html:code>port</html:code> option in <html:code>/etc/chrony.conf</html:code> can be set to
-<html:code>0</html:code> to make chrony daemon to never open any listening port
-for server operation and to operate strictly in a client-only mode.</xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000381</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000096-GPOS-00050</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000095-GPOS-00049</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Minimizing the exposure of the server functionality of the chrony
-daemon diminishes the attack surface.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82465-6</xccdf-1.2:ident>
-            <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="chronyd_client_only" complexity="low" disruption="low" reboot="true" strategy="restrict">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ %23%20Allow%20for%20extra%20configuration%20files.%20This%20is%20useful%0A%23%20for%20admins%20specifying%20their%20own%20NTP%20servers%0Ainclude%20/etc/chrony.d/%2A.conf%0A%0A%23%20Set%20chronyd%20as%20client-only.%0Aport%200%0A%0A%23%20Disable%20chronyc%20from%20the%20network%0Acmdport%200%0A%0A%23%20Record%20the%20rate%20at%20which%20the%20system%20clock%20gains/losses%20time.%0Adriftfile%20/var/lib/chrony/drift%0A%0A%23%20Allow%20the%20system%20clock%20to%20be%20stepped%20in%20the%20first%20three%20updates%0A%23%20if%20its%20offset%20is%20larger%20than%201%20second.%0Amakestep%201.0%203%0A%0A%23%20Enable%20kernel%20synchronization%20of%20the%20real-time%20clock%20%28RTC%29.%0Artcsync%0A%0A%23%20Enable%20hardware%20timestamping%20on%20all%20interfaces%20that%20support%20it.%0A%23hwtimestamp%20%2A%0A%0A%23%20Increase%20the%20minimum%20number%20of%20selectable%20sources%20required%20to%20adjust%0A%23%20the%20system%20clock.%0A%23minsources%202%0A%0A%23%20Allow%20NTP%20client%20access%20from%20local%20network.%0A%23allow%20192.168.0.0/16%0A%0A%23%20Serve%20time%20even%20if%20not%20synchronized%20to%20a%20time%20source.%0A%23local%20stratum%2010%0A%0A%23%20Require%20authentication%20%28nts%20or%20key%20option%29%20for%20all%20NTP%20sources.%0A%23authselectmode%20require%0A%0A%23%20Specify%20file%20containing%20keys%20for%20NTP%20authentication.%0Akeyfile%20/etc/chrony.keys%0A%0A%23%20Insert/delete%20leap%20seconds%20by%20slewing%20instead%20of%20stepping.%0A%23leapsecmode%20slew%0A%0A%23%20Get%20TAI-UTC%20offset%20and%20leap%20seconds%20from%20the%20system%20tz%20database.%0Aleapsectz%20right/UTC%0A%0A%23%20Specify%20directory%20for%20log%20files.%0Alogdir%20/var/log/chrony%0A%0A%23%20Select%20which%20information%20is%20logged.%0A%23log%20measurements%20statistics%20tracking }}
-        mode: 420
-        overwrite: true
-        path: /etc/chrony.conf
-      - contents:
-          source: data:,
-        mode: 420
-        overwrite: true
-        path: /etc/chrony.d/.mco-keep
-      - contents:
-          source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20ntp%20server%0A%23%20%7B%7B.var_multiple_time_servers%7D%7D%20we%20have%20to%20put%20variable%20array%20name%20here%20for%20mutilines%20remediation%20%0A%7B%7B%24var_time_service_set_maxpoll%3A%3D.var_time_service_set_maxpoll%7D%7D%0A%7B%7Brange%20%24element%3A%3D.var_multiple_time_servers%7CtoArrayByComma%7D%7Dserver%20%7B%7B%24element%7D%7D%20minpoll%204%20maxpoll%20%7B%7B%24var_time_service_set_maxpoll%7D%7D%0A%7B%7Bend%7D%7D }}
-        mode: 420
-        overwrite: true
-        path: /etc/chrony.d/ntp-server.conf
-</xccdf-1.2:fix>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-chronyd_client_only:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-chronyd_client_only_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_chronyd_no_chronyc_network" severity="low">
-            <xccdf-1.2:title>Disable network management of chrony daemon</xccdf-1.2:title>
-            <xccdf-1.2:description>The <html:code>cmdport</html:code> option in <html:code>/etc/chrony.conf</html:code> can be set to
-<html:code>0</html:code> to stop chrony daemon from listening on the UDP port 323
-for management connections made by chronyc.</xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000381</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000096-GPOS-00050</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000095-GPOS-00049</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Not exposing the management interface of the chrony daemon on
-the network diminishes the attack space.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82466-4</xccdf-1.2:ident>
-            <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="chronyd_no_chronyc_network" complexity="low" disruption="low" reboot="true" strategy="restrict">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ %23%20Allow%20for%20extra%20configuration%20files.%20This%20is%20useful%0A%23%20for%20admins%20specifying%20their%20own%20NTP%20servers%0Ainclude%20/etc/chrony.d/%2A.conf%0A%0A%23%20Set%20chronyd%20as%20client-only.%0Aport%200%0A%0A%23%20Disable%20chronyc%20from%20the%20network%0Acmdport%200%0A%0A%23%20Record%20the%20rate%20at%20which%20the%20system%20clock%20gains/losses%20time.%0Adriftfile%20/var/lib/chrony/drift%0A%0A%23%20Allow%20the%20system%20clock%20to%20be%20stepped%20in%20the%20first%20three%20updates%0A%23%20if%20its%20offset%20is%20larger%20than%201%20second.%0Amakestep%201.0%203%0A%0A%23%20Enable%20kernel%20synchronization%20of%20the%20real-time%20clock%20%28RTC%29.%0Artcsync%0A%0A%23%20Enable%20hardware%20timestamping%20on%20all%20interfaces%20that%20support%20it.%0A%23hwtimestamp%20%2A%0A%0A%23%20Increase%20the%20minimum%20number%20of%20selectable%20sources%20required%20to%20adjust%0A%23%20the%20system%20clock.%0A%23minsources%202%0A%0A%23%20Allow%20NTP%20client%20access%20from%20local%20network.%0A%23allow%20192.168.0.0/16%0A%0A%23%20Serve%20time%20even%20if%20not%20synchronized%20to%20a%20time%20source.%0A%23local%20stratum%2010%0A%0A%23%20Require%20authentication%20%28nts%20or%20key%20option%29%20for%20all%20NTP%20sources.%0A%23authselectmode%20require%0A%0A%23%20Specify%20file%20containing%20keys%20for%20NTP%20authentication.%0Akeyfile%20/etc/chrony.keys%0A%0A%23%20Insert/delete%20leap%20seconds%20by%20slewing%20instead%20of%20stepping.%0A%23leapsecmode%20slew%0A%0A%23%20Get%20TAI-UTC%20offset%20and%20leap%20seconds%20from%20the%20system%20tz%20database.%0Aleapsectz%20right/UTC%0A%0A%23%20Specify%20directory%20for%20log%20files.%0Alogdir%20/var/log/chrony%0A%0A%23%20Select%20which%20information%20is%20logged.%0A%23log%20measurements%20statistics%20tracking }}
-        mode: 420
-        overwrite: true
-        path: /etc/chrony.conf
-      - contents:
-          source: data:,
-        mode: 420
-        overwrite: true
-        path: /etc/chrony.d/.mco-keep
-      - contents:
-          source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20ntp%20server%0A%23%20%7B%7B.var_multiple_time_servers%7D%7D%20we%20have%20to%20put%20variable%20array%20name%20here%20for%20mutilines%20remediation%20%0A%7B%7B%24var_time_service_set_maxpoll%3A%3D.var_time_service_set_maxpoll%7D%7D%0A%7B%7Brange%20%24element%3A%3D.var_multiple_time_servers%7CtoArrayByComma%7D%7Dserver%20%7B%7B%24element%7D%7D%20minpoll%204%20maxpoll%20%7B%7B%24var_time_service_set_maxpoll%7D%7D%0A%7B%7Bend%7D%7D }}
-        mode: 420
-        overwrite: true
-        path: /etc/chrony.d/ntp-server.conf
-</xccdf-1.2:fix>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-chronyd_no_chronyc_network:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-chronyd_no_chronyc_network_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_set_maxpoll" severity="medium">
-            <xccdf-1.2:title>Configure Time Service Maxpoll Interval</xccdf-1.2:title>
-            <xccdf-1.2:description>The <html:code>maxpoll</html:code> should be configured to
-<xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_time_service_set_maxpoll" use="legacy"/> in <html:code>/etc/ntp.conf</html:code> or
-<html:code>/etc/chrony.conf</html:code> to continuously poll time servers. To configure
-<html:code>maxpoll</html:code> in <html:code>/etc/ntp.conf</html:code> or <html:code>/etc/chrony.conf</html:code>
-add the following after each `server`, `pool` or `peer` entry:
-<html:pre>maxpoll <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_time_service_set_maxpoll" use="legacy"/></html:pre>
-to <html:pre>server</html:pre> directives. If using chrony any <html:pre>pool</html:pre> directives
-should be configured too.
-If no <html:code>server</html:code> or <html:code>pool</html:code> directives are configured, the rule evaluates
-to pass.
-
-<html:p>
-Note that if the remediation shipping with this content is being used, the
-<html:b>MachineConfig</html:b> shipped does not include reference NTP servers to point
-to. It is up to the admin to set these which will vary depending on the
-cluster's requirements.
-</html:p>
-
-<html:p>
-The aforementioned remediation does include the directory <html:code>/etc/chrony.d</html:code>
-which would allow the creation of configuration files to set these servers.
-</html:p>
-
-If we'd like to set a configuration like the following:
-<html:pre>
-pool 2.rhel.pool.ntp.org iburst
-
-server 0.rhel.pool.ntp.org minpoll 4 maxpoll 10
-server 1.rhel.pool.ntp.org minpoll 4 maxpoll 10
-server 2.rhel.pool.ntp.org minpoll 4 maxpoll 10
-server 3.rhel.pool.ntp.org minpoll 4 maxpoll 10
-</html:pre>
-
-This could be done with to the following manifest:
-
-<html:pre>
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-metadata:
-  labels:
-    machineconfiguration.openshift.io/role: master
-  name: 75-master-chrony-servers
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,pool%202.rhel.pool.ntp.org%20iburst%0A%0Aserver%200.rhel.pool.ntp.org%20minpoll%204%20maxpoll%2010%0Aserver%201.rhel.pool.ntp.org%20minpoll%204%20maxpoll%2010%0Aserver%202.rhel.pool.ntp.org%20minpoll%204%20maxpoll%2010%0Aserver%203.rhel.pool.ntp.org%20minpoll%204%20maxpoll%2010
-        mode: 0600
-        path: /etc/chrony.d/10-rhel-pool-and-servers.conf
-        overwrite: true
-</html:pre>
-
-Note that this needs to be done for each <html:pre>MachineConfigPool</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001891</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002046</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)(b)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000355-GPOS-00143</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000356-GPOS-00144</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000359-GPOS-00146</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Inaccurate time stamps make it more difficult to correlate
-events and can lead to an inaccurate analysis. Determining the correct
-time a particular event occurred on a system is critical when conducting
-forensic analysis and investigating system events. Sources outside the
-configured acceptable allowance (drift) may be inaccurate.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#chrony_or_ntp"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82684-2</xccdf-1.2:ident>
-            <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="chronyd_or_ntpd_set_maxpoll" complexity="low" disruption="low" reboot="true" strategy="restrict">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ %23%20Allow%20for%20extra%20configuration%20files.%20This%20is%20useful%0A%23%20for%20admins%20specifying%20their%20own%20NTP%20servers%0Ainclude%20/etc/chrony.d/%2A.conf%0A%0A%23%20Set%20chronyd%20as%20client-only.%0Aport%200%0A%0A%23%20Disable%20chronyc%20from%20the%20network%0Acmdport%200%0A%0A%23%20Record%20the%20rate%20at%20which%20the%20system%20clock%20gains/losses%20time.%0Adriftfile%20/var/lib/chrony/drift%0A%0A%23%20Allow%20the%20system%20clock%20to%20be%20stepped%20in%20the%20first%20three%20updates%0A%23%20if%20its%20offset%20is%20larger%20than%201%20second.%0Amakestep%201.0%203%0A%0A%23%20Enable%20kernel%20synchronization%20of%20the%20real-time%20clock%20%28RTC%29.%0Artcsync%0A%0A%23%20Enable%20hardware%20timestamping%20on%20all%20interfaces%20that%20support%20it.%0A%23hwtimestamp%20%2A%0A%0A%23%20Increase%20the%20minimum%20number%20of%20selectable%20sources%20required%20to%20adjust%0A%23%20the%20system%20clock.%0A%23minsources%202%0A%0A%23%20Allow%20NTP%20client%20access%20from%20local%20network.%0A%23allow%20192.168.0.0/16%0A%0A%23%20Serve%20time%20even%20if%20not%20synchronized%20to%20a%20time%20source.%0A%23local%20stratum%2010%0A%0A%23%20Require%20authentication%20%28nts%20or%20key%20option%29%20for%20all%20NTP%20sources.%0A%23authselectmode%20require%0A%0A%23%20Specify%20file%20containing%20keys%20for%20NTP%20authentication.%0Akeyfile%20/etc/chrony.keys%0A%0A%23%20Insert/delete%20leap%20seconds%20by%20slewing%20instead%20of%20stepping.%0A%23leapsecmode%20slew%0A%0A%23%20Get%20TAI-UTC%20offset%20and%20leap%20seconds%20from%20the%20system%20tz%20database.%0Aleapsectz%20right/UTC%0A%0A%23%20Specify%20directory%20for%20log%20files.%0Alogdir%20/var/log/chrony%0A%0A%23%20Select%20which%20information%20is%20logged.%0A%23log%20measurements%20statistics%20tracking }}
-        mode: 420
-        overwrite: true
-        path: /etc/chrony.conf
-      - contents:
-          source: data:,
-        mode: 420
-        overwrite: true
-        path: /etc/chrony.d/.mco-keep
-      - contents:
-          source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20ntp%20server%0A%23%20%7B%7B.var_multiple_time_servers%7D%7D%20we%20have%20to%20put%20variable%20array%20name%20here%20for%20mutilines%20remediation%20%0A%7B%7B%24var_time_service_set_maxpoll%3A%3D.var_time_service_set_maxpoll%7D%7D%0A%7B%7Brange%20%24element%3A%3D.var_multiple_time_servers%7CtoArrayByComma%7D%7Dserver%20%7B%7B%24element%7D%7D%20minpoll%204%20maxpoll%20%7B%7B%24var_time_service_set_maxpoll%7D%7D%0A%7B%7Bend%7D%7D }}
-        mode: 420
-        overwrite: true
-        path: /etc/chrony.d/ntp-server.conf
-</xccdf-1.2:fix>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-export export-name="oval:ssg-var_time_service_set_maxpoll:var:1" value-id="xccdf_org.ssgproject.content_value_var_time_service_set_maxpoll"/>
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-chronyd_or_ntpd_set_maxpoll:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-chronyd_or_ntpd_set_maxpoll_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_multiple_servers" severity="medium">
-            <xccdf-1.2:title>Specify Additional Remote NTP Servers</xccdf-1.2:title>
-            <xccdf-1.2:description>Depending on specific functional requirements of a concrete
-production environment, the Red Hat Enterprise Linux CoreOS 4 system can be
-configured to utilize the services of the <html:code>chronyd</html:code> NTP daemon (the
-default), or services of the <html:code>ntpd</html:code> NTP daemon. Refer to
-
-    
-    <html:a href="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-configuring_ntp_using_the_chrony_suite">https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-configuring_ntp_using_the_chrony_suite</html:a>
-
-for more detailed comparison of the features of both of the choices, and for
-further guidance how to choose between the two NTP daemons.
-<html:br/>
-Additional NTP servers can be specified for time synchronization. To do so,
-perform the following:
-<html:ul><html:li> if the system is configured to use the <html:code>chronyd</html:code> as the NTP daemon
-(the default), edit the file <html:code>/etc/chrony.conf</html:code> as follows,</html:li><html:li> if the system is configured to use the <html:code>ntpd</html:code> as the NTP daemon,
-edit the file <html:code>/etc/ntp.conf</html:code> as documented below.</html:li></html:ul>
-Add additional lines of the following form, substituting the IP address or
-hostname of a remote NTP server for <html:em>ntpserver</html:em>:
-<html:pre>server <html:i>ntpserver</html:i></html:pre>
-
-<html:p>
-Note that if the remediation shipping with this content is being used, the
-<html:b>MachineConfig</html:b> shipped does not include reference NTP servers to point
-to. It is up to the admin to set these which will vary depending on the
-cluster's requirements.
-</html:p>
-
-<html:p>
-The aforementioned remediation does include the directory <html:code>/etc/chrony.d</html:code>
-which would allow the creation of configuration files to set these servers.
-</html:p>
-
-If we'd like to set a configuration like the following:
-
-<html:pre>
-pool 2.rhel.pool.ntp.org iburst
-
-server 0.rhel.pool.ntp.org minpoll 4 maxpoll 10
-server 1.rhel.pool.ntp.org minpoll 4 maxpoll 10
-server 2.rhel.pool.ntp.org minpoll 4 maxpoll 10
-server 3.rhel.pool.ntp.org minpoll 4 maxpoll 10
-</html:pre>
-
-This could be done with to the following manifest:
-
-<html:pre>
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-metadata:
-  labels:
-    machineconfiguration.openshift.io/role: master
-  name: 75-master-chrony-servers
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,pool%202.rhel.pool.ntp.org%20iburst%0A%0Aserver%200.rhel.pool.ntp.org%20minpoll%204%20maxpoll%2010%0Aserver%201.rhel.pool.ntp.org%20minpoll%204%20maxpoll%2010%0Aserver%202.rhel.pool.ntp.org%20minpoll%204%20maxpoll%2010%0Aserver%203.rhel.pool.ntp.org%20minpoll%204%20maxpoll%2010
-        mode: 0600
-        path: /etc/chrony.d/10-rhel-pool-and-servers.conf
-        overwrite: true
-</html:pre>
-
-Note that this needs to be done for each <html:pre>MachineConfigPool</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="">0988</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="">1405</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(2)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.4.3</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Specifying additional NTP servers increases the availability of
-accurate time data, in the event that one of the specified servers becomes
-unavailable. This is typical for a system acting as an NTP server for
-other systems.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82685-9</xccdf-1.2:ident>
-            <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="chronyd_or_ntpd_specify_multiple_servers" complexity="low" disruption="low" reboot="true" strategy="restrict">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ %23%20Allow%20for%20extra%20configuration%20files.%20This%20is%20useful%0A%23%20for%20admins%20specifying%20their%20own%20NTP%20servers%0Ainclude%20/etc/chrony.d/%2A.conf%0A%0A%23%20Set%20chronyd%20as%20client-only.%0Aport%200%0A%0A%23%20Disable%20chronyc%20from%20the%20network%0Acmdport%200%0A%0A%23%20Record%20the%20rate%20at%20which%20the%20system%20clock%20gains/losses%20time.%0Adriftfile%20/var/lib/chrony/drift%0A%0A%23%20Allow%20the%20system%20clock%20to%20be%20stepped%20in%20the%20first%20three%20updates%0A%23%20if%20its%20offset%20is%20larger%20than%201%20second.%0Amakestep%201.0%203%0A%0A%23%20Enable%20kernel%20synchronization%20of%20the%20real-time%20clock%20%28RTC%29.%0Artcsync%0A%0A%23%20Enable%20hardware%20timestamping%20on%20all%20interfaces%20that%20support%20it.%0A%23hwtimestamp%20%2A%0A%0A%23%20Increase%20the%20minimum%20number%20of%20selectable%20sources%20required%20to%20adjust%0A%23%20the%20system%20clock.%0A%23minsources%202%0A%0A%23%20Allow%20NTP%20client%20access%20from%20local%20network.%0A%23allow%20192.168.0.0/16%0A%0A%23%20Serve%20time%20even%20if%20not%20synchronized%20to%20a%20time%20source.%0A%23local%20stratum%2010%0A%0A%23%20Require%20authentication%20%28nts%20or%20key%20option%29%20for%20all%20NTP%20sources.%0A%23authselectmode%20require%0A%0A%23%20Specify%20file%20containing%20keys%20for%20NTP%20authentication.%0Akeyfile%20/etc/chrony.keys%0A%0A%23%20Insert/delete%20leap%20seconds%20by%20slewing%20instead%20of%20stepping.%0A%23leapsecmode%20slew%0A%0A%23%20Get%20TAI-UTC%20offset%20and%20leap%20seconds%20from%20the%20system%20tz%20database.%0Aleapsectz%20right/UTC%0A%0A%23%20Specify%20directory%20for%20log%20files.%0Alogdir%20/var/log/chrony%0A%0A%23%20Select%20which%20information%20is%20logged.%0A%23log%20measurements%20statistics%20tracking }}
-        mode: 420
-        overwrite: true
-        path: /etc/chrony.conf
-      - contents:
-          source: data:,
-        mode: 420
-        overwrite: true
-        path: /etc/chrony.d/.mco-keep
-      - contents:
-          source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20ntp%20server%0A%23%20%7B%7B.var_multiple_time_servers%7D%7D%20we%20have%20to%20put%20variable%20array%20name%20here%20for%20mutilines%20remediation%20%0A%7B%7B%24var_time_service_set_maxpoll%3A%3D.var_time_service_set_maxpoll%7D%7D%0A%7B%7Brange%20%24element%3A%3D.var_multiple_time_servers%7CtoArrayByComma%7D%7Dserver%20%7B%7B%24element%7D%7D%20minpoll%204%20maxpoll%20%7B%7B%24var_time_service_set_maxpoll%7D%7D%0A%7B%7Bend%7D%7D }}
-        mode: 420
-        overwrite: true
-        path: /etc/chrony.d/ntp-server.conf
-</xccdf-1.2:fix>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-chronyd_or_ntpd_specify_multiple_servers:def:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_chronyd_or_ntpd_specify_remote_server" severity="medium">
-            <xccdf-1.2:title>Specify a Remote NTP Server</xccdf-1.2:title>
-            <xccdf-1.2:description>Depending on specific functional requirements of a concrete
-production environment, the Red Hat Enterprise Linux CoreOS 4 system can be
-configured to utilize the services of the <html:code>chronyd</html:code> NTP daemon (the
-default), or services of the <html:code>ntpd</html:code> NTP daemon. Refer to
-
-    
-    <html:a href="https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-configuring_ntp_using_the_chrony_suite">https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-configuring_ntp_using_the_chrony_suite</html:a>
-
-for more detailed comparison of the features of both of the choices, and for
-further guidance how to choose between the two NTP daemons.
-<html:br/>
-To specify a remote NTP server for time synchronization, perform the following:
-<html:ul><html:li> if the system is configured to use the <html:code>chronyd</html:code> as the NTP daemon (the
-default), edit the file <html:code>/etc/chrony.conf</html:code> as follows,</html:li><html:li> if the system is configured to use the <html:code>ntpd</html:code> as the NTP daemon,
-edit the file <html:code>/etc/ntp.conf</html:code> as documented below.</html:li></html:ul>
-Add or correct the following lines, substituting the IP or hostname of a remote
-NTP server for <html:em>ntpserver</html:em>:
-<html:pre>server <html:i>ntpserver</html:i></html:pre>
-This instructs the NTP software to contact that remote server to obtain time
-data.
-
-<html:p>
-Note that if the remediation shipping with this content is being used, the
-<html:b>MachineConfig</html:b> shipped does not include reference NTP servers to point
-to. It is up to the admin to set these which will vary depending on the
-cluster's requirements.
-</html:p>
-
-<html:p>
-The aforementioned remediation does include the directory <html:code>/etc/chrony.d</html:code>
-which would allow the creation of configuration files to set these servers.
-</html:p>
-
-If we'd like to set a configuration like the following:
-
-<html:pre>
-pool 2.rhel.pool.ntp.org iburst
-
-server 0.rhel.pool.ntp.org minpoll 4 maxpoll 10
-server 1.rhel.pool.ntp.org minpoll 4 maxpoll 10
-server 2.rhel.pool.ntp.org minpoll 4 maxpoll 10
-server 3.rhel.pool.ntp.org minpoll 4 maxpoll 10
-</html:pre>
-
-This could be done with to the following manifest:
-
-<html:pre>
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-metadata:
-  labels:
-    machineconfiguration.openshift.io/role: master
-  name: 75-master-chrony-servers
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,pool%202.rhel.pool.ntp.org%20iburst%0A%0Aserver%200.rhel.pool.ntp.org%20minpoll%204%20maxpoll%2010%0Aserver%201.rhel.pool.ntp.org%20minpoll%204%20maxpoll%2010%0Aserver%202.rhel.pool.ntp.org%20minpoll%204%20maxpoll%2010%0Aserver%203.rhel.pool.ntp.org%20minpoll%204%20maxpoll%2010
-        mode: 0600
-        path: /etc/chrony.d/10-rhel-pool-and-servers.conf
-        overwrite: true
-</html:pre>
-
-Note that this needs to be done for each <html:pre>MachineConfigPool</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.3.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000160</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001891</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(2)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-12(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.4.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.4.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="">SRG-OS-000355-VMM-001330</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Synchronizing with an NTP server makes it possible to collate system
-logs from multiple sources or correlate computer events with real time events.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine_and_chrony_or_ntp"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82683-4</xccdf-1.2:ident>
-            <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="chronyd_or_ntpd_specify_remote_server" complexity="low" disruption="low" reboot="true" strategy="restrict">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ %23%20Allow%20for%20extra%20configuration%20files.%20This%20is%20useful%0A%23%20for%20admins%20specifying%20their%20own%20NTP%20servers%0Ainclude%20/etc/chrony.d/%2A.conf%0A%0A%23%20Set%20chronyd%20as%20client-only.%0Aport%200%0A%0A%23%20Disable%20chronyc%20from%20the%20network%0Acmdport%200%0A%0A%23%20Record%20the%20rate%20at%20which%20the%20system%20clock%20gains/losses%20time.%0Adriftfile%20/var/lib/chrony/drift%0A%0A%23%20Allow%20the%20system%20clock%20to%20be%20stepped%20in%20the%20first%20three%20updates%0A%23%20if%20its%20offset%20is%20larger%20than%201%20second.%0Amakestep%201.0%203%0A%0A%23%20Enable%20kernel%20synchronization%20of%20the%20real-time%20clock%20%28RTC%29.%0Artcsync%0A%0A%23%20Enable%20hardware%20timestamping%20on%20all%20interfaces%20that%20support%20it.%0A%23hwtimestamp%20%2A%0A%0A%23%20Increase%20the%20minimum%20number%20of%20selectable%20sources%20required%20to%20adjust%0A%23%20the%20system%20clock.%0A%23minsources%202%0A%0A%23%20Allow%20NTP%20client%20access%20from%20local%20network.%0A%23allow%20192.168.0.0/16%0A%0A%23%20Serve%20time%20even%20if%20not%20synchronized%20to%20a%20time%20source.%0A%23local%20stratum%2010%0A%0A%23%20Require%20authentication%20%28nts%20or%20key%20option%29%20for%20all%20NTP%20sources.%0A%23authselectmode%20require%0A%0A%23%20Specify%20file%20containing%20keys%20for%20NTP%20authentication.%0Akeyfile%20/etc/chrony.keys%0A%0A%23%20Insert/delete%20leap%20seconds%20by%20slewing%20instead%20of%20stepping.%0A%23leapsecmode%20slew%0A%0A%23%20Get%20TAI-UTC%20offset%20and%20leap%20seconds%20from%20the%20system%20tz%20database.%0Aleapsectz%20right/UTC%0A%0A%23%20Specify%20directory%20for%20log%20files.%0Alogdir%20/var/log/chrony%0A%0A%23%20Select%20which%20information%20is%20logged.%0A%23log%20measurements%20statistics%20tracking }}
-        mode: 420
-        overwrite: true
-        path: /etc/chrony.conf
-      - contents:
-          source: data:,
-        mode: 420
-        overwrite: true
-        path: /etc/chrony.d/.mco-keep
-      - contents:
-          source: data:,{{ %23%0A%23%20This%20file%20controls%20the%20configuration%20of%20the%20ntp%20server%0A%23%20%7B%7B.var_multiple_time_servers%7D%7D%20we%20have%20to%20put%20variable%20array%20name%20here%20for%20mutilines%20remediation%20%0A%7B%7B%24var_time_service_set_maxpoll%3A%3D.var_time_service_set_maxpoll%7D%7D%0A%7B%7Brange%20%24element%3A%3D.var_multiple_time_servers%7CtoArrayByComma%7D%7Dserver%20%7B%7B%24element%7D%7D%20minpoll%204%20maxpoll%20%7B%7B%24var_time_service_set_maxpoll%7D%7D%0A%7B%7Bend%7D%7D }}
-        mode: 420
-        overwrite: true
-        path: /etc/chrony.d/ntp-server.conf
-</xccdf-1.2:fix>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-chronyd_or_ntpd_specify_remote_server:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-chronyd_or_ntpd_specify_remote_server_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_chronyd_server_directive" severity="medium">
-            <xccdf-1.2:title>Ensure Chrony is only configured with the server directive</xccdf-1.2:title>
-            <xccdf-1.2:description>Check that Chrony only has time sources configured with the <html:code>server</html:code> directive.</xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">This rule doesn't come with a remediation, the time source needs to be added by the adminstrator.</xccdf-1.2:warning>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001891</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000355-GPOS-00143</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000356-GPOS-00144</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000359-GPOS-00146</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Depending on the infrastruture being used the <html:code>pool</html:code> directive may not be supported.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#chrony"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-chronyd_server_directive:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-chronyd_server_directive_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_chronyd_specify_remote_server" severity="medium">
-            <xccdf-1.2:title>A remote time server for Chrony is configured</xccdf-1.2:title>
-            <xccdf-1.2:description><html:code>Chrony</html:code> is a daemon which implements the Network Time Protocol (NTP). It is designed to
-synchronize system clocks across a variety of systems and use a source that is highly
-accurate. More information on <html:code>chrony</html:code> can be found at
-
-    <html:a href="http://chrony.tuxfamily.org/">http://chrony.tuxfamily.org/</html:a>.
-<html:code>Chrony</html:code> can be configured to be a client and/or a server.
-Add or edit server or pool lines to <html:code>/etc/chrony.conf</html:code> as appropriate:
-<html:pre>server &lt;remote-server&gt;</html:pre>
-Multiple servers may be configured.</xccdf-1.2:description>
-            <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R43)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000160</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001891</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="">0988</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="">1405</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.4.3</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>If <html:code>chrony</html:code> is in use on the system proper configuration is vital to ensuring time
-synchronization is working properly.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#chrony"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-chronyd_specify_remote_server:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-chronyd_specify_remote_server_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_ntpd_specify_multiple_servers" severity="unknown">
-            <xccdf-1.2:title>Specify Additional Remote NTP Servers</xccdf-1.2:title>
-            <xccdf-1.2:description>Additional NTP servers can be specified for time synchronization
-in the file <html:code>/etc/ntp.conf</html:code>.  To do so, add additional lines of the
-following form, substituting the IP address or hostname of a remote NTP server for
-<html:em>ntpserver</html:em>:
-<html:pre>server <html:i>ntpserver</html:i></html:pre></xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(2)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.4.3</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Specifying additional NTP servers increases the availability of
-accurate time data, in the event that one of the specified servers becomes
-unavailable. This is typical for a system acting as an NTP server for
-other systems.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-ntpd_specify_multiple_servers:def:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_ntpd_specify_remote_server" severity="medium">
-            <xccdf-1.2:title>Specify a Remote NTP Server</xccdf-1.2:title>
-            <xccdf-1.2:description>To specify a remote NTP server for time synchronization, edit
-the file <html:code>/etc/ntp.conf</html:code>. Add or correct the following lines,
-substituting the IP or hostname of a remote NTP server for <html:em>ntpserver</html:em>:
-<html:pre>server <html:i>ntpserver</html:i></html:pre>
-This instructs the NTP software to contact that remote server to obtain time
-data.</xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO11.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.05</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">MEA02.01</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.3.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.4.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.2.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.10</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.11</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.12</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.7.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-8(1)(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.4.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-10.4.3</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Synchronizing with an NTP server makes it possible
-to collate system logs from multiple sources or correlate computer events with
-real time events.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#ntp"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-ntpd_specify_remote_server:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-ntpd_specify_remote_server_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-        </xccdf-1.2:Group>
-        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_obsolete">
-          <xccdf-1.2:title>Obsolete Services</xccdf-1.2:title>
-          <xccdf-1.2:description>This section discusses a number of network-visible
-services which have historically caused problems for system
-security, and for which disabling or severely limiting the service
-has been the best available guidance for some time. As a result of
-this, many of these services are not installed as part of Red Hat Enterprise Linux CoreOS 4
-by default.
-<html:br/><html:br/>
-Organizations which are running these services should
-switch to more secure equivalents as soon as possible.
-If it remains absolutely necessary to run one of
-these services for legacy reasons, care should be taken to restrict
-the service as much as possible, for instance by configuring host
-
-firewall software such as <html:code>iptables</html:code> to restrict access to the
-
-vulnerable service to only those remote hosts which have a known
-need to use it.</xccdf-1.2:description>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_inetd_and_xinetd">
-            <xccdf-1.2:title>Xinetd</xccdf-1.2:title>
-            <xccdf-1.2:description>The <html:code>xinetd</html:code> service acts as a dedicated listener for some
-network services (mostly, obsolete ones) and can be used to provide access
-controls and perform some logging. It has been largely obsoleted by other
-features, and it is not installed by default. The older Inetd service
-is not even available as part of Red Hat Enterprise Linux CoreOS 4.</xccdf-1.2:description>
-            <xccdf-1.2:platform idref="#machine"/>
-          </xccdf-1.2:Group>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_nis">
-            <xccdf-1.2:title>NIS</xccdf-1.2:title>
-            <xccdf-1.2:description>The Network Information Service (NIS), also known as 'Yellow
-Pages' (YP), and its successor NIS+ have been made obsolete by
-Kerberos, LDAP, and other modern centralized authentication
-services. NIS should not be used because it suffers from security
-problems inherent in its design, such as inadequate protection of
-important authentication information.</xccdf-1.2:description>
-          </xccdf-1.2:Group>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_r_services">
-            <xccdf-1.2:title>Rlogin, Rsh, and Rexec</xccdf-1.2:title>
-            <xccdf-1.2:description>The Berkeley r-commands are legacy services which
-allow cleartext remote access and have an insecure trust
-model.</xccdf-1.2:description>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_no_rsh_trust_files" severity="high">
-              <xccdf-1.2:title>Remove Rsh Trust Files</xccdf-1.2:title>
-              <xccdf-1.2:description>The files <html:code>/etc/hosts.equiv</html:code> and <html:code>~/.rhosts</html:code> (in
-each user's home directory) list remote hosts and users that are trusted by the
-local system when using the rshd daemon.
-To remove these files, run the following command to delete them from any
-location:
-<html:pre>$ sudo rm /etc/hosts.equiv</html:pre>
-<html:pre>$ rm ~/.rhosts</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001436</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>This action is only meaningful if <html:code>.rhosts</html:code> support is permitted
-through PAM. Trust files are convenient, but when used in conjunction with
-the R-services, they can allow unauthenticated access to a system.</xccdf-1.2:rationale>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-no_rsh_trust_files:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-no_rsh_trust_files_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-          </xccdf-1.2:Group>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_talk">
-            <xccdf-1.2:title>Chat/Messaging Services</xccdf-1.2:title>
-            <xccdf-1.2:description>The talk software makes it possible for users to send and receive messages
-across systems through a terminal session.</xccdf-1.2:description>
-          </xccdf-1.2:Group>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_telnet">
-            <xccdf-1.2:title>Telnet</xccdf-1.2:title>
-            <xccdf-1.2:description>The telnet protocol does not provide confidentiality or integrity
-for information transmitted on the network. This includes authentication
-information such as passwords. Organizations which use telnet should be
-actively working to migrate to a more secure protocol.</xccdf-1.2:description>
-          </xccdf-1.2:Group>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_tftp">
-            <xccdf-1.2:title>TFTP Server</xccdf-1.2:title>
-            <xccdf-1.2:description>TFTP is a lightweight version of the FTP protocol which has
-traditionally been used to configure networking equipment. However,
-TFTP provides little security, and modern versions of networking
-operating systems frequently support configuration via SSH or other
-more secure protocols. A TFTP server should be run only if no more
-secure method of supporting existing equipment can be
-found.</xccdf-1.2:description>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_tftpd_secure_directory" type="string" interactive="true">
-              <xccdf-1.2:title>TFTP server secure directory</xccdf-1.2:title>
-              <xccdf-1.2:description>Specify the directory which is used by TFTP server as a root directory when running in secure mode.</xccdf-1.2:description>
-              <xccdf-1.2:value>/var/lib/tftpboot</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-          </xccdf-1.2:Group>
-        </xccdf-1.2:Group>
-        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_printing">
-          <xccdf-1.2:title>Print Support</xccdf-1.2:title>
-          <xccdf-1.2:description>The Common Unix Printing System (CUPS) service provides both local
-and network printing support. A system running the CUPS service can accept
-print jobs from other systems, process them, and send them to the appropriate
-printer. It also provides an interface for remote administration through a web
-browser. The CUPS service is installed and activated by default. The project
-homepage and more detailed documentation are available at
-
-    <html:a href="http://www.cups.org">http://www.cups.org</html:a>.
-<html:br/><html:br/></xccdf-1.2:description>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_configure_printing">
-            <xccdf-1.2:title>Configure the CUPS Service if Necessary</xccdf-1.2:title>
-            <xccdf-1.2:description>CUPS provides the ability to easily share local printers with
-other systems over the network. It does this by allowing systems to share
-lists of available printers. Additionally, each system that runs the CUPS
-service can potentially act as a print server. Whenever possible, the printer
-sharing and print server capabilities of CUPS should be limited or disabled.
-The following recommendations should demonstrate how to do just that.</xccdf-1.2:description>
-          </xccdf-1.2:Group>
-        </xccdf-1.2:Group>
-        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_proxy">
-          <xccdf-1.2:title>Proxy Server</xccdf-1.2:title>
-          <xccdf-1.2:description>A proxy server is a very desirable target for a
-potential adversary because much (or all) sensitive data for a
-given infrastructure may flow through it. Therefore, if one is
-required, the system acting as a proxy server should be dedicated
-to that purpose alone and be stored in a physically secure
-location. The system's default proxy server software is Squid, and
-provided in an RPM package of the same name.</xccdf-1.2:description>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_disabling_squid">
-            <xccdf-1.2:title>Disable Squid if Possible</xccdf-1.2:title>
-            <xccdf-1.2:description>If Squid was installed and activated, but the system
-does not need to act as a proxy server, then it should be disabled
-and removed.</xccdf-1.2:description>
-          </xccdf-1.2:Group>
-        </xccdf-1.2:Group>
-        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_radius">
-          <xccdf-1.2:title>Remote Authentication Dial-In User Service (RADIUS)</xccdf-1.2:title>
-          <xccdf-1.2:description>Remote Authentication Dial-In User Service (RADIUS) is a networking
-protocol, operating on port 1812 that provides centralized
-Authentication, Authorization, and Accounting (AAA or Triple A)
-management for users who connect and use a network service. </xccdf-1.2:description>
-        </xccdf-1.2:Group>
-        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_rng">
-          <xccdf-1.2:title>Hardware RNG Entropy Gatherer Daemon</xccdf-1.2:title>
-          <xccdf-1.2:description>The rngd feeds random data from hardware device to kernel random device.</xccdf-1.2:description>
-          <xccdf-1.2:platform idref="#machine"/>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_service_rngd_enabled" severity="low">
-            <xccdf-1.2:title>Enable the Hardware RNG Entropy Gatherer Service</xccdf-1.2:title>
-            <xccdf-1.2:description>The Hardware RNG Entropy Gatherer service should be enabled.
-
-The <html:code>rngd</html:code> service can be enabled with the following manifest:
-<html:pre>
----
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-metadata:
-  labels:
-    machineconfiguration.openshift.io/role: master
-  name: 75-master-rngd-enable
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-      - name: rngd.service
-        enabled: true
-</html:pre>
-<html:p>
-This will enable the <html:code>rngd</html:code> service in all the
-nodes labeled with the "master" role.
-</html:p>
-<html:p>
-Note that this needs to be done for each <html:code>MachineConfigPool</html:code>
-</html:p>
-<html:p>
-For more information on how to configure nodes with the Machine Config
-Operator see
-<html:a href="https://docs.openshift.com/container-platform/4.6/post_installation_configuration/machine-configuration-tasks.html">the relevant documentation</html:a>.
-</html:p></xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_RBG_EXT.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>The <html:code>rngd</html:code> service
-feeds random data from hardware device to kernel random device.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82535-6</xccdf-1.2:ident>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-service_rngd_enabled:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-service_rngd_enabled_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-        </xccdf-1.2:Group>
-        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_routing">
-          <xccdf-1.2:title>Network Routing</xccdf-1.2:title>
-          <xccdf-1.2:description>A router is a very desirable target for a
-potential adversary because they fulfill a variety of 
-infrastructure networking roles such as access to network segments,
-gateways to other networks, filtering, etc. Therefore, if one is
-required, the system acting as a router should be dedicated
-to that purpose alone and be stored in a physically secure
-location. The system's default routing software is Quagga, and
-provided in an RPM package of the same name.</xccdf-1.2:description>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_disabling_quagga">
-            <xccdf-1.2:title>Disable Quagga if Possible</xccdf-1.2:title>
-            <xccdf-1.2:description>If Quagga was installed and activated, but the system
-does not need to act as a router, then it should be disabled
-and removed.</xccdf-1.2:description>
-          </xccdf-1.2:Group>
-        </xccdf-1.2:Group>
-        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_smb">
-          <xccdf-1.2:title>Samba(SMB) Microsoft Windows File Sharing Server</xccdf-1.2:title>
-          <xccdf-1.2:description>When properly configured, the Samba service allows
-Linux systems to provide file and print sharing to Microsoft
-Windows systems. There are two software packages that provide
-Samba support. The first, <html:code>samba-client</html:code>, provides a series of
-command line tools that enable a client system to access Samba
-shares. The second, simply labeled <html:code>samba</html:code>, provides the Samba
-service. It is this second package that allows a Linux system to
-act as an Active Directory server, a domain controller, or as a
-domain member. Only the <html:code>samba-client</html:code> package is installed by
-default.</xccdf-1.2:description>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_configuring_samba">
-            <xccdf-1.2:title>Configure Samba if Necessary</xccdf-1.2:title>
-            <xccdf-1.2:description>All settings for the Samba daemon can be found in
-<html:code>/etc/samba/smb.conf</html:code>. Settings are divided between a
-<html:code>[global]</html:code> configuration section and a series of user
-created share definition sections meant to describe file or print
-shares on the system. By default, Samba will operate in user mode
-and allow client systems to access local home directories and
-printers. It is recommended that these settings be changed or that
-additional limitations be set in place.</xccdf-1.2:description>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_package_samba-common_installed" severity="medium">
-              <xccdf-1.2:title>Install the Samba Common Package</xccdf-1.2:title>
-              <xccdf-1.2:description>The <html:code>samba-common</html:code> package should be installed.
-The <html:code>samba-common</html:code> package can be installed with the following command:
-<html:pre/></xccdf-1.2:description>
-              <xccdf-1.2:rationale>If the samba-common package is not installed, samba cannot be configured.</xccdf-1.2:rationale>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-package_samba-common_installed:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-package_samba-common_installed_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_smb_disable_printing">
-              <xccdf-1.2:title>Restrict Printer Sharing</xccdf-1.2:title>
-              <xccdf-1.2:description>By default, Samba utilizes the CUPS printing service to enable
-printer sharing with Microsoft Windows workstations. If there are no printers
-on the local system, or if printer sharing with Microsoft Windows is not
-required, disable the printer sharing capability by commenting out the
-following lines, found in <html:code>/etc/samba/smb.conf</html:code>:
-<html:pre>[global]
-  load printers = yes
-  cups options = raw
-[printers]
-  comment = All Printers
-  path = /usr/spool/samba
-  browseable = no
-  guest ok = no
-  writable = no
-  printable = yes</html:pre>
-There may be other options present, but these are the only options enabled and
-uncommented by default. Removing the <html:code>[printers]</html:code> share should be enough
-for most users.  If the Samba printer sharing capability is needed, consider
-disabling the Samba network browsing capability or restricting access to a
-particular set of users or network addresses. Set the <html:code>valid users</html:code>
-parameter to a small subset of users or restrict it to a particular group of
-users with the shorthand <html:code>@</html:code>. Separate each user or group of users with
-a space. For example, under the <html:code>[printers]</html:code> share:
-<html:pre>[printers]
-  valid users = user @printerusers</html:pre></xccdf-1.2:description>
-            </xccdf-1.2:Group>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_smb_restrict_file_sharing">
-              <xccdf-1.2:title>Restrict SMB File Sharing to Configured Networks</xccdf-1.2:title>
-              <xccdf-1.2:description>Only users with local user accounts will be able to log in to
-Samba shares by default. Shares can be limited to particular users or network
-addresses. Use the <html:code>hosts allow</html:code> and <html:code>hosts deny</html:code> directives
-accordingly, and consider setting the valid users directive to a limited subset
-of users or to a group of users. Separate each address, user, or user group
-with a space as follows for a particular <html:i>share</html:i> or global:
-<html:pre>[<html:i>share</html:i>]
-  hosts allow = 192.168.1. 127.0.0.1
-  valid users = userone usertwo @usergroup</html:pre>
-It is also possible to limit read and write access to particular users with the
-read list and write list options, though the permissions set by the system
-itself will override these settings. Set the read only attribute for each share
-to ensure that global settings will not accidentally override the individual
-share settings. Then, as with the valid users directive, separate each user or
-group of users with a space:
-<html:pre>[<html:i>share</html:i>]
-  read only = yes
-  write list = userone usertwo @usergroup</html:pre></xccdf-1.2:description>
-            </xccdf-1.2:Group>
-          </xccdf-1.2:Group>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_disabling_samba">
-            <xccdf-1.2:title>Disable Samba if Possible</xccdf-1.2:title>
-            <xccdf-1.2:description>Even after the Samba server package has been installed, it
-will remain disabled. Do not enable this service unless it is
-absolutely necessary to provide Microsoft Windows file and print
-sharing functionality.</xccdf-1.2:description>
-          </xccdf-1.2:Group>
-        </xccdf-1.2:Group>
-        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_snmp">
-          <xccdf-1.2:title>SNMP Server</xccdf-1.2:title>
-          <xccdf-1.2:description>The Simple Network Management Protocol allows
-administrators to monitor the state of network devices, including
-computers. Older versions of SNMP were well-known for weak
-security, such as plaintext transmission of the community string
-(used for authentication) and usage of easily-guessable
-choices for the community string.</xccdf-1.2:description>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_disabling_snmp_service">
-            <xccdf-1.2:title>Disable SNMP Server if Possible</xccdf-1.2:title>
-            <xccdf-1.2:description>The system includes an SNMP daemon that allows for its remote
-monitoring, though it not installed by default. If it was installed and
-activated but is not needed, the software should be disabled and removed.</xccdf-1.2:description>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_package_net-snmp_removed" severity="unknown">
-              <xccdf-1.2:title>Uninstall net-snmp Package</xccdf-1.2:title>
-              <xccdf-1.2:description>
-The <html:code>net-snmp</html:code> package provides the snmpd service.
-The <html:code>net-snmp</html:code> package can be removed with the following command:
-<html:pre/></xccdf-1.2:description>
-              <xccdf-1.2:rationale>If there is no need to run SNMP server software,
-removing the package provides a safeguard against its
-activation.</xccdf-1.2:rationale>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-package_net-snmp_removed:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-package_net-snmp_removed_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-          </xccdf-1.2:Group>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_snmp_configure_server">
-            <xccdf-1.2:title>Configure SNMP Server if Necessary</xccdf-1.2:title>
-            <xccdf-1.2:description>If it is necessary to run the snmpd agent on the system, some best
-practices should be followed to minimize the security risk from the
-installation. The multiple security models implemented by SNMP cannot be fully
-covered here so only the following general configuration advice can be offered:
-<html:ul><html:li>use only SNMP version 3 security models and enable the use of authentication and encryption</html:li><html:li>write access to the MIB (Management Information Base) should be allowed only if necessary</html:li><html:li>all access to the MIB should be restricted following a principle of least privilege</html:li><html:li>network access should be limited to the maximum extent possible including restricting to expected network
-addresses both in the configuration files and in the system firewall rules</html:li><html:li>ensure SNMP agents send traps only to, and accept SNMP queries only from, authorized management
-stations</html:li><html:li>ensure that permissions on the <html:code>snmpd.conf</html:code> configuration file (by default, in <html:code>/etc/snmp</html:code>) are 640 or more restrictive</html:li><html:li>ensure that any MIB files' permissions are also 640 or more restrictive</html:li></html:ul></xccdf-1.2:description>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_snmpd_ro_string" type="string" interactive="true">
-              <xccdf-1.2:title>SNMP read-only community string</xccdf-1.2:title>
-              <xccdf-1.2:description>Specify the SNMP community string used for read-only access.</xccdf-1.2:description>
-              <xccdf-1.2:value>changemero</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_snmpd_rw_string" type="string" interactive="true">
-              <xccdf-1.2:title>SNMP read-write community string</xccdf-1.2:title>
-              <xccdf-1.2:description>Specify the SNMP community string used for read-write access.</xccdf-1.2:description>
-              <xccdf-1.2:value>changemerw</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-          </xccdf-1.2:Group>
-        </xccdf-1.2:Group>
-        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_ssh">
-          <xccdf-1.2:title>SSH Server</xccdf-1.2:title>
-          <xccdf-1.2:description>The SSH protocol is recommended for remote login and
-remote file transfer. SSH provides confidentiality and integrity
-for data exchanged between two systems, as well as server
-authentication, through the use of public key cryptography. The
-implementation included with the system is called OpenSSH, and more
-detailed documentation is available from its website,
-
-    <html:a href="https://www.openssh.com">https://www.openssh.com</html:a>.
-Its server program is called <html:code>sshd</html:code> and provided by the RPM package
-<html:code>openssh-server</html:code>.</xccdf-1.2:description>
-          <xccdf-1.2:platform idref="#machine"/>
-          <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_firewalld_sshd_zone" type="string">
-            <xccdf-1.2:title>SSH enabled firewalld zone</xccdf-1.2:title>
-            <xccdf-1.2:description>Specify firewalld zone to enable SSH service. This value is used only for remediation purposes.</xccdf-1.2:description>
-            <xccdf-1.2:value selector="block">block</xccdf-1.2:value>
-            <xccdf-1.2:value>public</xccdf-1.2:value>
-            <xccdf-1.2:value selector="dmz">dmz</xccdf-1.2:value>
-            <xccdf-1.2:value selector="drop">drop</xccdf-1.2:value>
-            <xccdf-1.2:value selector="external">external</xccdf-1.2:value>
-            <xccdf-1.2:value selector="home">home</xccdf-1.2:value>
-            <xccdf-1.2:value selector="internal">internal</xccdf-1.2:value>
-            <xccdf-1.2:value selector="public">public</xccdf-1.2:value>
-            <xccdf-1.2:value selector="trusted">trusted</xccdf-1.2:value>
-            <xccdf-1.2:value selector="work">work</xccdf-1.2:value>
-          </xccdf-1.2:Value>
-          <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_sshd_approved_ciphers" type="string">
-            <xccdf-1.2:title>SSH Approved ciphers by FIPS</xccdf-1.2:title>
-            <xccdf-1.2:description>Specify the FIPS approved ciphers that are used for data integrity protection by the SSH server.</xccdf-1.2:description>
-            <xccdf-1.2:value selector="stig">aes256-ctr,aes192-ctr,aes128-ctr</xccdf-1.2:value>
-            <xccdf-1.2:value>aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se</xccdf-1.2:value>
-            <xccdf-1.2:value selector="cis_rhel7">chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc</xccdf-1.2:value>
-            <xccdf-1.2:value selector="cis_sle12">chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc</xccdf-1.2:value>
-            <xccdf-1.2:value selector="cis_sle15">chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc</xccdf-1.2:value>
-            <xccdf-1.2:value selector="cis_alinux2">chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr</xccdf-1.2:value>
-          </xccdf-1.2:Value>
-          <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_sshd_approved_macs" type="string">
-            <xccdf-1.2:title>SSH Approved MACs by FIPS</xccdf-1.2:title>
-            <xccdf-1.2:description>Specify the FIPS approved MACs (message authentication code) algorithms
-	that are used for data integrity protection by the SSH server.</xccdf-1.2:description>
-            <xccdf-1.2:value selector="stig">hmac-sha2-512,hmac-sha2-256</xccdf-1.2:value>
-            <xccdf-1.2:value>hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-sha1-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com</xccdf-1.2:value>
-            <xccdf-1.2:value selector="cis_rhel7">umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-etm@openssh.com</xccdf-1.2:value>
-            <xccdf-1.2:value selector="cis_sle12">umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-etm@openssh.com</xccdf-1.2:value>
-            <xccdf-1.2:value selector="cis_sle15">umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-etm@openssh.com</xccdf-1.2:value>
-            <xccdf-1.2:value selector="cis_alinux2">hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256</xccdf-1.2:value>
-          </xccdf-1.2:Value>
-          <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_sshd_idle_timeout_value" type="number">
-            <xccdf-1.2:title>SSH session Idle time</xccdf-1.2:title>
-            <xccdf-1.2:description>Specify duration of allowed idle time.</xccdf-1.2:description>
-            <xccdf-1.2:value selector="10_minutes">600</xccdf-1.2:value>
-            <xccdf-1.2:value selector="120_minutes">7200</xccdf-1.2:value>
-            <xccdf-1.2:value selector="14_minutes">840</xccdf-1.2:value>
-            <xccdf-1.2:value selector="15_minutes">900</xccdf-1.2:value>
-            <xccdf-1.2:value selector="30_minutes">1800</xccdf-1.2:value>
-            <xccdf-1.2:value selector="5_minutes">300</xccdf-1.2:value>
-            <xccdf-1.2:value selector="60_minutes">3600</xccdf-1.2:value>
-            <xccdf-1.2:value>300</xccdf-1.2:value>
-          </xccdf-1.2:Value>
-          <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_sshd_listening_port" type="number">
-            <xccdf-1.2:title>SSH Server Listening Port</xccdf-1.2:title>
-            <xccdf-1.2:description>Specify port the SSH server is listening.</xccdf-1.2:description>
-            <xccdf-1.2:value>22</xccdf-1.2:value>
-          </xccdf-1.2:Value>
-          <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_sshd_max_auth_tries_value" type="number">
-            <xccdf-1.2:title>SSH Max authentication attempts</xccdf-1.2:title>
-            <xccdf-1.2:description>Specify the maximum number of authentication attempts per connection.</xccdf-1.2:description>
-            <xccdf-1.2:value selector="10">10</xccdf-1.2:value>
-            <xccdf-1.2:value selector="3">3</xccdf-1.2:value>
-            <xccdf-1.2:value selector="4">4</xccdf-1.2:value>
-            <xccdf-1.2:value selector="5">5</xccdf-1.2:value>
-            <xccdf-1.2:value>4</xccdf-1.2:value>
-          </xccdf-1.2:Value>
-          <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_sshd_required" type="number">
-            <xccdf-1.2:title>SSH is required to be installed</xccdf-1.2:title>
-            <xccdf-1.2:description>Specify if the Policy requires SSH to be installed. Used by SSH Rules
-to determine if SSH should be uninstalled or configured.<html:br/>
-A value of 0 means that the policy doesn't care if OpenSSH server is installed or not. If it is installed, scanner will check for it's configuration, if it's not installed, the check will pass.<html:br/>
-A value of 1 indicates that OpenSSH server package is not required by the policy;<html:br/>
-A value of 2 indicates that OpenSSH server package is required by the policy.<html:br/></xccdf-1.2:description>
-            <xccdf-1.2:value>0</xccdf-1.2:value>
-            <xccdf-1.2:value selector="no">1</xccdf-1.2:value>
-            <xccdf-1.2:value selector="yes">2</xccdf-1.2:value>
-          </xccdf-1.2:Value>
-          <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_sshd_max_sessions" type="number">
-            <xccdf-1.2:title>SSH Max Sessions Count</xccdf-1.2:title>
-            <xccdf-1.2:description>Specify the maximum number of open sessions permitted.</xccdf-1.2:description>
-            <xccdf-1.2:value selector="10">10</xccdf-1.2:value>
-            <xccdf-1.2:value selector="4">4</xccdf-1.2:value>
-            <xccdf-1.2:value selector="3">3</xccdf-1.2:value>
-            <xccdf-1.2:value selector="2">2</xccdf-1.2:value>
-            <xccdf-1.2:value selector="1">1</xccdf-1.2:value>
-            <xccdf-1.2:value selector="0">0</xccdf-1.2:value>
-            <xccdf-1.2:value>10</xccdf-1.2:value>
-          </xccdf-1.2:Value>
-          <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_sshd_set_keepalive" type="number">
-            <xccdf-1.2:title>SSH Max Keep Alive Count</xccdf-1.2:title>
-            <xccdf-1.2:description>Specify the maximum number of idle message counts before session is terminated.</xccdf-1.2:description>
-            <xccdf-1.2:value selector="10">10</xccdf-1.2:value>
-            <xccdf-1.2:value selector="3">3</xccdf-1.2:value>
-            <xccdf-1.2:value selector="5">5</xccdf-1.2:value>
-            <xccdf-1.2:value selector="0">0</xccdf-1.2:value>
-            <xccdf-1.2:value selector="1">1</xccdf-1.2:value>
-            <xccdf-1.2:value>0</xccdf-1.2:value>
-          </xccdf-1.2:Value>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_package_openssh-server_installed" severity="medium">
-            <xccdf-1.2:title>Install the OpenSSH Server Package</xccdf-1.2:title>
-            <xccdf-1.2:description>The <html:code>openssh-server</html:code> package should be installed.
-The <html:code>openssh-server</html:code> package can be installed with the following command:
-<html:pre/></xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002418</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002420</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002421</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002422</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_UAU.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FTP_ITC_EXT.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_SSH_EXT.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_SSHS_EXT.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000423-GPOS-00187</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000424-GPOS-00188</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000425-GPOS-00189</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000426-GPOS-00190</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Without protection of the transmitted information, confidentiality, and
-integrity may be compromised because unprotected communications can be
-intercepted and either read or altered.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-package_openssh-server_installed:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-package_openssh-server_installed_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_package_openssh-server_removed" severity="medium">
-            <xccdf-1.2:title>Remove the OpenSSH Server Package</xccdf-1.2:title>
-            <xccdf-1.2:description>The <html:code>openssh-server</html:code> package should be removed.
-The <html:code>openssh-server</html:code> package can be removed with the following command:
-<html:pre/></xccdf-1.2:description>
-            <xccdf-1.2:rationale>Without protection of the transmitted information, confidentiality, and
-integrity may be compromised because unprotected communications can be
-intercepted and either read or altered.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-package_openssh-server_removed:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-package_openssh-server_removed_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_service_sshd_disabled" severity="unknown">
-            <xccdf-1.2:title>Disable SSH Server If Possible (Unusual)</xccdf-1.2:title>
-            <xccdf-1.2:description>The SSH server service, sshd, is commonly needed.
-However, if it can be disabled, do so.
-
-
-The <html:code>sshd</html:code> service can be disabled with the following manifest:
-<html:pre>
----
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-metadata:
-  labels:
-    machineconfiguration.openshift.io/role: master
-  name: 75-master-sshd-disable
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-      - enabled: false
-        name: sshd.service
-</html:pre>
-<html:p>
-This will disable the <html:code>sshd</html:code> service in all the
-nodes labeled with the "master" role.
-</html:p>
-<html:p>
-Note that this needs to be done for each <html:code>MachineConfigPool</html:code>
-</html:p>
-<html:p>
-For more information on how to configure nodes with the Machine Config
-Operator see
-<html:a href="https://docs.openshift.com/container-platform/4.6/post_installation_configuration/machine-configuration-tasks.html">the relevant documentation</html:a>.
-</html:p>
-
-
-This is unusual, as SSH is a common method for encrypted and authenticated
-remote access.</xccdf-1.2:description>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-3(6)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-2(4)</xccdf-1.2:reference>
-            <xccdf-1.2:rationale/>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:fix system="urn:xccdf:fix:script:ignition" id="service_sshd_disabled" complexity="low" disruption="medium" reboot="true" strategy="disable">apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-      - name: sshd.service
-        enabled: false
-        mask: true
-      - name: sshd.socket
-        enabled: false
-        mask: true
-</xccdf-1.2:fix>
-            <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="service_sshd_disabled" complexity="low" disruption="medium" reboot="true" strategy="disable">apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-      - name: sshd.service
-        enabled: false
-        mask: true
-      - name: sshd.socket
-        enabled: false
-        mask: true
-</xccdf-1.2:fix>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-service_sshd_disabled:def:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_groupowner_sshd_config" severity="medium">
-            <xccdf-1.2:title>Verify Group Who Owns SSH Server config file</xccdf-1.2:title>
-            <xccdf-1.2:description>
-To properly set the group owner of <html:code>/etc/ssh/sshd_config</html:code>, run the command:
-<html:pre>$ sudo chgrp root /etc/ssh/sshd_config</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Service configuration files enable or disable features of their respective
-services that if configured incorrectly can lead to insecure and vulnerable
-configurations. Therefore, service configuration files should be owned by the
-correct group to prevent unauthorized changes.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-file_groupowner_sshd_config:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-file_groupowner_sshd_config_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_owner_sshd_config" severity="medium">
-            <xccdf-1.2:title>Verify Owner on SSH Server config file</xccdf-1.2:title>
-            <xccdf-1.2:description>
-To properly set the owner of <html:code>/etc/ssh/sshd_config</html:code>, run the command:
-<html:pre>$ sudo chown root /etc/ssh/sshd_config </html:pre></xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Service configuration files enable or disable features of their respective
-services that if configured incorrectly can lead to insecure and vulnerable
-configurations. Therefore, service configuration files should be owned by the
-correct group to prevent unauthorized changes.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-file_owner_sshd_config:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-file_owner_sshd_config_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_sshd_config" severity="medium">
-            <xccdf-1.2:title>Verify Permissions on SSH Server config file</xccdf-1.2:title>
-            <xccdf-1.2:description>
-To properly set the permissions of <html:code>/etc/ssh/sshd_config</html:code>, run the command:
-<html:pre>$ sudo chmod 0600 /etc/ssh/sshd_config</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Service configuration files enable or disable features of their respective
-services that if configured incorrectly can lead to insecure and vulnerable
-configurations. Therefore, service configuration files should be owned by the
-correct group to prevent unauthorized changes.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-file_permissions_sshd_config:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-file_permissions_sshd_config_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key" severity="medium">
-            <xccdf-1.2:title>Verify Permissions on SSH Server Private *_key Key Files</xccdf-1.2:title>
-            <xccdf-1.2:description>SSH server private keys - files that match the <html:code>/etc/ssh/*_key</html:code> glob, have to have restricted permissions.
-If those files are owned by the <html:code>root</html:code> user and the <html:code>root</html:code> group, they have to have the <html:code>0640</html:code> permission or stricter.
-If they are owned by the <html:code>root</html:code> user, but by a dedicated group <html:code>ssh_keys</html:code>, they can have the <html:code>0640</html:code> permission or stricter.</xccdf-1.2:description>
-            <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R36)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.13.10</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>If an unauthorized user obtains the private SSH host key file, the host could be
-impersonated.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-file_permissions_sshd_private_key:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-file_permissions_sshd_private_key_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key" severity="medium">
-            <xccdf-1.2:title>Verify Permissions on SSH Server Public *.pub Key Files</xccdf-1.2:title>
-            <xccdf-1.2:description> To properly set the permissions of <html:code>/etc/ssh/*.pub</html:code>, run the command: <html:pre>$ sudo chmod 0644 /etc/ssh/*.pub</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.13.10</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(1)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>If a public host key file is modified by an unauthorized user, the SSH service
-may be compromised.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-file_permissions_sshd_pub_key:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-file_permissions_sshd_pub_key_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_iptables_sshd_disabled" severity="unknown">
-            <xccdf-1.2:title>Remove SSH Server iptables Firewall exception (Unusual)</xccdf-1.2:title>
-            <xccdf-1.2:description>By default, inbound connections to SSH's port are allowed. If the SSH
-server is not being used, this exception should be removed from the
-firewall configuration.
-<html:br/><html:br/>
-Edit the files <html:code>/etc/sysconfig/iptables</html:code> and
-<html:code>/etc/sysconfig/ip6tables</html:code> (if IPv6 is in use). In each file, locate
-and delete the line:
-<html:pre>-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT</html:pre>
-This is unusual, as SSH is a common method for encrypted and authenticated
-remote access.</xccdf-1.2:description>
-            <xccdf-1.2:rationale>If inbound SSH connections are not expected, disallowing access to the SSH
-port will avoid possible exploitation of the port by an attacker.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_ssh_client">
-            <xccdf-1.2:title>Configure OpenSSH Client if Necessary</xccdf-1.2:title>
-            <xccdf-1.2:description>The following configuration changes apply to the SSH client. They can
-improve security parameters relwevant to the client user, e.g. increasing
-entropy while generating initialization vectors. Note that these changes
-influence only the default SSH client configuration. Changes in this group
-can be overridden by the client user by modifying files within the
-<html:pre>~/.ssh</html:pre> directory or by supplying parameters on the command line.</xccdf-1.2:description>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_ssh_client_rekey_limit" severity="medium">
-              <xccdf-1.2:title>Configure session renegotiation for SSH client</xccdf-1.2:title>
-              <xccdf-1.2:description>The <html:code>RekeyLimit</html:code> parameter specifies how often
-the session key is renegotiated, both in terms of
-amount of data that may be transmitted and the time
-elapsed. To decrease the default limits, put line
-<html:code>RekeyLimit <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_ssh_client_rekey_limit_size" use="legacy"/> <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_ssh_client_rekey_limit_time" use="legacy"/></html:code> to file <html:code>/etc/ssh/ssh_config.d/02-rekey-limit.conf</html:code>.
-Make sure that there is no other <html:code>RekeyLimit</html:code> configuration preceding
-the <html:code>include</html:code> directive in the main config file
-<html:code>/etc/ssh/ssh_config</html:code>. Check also other files in
-<html:code>/etc/ssh/ssh_config.d</html:code> directory. Files are processed according to
-lexicographical order of file names. Make sure that there is no file
-processed before <html:code>02-rekey-limit.conf</html:code> containing definition of
-<html:code>RekeyLimit</html:code>.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000068</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_SSH_EXT.1.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000423-GPOS-00187</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000033-GPOS-00014</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000424-GPOS-00188</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>By decreasing the limit based on the amount of data and enabling
-time-based limit, effects of potential attacks against
-encryption keys are limited.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-export export-name="oval:ssg-var_ssh_client_rekey_limit_time:var:1" value-id="xccdf_org.ssgproject.content_value_var_ssh_client_rekey_limit_time"/>
-                <xccdf-1.2:check-export export-name="oval:ssg-var_ssh_client_rekey_limit_size:var:1" value-id="xccdf_org.ssgproject.content_value_var_ssh_client_rekey_limit_size"/>
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-ssh_client_rekey_limit:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-ssh_client_rekey_limit_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-          </xccdf-1.2:Group>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_ssh_server">
-            <xccdf-1.2:title>Configure OpenSSH Server if Necessary</xccdf-1.2:title>
-            <xccdf-1.2:description>If the system needs to act as an SSH server, then
-certain changes should be made to the OpenSSH daemon configuration
-file <html:code>/etc/ssh/sshd_config</html:code>. The following recommendations can be
-applied to this file. See the <html:code>sshd_config(5)</html:code> man page for more
-detailed information.</xccdf-1.2:description>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_rekey_limit_size" type="string">
-              <xccdf-1.2:title>SSH RekeyLimit - size</xccdf-1.2:title>
-              <xccdf-1.2:description>Specify the size component of the rekey limit.</xccdf-1.2:description>
-              <xccdf-1.2:value selector="sshd_default">default</xccdf-1.2:value>
-              <xccdf-1.2:value>512M</xccdf-1.2:value>
-              <xccdf-1.2:value selector="512M">512M</xccdf-1.2:value>
-              <xccdf-1.2:value selector="1G">1G</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_rekey_limit_time" type="string">
-              <xccdf-1.2:title>SSH RekeyLimit - size</xccdf-1.2:title>
-              <xccdf-1.2:description>Specify the size component of the rekey limit.</xccdf-1.2:description>
-              <xccdf-1.2:value selector="sshd_default">none</xccdf-1.2:value>
-              <xccdf-1.2:value>1h</xccdf-1.2:value>
-              <xccdf-1.2:value selector="1hour">1h</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_sshd_disable_compression" type="string">
-              <xccdf-1.2:title>SSH Compression Setting</xccdf-1.2:title>
-              <xccdf-1.2:description>Specify the compression setting for SSH connections.</xccdf-1.2:description>
-              <xccdf-1.2:value selector="no">no</xccdf-1.2:value>
-              <xccdf-1.2:value selector="delayed">delayed</xccdf-1.2:value>
-              <xccdf-1.2:value>no</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_sshd_priv_separation" type="string">
-              <xccdf-1.2:title>SSH Privilege Separation Setting</xccdf-1.2:title>
-              <xccdf-1.2:description>Specify whether and how sshd separates privileges when handling incoming network connections.</xccdf-1.2:description>
-              <xccdf-1.2:value selector="no">no</xccdf-1.2:value>
-              <xccdf-1.2:value selector="yes">yes</xccdf-1.2:value>
-              <xccdf-1.2:value selector="sandbox">sandbox</xccdf-1.2:value>
-              <xccdf-1.2:value>sandbox</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_sshd_set_login_grace_time" type="number" interactive="true">
-              <xccdf-1.2:title>SSH LoginGraceTime setting</xccdf-1.2:title>
-              <xccdf-1.2:description>Configure parameters for how long the servers stays connected before the user has successfully logged in</xccdf-1.2:description>
-              <xccdf-1.2:value>60</xccdf-1.2:value>
-              <xccdf-1.2:value selector="60">60</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_sshd_set_maxstartups" type="string" interactive="true">
-              <xccdf-1.2:title>SSH MaxStartups setting</xccdf-1.2:title>
-              <xccdf-1.2:description>Configure parameters for maximum concurrent unauthenticated connections to the SSH daemon.</xccdf-1.2:description>
-              <xccdf-1.2:value>10:30:100</xccdf-1.2:value>
-              <xccdf-1.2:value selector="10:30:60">10:30:60</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive_0" severity="medium">
-              <xccdf-1.2:title>Set SSH Client Alive Count Max to zero</xccdf-1.2:title>
-              <xccdf-1.2:description>The SSH server sends at most <html:code>ClientAliveCountMax</html:code> messages
-during a SSH session and waits for a response from the SSH client.
-The option <html:code>ClientAliveInterval</html:code> configures timeout after
-each <html:code>ClientAliveCountMax</html:code> message. If the SSH server does not
-receive a response from the client, then the connection is considered idle
-and terminated.
-
-To ensure the SSH idle timeout occurs precisely when the
-<html:code>ClientAliveInterval</html:code> is set, set the <html:code>ClientAliveCountMax</html:code> to
-value of <html:code>0</html:code> in
-
-
-<html:code>/etc/ssh/sshd_config</html:code>:</xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000879</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001133</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002361</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.18.1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-8.1.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000126-GPOS-00066</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000163-GPOS-00072</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000279-GPOS-00109</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000480-VMM-002000</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>This ensures a user login will be terminated as soon as the <html:code>ClientAliveInterval</html:code>
-is reached.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:requires idref="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-83406-9</xccdf-1.2:ident>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="sshd_set_keepalive_0" complexity="low" disruption="low" reboot="false" strategy="restrict">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ %0A%23%09%24OpenBSD%3A%20sshd_config%2Cv%201.103%202018/04/09%2020%3A41%3A22%20tj%20Exp%20%24%0A%0A%23%20This%20is%20the%20sshd%20server%20system-wide%20configuration%20file.%20%20See%0A%23%20sshd_config%285%29%20for%20more%20information.%0A%0A%23%20This%20sshd%20was%20compiled%20with%20PATH%3D/usr/local/bin%3A/usr/bin%3A/usr/local/sbin%3A/usr/sbin%0A%0A%23%20The%20strategy%20used%20for%20options%20in%20the%20default%20sshd_config%20shipped%20with%0A%23%20OpenSSH%20is%20to%20specify%20options%20with%20their%20default%20value%20where%0A%23%20possible%2C%20but%20leave%20them%20commented.%20%20Uncommented%20options%20override%20the%0A%23%20default%20value.%0A%0A%23%20If%20you%20want%20to%20change%20the%20port%20on%20a%20SELinux%20system%2C%20you%20have%20to%20tell%0A%23%20SELinux%20about%20this%20change.%0A%23%20semanage%20port%20-a%20-t%20ssh_port_t%20-p%20tcp%20%23PORTNUMBER%0A%23%0A%23Port%2022%0A%23AddressFamily%20any%0A%23ListenAddress%200.0.0.0%0A%23ListenAddress%20%3A%3A%0A%0AHostKey%20/etc/ssh/ssh_host_rsa_key%0AHostKey%20/etc/ssh/ssh_host_ecdsa_key%0AHostKey%20/etc/ssh/ssh_host_ed25519_key%0A%0A%23%20Ciphers%20and%20keying%0ARekeyLimit%20%7B%7B.var_rekey_limit_size%7D%7D%20%7B%7B.var_rekey_limit_time%7D%7D%0A%0A%23%20System-wide%20Crypto%20policy%3A%0A%23%20This%20system%20is%20following%20system-wide%20crypto%20policy.%20The%20changes%20to%0A%23%20Ciphers%2C%20MACs%2C%20KexAlgoritms%20and%20GSSAPIKexAlgorithsm%20will%20not%20have%20any%0A%23%20effect%20here.%20They%20will%20be%20overridden%20by%20command-line%20options%20passed%20on%0A%23%20the%20server%20start%20up.%0A%23%20To%20opt%20out%2C%20uncomment%20a%20line%20with%20redefinition%20of%20%20CRYPTO_POLICY%3D%0A%23%20variable%20in%20%20/etc/sysconfig/sshd%20%20to%20overwrite%20the%20policy.%0A%23%20For%20more%20information%2C%20see%20manual%20page%20for%20update-crypto-policies%288%29.%0A%0A%23%20Logging%0A%23SyslogFacility%20AUTH%0ASyslogFacility%20AUTHPRIV%0A%23LogLevel%20INFO%0A%0A%23%20Authentication%3A%0A%0A%23LoginGraceTime%20%7B%7B.var_sshd_set_login_grace_time%7D%7D%0APermitRootLogin%20no%0AStrictModes%20yes%0A%23MaxAuthTries%206%0A%23MaxSessions%2010%0A%0APubkeyAuthentication%20yes%0A%0A%23%20The%20default%20is%20to%20check%20both%20.ssh/authorized_keys%20and%20.ssh/authorized_keys2%0A%23%20but%20this%20is%20overridden%20so%20installations%20will%20only%20check%20.ssh/authorized_keys%0AAuthorizedKeysFile%09.ssh/authorized_keys%0A%0A%23AuthorizedPrincipalsFile%20none%0A%0A%23AuthorizedKeysCommand%20none%0A%23AuthorizedKeysCommandUser%20nobody%0A%0A%23%20For%20this%20to%20work%20you%20will%20also%20need%20host%20keys%20in%20/etc/ssh/ssh_known_hosts%0AHostbasedAuthentication%20no%0A%23%20Change%20to%20yes%20if%20you%20don%27t%20trust%20~/.ssh/known_hosts%20for%0A%23%20HostbasedAuthentication%0AIgnoreUserKnownHosts%20yes%0A%23%20Don%27t%20read%20the%20user%27s%20~/.rhosts%20and%20~/.shosts%20files%0AIgnoreRhosts%20yes%0A%0A%23%20To%20disable%20tunneled%20clear%20text%20passwords%2C%20change%20to%20no%20here%21%0A%23PasswordAuthentication%20yes%0APermitEmptyPasswords%20no%0APasswordAuthentication%20no%0A%0A%23%20Change%20to%20no%20to%20disable%20s/key%20passwords%0A%23ChallengeResponseAuthentication%20yes%0AChallengeResponseAuthentication%20no%0A%0A%23%20Kerberos%20options%0AKerberosAuthentication%20no%0A%23KerberosOrLocalPasswd%20yes%0A%23KerberosTicketCleanup%20yes%0A%23KerberosGetAFSToken%20no%0A%23KerberosUseKuserok%20yes%0A%0A%23%20GSSAPI%20options%0AGSSAPIAuthentication%20no%0AGSSAPICleanupCredentials%20no%0A%23GSSAPIStrictAcceptorCheck%20yes%0A%23GSSAPIKeyExchange%20no%0A%23GSSAPIEnablek5users%20no%0A%0A%23%20Set%20this%20to%20%27yes%27%20to%20enable%20PAM%20authentication%2C%20account%20processing%2C%0A%23%20and%20session%20processing.%20If%20this%20is%20enabled%2C%20PAM%20authentication%20will%0A%23%20be%20allowed%20through%20the%20ChallengeResponseAuthentication%20and%0A%23%20PasswordAuthentication.%20%20Depending%20on%20your%20PAM%20configuration%2C%0A%23%20PAM%20authentication%20via%20ChallengeResponseAuthentication%20may%20bypass%0A%23%20the%20setting%20of%20%22PermitRootLogin%20without-password%22.%0A%23%20If%20you%20just%20want%20the%20PAM%20account%20and%20session%20checks%20to%20run%20without%0A%23%20PAM%20authentication%2C%20then%20enable%20this%20but%20set%20PasswordAuthentication%0A%23%20and%20ChallengeResponseAuthentication%20to%20%27no%27.%0A%23%20WARNING%3A%20%27UsePAM%20no%27%20is%20not%20supported%20in%20Fedora%20and%20may%20cause%20several%0A%23%20problems.%0AUsePAM%20yes%0A%0A%23AllowAgentForwarding%20yes%0A%23AllowTcpForwarding%20yes%0A%23GatewayPorts%20no%0AX11Forwarding%20yes%0A%23X11DisplayOffset%2010%0A%23X11UseLocalhost%20yes%0A%23PermitTTY%20yes%0A%0A%23%20It%20is%20recommended%20to%20use%20pam_motd%20in%20/etc/pam.d/sshd%20instead%20of%20PrintMotd%2C%0A%23%20as%20it%20is%20more%20configurable%20and%20versatile%20than%20the%20built-in%20version.%0APrintMotd%20no%0A%0APrintLastLog%20yes%0A%23TCPKeepAlive%20yes%0APermitUserEnvironment%20no%0ACompression%20%7B%7B.var_sshd_disable_compression%7D%7D%0AClientAliveInterval%20%7B%7B.sshd_idle_timeout_value%7D%7D%0AClientAliveCountMax%20%7B%7B.var_sshd_set_keepalive%7D%7D%0A%23UseDNS%20no%0A%23PidFile%20/var/run/sshd.pid%0A%23MaxStartups%2010%3A30%3A100%0A%23PermitTunnel%20no%0A%23ChrootDirectory%20none%0A%23VersionAddendum%20none%0A%0A%23%20no%20default%20banner%20path%0ABanner%20/etc/issue%0A%0A%23%20Accept%20locale-related%20environment%20variables%0AAcceptEnv%20LANG%20LC_CTYPE%20LC_NUMERIC%20LC_TIME%20LC_COLLATE%20LC_MONETARY%20LC_MESSAGES%0AAcceptEnv%20LC_PAPER%20LC_NAME%20LC_ADDRESS%20LC_TELEPHONE%20LC_MEASUREMENT%0AAcceptEnv%20LC_IDENTIFICATION%20LC_ALL%20LANGUAGE%0AAcceptEnv%20XMODIFIERS%0A%0A%23%20override%20default%20of%20no%20subsystems%0ASubsystem%09sftp%09/usr/libexec/openssh/sftp-server%0A%0A%23%20Example%20of%20overriding%20settings%20on%20a%20per-user%20basis%0A%23Match%20User%20anoncvs%0A%23%09X11Forwarding%20no%0A%23%09AllowTcpForwarding%20no%0A%23%09PermitTTY%20no%0A%23%09ForceCommand%20cvs%20server%0A%0AUsePrivilegeSeparation%20%7B%7B.var_sshd_priv_separation%7D%7D }}
-        mode: 0600
-        path: /etc/ssh/sshd_config
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-export export-name="oval:ssg-sshd_required:var:1" value-id="xccdf_org.ssgproject.content_value_sshd_required"/>
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sshd_set_keepalive_0:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sshd_set_keepalive_0_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sshd_set_keepalive" severity="medium">
-              <xccdf-1.2:title>Set SSH Client Alive Count Max</xccdf-1.2:title>
-              <xccdf-1.2:description>The SSH server sends at most <html:code>ClientAliveCountMax</html:code> messages
-during a SSH session and waits for a response from the SSH client.
-The option <html:code>ClientAliveInterval</html:code> configures timeout after
-each <html:code>ClientAliveCountMax</html:code> message. If the SSH server does not
-receive a response from the client, then the connection is considered idle
-and terminated.
-For SSH earlier than v8.2, a <html:code>ClientAliveCountMax</html:code> value of <html:code>0</html:code>
-causes an idle timeout precisely when the <html:code>ClientAliveInterval</html:code> is set.
-Starting with v8.2, a value of <html:code>0</html:code> disables the timeout functionality
-completely. If the option is set to a number greater than <html:code>0</html:code>, then
-the idle session will be disconnected after
-<html:code>ClientAliveInterval * ClientAliveCountMax</html:code> seconds.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R29)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000879</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001133</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002361</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.18.1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-8.1.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000163-GPOS-00072</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000279-GPOS-00109</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000480-VMM-002000</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>This ensures a user login will be terminated as soon as the <html:code>ClientAliveInterval</html:code>
-is reached.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:requires idref="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82464-9</xccdf-1.2:ident>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="sshd_set_keepalive" complexity="low" disruption="low" reboot="false" strategy="restrict">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ %0A%23%09%24OpenBSD%3A%20sshd_config%2Cv%201.103%202018/04/09%2020%3A41%3A22%20tj%20Exp%20%24%0A%0A%23%20This%20is%20the%20sshd%20server%20system-wide%20configuration%20file.%20%20See%0A%23%20sshd_config%285%29%20for%20more%20information.%0A%0A%23%20This%20sshd%20was%20compiled%20with%20PATH%3D/usr/local/bin%3A/usr/bin%3A/usr/local/sbin%3A/usr/sbin%0A%0A%23%20The%20strategy%20used%20for%20options%20in%20the%20default%20sshd_config%20shipped%20with%0A%23%20OpenSSH%20is%20to%20specify%20options%20with%20their%20default%20value%20where%0A%23%20possible%2C%20but%20leave%20them%20commented.%20%20Uncommented%20options%20override%20the%0A%23%20default%20value.%0A%0A%23%20If%20you%20want%20to%20change%20the%20port%20on%20a%20SELinux%20system%2C%20you%20have%20to%20tell%0A%23%20SELinux%20about%20this%20change.%0A%23%20semanage%20port%20-a%20-t%20ssh_port_t%20-p%20tcp%20%23PORTNUMBER%0A%23%0A%23Port%2022%0A%23AddressFamily%20any%0A%23ListenAddress%200.0.0.0%0A%23ListenAddress%20%3A%3A%0A%0AHostKey%20/etc/ssh/ssh_host_rsa_key%0AHostKey%20/etc/ssh/ssh_host_ecdsa_key%0AHostKey%20/etc/ssh/ssh_host_ed25519_key%0A%0A%23%20Ciphers%20and%20keying%0ARekeyLimit%20%7B%7B.var_rekey_limit_size%7D%7D%20%7B%7B.var_rekey_limit_time%7D%7D%0A%0A%23%20System-wide%20Crypto%20policy%3A%0A%23%20This%20system%20is%20following%20system-wide%20crypto%20policy.%20The%20changes%20to%0A%23%20Ciphers%2C%20MACs%2C%20KexAlgoritms%20and%20GSSAPIKexAlgorithsm%20will%20not%20have%20any%0A%23%20effect%20here.%20They%20will%20be%20overridden%20by%20command-line%20options%20passed%20on%0A%23%20the%20server%20start%20up.%0A%23%20To%20opt%20out%2C%20uncomment%20a%20line%20with%20redefinition%20of%20%20CRYPTO_POLICY%3D%0A%23%20variable%20in%20%20/etc/sysconfig/sshd%20%20to%20overwrite%20the%20policy.%0A%23%20For%20more%20information%2C%20see%20manual%20page%20for%20update-crypto-policies%288%29.%0A%0A%23%20Logging%0A%23SyslogFacility%20AUTH%0ASyslogFacility%20AUTHPRIV%0A%23LogLevel%20INFO%0A%0A%23%20Authentication%3A%0A%0A%23LoginGraceTime%20%7B%7B.var_sshd_set_login_grace_time%7D%7D%0APermitRootLogin%20no%0AStrictModes%20yes%0A%23MaxAuthTries%206%0A%23MaxSessions%2010%0A%0APubkeyAuthentication%20yes%0A%0A%23%20The%20default%20is%20to%20check%20both%20.ssh/authorized_keys%20and%20.ssh/authorized_keys2%0A%23%20but%20this%20is%20overridden%20so%20installations%20will%20only%20check%20.ssh/authorized_keys%0AAuthorizedKeysFile%09.ssh/authorized_keys%0A%0A%23AuthorizedPrincipalsFile%20none%0A%0A%23AuthorizedKeysCommand%20none%0A%23AuthorizedKeysCommandUser%20nobody%0A%0A%23%20For%20this%20to%20work%20you%20will%20also%20need%20host%20keys%20in%20/etc/ssh/ssh_known_hosts%0AHostbasedAuthentication%20no%0A%23%20Change%20to%20yes%20if%20you%20don%27t%20trust%20~/.ssh/known_hosts%20for%0A%23%20HostbasedAuthentication%0AIgnoreUserKnownHosts%20yes%0A%23%20Don%27t%20read%20the%20user%27s%20~/.rhosts%20and%20~/.shosts%20files%0AIgnoreRhosts%20yes%0A%0A%23%20To%20disable%20tunneled%20clear%20text%20passwords%2C%20change%20to%20no%20here%21%0A%23PasswordAuthentication%20yes%0APermitEmptyPasswords%20no%0APasswordAuthentication%20no%0A%0A%23%20Change%20to%20no%20to%20disable%20s/key%20passwords%0A%23ChallengeResponseAuthentication%20yes%0AChallengeResponseAuthentication%20no%0A%0A%23%20Kerberos%20options%0AKerberosAuthentication%20no%0A%23KerberosOrLocalPasswd%20yes%0A%23KerberosTicketCleanup%20yes%0A%23KerberosGetAFSToken%20no%0A%23KerberosUseKuserok%20yes%0A%0A%23%20GSSAPI%20options%0AGSSAPIAuthentication%20no%0AGSSAPICleanupCredentials%20no%0A%23GSSAPIStrictAcceptorCheck%20yes%0A%23GSSAPIKeyExchange%20no%0A%23GSSAPIEnablek5users%20no%0A%0A%23%20Set%20this%20to%20%27yes%27%20to%20enable%20PAM%20authentication%2C%20account%20processing%2C%0A%23%20and%20session%20processing.%20If%20this%20is%20enabled%2C%20PAM%20authentication%20will%0A%23%20be%20allowed%20through%20the%20ChallengeResponseAuthentication%20and%0A%23%20PasswordAuthentication.%20%20Depending%20on%20your%20PAM%20configuration%2C%0A%23%20PAM%20authentication%20via%20ChallengeResponseAuthentication%20may%20bypass%0A%23%20the%20setting%20of%20%22PermitRootLogin%20without-password%22.%0A%23%20If%20you%20just%20want%20the%20PAM%20account%20and%20session%20checks%20to%20run%20without%0A%23%20PAM%20authentication%2C%20then%20enable%20this%20but%20set%20PasswordAuthentication%0A%23%20and%20ChallengeResponseAuthentication%20to%20%27no%27.%0A%23%20WARNING%3A%20%27UsePAM%20no%27%20is%20not%20supported%20in%20Fedora%20and%20may%20cause%20several%0A%23%20problems.%0AUsePAM%20yes%0A%0A%23AllowAgentForwarding%20yes%0A%23AllowTcpForwarding%20yes%0A%23GatewayPorts%20no%0AX11Forwarding%20yes%0A%23X11DisplayOffset%2010%0A%23X11UseLocalhost%20yes%0A%23PermitTTY%20yes%0A%0A%23%20It%20is%20recommended%20to%20use%20pam_motd%20in%20/etc/pam.d/sshd%20instead%20of%20PrintMotd%2C%0A%23%20as%20it%20is%20more%20configurable%20and%20versatile%20than%20the%20built-in%20version.%0APrintMotd%20no%0A%0APrintLastLog%20yes%0A%23TCPKeepAlive%20yes%0APermitUserEnvironment%20no%0ACompression%20%7B%7B.var_sshd_disable_compression%7D%7D%0AClientAliveInterval%20%7B%7B.sshd_idle_timeout_value%7D%7D%0AClientAliveCountMax%20%7B%7B.var_sshd_set_keepalive%7D%7D%0A%23UseDNS%20no%0A%23PidFile%20/var/run/sshd.pid%0A%23MaxStartups%2010%3A30%3A100%0A%23PermitTunnel%20no%0A%23ChrootDirectory%20none%0A%23VersionAddendum%20none%0A%0A%23%20no%20default%20banner%20path%0ABanner%20/etc/issue%0A%0A%23%20Accept%20locale-related%20environment%20variables%0AAcceptEnv%20LANG%20LC_CTYPE%20LC_NUMERIC%20LC_TIME%20LC_COLLATE%20LC_MONETARY%20LC_MESSAGES%0AAcceptEnv%20LC_PAPER%20LC_NAME%20LC_ADDRESS%20LC_TELEPHONE%20LC_MEASUREMENT%0AAcceptEnv%20LC_IDENTIFICATION%20LC_ALL%20LANGUAGE%0AAcceptEnv%20XMODIFIERS%0A%0A%23%20override%20default%20of%20no%20subsystems%0ASubsystem%09sftp%09/usr/libexec/openssh/sftp-server%0A%0A%23%20Example%20of%20overriding%20settings%20on%20a%20per-user%20basis%0A%23Match%20User%20anoncvs%0A%23%09X11Forwarding%20no%0A%23%09AllowTcpForwarding%20no%0A%23%09PermitTTY%20no%0A%23%09ForceCommand%20cvs%20server%0A%0AUsePrivilegeSeparation%20%7B%7B.var_sshd_priv_separation%7D%7D }}
-        mode: 0600
-        path: /etc/ssh/sshd_config
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-export export-name="oval:ssg-sshd_required:var:1" value-id="xccdf_org.ssgproject.content_value_sshd_required"/>
-                <xccdf-1.2:check-export export-name="oval:ssg-var_sshd_set_keepalive:var:1" value-id="xccdf_org.ssgproject.content_value_var_sshd_set_keepalive"/>
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sshd_set_keepalive:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sshd_set_keepalive_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout" severity="medium">
-              <xccdf-1.2:title>Set SSH Idle Timeout Interval</xccdf-1.2:title>
-              <xccdf-1.2:description>SSH allows administrators to set an idle timeout interval. After this interval
-has passed, the idle user will be automatically logged out.
-<html:br/><html:br/>
-To set an idle timeout interval, edit the following line in <html:code>/etc/ssh/sshd_config</html:code> as
-follows:
-<html:pre>ClientAliveInterval <html:b><xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_sshd_idle_timeout_value" use="legacy"/></html:b></html:pre>
-<html:br/><html:br/>
-The timeout <html:b>interval</html:b> is given in seconds. For example, have a timeout
-of 10 minutes, set <html:b>interval</html:b> to 600.
-<html:br/><html:br/>
-If a shorter timeout has already been set for the login shell, that value will
-preempt any SSH setting made in <html:code>/etc/ssh/sshd_config</html:code>. Keep in mind that
-some processes may stop SSH  from correctly detecting that the user is idle.</xccdf-1.2:description>
-              <xccdf-1.2:warning category="dependency">SSH disconnecting idle clients will not have desired effect without also
-configuring ClientAliveCountMax in the SSH service configuration.</xccdf-1.2:warning>
-              <xccdf-1.2:warning category="general">Following conditions may prevent the SSH session to time out:
-<html:ul><html:li>Remote processes on the remote machine generates output. As the output has to be transferred over the network to the client, the timeout is reset every time such transfer happens.</html:li><html:li>Any <html:code>scp</html:code> or <html:code>sftp</html:code> activity by the same user to the host resets the timeout.</html:li></html:ul></xccdf-1.2:warning>
-              <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R29)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000879</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001133</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002361</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.18.1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-2(5)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.CM-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf">Req-8.1.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000126-GPOS-00066</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000163-GPOS-00072</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000279-GPOS-00109</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000395-GPOS-00175</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000480-VMM-002000</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Terminating an idle ssh session within a short time period reduces the window of
-opportunity for unauthorized personnel to take control of a management session
-enabled on the console or console port that has been let unattended.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:requires idref="xccdf_org.ssgproject.content_rule_sshd_set_keepalive_0"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82549-7</xccdf-1.2:ident>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="sshd_set_idle_timeout" complexity="low" disruption="low" reboot="false" strategy="restrict">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ %0A%23%09%24OpenBSD%3A%20sshd_config%2Cv%201.103%202018/04/09%2020%3A41%3A22%20tj%20Exp%20%24%0A%0A%23%20This%20is%20the%20sshd%20server%20system-wide%20configuration%20file.%20%20See%0A%23%20sshd_config%285%29%20for%20more%20information.%0A%0A%23%20This%20sshd%20was%20compiled%20with%20PATH%3D/usr/local/bin%3A/usr/bin%3A/usr/local/sbin%3A/usr/sbin%0A%0A%23%20The%20strategy%20used%20for%20options%20in%20the%20default%20sshd_config%20shipped%20with%0A%23%20OpenSSH%20is%20to%20specify%20options%20with%20their%20default%20value%20where%0A%23%20possible%2C%20but%20leave%20them%20commented.%20%20Uncommented%20options%20override%20the%0A%23%20default%20value.%0A%0A%23%20If%20you%20want%20to%20change%20the%20port%20on%20a%20SELinux%20system%2C%20you%20have%20to%20tell%0A%23%20SELinux%20about%20this%20change.%0A%23%20semanage%20port%20-a%20-t%20ssh_port_t%20-p%20tcp%20%23PORTNUMBER%0A%23%0A%23Port%2022%0A%23AddressFamily%20any%0A%23ListenAddress%200.0.0.0%0A%23ListenAddress%20%3A%3A%0A%0AHostKey%20/etc/ssh/ssh_host_rsa_key%0AHostKey%20/etc/ssh/ssh_host_ecdsa_key%0AHostKey%20/etc/ssh/ssh_host_ed25519_key%0A%0A%23%20Ciphers%20and%20keying%0ARekeyLimit%20%7B%7B.var_rekey_limit_size%7D%7D%20%7B%7B.var_rekey_limit_time%7D%7D%0A%0A%23%20System-wide%20Crypto%20policy%3A%0A%23%20This%20system%20is%20following%20system-wide%20crypto%20policy.%20The%20changes%20to%0A%23%20Ciphers%2C%20MACs%2C%20KexAlgoritms%20and%20GSSAPIKexAlgorithsm%20will%20not%20have%20any%0A%23%20effect%20here.%20They%20will%20be%20overridden%20by%20command-line%20options%20passed%20on%0A%23%20the%20server%20start%20up.%0A%23%20To%20opt%20out%2C%20uncomment%20a%20line%20with%20redefinition%20of%20%20CRYPTO_POLICY%3D%0A%23%20variable%20in%20%20/etc/sysconfig/sshd%20%20to%20overwrite%20the%20policy.%0A%23%20For%20more%20information%2C%20see%20manual%20page%20for%20update-crypto-policies%288%29.%0A%0A%23%20Logging%0A%23SyslogFacility%20AUTH%0ASyslogFacility%20AUTHPRIV%0A%23LogLevel%20INFO%0A%0A%23%20Authentication%3A%0A%0A%23LoginGraceTime%20%7B%7B.var_sshd_set_login_grace_time%7D%7D%0APermitRootLogin%20no%0AStrictModes%20yes%0A%23MaxAuthTries%206%0A%23MaxSessions%2010%0A%0APubkeyAuthentication%20yes%0A%0A%23%20The%20default%20is%20to%20check%20both%20.ssh/authorized_keys%20and%20.ssh/authorized_keys2%0A%23%20but%20this%20is%20overridden%20so%20installations%20will%20only%20check%20.ssh/authorized_keys%0AAuthorizedKeysFile%09.ssh/authorized_keys%0A%0A%23AuthorizedPrincipalsFile%20none%0A%0A%23AuthorizedKeysCommand%20none%0A%23AuthorizedKeysCommandUser%20nobody%0A%0A%23%20For%20this%20to%20work%20you%20will%20also%20need%20host%20keys%20in%20/etc/ssh/ssh_known_hosts%0AHostbasedAuthentication%20no%0A%23%20Change%20to%20yes%20if%20you%20don%27t%20trust%20~/.ssh/known_hosts%20for%0A%23%20HostbasedAuthentication%0AIgnoreUserKnownHosts%20yes%0A%23%20Don%27t%20read%20the%20user%27s%20~/.rhosts%20and%20~/.shosts%20files%0AIgnoreRhosts%20yes%0A%0A%23%20To%20disable%20tunneled%20clear%20text%20passwords%2C%20change%20to%20no%20here%21%0A%23PasswordAuthentication%20yes%0APermitEmptyPasswords%20no%0APasswordAuthentication%20no%0A%0A%23%20Change%20to%20no%20to%20disable%20s/key%20passwords%0A%23ChallengeResponseAuthentication%20yes%0AChallengeResponseAuthentication%20no%0A%0A%23%20Kerberos%20options%0AKerberosAuthentication%20no%0A%23KerberosOrLocalPasswd%20yes%0A%23KerberosTicketCleanup%20yes%0A%23KerberosGetAFSToken%20no%0A%23KerberosUseKuserok%20yes%0A%0A%23%20GSSAPI%20options%0AGSSAPIAuthentication%20no%0AGSSAPICleanupCredentials%20no%0A%23GSSAPIStrictAcceptorCheck%20yes%0A%23GSSAPIKeyExchange%20no%0A%23GSSAPIEnablek5users%20no%0A%0A%23%20Set%20this%20to%20%27yes%27%20to%20enable%20PAM%20authentication%2C%20account%20processing%2C%0A%23%20and%20session%20processing.%20If%20this%20is%20enabled%2C%20PAM%20authentication%20will%0A%23%20be%20allowed%20through%20the%20ChallengeResponseAuthentication%20and%0A%23%20PasswordAuthentication.%20%20Depending%20on%20your%20PAM%20configuration%2C%0A%23%20PAM%20authentication%20via%20ChallengeResponseAuthentication%20may%20bypass%0A%23%20the%20setting%20of%20%22PermitRootLogin%20without-password%22.%0A%23%20If%20you%20just%20want%20the%20PAM%20account%20and%20session%20checks%20to%20run%20without%0A%23%20PAM%20authentication%2C%20then%20enable%20this%20but%20set%20PasswordAuthentication%0A%23%20and%20ChallengeResponseAuthentication%20to%20%27no%27.%0A%23%20WARNING%3A%20%27UsePAM%20no%27%20is%20not%20supported%20in%20Fedora%20and%20may%20cause%20several%0A%23%20problems.%0AUsePAM%20yes%0A%0A%23AllowAgentForwarding%20yes%0A%23AllowTcpForwarding%20yes%0A%23GatewayPorts%20no%0AX11Forwarding%20yes%0A%23X11DisplayOffset%2010%0A%23X11UseLocalhost%20yes%0A%23PermitTTY%20yes%0A%0A%23%20It%20is%20recommended%20to%20use%20pam_motd%20in%20/etc/pam.d/sshd%20instead%20of%20PrintMotd%2C%0A%23%20as%20it%20is%20more%20configurable%20and%20versatile%20than%20the%20built-in%20version.%0APrintMotd%20no%0A%0APrintLastLog%20yes%0A%23TCPKeepAlive%20yes%0APermitUserEnvironment%20no%0ACompression%20%7B%7B.var_sshd_disable_compression%7D%7D%0AClientAliveInterval%20%7B%7B.sshd_idle_timeout_value%7D%7D%0AClientAliveCountMax%20%7B%7B.var_sshd_set_keepalive%7D%7D%0A%23UseDNS%20no%0A%23PidFile%20/var/run/sshd.pid%0A%23MaxStartups%2010%3A30%3A100%0A%23PermitTunnel%20no%0A%23ChrootDirectory%20none%0A%23VersionAddendum%20none%0A%0A%23%20no%20default%20banner%20path%0ABanner%20/etc/issue%0A%0A%23%20Accept%20locale-related%20environment%20variables%0AAcceptEnv%20LANG%20LC_CTYPE%20LC_NUMERIC%20LC_TIME%20LC_COLLATE%20LC_MONETARY%20LC_MESSAGES%0AAcceptEnv%20LC_PAPER%20LC_NAME%20LC_ADDRESS%20LC_TELEPHONE%20LC_MEASUREMENT%0AAcceptEnv%20LC_IDENTIFICATION%20LC_ALL%20LANGUAGE%0AAcceptEnv%20XMODIFIERS%0A%0A%23%20override%20default%20of%20no%20subsystems%0ASubsystem%09sftp%09/usr/libexec/openssh/sftp-server%0A%0A%23%20Example%20of%20overriding%20settings%20on%20a%20per-user%20basis%0A%23Match%20User%20anoncvs%0A%23%09X11Forwarding%20no%0A%23%09AllowTcpForwarding%20no%0A%23%09PermitTTY%20no%0A%23%09ForceCommand%20cvs%20server%0A%0AUsePrivilegeSeparation%20%7B%7B.var_sshd_priv_separation%7D%7D }}
-        mode: 0600
-        path: /etc/ssh/sshd_config
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-export export-name="oval:ssg-sshd_required:var:1" value-id="xccdf_org.ssgproject.content_value_sshd_required"/>
-                <xccdf-1.2:check-export export-name="oval:ssg-sshd_idle_timeout_value:var:1" value-id="xccdf_org.ssgproject.content_value_sshd_idle_timeout_value"/>
-                <xccdf-1.2:check-export export-name="oval:ssg-var_sshd_set_keepalive:var:1" value-id="xccdf_org.ssgproject.content_value_var_sshd_set_keepalive"/>
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sshd_set_idle_timeout:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sshd_set_idle_timeout_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_disable_host_auth" severity="medium">
-              <xccdf-1.2:title>Disable Host-Based Authentication</xccdf-1.2:title>
-              <xccdf-1.2:description>SSH's cryptographic host-based authentication is
-more secure than <html:code>.rhosts</html:code> authentication. However, it is
-not recommended that hosts unilaterally trust one another, even
-within an organization.
-<html:br/>
-The default SSH configuration disables host-based authentication. The appropriate
-configuration is used if no value is set for <html:code>HostbasedAuthentication</html:code>.
-<html:br/>
-To explicitly disable host-based authentication, add or correct the
-following line in
-
-
-<html:code>/etc/ssh/sshd_config</html:code>:
-
-<html:pre>HostbasedAuthentication no</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">0421</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">0422</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">0431</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">0974</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">1173</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">1401</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">1504</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">1505</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">1546</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">1557</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">1558</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">1559</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">1560</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">1561</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_UAU.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00229</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000480-VMM-002000</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>SSH trust relationships mean a compromise on one host
-can allow an attacker to move trivially to other hosts.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="disable_host_auth">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,%23%09%24OpenBSD%3A%20sshd_config%2Cv%201.103%202018%2F04%2F09%2020%3A41%3A22%20tj%20Exp%20%24%0A%0A%23%20This%20is%20the%20sshd%20server%20system-wide%20configuration%20file.%20%20See%0A%23%20sshd_config%285%29%20for%20more%20information.%0A%0A%23%20This%20sshd%20was%20compiled%20with%20PATH%3D%2Fusr%2Flocal%2Fbin%3A%2Fusr%2Fbin%3A%2Fusr%2Flocal%2Fsbin%3A%2Fusr%2Fsbin%0A%0A%23%20The%20strategy%20used%20for%20options%20in%20the%20default%20sshd_config%20shipped%20with%0A%23%20OpenSSH%20is%20to%20specify%20options%20with%20their%20default%20value%20where%0A%23%20possible%2C%20but%20leave%20them%20commented.%20%20Uncommented%20options%20override%20the%0A%23%20default%20value.%0A%0A%23%20If%20you%20want%20to%20change%20the%20port%20on%20a%20SELinux%20system%2C%20you%20have%20to%20tell%0A%23%20SELinux%20about%20this%20change.%0A%23%20semanage%20port%20-a%20-t%20ssh_port_t%20-p%20tcp%20%23PORTNUMBER%0A%23%0A%23Port%2022%0A%23AddressFamily%20any%0A%23ListenAddress%200.0.0.0%0A%23ListenAddress%20%3A%3A%0A%0AHostKey%20%2Fetc%2Fssh%2Fssh_host_rsa_key%0AHostKey%20%2Fetc%2Fssh%2Fssh_host_ecdsa_key%0AHostKey%20%2Fetc%2Fssh%2Fssh_host_ed25519_key%0A%0A%23%20Ciphers%20and%20keying%0ARekeyLimit%20512M%201h%0A%0A%23%20System-wide%20Crypto%20policy%3A%0A%23%20This%20system%20is%20following%20system-wide%20crypto%20policy.%20The%20changes%20to%0A%23%20Ciphers%2C%20MACs%2C%20KexAlgoritms%20and%20GSSAPIKexAlgorithsm%20will%20not%20have%20any%0A%23%20effect%20here.%20They%20will%20be%20overridden%20by%20command-line%20options%20passed%20on%0A%23%20the%20server%20start%20up.%0A%23%20To%20opt%20out%2C%20uncomment%20a%20line%20with%20redefinition%20of%20%20CRYPTO_POLICY%3D%0A%23%20variable%20in%20%20%2Fetc%2Fsysconfig%2Fsshd%20%20to%20overwrite%20the%20policy.%0A%23%20For%20more%20information%2C%20see%20manual%20page%20for%20update-crypto-policies%288%29.%0A%0A%23%20Logging%0A%23SyslogFacility%20AUTH%0ASyslogFacility%20AUTHPRIV%0A%23LogLevel%20INFO%0A%0A%23%20Authentication%3A%0A%0A%23LoginGraceTime%202m%0APermitRootLogin%20no%0AStrictModes%20yes%0A%23MaxAuthTries%206%0A%23MaxSessions%2010%0A%0APubkeyAuthentication%20yes%0A%0A%23%20The%20default%20is%20to%20check%20both%20.ssh%2Fauthorized_keys%20and%20.ssh%2Fauthorized_keys2%0A%23%20but%20this%20is%20overridden%20so%20installations%20will%20only%20check%20.ssh%2Fauthorized_keys%0AAuthorizedKeysFile%09.ssh%2Fauthorized_keys%0A%0A%23AuthorizedPrincipalsFile%20none%0A%0A%23AuthorizedKeysCommand%20none%0A%23AuthorizedKeysCommandUser%20nobody%0A%0A%23%20For%20this%20to%20work%20you%20will%20also%20need%20host%20keys%20in%20%2Fetc%2Fssh%2Fssh_known_hosts%0AHostbasedAuthentication%20no%0A%23%20Change%20to%20yes%20if%20you%20don%27t%20trust%20~%2F.ssh%2Fknown_hosts%20for%0A%23%20HostbasedAuthentication%0AIgnoreUserKnownHosts%20yes%0A%23%20Don%27t%20read%20the%20user%27s%20~%2F.rhosts%20and%20~%2F.shosts%20files%0AIgnoreRhosts%20yes%0A%0A%23%20To%20disable%20tunneled%20clear%20text%20passwords%2C%20change%20to%20no%20here%21%0A%23PasswordAuthentication%20yes%0APermitEmptyPasswords%20no%0APasswordAuthentication%20no%0A%0A%23%20Change%20to%20no%20to%20disable%20s%2Fkey%20passwords%0A%23ChallengeResponseAuthentication%20yes%0AChallengeResponseAuthentication%20no%0A%0A%23%20Kerberos%20options%0AKerberosAuthentication%20no%0A%23KerberosOrLocalPasswd%20yes%0A%23KerberosTicketCleanup%20yes%0A%23KerberosGetAFSToken%20no%0A%23KerberosUseKuserok%20yes%0A%0A%23%20GSSAPI%20options%0AGSSAPIAuthentication%20no%0AGSSAPICleanupCredentials%20no%0A%23GSSAPIStrictAcceptorCheck%20yes%0A%23GSSAPIKeyExchange%20no%0A%23GSSAPIEnablek5users%20no%0A%0A%23%20Set%20this%20to%20%27yes%27%20to%20enable%20PAM%20authentication%2C%20account%20processing%2C%0A%23%20and%20session%20processing.%20If%20this%20is%20enabled%2C%20PAM%20authentication%20will%0A%23%20be%20allowed%20through%20the%20ChallengeResponseAuthentication%20and%0A%23%20PasswordAuthentication.%20%20Depending%20on%20your%20PAM%20configuration%2C%0A%23%20PAM%20authentication%20via%20ChallengeResponseAuthentication%20may%20bypass%0A%23%20the%20setting%20of%20%22PermitRootLogin%20without-password%22.%0A%23%20If%20you%20just%20want%20the%20PAM%20account%20and%20session%20checks%20to%20run%20without%0A%23%20PAM%20authentication%2C%20then%20enable%20this%20but%20set%20PasswordAuthentication%0A%23%20and%20ChallengeResponseAuthentication%20to%20%27no%27.%0A%23%20WARNING%3A%20%27UsePAM%20no%27%20is%20not%20supported%20in%20Fedora%20and%20may%20cause%20several%0A%23%20problems.%0AUsePAM%20yes%0A%0A%23AllowAgentForwarding%20yes%0A%23AllowTcpForwarding%20yes%0A%23GatewayPorts%20no%0AX11Forwarding%20yes%0A%23X11DisplayOffset%2010%0A%23X11UseLocalhost%20yes%0A%23PermitTTY%20yes%0A%0A%23%20It%20is%20recommended%20to%20use%20pam_motd%20in%20%2Fetc%2Fpam.d%2Fsshd%20instead%20of%20PrintMotd%2C%0A%23%20as%20it%20is%20more%20configurable%20and%20versatile%20than%20the%20built-in%20version.%0APrintMotd%20no%0A%0APrintLastLog%20yes%0A%23TCPKeepAlive%20yes%0APermitUserEnvironment%20no%0ACompression%20no%0AClientAliveInterval%20600%0AClientAliveCountMax%200%0A%23UseDNS%20no%0A%23PidFile%20%2Fvar%2Frun%2Fsshd.pid%0A%23MaxStartups%2010%3A30%3A100%0A%23PermitTunnel%20no%0A%23ChrootDirectory%20none%0A%23VersionAddendum%20none%0A%0A%23%20no%20default%20banner%20path%0ABanner%20%2Fetc%2Fissue%0A%0A%23%20Accept%20locale-related%20environment%20variables%0AAcceptEnv%20LANG%20LC_CTYPE%20LC_NUMERIC%20LC_TIME%20LC_COLLATE%20LC_MONETARY%20LC_MESSAGES%0AAcceptEnv%20LC_PAPER%20LC_NAME%20LC_ADDRESS%20LC_TELEPHONE%20LC_MEASUREMENT%0AAcceptEnv%20LC_IDENTIFICATION%20LC_ALL%20LANGUAGE%0AAcceptEnv%20XMODIFIERS%0A%0A%23%20override%20default%20of%20no%20subsystems%0ASubsystem%09sftp%09%2Fusr%2Flibexec%2Fopenssh%2Fsftp-server%0A%0A%23%20Example%20of%20overriding%20settings%20on%20a%20per-user%20basis%0A%23Match%20User%20anoncvs%0A%23%09X11Forwarding%20no%0A%23%09AllowTcpForwarding%20no%0A%23%09PermitTTY%20no%0A%23%09ForceCommand%20cvs%20server%0A%0AUsePrivilegeSeparation%20sandbox
-        mode: 0600
-        path: /etc/ssh/sshd_config
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-export export-name="oval:ssg-sshd_required:var:1" value-id="xccdf_org.ssgproject.content_value_sshd_required"/>
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-disable_host_auth:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-disable_host_auth_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2" severity="high">
-              <xccdf-1.2:title>Allow Only SSH Protocol 2</xccdf-1.2:title>
-              <xccdf-1.2:description>Only SSH protocol version 2 connections should be
-permitted. The default setting in
-<html:code>/etc/ssh/sshd_config</html:code> is correct, and can be
-verified by ensuring that the following
-line appears:
-<html:pre>Protocol 2</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:warning category="general">As of <html:code>openssh-server</html:code> version <html:code>7.4</html:code> and above, the only protocol
-supported is version 2, and line <html:pre>Protocol 2</html:pre> in
-<html:code>/etc/ssh/sshd_config</html:code> is not necessary.</xccdf-1.2:warning>
-              <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO13.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS01.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.5.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000197</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 3.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">0487</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">1449</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">1506</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.18.1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R4.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(2)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(1)(c)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">SC-13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">MA-4(6)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000074-GPOS-00042</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000033-VMM-000140</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>SSH protocol version 1 is an insecure implementation of the SSH protocol and
-has many well-known vulnerability exploits. Exploits of the SSH daemon could provide
-immediate root access to the system.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-export export-name="oval:ssg-sshd_required:var:1" value-id="xccdf_org.ssgproject.content_value_sshd_required"/>
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sshd_allow_only_protocol2:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sshd_allow_only_protocol2_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sshd_disable_compression" severity="medium">
-              <xccdf-1.2:title>Disable Compression Or Set Compression to delayed</xccdf-1.2:title>
-              <xccdf-1.2:description>Compression is useful for slow network connections over long
-distances but can cause performance issues on local LANs. If use of compression
-is required, it should be enabled only after a user has authenticated; otherwise,
-it should be disabled. To disable compression or delay compression until after
-a user has successfully authenticated, add or correct the following line in the
-<html:code>/etc/ssh/sshd_config</html:code> file:
-<html:pre>Compression <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_sshd_disable_compression" use="legacy"/></html:pre></xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000480-VMM-002000</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>If compression is allowed in an SSH connection prior to authentication,
-vulnerabilities in the compression software could result in compromise of the
-system from an unauthenticated connection, potentially with root privileges.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="sshd_disable_compression" complexity="low" disruption="low" reboot="false" strategy="restrict">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ %0A%23%09%24OpenBSD%3A%20sshd_config%2Cv%201.103%202018/04/09%2020%3A41%3A22%20tj%20Exp%20%24%0A%0A%23%20This%20is%20the%20sshd%20server%20system-wide%20configuration%20file.%20%20See%0A%23%20sshd_config%285%29%20for%20more%20information.%0A%0A%23%20This%20sshd%20was%20compiled%20with%20PATH%3D/usr/local/bin%3A/usr/bin%3A/usr/local/sbin%3A/usr/sbin%0A%0A%23%20The%20strategy%20used%20for%20options%20in%20the%20default%20sshd_config%20shipped%20with%0A%23%20OpenSSH%20is%20to%20specify%20options%20with%20their%20default%20value%20where%0A%23%20possible%2C%20but%20leave%20them%20commented.%20%20Uncommented%20options%20override%20the%0A%23%20default%20value.%0A%0A%23%20If%20you%20want%20to%20change%20the%20port%20on%20a%20SELinux%20system%2C%20you%20have%20to%20tell%0A%23%20SELinux%20about%20this%20change.%0A%23%20semanage%20port%20-a%20-t%20ssh_port_t%20-p%20tcp%20%23PORTNUMBER%0A%23%0A%23Port%2022%0A%23AddressFamily%20any%0A%23ListenAddress%200.0.0.0%0A%23ListenAddress%20%3A%3A%0A%0AHostKey%20/etc/ssh/ssh_host_rsa_key%0AHostKey%20/etc/ssh/ssh_host_ecdsa_key%0AHostKey%20/etc/ssh/ssh_host_ed25519_key%0A%0A%23%20Ciphers%20and%20keying%0ARekeyLimit%20%7B%7B.var_rekey_limit_size%7D%7D%20%7B%7B.var_rekey_limit_time%7D%7D%0A%0A%23%20System-wide%20Crypto%20policy%3A%0A%23%20This%20system%20is%20following%20system-wide%20crypto%20policy.%20The%20changes%20to%0A%23%20Ciphers%2C%20MACs%2C%20KexAlgoritms%20and%20GSSAPIKexAlgorithsm%20will%20not%20have%20any%0A%23%20effect%20here.%20They%20will%20be%20overridden%20by%20command-line%20options%20passed%20on%0A%23%20the%20server%20start%20up.%0A%23%20To%20opt%20out%2C%20uncomment%20a%20line%20with%20redefinition%20of%20%20CRYPTO_POLICY%3D%0A%23%20variable%20in%20%20/etc/sysconfig/sshd%20%20to%20overwrite%20the%20policy.%0A%23%20For%20more%20information%2C%20see%20manual%20page%20for%20update-crypto-policies%288%29.%0A%0A%23%20Logging%0A%23SyslogFacility%20AUTH%0ASyslogFacility%20AUTHPRIV%0A%23LogLevel%20INFO%0A%0A%23%20Authentication%3A%0A%0A%23LoginGraceTime%20%7B%7B.var_sshd_set_login_grace_time%7D%7D%0APermitRootLogin%20no%0AStrictModes%20yes%0A%23MaxAuthTries%206%0A%23MaxSessions%2010%0A%0APubkeyAuthentication%20yes%0A%0A%23%20The%20default%20is%20to%20check%20both%20.ssh/authorized_keys%20and%20.ssh/authorized_keys2%0A%23%20but%20this%20is%20overridden%20so%20installations%20will%20only%20check%20.ssh/authorized_keys%0AAuthorizedKeysFile%09.ssh/authorized_keys%0A%0A%23AuthorizedPrincipalsFile%20none%0A%0A%23AuthorizedKeysCommand%20none%0A%23AuthorizedKeysCommandUser%20nobody%0A%0A%23%20For%20this%20to%20work%20you%20will%20also%20need%20host%20keys%20in%20/etc/ssh/ssh_known_hosts%0AHostbasedAuthentication%20no%0A%23%20Change%20to%20yes%20if%20you%20don%27t%20trust%20~/.ssh/known_hosts%20for%0A%23%20HostbasedAuthentication%0AIgnoreUserKnownHosts%20yes%0A%23%20Don%27t%20read%20the%20user%27s%20~/.rhosts%20and%20~/.shosts%20files%0AIgnoreRhosts%20yes%0A%0A%23%20To%20disable%20tunneled%20clear%20text%20passwords%2C%20change%20to%20no%20here%21%0A%23PasswordAuthentication%20yes%0APermitEmptyPasswords%20no%0APasswordAuthentication%20no%0A%0A%23%20Change%20to%20no%20to%20disable%20s/key%20passwords%0A%23ChallengeResponseAuthentication%20yes%0AChallengeResponseAuthentication%20no%0A%0A%23%20Kerberos%20options%0AKerberosAuthentication%20no%0A%23KerberosOrLocalPasswd%20yes%0A%23KerberosTicketCleanup%20yes%0A%23KerberosGetAFSToken%20no%0A%23KerberosUseKuserok%20yes%0A%0A%23%20GSSAPI%20options%0AGSSAPIAuthentication%20no%0AGSSAPICleanupCredentials%20no%0A%23GSSAPIStrictAcceptorCheck%20yes%0A%23GSSAPIKeyExchange%20no%0A%23GSSAPIEnablek5users%20no%0A%0A%23%20Set%20this%20to%20%27yes%27%20to%20enable%20PAM%20authentication%2C%20account%20processing%2C%0A%23%20and%20session%20processing.%20If%20this%20is%20enabled%2C%20PAM%20authentication%20will%0A%23%20be%20allowed%20through%20the%20ChallengeResponseAuthentication%20and%0A%23%20PasswordAuthentication.%20%20Depending%20on%20your%20PAM%20configuration%2C%0A%23%20PAM%20authentication%20via%20ChallengeResponseAuthentication%20may%20bypass%0A%23%20the%20setting%20of%20%22PermitRootLogin%20without-password%22.%0A%23%20If%20you%20just%20want%20the%20PAM%20account%20and%20session%20checks%20to%20run%20without%0A%23%20PAM%20authentication%2C%20then%20enable%20this%20but%20set%20PasswordAuthentication%0A%23%20and%20ChallengeResponseAuthentication%20to%20%27no%27.%0A%23%20WARNING%3A%20%27UsePAM%20no%27%20is%20not%20supported%20in%20Fedora%20and%20may%20cause%20several%0A%23%20problems.%0AUsePAM%20yes%0A%0A%23AllowAgentForwarding%20yes%0A%23AllowTcpForwarding%20yes%0A%23GatewayPorts%20no%0AX11Forwarding%20yes%0A%23X11DisplayOffset%2010%0A%23X11UseLocalhost%20yes%0A%23PermitTTY%20yes%0A%0A%23%20It%20is%20recommended%20to%20use%20pam_motd%20in%20/etc/pam.d/sshd%20instead%20of%20PrintMotd%2C%0A%23%20as%20it%20is%20more%20configurable%20and%20versatile%20than%20the%20built-in%20version.%0APrintMotd%20no%0A%0APrintLastLog%20yes%0A%23TCPKeepAlive%20yes%0APermitUserEnvironment%20no%0ACompression%20%7B%7B.var_sshd_disable_compression%7D%7D%0AClientAliveInterval%20%7B%7B.sshd_idle_timeout_value%7D%7D%0AClientAliveCountMax%20%7B%7B.var_sshd_set_keepalive%7D%7D%0A%23UseDNS%20no%0A%23PidFile%20/var/run/sshd.pid%0A%23MaxStartups%2010%3A30%3A100%0A%23PermitTunnel%20no%0A%23ChrootDirectory%20none%0A%23VersionAddendum%20none%0A%0A%23%20no%20default%20banner%20path%0ABanner%20/etc/issue%0A%0A%23%20Accept%20locale-related%20environment%20variables%0AAcceptEnv%20LANG%20LC_CTYPE%20LC_NUMERIC%20LC_TIME%20LC_COLLATE%20LC_MONETARY%20LC_MESSAGES%0AAcceptEnv%20LC_PAPER%20LC_NAME%20LC_ADDRESS%20LC_TELEPHONE%20LC_MEASUREMENT%0AAcceptEnv%20LC_IDENTIFICATION%20LC_ALL%20LANGUAGE%0AAcceptEnv%20XMODIFIERS%0A%0A%23%20override%20default%20of%20no%20subsystems%0ASubsystem%09sftp%09/usr/libexec/openssh/sftp-server%0A%0A%23%20Example%20of%20overriding%20settings%20on%20a%20per-user%20basis%0A%23Match%20User%20anoncvs%0A%23%09X11Forwarding%20no%0A%23%09AllowTcpForwarding%20no%0A%23%09PermitTTY%20no%0A%23%09ForceCommand%20cvs%20server%0A%0AUsePrivilegeSeparation%20%7B%7B.var_sshd_priv_separation%7D%7D }}
-        mode: 0600
-        path: /etc/ssh/sshd_config
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-export export-name="oval:ssg-sshd_required:var:1" value-id="xccdf_org.ssgproject.content_value_sshd_required"/>
-                <xccdf-1.2:check-export export-name="oval:ssg-var_sshd_disable_compression:var:1" value-id="xccdf_org.ssgproject.content_value_var_sshd_disable_compression"/>
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sshd_disable_compression:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sshd_disable_compression_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords" severity="high">
-              <xccdf-1.2:title>Disable SSH Access via Empty Passwords</xccdf-1.2:title>
-              <xccdf-1.2:description>Disallow SSH login with empty passwords.
-The default SSH configuration disables logins with empty passwords. The appropriate
-configuration is used if no value is set for <html:code>PermitEmptyPasswords</html:code>.
-<html:br/>
-To explicitly disallow SSH login from accounts with empty passwords,
-add or correct the following line in
-
-
-<html:code>/etc/ssh/sshd_config</html:code>:
-
-<html:br/>
-<html:pre>PermitEmptyPasswords no</html:pre>
-Any accounts with empty passwords should be disabled immediately, and PAM configuration
-should prevent users from being able to assign themselves empty passwords.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R17)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000766</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_UAU.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000106-GPOS-00053</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00229</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000480-VMM-002000</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Configuring this setting for the SSH daemon provides additional assurance
-that remote login via SSH will require a password, even in the event of
-misconfiguration elsewhere.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="sshd_disable_empty_passwords" complexity="low" disruption="low" reboot="false" strategy="restrict">apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ %0A%23%09%24OpenBSD%3A%20sshd_config%2Cv%201.103%202018/04/09%2020%3A41%3A22%20tj%20Exp%20%24%0A%0A%23%20This%20is%20the%20sshd%20server%20system-wide%20configuration%20file.%20%20See%0A%23%20sshd_config%285%29%20for%20more%20information.%0A%0A%23%20This%20sshd%20was%20compiled%20with%20PATH%3D/usr/local/bin%3A/usr/bin%3A/usr/local/sbin%3A/usr/sbin%0A%0A%23%20The%20strategy%20used%20for%20options%20in%20the%20default%20sshd_config%20shipped%20with%0A%23%20OpenSSH%20is%20to%20specify%20options%20with%20their%20default%20value%20where%0A%23%20possible%2C%20but%20leave%20them%20commented.%20%20Uncommented%20options%20override%20the%0A%23%20default%20value.%0A%0A%23%20If%20you%20want%20to%20change%20the%20port%20on%20a%20SELinux%20system%2C%20you%20have%20to%20tell%0A%23%20SELinux%20about%20this%20change.%0A%23%20semanage%20port%20-a%20-t%20ssh_port_t%20-p%20tcp%20%23PORTNUMBER%0A%23%0A%23Port%2022%0A%23AddressFamily%20any%0A%23ListenAddress%200.0.0.0%0A%23ListenAddress%20%3A%3A%0A%0AHostKey%20/etc/ssh/ssh_host_rsa_key%0AHostKey%20/etc/ssh/ssh_host_ecdsa_key%0AHostKey%20/etc/ssh/ssh_host_ed25519_key%0A%0A%23%20Ciphers%20and%20keying%0ARekeyLimit%20%7B%7B.var_rekey_limit_size%7D%7D%20%7B%7B.var_rekey_limit_time%7D%7D%0A%0A%23%20System-wide%20Crypto%20policy%3A%0A%23%20This%20system%20is%20following%20system-wide%20crypto%20policy.%20The%20changes%20to%0A%23%20Ciphers%2C%20MACs%2C%20KexAlgoritms%20and%20GSSAPIKexAlgorithsm%20will%20not%20have%20any%0A%23%20effect%20here.%20They%20will%20be%20overridden%20by%20command-line%20options%20passed%20on%0A%23%20the%20server%20start%20up.%0A%23%20To%20opt%20out%2C%20uncomment%20a%20line%20with%20redefinition%20of%20%20CRYPTO_POLICY%3D%0A%23%20variable%20in%20%20/etc/sysconfig/sshd%20%20to%20overwrite%20the%20policy.%0A%23%20For%20more%20information%2C%20see%20manual%20page%20for%20update-crypto-policies%288%29.%0A%0A%23%20Logging%0A%23SyslogFacility%20AUTH%0ASyslogFacility%20AUTHPRIV%0A%23LogLevel%20INFO%0A%0A%23%20Authentication%3A%0A%0A%23LoginGraceTime%20%7B%7B.var_sshd_set_login_grace_time%7D%7D%0APermitRootLogin%20no%0AStrictModes%20yes%0A%23MaxAuthTries%206%0A%23MaxSessions%2010%0A%0APubkeyAuthentication%20yes%0A%0A%23%20The%20default%20is%20to%20check%20both%20.ssh/authorized_keys%20and%20.ssh/authorized_keys2%0A%23%20but%20this%20is%20overridden%20so%20installations%20will%20only%20check%20.ssh/authorized_keys%0AAuthorizedKeysFile%09.ssh/authorized_keys%0A%0A%23AuthorizedPrincipalsFile%20none%0A%0A%23AuthorizedKeysCommand%20none%0A%23AuthorizedKeysCommandUser%20nobody%0A%0A%23%20For%20this%20to%20work%20you%20will%20also%20need%20host%20keys%20in%20/etc/ssh/ssh_known_hosts%0AHostbasedAuthentication%20no%0A%23%20Change%20to%20yes%20if%20you%20don%27t%20trust%20~/.ssh/known_hosts%20for%0A%23%20HostbasedAuthentication%0AIgnoreUserKnownHosts%20yes%0A%23%20Don%27t%20read%20the%20user%27s%20~/.rhosts%20and%20~/.shosts%20files%0AIgnoreRhosts%20yes%0A%0A%23%20To%20disable%20tunneled%20clear%20text%20passwords%2C%20change%20to%20no%20here%21%0A%23PasswordAuthentication%20yes%0APermitEmptyPasswords%20no%0APasswordAuthentication%20no%0A%0A%23%20Change%20to%20no%20to%20disable%20s/key%20passwords%0A%23ChallengeResponseAuthentication%20yes%0AChallengeResponseAuthentication%20no%0A%0A%23%20Kerberos%20options%0AKerberosAuthentication%20no%0A%23KerberosOrLocalPasswd%20yes%0A%23KerberosTicketCleanup%20yes%0A%23KerberosGetAFSToken%20no%0A%23KerberosUseKuserok%20yes%0A%0A%23%20GSSAPI%20options%0AGSSAPIAuthentication%20no%0AGSSAPICleanupCredentials%20no%0A%23GSSAPIStrictAcceptorCheck%20yes%0A%23GSSAPIKeyExchange%20no%0A%23GSSAPIEnablek5users%20no%0A%0A%23%20Set%20this%20to%20%27yes%27%20to%20enable%20PAM%20authentication%2C%20account%20processing%2C%0A%23%20and%20session%20processing.%20If%20this%20is%20enabled%2C%20PAM%20authentication%20will%0A%23%20be%20allowed%20through%20the%20ChallengeResponseAuthentication%20and%0A%23%20PasswordAuthentication.%20%20Depending%20on%20your%20PAM%20configuration%2C%0A%23%20PAM%20authentication%20via%20ChallengeResponseAuthentication%20may%20bypass%0A%23%20the%20setting%20of%20%22PermitRootLogin%20without-password%22.%0A%23%20If%20you%20just%20want%20the%20PAM%20account%20and%20session%20checks%20to%20run%20without%0A%23%20PAM%20authentication%2C%20then%20enable%20this%20but%20set%20PasswordAuthentication%0A%23%20and%20ChallengeResponseAuthentication%20to%20%27no%27.%0A%23%20WARNING%3A%20%27UsePAM%20no%27%20is%20not%20supported%20in%20Fedora%20and%20may%20cause%20several%0A%23%20problems.%0AUsePAM%20yes%0A%0A%23AllowAgentForwarding%20yes%0A%23AllowTcpForwarding%20yes%0A%23GatewayPorts%20no%0AX11Forwarding%20yes%0A%23X11DisplayOffset%2010%0A%23X11UseLocalhost%20yes%0A%23PermitTTY%20yes%0A%0A%23%20It%20is%20recommended%20to%20use%20pam_motd%20in%20/etc/pam.d/sshd%20instead%20of%20PrintMotd%2C%0A%23%20as%20it%20is%20more%20configurable%20and%20versatile%20than%20the%20built-in%20version.%0APrintMotd%20no%0A%0APrintLastLog%20yes%0A%23TCPKeepAlive%20yes%0APermitUserEnvironment%20no%0ACompression%20%7B%7B.var_sshd_disable_compression%7D%7D%0AClientAliveInterval%20%7B%7B.sshd_idle_timeout_value%7D%7D%0AClientAliveCountMax%20%7B%7B.var_sshd_set_keepalive%7D%7D%0A%23UseDNS%20no%0A%23PidFile%20/var/run/sshd.pid%0A%23MaxStartups%2010%3A30%3A100%0A%23PermitTunnel%20no%0A%23ChrootDirectory%20none%0A%23VersionAddendum%20none%0A%0A%23%20no%20default%20banner%20path%0ABanner%20/etc/issue%0A%0A%23%20Accept%20locale-related%20environment%20variables%0AAcceptEnv%20LANG%20LC_CTYPE%20LC_NUMERIC%20LC_TIME%20LC_COLLATE%20LC_MONETARY%20LC_MESSAGES%0AAcceptEnv%20LC_PAPER%20LC_NAME%20LC_ADDRESS%20LC_TELEPHONE%20LC_MEASUREMENT%0AAcceptEnv%20LC_IDENTIFICATION%20LC_ALL%20LANGUAGE%0AAcceptEnv%20XMODIFIERS%0A%0A%23%20override%20default%20of%20no%20subsystems%0ASubsystem%09sftp%09/usr/libexec/openssh/sftp-server%0A%0A%23%20Example%20of%20overriding%20settings%20on%20a%20per-user%20basis%0A%23Match%20User%20anoncvs%0A%23%09X11Forwarding%20no%0A%23%09AllowTcpForwarding%20no%0A%23%09PermitTTY%20no%0A%23%09ForceCommand%20cvs%20server%0A%0AUsePrivilegeSeparation%20%7B%7B.var_sshd_priv_separation%7D%7D }}
-        mode: 0600
-        path: /etc/ssh/sshd_config
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-export export-name="oval:ssg-sshd_required:var:1" value-id="xccdf_org.ssgproject.content_value_sshd_required"/>
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sshd_disable_empty_passwords:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sshd_disable_empty_passwords_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth" severity="medium">
-              <xccdf-1.2:title>Disable GSSAPI Authentication</xccdf-1.2:title>
-              <xccdf-1.2:description>Unless needed, SSH should not permit extraneous or unnecessary
-authentication mechanisms like GSSAPI.
-<html:br/>
-The default SSH configuration disallows authentications based on GSSAPI. The appropriate
-configuration is used if no value is set for <html:code>GSSAPIAuthentication</html:code>.
-<html:br/>
-To explicitly disable GSSAPI authentication, add or correct the following line in
-
-
-<html:code>/etc/ssh/sshd_config</html:code>:
-
-<html:pre>GSSAPIAuthentication no</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000318</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000368</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001812</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001813</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001814</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">0418</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">1055</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">1402</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FTP_ITC_EXT.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_SSH_EXT.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000364-GPOS-00151</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000480-VMM-002000</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>GSSAPI authentication is used to provide additional authentication mechanisms to
-applications. Allowing GSSAPI authentication through SSH exposes the system's
-GSSAPI to remote hosts, increasing the attack surface of the system.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="sshd_disable_gssapi_auth" complexity="low" disruption="low" reboot="false" strategy="restrict">apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ %0A%23%09%24OpenBSD%3A%20sshd_config%2Cv%201.103%202018/04/09%2020%3A41%3A22%20tj%20Exp%20%24%0A%0A%23%20This%20is%20the%20sshd%20server%20system-wide%20configuration%20file.%20%20See%0A%23%20sshd_config%285%29%20for%20more%20information.%0A%0A%23%20This%20sshd%20was%20compiled%20with%20PATH%3D/usr/local/bin%3A/usr/bin%3A/usr/local/sbin%3A/usr/sbin%0A%0A%23%20The%20strategy%20used%20for%20options%20in%20the%20default%20sshd_config%20shipped%20with%0A%23%20OpenSSH%20is%20to%20specify%20options%20with%20their%20default%20value%20where%0A%23%20possible%2C%20but%20leave%20them%20commented.%20%20Uncommented%20options%20override%20the%0A%23%20default%20value.%0A%0A%23%20If%20you%20want%20to%20change%20the%20port%20on%20a%20SELinux%20system%2C%20you%20have%20to%20tell%0A%23%20SELinux%20about%20this%20change.%0A%23%20semanage%20port%20-a%20-t%20ssh_port_t%20-p%20tcp%20%23PORTNUMBER%0A%23%0A%23Port%2022%0A%23AddressFamily%20any%0A%23ListenAddress%200.0.0.0%0A%23ListenAddress%20%3A%3A%0A%0AHostKey%20/etc/ssh/ssh_host_rsa_key%0AHostKey%20/etc/ssh/ssh_host_ecdsa_key%0AHostKey%20/etc/ssh/ssh_host_ed25519_key%0A%0A%23%20Ciphers%20and%20keying%0ARekeyLimit%20%7B%7B.var_rekey_limit_size%7D%7D%20%7B%7B.var_rekey_limit_time%7D%7D%0A%0A%23%20System-wide%20Crypto%20policy%3A%0A%23%20This%20system%20is%20following%20system-wide%20crypto%20policy.%20The%20changes%20to%0A%23%20Ciphers%2C%20MACs%2C%20KexAlgoritms%20and%20GSSAPIKexAlgorithsm%20will%20not%20have%20any%0A%23%20effect%20here.%20They%20will%20be%20overridden%20by%20command-line%20options%20passed%20on%0A%23%20the%20server%20start%20up.%0A%23%20To%20opt%20out%2C%20uncomment%20a%20line%20with%20redefinition%20of%20%20CRYPTO_POLICY%3D%0A%23%20variable%20in%20%20/etc/sysconfig/sshd%20%20to%20overwrite%20the%20policy.%0A%23%20For%20more%20information%2C%20see%20manual%20page%20for%20update-crypto-policies%288%29.%0A%0A%23%20Logging%0A%23SyslogFacility%20AUTH%0ASyslogFacility%20AUTHPRIV%0A%23LogLevel%20INFO%0A%0A%23%20Authentication%3A%0A%0A%23LoginGraceTime%20%7B%7B.var_sshd_set_login_grace_time%7D%7D%0APermitRootLogin%20no%0AStrictModes%20yes%0A%23MaxAuthTries%206%0A%23MaxSessions%2010%0A%0APubkeyAuthentication%20yes%0A%0A%23%20The%20default%20is%20to%20check%20both%20.ssh/authorized_keys%20and%20.ssh/authorized_keys2%0A%23%20but%20this%20is%20overridden%20so%20installations%20will%20only%20check%20.ssh/authorized_keys%0AAuthorizedKeysFile%09.ssh/authorized_keys%0A%0A%23AuthorizedPrincipalsFile%20none%0A%0A%23AuthorizedKeysCommand%20none%0A%23AuthorizedKeysCommandUser%20nobody%0A%0A%23%20For%20this%20to%20work%20you%20will%20also%20need%20host%20keys%20in%20/etc/ssh/ssh_known_hosts%0AHostbasedAuthentication%20no%0A%23%20Change%20to%20yes%20if%20you%20don%27t%20trust%20~/.ssh/known_hosts%20for%0A%23%20HostbasedAuthentication%0AIgnoreUserKnownHosts%20yes%0A%23%20Don%27t%20read%20the%20user%27s%20~/.rhosts%20and%20~/.shosts%20files%0AIgnoreRhosts%20yes%0A%0A%23%20To%20disable%20tunneled%20clear%20text%20passwords%2C%20change%20to%20no%20here%21%0A%23PasswordAuthentication%20yes%0APermitEmptyPasswords%20no%0APasswordAuthentication%20no%0A%0A%23%20Change%20to%20no%20to%20disable%20s/key%20passwords%0A%23ChallengeResponseAuthentication%20yes%0AChallengeResponseAuthentication%20no%0A%0A%23%20Kerberos%20options%0AKerberosAuthentication%20no%0A%23KerberosOrLocalPasswd%20yes%0A%23KerberosTicketCleanup%20yes%0A%23KerberosGetAFSToken%20no%0A%23KerberosUseKuserok%20yes%0A%0A%23%20GSSAPI%20options%0AGSSAPIAuthentication%20no%0AGSSAPICleanupCredentials%20no%0A%23GSSAPIStrictAcceptorCheck%20yes%0A%23GSSAPIKeyExchange%20no%0A%23GSSAPIEnablek5users%20no%0A%0A%23%20Set%20this%20to%20%27yes%27%20to%20enable%20PAM%20authentication%2C%20account%20processing%2C%0A%23%20and%20session%20processing.%20If%20this%20is%20enabled%2C%20PAM%20authentication%20will%0A%23%20be%20allowed%20through%20the%20ChallengeResponseAuthentication%20and%0A%23%20PasswordAuthentication.%20%20Depending%20on%20your%20PAM%20configuration%2C%0A%23%20PAM%20authentication%20via%20ChallengeResponseAuthentication%20may%20bypass%0A%23%20the%20setting%20of%20%22PermitRootLogin%20without-password%22.%0A%23%20If%20you%20just%20want%20the%20PAM%20account%20and%20session%20checks%20to%20run%20without%0A%23%20PAM%20authentication%2C%20then%20enable%20this%20but%20set%20PasswordAuthentication%0A%23%20and%20ChallengeResponseAuthentication%20to%20%27no%27.%0A%23%20WARNING%3A%20%27UsePAM%20no%27%20is%20not%20supported%20in%20Fedora%20and%20may%20cause%20several%0A%23%20problems.%0AUsePAM%20yes%0A%0A%23AllowAgentForwarding%20yes%0A%23AllowTcpForwarding%20yes%0A%23GatewayPorts%20no%0AX11Forwarding%20yes%0A%23X11DisplayOffset%2010%0A%23X11UseLocalhost%20yes%0A%23PermitTTY%20yes%0A%0A%23%20It%20is%20recommended%20to%20use%20pam_motd%20in%20/etc/pam.d/sshd%20instead%20of%20PrintMotd%2C%0A%23%20as%20it%20is%20more%20configurable%20and%20versatile%20than%20the%20built-in%20version.%0APrintMotd%20no%0A%0APrintLastLog%20yes%0A%23TCPKeepAlive%20yes%0APermitUserEnvironment%20no%0ACompression%20%7B%7B.var_sshd_disable_compression%7D%7D%0AClientAliveInterval%20%7B%7B.sshd_idle_timeout_value%7D%7D%0AClientAliveCountMax%20%7B%7B.var_sshd_set_keepalive%7D%7D%0A%23UseDNS%20no%0A%23PidFile%20/var/run/sshd.pid%0A%23MaxStartups%2010%3A30%3A100%0A%23PermitTunnel%20no%0A%23ChrootDirectory%20none%0A%23VersionAddendum%20none%0A%0A%23%20no%20default%20banner%20path%0ABanner%20/etc/issue%0A%0A%23%20Accept%20locale-related%20environment%20variables%0AAcceptEnv%20LANG%20LC_CTYPE%20LC_NUMERIC%20LC_TIME%20LC_COLLATE%20LC_MONETARY%20LC_MESSAGES%0AAcceptEnv%20LC_PAPER%20LC_NAME%20LC_ADDRESS%20LC_TELEPHONE%20LC_MEASUREMENT%0AAcceptEnv%20LC_IDENTIFICATION%20LC_ALL%20LANGUAGE%0AAcceptEnv%20XMODIFIERS%0A%0A%23%20override%20default%20of%20no%20subsystems%0ASubsystem%09sftp%09/usr/libexec/openssh/sftp-server%0A%0A%23%20Example%20of%20overriding%20settings%20on%20a%20per-user%20basis%0A%23Match%20User%20anoncvs%0A%23%09X11Forwarding%20no%0A%23%09AllowTcpForwarding%20no%0A%23%09PermitTTY%20no%0A%23%09ForceCommand%20cvs%20server%0A%0AUsePrivilegeSeparation%20%7B%7B.var_sshd_priv_separation%7D%7D }}
-        mode: 0600
-        path: /etc/ssh/sshd_config
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-export export-name="oval:ssg-sshd_required:var:1" value-id="xccdf_org.ssgproject.content_value_sshd_required"/>
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sshd_disable_gssapi_auth:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sshd_disable_gssapi_auth_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth" severity="medium">
-              <xccdf-1.2:title>Disable Kerberos Authentication</xccdf-1.2:title>
-              <xccdf-1.2:description>Unless needed, SSH should not permit extraneous or unnecessary
-authentication mechanisms like Kerberos.
-<html:br/>
-The default SSH configuration disallows authentication validation through Kerberos.
-The appropriate configuration is used if no value is set for <html:code>KerberosAuthentication</html:code>.
-<html:br/>
-To explicitly disable Kerberos authentication, add or correct the following line in
-
-
-<html:code>/etc/ssh/sshd_config</html:code>:
-
-<html:pre>KerberosAuthentication no</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000318</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000368</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001812</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001813</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001814</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">0421</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">0422</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">0431</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">0974</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">1173</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">1401</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">1504</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">1505</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">1546</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">1557</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">1558</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">1559</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">1560</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">1561</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FTP_ITC_EXT.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_SSH_EXT.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000364-GPOS-00151</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000480-VMM-002000</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Kerberos authentication for SSH is often implemented using GSSAPI. If Kerberos
-is enabled through SSH, the SSH daemon provides a means of access to the
-system's Kerberos implementation. 
-Configuring these settings for the SSH daemon provides additional assurance that remote logon via SSH will not use unused methods of authentication, even in the event of misconfiguration elsewhere. </xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="sshd_disable_kerb_auth" complexity="low" disruption="low" reboot="false" strategy="restrict">apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ %0A%23%09%24OpenBSD%3A%20sshd_config%2Cv%201.103%202018/04/09%2020%3A41%3A22%20tj%20Exp%20%24%0A%0A%23%20This%20is%20the%20sshd%20server%20system-wide%20configuration%20file.%20%20See%0A%23%20sshd_config%285%29%20for%20more%20information.%0A%0A%23%20This%20sshd%20was%20compiled%20with%20PATH%3D/usr/local/bin%3A/usr/bin%3A/usr/local/sbin%3A/usr/sbin%0A%0A%23%20The%20strategy%20used%20for%20options%20in%20the%20default%20sshd_config%20shipped%20with%0A%23%20OpenSSH%20is%20to%20specify%20options%20with%20their%20default%20value%20where%0A%23%20possible%2C%20but%20leave%20them%20commented.%20%20Uncommented%20options%20override%20the%0A%23%20default%20value.%0A%0A%23%20If%20you%20want%20to%20change%20the%20port%20on%20a%20SELinux%20system%2C%20you%20have%20to%20tell%0A%23%20SELinux%20about%20this%20change.%0A%23%20semanage%20port%20-a%20-t%20ssh_port_t%20-p%20tcp%20%23PORTNUMBER%0A%23%0A%23Port%2022%0A%23AddressFamily%20any%0A%23ListenAddress%200.0.0.0%0A%23ListenAddress%20%3A%3A%0A%0AHostKey%20/etc/ssh/ssh_host_rsa_key%0AHostKey%20/etc/ssh/ssh_host_ecdsa_key%0AHostKey%20/etc/ssh/ssh_host_ed25519_key%0A%0A%23%20Ciphers%20and%20keying%0ARekeyLimit%20%7B%7B.var_rekey_limit_size%7D%7D%20%7B%7B.var_rekey_limit_time%7D%7D%0A%0A%23%20System-wide%20Crypto%20policy%3A%0A%23%20This%20system%20is%20following%20system-wide%20crypto%20policy.%20The%20changes%20to%0A%23%20Ciphers%2C%20MACs%2C%20KexAlgoritms%20and%20GSSAPIKexAlgorithsm%20will%20not%20have%20any%0A%23%20effect%20here.%20They%20will%20be%20overridden%20by%20command-line%20options%20passed%20on%0A%23%20the%20server%20start%20up.%0A%23%20To%20opt%20out%2C%20uncomment%20a%20line%20with%20redefinition%20of%20%20CRYPTO_POLICY%3D%0A%23%20variable%20in%20%20/etc/sysconfig/sshd%20%20to%20overwrite%20the%20policy.%0A%23%20For%20more%20information%2C%20see%20manual%20page%20for%20update-crypto-policies%288%29.%0A%0A%23%20Logging%0A%23SyslogFacility%20AUTH%0ASyslogFacility%20AUTHPRIV%0A%23LogLevel%20INFO%0A%0A%23%20Authentication%3A%0A%0A%23LoginGraceTime%20%7B%7B.var_sshd_set_login_grace_time%7D%7D%0APermitRootLogin%20no%0AStrictModes%20yes%0A%23MaxAuthTries%206%0A%23MaxSessions%2010%0A%0APubkeyAuthentication%20yes%0A%0A%23%20The%20default%20is%20to%20check%20both%20.ssh/authorized_keys%20and%20.ssh/authorized_keys2%0A%23%20but%20this%20is%20overridden%20so%20installations%20will%20only%20check%20.ssh/authorized_keys%0AAuthorizedKeysFile%09.ssh/authorized_keys%0A%0A%23AuthorizedPrincipalsFile%20none%0A%0A%23AuthorizedKeysCommand%20none%0A%23AuthorizedKeysCommandUser%20nobody%0A%0A%23%20For%20this%20to%20work%20you%20will%20also%20need%20host%20keys%20in%20/etc/ssh/ssh_known_hosts%0AHostbasedAuthentication%20no%0A%23%20Change%20to%20yes%20if%20you%20don%27t%20trust%20~/.ssh/known_hosts%20for%0A%23%20HostbasedAuthentication%0AIgnoreUserKnownHosts%20yes%0A%23%20Don%27t%20read%20the%20user%27s%20~/.rhosts%20and%20~/.shosts%20files%0AIgnoreRhosts%20yes%0A%0A%23%20To%20disable%20tunneled%20clear%20text%20passwords%2C%20change%20to%20no%20here%21%0A%23PasswordAuthentication%20yes%0APermitEmptyPasswords%20no%0APasswordAuthentication%20no%0A%0A%23%20Change%20to%20no%20to%20disable%20s/key%20passwords%0A%23ChallengeResponseAuthentication%20yes%0AChallengeResponseAuthentication%20no%0A%0A%23%20Kerberos%20options%0AKerberosAuthentication%20no%0A%23KerberosOrLocalPasswd%20yes%0A%23KerberosTicketCleanup%20yes%0A%23KerberosGetAFSToken%20no%0A%23KerberosUseKuserok%20yes%0A%0A%23%20GSSAPI%20options%0AGSSAPIAuthentication%20no%0AGSSAPICleanupCredentials%20no%0A%23GSSAPIStrictAcceptorCheck%20yes%0A%23GSSAPIKeyExchange%20no%0A%23GSSAPIEnablek5users%20no%0A%0A%23%20Set%20this%20to%20%27yes%27%20to%20enable%20PAM%20authentication%2C%20account%20processing%2C%0A%23%20and%20session%20processing.%20If%20this%20is%20enabled%2C%20PAM%20authentication%20will%0A%23%20be%20allowed%20through%20the%20ChallengeResponseAuthentication%20and%0A%23%20PasswordAuthentication.%20%20Depending%20on%20your%20PAM%20configuration%2C%0A%23%20PAM%20authentication%20via%20ChallengeResponseAuthentication%20may%20bypass%0A%23%20the%20setting%20of%20%22PermitRootLogin%20without-password%22.%0A%23%20If%20you%20just%20want%20the%20PAM%20account%20and%20session%20checks%20to%20run%20without%0A%23%20PAM%20authentication%2C%20then%20enable%20this%20but%20set%20PasswordAuthentication%0A%23%20and%20ChallengeResponseAuthentication%20to%20%27no%27.%0A%23%20WARNING%3A%20%27UsePAM%20no%27%20is%20not%20supported%20in%20Fedora%20and%20may%20cause%20several%0A%23%20problems.%0AUsePAM%20yes%0A%0A%23AllowAgentForwarding%20yes%0A%23AllowTcpForwarding%20yes%0A%23GatewayPorts%20no%0AX11Forwarding%20yes%0A%23X11DisplayOffset%2010%0A%23X11UseLocalhost%20yes%0A%23PermitTTY%20yes%0A%0A%23%20It%20is%20recommended%20to%20use%20pam_motd%20in%20/etc/pam.d/sshd%20instead%20of%20PrintMotd%2C%0A%23%20as%20it%20is%20more%20configurable%20and%20versatile%20than%20the%20built-in%20version.%0APrintMotd%20no%0A%0APrintLastLog%20yes%0A%23TCPKeepAlive%20yes%0APermitUserEnvironment%20no%0ACompression%20%7B%7B.var_sshd_disable_compression%7D%7D%0AClientAliveInterval%20%7B%7B.sshd_idle_timeout_value%7D%7D%0AClientAliveCountMax%20%7B%7B.var_sshd_set_keepalive%7D%7D%0A%23UseDNS%20no%0A%23PidFile%20/var/run/sshd.pid%0A%23MaxStartups%2010%3A30%3A100%0A%23PermitTunnel%20no%0A%23ChrootDirectory%20none%0A%23VersionAddendum%20none%0A%0A%23%20no%20default%20banner%20path%0ABanner%20/etc/issue%0A%0A%23%20Accept%20locale-related%20environment%20variables%0AAcceptEnv%20LANG%20LC_CTYPE%20LC_NUMERIC%20LC_TIME%20LC_COLLATE%20LC_MONETARY%20LC_MESSAGES%0AAcceptEnv%20LC_PAPER%20LC_NAME%20LC_ADDRESS%20LC_TELEPHONE%20LC_MEASUREMENT%0AAcceptEnv%20LC_IDENTIFICATION%20LC_ALL%20LANGUAGE%0AAcceptEnv%20XMODIFIERS%0A%0A%23%20override%20default%20of%20no%20subsystems%0ASubsystem%09sftp%09/usr/libexec/openssh/sftp-server%0A%0A%23%20Example%20of%20overriding%20settings%20on%20a%20per-user%20basis%0A%23Match%20User%20anoncvs%0A%23%09X11Forwarding%20no%0A%23%09AllowTcpForwarding%20no%0A%23%09PermitTTY%20no%0A%23%09ForceCommand%20cvs%20server%0A%0AUsePrivilegeSeparation%20%7B%7B.var_sshd_priv_separation%7D%7D }}
-        mode: 0600
-        path: /etc/ssh/sshd_config
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-export export-name="oval:ssg-sshd_required:var:1" value-id="xccdf_org.ssgproject.content_value_sshd_required"/>
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sshd_disable_kerb_auth:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sshd_disable_kerb_auth_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sshd_disable_pubkey_auth" severity="medium">
-              <xccdf-1.2:title>Disable PubkeyAuthentication Authentication</xccdf-1.2:title>
-              <xccdf-1.2:description>Unless needed, SSH should not permit extraneous or unnecessary
-authentication mechanisms. To disable PubkeyAuthentication authentication, add or
-correct the following line in
-
-
-<html:code>/etc/ssh/sshd_config</html:code>:
-
-<html:pre>PubkeyAuthentication no</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:rationale>PubkeyAuthentication authentication is used to provide additional authentication mechanisms to
-applications. Allowing PubkeyAuthentication authentication through SSH allows users to
-generate their own authentication tokens, increasing the attack surface of the system.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="sshd_disable_pubkey_auth" complexity="low" disruption="low" reboot="false" strategy="restrict">apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ %0A%23%09%24OpenBSD%3A%20sshd_config%2Cv%201.103%202018/04/09%2020%3A41%3A22%20tj%20Exp%20%24%0A%0A%23%20This%20is%20the%20sshd%20server%20system-wide%20configuration%20file.%20%20See%0A%23%20sshd_config%285%29%20for%20more%20information.%0A%0A%23%20This%20sshd%20was%20compiled%20with%20PATH%3D/usr/local/bin%3A/usr/bin%3A/usr/local/sbin%3A/usr/sbin%0A%0A%23%20The%20strategy%20used%20for%20options%20in%20the%20default%20sshd_config%20shipped%20with%0A%23%20OpenSSH%20is%20to%20specify%20options%20with%20their%20default%20value%20where%0A%23%20possible%2C%20but%20leave%20them%20commented.%20%20Uncommented%20options%20override%20the%0A%23%20default%20value.%0A%0A%23%20If%20you%20want%20to%20change%20the%20port%20on%20a%20SELinux%20system%2C%20you%20have%20to%20tell%0A%23%20SELinux%20about%20this%20change.%0A%23%20semanage%20port%20-a%20-t%20ssh_port_t%20-p%20tcp%20%23PORTNUMBER%0A%23%0A%23Port%2022%0A%23AddressFamily%20any%0A%23ListenAddress%200.0.0.0%0A%23ListenAddress%20%3A%3A%0A%0AHostKey%20/etc/ssh/ssh_host_rsa_key%0AHostKey%20/etc/ssh/ssh_host_ecdsa_key%0AHostKey%20/etc/ssh/ssh_host_ed25519_key%0A%0A%23%20Ciphers%20and%20keying%0ARekeyLimit%20%7B%7B.var_rekey_limit_size%7D%7D%20%7B%7B.var_rekey_limit_time%7D%7D%0A%0A%23%20System-wide%20Crypto%20policy%3A%0A%23%20This%20system%20is%20following%20system-wide%20crypto%20policy.%20The%20changes%20to%0A%23%20Ciphers%2C%20MACs%2C%20KexAlgoritms%20and%20GSSAPIKexAlgorithsm%20will%20not%20have%20any%0A%23%20effect%20here.%20They%20will%20be%20overridden%20by%20command-line%20options%20passed%20on%0A%23%20the%20server%20start%20up.%0A%23%20To%20opt%20out%2C%20uncomment%20a%20line%20with%20redefinition%20of%20%20CRYPTO_POLICY%3D%0A%23%20variable%20in%20%20/etc/sysconfig/sshd%20%20to%20overwrite%20the%20policy.%0A%23%20For%20more%20information%2C%20see%20manual%20page%20for%20update-crypto-policies%288%29.%0A%0A%23%20Logging%0A%23SyslogFacility%20AUTH%0ASyslogFacility%20AUTHPRIV%0A%23LogLevel%20INFO%0A%0A%23%20Authentication%3A%0A%0A%23LoginGraceTime%20%7B%7B.var_sshd_set_login_grace_time%7D%7D%0APermitRootLogin%20no%0AStrictModes%20yes%0A%23MaxAuthTries%206%0A%23MaxSessions%2010%0A%0APubkeyAuthentication%20yes%0A%0A%23%20The%20default%20is%20to%20check%20both%20.ssh/authorized_keys%20and%20.ssh/authorized_keys2%0A%23%20but%20this%20is%20overridden%20so%20installations%20will%20only%20check%20.ssh/authorized_keys%0AAuthorizedKeysFile%09.ssh/authorized_keys%0A%0A%23AuthorizedPrincipalsFile%20none%0A%0A%23AuthorizedKeysCommand%20none%0A%23AuthorizedKeysCommandUser%20nobody%0A%0A%23%20For%20this%20to%20work%20you%20will%20also%20need%20host%20keys%20in%20/etc/ssh/ssh_known_hosts%0AHostbasedAuthentication%20no%0A%23%20Change%20to%20yes%20if%20you%20don%27t%20trust%20~/.ssh/known_hosts%20for%0A%23%20HostbasedAuthentication%0AIgnoreUserKnownHosts%20yes%0A%23%20Don%27t%20read%20the%20user%27s%20~/.rhosts%20and%20~/.shosts%20files%0AIgnoreRhosts%20yes%0A%0A%23%20To%20disable%20tunneled%20clear%20text%20passwords%2C%20change%20to%20no%20here%21%0A%23PasswordAuthentication%20yes%0APermitEmptyPasswords%20no%0APasswordAuthentication%20no%0A%0A%23%20Change%20to%20no%20to%20disable%20s/key%20passwords%0A%23ChallengeResponseAuthentication%20yes%0AChallengeResponseAuthentication%20no%0A%0A%23%20Kerberos%20options%0AKerberosAuthentication%20no%0A%23KerberosOrLocalPasswd%20yes%0A%23KerberosTicketCleanup%20yes%0A%23KerberosGetAFSToken%20no%0A%23KerberosUseKuserok%20yes%0A%0A%23%20GSSAPI%20options%0AGSSAPIAuthentication%20no%0AGSSAPICleanupCredentials%20no%0A%23GSSAPIStrictAcceptorCheck%20yes%0A%23GSSAPIKeyExchange%20no%0A%23GSSAPIEnablek5users%20no%0A%0A%23%20Set%20this%20to%20%27yes%27%20to%20enable%20PAM%20authentication%2C%20account%20processing%2C%0A%23%20and%20session%20processing.%20If%20this%20is%20enabled%2C%20PAM%20authentication%20will%0A%23%20be%20allowed%20through%20the%20ChallengeResponseAuthentication%20and%0A%23%20PasswordAuthentication.%20%20Depending%20on%20your%20PAM%20configuration%2C%0A%23%20PAM%20authentication%20via%20ChallengeResponseAuthentication%20may%20bypass%0A%23%20the%20setting%20of%20%22PermitRootLogin%20without-password%22.%0A%23%20If%20you%20just%20want%20the%20PAM%20account%20and%20session%20checks%20to%20run%20without%0A%23%20PAM%20authentication%2C%20then%20enable%20this%20but%20set%20PasswordAuthentication%0A%23%20and%20ChallengeResponseAuthentication%20to%20%27no%27.%0A%23%20WARNING%3A%20%27UsePAM%20no%27%20is%20not%20supported%20in%20Fedora%20and%20may%20cause%20several%0A%23%20problems.%0AUsePAM%20yes%0A%0A%23AllowAgentForwarding%20yes%0A%23AllowTcpForwarding%20yes%0A%23GatewayPorts%20no%0AX11Forwarding%20yes%0A%23X11DisplayOffset%2010%0A%23X11UseLocalhost%20yes%0A%23PermitTTY%20yes%0A%0A%23%20It%20is%20recommended%20to%20use%20pam_motd%20in%20/etc/pam.d/sshd%20instead%20of%20PrintMotd%2C%0A%23%20as%20it%20is%20more%20configurable%20and%20versatile%20than%20the%20built-in%20version.%0APrintMotd%20no%0A%0APrintLastLog%20yes%0A%23TCPKeepAlive%20yes%0APermitUserEnvironment%20no%0ACompression%20%7B%7B.var_sshd_disable_compression%7D%7D%0AClientAliveInterval%20%7B%7B.sshd_idle_timeout_value%7D%7D%0AClientAliveCountMax%20%7B%7B.var_sshd_set_keepalive%7D%7D%0A%23UseDNS%20no%0A%23PidFile%20/var/run/sshd.pid%0A%23MaxStartups%2010%3A30%3A100%0A%23PermitTunnel%20no%0A%23ChrootDirectory%20none%0A%23VersionAddendum%20none%0A%0A%23%20no%20default%20banner%20path%0ABanner%20/etc/issue%0A%0A%23%20Accept%20locale-related%20environment%20variables%0AAcceptEnv%20LANG%20LC_CTYPE%20LC_NUMERIC%20LC_TIME%20LC_COLLATE%20LC_MONETARY%20LC_MESSAGES%0AAcceptEnv%20LC_PAPER%20LC_NAME%20LC_ADDRESS%20LC_TELEPHONE%20LC_MEASUREMENT%0AAcceptEnv%20LC_IDENTIFICATION%20LC_ALL%20LANGUAGE%0AAcceptEnv%20XMODIFIERS%0A%0A%23%20override%20default%20of%20no%20subsystems%0ASubsystem%09sftp%09/usr/libexec/openssh/sftp-server%0A%0A%23%20Example%20of%20overriding%20settings%20on%20a%20per-user%20basis%0A%23Match%20User%20anoncvs%0A%23%09X11Forwarding%20no%0A%23%09AllowTcpForwarding%20no%0A%23%09PermitTTY%20no%0A%23%09ForceCommand%20cvs%20server%0A%0AUsePrivilegeSeparation%20%7B%7B.var_sshd_priv_separation%7D%7D }}
-        mode: 0600
-        path: /etc/ssh/sshd_config
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-export export-name="oval:ssg-sshd_required:var:1" value-id="xccdf_org.ssgproject.content_value_sshd_required"/>
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sshd_disable_pubkey_auth:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sshd_disable_pubkey_auth_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sshd_disable_rhosts" severity="medium">
-              <xccdf-1.2:title>Disable SSH Support for .rhosts Files</xccdf-1.2:title>
-              <xccdf-1.2:description>SSH can emulate the behavior of the obsolete rsh
-command in allowing users to enable insecure access to their
-accounts via <html:code>.rhosts</html:code> files.
-<html:br/>
-The default SSH configuration disables support for <html:code>.rhosts</html:code>. The appropriate
-configuration is used if no value is set for <html:code>IgnoreRhosts</html:code>.
-<html:br/>
-To explicitly disable support for .rhosts files, add or correct the following line in
-
-
-<html:code>/etc/ssh/sshd_config</html:code>:
-
-<html:pre>IgnoreRhosts yes</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_UAU.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000107-VMM-000530</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>SSH trust relationships mean a compromise on one host
-can allow an attacker to move trivially to other hosts.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82665-1</xccdf-1.2:ident>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="sshd_disable_rhosts" complexity="low" disruption="low" reboot="false" strategy="restrict">apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ %0A%23%09%24OpenBSD%3A%20sshd_config%2Cv%201.103%202018/04/09%2020%3A41%3A22%20tj%20Exp%20%24%0A%0A%23%20This%20is%20the%20sshd%20server%20system-wide%20configuration%20file.%20%20See%0A%23%20sshd_config%285%29%20for%20more%20information.%0A%0A%23%20This%20sshd%20was%20compiled%20with%20PATH%3D/usr/local/bin%3A/usr/bin%3A/usr/local/sbin%3A/usr/sbin%0A%0A%23%20The%20strategy%20used%20for%20options%20in%20the%20default%20sshd_config%20shipped%20with%0A%23%20OpenSSH%20is%20to%20specify%20options%20with%20their%20default%20value%20where%0A%23%20possible%2C%20but%20leave%20them%20commented.%20%20Uncommented%20options%20override%20the%0A%23%20default%20value.%0A%0A%23%20If%20you%20want%20to%20change%20the%20port%20on%20a%20SELinux%20system%2C%20you%20have%20to%20tell%0A%23%20SELinux%20about%20this%20change.%0A%23%20semanage%20port%20-a%20-t%20ssh_port_t%20-p%20tcp%20%23PORTNUMBER%0A%23%0A%23Port%2022%0A%23AddressFamily%20any%0A%23ListenAddress%200.0.0.0%0A%23ListenAddress%20%3A%3A%0A%0AHostKey%20/etc/ssh/ssh_host_rsa_key%0AHostKey%20/etc/ssh/ssh_host_ecdsa_key%0AHostKey%20/etc/ssh/ssh_host_ed25519_key%0A%0A%23%20Ciphers%20and%20keying%0ARekeyLimit%20%7B%7B.var_rekey_limit_size%7D%7D%20%7B%7B.var_rekey_limit_time%7D%7D%0A%0A%23%20System-wide%20Crypto%20policy%3A%0A%23%20This%20system%20is%20following%20system-wide%20crypto%20policy.%20The%20changes%20to%0A%23%20Ciphers%2C%20MACs%2C%20KexAlgoritms%20and%20GSSAPIKexAlgorithsm%20will%20not%20have%20any%0A%23%20effect%20here.%20They%20will%20be%20overridden%20by%20command-line%20options%20passed%20on%0A%23%20the%20server%20start%20up.%0A%23%20To%20opt%20out%2C%20uncomment%20a%20line%20with%20redefinition%20of%20%20CRYPTO_POLICY%3D%0A%23%20variable%20in%20%20/etc/sysconfig/sshd%20%20to%20overwrite%20the%20policy.%0A%23%20For%20more%20information%2C%20see%20manual%20page%20for%20update-crypto-policies%288%29.%0A%0A%23%20Logging%0A%23SyslogFacility%20AUTH%0ASyslogFacility%20AUTHPRIV%0A%23LogLevel%20INFO%0A%0A%23%20Authentication%3A%0A%0A%23LoginGraceTime%20%7B%7B.var_sshd_set_login_grace_time%7D%7D%0APermitRootLogin%20no%0AStrictModes%20yes%0A%23MaxAuthTries%206%0A%23MaxSessions%2010%0A%0APubkeyAuthentication%20yes%0A%0A%23%20The%20default%20is%20to%20check%20both%20.ssh/authorized_keys%20and%20.ssh/authorized_keys2%0A%23%20but%20this%20is%20overridden%20so%20installations%20will%20only%20check%20.ssh/authorized_keys%0AAuthorizedKeysFile%09.ssh/authorized_keys%0A%0A%23AuthorizedPrincipalsFile%20none%0A%0A%23AuthorizedKeysCommand%20none%0A%23AuthorizedKeysCommandUser%20nobody%0A%0A%23%20For%20this%20to%20work%20you%20will%20also%20need%20host%20keys%20in%20/etc/ssh/ssh_known_hosts%0AHostbasedAuthentication%20no%0A%23%20Change%20to%20yes%20if%20you%20don%27t%20trust%20~/.ssh/known_hosts%20for%0A%23%20HostbasedAuthentication%0AIgnoreUserKnownHosts%20yes%0A%23%20Don%27t%20read%20the%20user%27s%20~/.rhosts%20and%20~/.shosts%20files%0AIgnoreRhosts%20yes%0A%0A%23%20To%20disable%20tunneled%20clear%20text%20passwords%2C%20change%20to%20no%20here%21%0A%23PasswordAuthentication%20yes%0APermitEmptyPasswords%20no%0APasswordAuthentication%20no%0A%0A%23%20Change%20to%20no%20to%20disable%20s/key%20passwords%0A%23ChallengeResponseAuthentication%20yes%0AChallengeResponseAuthentication%20no%0A%0A%23%20Kerberos%20options%0AKerberosAuthentication%20no%0A%23KerberosOrLocalPasswd%20yes%0A%23KerberosTicketCleanup%20yes%0A%23KerberosGetAFSToken%20no%0A%23KerberosUseKuserok%20yes%0A%0A%23%20GSSAPI%20options%0AGSSAPIAuthentication%20no%0AGSSAPICleanupCredentials%20no%0A%23GSSAPIStrictAcceptorCheck%20yes%0A%23GSSAPIKeyExchange%20no%0A%23GSSAPIEnablek5users%20no%0A%0A%23%20Set%20this%20to%20%27yes%27%20to%20enable%20PAM%20authentication%2C%20account%20processing%2C%0A%23%20and%20session%20processing.%20If%20this%20is%20enabled%2C%20PAM%20authentication%20will%0A%23%20be%20allowed%20through%20the%20ChallengeResponseAuthentication%20and%0A%23%20PasswordAuthentication.%20%20Depending%20on%20your%20PAM%20configuration%2C%0A%23%20PAM%20authentication%20via%20ChallengeResponseAuthentication%20may%20bypass%0A%23%20the%20setting%20of%20%22PermitRootLogin%20without-password%22.%0A%23%20If%20you%20just%20want%20the%20PAM%20account%20and%20session%20checks%20to%20run%20without%0A%23%20PAM%20authentication%2C%20then%20enable%20this%20but%20set%20PasswordAuthentication%0A%23%20and%20ChallengeResponseAuthentication%20to%20%27no%27.%0A%23%20WARNING%3A%20%27UsePAM%20no%27%20is%20not%20supported%20in%20Fedora%20and%20may%20cause%20several%0A%23%20problems.%0AUsePAM%20yes%0A%0A%23AllowAgentForwarding%20yes%0A%23AllowTcpForwarding%20yes%0A%23GatewayPorts%20no%0AX11Forwarding%20yes%0A%23X11DisplayOffset%2010%0A%23X11UseLocalhost%20yes%0A%23PermitTTY%20yes%0A%0A%23%20It%20is%20recommended%20to%20use%20pam_motd%20in%20/etc/pam.d/sshd%20instead%20of%20PrintMotd%2C%0A%23%20as%20it%20is%20more%20configurable%20and%20versatile%20than%20the%20built-in%20version.%0APrintMotd%20no%0A%0APrintLastLog%20yes%0A%23TCPKeepAlive%20yes%0APermitUserEnvironment%20no%0ACompression%20%7B%7B.var_sshd_disable_compression%7D%7D%0AClientAliveInterval%20%7B%7B.sshd_idle_timeout_value%7D%7D%0AClientAliveCountMax%20%7B%7B.var_sshd_set_keepalive%7D%7D%0A%23UseDNS%20no%0A%23PidFile%20/var/run/sshd.pid%0A%23MaxStartups%2010%3A30%3A100%0A%23PermitTunnel%20no%0A%23ChrootDirectory%20none%0A%23VersionAddendum%20none%0A%0A%23%20no%20default%20banner%20path%0ABanner%20/etc/issue%0A%0A%23%20Accept%20locale-related%20environment%20variables%0AAcceptEnv%20LANG%20LC_CTYPE%20LC_NUMERIC%20LC_TIME%20LC_COLLATE%20LC_MONETARY%20LC_MESSAGES%0AAcceptEnv%20LC_PAPER%20LC_NAME%20LC_ADDRESS%20LC_TELEPHONE%20LC_MEASUREMENT%0AAcceptEnv%20LC_IDENTIFICATION%20LC_ALL%20LANGUAGE%0AAcceptEnv%20XMODIFIERS%0A%0A%23%20override%20default%20of%20no%20subsystems%0ASubsystem%09sftp%09/usr/libexec/openssh/sftp-server%0A%0A%23%20Example%20of%20overriding%20settings%20on%20a%20per-user%20basis%0A%23Match%20User%20anoncvs%0A%23%09X11Forwarding%20no%0A%23%09AllowTcpForwarding%20no%0A%23%09PermitTTY%20no%0A%23%09ForceCommand%20cvs%20server%0A%0AUsePrivilegeSeparation%20%7B%7B.var_sshd_priv_separation%7D%7D }}
-        mode: 0600
-        path: /etc/ssh/sshd_config
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-export export-name="oval:ssg-sshd_required:var:1" value-id="xccdf_org.ssgproject.content_value_sshd_required"/>
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sshd_disable_rhosts:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sshd_disable_rhosts_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sshd_disable_rhosts_rsa" severity="medium">
-              <xccdf-1.2:title>Disable SSH Support for Rhosts RSA Authentication</xccdf-1.2:title>
-              <xccdf-1.2:description>SSH can allow authentication through the obsolete rsh
-command through the use of the authenticating user's SSH keys. This should be disabled.
-<html:br/><html:br/>
-To ensure this behavior is disabled, add or correct the
-following line in <html:code>/etc/ssh/sshd_config</html:code>:
-<html:pre>RhostsRSAAuthentication no</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:warning category="general">As of <html:code>openssh-server</html:code> version <html:code>7.4</html:code> and above,
-the <html:code>RhostsRSAAuthentication</html:code> option has been deprecated, and the line
-<html:pre>RhostsRSAAuthentication no</html:pre> in <html:code>/etc/ssh/sshd_config</html:code> is not
-necessary.</xccdf-1.2:warning>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_UAU.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Configuring this setting for the SSH daemon provides additional
-assurance that remote login via SSH will require a password, even
-in the event of misconfiguration elsewhere.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-export export-name="oval:ssg-sshd_required:var:1" value-id="xccdf_org.ssgproject.content_value_sshd_required"/>
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sshd_disable_rhosts_rsa:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sshd_disable_rhosts_rsa_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="medium">
-              <xccdf-1.2:title>Disable SSH Root Login</xccdf-1.2:title>
-              <xccdf-1.2:description>The root user should never be allowed to login to a
-system directly over a network.
-To disable root login via SSH, add or correct the following line in
-
-
-<html:code>/etc/ssh/sshd_config</html:code>:
-
-<html:pre>PermitRootLogin no</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">BP28(R19)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://www.ssi.gouv.fr/administration/bonnes-pratiques/">NT007(R21)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000770</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.18.1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6(2)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-2(5)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FAU_GEN.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000109-GPOS-00056</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000480-VMM-002000</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Even though the communications channel may be encrypted, an additional layer of
-security is gained by extending the policy of not logging directly on as root.
-In addition, logging in with a user-specific account provides individual
-accountability of actions performed on the system and also helps to minimize
-direct attack attempts on root's password.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="sshd_disable_root_login" complexity="low" disruption="low" reboot="false" strategy="restrict">apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ %0A%23%09%24OpenBSD%3A%20sshd_config%2Cv%201.103%202018/04/09%2020%3A41%3A22%20tj%20Exp%20%24%0A%0A%23%20This%20is%20the%20sshd%20server%20system-wide%20configuration%20file.%20%20See%0A%23%20sshd_config%285%29%20for%20more%20information.%0A%0A%23%20This%20sshd%20was%20compiled%20with%20PATH%3D/usr/local/bin%3A/usr/bin%3A/usr/local/sbin%3A/usr/sbin%0A%0A%23%20The%20strategy%20used%20for%20options%20in%20the%20default%20sshd_config%20shipped%20with%0A%23%20OpenSSH%20is%20to%20specify%20options%20with%20their%20default%20value%20where%0A%23%20possible%2C%20but%20leave%20them%20commented.%20%20Uncommented%20options%20override%20the%0A%23%20default%20value.%0A%0A%23%20If%20you%20want%20to%20change%20the%20port%20on%20a%20SELinux%20system%2C%20you%20have%20to%20tell%0A%23%20SELinux%20about%20this%20change.%0A%23%20semanage%20port%20-a%20-t%20ssh_port_t%20-p%20tcp%20%23PORTNUMBER%0A%23%0A%23Port%2022%0A%23AddressFamily%20any%0A%23ListenAddress%200.0.0.0%0A%23ListenAddress%20%3A%3A%0A%0AHostKey%20/etc/ssh/ssh_host_rsa_key%0AHostKey%20/etc/ssh/ssh_host_ecdsa_key%0AHostKey%20/etc/ssh/ssh_host_ed25519_key%0A%0A%23%20Ciphers%20and%20keying%0ARekeyLimit%20%7B%7B.var_rekey_limit_size%7D%7D%20%7B%7B.var_rekey_limit_time%7D%7D%0A%0A%23%20System-wide%20Crypto%20policy%3A%0A%23%20This%20system%20is%20following%20system-wide%20crypto%20policy.%20The%20changes%20to%0A%23%20Ciphers%2C%20MACs%2C%20KexAlgoritms%20and%20GSSAPIKexAlgorithsm%20will%20not%20have%20any%0A%23%20effect%20here.%20They%20will%20be%20overridden%20by%20command-line%20options%20passed%20on%0A%23%20the%20server%20start%20up.%0A%23%20To%20opt%20out%2C%20uncomment%20a%20line%20with%20redefinition%20of%20%20CRYPTO_POLICY%3D%0A%23%20variable%20in%20%20/etc/sysconfig/sshd%20%20to%20overwrite%20the%20policy.%0A%23%20For%20more%20information%2C%20see%20manual%20page%20for%20update-crypto-policies%288%29.%0A%0A%23%20Logging%0A%23SyslogFacility%20AUTH%0ASyslogFacility%20AUTHPRIV%0A%23LogLevel%20INFO%0A%0A%23%20Authentication%3A%0A%0A%23LoginGraceTime%20%7B%7B.var_sshd_set_login_grace_time%7D%7D%0APermitRootLogin%20no%0AStrictModes%20yes%0A%23MaxAuthTries%206%0A%23MaxSessions%2010%0A%0APubkeyAuthentication%20yes%0A%0A%23%20The%20default%20is%20to%20check%20both%20.ssh/authorized_keys%20and%20.ssh/authorized_keys2%0A%23%20but%20this%20is%20overridden%20so%20installations%20will%20only%20check%20.ssh/authorized_keys%0AAuthorizedKeysFile%09.ssh/authorized_keys%0A%0A%23AuthorizedPrincipalsFile%20none%0A%0A%23AuthorizedKeysCommand%20none%0A%23AuthorizedKeysCommandUser%20nobody%0A%0A%23%20For%20this%20to%20work%20you%20will%20also%20need%20host%20keys%20in%20/etc/ssh/ssh_known_hosts%0AHostbasedAuthentication%20no%0A%23%20Change%20to%20yes%20if%20you%20don%27t%20trust%20~/.ssh/known_hosts%20for%0A%23%20HostbasedAuthentication%0AIgnoreUserKnownHosts%20yes%0A%23%20Don%27t%20read%20the%20user%27s%20~/.rhosts%20and%20~/.shosts%20files%0AIgnoreRhosts%20yes%0A%0A%23%20To%20disable%20tunneled%20clear%20text%20passwords%2C%20change%20to%20no%20here%21%0A%23PasswordAuthentication%20yes%0APermitEmptyPasswords%20no%0APasswordAuthentication%20no%0A%0A%23%20Change%20to%20no%20to%20disable%20s/key%20passwords%0A%23ChallengeResponseAuthentication%20yes%0AChallengeResponseAuthentication%20no%0A%0A%23%20Kerberos%20options%0AKerberosAuthentication%20no%0A%23KerberosOrLocalPasswd%20yes%0A%23KerberosTicketCleanup%20yes%0A%23KerberosGetAFSToken%20no%0A%23KerberosUseKuserok%20yes%0A%0A%23%20GSSAPI%20options%0AGSSAPIAuthentication%20no%0AGSSAPICleanupCredentials%20no%0A%23GSSAPIStrictAcceptorCheck%20yes%0A%23GSSAPIKeyExchange%20no%0A%23GSSAPIEnablek5users%20no%0A%0A%23%20Set%20this%20to%20%27yes%27%20to%20enable%20PAM%20authentication%2C%20account%20processing%2C%0A%23%20and%20session%20processing.%20If%20this%20is%20enabled%2C%20PAM%20authentication%20will%0A%23%20be%20allowed%20through%20the%20ChallengeResponseAuthentication%20and%0A%23%20PasswordAuthentication.%20%20Depending%20on%20your%20PAM%20configuration%2C%0A%23%20PAM%20authentication%20via%20ChallengeResponseAuthentication%20may%20bypass%0A%23%20the%20setting%20of%20%22PermitRootLogin%20without-password%22.%0A%23%20If%20you%20just%20want%20the%20PAM%20account%20and%20session%20checks%20to%20run%20without%0A%23%20PAM%20authentication%2C%20then%20enable%20this%20but%20set%20PasswordAuthentication%0A%23%20and%20ChallengeResponseAuthentication%20to%20%27no%27.%0A%23%20WARNING%3A%20%27UsePAM%20no%27%20is%20not%20supported%20in%20Fedora%20and%20may%20cause%20several%0A%23%20problems.%0AUsePAM%20yes%0A%0A%23AllowAgentForwarding%20yes%0A%23AllowTcpForwarding%20yes%0A%23GatewayPorts%20no%0AX11Forwarding%20yes%0A%23X11DisplayOffset%2010%0A%23X11UseLocalhost%20yes%0A%23PermitTTY%20yes%0A%0A%23%20It%20is%20recommended%20to%20use%20pam_motd%20in%20/etc/pam.d/sshd%20instead%20of%20PrintMotd%2C%0A%23%20as%20it%20is%20more%20configurable%20and%20versatile%20than%20the%20built-in%20version.%0APrintMotd%20no%0A%0APrintLastLog%20yes%0A%23TCPKeepAlive%20yes%0APermitUserEnvironment%20no%0ACompression%20%7B%7B.var_sshd_disable_compression%7D%7D%0AClientAliveInterval%20%7B%7B.sshd_idle_timeout_value%7D%7D%0AClientAliveCountMax%20%7B%7B.var_sshd_set_keepalive%7D%7D%0A%23UseDNS%20no%0A%23PidFile%20/var/run/sshd.pid%0A%23MaxStartups%2010%3A30%3A100%0A%23PermitTunnel%20no%0A%23ChrootDirectory%20none%0A%23VersionAddendum%20none%0A%0A%23%20no%20default%20banner%20path%0ABanner%20/etc/issue%0A%0A%23%20Accept%20locale-related%20environment%20variables%0AAcceptEnv%20LANG%20LC_CTYPE%20LC_NUMERIC%20LC_TIME%20LC_COLLATE%20LC_MONETARY%20LC_MESSAGES%0AAcceptEnv%20LC_PAPER%20LC_NAME%20LC_ADDRESS%20LC_TELEPHONE%20LC_MEASUREMENT%0AAcceptEnv%20LC_IDENTIFICATION%20LC_ALL%20LANGUAGE%0AAcceptEnv%20XMODIFIERS%0A%0A%23%20override%20default%20of%20no%20subsystems%0ASubsystem%09sftp%09/usr/libexec/openssh/sftp-server%0A%0A%23%20Example%20of%20overriding%20settings%20on%20a%20per-user%20basis%0A%23Match%20User%20anoncvs%0A%23%09X11Forwarding%20no%0A%23%09AllowTcpForwarding%20no%0A%23%09PermitTTY%20no%0A%23%09ForceCommand%20cvs%20server%0A%0AUsePrivilegeSeparation%20%7B%7B.var_sshd_priv_separation%7D%7D }}
-        mode: 0600
-        path: /etc/ssh/sshd_config
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-export export-name="oval:ssg-sshd_required:var:1" value-id="xccdf_org.ssgproject.content_value_sshd_required"/>
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sshd_disable_root_login:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sshd_disable_root_login_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sshd_disable_root_password_login" severity="medium">
-              <xccdf-1.2:title>Disable SSH root Login with a Password (Insecure)</xccdf-1.2:title>
-              <xccdf-1.2:description>To disable password-based root logins over SSH, add or correct the following line in
-
-
-<html:code>/etc/ssh/sshd_config</html:code>:
-
-<html:pre>PermitRootLogin prohibit-password</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:warning category="general">While this disables password-based root logins, direct root logins
-through other means such as through SSH keys or GSSAPI will still be
-permitted. Permitting any sort of root login remotely opens up the
-root account to attack.
-To fully disable direct root logins over SSH (which is considered a
-best practice) and prevent remote attacks against the root account,
-see CCE-27100-7, CCE-27445-6, CCE-80901-2, and similar.</xccdf-1.2:warning>
-              <xccdf-1.2:rationale>Even though the communications channel may be encrypted, an additional
-layer of security is gained by preventing use of a password.
-This also helps to minimize direct attack attempts on root's password.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="sshd_disable_root_password_login" complexity="low" disruption="low" reboot="false" strategy="restrict">apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ %0A%23%09%24OpenBSD%3A%20sshd_config%2Cv%201.103%202018/04/09%2020%3A41%3A22%20tj%20Exp%20%24%0A%0A%23%20This%20is%20the%20sshd%20server%20system-wide%20configuration%20file.%20%20See%0A%23%20sshd_config%285%29%20for%20more%20information.%0A%0A%23%20This%20sshd%20was%20compiled%20with%20PATH%3D/usr/local/bin%3A/usr/bin%3A/usr/local/sbin%3A/usr/sbin%0A%0A%23%20The%20strategy%20used%20for%20options%20in%20the%20default%20sshd_config%20shipped%20with%0A%23%20OpenSSH%20is%20to%20specify%20options%20with%20their%20default%20value%20where%0A%23%20possible%2C%20but%20leave%20them%20commented.%20%20Uncommented%20options%20override%20the%0A%23%20default%20value.%0A%0A%23%20If%20you%20want%20to%20change%20the%20port%20on%20a%20SELinux%20system%2C%20you%20have%20to%20tell%0A%23%20SELinux%20about%20this%20change.%0A%23%20semanage%20port%20-a%20-t%20ssh_port_t%20-p%20tcp%20%23PORTNUMBER%0A%23%0A%23Port%2022%0A%23AddressFamily%20any%0A%23ListenAddress%200.0.0.0%0A%23ListenAddress%20%3A%3A%0A%0AHostKey%20/etc/ssh/ssh_host_rsa_key%0AHostKey%20/etc/ssh/ssh_host_ecdsa_key%0AHostKey%20/etc/ssh/ssh_host_ed25519_key%0A%0A%23%20Ciphers%20and%20keying%0ARekeyLimit%20%7B%7B.var_rekey_limit_size%7D%7D%20%7B%7B.var_rekey_limit_time%7D%7D%0A%0A%23%20System-wide%20Crypto%20policy%3A%0A%23%20This%20system%20is%20following%20system-wide%20crypto%20policy.%20The%20changes%20to%0A%23%20Ciphers%2C%20MACs%2C%20KexAlgoritms%20and%20GSSAPIKexAlgorithsm%20will%20not%20have%20any%0A%23%20effect%20here.%20They%20will%20be%20overridden%20by%20command-line%20options%20passed%20on%0A%23%20the%20server%20start%20up.%0A%23%20To%20opt%20out%2C%20uncomment%20a%20line%20with%20redefinition%20of%20%20CRYPTO_POLICY%3D%0A%23%20variable%20in%20%20/etc/sysconfig/sshd%20%20to%20overwrite%20the%20policy.%0A%23%20For%20more%20information%2C%20see%20manual%20page%20for%20update-crypto-policies%288%29.%0A%0A%23%20Logging%0A%23SyslogFacility%20AUTH%0ASyslogFacility%20AUTHPRIV%0A%23LogLevel%20INFO%0A%0A%23%20Authentication%3A%0A%0A%23LoginGraceTime%20%7B%7B.var_sshd_set_login_grace_time%7D%7D%0APermitRootLogin%20no%0AStrictModes%20yes%0A%23MaxAuthTries%206%0A%23MaxSessions%2010%0A%0APubkeyAuthentication%20yes%0A%0A%23%20The%20default%20is%20to%20check%20both%20.ssh/authorized_keys%20and%20.ssh/authorized_keys2%0A%23%20but%20this%20is%20overridden%20so%20installations%20will%20only%20check%20.ssh/authorized_keys%0AAuthorizedKeysFile%09.ssh/authorized_keys%0A%0A%23AuthorizedPrincipalsFile%20none%0A%0A%23AuthorizedKeysCommand%20none%0A%23AuthorizedKeysCommandUser%20nobody%0A%0A%23%20For%20this%20to%20work%20you%20will%20also%20need%20host%20keys%20in%20/etc/ssh/ssh_known_hosts%0AHostbasedAuthentication%20no%0A%23%20Change%20to%20yes%20if%20you%20don%27t%20trust%20~/.ssh/known_hosts%20for%0A%23%20HostbasedAuthentication%0AIgnoreUserKnownHosts%20yes%0A%23%20Don%27t%20read%20the%20user%27s%20~/.rhosts%20and%20~/.shosts%20files%0AIgnoreRhosts%20yes%0A%0A%23%20To%20disable%20tunneled%20clear%20text%20passwords%2C%20change%20to%20no%20here%21%0A%23PasswordAuthentication%20yes%0APermitEmptyPasswords%20no%0APasswordAuthentication%20no%0A%0A%23%20Change%20to%20no%20to%20disable%20s/key%20passwords%0A%23ChallengeResponseAuthentication%20yes%0AChallengeResponseAuthentication%20no%0A%0A%23%20Kerberos%20options%0AKerberosAuthentication%20no%0A%23KerberosOrLocalPasswd%20yes%0A%23KerberosTicketCleanup%20yes%0A%23KerberosGetAFSToken%20no%0A%23KerberosUseKuserok%20yes%0A%0A%23%20GSSAPI%20options%0AGSSAPIAuthentication%20no%0AGSSAPICleanupCredentials%20no%0A%23GSSAPIStrictAcceptorCheck%20yes%0A%23GSSAPIKeyExchange%20no%0A%23GSSAPIEnablek5users%20no%0A%0A%23%20Set%20this%20to%20%27yes%27%20to%20enable%20PAM%20authentication%2C%20account%20processing%2C%0A%23%20and%20session%20processing.%20If%20this%20is%20enabled%2C%20PAM%20authentication%20will%0A%23%20be%20allowed%20through%20the%20ChallengeResponseAuthentication%20and%0A%23%20PasswordAuthentication.%20%20Depending%20on%20your%20PAM%20configuration%2C%0A%23%20PAM%20authentication%20via%20ChallengeResponseAuthentication%20may%20bypass%0A%23%20the%20setting%20of%20%22PermitRootLogin%20without-password%22.%0A%23%20If%20you%20just%20want%20the%20PAM%20account%20and%20session%20checks%20to%20run%20without%0A%23%20PAM%20authentication%2C%20then%20enable%20this%20but%20set%20PasswordAuthentication%0A%23%20and%20ChallengeResponseAuthentication%20to%20%27no%27.%0A%23%20WARNING%3A%20%27UsePAM%20no%27%20is%20not%20supported%20in%20Fedora%20and%20may%20cause%20several%0A%23%20problems.%0AUsePAM%20yes%0A%0A%23AllowAgentForwarding%20yes%0A%23AllowTcpForwarding%20yes%0A%23GatewayPorts%20no%0AX11Forwarding%20yes%0A%23X11DisplayOffset%2010%0A%23X11UseLocalhost%20yes%0A%23PermitTTY%20yes%0A%0A%23%20It%20is%20recommended%20to%20use%20pam_motd%20in%20/etc/pam.d/sshd%20instead%20of%20PrintMotd%2C%0A%23%20as%20it%20is%20more%20configurable%20and%20versatile%20than%20the%20built-in%20version.%0APrintMotd%20no%0A%0APrintLastLog%20yes%0A%23TCPKeepAlive%20yes%0APermitUserEnvironment%20no%0ACompression%20%7B%7B.var_sshd_disable_compression%7D%7D%0AClientAliveInterval%20%7B%7B.sshd_idle_timeout_value%7D%7D%0AClientAliveCountMax%20%7B%7B.var_sshd_set_keepalive%7D%7D%0A%23UseDNS%20no%0A%23PidFile%20/var/run/sshd.pid%0A%23MaxStartups%2010%3A30%3A100%0A%23PermitTunnel%20no%0A%23ChrootDirectory%20none%0A%23VersionAddendum%20none%0A%0A%23%20no%20default%20banner%20path%0ABanner%20/etc/issue%0A%0A%23%20Accept%20locale-related%20environment%20variables%0AAcceptEnv%20LANG%20LC_CTYPE%20LC_NUMERIC%20LC_TIME%20LC_COLLATE%20LC_MONETARY%20LC_MESSAGES%0AAcceptEnv%20LC_PAPER%20LC_NAME%20LC_ADDRESS%20LC_TELEPHONE%20LC_MEASUREMENT%0AAcceptEnv%20LC_IDENTIFICATION%20LC_ALL%20LANGUAGE%0AAcceptEnv%20XMODIFIERS%0A%0A%23%20override%20default%20of%20no%20subsystems%0ASubsystem%09sftp%09/usr/libexec/openssh/sftp-server%0A%0A%23%20Example%20of%20overriding%20settings%20on%20a%20per-user%20basis%0A%23Match%20User%20anoncvs%0A%23%09X11Forwarding%20no%0A%23%09AllowTcpForwarding%20no%0A%23%09PermitTTY%20no%0A%23%09ForceCommand%20cvs%20server%0A%0AUsePrivilegeSeparation%20%7B%7B.var_sshd_priv_separation%7D%7D }}
-        mode: 0600
-        path: /etc/ssh/sshd_config
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-export export-name="oval:ssg-sshd_required:var:1" value-id="xccdf_org.ssgproject.content_value_sshd_required"/>
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sshd_disable_root_password_login:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sshd_disable_root_password_login_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sshd_disable_tcp_forwarding" severity="medium">
-              <xccdf-1.2:title>Disable SSH TCP Forwarding</xccdf-1.2:title>
-              <xccdf-1.2:description>The <html:code>AllowTcpForwarding</html:code> parameter specifies whether TCP forwarding is permitted.
-To disable TCP forwarding, add or correct the following line in
-
-
-<html:code>/etc/ssh/sshd_config</html:code>:
-
-<html:pre>AllowTcpForwarding no</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:rationale>Leaving port forwarding enabled can expose the organization to security risks and back-doors.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="sshd_disable_tcp_forwarding" complexity="low" disruption="low" reboot="false" strategy="restrict">apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ %0A%23%09%24OpenBSD%3A%20sshd_config%2Cv%201.103%202018/04/09%2020%3A41%3A22%20tj%20Exp%20%24%0A%0A%23%20This%20is%20the%20sshd%20server%20system-wide%20configuration%20file.%20%20See%0A%23%20sshd_config%285%29%20for%20more%20information.%0A%0A%23%20This%20sshd%20was%20compiled%20with%20PATH%3D/usr/local/bin%3A/usr/bin%3A/usr/local/sbin%3A/usr/sbin%0A%0A%23%20The%20strategy%20used%20for%20options%20in%20the%20default%20sshd_config%20shipped%20with%0A%23%20OpenSSH%20is%20to%20specify%20options%20with%20their%20default%20value%20where%0A%23%20possible%2C%20but%20leave%20them%20commented.%20%20Uncommented%20options%20override%20the%0A%23%20default%20value.%0A%0A%23%20If%20you%20want%20to%20change%20the%20port%20on%20a%20SELinux%20system%2C%20you%20have%20to%20tell%0A%23%20SELinux%20about%20this%20change.%0A%23%20semanage%20port%20-a%20-t%20ssh_port_t%20-p%20tcp%20%23PORTNUMBER%0A%23%0A%23Port%2022%0A%23AddressFamily%20any%0A%23ListenAddress%200.0.0.0%0A%23ListenAddress%20%3A%3A%0A%0AHostKey%20/etc/ssh/ssh_host_rsa_key%0AHostKey%20/etc/ssh/ssh_host_ecdsa_key%0AHostKey%20/etc/ssh/ssh_host_ed25519_key%0A%0A%23%20Ciphers%20and%20keying%0ARekeyLimit%20%7B%7B.var_rekey_limit_size%7D%7D%20%7B%7B.var_rekey_limit_time%7D%7D%0A%0A%23%20System-wide%20Crypto%20policy%3A%0A%23%20This%20system%20is%20following%20system-wide%20crypto%20policy.%20The%20changes%20to%0A%23%20Ciphers%2C%20MACs%2C%20KexAlgoritms%20and%20GSSAPIKexAlgorithsm%20will%20not%20have%20any%0A%23%20effect%20here.%20They%20will%20be%20overridden%20by%20command-line%20options%20passed%20on%0A%23%20the%20server%20start%20up.%0A%23%20To%20opt%20out%2C%20uncomment%20a%20line%20with%20redefinition%20of%20%20CRYPTO_POLICY%3D%0A%23%20variable%20in%20%20/etc/sysconfig/sshd%20%20to%20overwrite%20the%20policy.%0A%23%20For%20more%20information%2C%20see%20manual%20page%20for%20update-crypto-policies%288%29.%0A%0A%23%20Logging%0A%23SyslogFacility%20AUTH%0ASyslogFacility%20AUTHPRIV%0A%23LogLevel%20INFO%0A%0A%23%20Authentication%3A%0A%0A%23LoginGraceTime%20%7B%7B.var_sshd_set_login_grace_time%7D%7D%0APermitRootLogin%20no%0AStrictModes%20yes%0A%23MaxAuthTries%206%0A%23MaxSessions%2010%0A%0APubkeyAuthentication%20yes%0A%0A%23%20The%20default%20is%20to%20check%20both%20.ssh/authorized_keys%20and%20.ssh/authorized_keys2%0A%23%20but%20this%20is%20overridden%20so%20installations%20will%20only%20check%20.ssh/authorized_keys%0AAuthorizedKeysFile%09.ssh/authorized_keys%0A%0A%23AuthorizedPrincipalsFile%20none%0A%0A%23AuthorizedKeysCommand%20none%0A%23AuthorizedKeysCommandUser%20nobody%0A%0A%23%20For%20this%20to%20work%20you%20will%20also%20need%20host%20keys%20in%20/etc/ssh/ssh_known_hosts%0AHostbasedAuthentication%20no%0A%23%20Change%20to%20yes%20if%20you%20don%27t%20trust%20~/.ssh/known_hosts%20for%0A%23%20HostbasedAuthentication%0AIgnoreUserKnownHosts%20yes%0A%23%20Don%27t%20read%20the%20user%27s%20~/.rhosts%20and%20~/.shosts%20files%0AIgnoreRhosts%20yes%0A%0A%23%20To%20disable%20tunneled%20clear%20text%20passwords%2C%20change%20to%20no%20here%21%0A%23PasswordAuthentication%20yes%0APermitEmptyPasswords%20no%0APasswordAuthentication%20no%0A%0A%23%20Change%20to%20no%20to%20disable%20s/key%20passwords%0A%23ChallengeResponseAuthentication%20yes%0AChallengeResponseAuthentication%20no%0A%0A%23%20Kerberos%20options%0AKerberosAuthentication%20no%0A%23KerberosOrLocalPasswd%20yes%0A%23KerberosTicketCleanup%20yes%0A%23KerberosGetAFSToken%20no%0A%23KerberosUseKuserok%20yes%0A%0A%23%20GSSAPI%20options%0AGSSAPIAuthentication%20no%0AGSSAPICleanupCredentials%20no%0A%23GSSAPIStrictAcceptorCheck%20yes%0A%23GSSAPIKeyExchange%20no%0A%23GSSAPIEnablek5users%20no%0A%0A%23%20Set%20this%20to%20%27yes%27%20to%20enable%20PAM%20authentication%2C%20account%20processing%2C%0A%23%20and%20session%20processing.%20If%20this%20is%20enabled%2C%20PAM%20authentication%20will%0A%23%20be%20allowed%20through%20the%20ChallengeResponseAuthentication%20and%0A%23%20PasswordAuthentication.%20%20Depending%20on%20your%20PAM%20configuration%2C%0A%23%20PAM%20authentication%20via%20ChallengeResponseAuthentication%20may%20bypass%0A%23%20the%20setting%20of%20%22PermitRootLogin%20without-password%22.%0A%23%20If%20you%20just%20want%20the%20PAM%20account%20and%20session%20checks%20to%20run%20without%0A%23%20PAM%20authentication%2C%20then%20enable%20this%20but%20set%20PasswordAuthentication%0A%23%20and%20ChallengeResponseAuthentication%20to%20%27no%27.%0A%23%20WARNING%3A%20%27UsePAM%20no%27%20is%20not%20supported%20in%20Fedora%20and%20may%20cause%20several%0A%23%20problems.%0AUsePAM%20yes%0A%0A%23AllowAgentForwarding%20yes%0A%23AllowTcpForwarding%20yes%0A%23GatewayPorts%20no%0AX11Forwarding%20yes%0A%23X11DisplayOffset%2010%0A%23X11UseLocalhost%20yes%0A%23PermitTTY%20yes%0A%0A%23%20It%20is%20recommended%20to%20use%20pam_motd%20in%20/etc/pam.d/sshd%20instead%20of%20PrintMotd%2C%0A%23%20as%20it%20is%20more%20configurable%20and%20versatile%20than%20the%20built-in%20version.%0APrintMotd%20no%0A%0APrintLastLog%20yes%0A%23TCPKeepAlive%20yes%0APermitUserEnvironment%20no%0ACompression%20%7B%7B.var_sshd_disable_compression%7D%7D%0AClientAliveInterval%20%7B%7B.sshd_idle_timeout_value%7D%7D%0AClientAliveCountMax%20%7B%7B.var_sshd_set_keepalive%7D%7D%0A%23UseDNS%20no%0A%23PidFile%20/var/run/sshd.pid%0A%23MaxStartups%2010%3A30%3A100%0A%23PermitTunnel%20no%0A%23ChrootDirectory%20none%0A%23VersionAddendum%20none%0A%0A%23%20no%20default%20banner%20path%0ABanner%20/etc/issue%0A%0A%23%20Accept%20locale-related%20environment%20variables%0AAcceptEnv%20LANG%20LC_CTYPE%20LC_NUMERIC%20LC_TIME%20LC_COLLATE%20LC_MONETARY%20LC_MESSAGES%0AAcceptEnv%20LC_PAPER%20LC_NAME%20LC_ADDRESS%20LC_TELEPHONE%20LC_MEASUREMENT%0AAcceptEnv%20LC_IDENTIFICATION%20LC_ALL%20LANGUAGE%0AAcceptEnv%20XMODIFIERS%0A%0A%23%20override%20default%20of%20no%20subsystems%0ASubsystem%09sftp%09/usr/libexec/openssh/sftp-server%0A%0A%23%20Example%20of%20overriding%20settings%20on%20a%20per-user%20basis%0A%23Match%20User%20anoncvs%0A%23%09X11Forwarding%20no%0A%23%09AllowTcpForwarding%20no%0A%23%09PermitTTY%20no%0A%23%09ForceCommand%20cvs%20server%0A%0AUsePrivilegeSeparation%20%7B%7B.var_sshd_priv_separation%7D%7D }}
-        mode: 0600
-        path: /etc/ssh/sshd_config
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-export export-name="oval:ssg-sshd_required:var:1" value-id="xccdf_org.ssgproject.content_value_sshd_required"/>
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sshd_disable_tcp_forwarding:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sshd_disable_tcp_forwarding_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts" severity="medium">
-              <xccdf-1.2:title>Disable SSH Support for User Known Hosts</xccdf-1.2:title>
-              <xccdf-1.2:description>SSH can allow system users to connect to systems if a cache of the remote
-systems public keys is available.  This should be disabled.
-<html:br/><html:br/>
-To ensure this behavior is disabled, add or correct the following line in
-
-
-<html:code>/etc/ssh/sshd_config</html:code>:
-
-<html:pre>IgnoreUserKnownHosts yes</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FIA_UAU.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Configuring this setting for the SSH daemon provides additional
-assurance that remote login via SSH will require a password, even
-in the event of misconfiguration elsewhere.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="sshd_disable_user_known_hosts" complexity="low" disruption="low" reboot="false" strategy="restrict">apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ %0A%23%09%24OpenBSD%3A%20sshd_config%2Cv%201.103%202018/04/09%2020%3A41%3A22%20tj%20Exp%20%24%0A%0A%23%20This%20is%20the%20sshd%20server%20system-wide%20configuration%20file.%20%20See%0A%23%20sshd_config%285%29%20for%20more%20information.%0A%0A%23%20This%20sshd%20was%20compiled%20with%20PATH%3D/usr/local/bin%3A/usr/bin%3A/usr/local/sbin%3A/usr/sbin%0A%0A%23%20The%20strategy%20used%20for%20options%20in%20the%20default%20sshd_config%20shipped%20with%0A%23%20OpenSSH%20is%20to%20specify%20options%20with%20their%20default%20value%20where%0A%23%20possible%2C%20but%20leave%20them%20commented.%20%20Uncommented%20options%20override%20the%0A%23%20default%20value.%0A%0A%23%20If%20you%20want%20to%20change%20the%20port%20on%20a%20SELinux%20system%2C%20you%20have%20to%20tell%0A%23%20SELinux%20about%20this%20change.%0A%23%20semanage%20port%20-a%20-t%20ssh_port_t%20-p%20tcp%20%23PORTNUMBER%0A%23%0A%23Port%2022%0A%23AddressFamily%20any%0A%23ListenAddress%200.0.0.0%0A%23ListenAddress%20%3A%3A%0A%0AHostKey%20/etc/ssh/ssh_host_rsa_key%0AHostKey%20/etc/ssh/ssh_host_ecdsa_key%0AHostKey%20/etc/ssh/ssh_host_ed25519_key%0A%0A%23%20Ciphers%20and%20keying%0ARekeyLimit%20%7B%7B.var_rekey_limit_size%7D%7D%20%7B%7B.var_rekey_limit_time%7D%7D%0A%0A%23%20System-wide%20Crypto%20policy%3A%0A%23%20This%20system%20is%20following%20system-wide%20crypto%20policy.%20The%20changes%20to%0A%23%20Ciphers%2C%20MACs%2C%20KexAlgoritms%20and%20GSSAPIKexAlgorithsm%20will%20not%20have%20any%0A%23%20effect%20here.%20They%20will%20be%20overridden%20by%20command-line%20options%20passed%20on%0A%23%20the%20server%20start%20up.%0A%23%20To%20opt%20out%2C%20uncomment%20a%20line%20with%20redefinition%20of%20%20CRYPTO_POLICY%3D%0A%23%20variable%20in%20%20/etc/sysconfig/sshd%20%20to%20overwrite%20the%20policy.%0A%23%20For%20more%20information%2C%20see%20manual%20page%20for%20update-crypto-policies%288%29.%0A%0A%23%20Logging%0A%23SyslogFacility%20AUTH%0ASyslogFacility%20AUTHPRIV%0A%23LogLevel%20INFO%0A%0A%23%20Authentication%3A%0A%0A%23LoginGraceTime%20%7B%7B.var_sshd_set_login_grace_time%7D%7D%0APermitRootLogin%20no%0AStrictModes%20yes%0A%23MaxAuthTries%206%0A%23MaxSessions%2010%0A%0APubkeyAuthentication%20yes%0A%0A%23%20The%20default%20is%20to%20check%20both%20.ssh/authorized_keys%20and%20.ssh/authorized_keys2%0A%23%20but%20this%20is%20overridden%20so%20installations%20will%20only%20check%20.ssh/authorized_keys%0AAuthorizedKeysFile%09.ssh/authorized_keys%0A%0A%23AuthorizedPrincipalsFile%20none%0A%0A%23AuthorizedKeysCommand%20none%0A%23AuthorizedKeysCommandUser%20nobody%0A%0A%23%20For%20this%20to%20work%20you%20will%20also%20need%20host%20keys%20in%20/etc/ssh/ssh_known_hosts%0AHostbasedAuthentication%20no%0A%23%20Change%20to%20yes%20if%20you%20don%27t%20trust%20~/.ssh/known_hosts%20for%0A%23%20HostbasedAuthentication%0AIgnoreUserKnownHosts%20yes%0A%23%20Don%27t%20read%20the%20user%27s%20~/.rhosts%20and%20~/.shosts%20files%0AIgnoreRhosts%20yes%0A%0A%23%20To%20disable%20tunneled%20clear%20text%20passwords%2C%20change%20to%20no%20here%21%0A%23PasswordAuthentication%20yes%0APermitEmptyPasswords%20no%0APasswordAuthentication%20no%0A%0A%23%20Change%20to%20no%20to%20disable%20s/key%20passwords%0A%23ChallengeResponseAuthentication%20yes%0AChallengeResponseAuthentication%20no%0A%0A%23%20Kerberos%20options%0AKerberosAuthentication%20no%0A%23KerberosOrLocalPasswd%20yes%0A%23KerberosTicketCleanup%20yes%0A%23KerberosGetAFSToken%20no%0A%23KerberosUseKuserok%20yes%0A%0A%23%20GSSAPI%20options%0AGSSAPIAuthentication%20no%0AGSSAPICleanupCredentials%20no%0A%23GSSAPIStrictAcceptorCheck%20yes%0A%23GSSAPIKeyExchange%20no%0A%23GSSAPIEnablek5users%20no%0A%0A%23%20Set%20this%20to%20%27yes%27%20to%20enable%20PAM%20authentication%2C%20account%20processing%2C%0A%23%20and%20session%20processing.%20If%20this%20is%20enabled%2C%20PAM%20authentication%20will%0A%23%20be%20allowed%20through%20the%20ChallengeResponseAuthentication%20and%0A%23%20PasswordAuthentication.%20%20Depending%20on%20your%20PAM%20configuration%2C%0A%23%20PAM%20authentication%20via%20ChallengeResponseAuthentication%20may%20bypass%0A%23%20the%20setting%20of%20%22PermitRootLogin%20without-password%22.%0A%23%20If%20you%20just%20want%20the%20PAM%20account%20and%20session%20checks%20to%20run%20without%0A%23%20PAM%20authentication%2C%20then%20enable%20this%20but%20set%20PasswordAuthentication%0A%23%20and%20ChallengeResponseAuthentication%20to%20%27no%27.%0A%23%20WARNING%3A%20%27UsePAM%20no%27%20is%20not%20supported%20in%20Fedora%20and%20may%20cause%20several%0A%23%20problems.%0AUsePAM%20yes%0A%0A%23AllowAgentForwarding%20yes%0A%23AllowTcpForwarding%20yes%0A%23GatewayPorts%20no%0AX11Forwarding%20yes%0A%23X11DisplayOffset%2010%0A%23X11UseLocalhost%20yes%0A%23PermitTTY%20yes%0A%0A%23%20It%20is%20recommended%20to%20use%20pam_motd%20in%20/etc/pam.d/sshd%20instead%20of%20PrintMotd%2C%0A%23%20as%20it%20is%20more%20configurable%20and%20versatile%20than%20the%20built-in%20version.%0APrintMotd%20no%0A%0APrintLastLog%20yes%0A%23TCPKeepAlive%20yes%0APermitUserEnvironment%20no%0ACompression%20%7B%7B.var_sshd_disable_compression%7D%7D%0AClientAliveInterval%20%7B%7B.sshd_idle_timeout_value%7D%7D%0AClientAliveCountMax%20%7B%7B.var_sshd_set_keepalive%7D%7D%0A%23UseDNS%20no%0A%23PidFile%20/var/run/sshd.pid%0A%23MaxStartups%2010%3A30%3A100%0A%23PermitTunnel%20no%0A%23ChrootDirectory%20none%0A%23VersionAddendum%20none%0A%0A%23%20no%20default%20banner%20path%0ABanner%20/etc/issue%0A%0A%23%20Accept%20locale-related%20environment%20variables%0AAcceptEnv%20LANG%20LC_CTYPE%20LC_NUMERIC%20LC_TIME%20LC_COLLATE%20LC_MONETARY%20LC_MESSAGES%0AAcceptEnv%20LC_PAPER%20LC_NAME%20LC_ADDRESS%20LC_TELEPHONE%20LC_MEASUREMENT%0AAcceptEnv%20LC_IDENTIFICATION%20LC_ALL%20LANGUAGE%0AAcceptEnv%20XMODIFIERS%0A%0A%23%20override%20default%20of%20no%20subsystems%0ASubsystem%09sftp%09/usr/libexec/openssh/sftp-server%0A%0A%23%20Example%20of%20overriding%20settings%20on%20a%20per-user%20basis%0A%23Match%20User%20anoncvs%0A%23%09X11Forwarding%20no%0A%23%09AllowTcpForwarding%20no%0A%23%09PermitTTY%20no%0A%23%09ForceCommand%20cvs%20server%0A%0AUsePrivilegeSeparation%20%7B%7B.var_sshd_priv_separation%7D%7D }}
-        mode: 0600
-        path: /etc/ssh/sshd_config
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-export export-name="oval:ssg-sshd_required:var:1" value-id="xccdf_org.ssgproject.content_value_sshd_required"/>
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sshd_disable_user_known_hosts:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sshd_disable_user_known_hosts_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding" severity="medium">
-              <xccdf-1.2:title>Disable X11 Forwarding</xccdf-1.2:title>
-              <xccdf-1.2:description>The X11Forwarding parameter provides the ability to tunnel X11 traffic
-through the connection to enable remote graphic connections.
-SSH has the capability to encrypt remote X11 connections when SSH's
-<html:code>X11Forwarding</html:code> option is enabled.
-<html:br/>
-The default SSH configuration disables X11Forwarding. The appropriate
-configuration is used if no value is set for <html:code>X11Forwarding</html:code>.
-<html:br/>
-To explicitly disable X11 Forwarding, add or correct the following line in
-
-
-<html:code>/etc/ssh/sshd_config</html:code>:
-
-<html:pre>X11Forwarding no</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Disable X11 forwarding unless there is an operational requirement to use X11
-applications directly. There is a small risk that the remote X11 servers of
-users who are logged in via SSH with X11 forwarding could be compromised by
-other users on the X11 server. Note that even if X11 forwarding is disabled,
-users can always install their own forwarders.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="sshd_disable_x11_forwarding" complexity="low" disruption="low" reboot="false" strategy="restrict">apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ %0A%23%09%24OpenBSD%3A%20sshd_config%2Cv%201.103%202018/04/09%2020%3A41%3A22%20tj%20Exp%20%24%0A%0A%23%20This%20is%20the%20sshd%20server%20system-wide%20configuration%20file.%20%20See%0A%23%20sshd_config%285%29%20for%20more%20information.%0A%0A%23%20This%20sshd%20was%20compiled%20with%20PATH%3D/usr/local/bin%3A/usr/bin%3A/usr/local/sbin%3A/usr/sbin%0A%0A%23%20The%20strategy%20used%20for%20options%20in%20the%20default%20sshd_config%20shipped%20with%0A%23%20OpenSSH%20is%20to%20specify%20options%20with%20their%20default%20value%20where%0A%23%20possible%2C%20but%20leave%20them%20commented.%20%20Uncommented%20options%20override%20the%0A%23%20default%20value.%0A%0A%23%20If%20you%20want%20to%20change%20the%20port%20on%20a%20SELinux%20system%2C%20you%20have%20to%20tell%0A%23%20SELinux%20about%20this%20change.%0A%23%20semanage%20port%20-a%20-t%20ssh_port_t%20-p%20tcp%20%23PORTNUMBER%0A%23%0A%23Port%2022%0A%23AddressFamily%20any%0A%23ListenAddress%200.0.0.0%0A%23ListenAddress%20%3A%3A%0A%0AHostKey%20/etc/ssh/ssh_host_rsa_key%0AHostKey%20/etc/ssh/ssh_host_ecdsa_key%0AHostKey%20/etc/ssh/ssh_host_ed25519_key%0A%0A%23%20Ciphers%20and%20keying%0ARekeyLimit%20%7B%7B.var_rekey_limit_size%7D%7D%20%7B%7B.var_rekey_limit_time%7D%7D%0A%0A%23%20System-wide%20Crypto%20policy%3A%0A%23%20This%20system%20is%20following%20system-wide%20crypto%20policy.%20The%20changes%20to%0A%23%20Ciphers%2C%20MACs%2C%20KexAlgoritms%20and%20GSSAPIKexAlgorithsm%20will%20not%20have%20any%0A%23%20effect%20here.%20They%20will%20be%20overridden%20by%20command-line%20options%20passed%20on%0A%23%20the%20server%20start%20up.%0A%23%20To%20opt%20out%2C%20uncomment%20a%20line%20with%20redefinition%20of%20%20CRYPTO_POLICY%3D%0A%23%20variable%20in%20%20/etc/sysconfig/sshd%20%20to%20overwrite%20the%20policy.%0A%23%20For%20more%20information%2C%20see%20manual%20page%20for%20update-crypto-policies%288%29.%0A%0A%23%20Logging%0A%23SyslogFacility%20AUTH%0ASyslogFacility%20AUTHPRIV%0A%23LogLevel%20INFO%0A%0A%23%20Authentication%3A%0A%0A%23LoginGraceTime%20%7B%7B.var_sshd_set_login_grace_time%7D%7D%0APermitRootLogin%20no%0AStrictModes%20yes%0A%23MaxAuthTries%206%0A%23MaxSessions%2010%0A%0APubkeyAuthentication%20yes%0A%0A%23%20The%20default%20is%20to%20check%20both%20.ssh/authorized_keys%20and%20.ssh/authorized_keys2%0A%23%20but%20this%20is%20overridden%20so%20installations%20will%20only%20check%20.ssh/authorized_keys%0AAuthorizedKeysFile%09.ssh/authorized_keys%0A%0A%23AuthorizedPrincipalsFile%20none%0A%0A%23AuthorizedKeysCommand%20none%0A%23AuthorizedKeysCommandUser%20nobody%0A%0A%23%20For%20this%20to%20work%20you%20will%20also%20need%20host%20keys%20in%20/etc/ssh/ssh_known_hosts%0AHostbasedAuthentication%20no%0A%23%20Change%20to%20yes%20if%20you%20don%27t%20trust%20~/.ssh/known_hosts%20for%0A%23%20HostbasedAuthentication%0AIgnoreUserKnownHosts%20yes%0A%23%20Don%27t%20read%20the%20user%27s%20~/.rhosts%20and%20~/.shosts%20files%0AIgnoreRhosts%20yes%0A%0A%23%20To%20disable%20tunneled%20clear%20text%20passwords%2C%20change%20to%20no%20here%21%0A%23PasswordAuthentication%20yes%0APermitEmptyPasswords%20no%0APasswordAuthentication%20no%0A%0A%23%20Change%20to%20no%20to%20disable%20s/key%20passwords%0A%23ChallengeResponseAuthentication%20yes%0AChallengeResponseAuthentication%20no%0A%0A%23%20Kerberos%20options%0AKerberosAuthentication%20no%0A%23KerberosOrLocalPasswd%20yes%0A%23KerberosTicketCleanup%20yes%0A%23KerberosGetAFSToken%20no%0A%23KerberosUseKuserok%20yes%0A%0A%23%20GSSAPI%20options%0AGSSAPIAuthentication%20no%0AGSSAPICleanupCredentials%20no%0A%23GSSAPIStrictAcceptorCheck%20yes%0A%23GSSAPIKeyExchange%20no%0A%23GSSAPIEnablek5users%20no%0A%0A%23%20Set%20this%20to%20%27yes%27%20to%20enable%20PAM%20authentication%2C%20account%20processing%2C%0A%23%20and%20session%20processing.%20If%20this%20is%20enabled%2C%20PAM%20authentication%20will%0A%23%20be%20allowed%20through%20the%20ChallengeResponseAuthentication%20and%0A%23%20PasswordAuthentication.%20%20Depending%20on%20your%20PAM%20configuration%2C%0A%23%20PAM%20authentication%20via%20ChallengeResponseAuthentication%20may%20bypass%0A%23%20the%20setting%20of%20%22PermitRootLogin%20without-password%22.%0A%23%20If%20you%20just%20want%20the%20PAM%20account%20and%20session%20checks%20to%20run%20without%0A%23%20PAM%20authentication%2C%20then%20enable%20this%20but%20set%20PasswordAuthentication%0A%23%20and%20ChallengeResponseAuthentication%20to%20%27no%27.%0A%23%20WARNING%3A%20%27UsePAM%20no%27%20is%20not%20supported%20in%20Fedora%20and%20may%20cause%20several%0A%23%20problems.%0AUsePAM%20yes%0A%0A%23AllowAgentForwarding%20yes%0A%23AllowTcpForwarding%20yes%0A%23GatewayPorts%20no%0AX11Forwarding%20yes%0A%23X11DisplayOffset%2010%0A%23X11UseLocalhost%20yes%0A%23PermitTTY%20yes%0A%0A%23%20It%20is%20recommended%20to%20use%20pam_motd%20in%20/etc/pam.d/sshd%20instead%20of%20PrintMotd%2C%0A%23%20as%20it%20is%20more%20configurable%20and%20versatile%20than%20the%20built-in%20version.%0APrintMotd%20no%0A%0APrintLastLog%20yes%0A%23TCPKeepAlive%20yes%0APermitUserEnvironment%20no%0ACompression%20%7B%7B.var_sshd_disable_compression%7D%7D%0AClientAliveInterval%20%7B%7B.sshd_idle_timeout_value%7D%7D%0AClientAliveCountMax%20%7B%7B.var_sshd_set_keepalive%7D%7D%0A%23UseDNS%20no%0A%23PidFile%20/var/run/sshd.pid%0A%23MaxStartups%2010%3A30%3A100%0A%23PermitTunnel%20no%0A%23ChrootDirectory%20none%0A%23VersionAddendum%20none%0A%0A%23%20no%20default%20banner%20path%0ABanner%20/etc/issue%0A%0A%23%20Accept%20locale-related%20environment%20variables%0AAcceptEnv%20LANG%20LC_CTYPE%20LC_NUMERIC%20LC_TIME%20LC_COLLATE%20LC_MONETARY%20LC_MESSAGES%0AAcceptEnv%20LC_PAPER%20LC_NAME%20LC_ADDRESS%20LC_TELEPHONE%20LC_MEASUREMENT%0AAcceptEnv%20LC_IDENTIFICATION%20LC_ALL%20LANGUAGE%0AAcceptEnv%20XMODIFIERS%0A%0A%23%20override%20default%20of%20no%20subsystems%0ASubsystem%09sftp%09/usr/libexec/openssh/sftp-server%0A%0A%23%20Example%20of%20overriding%20settings%20on%20a%20per-user%20basis%0A%23Match%20User%20anoncvs%0A%23%09X11Forwarding%20no%0A%23%09AllowTcpForwarding%20no%0A%23%09PermitTTY%20no%0A%23%09ForceCommand%20cvs%20server%0A%0AUsePrivilegeSeparation%20%7B%7B.var_sshd_priv_separation%7D%7D }}
-        mode: 0600
-        path: /etc/ssh/sshd_config
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-export export-name="oval:ssg-sshd_required:var:1" value-id="xccdf_org.ssgproject.content_value_sshd_required"/>
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sshd_disable_x11_forwarding:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sshd_disable_x11_forwarding_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env" severity="medium">
-              <xccdf-1.2:title>Do Not Allow SSH Environment Options</xccdf-1.2:title>
-              <xccdf-1.2:description>Ensure that users are not able to override environment variables of the SSH daemon.
-<html:br/>
-The default SSH configuration disables environment processing. The appropriate
-configuration is used if no value is set for <html:code>PermitUserEnvironment</html:code>.
-<html:br/>
-To explicitly disable Environment options, add or correct the following
-
-
-<html:code>/etc/ssh/sshd_config</html:code>:
-
-<html:pre>PermitUserEnvironment no</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-7(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00229</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000480-VMM-002000</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>SSH environment options potentially allow users to bypass
-access restriction in some configurations.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="sshd_do_not_permit_user_env" complexity="low" disruption="low" reboot="false" strategy="restrict">apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ %0A%23%09%24OpenBSD%3A%20sshd_config%2Cv%201.103%202018/04/09%2020%3A41%3A22%20tj%20Exp%20%24%0A%0A%23%20This%20is%20the%20sshd%20server%20system-wide%20configuration%20file.%20%20See%0A%23%20sshd_config%285%29%20for%20more%20information.%0A%0A%23%20This%20sshd%20was%20compiled%20with%20PATH%3D/usr/local/bin%3A/usr/bin%3A/usr/local/sbin%3A/usr/sbin%0A%0A%23%20The%20strategy%20used%20for%20options%20in%20the%20default%20sshd_config%20shipped%20with%0A%23%20OpenSSH%20is%20to%20specify%20options%20with%20their%20default%20value%20where%0A%23%20possible%2C%20but%20leave%20them%20commented.%20%20Uncommented%20options%20override%20the%0A%23%20default%20value.%0A%0A%23%20If%20you%20want%20to%20change%20the%20port%20on%20a%20SELinux%20system%2C%20you%20have%20to%20tell%0A%23%20SELinux%20about%20this%20change.%0A%23%20semanage%20port%20-a%20-t%20ssh_port_t%20-p%20tcp%20%23PORTNUMBER%0A%23%0A%23Port%2022%0A%23AddressFamily%20any%0A%23ListenAddress%200.0.0.0%0A%23ListenAddress%20%3A%3A%0A%0AHostKey%20/etc/ssh/ssh_host_rsa_key%0AHostKey%20/etc/ssh/ssh_host_ecdsa_key%0AHostKey%20/etc/ssh/ssh_host_ed25519_key%0A%0A%23%20Ciphers%20and%20keying%0ARekeyLimit%20%7B%7B.var_rekey_limit_size%7D%7D%20%7B%7B.var_rekey_limit_time%7D%7D%0A%0A%23%20System-wide%20Crypto%20policy%3A%0A%23%20This%20system%20is%20following%20system-wide%20crypto%20policy.%20The%20changes%20to%0A%23%20Ciphers%2C%20MACs%2C%20KexAlgoritms%20and%20GSSAPIKexAlgorithsm%20will%20not%20have%20any%0A%23%20effect%20here.%20They%20will%20be%20overridden%20by%20command-line%20options%20passed%20on%0A%23%20the%20server%20start%20up.%0A%23%20To%20opt%20out%2C%20uncomment%20a%20line%20with%20redefinition%20of%20%20CRYPTO_POLICY%3D%0A%23%20variable%20in%20%20/etc/sysconfig/sshd%20%20to%20overwrite%20the%20policy.%0A%23%20For%20more%20information%2C%20see%20manual%20page%20for%20update-crypto-policies%288%29.%0A%0A%23%20Logging%0A%23SyslogFacility%20AUTH%0ASyslogFacility%20AUTHPRIV%0A%23LogLevel%20INFO%0A%0A%23%20Authentication%3A%0A%0A%23LoginGraceTime%20%7B%7B.var_sshd_set_login_grace_time%7D%7D%0APermitRootLogin%20no%0AStrictModes%20yes%0A%23MaxAuthTries%206%0A%23MaxSessions%2010%0A%0APubkeyAuthentication%20yes%0A%0A%23%20The%20default%20is%20to%20check%20both%20.ssh/authorized_keys%20and%20.ssh/authorized_keys2%0A%23%20but%20this%20is%20overridden%20so%20installations%20will%20only%20check%20.ssh/authorized_keys%0AAuthorizedKeysFile%09.ssh/authorized_keys%0A%0A%23AuthorizedPrincipalsFile%20none%0A%0A%23AuthorizedKeysCommand%20none%0A%23AuthorizedKeysCommandUser%20nobody%0A%0A%23%20For%20this%20to%20work%20you%20will%20also%20need%20host%20keys%20in%20/etc/ssh/ssh_known_hosts%0AHostbasedAuthentication%20no%0A%23%20Change%20to%20yes%20if%20you%20don%27t%20trust%20~/.ssh/known_hosts%20for%0A%23%20HostbasedAuthentication%0AIgnoreUserKnownHosts%20yes%0A%23%20Don%27t%20read%20the%20user%27s%20~/.rhosts%20and%20~/.shosts%20files%0AIgnoreRhosts%20yes%0A%0A%23%20To%20disable%20tunneled%20clear%20text%20passwords%2C%20change%20to%20no%20here%21%0A%23PasswordAuthentication%20yes%0APermitEmptyPasswords%20no%0APasswordAuthentication%20no%0A%0A%23%20Change%20to%20no%20to%20disable%20s/key%20passwords%0A%23ChallengeResponseAuthentication%20yes%0AChallengeResponseAuthentication%20no%0A%0A%23%20Kerberos%20options%0AKerberosAuthentication%20no%0A%23KerberosOrLocalPasswd%20yes%0A%23KerberosTicketCleanup%20yes%0A%23KerberosGetAFSToken%20no%0A%23KerberosUseKuserok%20yes%0A%0A%23%20GSSAPI%20options%0AGSSAPIAuthentication%20no%0AGSSAPICleanupCredentials%20no%0A%23GSSAPIStrictAcceptorCheck%20yes%0A%23GSSAPIKeyExchange%20no%0A%23GSSAPIEnablek5users%20no%0A%0A%23%20Set%20this%20to%20%27yes%27%20to%20enable%20PAM%20authentication%2C%20account%20processing%2C%0A%23%20and%20session%20processing.%20If%20this%20is%20enabled%2C%20PAM%20authentication%20will%0A%23%20be%20allowed%20through%20the%20ChallengeResponseAuthentication%20and%0A%23%20PasswordAuthentication.%20%20Depending%20on%20your%20PAM%20configuration%2C%0A%23%20PAM%20authentication%20via%20ChallengeResponseAuthentication%20may%20bypass%0A%23%20the%20setting%20of%20%22PermitRootLogin%20without-password%22.%0A%23%20If%20you%20just%20want%20the%20PAM%20account%20and%20session%20checks%20to%20run%20without%0A%23%20PAM%20authentication%2C%20then%20enable%20this%20but%20set%20PasswordAuthentication%0A%23%20and%20ChallengeResponseAuthentication%20to%20%27no%27.%0A%23%20WARNING%3A%20%27UsePAM%20no%27%20is%20not%20supported%20in%20Fedora%20and%20may%20cause%20several%0A%23%20problems.%0AUsePAM%20yes%0A%0A%23AllowAgentForwarding%20yes%0A%23AllowTcpForwarding%20yes%0A%23GatewayPorts%20no%0AX11Forwarding%20yes%0A%23X11DisplayOffset%2010%0A%23X11UseLocalhost%20yes%0A%23PermitTTY%20yes%0A%0A%23%20It%20is%20recommended%20to%20use%20pam_motd%20in%20/etc/pam.d/sshd%20instead%20of%20PrintMotd%2C%0A%23%20as%20it%20is%20more%20configurable%20and%20versatile%20than%20the%20built-in%20version.%0APrintMotd%20no%0A%0APrintLastLog%20yes%0A%23TCPKeepAlive%20yes%0APermitUserEnvironment%20no%0ACompression%20%7B%7B.var_sshd_disable_compression%7D%7D%0AClientAliveInterval%20%7B%7B.sshd_idle_timeout_value%7D%7D%0AClientAliveCountMax%20%7B%7B.var_sshd_set_keepalive%7D%7D%0A%23UseDNS%20no%0A%23PidFile%20/var/run/sshd.pid%0A%23MaxStartups%2010%3A30%3A100%0A%23PermitTunnel%20no%0A%23ChrootDirectory%20none%0A%23VersionAddendum%20none%0A%0A%23%20no%20default%20banner%20path%0ABanner%20/etc/issue%0A%0A%23%20Accept%20locale-related%20environment%20variables%0AAcceptEnv%20LANG%20LC_CTYPE%20LC_NUMERIC%20LC_TIME%20LC_COLLATE%20LC_MONETARY%20LC_MESSAGES%0AAcceptEnv%20LC_PAPER%20LC_NAME%20LC_ADDRESS%20LC_TELEPHONE%20LC_MEASUREMENT%0AAcceptEnv%20LC_IDENTIFICATION%20LC_ALL%20LANGUAGE%0AAcceptEnv%20XMODIFIERS%0A%0A%23%20override%20default%20of%20no%20subsystems%0ASubsystem%09sftp%09/usr/libexec/openssh/sftp-server%0A%0A%23%20Example%20of%20overriding%20settings%20on%20a%20per-user%20basis%0A%23Match%20User%20anoncvs%0A%23%09X11Forwarding%20no%0A%23%09AllowTcpForwarding%20no%0A%23%09PermitTTY%20no%0A%23%09ForceCommand%20cvs%20server%0A%0AUsePrivilegeSeparation%20%7B%7B.var_sshd_priv_separation%7D%7D }}
-        mode: 0600
-        path: /etc/ssh/sshd_config
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-export export-name="oval:ssg-sshd_required:var:1" value-id="xccdf_org.ssgproject.content_value_sshd_required"/>
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sshd_do_not_permit_user_env:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sshd_do_not_permit_user_env_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sshd_enable_gssapi_auth" severity="medium">
-              <xccdf-1.2:title>Enable GSSAPI Authentication</xccdf-1.2:title>
-              <xccdf-1.2:description>Sites setup to use Kerberos or other GSSAPI Authenticaion require setting
-sshd to accept this authentication.
-To enable GSSAPI authentication, add or correct the following line in
-
-
-<html:code>/etc/ssh/sshd_config</html:code>:
-
-<html:pre>GSSAPIAuthentication yes</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:rationale>Kerberos authentication for SSH is often implemented using GSSAPI. If
-Kerberos is enabled through SSH, the SSH daemon provides a means of access
-to the system's Kerberos implementation. Vulnerabilities in the system's
-Kerberos implementations may be subject to exploitation.
-
-For enterprises, Kerberos is often enabled and used with GSSAPI for 
-centralized user account management which may necessitate enabling of
-GSSAPI functionality in SSH. </xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="sshd_enable_gssapi_auth" complexity="low" disruption="low" reboot="false" strategy="restrict">apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ %0A%23%09%24OpenBSD%3A%20sshd_config%2Cv%201.103%202018/04/09%2020%3A41%3A22%20tj%20Exp%20%24%0A%0A%23%20This%20is%20the%20sshd%20server%20system-wide%20configuration%20file.%20%20See%0A%23%20sshd_config%285%29%20for%20more%20information.%0A%0A%23%20This%20sshd%20was%20compiled%20with%20PATH%3D/usr/local/bin%3A/usr/bin%3A/usr/local/sbin%3A/usr/sbin%0A%0A%23%20The%20strategy%20used%20for%20options%20in%20the%20default%20sshd_config%20shipped%20with%0A%23%20OpenSSH%20is%20to%20specify%20options%20with%20their%20default%20value%20where%0A%23%20possible%2C%20but%20leave%20them%20commented.%20%20Uncommented%20options%20override%20the%0A%23%20default%20value.%0A%0A%23%20If%20you%20want%20to%20change%20the%20port%20on%20a%20SELinux%20system%2C%20you%20have%20to%20tell%0A%23%20SELinux%20about%20this%20change.%0A%23%20semanage%20port%20-a%20-t%20ssh_port_t%20-p%20tcp%20%23PORTNUMBER%0A%23%0A%23Port%2022%0A%23AddressFamily%20any%0A%23ListenAddress%200.0.0.0%0A%23ListenAddress%20%3A%3A%0A%0AHostKey%20/etc/ssh/ssh_host_rsa_key%0AHostKey%20/etc/ssh/ssh_host_ecdsa_key%0AHostKey%20/etc/ssh/ssh_host_ed25519_key%0A%0A%23%20Ciphers%20and%20keying%0ARekeyLimit%20%7B%7B.var_rekey_limit_size%7D%7D%20%7B%7B.var_rekey_limit_time%7D%7D%0A%0A%23%20System-wide%20Crypto%20policy%3A%0A%23%20This%20system%20is%20following%20system-wide%20crypto%20policy.%20The%20changes%20to%0A%23%20Ciphers%2C%20MACs%2C%20KexAlgoritms%20and%20GSSAPIKexAlgorithsm%20will%20not%20have%20any%0A%23%20effect%20here.%20They%20will%20be%20overridden%20by%20command-line%20options%20passed%20on%0A%23%20the%20server%20start%20up.%0A%23%20To%20opt%20out%2C%20uncomment%20a%20line%20with%20redefinition%20of%20%20CRYPTO_POLICY%3D%0A%23%20variable%20in%20%20/etc/sysconfig/sshd%20%20to%20overwrite%20the%20policy.%0A%23%20For%20more%20information%2C%20see%20manual%20page%20for%20update-crypto-policies%288%29.%0A%0A%23%20Logging%0A%23SyslogFacility%20AUTH%0ASyslogFacility%20AUTHPRIV%0A%23LogLevel%20INFO%0A%0A%23%20Authentication%3A%0A%0A%23LoginGraceTime%20%7B%7B.var_sshd_set_login_grace_time%7D%7D%0APermitRootLogin%20no%0AStrictModes%20yes%0A%23MaxAuthTries%206%0A%23MaxSessions%2010%0A%0APubkeyAuthentication%20yes%0A%0A%23%20The%20default%20is%20to%20check%20both%20.ssh/authorized_keys%20and%20.ssh/authorized_keys2%0A%23%20but%20this%20is%20overridden%20so%20installations%20will%20only%20check%20.ssh/authorized_keys%0AAuthorizedKeysFile%09.ssh/authorized_keys%0A%0A%23AuthorizedPrincipalsFile%20none%0A%0A%23AuthorizedKeysCommand%20none%0A%23AuthorizedKeysCommandUser%20nobody%0A%0A%23%20For%20this%20to%20work%20you%20will%20also%20need%20host%20keys%20in%20/etc/ssh/ssh_known_hosts%0AHostbasedAuthentication%20no%0A%23%20Change%20to%20yes%20if%20you%20don%27t%20trust%20~/.ssh/known_hosts%20for%0A%23%20HostbasedAuthentication%0AIgnoreUserKnownHosts%20yes%0A%23%20Don%27t%20read%20the%20user%27s%20~/.rhosts%20and%20~/.shosts%20files%0AIgnoreRhosts%20yes%0A%0A%23%20To%20disable%20tunneled%20clear%20text%20passwords%2C%20change%20to%20no%20here%21%0A%23PasswordAuthentication%20yes%0APermitEmptyPasswords%20no%0APasswordAuthentication%20no%0A%0A%23%20Change%20to%20no%20to%20disable%20s/key%20passwords%0A%23ChallengeResponseAuthentication%20yes%0AChallengeResponseAuthentication%20no%0A%0A%23%20Kerberos%20options%0AKerberosAuthentication%20no%0A%23KerberosOrLocalPasswd%20yes%0A%23KerberosTicketCleanup%20yes%0A%23KerberosGetAFSToken%20no%0A%23KerberosUseKuserok%20yes%0A%0A%23%20GSSAPI%20options%0AGSSAPIAuthentication%20no%0AGSSAPICleanupCredentials%20no%0A%23GSSAPIStrictAcceptorCheck%20yes%0A%23GSSAPIKeyExchange%20no%0A%23GSSAPIEnablek5users%20no%0A%0A%23%20Set%20this%20to%20%27yes%27%20to%20enable%20PAM%20authentication%2C%20account%20processing%2C%0A%23%20and%20session%20processing.%20If%20this%20is%20enabled%2C%20PAM%20authentication%20will%0A%23%20be%20allowed%20through%20the%20ChallengeResponseAuthentication%20and%0A%23%20PasswordAuthentication.%20%20Depending%20on%20your%20PAM%20configuration%2C%0A%23%20PAM%20authentication%20via%20ChallengeResponseAuthentication%20may%20bypass%0A%23%20the%20setting%20of%20%22PermitRootLogin%20without-password%22.%0A%23%20If%20you%20just%20want%20the%20PAM%20account%20and%20session%20checks%20to%20run%20without%0A%23%20PAM%20authentication%2C%20then%20enable%20this%20but%20set%20PasswordAuthentication%0A%23%20and%20ChallengeResponseAuthentication%20to%20%27no%27.%0A%23%20WARNING%3A%20%27UsePAM%20no%27%20is%20not%20supported%20in%20Fedora%20and%20may%20cause%20several%0A%23%20problems.%0AUsePAM%20yes%0A%0A%23AllowAgentForwarding%20yes%0A%23AllowTcpForwarding%20yes%0A%23GatewayPorts%20no%0AX11Forwarding%20yes%0A%23X11DisplayOffset%2010%0A%23X11UseLocalhost%20yes%0A%23PermitTTY%20yes%0A%0A%23%20It%20is%20recommended%20to%20use%20pam_motd%20in%20/etc/pam.d/sshd%20instead%20of%20PrintMotd%2C%0A%23%20as%20it%20is%20more%20configurable%20and%20versatile%20than%20the%20built-in%20version.%0APrintMotd%20no%0A%0APrintLastLog%20yes%0A%23TCPKeepAlive%20yes%0APermitUserEnvironment%20no%0ACompression%20%7B%7B.var_sshd_disable_compression%7D%7D%0AClientAliveInterval%20%7B%7B.sshd_idle_timeout_value%7D%7D%0AClientAliveCountMax%20%7B%7B.var_sshd_set_keepalive%7D%7D%0A%23UseDNS%20no%0A%23PidFile%20/var/run/sshd.pid%0A%23MaxStartups%2010%3A30%3A100%0A%23PermitTunnel%20no%0A%23ChrootDirectory%20none%0A%23VersionAddendum%20none%0A%0A%23%20no%20default%20banner%20path%0ABanner%20/etc/issue%0A%0A%23%20Accept%20locale-related%20environment%20variables%0AAcceptEnv%20LANG%20LC_CTYPE%20LC_NUMERIC%20LC_TIME%20LC_COLLATE%20LC_MONETARY%20LC_MESSAGES%0AAcceptEnv%20LC_PAPER%20LC_NAME%20LC_ADDRESS%20LC_TELEPHONE%20LC_MEASUREMENT%0AAcceptEnv%20LC_IDENTIFICATION%20LC_ALL%20LANGUAGE%0AAcceptEnv%20XMODIFIERS%0A%0A%23%20override%20default%20of%20no%20subsystems%0ASubsystem%09sftp%09/usr/libexec/openssh/sftp-server%0A%0A%23%20Example%20of%20overriding%20settings%20on%20a%20per-user%20basis%0A%23Match%20User%20anoncvs%0A%23%09X11Forwarding%20no%0A%23%09AllowTcpForwarding%20no%0A%23%09PermitTTY%20no%0A%23%09ForceCommand%20cvs%20server%0A%0AUsePrivilegeSeparation%20%7B%7B.var_sshd_priv_separation%7D%7D }}
-        mode: 0600
-        path: /etc/ssh/sshd_config
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-export export-name="oval:ssg-sshd_required:var:1" value-id="xccdf_org.ssgproject.content_value_sshd_required"/>
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sshd_enable_gssapi_auth:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sshd_enable_gssapi_auth_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sshd_enable_pam" severity="medium">
-              <xccdf-1.2:title>Enable PAM</xccdf-1.2:title>
-              <xccdf-1.2:description>UsePAM Enables the Pluggable Authentication Module interface. If set to &#x201C;yes&#x201D; this will
-enable PAM authentication using ChallengeResponseAuthentication and
-PasswordAuthentication in addition to PAM account and session module processing for all
-authentication types.
-
-To enable PAM authentication, add or correct the following line in
-
-
-<html:code>/etc/ssh/sshd_config</html:code>:
-
-<html:pre>UsePAM yes</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000877</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000125-GPOS-00065</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>When UsePAM is set to yes, PAM runs through account and session types properly. This is
-important if you want to restrict access to services based off of IP, time or other factors of
-the account. Additionally, you can make sure users inherit certain environment variables
-on login or disallow access to the server.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="sshd_enable_pam" complexity="low" disruption="low" reboot="false" strategy="restrict">apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ %0A%23%09%24OpenBSD%3A%20sshd_config%2Cv%201.103%202018/04/09%2020%3A41%3A22%20tj%20Exp%20%24%0A%0A%23%20This%20is%20the%20sshd%20server%20system-wide%20configuration%20file.%20%20See%0A%23%20sshd_config%285%29%20for%20more%20information.%0A%0A%23%20This%20sshd%20was%20compiled%20with%20PATH%3D/usr/local/bin%3A/usr/bin%3A/usr/local/sbin%3A/usr/sbin%0A%0A%23%20The%20strategy%20used%20for%20options%20in%20the%20default%20sshd_config%20shipped%20with%0A%23%20OpenSSH%20is%20to%20specify%20options%20with%20their%20default%20value%20where%0A%23%20possible%2C%20but%20leave%20them%20commented.%20%20Uncommented%20options%20override%20the%0A%23%20default%20value.%0A%0A%23%20If%20you%20want%20to%20change%20the%20port%20on%20a%20SELinux%20system%2C%20you%20have%20to%20tell%0A%23%20SELinux%20about%20this%20change.%0A%23%20semanage%20port%20-a%20-t%20ssh_port_t%20-p%20tcp%20%23PORTNUMBER%0A%23%0A%23Port%2022%0A%23AddressFamily%20any%0A%23ListenAddress%200.0.0.0%0A%23ListenAddress%20%3A%3A%0A%0AHostKey%20/etc/ssh/ssh_host_rsa_key%0AHostKey%20/etc/ssh/ssh_host_ecdsa_key%0AHostKey%20/etc/ssh/ssh_host_ed25519_key%0A%0A%23%20Ciphers%20and%20keying%0ARekeyLimit%20%7B%7B.var_rekey_limit_size%7D%7D%20%7B%7B.var_rekey_limit_time%7D%7D%0A%0A%23%20System-wide%20Crypto%20policy%3A%0A%23%20This%20system%20is%20following%20system-wide%20crypto%20policy.%20The%20changes%20to%0A%23%20Ciphers%2C%20MACs%2C%20KexAlgoritms%20and%20GSSAPIKexAlgorithsm%20will%20not%20have%20any%0A%23%20effect%20here.%20They%20will%20be%20overridden%20by%20command-line%20options%20passed%20on%0A%23%20the%20server%20start%20up.%0A%23%20To%20opt%20out%2C%20uncomment%20a%20line%20with%20redefinition%20of%20%20CRYPTO_POLICY%3D%0A%23%20variable%20in%20%20/etc/sysconfig/sshd%20%20to%20overwrite%20the%20policy.%0A%23%20For%20more%20information%2C%20see%20manual%20page%20for%20update-crypto-policies%288%29.%0A%0A%23%20Logging%0A%23SyslogFacility%20AUTH%0ASyslogFacility%20AUTHPRIV%0A%23LogLevel%20INFO%0A%0A%23%20Authentication%3A%0A%0A%23LoginGraceTime%20%7B%7B.var_sshd_set_login_grace_time%7D%7D%0APermitRootLogin%20no%0AStrictModes%20yes%0A%23MaxAuthTries%206%0A%23MaxSessions%2010%0A%0APubkeyAuthentication%20yes%0A%0A%23%20The%20default%20is%20to%20check%20both%20.ssh/authorized_keys%20and%20.ssh/authorized_keys2%0A%23%20but%20this%20is%20overridden%20so%20installations%20will%20only%20check%20.ssh/authorized_keys%0AAuthorizedKeysFile%09.ssh/authorized_keys%0A%0A%23AuthorizedPrincipalsFile%20none%0A%0A%23AuthorizedKeysCommand%20none%0A%23AuthorizedKeysCommandUser%20nobody%0A%0A%23%20For%20this%20to%20work%20you%20will%20also%20need%20host%20keys%20in%20/etc/ssh/ssh_known_hosts%0AHostbasedAuthentication%20no%0A%23%20Change%20to%20yes%20if%20you%20don%27t%20trust%20~/.ssh/known_hosts%20for%0A%23%20HostbasedAuthentication%0AIgnoreUserKnownHosts%20yes%0A%23%20Don%27t%20read%20the%20user%27s%20~/.rhosts%20and%20~/.shosts%20files%0AIgnoreRhosts%20yes%0A%0A%23%20To%20disable%20tunneled%20clear%20text%20passwords%2C%20change%20to%20no%20here%21%0A%23PasswordAuthentication%20yes%0APermitEmptyPasswords%20no%0APasswordAuthentication%20no%0A%0A%23%20Change%20to%20no%20to%20disable%20s/key%20passwords%0A%23ChallengeResponseAuthentication%20yes%0AChallengeResponseAuthentication%20no%0A%0A%23%20Kerberos%20options%0AKerberosAuthentication%20no%0A%23KerberosOrLocalPasswd%20yes%0A%23KerberosTicketCleanup%20yes%0A%23KerberosGetAFSToken%20no%0A%23KerberosUseKuserok%20yes%0A%0A%23%20GSSAPI%20options%0AGSSAPIAuthentication%20no%0AGSSAPICleanupCredentials%20no%0A%23GSSAPIStrictAcceptorCheck%20yes%0A%23GSSAPIKeyExchange%20no%0A%23GSSAPIEnablek5users%20no%0A%0A%23%20Set%20this%20to%20%27yes%27%20to%20enable%20PAM%20authentication%2C%20account%20processing%2C%0A%23%20and%20session%20processing.%20If%20this%20is%20enabled%2C%20PAM%20authentication%20will%0A%23%20be%20allowed%20through%20the%20ChallengeResponseAuthentication%20and%0A%23%20PasswordAuthentication.%20%20Depending%20on%20your%20PAM%20configuration%2C%0A%23%20PAM%20authentication%20via%20ChallengeResponseAuthentication%20may%20bypass%0A%23%20the%20setting%20of%20%22PermitRootLogin%20without-password%22.%0A%23%20If%20you%20just%20want%20the%20PAM%20account%20and%20session%20checks%20to%20run%20without%0A%23%20PAM%20authentication%2C%20then%20enable%20this%20but%20set%20PasswordAuthentication%0A%23%20and%20ChallengeResponseAuthentication%20to%20%27no%27.%0A%23%20WARNING%3A%20%27UsePAM%20no%27%20is%20not%20supported%20in%20Fedora%20and%20may%20cause%20several%0A%23%20problems.%0AUsePAM%20yes%0A%0A%23AllowAgentForwarding%20yes%0A%23AllowTcpForwarding%20yes%0A%23GatewayPorts%20no%0AX11Forwarding%20yes%0A%23X11DisplayOffset%2010%0A%23X11UseLocalhost%20yes%0A%23PermitTTY%20yes%0A%0A%23%20It%20is%20recommended%20to%20use%20pam_motd%20in%20/etc/pam.d/sshd%20instead%20of%20PrintMotd%2C%0A%23%20as%20it%20is%20more%20configurable%20and%20versatile%20than%20the%20built-in%20version.%0APrintMotd%20no%0A%0APrintLastLog%20yes%0A%23TCPKeepAlive%20yes%0APermitUserEnvironment%20no%0ACompression%20%7B%7B.var_sshd_disable_compression%7D%7D%0AClientAliveInterval%20%7B%7B.sshd_idle_timeout_value%7D%7D%0AClientAliveCountMax%20%7B%7B.var_sshd_set_keepalive%7D%7D%0A%23UseDNS%20no%0A%23PidFile%20/var/run/sshd.pid%0A%23MaxStartups%2010%3A30%3A100%0A%23PermitTunnel%20no%0A%23ChrootDirectory%20none%0A%23VersionAddendum%20none%0A%0A%23%20no%20default%20banner%20path%0ABanner%20/etc/issue%0A%0A%23%20Accept%20locale-related%20environment%20variables%0AAcceptEnv%20LANG%20LC_CTYPE%20LC_NUMERIC%20LC_TIME%20LC_COLLATE%20LC_MONETARY%20LC_MESSAGES%0AAcceptEnv%20LC_PAPER%20LC_NAME%20LC_ADDRESS%20LC_TELEPHONE%20LC_MEASUREMENT%0AAcceptEnv%20LC_IDENTIFICATION%20LC_ALL%20LANGUAGE%0AAcceptEnv%20XMODIFIERS%0A%0A%23%20override%20default%20of%20no%20subsystems%0ASubsystem%09sftp%09/usr/libexec/openssh/sftp-server%0A%0A%23%20Example%20of%20overriding%20settings%20on%20a%20per-user%20basis%0A%23Match%20User%20anoncvs%0A%23%09X11Forwarding%20no%0A%23%09AllowTcpForwarding%20no%0A%23%09PermitTTY%20no%0A%23%09ForceCommand%20cvs%20server%0A%0AUsePrivilegeSeparation%20%7B%7B.var_sshd_priv_separation%7D%7D }}
-        mode: 0600
-        path: /etc/ssh/sshd_config
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-export export-name="oval:ssg-sshd_required:var:1" value-id="xccdf_org.ssgproject.content_value_sshd_required"/>
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sshd_enable_pam:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sshd_enable_pam_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sshd_enable_pubkey_auth" severity="medium">
-              <xccdf-1.2:title>Enable Public Key Authentication</xccdf-1.2:title>
-              <xccdf-1.2:description>Enable SSH login with public keys.
-<html:br/>
-The default SSH configuration enables authentication based on public keys. The appropriate
-configuration is used if no value is set for <html:code>PubkeyAuthentication</html:code>.
-<html:br/>
-To explicitly enable Public Key Authentication, add or correct the following
-
-
-<html:code>/etc/ssh/sshd_config</html:code>:
-
-<html:pre>PubkeyAuthentication yes</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000765</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000766</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000767</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000768</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000105-GPOS-00052</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000106-GPOS-00053</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000107-GPOS-00054</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000108-GPOS-00055</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Without the use of multifactor authentication, the ease of access to
-privileged functions is greatly increased. Multifactor authentication
-requires using two or more factors to achieve authentication.
-A privileged account is defined as an information system account with
-authorizations of a privileged user. 
-The DoD CAC with DoD-approved PKI is an example of multifactor
-authentication.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="sshd_enable_pubkey_auth" complexity="low" disruption="low" reboot="false" strategy="restrict">apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ %0A%23%09%24OpenBSD%3A%20sshd_config%2Cv%201.103%202018/04/09%2020%3A41%3A22%20tj%20Exp%20%24%0A%0A%23%20This%20is%20the%20sshd%20server%20system-wide%20configuration%20file.%20%20See%0A%23%20sshd_config%285%29%20for%20more%20information.%0A%0A%23%20This%20sshd%20was%20compiled%20with%20PATH%3D/usr/local/bin%3A/usr/bin%3A/usr/local/sbin%3A/usr/sbin%0A%0A%23%20The%20strategy%20used%20for%20options%20in%20the%20default%20sshd_config%20shipped%20with%0A%23%20OpenSSH%20is%20to%20specify%20options%20with%20their%20default%20value%20where%0A%23%20possible%2C%20but%20leave%20them%20commented.%20%20Uncommented%20options%20override%20the%0A%23%20default%20value.%0A%0A%23%20If%20you%20want%20to%20change%20the%20port%20on%20a%20SELinux%20system%2C%20you%20have%20to%20tell%0A%23%20SELinux%20about%20this%20change.%0A%23%20semanage%20port%20-a%20-t%20ssh_port_t%20-p%20tcp%20%23PORTNUMBER%0A%23%0A%23Port%2022%0A%23AddressFamily%20any%0A%23ListenAddress%200.0.0.0%0A%23ListenAddress%20%3A%3A%0A%0AHostKey%20/etc/ssh/ssh_host_rsa_key%0AHostKey%20/etc/ssh/ssh_host_ecdsa_key%0AHostKey%20/etc/ssh/ssh_host_ed25519_key%0A%0A%23%20Ciphers%20and%20keying%0ARekeyLimit%20%7B%7B.var_rekey_limit_size%7D%7D%20%7B%7B.var_rekey_limit_time%7D%7D%0A%0A%23%20System-wide%20Crypto%20policy%3A%0A%23%20This%20system%20is%20following%20system-wide%20crypto%20policy.%20The%20changes%20to%0A%23%20Ciphers%2C%20MACs%2C%20KexAlgoritms%20and%20GSSAPIKexAlgorithsm%20will%20not%20have%20any%0A%23%20effect%20here.%20They%20will%20be%20overridden%20by%20command-line%20options%20passed%20on%0A%23%20the%20server%20start%20up.%0A%23%20To%20opt%20out%2C%20uncomment%20a%20line%20with%20redefinition%20of%20%20CRYPTO_POLICY%3D%0A%23%20variable%20in%20%20/etc/sysconfig/sshd%20%20to%20overwrite%20the%20policy.%0A%23%20For%20more%20information%2C%20see%20manual%20page%20for%20update-crypto-policies%288%29.%0A%0A%23%20Logging%0A%23SyslogFacility%20AUTH%0ASyslogFacility%20AUTHPRIV%0A%23LogLevel%20INFO%0A%0A%23%20Authentication%3A%0A%0A%23LoginGraceTime%20%7B%7B.var_sshd_set_login_grace_time%7D%7D%0APermitRootLogin%20no%0AStrictModes%20yes%0A%23MaxAuthTries%206%0A%23MaxSessions%2010%0A%0APubkeyAuthentication%20yes%0A%0A%23%20The%20default%20is%20to%20check%20both%20.ssh/authorized_keys%20and%20.ssh/authorized_keys2%0A%23%20but%20this%20is%20overridden%20so%20installations%20will%20only%20check%20.ssh/authorized_keys%0AAuthorizedKeysFile%09.ssh/authorized_keys%0A%0A%23AuthorizedPrincipalsFile%20none%0A%0A%23AuthorizedKeysCommand%20none%0A%23AuthorizedKeysCommandUser%20nobody%0A%0A%23%20For%20this%20to%20work%20you%20will%20also%20need%20host%20keys%20in%20/etc/ssh/ssh_known_hosts%0AHostbasedAuthentication%20no%0A%23%20Change%20to%20yes%20if%20you%20don%27t%20trust%20~/.ssh/known_hosts%20for%0A%23%20HostbasedAuthentication%0AIgnoreUserKnownHosts%20yes%0A%23%20Don%27t%20read%20the%20user%27s%20~/.rhosts%20and%20~/.shosts%20files%0AIgnoreRhosts%20yes%0A%0A%23%20To%20disable%20tunneled%20clear%20text%20passwords%2C%20change%20to%20no%20here%21%0A%23PasswordAuthentication%20yes%0APermitEmptyPasswords%20no%0APasswordAuthentication%20no%0A%0A%23%20Change%20to%20no%20to%20disable%20s/key%20passwords%0A%23ChallengeResponseAuthentication%20yes%0AChallengeResponseAuthentication%20no%0A%0A%23%20Kerberos%20options%0AKerberosAuthentication%20no%0A%23KerberosOrLocalPasswd%20yes%0A%23KerberosTicketCleanup%20yes%0A%23KerberosGetAFSToken%20no%0A%23KerberosUseKuserok%20yes%0A%0A%23%20GSSAPI%20options%0AGSSAPIAuthentication%20no%0AGSSAPICleanupCredentials%20no%0A%23GSSAPIStrictAcceptorCheck%20yes%0A%23GSSAPIKeyExchange%20no%0A%23GSSAPIEnablek5users%20no%0A%0A%23%20Set%20this%20to%20%27yes%27%20to%20enable%20PAM%20authentication%2C%20account%20processing%2C%0A%23%20and%20session%20processing.%20If%20this%20is%20enabled%2C%20PAM%20authentication%20will%0A%23%20be%20allowed%20through%20the%20ChallengeResponseAuthentication%20and%0A%23%20PasswordAuthentication.%20%20Depending%20on%20your%20PAM%20configuration%2C%0A%23%20PAM%20authentication%20via%20ChallengeResponseAuthentication%20may%20bypass%0A%23%20the%20setting%20of%20%22PermitRootLogin%20without-password%22.%0A%23%20If%20you%20just%20want%20the%20PAM%20account%20and%20session%20checks%20to%20run%20without%0A%23%20PAM%20authentication%2C%20then%20enable%20this%20but%20set%20PasswordAuthentication%0A%23%20and%20ChallengeResponseAuthentication%20to%20%27no%27.%0A%23%20WARNING%3A%20%27UsePAM%20no%27%20is%20not%20supported%20in%20Fedora%20and%20may%20cause%20several%0A%23%20problems.%0AUsePAM%20yes%0A%0A%23AllowAgentForwarding%20yes%0A%23AllowTcpForwarding%20yes%0A%23GatewayPorts%20no%0AX11Forwarding%20yes%0A%23X11DisplayOffset%2010%0A%23X11UseLocalhost%20yes%0A%23PermitTTY%20yes%0A%0A%23%20It%20is%20recommended%20to%20use%20pam_motd%20in%20/etc/pam.d/sshd%20instead%20of%20PrintMotd%2C%0A%23%20as%20it%20is%20more%20configurable%20and%20versatile%20than%20the%20built-in%20version.%0APrintMotd%20no%0A%0APrintLastLog%20yes%0A%23TCPKeepAlive%20yes%0APermitUserEnvironment%20no%0ACompression%20%7B%7B.var_sshd_disable_compression%7D%7D%0AClientAliveInterval%20%7B%7B.sshd_idle_timeout_value%7D%7D%0AClientAliveCountMax%20%7B%7B.var_sshd_set_keepalive%7D%7D%0A%23UseDNS%20no%0A%23PidFile%20/var/run/sshd.pid%0A%23MaxStartups%2010%3A30%3A100%0A%23PermitTunnel%20no%0A%23ChrootDirectory%20none%0A%23VersionAddendum%20none%0A%0A%23%20no%20default%20banner%20path%0ABanner%20/etc/issue%0A%0A%23%20Accept%20locale-related%20environment%20variables%0AAcceptEnv%20LANG%20LC_CTYPE%20LC_NUMERIC%20LC_TIME%20LC_COLLATE%20LC_MONETARY%20LC_MESSAGES%0AAcceptEnv%20LC_PAPER%20LC_NAME%20LC_ADDRESS%20LC_TELEPHONE%20LC_MEASUREMENT%0AAcceptEnv%20LC_IDENTIFICATION%20LC_ALL%20LANGUAGE%0AAcceptEnv%20XMODIFIERS%0A%0A%23%20override%20default%20of%20no%20subsystems%0ASubsystem%09sftp%09/usr/libexec/openssh/sftp-server%0A%0A%23%20Example%20of%20overriding%20settings%20on%20a%20per-user%20basis%0A%23Match%20User%20anoncvs%0A%23%09X11Forwarding%20no%0A%23%09AllowTcpForwarding%20no%0A%23%09PermitTTY%20no%0A%23%09ForceCommand%20cvs%20server%0A%0AUsePrivilegeSeparation%20%7B%7B.var_sshd_priv_separation%7D%7D }}
-        mode: 0600
-        path: /etc/ssh/sshd_config
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-export export-name="oval:ssg-sshd_required:var:1" value-id="xccdf_org.ssgproject.content_value_sshd_required"/>
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sshd_enable_pubkey_auth:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sshd_enable_pubkey_auth_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes" severity="medium">
-              <xccdf-1.2:title>Enable Use of Strict Mode Checking</xccdf-1.2:title>
-              <xccdf-1.2:description>SSHs <html:code>StrictModes</html:code> option checks file and ownership permissions in
-the user's home directory <html:code>.ssh</html:code> folder before accepting login. If world-
-writable permissions are found, logon is rejected.
-<html:br/>
-The default SSH configuration has <html:code>StrictModes</html:code> enabled. The appropriate
-configuration is used if no value is set for <html:code>StrictModes</html:code>.
-<html:br/>
-To explicitly enable <html:code>StrictModes</html:code> in SSH, add or correct the following line in
-
-
-<html:code>/etc/ssh/sshd_config</html:code>:
-
-<html:pre>StrictModes yes</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000480-VMM-002000</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>If other users have access to modify user-specific SSH configuration files, they
-may be able to log into the system as another user.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="sshd_enable_strictmodes" complexity="low" disruption="low" reboot="false" strategy="restrict">apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ %0A%23%09%24OpenBSD%3A%20sshd_config%2Cv%201.103%202018/04/09%2020%3A41%3A22%20tj%20Exp%20%24%0A%0A%23%20This%20is%20the%20sshd%20server%20system-wide%20configuration%20file.%20%20See%0A%23%20sshd_config%285%29%20for%20more%20information.%0A%0A%23%20This%20sshd%20was%20compiled%20with%20PATH%3D/usr/local/bin%3A/usr/bin%3A/usr/local/sbin%3A/usr/sbin%0A%0A%23%20The%20strategy%20used%20for%20options%20in%20the%20default%20sshd_config%20shipped%20with%0A%23%20OpenSSH%20is%20to%20specify%20options%20with%20their%20default%20value%20where%0A%23%20possible%2C%20but%20leave%20them%20commented.%20%20Uncommented%20options%20override%20the%0A%23%20default%20value.%0A%0A%23%20If%20you%20want%20to%20change%20the%20port%20on%20a%20SELinux%20system%2C%20you%20have%20to%20tell%0A%23%20SELinux%20about%20this%20change.%0A%23%20semanage%20port%20-a%20-t%20ssh_port_t%20-p%20tcp%20%23PORTNUMBER%0A%23%0A%23Port%2022%0A%23AddressFamily%20any%0A%23ListenAddress%200.0.0.0%0A%23ListenAddress%20%3A%3A%0A%0AHostKey%20/etc/ssh/ssh_host_rsa_key%0AHostKey%20/etc/ssh/ssh_host_ecdsa_key%0AHostKey%20/etc/ssh/ssh_host_ed25519_key%0A%0A%23%20Ciphers%20and%20keying%0ARekeyLimit%20%7B%7B.var_rekey_limit_size%7D%7D%20%7B%7B.var_rekey_limit_time%7D%7D%0A%0A%23%20System-wide%20Crypto%20policy%3A%0A%23%20This%20system%20is%20following%20system-wide%20crypto%20policy.%20The%20changes%20to%0A%23%20Ciphers%2C%20MACs%2C%20KexAlgoritms%20and%20GSSAPIKexAlgorithsm%20will%20not%20have%20any%0A%23%20effect%20here.%20They%20will%20be%20overridden%20by%20command-line%20options%20passed%20on%0A%23%20the%20server%20start%20up.%0A%23%20To%20opt%20out%2C%20uncomment%20a%20line%20with%20redefinition%20of%20%20CRYPTO_POLICY%3D%0A%23%20variable%20in%20%20/etc/sysconfig/sshd%20%20to%20overwrite%20the%20policy.%0A%23%20For%20more%20information%2C%20see%20manual%20page%20for%20update-crypto-policies%288%29.%0A%0A%23%20Logging%0A%23SyslogFacility%20AUTH%0ASyslogFacility%20AUTHPRIV%0A%23LogLevel%20INFO%0A%0A%23%20Authentication%3A%0A%0A%23LoginGraceTime%20%7B%7B.var_sshd_set_login_grace_time%7D%7D%0APermitRootLogin%20no%0AStrictModes%20yes%0A%23MaxAuthTries%206%0A%23MaxSessions%2010%0A%0APubkeyAuthentication%20yes%0A%0A%23%20The%20default%20is%20to%20check%20both%20.ssh/authorized_keys%20and%20.ssh/authorized_keys2%0A%23%20but%20this%20is%20overridden%20so%20installations%20will%20only%20check%20.ssh/authorized_keys%0AAuthorizedKeysFile%09.ssh/authorized_keys%0A%0A%23AuthorizedPrincipalsFile%20none%0A%0A%23AuthorizedKeysCommand%20none%0A%23AuthorizedKeysCommandUser%20nobody%0A%0A%23%20For%20this%20to%20work%20you%20will%20also%20need%20host%20keys%20in%20/etc/ssh/ssh_known_hosts%0AHostbasedAuthentication%20no%0A%23%20Change%20to%20yes%20if%20you%20don%27t%20trust%20~/.ssh/known_hosts%20for%0A%23%20HostbasedAuthentication%0AIgnoreUserKnownHosts%20yes%0A%23%20Don%27t%20read%20the%20user%27s%20~/.rhosts%20and%20~/.shosts%20files%0AIgnoreRhosts%20yes%0A%0A%23%20To%20disable%20tunneled%20clear%20text%20passwords%2C%20change%20to%20no%20here%21%0A%23PasswordAuthentication%20yes%0APermitEmptyPasswords%20no%0APasswordAuthentication%20no%0A%0A%23%20Change%20to%20no%20to%20disable%20s/key%20passwords%0A%23ChallengeResponseAuthentication%20yes%0AChallengeResponseAuthentication%20no%0A%0A%23%20Kerberos%20options%0AKerberosAuthentication%20no%0A%23KerberosOrLocalPasswd%20yes%0A%23KerberosTicketCleanup%20yes%0A%23KerberosGetAFSToken%20no%0A%23KerberosUseKuserok%20yes%0A%0A%23%20GSSAPI%20options%0AGSSAPIAuthentication%20no%0AGSSAPICleanupCredentials%20no%0A%23GSSAPIStrictAcceptorCheck%20yes%0A%23GSSAPIKeyExchange%20no%0A%23GSSAPIEnablek5users%20no%0A%0A%23%20Set%20this%20to%20%27yes%27%20to%20enable%20PAM%20authentication%2C%20account%20processing%2C%0A%23%20and%20session%20processing.%20If%20this%20is%20enabled%2C%20PAM%20authentication%20will%0A%23%20be%20allowed%20through%20the%20ChallengeResponseAuthentication%20and%0A%23%20PasswordAuthentication.%20%20Depending%20on%20your%20PAM%20configuration%2C%0A%23%20PAM%20authentication%20via%20ChallengeResponseAuthentication%20may%20bypass%0A%23%20the%20setting%20of%20%22PermitRootLogin%20without-password%22.%0A%23%20If%20you%20just%20want%20the%20PAM%20account%20and%20session%20checks%20to%20run%20without%0A%23%20PAM%20authentication%2C%20then%20enable%20this%20but%20set%20PasswordAuthentication%0A%23%20and%20ChallengeResponseAuthentication%20to%20%27no%27.%0A%23%20WARNING%3A%20%27UsePAM%20no%27%20is%20not%20supported%20in%20Fedora%20and%20may%20cause%20several%0A%23%20problems.%0AUsePAM%20yes%0A%0A%23AllowAgentForwarding%20yes%0A%23AllowTcpForwarding%20yes%0A%23GatewayPorts%20no%0AX11Forwarding%20yes%0A%23X11DisplayOffset%2010%0A%23X11UseLocalhost%20yes%0A%23PermitTTY%20yes%0A%0A%23%20It%20is%20recommended%20to%20use%20pam_motd%20in%20/etc/pam.d/sshd%20instead%20of%20PrintMotd%2C%0A%23%20as%20it%20is%20more%20configurable%20and%20versatile%20than%20the%20built-in%20version.%0APrintMotd%20no%0A%0APrintLastLog%20yes%0A%23TCPKeepAlive%20yes%0APermitUserEnvironment%20no%0ACompression%20%7B%7B.var_sshd_disable_compression%7D%7D%0AClientAliveInterval%20%7B%7B.sshd_idle_timeout_value%7D%7D%0AClientAliveCountMax%20%7B%7B.var_sshd_set_keepalive%7D%7D%0A%23UseDNS%20no%0A%23PidFile%20/var/run/sshd.pid%0A%23MaxStartups%2010%3A30%3A100%0A%23PermitTunnel%20no%0A%23ChrootDirectory%20none%0A%23VersionAddendum%20none%0A%0A%23%20no%20default%20banner%20path%0ABanner%20/etc/issue%0A%0A%23%20Accept%20locale-related%20environment%20variables%0AAcceptEnv%20LANG%20LC_CTYPE%20LC_NUMERIC%20LC_TIME%20LC_COLLATE%20LC_MONETARY%20LC_MESSAGES%0AAcceptEnv%20LC_PAPER%20LC_NAME%20LC_ADDRESS%20LC_TELEPHONE%20LC_MEASUREMENT%0AAcceptEnv%20LC_IDENTIFICATION%20LC_ALL%20LANGUAGE%0AAcceptEnv%20XMODIFIERS%0A%0A%23%20override%20default%20of%20no%20subsystems%0ASubsystem%09sftp%09/usr/libexec/openssh/sftp-server%0A%0A%23%20Example%20of%20overriding%20settings%20on%20a%20per-user%20basis%0A%23Match%20User%20anoncvs%0A%23%09X11Forwarding%20no%0A%23%09AllowTcpForwarding%20no%0A%23%09PermitTTY%20no%0A%23%09ForceCommand%20cvs%20server%0A%0AUsePrivilegeSeparation%20%7B%7B.var_sshd_priv_separation%7D%7D }}
-        mode: 0600
-        path: /etc/ssh/sshd_config
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-export export-name="oval:ssg-sshd_required:var:1" value-id="xccdf_org.ssgproject.content_value_sshd_required"/>
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sshd_enable_strictmodes:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sshd_enable_strictmodes_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner" severity="medium">
-              <xccdf-1.2:title>Enable SSH Warning Banner</xccdf-1.2:title>
-              <xccdf-1.2:description>To enable the warning banner and ensure it is consistent
-across the system, add or correct the following line in
-
-
-<html:code>/etc/ssh/sshd_config</html:code>:
-
-<html:pre>Banner /etc/issue</html:pre>
-Another section contains information on how to create an
-appropriate system-wide warning banner.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000048</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000050</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001384</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001385</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001386</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001387</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001388</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.18.1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(c)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FTA_TAB.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000023-GPOS-00006</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000228-GPOS-00088</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000023-VMM-000060</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000024-VMM-000070</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>The warning message reinforces policy awareness during the logon process and
-facilitates possible legal action against attackers. Alternatively, systems
-whose ownership should not be obvious should ensure usage of a banner that does
-not provide easy attribution.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="sshd_enable_warning_banner" complexity="low" disruption="low" reboot="false" strategy="restrict">apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ %0A%23%09%24OpenBSD%3A%20sshd_config%2Cv%201.103%202018/04/09%2020%3A41%3A22%20tj%20Exp%20%24%0A%0A%23%20This%20is%20the%20sshd%20server%20system-wide%20configuration%20file.%20%20See%0A%23%20sshd_config%285%29%20for%20more%20information.%0A%0A%23%20This%20sshd%20was%20compiled%20with%20PATH%3D/usr/local/bin%3A/usr/bin%3A/usr/local/sbin%3A/usr/sbin%0A%0A%23%20The%20strategy%20used%20for%20options%20in%20the%20default%20sshd_config%20shipped%20with%0A%23%20OpenSSH%20is%20to%20specify%20options%20with%20their%20default%20value%20where%0A%23%20possible%2C%20but%20leave%20them%20commented.%20%20Uncommented%20options%20override%20the%0A%23%20default%20value.%0A%0A%23%20If%20you%20want%20to%20change%20the%20port%20on%20a%20SELinux%20system%2C%20you%20have%20to%20tell%0A%23%20SELinux%20about%20this%20change.%0A%23%20semanage%20port%20-a%20-t%20ssh_port_t%20-p%20tcp%20%23PORTNUMBER%0A%23%0A%23Port%2022%0A%23AddressFamily%20any%0A%23ListenAddress%200.0.0.0%0A%23ListenAddress%20%3A%3A%0A%0AHostKey%20/etc/ssh/ssh_host_rsa_key%0AHostKey%20/etc/ssh/ssh_host_ecdsa_key%0AHostKey%20/etc/ssh/ssh_host_ed25519_key%0A%0A%23%20Ciphers%20and%20keying%0ARekeyLimit%20%7B%7B.var_rekey_limit_size%7D%7D%20%7B%7B.var_rekey_limit_time%7D%7D%0A%0A%23%20System-wide%20Crypto%20policy%3A%0A%23%20This%20system%20is%20following%20system-wide%20crypto%20policy.%20The%20changes%20to%0A%23%20Ciphers%2C%20MACs%2C%20KexAlgoritms%20and%20GSSAPIKexAlgorithsm%20will%20not%20have%20any%0A%23%20effect%20here.%20They%20will%20be%20overridden%20by%20command-line%20options%20passed%20on%0A%23%20the%20server%20start%20up.%0A%23%20To%20opt%20out%2C%20uncomment%20a%20line%20with%20redefinition%20of%20%20CRYPTO_POLICY%3D%0A%23%20variable%20in%20%20/etc/sysconfig/sshd%20%20to%20overwrite%20the%20policy.%0A%23%20For%20more%20information%2C%20see%20manual%20page%20for%20update-crypto-policies%288%29.%0A%0A%23%20Logging%0A%23SyslogFacility%20AUTH%0ASyslogFacility%20AUTHPRIV%0A%23LogLevel%20INFO%0A%0A%23%20Authentication%3A%0A%0A%23LoginGraceTime%20%7B%7B.var_sshd_set_login_grace_time%7D%7D%0APermitRootLogin%20no%0AStrictModes%20yes%0A%23MaxAuthTries%206%0A%23MaxSessions%2010%0A%0APubkeyAuthentication%20yes%0A%0A%23%20The%20default%20is%20to%20check%20both%20.ssh/authorized_keys%20and%20.ssh/authorized_keys2%0A%23%20but%20this%20is%20overridden%20so%20installations%20will%20only%20check%20.ssh/authorized_keys%0AAuthorizedKeysFile%09.ssh/authorized_keys%0A%0A%23AuthorizedPrincipalsFile%20none%0A%0A%23AuthorizedKeysCommand%20none%0A%23AuthorizedKeysCommandUser%20nobody%0A%0A%23%20For%20this%20to%20work%20you%20will%20also%20need%20host%20keys%20in%20/etc/ssh/ssh_known_hosts%0AHostbasedAuthentication%20no%0A%23%20Change%20to%20yes%20if%20you%20don%27t%20trust%20~/.ssh/known_hosts%20for%0A%23%20HostbasedAuthentication%0AIgnoreUserKnownHosts%20yes%0A%23%20Don%27t%20read%20the%20user%27s%20~/.rhosts%20and%20~/.shosts%20files%0AIgnoreRhosts%20yes%0A%0A%23%20To%20disable%20tunneled%20clear%20text%20passwords%2C%20change%20to%20no%20here%21%0A%23PasswordAuthentication%20yes%0APermitEmptyPasswords%20no%0APasswordAuthentication%20no%0A%0A%23%20Change%20to%20no%20to%20disable%20s/key%20passwords%0A%23ChallengeResponseAuthentication%20yes%0AChallengeResponseAuthentication%20no%0A%0A%23%20Kerberos%20options%0AKerberosAuthentication%20no%0A%23KerberosOrLocalPasswd%20yes%0A%23KerberosTicketCleanup%20yes%0A%23KerberosGetAFSToken%20no%0A%23KerberosUseKuserok%20yes%0A%0A%23%20GSSAPI%20options%0AGSSAPIAuthentication%20no%0AGSSAPICleanupCredentials%20no%0A%23GSSAPIStrictAcceptorCheck%20yes%0A%23GSSAPIKeyExchange%20no%0A%23GSSAPIEnablek5users%20no%0A%0A%23%20Set%20this%20to%20%27yes%27%20to%20enable%20PAM%20authentication%2C%20account%20processing%2C%0A%23%20and%20session%20processing.%20If%20this%20is%20enabled%2C%20PAM%20authentication%20will%0A%23%20be%20allowed%20through%20the%20ChallengeResponseAuthentication%20and%0A%23%20PasswordAuthentication.%20%20Depending%20on%20your%20PAM%20configuration%2C%0A%23%20PAM%20authentication%20via%20ChallengeResponseAuthentication%20may%20bypass%0A%23%20the%20setting%20of%20%22PermitRootLogin%20without-password%22.%0A%23%20If%20you%20just%20want%20the%20PAM%20account%20and%20session%20checks%20to%20run%20without%0A%23%20PAM%20authentication%2C%20then%20enable%20this%20but%20set%20PasswordAuthentication%0A%23%20and%20ChallengeResponseAuthentication%20to%20%27no%27.%0A%23%20WARNING%3A%20%27UsePAM%20no%27%20is%20not%20supported%20in%20Fedora%20and%20may%20cause%20several%0A%23%20problems.%0AUsePAM%20yes%0A%0A%23AllowAgentForwarding%20yes%0A%23AllowTcpForwarding%20yes%0A%23GatewayPorts%20no%0AX11Forwarding%20yes%0A%23X11DisplayOffset%2010%0A%23X11UseLocalhost%20yes%0A%23PermitTTY%20yes%0A%0A%23%20It%20is%20recommended%20to%20use%20pam_motd%20in%20/etc/pam.d/sshd%20instead%20of%20PrintMotd%2C%0A%23%20as%20it%20is%20more%20configurable%20and%20versatile%20than%20the%20built-in%20version.%0APrintMotd%20no%0A%0APrintLastLog%20yes%0A%23TCPKeepAlive%20yes%0APermitUserEnvironment%20no%0ACompression%20%7B%7B.var_sshd_disable_compression%7D%7D%0AClientAliveInterval%20%7B%7B.sshd_idle_timeout_value%7D%7D%0AClientAliveCountMax%20%7B%7B.var_sshd_set_keepalive%7D%7D%0A%23UseDNS%20no%0A%23PidFile%20/var/run/sshd.pid%0A%23MaxStartups%2010%3A30%3A100%0A%23PermitTunnel%20no%0A%23ChrootDirectory%20none%0A%23VersionAddendum%20none%0A%0A%23%20no%20default%20banner%20path%0ABanner%20/etc/issue%0A%0A%23%20Accept%20locale-related%20environment%20variables%0AAcceptEnv%20LANG%20LC_CTYPE%20LC_NUMERIC%20LC_TIME%20LC_COLLATE%20LC_MONETARY%20LC_MESSAGES%0AAcceptEnv%20LC_PAPER%20LC_NAME%20LC_ADDRESS%20LC_TELEPHONE%20LC_MEASUREMENT%0AAcceptEnv%20LC_IDENTIFICATION%20LC_ALL%20LANGUAGE%0AAcceptEnv%20XMODIFIERS%0A%0A%23%20override%20default%20of%20no%20subsystems%0ASubsystem%09sftp%09/usr/libexec/openssh/sftp-server%0A%0A%23%20Example%20of%20overriding%20settings%20on%20a%20per-user%20basis%0A%23Match%20User%20anoncvs%0A%23%09X11Forwarding%20no%0A%23%09AllowTcpForwarding%20no%0A%23%09PermitTTY%20no%0A%23%09ForceCommand%20cvs%20server%0A%0AUsePrivilegeSeparation%20%7B%7B.var_sshd_priv_separation%7D%7D }}
-        mode: 0600
-        path: /etc/ssh/sshd_config
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-export export-name="oval:ssg-sshd_required:var:1" value-id="xccdf_org.ssgproject.content_value_sshd_required"/>
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sshd_enable_warning_banner:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sshd_enable_warning_banner_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner_net" severity="medium">
-              <xccdf-1.2:title>Enable SSH Warning Banner</xccdf-1.2:title>
-              <xccdf-1.2:description>To enable the warning banner and ensure it is consistent
-across the system, add or correct the following line in
-
-<html:code>/etc/ssh/sshd_config</html:code>:
-
-<html:pre>Banner /etc/issue.net</html:pre>
-Another section contains information on how to create an
-appropriate system-wide warning banner.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.fbi.gov/file-repository/cjis-security-policy-v5_5_20160601-2-1.pdf">5.5.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000048</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000050</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001384</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001385</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001386</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001387</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001388</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.18.1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-8(c)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FTA_TAB.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000023-GPOS-00006</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000228-GPOS-00088</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000023-VMM-000060</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">SRG-OS-000024-VMM-000070</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>The warning message reinforces policy awareness during the logon process and
-facilitates possible legal action against attackers. Alternatively, systems
-whose ownership should not be obvious should ensure usage of a banner that does
-not provide easy attribution.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="sshd_enable_warning_banner_net" complexity="low" disruption="low" reboot="false" strategy="restrict">apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ %0A%23%09%24OpenBSD%3A%20sshd_config%2Cv%201.103%202018/04/09%2020%3A41%3A22%20tj%20Exp%20%24%0A%0A%23%20This%20is%20the%20sshd%20server%20system-wide%20configuration%20file.%20%20See%0A%23%20sshd_config%285%29%20for%20more%20information.%0A%0A%23%20This%20sshd%20was%20compiled%20with%20PATH%3D/usr/local/bin%3A/usr/bin%3A/usr/local/sbin%3A/usr/sbin%0A%0A%23%20The%20strategy%20used%20for%20options%20in%20the%20default%20sshd_config%20shipped%20with%0A%23%20OpenSSH%20is%20to%20specify%20options%20with%20their%20default%20value%20where%0A%23%20possible%2C%20but%20leave%20them%20commented.%20%20Uncommented%20options%20override%20the%0A%23%20default%20value.%0A%0A%23%20If%20you%20want%20to%20change%20the%20port%20on%20a%20SELinux%20system%2C%20you%20have%20to%20tell%0A%23%20SELinux%20about%20this%20change.%0A%23%20semanage%20port%20-a%20-t%20ssh_port_t%20-p%20tcp%20%23PORTNUMBER%0A%23%0A%23Port%2022%0A%23AddressFamily%20any%0A%23ListenAddress%200.0.0.0%0A%23ListenAddress%20%3A%3A%0A%0AHostKey%20/etc/ssh/ssh_host_rsa_key%0AHostKey%20/etc/ssh/ssh_host_ecdsa_key%0AHostKey%20/etc/ssh/ssh_host_ed25519_key%0A%0A%23%20Ciphers%20and%20keying%0ARekeyLimit%20%7B%7B.var_rekey_limit_size%7D%7D%20%7B%7B.var_rekey_limit_time%7D%7D%0A%0A%23%20System-wide%20Crypto%20policy%3A%0A%23%20This%20system%20is%20following%20system-wide%20crypto%20policy.%20The%20changes%20to%0A%23%20Ciphers%2C%20MACs%2C%20KexAlgoritms%20and%20GSSAPIKexAlgorithsm%20will%20not%20have%20any%0A%23%20effect%20here.%20They%20will%20be%20overridden%20by%20command-line%20options%20passed%20on%0A%23%20the%20server%20start%20up.%0A%23%20To%20opt%20out%2C%20uncomment%20a%20line%20with%20redefinition%20of%20%20CRYPTO_POLICY%3D%0A%23%20variable%20in%20%20/etc/sysconfig/sshd%20%20to%20overwrite%20the%20policy.%0A%23%20For%20more%20information%2C%20see%20manual%20page%20for%20update-crypto-policies%288%29.%0A%0A%23%20Logging%0A%23SyslogFacility%20AUTH%0ASyslogFacility%20AUTHPRIV%0A%23LogLevel%20INFO%0A%0A%23%20Authentication%3A%0A%0A%23LoginGraceTime%20%7B%7B.var_sshd_set_login_grace_time%7D%7D%0APermitRootLogin%20no%0AStrictModes%20yes%0A%23MaxAuthTries%206%0A%23MaxSessions%2010%0A%0APubkeyAuthentication%20yes%0A%0A%23%20The%20default%20is%20to%20check%20both%20.ssh/authorized_keys%20and%20.ssh/authorized_keys2%0A%23%20but%20this%20is%20overridden%20so%20installations%20will%20only%20check%20.ssh/authorized_keys%0AAuthorizedKeysFile%09.ssh/authorized_keys%0A%0A%23AuthorizedPrincipalsFile%20none%0A%0A%23AuthorizedKeysCommand%20none%0A%23AuthorizedKeysCommandUser%20nobody%0A%0A%23%20For%20this%20to%20work%20you%20will%20also%20need%20host%20keys%20in%20/etc/ssh/ssh_known_hosts%0AHostbasedAuthentication%20no%0A%23%20Change%20to%20yes%20if%20you%20don%27t%20trust%20~/.ssh/known_hosts%20for%0A%23%20HostbasedAuthentication%0AIgnoreUserKnownHosts%20yes%0A%23%20Don%27t%20read%20the%20user%27s%20~/.rhosts%20and%20~/.shosts%20files%0AIgnoreRhosts%20yes%0A%0A%23%20To%20disable%20tunneled%20clear%20text%20passwords%2C%20change%20to%20no%20here%21%0A%23PasswordAuthentication%20yes%0APermitEmptyPasswords%20no%0APasswordAuthentication%20no%0A%0A%23%20Change%20to%20no%20to%20disable%20s/key%20passwords%0A%23ChallengeResponseAuthentication%20yes%0AChallengeResponseAuthentication%20no%0A%0A%23%20Kerberos%20options%0AKerberosAuthentication%20no%0A%23KerberosOrLocalPasswd%20yes%0A%23KerberosTicketCleanup%20yes%0A%23KerberosGetAFSToken%20no%0A%23KerberosUseKuserok%20yes%0A%0A%23%20GSSAPI%20options%0AGSSAPIAuthentication%20no%0AGSSAPICleanupCredentials%20no%0A%23GSSAPIStrictAcceptorCheck%20yes%0A%23GSSAPIKeyExchange%20no%0A%23GSSAPIEnablek5users%20no%0A%0A%23%20Set%20this%20to%20%27yes%27%20to%20enable%20PAM%20authentication%2C%20account%20processing%2C%0A%23%20and%20session%20processing.%20If%20this%20is%20enabled%2C%20PAM%20authentication%20will%0A%23%20be%20allowed%20through%20the%20ChallengeResponseAuthentication%20and%0A%23%20PasswordAuthentication.%20%20Depending%20on%20your%20PAM%20configuration%2C%0A%23%20PAM%20authentication%20via%20ChallengeResponseAuthentication%20may%20bypass%0A%23%20the%20setting%20of%20%22PermitRootLogin%20without-password%22.%0A%23%20If%20you%20just%20want%20the%20PAM%20account%20and%20session%20checks%20to%20run%20without%0A%23%20PAM%20authentication%2C%20then%20enable%20this%20but%20set%20PasswordAuthentication%0A%23%20and%20ChallengeResponseAuthentication%20to%20%27no%27.%0A%23%20WARNING%3A%20%27UsePAM%20no%27%20is%20not%20supported%20in%20Fedora%20and%20may%20cause%20several%0A%23%20problems.%0AUsePAM%20yes%0A%0A%23AllowAgentForwarding%20yes%0A%23AllowTcpForwarding%20yes%0A%23GatewayPorts%20no%0AX11Forwarding%20yes%0A%23X11DisplayOffset%2010%0A%23X11UseLocalhost%20yes%0A%23PermitTTY%20yes%0A%0A%23%20It%20is%20recommended%20to%20use%20pam_motd%20in%20/etc/pam.d/sshd%20instead%20of%20PrintMotd%2C%0A%23%20as%20it%20is%20more%20configurable%20and%20versatile%20than%20the%20built-in%20version.%0APrintMotd%20no%0A%0APrintLastLog%20yes%0A%23TCPKeepAlive%20yes%0APermitUserEnvironment%20no%0ACompression%20%7B%7B.var_sshd_disable_compression%7D%7D%0AClientAliveInterval%20%7B%7B.sshd_idle_timeout_value%7D%7D%0AClientAliveCountMax%20%7B%7B.var_sshd_set_keepalive%7D%7D%0A%23UseDNS%20no%0A%23PidFile%20/var/run/sshd.pid%0A%23MaxStartups%2010%3A30%3A100%0A%23PermitTunnel%20no%0A%23ChrootDirectory%20none%0A%23VersionAddendum%20none%0A%0A%23%20no%20default%20banner%20path%0ABanner%20/etc/issue%0A%0A%23%20Accept%20locale-related%20environment%20variables%0AAcceptEnv%20LANG%20LC_CTYPE%20LC_NUMERIC%20LC_TIME%20LC_COLLATE%20LC_MONETARY%20LC_MESSAGES%0AAcceptEnv%20LC_PAPER%20LC_NAME%20LC_ADDRESS%20LC_TELEPHONE%20LC_MEASUREMENT%0AAcceptEnv%20LC_IDENTIFICATION%20LC_ALL%20LANGUAGE%0AAcceptEnv%20XMODIFIERS%0A%0A%23%20override%20default%20of%20no%20subsystems%0ASubsystem%09sftp%09/usr/libexec/openssh/sftp-server%0A%0A%23%20Example%20of%20overriding%20settings%20on%20a%20per-user%20basis%0A%23Match%20User%20anoncvs%0A%23%09X11Forwarding%20no%0A%23%09AllowTcpForwarding%20no%0A%23%09PermitTTY%20no%0A%23%09ForceCommand%20cvs%20server%0A%0AUsePrivilegeSeparation%20%7B%7B.var_sshd_priv_separation%7D%7D }}
-        mode: 0600
-        path: /etc/ssh/sshd_config
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-export export-name="oval:ssg-sshd_required:var:1" value-id="xccdf_org.ssgproject.content_value_sshd_required"/>
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sshd_enable_warning_banner_net:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sshd_enable_warning_banner_net_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sshd_enable_x11_forwarding" severity="high">
-              <xccdf-1.2:title>Enable Encrypted X11 Forwarding</xccdf-1.2:title>
-              <xccdf-1.2:description>By default, remote X11 connections are not encrypted when initiated
-by users. SSH has the capability to encrypt remote X11 connections when SSH's
-<html:code>X11Forwarding</html:code> option is enabled.
-<html:br/><html:br/>
-To enable X11 Forwarding, add or correct the following line in
-
-
-<html:code>/etc/ssh/sshd_config</html:code>:
-
-<html:pre>X11Forwarding yes</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">20</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI03.08</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI07.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">BAI10.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS03.01</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.4.3.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.4.3.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 7.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.12.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(2)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">DE.AE-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.IP-1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Non-encrypted X displays allow an attacker to capture keystrokes and to execute commands
-remotely.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="sshd_enable_x11_forwarding" complexity="low" disruption="low" reboot="false" strategy="restrict">apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ %0A%23%09%24OpenBSD%3A%20sshd_config%2Cv%201.103%202018/04/09%2020%3A41%3A22%20tj%20Exp%20%24%0A%0A%23%20This%20is%20the%20sshd%20server%20system-wide%20configuration%20file.%20%20See%0A%23%20sshd_config%285%29%20for%20more%20information.%0A%0A%23%20This%20sshd%20was%20compiled%20with%20PATH%3D/usr/local/bin%3A/usr/bin%3A/usr/local/sbin%3A/usr/sbin%0A%0A%23%20The%20strategy%20used%20for%20options%20in%20the%20default%20sshd_config%20shipped%20with%0A%23%20OpenSSH%20is%20to%20specify%20options%20with%20their%20default%20value%20where%0A%23%20possible%2C%20but%20leave%20them%20commented.%20%20Uncommented%20options%20override%20the%0A%23%20default%20value.%0A%0A%23%20If%20you%20want%20to%20change%20the%20port%20on%20a%20SELinux%20system%2C%20you%20have%20to%20tell%0A%23%20SELinux%20about%20this%20change.%0A%23%20semanage%20port%20-a%20-t%20ssh_port_t%20-p%20tcp%20%23PORTNUMBER%0A%23%0A%23Port%2022%0A%23AddressFamily%20any%0A%23ListenAddress%200.0.0.0%0A%23ListenAddress%20%3A%3A%0A%0AHostKey%20/etc/ssh/ssh_host_rsa_key%0AHostKey%20/etc/ssh/ssh_host_ecdsa_key%0AHostKey%20/etc/ssh/ssh_host_ed25519_key%0A%0A%23%20Ciphers%20and%20keying%0ARekeyLimit%20%7B%7B.var_rekey_limit_size%7D%7D%20%7B%7B.var_rekey_limit_time%7D%7D%0A%0A%23%20System-wide%20Crypto%20policy%3A%0A%23%20This%20system%20is%20following%20system-wide%20crypto%20policy.%20The%20changes%20to%0A%23%20Ciphers%2C%20MACs%2C%20KexAlgoritms%20and%20GSSAPIKexAlgorithsm%20will%20not%20have%20any%0A%23%20effect%20here.%20They%20will%20be%20overridden%20by%20command-line%20options%20passed%20on%0A%23%20the%20server%20start%20up.%0A%23%20To%20opt%20out%2C%20uncomment%20a%20line%20with%20redefinition%20of%20%20CRYPTO_POLICY%3D%0A%23%20variable%20in%20%20/etc/sysconfig/sshd%20%20to%20overwrite%20the%20policy.%0A%23%20For%20more%20information%2C%20see%20manual%20page%20for%20update-crypto-policies%288%29.%0A%0A%23%20Logging%0A%23SyslogFacility%20AUTH%0ASyslogFacility%20AUTHPRIV%0A%23LogLevel%20INFO%0A%0A%23%20Authentication%3A%0A%0A%23LoginGraceTime%20%7B%7B.var_sshd_set_login_grace_time%7D%7D%0APermitRootLogin%20no%0AStrictModes%20yes%0A%23MaxAuthTries%206%0A%23MaxSessions%2010%0A%0APubkeyAuthentication%20yes%0A%0A%23%20The%20default%20is%20to%20check%20both%20.ssh/authorized_keys%20and%20.ssh/authorized_keys2%0A%23%20but%20this%20is%20overridden%20so%20installations%20will%20only%20check%20.ssh/authorized_keys%0AAuthorizedKeysFile%09.ssh/authorized_keys%0A%0A%23AuthorizedPrincipalsFile%20none%0A%0A%23AuthorizedKeysCommand%20none%0A%23AuthorizedKeysCommandUser%20nobody%0A%0A%23%20For%20this%20to%20work%20you%20will%20also%20need%20host%20keys%20in%20/etc/ssh/ssh_known_hosts%0AHostbasedAuthentication%20no%0A%23%20Change%20to%20yes%20if%20you%20don%27t%20trust%20~/.ssh/known_hosts%20for%0A%23%20HostbasedAuthentication%0AIgnoreUserKnownHosts%20yes%0A%23%20Don%27t%20read%20the%20user%27s%20~/.rhosts%20and%20~/.shosts%20files%0AIgnoreRhosts%20yes%0A%0A%23%20To%20disable%20tunneled%20clear%20text%20passwords%2C%20change%20to%20no%20here%21%0A%23PasswordAuthentication%20yes%0APermitEmptyPasswords%20no%0APasswordAuthentication%20no%0A%0A%23%20Change%20to%20no%20to%20disable%20s/key%20passwords%0A%23ChallengeResponseAuthentication%20yes%0AChallengeResponseAuthentication%20no%0A%0A%23%20Kerberos%20options%0AKerberosAuthentication%20no%0A%23KerberosOrLocalPasswd%20yes%0A%23KerberosTicketCleanup%20yes%0A%23KerberosGetAFSToken%20no%0A%23KerberosUseKuserok%20yes%0A%0A%23%20GSSAPI%20options%0AGSSAPIAuthentication%20no%0AGSSAPICleanupCredentials%20no%0A%23GSSAPIStrictAcceptorCheck%20yes%0A%23GSSAPIKeyExchange%20no%0A%23GSSAPIEnablek5users%20no%0A%0A%23%20Set%20this%20to%20%27yes%27%20to%20enable%20PAM%20authentication%2C%20account%20processing%2C%0A%23%20and%20session%20processing.%20If%20this%20is%20enabled%2C%20PAM%20authentication%20will%0A%23%20be%20allowed%20through%20the%20ChallengeResponseAuthentication%20and%0A%23%20PasswordAuthentication.%20%20Depending%20on%20your%20PAM%20configuration%2C%0A%23%20PAM%20authentication%20via%20ChallengeResponseAuthentication%20may%20bypass%0A%23%20the%20setting%20of%20%22PermitRootLogin%20without-password%22.%0A%23%20If%20you%20just%20want%20the%20PAM%20account%20and%20session%20checks%20to%20run%20without%0A%23%20PAM%20authentication%2C%20then%20enable%20this%20but%20set%20PasswordAuthentication%0A%23%20and%20ChallengeResponseAuthentication%20to%20%27no%27.%0A%23%20WARNING%3A%20%27UsePAM%20no%27%20is%20not%20supported%20in%20Fedora%20and%20may%20cause%20several%0A%23%20problems.%0AUsePAM%20yes%0A%0A%23AllowAgentForwarding%20yes%0A%23AllowTcpForwarding%20yes%0A%23GatewayPorts%20no%0AX11Forwarding%20yes%0A%23X11DisplayOffset%2010%0A%23X11UseLocalhost%20yes%0A%23PermitTTY%20yes%0A%0A%23%20It%20is%20recommended%20to%20use%20pam_motd%20in%20/etc/pam.d/sshd%20instead%20of%20PrintMotd%2C%0A%23%20as%20it%20is%20more%20configurable%20and%20versatile%20than%20the%20built-in%20version.%0APrintMotd%20no%0A%0APrintLastLog%20yes%0A%23TCPKeepAlive%20yes%0APermitUserEnvironment%20no%0ACompression%20%7B%7B.var_sshd_disable_compression%7D%7D%0AClientAliveInterval%20%7B%7B.sshd_idle_timeout_value%7D%7D%0AClientAliveCountMax%20%7B%7B.var_sshd_set_keepalive%7D%7D%0A%23UseDNS%20no%0A%23PidFile%20/var/run/sshd.pid%0A%23MaxStartups%2010%3A30%3A100%0A%23PermitTunnel%20no%0A%23ChrootDirectory%20none%0A%23VersionAddendum%20none%0A%0A%23%20no%20default%20banner%20path%0ABanner%20/etc/issue%0A%0A%23%20Accept%20locale-related%20environment%20variables%0AAcceptEnv%20LANG%20LC_CTYPE%20LC_NUMERIC%20LC_TIME%20LC_COLLATE%20LC_MONETARY%20LC_MESSAGES%0AAcceptEnv%20LC_PAPER%20LC_NAME%20LC_ADDRESS%20LC_TELEPHONE%20LC_MEASUREMENT%0AAcceptEnv%20LC_IDENTIFICATION%20LC_ALL%20LANGUAGE%0AAcceptEnv%20XMODIFIERS%0A%0A%23%20override%20default%20of%20no%20subsystems%0ASubsystem%09sftp%09/usr/libexec/openssh/sftp-server%0A%0A%23%20Example%20of%20overriding%20settings%20on%20a%20per-user%20basis%0A%23Match%20User%20anoncvs%0A%23%09X11Forwarding%20no%0A%23%09AllowTcpForwarding%20no%0A%23%09PermitTTY%20no%0A%23%09ForceCommand%20cvs%20server%0A%0AUsePrivilegeSeparation%20%7B%7B.var_sshd_priv_separation%7D%7D }}
-        mode: 0600
-        path: /etc/ssh/sshd_config
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-export export-name="oval:ssg-sshd_required:var:1" value-id="xccdf_org.ssgproject.content_value_sshd_required"/>
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sshd_enable_x11_forwarding:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sshd_enable_x11_forwarding_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sshd_limit_user_access" severity="unknown">
-              <xccdf-1.2:title>Limit Users' SSH Access</xccdf-1.2:title>
-              <xccdf-1.2:description>By default, the SSH configuration allows any user with an account
-to access the system. In order to specify the users that are allowed to login
-via SSH and deny all other users, add or correct the following line in the
-<html:code>/etc/ssh/sshd_config</html:code> file:
-<html:pre>AllowUsers USER1 USER2</html:pre>
-Where <html:code>USER1</html:code> and <html:code>USER2</html:code> are valid user names.</xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.03</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.11</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.3.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.PT-3</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Specifying which accounts are allowed SSH access into the system reduces the
-possibility of unauthorized access to the system.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82664-4</xccdf-1.2:ident>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sshd_limit_user_access_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sshd_print_last_log" severity="medium">
-              <xccdf-1.2:title>Enable SSH Print Last Log</xccdf-1.2:title>
-              <xccdf-1.2:description>Ensure that SSH will display the date and time of the last successful account logon.
-<html:br/>
-The default SSH configuration enables print of the date and time of the last login.
-The appropriate configuration is used if no value is set for <html:code>PrintLastLog</html:code>.
-<html:br/>
-To explicitly enable LastLog in SSH, add or correct the following line in
-
-
-<html:code>/etc/ssh/sshd_config</html:code>:
-
-<html:pre>PrintLastLog yes</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.18.1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-9</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Providing users feedback on when account accesses last occurred facilitates user
-recognition and reporting of unauthorized account use.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="sshd_print_last_log" complexity="low" disruption="low" reboot="false" strategy="restrict">apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ %0A%23%09%24OpenBSD%3A%20sshd_config%2Cv%201.103%202018/04/09%2020%3A41%3A22%20tj%20Exp%20%24%0A%0A%23%20This%20is%20the%20sshd%20server%20system-wide%20configuration%20file.%20%20See%0A%23%20sshd_config%285%29%20for%20more%20information.%0A%0A%23%20This%20sshd%20was%20compiled%20with%20PATH%3D/usr/local/bin%3A/usr/bin%3A/usr/local/sbin%3A/usr/sbin%0A%0A%23%20The%20strategy%20used%20for%20options%20in%20the%20default%20sshd_config%20shipped%20with%0A%23%20OpenSSH%20is%20to%20specify%20options%20with%20their%20default%20value%20where%0A%23%20possible%2C%20but%20leave%20them%20commented.%20%20Uncommented%20options%20override%20the%0A%23%20default%20value.%0A%0A%23%20If%20you%20want%20to%20change%20the%20port%20on%20a%20SELinux%20system%2C%20you%20have%20to%20tell%0A%23%20SELinux%20about%20this%20change.%0A%23%20semanage%20port%20-a%20-t%20ssh_port_t%20-p%20tcp%20%23PORTNUMBER%0A%23%0A%23Port%2022%0A%23AddressFamily%20any%0A%23ListenAddress%200.0.0.0%0A%23ListenAddress%20%3A%3A%0A%0AHostKey%20/etc/ssh/ssh_host_rsa_key%0AHostKey%20/etc/ssh/ssh_host_ecdsa_key%0AHostKey%20/etc/ssh/ssh_host_ed25519_key%0A%0A%23%20Ciphers%20and%20keying%0ARekeyLimit%20%7B%7B.var_rekey_limit_size%7D%7D%20%7B%7B.var_rekey_limit_time%7D%7D%0A%0A%23%20System-wide%20Crypto%20policy%3A%0A%23%20This%20system%20is%20following%20system-wide%20crypto%20policy.%20The%20changes%20to%0A%23%20Ciphers%2C%20MACs%2C%20KexAlgoritms%20and%20GSSAPIKexAlgorithsm%20will%20not%20have%20any%0A%23%20effect%20here.%20They%20will%20be%20overridden%20by%20command-line%20options%20passed%20on%0A%23%20the%20server%20start%20up.%0A%23%20To%20opt%20out%2C%20uncomment%20a%20line%20with%20redefinition%20of%20%20CRYPTO_POLICY%3D%0A%23%20variable%20in%20%20/etc/sysconfig/sshd%20%20to%20overwrite%20the%20policy.%0A%23%20For%20more%20information%2C%20see%20manual%20page%20for%20update-crypto-policies%288%29.%0A%0A%23%20Logging%0A%23SyslogFacility%20AUTH%0ASyslogFacility%20AUTHPRIV%0A%23LogLevel%20INFO%0A%0A%23%20Authentication%3A%0A%0A%23LoginGraceTime%20%7B%7B.var_sshd_set_login_grace_time%7D%7D%0APermitRootLogin%20no%0AStrictModes%20yes%0A%23MaxAuthTries%206%0A%23MaxSessions%2010%0A%0APubkeyAuthentication%20yes%0A%0A%23%20The%20default%20is%20to%20check%20both%20.ssh/authorized_keys%20and%20.ssh/authorized_keys2%0A%23%20but%20this%20is%20overridden%20so%20installations%20will%20only%20check%20.ssh/authorized_keys%0AAuthorizedKeysFile%09.ssh/authorized_keys%0A%0A%23AuthorizedPrincipalsFile%20none%0A%0A%23AuthorizedKeysCommand%20none%0A%23AuthorizedKeysCommandUser%20nobody%0A%0A%23%20For%20this%20to%20work%20you%20will%20also%20need%20host%20keys%20in%20/etc/ssh/ssh_known_hosts%0AHostbasedAuthentication%20no%0A%23%20Change%20to%20yes%20if%20you%20don%27t%20trust%20~/.ssh/known_hosts%20for%0A%23%20HostbasedAuthentication%0AIgnoreUserKnownHosts%20yes%0A%23%20Don%27t%20read%20the%20user%27s%20~/.rhosts%20and%20~/.shosts%20files%0AIgnoreRhosts%20yes%0A%0A%23%20To%20disable%20tunneled%20clear%20text%20passwords%2C%20change%20to%20no%20here%21%0A%23PasswordAuthentication%20yes%0APermitEmptyPasswords%20no%0APasswordAuthentication%20no%0A%0A%23%20Change%20to%20no%20to%20disable%20s/key%20passwords%0A%23ChallengeResponseAuthentication%20yes%0AChallengeResponseAuthentication%20no%0A%0A%23%20Kerberos%20options%0AKerberosAuthentication%20no%0A%23KerberosOrLocalPasswd%20yes%0A%23KerberosTicketCleanup%20yes%0A%23KerberosGetAFSToken%20no%0A%23KerberosUseKuserok%20yes%0A%0A%23%20GSSAPI%20options%0AGSSAPIAuthentication%20no%0AGSSAPICleanupCredentials%20no%0A%23GSSAPIStrictAcceptorCheck%20yes%0A%23GSSAPIKeyExchange%20no%0A%23GSSAPIEnablek5users%20no%0A%0A%23%20Set%20this%20to%20%27yes%27%20to%20enable%20PAM%20authentication%2C%20account%20processing%2C%0A%23%20and%20session%20processing.%20If%20this%20is%20enabled%2C%20PAM%20authentication%20will%0A%23%20be%20allowed%20through%20the%20ChallengeResponseAuthentication%20and%0A%23%20PasswordAuthentication.%20%20Depending%20on%20your%20PAM%20configuration%2C%0A%23%20PAM%20authentication%20via%20ChallengeResponseAuthentication%20may%20bypass%0A%23%20the%20setting%20of%20%22PermitRootLogin%20without-password%22.%0A%23%20If%20you%20just%20want%20the%20PAM%20account%20and%20session%20checks%20to%20run%20without%0A%23%20PAM%20authentication%2C%20then%20enable%20this%20but%20set%20PasswordAuthentication%0A%23%20and%20ChallengeResponseAuthentication%20to%20%27no%27.%0A%23%20WARNING%3A%20%27UsePAM%20no%27%20is%20not%20supported%20in%20Fedora%20and%20may%20cause%20several%0A%23%20problems.%0AUsePAM%20yes%0A%0A%23AllowAgentForwarding%20yes%0A%23AllowTcpForwarding%20yes%0A%23GatewayPorts%20no%0AX11Forwarding%20yes%0A%23X11DisplayOffset%2010%0A%23X11UseLocalhost%20yes%0A%23PermitTTY%20yes%0A%0A%23%20It%20is%20recommended%20to%20use%20pam_motd%20in%20/etc/pam.d/sshd%20instead%20of%20PrintMotd%2C%0A%23%20as%20it%20is%20more%20configurable%20and%20versatile%20than%20the%20built-in%20version.%0APrintMotd%20no%0A%0APrintLastLog%20yes%0A%23TCPKeepAlive%20yes%0APermitUserEnvironment%20no%0ACompression%20%7B%7B.var_sshd_disable_compression%7D%7D%0AClientAliveInterval%20%7B%7B.sshd_idle_timeout_value%7D%7D%0AClientAliveCountMax%20%7B%7B.var_sshd_set_keepalive%7D%7D%0A%23UseDNS%20no%0A%23PidFile%20/var/run/sshd.pid%0A%23MaxStartups%2010%3A30%3A100%0A%23PermitTunnel%20no%0A%23ChrootDirectory%20none%0A%23VersionAddendum%20none%0A%0A%23%20no%20default%20banner%20path%0ABanner%20/etc/issue%0A%0A%23%20Accept%20locale-related%20environment%20variables%0AAcceptEnv%20LANG%20LC_CTYPE%20LC_NUMERIC%20LC_TIME%20LC_COLLATE%20LC_MONETARY%20LC_MESSAGES%0AAcceptEnv%20LC_PAPER%20LC_NAME%20LC_ADDRESS%20LC_TELEPHONE%20LC_MEASUREMENT%0AAcceptEnv%20LC_IDENTIFICATION%20LC_ALL%20LANGUAGE%0AAcceptEnv%20XMODIFIERS%0A%0A%23%20override%20default%20of%20no%20subsystems%0ASubsystem%09sftp%09/usr/libexec/openssh/sftp-server%0A%0A%23%20Example%20of%20overriding%20settings%20on%20a%20per-user%20basis%0A%23Match%20User%20anoncvs%0A%23%09X11Forwarding%20no%0A%23%09AllowTcpForwarding%20no%0A%23%09PermitTTY%20no%0A%23%09ForceCommand%20cvs%20server%0A%0AUsePrivilegeSeparation%20%7B%7B.var_sshd_priv_separation%7D%7D }}
-        mode: 0600
-        path: /etc/ssh/sshd_config
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-export export-name="oval:ssg-sshd_required:var:1" value-id="xccdf_org.ssgproject.content_value_sshd_required"/>
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sshd_print_last_log:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sshd_print_last_log_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sshd_rekey_limit" severity="medium">
-              <xccdf-1.2:title>Force frequent session key renegotiation</xccdf-1.2:title>
-              <xccdf-1.2:description>The <html:code>RekeyLimit</html:code> parameter specifies how often
-the session key of the is renegotiated, both in terms of
-amount of data that may be transmitted and the time
-elapsed.<html:br/>
-To decrease the default limits, add or correct the following line in
-
-
-<html:code>/etc/ssh/sshd_config</html:code>:
-
-<html:pre>RekeyLimit <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_rekey_limit_size" use="legacy"/> <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_rekey_limit_time" use="legacy"/></html:pre></xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000068</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FCS_SSH_EXT.1.8</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000033-GPOS-00014</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>By decreasing the limit based on the amount of data and enabling
-time-based limit, effects of potential attacks against
-encryption keys are limited.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-export export-name="oval:ssg-sshd_required:var:1" value-id="xccdf_org.ssgproject.content_value_sshd_required"/>
-                <xccdf-1.2:check-export export-name="oval:ssg-var_rekey_limit_time:var:1" value-id="xccdf_org.ssgproject.content_value_var_rekey_limit_time"/>
-                <xccdf-1.2:check-export export-name="oval:ssg-var_rekey_limit_size:var:1" value-id="xccdf_org.ssgproject.content_value_var_rekey_limit_size"/>
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sshd_rekey_limit:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sshd_rekey_limit_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sshd_set_login_grace_time" severity="medium">
-              <xccdf-1.2:title>Ensure SSH LoginGraceTime is configured</xccdf-1.2:title>
-              <xccdf-1.2:description>The <html:code>LoginGraceTime</html:code> parameter to the SSH server specifies the time allowed for successful authentication to
-the SSH server. The longer the Grace period is the more open unauthenticated connections
-can exist. Like other session controls in this session the Grace Period should be limited to
-appropriate limits to ensure the service is available for needed access.</xccdf-1.2:description>
-              <xccdf-1.2:rationale>Setting the <html:code>LoginGraceTime</html:code> parameter to a low number will minimize the risk of successful
-brute force attacks to the SSH server. It will also limit the number of concurrent
-unauthenticated connections.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-export export-name="oval:ssg-sshd_required:var:1" value-id="xccdf_org.ssgproject.content_value_sshd_required"/>
-                <xccdf-1.2:check-export export-name="oval:ssg-var_sshd_set_login_grace_time:var:1" value-id="xccdf_org.ssgproject.content_value_var_sshd_set_login_grace_time"/>
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sshd_set_login_grace_time:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sshd_set_login_grace_time_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sshd_set_loglevel_info" severity="low">
-              <xccdf-1.2:title>Set LogLevel to INFO</xccdf-1.2:title>
-              <xccdf-1.2:description>The INFO parameter specifices that record login and logout activity will be logged.
-<html:br/>
-The default SSH configuration sets the log level to INFO. The appropriate
-configuration is used if no value is set for <html:code>LogLevel</html:code>.
-<html:br/>
-To explicitly specify the log level in SSH, add or correct the following line in
-
-
-<html:code>/etc/ssh/sshd_config</html:code>:
-
-<html:pre>LogLevel INFO</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>SSH provides several logging levels with varying amounts of verbosity. <html:code>DEBUG</html:code> is specifically
-not recommended other than strictly for debugging SSH communications since it provides
-so much data that it is difficult to identify important security information. <html:code>INFO</html:code> level is the
-basic level that only records login activity of SSH users. In many situations, such as Incident
-Response, it is important to determine when a particular user was active on a system. The
-logout record can eliminate those users who disconnected, which helps narrow the field.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="sshd_set_loglevel_info" complexity="low" disruption="low" reboot="false" strategy="restrict">apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ %0A%23%09%24OpenBSD%3A%20sshd_config%2Cv%201.103%202018/04/09%2020%3A41%3A22%20tj%20Exp%20%24%0A%0A%23%20This%20is%20the%20sshd%20server%20system-wide%20configuration%20file.%20%20See%0A%23%20sshd_config%285%29%20for%20more%20information.%0A%0A%23%20This%20sshd%20was%20compiled%20with%20PATH%3D/usr/local/bin%3A/usr/bin%3A/usr/local/sbin%3A/usr/sbin%0A%0A%23%20The%20strategy%20used%20for%20options%20in%20the%20default%20sshd_config%20shipped%20with%0A%23%20OpenSSH%20is%20to%20specify%20options%20with%20their%20default%20value%20where%0A%23%20possible%2C%20but%20leave%20them%20commented.%20%20Uncommented%20options%20override%20the%0A%23%20default%20value.%0A%0A%23%20If%20you%20want%20to%20change%20the%20port%20on%20a%20SELinux%20system%2C%20you%20have%20to%20tell%0A%23%20SELinux%20about%20this%20change.%0A%23%20semanage%20port%20-a%20-t%20ssh_port_t%20-p%20tcp%20%23PORTNUMBER%0A%23%0A%23Port%2022%0A%23AddressFamily%20any%0A%23ListenAddress%200.0.0.0%0A%23ListenAddress%20%3A%3A%0A%0AHostKey%20/etc/ssh/ssh_host_rsa_key%0AHostKey%20/etc/ssh/ssh_host_ecdsa_key%0AHostKey%20/etc/ssh/ssh_host_ed25519_key%0A%0A%23%20Ciphers%20and%20keying%0ARekeyLimit%20%7B%7B.var_rekey_limit_size%7D%7D%20%7B%7B.var_rekey_limit_time%7D%7D%0A%0A%23%20System-wide%20Crypto%20policy%3A%0A%23%20This%20system%20is%20following%20system-wide%20crypto%20policy.%20The%20changes%20to%0A%23%20Ciphers%2C%20MACs%2C%20KexAlgoritms%20and%20GSSAPIKexAlgorithsm%20will%20not%20have%20any%0A%23%20effect%20here.%20They%20will%20be%20overridden%20by%20command-line%20options%20passed%20on%0A%23%20the%20server%20start%20up.%0A%23%20To%20opt%20out%2C%20uncomment%20a%20line%20with%20redefinition%20of%20%20CRYPTO_POLICY%3D%0A%23%20variable%20in%20%20/etc/sysconfig/sshd%20%20to%20overwrite%20the%20policy.%0A%23%20For%20more%20information%2C%20see%20manual%20page%20for%20update-crypto-policies%288%29.%0A%0A%23%20Logging%0A%23SyslogFacility%20AUTH%0ASyslogFacility%20AUTHPRIV%0A%23LogLevel%20INFO%0A%0A%23%20Authentication%3A%0A%0A%23LoginGraceTime%20%7B%7B.var_sshd_set_login_grace_time%7D%7D%0APermitRootLogin%20no%0AStrictModes%20yes%0A%23MaxAuthTries%206%0A%23MaxSessions%2010%0A%0APubkeyAuthentication%20yes%0A%0A%23%20The%20default%20is%20to%20check%20both%20.ssh/authorized_keys%20and%20.ssh/authorized_keys2%0A%23%20but%20this%20is%20overridden%20so%20installations%20will%20only%20check%20.ssh/authorized_keys%0AAuthorizedKeysFile%09.ssh/authorized_keys%0A%0A%23AuthorizedPrincipalsFile%20none%0A%0A%23AuthorizedKeysCommand%20none%0A%23AuthorizedKeysCommandUser%20nobody%0A%0A%23%20For%20this%20to%20work%20you%20will%20also%20need%20host%20keys%20in%20/etc/ssh/ssh_known_hosts%0AHostbasedAuthentication%20no%0A%23%20Change%20to%20yes%20if%20you%20don%27t%20trust%20~/.ssh/known_hosts%20for%0A%23%20HostbasedAuthentication%0AIgnoreUserKnownHosts%20yes%0A%23%20Don%27t%20read%20the%20user%27s%20~/.rhosts%20and%20~/.shosts%20files%0AIgnoreRhosts%20yes%0A%0A%23%20To%20disable%20tunneled%20clear%20text%20passwords%2C%20change%20to%20no%20here%21%0A%23PasswordAuthentication%20yes%0APermitEmptyPasswords%20no%0APasswordAuthentication%20no%0A%0A%23%20Change%20to%20no%20to%20disable%20s/key%20passwords%0A%23ChallengeResponseAuthentication%20yes%0AChallengeResponseAuthentication%20no%0A%0A%23%20Kerberos%20options%0AKerberosAuthentication%20no%0A%23KerberosOrLocalPasswd%20yes%0A%23KerberosTicketCleanup%20yes%0A%23KerberosGetAFSToken%20no%0A%23KerberosUseKuserok%20yes%0A%0A%23%20GSSAPI%20options%0AGSSAPIAuthentication%20no%0AGSSAPICleanupCredentials%20no%0A%23GSSAPIStrictAcceptorCheck%20yes%0A%23GSSAPIKeyExchange%20no%0A%23GSSAPIEnablek5users%20no%0A%0A%23%20Set%20this%20to%20%27yes%27%20to%20enable%20PAM%20authentication%2C%20account%20processing%2C%0A%23%20and%20session%20processing.%20If%20this%20is%20enabled%2C%20PAM%20authentication%20will%0A%23%20be%20allowed%20through%20the%20ChallengeResponseAuthentication%20and%0A%23%20PasswordAuthentication.%20%20Depending%20on%20your%20PAM%20configuration%2C%0A%23%20PAM%20authentication%20via%20ChallengeResponseAuthentication%20may%20bypass%0A%23%20the%20setting%20of%20%22PermitRootLogin%20without-password%22.%0A%23%20If%20you%20just%20want%20the%20PAM%20account%20and%20session%20checks%20to%20run%20without%0A%23%20PAM%20authentication%2C%20then%20enable%20this%20but%20set%20PasswordAuthentication%0A%23%20and%20ChallengeResponseAuthentication%20to%20%27no%27.%0A%23%20WARNING%3A%20%27UsePAM%20no%27%20is%20not%20supported%20in%20Fedora%20and%20may%20cause%20several%0A%23%20problems.%0AUsePAM%20yes%0A%0A%23AllowAgentForwarding%20yes%0A%23AllowTcpForwarding%20yes%0A%23GatewayPorts%20no%0AX11Forwarding%20yes%0A%23X11DisplayOffset%2010%0A%23X11UseLocalhost%20yes%0A%23PermitTTY%20yes%0A%0A%23%20It%20is%20recommended%20to%20use%20pam_motd%20in%20/etc/pam.d/sshd%20instead%20of%20PrintMotd%2C%0A%23%20as%20it%20is%20more%20configurable%20and%20versatile%20than%20the%20built-in%20version.%0APrintMotd%20no%0A%0APrintLastLog%20yes%0A%23TCPKeepAlive%20yes%0APermitUserEnvironment%20no%0ACompression%20%7B%7B.var_sshd_disable_compression%7D%7D%0AClientAliveInterval%20%7B%7B.sshd_idle_timeout_value%7D%7D%0AClientAliveCountMax%20%7B%7B.var_sshd_set_keepalive%7D%7D%0A%23UseDNS%20no%0A%23PidFile%20/var/run/sshd.pid%0A%23MaxStartups%2010%3A30%3A100%0A%23PermitTunnel%20no%0A%23ChrootDirectory%20none%0A%23VersionAddendum%20none%0A%0A%23%20no%20default%20banner%20path%0ABanner%20/etc/issue%0A%0A%23%20Accept%20locale-related%20environment%20variables%0AAcceptEnv%20LANG%20LC_CTYPE%20LC_NUMERIC%20LC_TIME%20LC_COLLATE%20LC_MONETARY%20LC_MESSAGES%0AAcceptEnv%20LC_PAPER%20LC_NAME%20LC_ADDRESS%20LC_TELEPHONE%20LC_MEASUREMENT%0AAcceptEnv%20LC_IDENTIFICATION%20LC_ALL%20LANGUAGE%0AAcceptEnv%20XMODIFIERS%0A%0A%23%20override%20default%20of%20no%20subsystems%0ASubsystem%09sftp%09/usr/libexec/openssh/sftp-server%0A%0A%23%20Example%20of%20overriding%20settings%20on%20a%20per-user%20basis%0A%23Match%20User%20anoncvs%0A%23%09X11Forwarding%20no%0A%23%09AllowTcpForwarding%20no%0A%23%09PermitTTY%20no%0A%23%09ForceCommand%20cvs%20server%0A%0AUsePrivilegeSeparation%20%7B%7B.var_sshd_priv_separation%7D%7D }}
-        mode: 0600
-        path: /etc/ssh/sshd_config
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-export export-name="oval:ssg-sshd_required:var:1" value-id="xccdf_org.ssgproject.content_value_sshd_required"/>
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sshd_set_loglevel_info:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sshd_set_loglevel_info_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sshd_set_loglevel_verbose" severity="medium">
-              <xccdf-1.2:title>Set SSH Daemon LogLevel to VERBOSE</xccdf-1.2:title>
-              <xccdf-1.2:description>The <html:code>VERBOSE</html:code> parameter configures the SSH daemon to record login and logout activity.
-To specify the log level in
-SSH, add or correct the following line in
-
-
-<html:code>/etc/ssh/sshd_config</html:code>:
-
-<html:pre>LogLevel VERBOSE</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000067</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R7.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000032-GPOS-00013</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>SSH provides several logging levels with varying amounts of verbosity. <html:code>DEBUG</html:code> is specifically
-not recommended other than strictly for debugging SSH communications since it provides
-so much data that it is difficult to identify important security information. <html:code>INFO</html:code> or
-<html:code>VERBOSE</html:code> level is the basic level that only records login activity of SSH users. In many
-situations, such as Incident Response, it is important to determine when a particular user was active
-on a system. The logout record can eliminate those users who disconnected, which helps narrow the
-field.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="sshd_set_loglevel_verbose" complexity="low" disruption="low" reboot="false" strategy="restrict">apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ %0A%23%09%24OpenBSD%3A%20sshd_config%2Cv%201.103%202018/04/09%2020%3A41%3A22%20tj%20Exp%20%24%0A%0A%23%20This%20is%20the%20sshd%20server%20system-wide%20configuration%20file.%20%20See%0A%23%20sshd_config%285%29%20for%20more%20information.%0A%0A%23%20This%20sshd%20was%20compiled%20with%20PATH%3D/usr/local/bin%3A/usr/bin%3A/usr/local/sbin%3A/usr/sbin%0A%0A%23%20The%20strategy%20used%20for%20options%20in%20the%20default%20sshd_config%20shipped%20with%0A%23%20OpenSSH%20is%20to%20specify%20options%20with%20their%20default%20value%20where%0A%23%20possible%2C%20but%20leave%20them%20commented.%20%20Uncommented%20options%20override%20the%0A%23%20default%20value.%0A%0A%23%20If%20you%20want%20to%20change%20the%20port%20on%20a%20SELinux%20system%2C%20you%20have%20to%20tell%0A%23%20SELinux%20about%20this%20change.%0A%23%20semanage%20port%20-a%20-t%20ssh_port_t%20-p%20tcp%20%23PORTNUMBER%0A%23%0A%23Port%2022%0A%23AddressFamily%20any%0A%23ListenAddress%200.0.0.0%0A%23ListenAddress%20%3A%3A%0A%0AHostKey%20/etc/ssh/ssh_host_rsa_key%0AHostKey%20/etc/ssh/ssh_host_ecdsa_key%0AHostKey%20/etc/ssh/ssh_host_ed25519_key%0A%0A%23%20Ciphers%20and%20keying%0ARekeyLimit%20%7B%7B.var_rekey_limit_size%7D%7D%20%7B%7B.var_rekey_limit_time%7D%7D%0A%0A%23%20System-wide%20Crypto%20policy%3A%0A%23%20This%20system%20is%20following%20system-wide%20crypto%20policy.%20The%20changes%20to%0A%23%20Ciphers%2C%20MACs%2C%20KexAlgoritms%20and%20GSSAPIKexAlgorithsm%20will%20not%20have%20any%0A%23%20effect%20here.%20They%20will%20be%20overridden%20by%20command-line%20options%20passed%20on%0A%23%20the%20server%20start%20up.%0A%23%20To%20opt%20out%2C%20uncomment%20a%20line%20with%20redefinition%20of%20%20CRYPTO_POLICY%3D%0A%23%20variable%20in%20%20/etc/sysconfig/sshd%20%20to%20overwrite%20the%20policy.%0A%23%20For%20more%20information%2C%20see%20manual%20page%20for%20update-crypto-policies%288%29.%0A%0A%23%20Logging%0A%23SyslogFacility%20AUTH%0ASyslogFacility%20AUTHPRIV%0A%23LogLevel%20INFO%0A%0A%23%20Authentication%3A%0A%0A%23LoginGraceTime%20%7B%7B.var_sshd_set_login_grace_time%7D%7D%0APermitRootLogin%20no%0AStrictModes%20yes%0A%23MaxAuthTries%206%0A%23MaxSessions%2010%0A%0APubkeyAuthentication%20yes%0A%0A%23%20The%20default%20is%20to%20check%20both%20.ssh/authorized_keys%20and%20.ssh/authorized_keys2%0A%23%20but%20this%20is%20overridden%20so%20installations%20will%20only%20check%20.ssh/authorized_keys%0AAuthorizedKeysFile%09.ssh/authorized_keys%0A%0A%23AuthorizedPrincipalsFile%20none%0A%0A%23AuthorizedKeysCommand%20none%0A%23AuthorizedKeysCommandUser%20nobody%0A%0A%23%20For%20this%20to%20work%20you%20will%20also%20need%20host%20keys%20in%20/etc/ssh/ssh_known_hosts%0AHostbasedAuthentication%20no%0A%23%20Change%20to%20yes%20if%20you%20don%27t%20trust%20~/.ssh/known_hosts%20for%0A%23%20HostbasedAuthentication%0AIgnoreUserKnownHosts%20yes%0A%23%20Don%27t%20read%20the%20user%27s%20~/.rhosts%20and%20~/.shosts%20files%0AIgnoreRhosts%20yes%0A%0A%23%20To%20disable%20tunneled%20clear%20text%20passwords%2C%20change%20to%20no%20here%21%0A%23PasswordAuthentication%20yes%0APermitEmptyPasswords%20no%0APasswordAuthentication%20no%0A%0A%23%20Change%20to%20no%20to%20disable%20s/key%20passwords%0A%23ChallengeResponseAuthentication%20yes%0AChallengeResponseAuthentication%20no%0A%0A%23%20Kerberos%20options%0AKerberosAuthentication%20no%0A%23KerberosOrLocalPasswd%20yes%0A%23KerberosTicketCleanup%20yes%0A%23KerberosGetAFSToken%20no%0A%23KerberosUseKuserok%20yes%0A%0A%23%20GSSAPI%20options%0AGSSAPIAuthentication%20no%0AGSSAPICleanupCredentials%20no%0A%23GSSAPIStrictAcceptorCheck%20yes%0A%23GSSAPIKeyExchange%20no%0A%23GSSAPIEnablek5users%20no%0A%0A%23%20Set%20this%20to%20%27yes%27%20to%20enable%20PAM%20authentication%2C%20account%20processing%2C%0A%23%20and%20session%20processing.%20If%20this%20is%20enabled%2C%20PAM%20authentication%20will%0A%23%20be%20allowed%20through%20the%20ChallengeResponseAuthentication%20and%0A%23%20PasswordAuthentication.%20%20Depending%20on%20your%20PAM%20configuration%2C%0A%23%20PAM%20authentication%20via%20ChallengeResponseAuthentication%20may%20bypass%0A%23%20the%20setting%20of%20%22PermitRootLogin%20without-password%22.%0A%23%20If%20you%20just%20want%20the%20PAM%20account%20and%20session%20checks%20to%20run%20without%0A%23%20PAM%20authentication%2C%20then%20enable%20this%20but%20set%20PasswordAuthentication%0A%23%20and%20ChallengeResponseAuthentication%20to%20%27no%27.%0A%23%20WARNING%3A%20%27UsePAM%20no%27%20is%20not%20supported%20in%20Fedora%20and%20may%20cause%20several%0A%23%20problems.%0AUsePAM%20yes%0A%0A%23AllowAgentForwarding%20yes%0A%23AllowTcpForwarding%20yes%0A%23GatewayPorts%20no%0AX11Forwarding%20yes%0A%23X11DisplayOffset%2010%0A%23X11UseLocalhost%20yes%0A%23PermitTTY%20yes%0A%0A%23%20It%20is%20recommended%20to%20use%20pam_motd%20in%20/etc/pam.d/sshd%20instead%20of%20PrintMotd%2C%0A%23%20as%20it%20is%20more%20configurable%20and%20versatile%20than%20the%20built-in%20version.%0APrintMotd%20no%0A%0APrintLastLog%20yes%0A%23TCPKeepAlive%20yes%0APermitUserEnvironment%20no%0ACompression%20%7B%7B.var_sshd_disable_compression%7D%7D%0AClientAliveInterval%20%7B%7B.sshd_idle_timeout_value%7D%7D%0AClientAliveCountMax%20%7B%7B.var_sshd_set_keepalive%7D%7D%0A%23UseDNS%20no%0A%23PidFile%20/var/run/sshd.pid%0A%23MaxStartups%2010%3A30%3A100%0A%23PermitTunnel%20no%0A%23ChrootDirectory%20none%0A%23VersionAddendum%20none%0A%0A%23%20no%20default%20banner%20path%0ABanner%20/etc/issue%0A%0A%23%20Accept%20locale-related%20environment%20variables%0AAcceptEnv%20LANG%20LC_CTYPE%20LC_NUMERIC%20LC_TIME%20LC_COLLATE%20LC_MONETARY%20LC_MESSAGES%0AAcceptEnv%20LC_PAPER%20LC_NAME%20LC_ADDRESS%20LC_TELEPHONE%20LC_MEASUREMENT%0AAcceptEnv%20LC_IDENTIFICATION%20LC_ALL%20LANGUAGE%0AAcceptEnv%20XMODIFIERS%0A%0A%23%20override%20default%20of%20no%20subsystems%0ASubsystem%09sftp%09/usr/libexec/openssh/sftp-server%0A%0A%23%20Example%20of%20overriding%20settings%20on%20a%20per-user%20basis%0A%23Match%20User%20anoncvs%0A%23%09X11Forwarding%20no%0A%23%09AllowTcpForwarding%20no%0A%23%09PermitTTY%20no%0A%23%09ForceCommand%20cvs%20server%0A%0AUsePrivilegeSeparation%20%7B%7B.var_sshd_priv_separation%7D%7D }}
-        mode: 0600
-        path: /etc/ssh/sshd_config
-        overwrite: true
-</xccdf-1.2:fix>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-export export-name="oval:ssg-sshd_required:var:1" value-id="xccdf_org.ssgproject.content_value_sshd_required"/>
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sshd_set_loglevel_verbose:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sshd_set_loglevel_verbose_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries" severity="medium">
-              <xccdf-1.2:title>Set SSH authentication attempt limit</xccdf-1.2:title>
-              <xccdf-1.2:description>The <html:code>MaxAuthTries</html:code> parameter specifies the maximum number of authentication attempts
-permitted per connection. Once the number of failures reaches half this value, additional failures are logged.
-to set MaxAUthTries edit <html:code>/etc/ssh/sshd_config</html:code> as follows:
-<html:pre>MaxAuthTries <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_sshd_max_auth_tries_value" use="legacy"/></html:pre></xccdf-1.2:description>
-              <xccdf-1.2:reference href="">0421</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">0422</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">0431</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">0974</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">1173</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">1401</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">1504</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">1505</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">1546</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">1557</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">1558</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">1559</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">1560</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="">1561</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>Setting the MaxAuthTries parameter to a low number will minimize the risk of successful
-brute force attacks to the SSH server.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-export export-name="oval:ssg-sshd_max_auth_tries_value:var:1" value-id="xccdf_org.ssgproject.content_value_sshd_max_auth_tries_value"/>
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sshd_set_max_auth_tries:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sshd_set_max_auth_tries_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sshd_set_max_sessions" severity="medium">
-              <xccdf-1.2:title>Set SSH MaxSessions limit</xccdf-1.2:title>
-              <xccdf-1.2:description>The <html:code>MaxSessions</html:code> parameter specifies the maximum number of open sessions permitted
-from a given connection. To set MaxSessions edit
-<html:code>/etc/ssh/sshd_config</html:code> as follows: <html:pre>MaxSessions <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_sshd_max_sessions" use="legacy"/></html:pre></xccdf-1.2:description>
-              <xccdf-1.2:rationale>To protect a system from denial of service due to a large number of concurrent
-sessions, use the rate limiting function of MaxSessions to protect availability
-of sshd logins and prevent overwhelming the daemon.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-export export-name="oval:ssg-sshd_required:var:1" value-id="xccdf_org.ssgproject.content_value_sshd_required"/>
-                <xccdf-1.2:check-export export-name="oval:ssg-var_sshd_max_sessions:var:1" value-id="xccdf_org.ssgproject.content_value_var_sshd_max_sessions"/>
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sshd_set_max_sessions:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sshd_set_max_sessions_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sshd_set_maxstartups" severity="medium">
-              <xccdf-1.2:title>Ensure SSH MaxStartups is configured</xccdf-1.2:title>
-              <xccdf-1.2:description>The MaxStartups parameter specifies the maximum number of concurrent
-unauthenticated connections to the SSH daemon. Additional connections will be
-dropped until authentication succeeds or the LoginGraceTime expires for a
-connection. To confgure MaxStartups, you should add or correct the following
-line in the
-<html:code>/etc/ssh/sshd_config</html:code> file:
-<html:pre>MaxStartups <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_sshd_set_maxstartups" use="legacy"/></html:pre>
-CIS recommends a MaxStartups value of '10:30:60', or more restrictive where
-dictated by site policy.</xccdf-1.2:description>
-              <xccdf-1.2:rationale>To protect a system from denial of service due to a large number of pending
-authentication connection attempts, use the rate limiting function of MaxStartups
-to protect availability of sshd logins and prevent overwhelming the daemon.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-export export-name="oval:ssg-sshd_required:var:1" value-id="xccdf_org.ssgproject.content_value_sshd_required"/>
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sshd_set_maxstartups:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sshd_set_maxstartups_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sshd_use_priv_separation" severity="medium">
-              <xccdf-1.2:title>Enable Use of Privilege Separation</xccdf-1.2:title>
-              <xccdf-1.2:description>When enabled, SSH will create an unprivileged child process that
-has the privilege of the authenticated user. To enable privilege separation in
-SSH, add or correct the following line in the <html:code>/etc/ssh/sshd_config</html:code> file:
-<html:pre>UsePrivilegeSeparation <xccdf-1.2:sub idref="xccdf_org.ssgproject.content_value_var_sshd_priv_separation" use="legacy"/></html:pre></xccdf-1.2:description>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">13</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">14</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">18</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">APO01.06</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.02</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf">3.1.12</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000366</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(a)(4)(i)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.308(b)(3)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.310(b)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(1)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.gpo.gov/fdsys/pkg/CFR-2007-title45-vol1/pdf/CFR-2007-title45-vol1-chapA-subchapC.pdf">164.312(e)(2)(ii)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 5.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.10.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.1.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.11.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.13.2.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.14.1.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.6.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.3.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.8.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-003-8 R5.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-004-6 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R2.3</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.1</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://www.nerc.com/pa/Stand/Standard%20Purpose%20Statement%20DL/US_Standard_One-Stop-Shop.xlsx">CIP-007-3 R5.1.2</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-17(a)</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AC-6</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-4</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.DS-5</xccdf-1.2:reference>
-              <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-              <xccdf-1.2:rationale>SSH daemon privilege separation causes the SSH process to drop root privileges
-when not needed which would decrease the impact of software vulnerabilities in
-the unprivileged section.</xccdf-1.2:rationale>
-              <xccdf-1.2:platform idref="#machine"/>
-              <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-                <xccdf-1.2:check-export export-name="oval:ssg-sshd_required:var:1" value-id="xccdf_org.ssgproject.content_value_sshd_required"/>
-                <xccdf-1.2:check-export export-name="oval:ssg-var_sshd_priv_separation:var:1" value-id="xccdf_org.ssgproject.content_value_var_sshd_priv_separation"/>
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sshd_use_priv_separation:def:1"/>
-              </xccdf-1.2:check>
-              <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-                <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sshd_use_priv_separation_ocil:questionnaire:1"/>
-              </xccdf-1.2:check>
-            </xccdf-1.2:Rule>
-            <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_sshd_strengthen_firewall">
-              <xccdf-1.2:title>Strengthen Firewall Configuration if Possible</xccdf-1.2:title>
-              <xccdf-1.2:description>If the SSH server is expected to only receive connections from
-the local network, then strengthen the default firewall rule for the SSH service
-to only accept connections from the appropriate network segment(s).
-<html:br/><html:br/>
-Determine an appropriate network block, <html:code>netwk</html:code>, network mask, <html:code>mask</html:code>, and
-network protocol, <html:code>ip_protocol</html:code>, representing the systems on your network which will
-be allowed to access this SSH server.
-<html:br/><html:br/>
-Run the following command:
-<html:pre>firewall-cmd --permanent --add-rich-rule='rule family="ip_protocol" source address="netwk/mask" service name="ssh" accept'</html:pre></xccdf-1.2:description>
-              <xccdf-1.2:platform idref="#machine"/>
-            </xccdf-1.2:Group>
-          </xccdf-1.2:Group>
-        </xccdf-1.2:Group>
-        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_sssd">
-          <xccdf-1.2:title>System Security Services Daemon</xccdf-1.2:title>
-          <xccdf-1.2:description>The System Security Services Daemon (SSSD) is a system daemon that provides access
-to different identity and authentication providers such as Red Hat's IdM, Microsoft's AD,
-openLDAP, MIT Kerberos, etc. It uses a common framework that can provide caching and offline
-support to systems utilizing SSSD. SSSD using caching to reduce load on authentication
-servers permit offline authentication as well as store extended user data.
-<html:br/><html:br/>
-For more information, see</xccdf-1.2:description>
-          <xccdf-1.2:platform idref="#sssd"/>
-          <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_sssd_certificate_verification_digest_function" type="string" interactive="true">
-            <xccdf-1.2:title>SSSD certificate_verification option</xccdf-1.2:title>
-            <xccdf-1.2:description>Value of the certificate_verification option in
-the SSSD config.</xccdf-1.2:description>
-            <xccdf-1.2:value selector="sha1">sha1</xccdf-1.2:value>
-            <xccdf-1.2:value selector="sha256">sha256</xccdf-1.2:value>
-            <xccdf-1.2:value selector="sha384">sha384</xccdf-1.2:value>
-            <xccdf-1.2:value selector="sha512">sha512</xccdf-1.2:value>
-            <xccdf-1.2:value>sha1</xccdf-1.2:value>
-          </xccdf-1.2:Value>
-          <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_sssd_memcache_timeout" type="number">
-            <xccdf-1.2:title>SSSD memcache_timeout option</xccdf-1.2:title>
-            <xccdf-1.2:description>Value of the memcache_timeout option in the [nss] section
-of SSSD config /etc/sssd/sssd.conf.</xccdf-1.2:description>
-            <xccdf-1.2:value selector="3_minutes">180</xccdf-1.2:value>
-            <xccdf-1.2:value selector="5_minutes">300</xccdf-1.2:value>
-            <xccdf-1.2:value selector="10_minutes">600</xccdf-1.2:value>
-            <xccdf-1.2:value selector="15_minutes">900</xccdf-1.2:value>
-            <xccdf-1.2:value selector="30_minutes">1800</xccdf-1.2:value>
-            <xccdf-1.2:value selector="1_day">86400</xccdf-1.2:value>
-            <xccdf-1.2:value>300</xccdf-1.2:value>
-          </xccdf-1.2:Value>
-          <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_sssd_ssh_known_hosts_timeout" type="number">
-            <xccdf-1.2:title>SSSD ssh_known_hosts_timeout option</xccdf-1.2:title>
-            <xccdf-1.2:description>Value of the ssh_known_hosts_timeout option in the [ssh] section
-of SSSD configuration file /etc/sssd/sssd.conf.</xccdf-1.2:description>
-            <xccdf-1.2:value selector="3_minutes">180</xccdf-1.2:value>
-            <xccdf-1.2:value selector="5_minutes">300</xccdf-1.2:value>
-            <xccdf-1.2:value selector="10_minutes">600</xccdf-1.2:value>
-            <xccdf-1.2:value selector="15_minutes">900</xccdf-1.2:value>
-            <xccdf-1.2:value selector="30_minutes">1800</xccdf-1.2:value>
-            <xccdf-1.2:value selector="1_day">86400</xccdf-1.2:value>
-            <xccdf-1.2:value>180</xccdf-1.2:value>
-          </xccdf-1.2:Value>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sssd_enable_smartcards" severity="medium">
-            <xccdf-1.2:title>Enable Smartcards in SSSD</xccdf-1.2:title>
-            <xccdf-1.2:description>SSSD should be configured to authenticate access to the system using smart cards.
-To enable smart cards in SSSD, set <html:code>pam_cert_auth</html:code> to <html:code>True</html:code> under the
-<html:code>[pam]</html:code> section in <html:code>/etc/sssd/sssd.conf</html:code>. For example:
-<html:pre>[pam]
-pam_cert_auth = True
-</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001954</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000765</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000766</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000767</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000768</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="">0421</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="">0422</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="">0431</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="">0974</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="">1173</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="">1401</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="">1504</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="">1505</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="">1546</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="">1557</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="">1558</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="">1559</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="">1560</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="">1561</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000375-GPOS-00160</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000105-GPOS-00052</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000106-GPOS-00053</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000107-GPOS-00054</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000108-GPOS-00055</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="">SRG-OS-000107-VMM-000530</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Using an authentication device, such as a CAC or token that is separate from
-the information system, ensures that even if the information system is
-compromised, that compromise will not affect credentials stored on the
-authentication device.
-<html:br/><html:br/>
-Multi-Factor Authentication (MFA) solutions that require devices separate from
-information systems gaining access include, for example, hardware tokens
-providing time-based or challenge-response authenticators and smart cards such
-as the U.S. Government Personal Identity Verification card and the DoD Common
-Access Card.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sssd_enable_smartcards:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sssd_enable_smartcards_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sssd_offline_cred_expiration" severity="medium">
-            <xccdf-1.2:title>Configure SSSD to Expire Offline Credentials</xccdf-1.2:title>
-            <xccdf-1.2:description>SSSD should be configured to expire offline credentials after 1 day.
-
-To configure SSSD to expire offline credentials, set
-<html:code>offline_credentials_expiration</html:code> to <html:code>1</html:code> under the <html:code>[pam]</html:code>
-section in <html:code>/etc/sssd/sssd.conf</html:code>. For example:
-<html:pre>[pam]
-offline_credentials_expiration = 1
-</html:pre></xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">12</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">15</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">16</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.cisecurity.org/controls/">5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.04</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.05</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.07</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS05.10</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.03</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isaca.org/resources/cobit">DSS06.10</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-002007</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.5.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.6.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/isa-62443-2-1-2009-security-for-industrial-automat">4.3.3.7.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.10</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.5</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.8</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 1.9</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.isa.org/products/ansi-isa-62443-3-3-99-03-03-2013-security-for-indu">SR 2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.18.1.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.7.1.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.4</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.2.6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.3.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.iso.org/standard/54534.html">A.9.4.3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-6(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-5(13)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-6</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf">PR.AC-7</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000383-GPOS-00166</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="">SRG-OS-000383-VMM-001570</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>If cached authentication information is out-of-date, the validity of the
-authentication information may be questionable.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sssd_offline_cred_expiration:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sssd_offline_cred_expiration_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_sssd_run_as_sssd_user" severity="medium">
-            <xccdf-1.2:title>Configure SSSD to run as user sssd</xccdf-1.2:title>
-            <xccdf-1.2:description>SSSD processes should be configured to run as user sssd, not root.</xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000480-GPOS-00227</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>To minimize privileges of SSSD processes, they are configured to
-run as non-root user.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#sssd"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82536-4</xccdf-1.2:ident>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-sssd_run_as_sssd_user:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-sssd_run_as_sssd_user_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_sssd-ldap">
-            <xccdf-1.2:title>System Security Services Daemon (SSSD) - LDAP</xccdf-1.2:title>
-            <xccdf-1.2:description>The System Security Services Daemon (SSSD) is a system daemon that provides access
-to different identity and authentication providers such as Red Hat's IdM, Microsoft's AD,
-openLDAP, MIT Kerberos, etc. It uses a common framework that can provide caching and offline
-support to systems utilizing SSSD. SSSD using caching to reduce load on authentication
-servers permit offline authentication as well as store extended user data.
-<html:br/><html:br/>
-SSSD can support many backends including LDAP. The <html:code>sssd-ldap</html:code> backend
-allows SSSD to fetch identity information from an LDAP server.</xccdf-1.2:description>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:Value id="xccdf_org.ssgproject.content_value_var_sssd_ldap_tls_ca_dir" type="string">
-              <xccdf-1.2:title>SSSD LDAP Backend Client CA Certificate Location</xccdf-1.2:title>
-              <xccdf-1.2:description>Path of a directory that contains Certificate Authority certificates.</xccdf-1.2:description>
-              <xccdf-1.2:value>/etc/openldap/cacerts</xccdf-1.2:value>
-            </xccdf-1.2:Value>
-          </xccdf-1.2:Group>
-        </xccdf-1.2:Group>
-        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_usbguard">
-          <xccdf-1.2:title>USBGuard daemon</xccdf-1.2:title>
-          <xccdf-1.2:description>The USBGuard daemon enforces the USB device authorization policy for all USB devices.</xccdf-1.2:description>
-          <xccdf-1.2:platform idref="#not_s390x_arch"/>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_package_usbguard_installed" severity="medium">
-            <xccdf-1.2:title>Install usbguard Package</xccdf-1.2:title>
-            <xccdf-1.2:description>
-The <html:code>usbguard</html:code> package can be installed with the following manifest:
-<html:pre>
----
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-metadata:
-  labels:
-    machineconfiguration.openshift.io/role: master
-  name: 75-master-usbguard-install
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-  extensions:
-    - usbguard
-</html:pre>
-<html:p>
-This will install the <html:code>usbguard</html:code> package in all the
-nodes labeled with the "master" role.
-</html:p>
-<html:p>
-Note that this needs to be done for each <html:code>MachineConfigPool</html:code>
-</html:p>
-<html:p>
-For more information on how to configure nodes with the Machine Config
-Operator see
-<html:a href="https://docs.openshift.com/container-platform/4.6/post_installation_configuration/machine-configuration-tasks.html">the relevant documentation</html:a>.
-</html:p></xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001958</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="">1418</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-8(3)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000378-GPOS-00163</xccdf-1.2:reference>
-            <xccdf-1.2:rationale><html:code>usbguard</html:code> is a software framework that helps to protect
-against rogue USB devices by implementing basic whitelisting/blacklisting
-capabilities based on USB device attributes.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#not_s390x_arch"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82524-0</xccdf-1.2:ident>
-            <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="package_usbguard_installed">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-  extensions:
-    - usbguard
-</xccdf-1.2:fix>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-package_usbguard_installed:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-package_usbguard_installed_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_service_usbguard_enabled" severity="medium">
-            <xccdf-1.2:title>Enable the USBGuard Service</xccdf-1.2:title>
-            <xccdf-1.2:description>The USBGuard service should be enabled.
-
-The <html:code>usbguard</html:code> service can be enabled with the following manifest:
-<html:pre>
----
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-metadata:
-  labels:
-    machineconfiguration.openshift.io/role: master
-  name: 75-master-usbguard-enable
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-      - name: usbguard.service
-        enabled: true
-</html:pre>
-<html:p>
-This will enable the <html:code>usbguard</html:code> service in all the
-nodes labeled with the "master" role.
-</html:p>
-<html:p>
-Note that this needs to be done for each <html:code>MachineConfigPool</html:code>
-</html:p>
-<html:p>
-For more information on how to configure nodes with the Machine Config
-Operator see
-<html:a href="https://docs.openshift.com/container-platform/4.6/post_installation_configuration/machine-configuration-tasks.html">the relevant documentation</html:a>.
-</html:p></xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000416</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-001958</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="">1418</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-8(3)(a)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000378-GPOS-00163</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>The <html:code>usbguard</html:code> service must be running in order to
-enforce the USB device authorization policy for all USB devices.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#machine"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82537-2</xccdf-1.2:ident>
-            <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="service_usbguard_enabled">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-metadata:
-  annotations:
-    complianceascode.io/depends-on: xccdf_org.ssgproject.content_rule_package_usbguard_installed
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    systemd:
-      units:
-      - name: usbguard.service
-        enabled: true
-</xccdf-1.2:fix>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-service_usbguard_enabled:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-service_usbguard_enabled_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_configure_usbguard_auditbackend" severity="medium">
-            <xccdf-1.2:title>Log USBGuard daemon audit events using Linux Audit</xccdf-1.2:title>
-            <xccdf-1.2:description>To configure USBGuard daemon to log via Linux Audit
-(as opposed directly to a file),
-<html:code>AuditBackend</html:code> option in <html:code>/etc/usbguard/usbguard-daemon.conf</html:code>
-needs to be set to <html:code>LinuxAudit</html:code>.</xccdf-1.2:description>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000169</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/cci/">CCI-000172</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">AU-2</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-8(3)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000062-GPOS-00031</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000471-GPOS-00215</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Using the Linux Audit logging allows for centralized trace
-of events.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#usbguard"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82538-0</xccdf-1.2:ident>
-            <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="configure_usbguard_auditbackend">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-metadata:
-  annotations:
-    complianceascode.io/depends-on: xccdf_org.ssgproject.content_rule_package_usbguard_installed
-    complianceascode.io/ocp-version: '&gt;=4.7.0'
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ %0A%23%0A%23%20Rule%20set%20file%20path.%0A%23%0A%23%20The%20USBGuard%20daemon%20will%20use%20this%20file%20to%20load%20the%20policy%0A%23%20rule%20set%20from%20it%20and%20to%20write%20new%20rules%20received%20via%20the%0A%23%20IPC%20interface.%0A%23%0A%23%20RuleFile%3D/path/to/rules.conf%0A%23%0ARuleFile%3D/etc/usbguard/rules.conf%0A%0A%23%0A%23%20Rule%20set%20folder%20path.%0A%23%0A%23%20The%20USBGuard%20daemon%20will%20use%20this%20folder%20to%20load%20the%20policy%0A%23%20rule%20set%20from%20it%20and%20to%20write%20new%20rules%20received%20via%20the%0A%23%20IPC%20interface.%20Usually%2C%20we%20set%20the%20option%20to%0A%23%20/etc/usbguard/rules.d/.%20The%20USBGuard%20daemon%20is%20supposed%20to%0A%23%20behave%20like%20any%20other%20standard%20Linux%20daemon%20therefore%20it%0A%23%20loads%20rule%20files%20in%20alpha-numeric%20order.%20File%20names%20inside%0A%23%20RuleFolder%20directory%20should%20start%20with%20a%20two-digit%20number%0A%23%20prefix%20indicating%20the%20position%2C%20in%20which%20the%20rules%20are%0A%23%20scanned%20by%20the%20daemon.%0A%23%0A%23%20RuleFolder%3D/path/to/rulesfolder/%0A%23%0ARuleFolder%3D/etc/usbguard/rules.d/%0A%0A%23%0A%23%20Implicit%20policy%20target.%0A%23%0A%23%20How%20to%20treat%20devices%20that%20don%27t%20match%20any%20rule%20in%20the%0A%23%20policy.%20One%20of%3A%0A%23%0A%23%20%2A%20allow%20%20-%20authorize%20the%20device%0A%23%20%2A%20block%20%20-%20block%20the%20device%0A%23%20%2A%20reject%20-%20remove%20the%20device%0A%23%0AImplicitPolicyTarget%3Dblock%0A%0A%23%0A%23%20Present%20device%20policy.%0A%23%0A%23%20How%20to%20treat%20devices%20that%20are%20already%20connected%20when%20the%0A%23%20daemon%20starts.%20One%20of%3A%0A%23%0A%23%20%2A%20allow%20%20%20%20%20%20%20%20-%20authorize%20every%20present%20device%0A%23%20%2A%20block%20%20%20%20%20%20%20%20-%20deauthorize%20every%20present%20device%0A%23%20%2A%20reject%20%20%20%20%20%20%20-%20remove%20every%20present%20device%0A%23%20%2A%20keep%20%20%20%20%20%20%20%20%20-%20just%20sync%20the%20internal%20state%20and%20leave%20it%0A%23%20%2A%20apply-policy%20-%20evaluate%20the%20ruleset%20for%20every%20present%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20device%0A%23%0APresentDevicePolicy%3Dapply-policy%0A%0A%23%0A%23%20Present%20controller%20policy.%0A%23%0A%23%20How%20to%20treat%20USB%20controllers%20that%20are%20already%20connected%0A%23%20when%20the%20daemon%20starts.%20One%20of%3A%0A%23%0A%23%20%2A%20allow%20%20%20%20%20%20%20%20-%20authorize%20every%20present%20device%0A%23%20%2A%20block%20%20%20%20%20%20%20%20-%20deauthorize%20every%20present%20device%0A%23%20%2A%20reject%20%20%20%20%20%20%20-%20remove%20every%20present%20device%0A%23%20%2A%20keep%20%20%20%20%20%20%20%20%20-%20just%20sync%20the%20internal%20state%20and%20leave%20it%0A%23%20%2A%20apply-policy%20-%20evaluate%20the%20ruleset%20for%20every%20present%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20device%0A%23%0APresentControllerPolicy%3Dkeep%0A%0A%23%0A%23%20Inserted%20device%20policy.%0A%23%0A%23%20How%20to%20treat%20USB%20devices%20that%20are%20already%20connected%0A%23%20%2Aafter%2A%20the%20daemon%20starts.%20One%20of%3A%0A%23%0A%23%20%2A%20block%20%20%20%20%20%20%20%20-%20deauthorize%20every%20present%20device%0A%23%20%2A%20reject%20%20%20%20%20%20%20-%20remove%20every%20present%20device%0A%23%20%2A%20apply-policy%20-%20evaluate%20the%20ruleset%20for%20every%20present%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20device%0A%23%0AInsertedDevicePolicy%3Dapply-policy%0A%0A%23%0A%23%20Control%20which%20devices%20are%20authorized%20by%20default.%0A%23%0A%23%20The%20USBGuard%20daemon%20modifies%20some%20the%20default%20authorization%20state%20attributes%0A%23%20of%20controller%20devices.%20This%20setting%2C%20enables%20you%20to%20define%20what%20value%20the%0A%23%20default%20authorization%20is%20set%20to.%0A%23%0A%23%20%2A%20keep%20%20%20%20%20%20%20%20%20-%20do%20not%20change%20the%20authorization%20state%0A%23%20%2A%20none%20%20%20%20%20%20%20%20%20-%20every%20new%20device%20starts%20out%20deauthorized%0A%23%20%2A%20all%20%20%20%20%20%20%20%20%20%20-%20every%20new%20device%20starts%20out%20authorized%0A%23%20%2A%20internal%20%20%20%20%20-%20internal%20devices%20start%20out%20authorized%2C%20external%20devices%20start%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20out%20deauthorized%20%28this%20requires%20the%20ACPI%20tables%20to%20properly%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20label%20internal%20devices%2C%20and%20kernel%20support%29%0A%23%0A%23AuthorizedDefault%3Dnone%0A%0A%23%0A%23%20Restore%20controller%20device%20state.%0A%23%0A%23%20The%20USBGuard%20daemon%20modifies%20some%20attributes%20of%20controller%0A%23%20devices%20like%20the%20default%20authorization%20state%20of%20new%20child%20device%0A%23%20instances.%20Using%20this%20setting%2C%20you%20can%20control%20whether%20the%0A%23%20daemon%20will%20try%20to%20restore%20the%20attribute%20values%20to%20the%20state%0A%23%20before%20modification%20on%20shutdown.%0A%23%0A%23%20SECURITY%20CONSIDERATIONS%3A%20If%20set%20to%20true%2C%20the%20USB%20authorization%0A%23%20policy%20could%20be%20bypassed%20by%20performing%20some%20sort%20of%20attack%20on%20the%0A%23%20daemon%20%28via%20a%20local%20exploit%20or%20via%20a%20USB%20device%29%20to%20make%20it%20shutdown%0A%23%20and%20restore%20to%20the%20operating-system%20default%20state%20%28known%20to%20be%20permissive%29.%0A%23%0ARestoreControllerDeviceState%3Dfalse%0A%0A%23%0A%23%20Device%20manager%20backend%0A%23%0A%23%20Which%20device%20manager%20backend%20implementation%20to%20use.%20One%20of%3A%0A%23%0A%23%20%2A%20uevent%20%20%20-%20Netlink%20based%20implementation%20which%20uses%20sysfs%20to%20scan%20for%20present%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20devices%20and%20an%20uevent%20netlink%20socket%20for%20receiving%20USB%20device%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20related%20events.%0A%23%20%2A%20umockdev%20-%20umockdev%20based%20device%20manager%20capable%20of%20simulating%20devices%20based%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20on%20umockdev-record%20files.%20Useful%20for%20testing.%0A%23%0ADeviceManagerBackend%3Duevent%0A%0A%23%21%21%21%20WARNING%3A%20It%27s%20good%20practice%20to%20set%20at%20least%20one%20of%20the%20%21%21%21%0A%23%21%21%21%20%20%20%20%20%20%20%20%20%20two%20options%20bellow.%20If%20none%20of%20them%20are%20set%2C%20%20%21%21%21%0A%23%21%21%21%20%20%20%20%20%20%20%20%20%20the%20daemon%20will%20accept%20IPC%20connections%20from%20%20%20%21%21%21%0A%23%21%21%21%20%20%20%20%20%20%20%20%20%20anyone%2C%20thus%20allowing%20anyone%20to%20modify%20the%20%20%20%20%21%21%21%0A%23%21%21%21%20%20%20%20%20%20%20%20%20%20rule%20set%20and%20%28de%29authorize%20USB%20devices.%20%20%20%20%20%20%20%21%21%21%0A%0A%23%0A%23%20Users%20allowed%20to%20use%20the%20IPC%20interface.%0A%23%0A%23%20A%20space%20delimited%20list%20of%20usernames%20that%20the%20daemon%20will%0A%23%20accept%20IPC%20connections%20from.%0A%23%0A%23%20IPCAllowedUsers%3Dusername1%20username2%20...%0A%23%0AIPCAllowedUsers%3Droot%0A%0A%23%0A%23%20Groups%20allowed%20to%20use%20the%20IPC%20interface.%0A%23%0A%23%20A%20space%20delimited%20list%20of%20groupnames%20that%20the%20daemon%20will%0A%23%20accept%20IPC%20connections%20from.%0A%23%0A%23%20IPCAllowedGroups%3Dgroupname1%20groupname2%20...%0A%23%0AIPCAllowedGroups%3Dwheel%0A%0A%23%0A%23%20IPC%20access%20control%20definition%20files%20path.%0A%23%0A%23%20The%20files%20at%20this%20location%20will%20be%20interpreted%20by%20the%20daemon%0A%23%20as%20access%20control%20definition%20files.%20The%20%28base%29name%20of%20a%20file%0A%23%20should%20be%20in%20the%20form%3A%0A%23%0A%23%20%20%20%5Buser%5D%5B%3A%3Cgroup%3E%5D%0A%23%0A%23%20and%20should%20contain%20lines%20in%20the%20form%3A%0A%23%0A%23%20%20%20%3Csection%3E%3D%5Bprivilege%5D%20...%0A%23%0A%23%20This%20way%20each%20file%20defines%20who%20is%20able%20to%20connect%20to%20the%20IPC%0A%23%20bus%20and%20what%20privileges%20he%20has.%0A%23%0AIPCAccessControlFiles%3D/etc/usbguard/IPCAccessControl.d/%0A%0A%23%0A%23%20Generate%20device%20specific%20rules%20including%20the%20%22via-port%22%0A%23%20attribute.%0A%23%0A%23%20This%20option%20modifies%20the%20behavior%20of%20the%20allowDevice%0A%23%20action.%20When%20instructed%20to%20generate%20a%20permanent%20rule%2C%0A%23%20the%20action%20can%20generate%20a%20port%20specific%20rule.%20Because%0A%23%20some%20systems%20have%20unstable%20port%20numbering%2C%20the%20generated%0A%23%20rule%20might%20not%20match%20the%20device%20after%20rebooting%20the%20system.%0A%23%0A%23%20If%20set%20to%20false%2C%20the%20generated%20rule%20will%20still%20contain%0A%23%20the%20%22parent-hash%22%20attribute%20which%20also%20defines%20an%20association%0A%23%20to%20the%20parent%20device.%20See%20usbguard-rules.conf%285%29%20for%20more%0A%23%20details.%0A%23%0ADeviceRulesWithPort%3Dfalse%0A%0A%23%0A%23%20USBGuard%20Audit%20events%20log%20backend%0A%23%0A%23%20One%20of%3A%0A%23%0A%23%20%2A%20FileAudit%20-%20Log%20audit%20events%20into%20a%20file%20specified%20by%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20AuditFilePath%20setting%20%28see%20below%29%0A%23%20%2A%20LinuxAudit%20-%20Log%20audit%20events%20using%20the%20Linux%20Audit%0A%23%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20subsystem%20%28using%20audit_log_user_message%29%0A%23%0AAuditBackend%3DLinuxAudit%0A%0A%23%0A%23%20USBGuard%20audit%20events%20log%20file%20path.%0A%23%0A%23AuditFilePath%3D/var/log/usbguard/usbguard-audit.log%0A%0A%23%0A%23%20Hides%20personally%20identifiable%20information%20such%20as%20device%20serial%20numbers%20and%0A%23%20hashes%20of%20descriptors%20%28which%20include%20the%20serial%20number%29%20from%20audit%20entries.%0A%23%0A%23HidePII%3Dfalse }}
-        mode: 0600
-        path: /etc/usbguard/usbguard-daemon.conf
-        overwrite: true
-</xccdf-1.2:fix>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-configure_usbguard_auditbackend:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-configure_usbguard_auditbackend_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_usbguard_allow_hid" severity="medium">
-            <xccdf-1.2:title>Authorize Human Interface Devices in USBGuard daemon</xccdf-1.2:title>
-            <xccdf-1.2:description>To allow authorization of Human Interface Devices (keyboard, mouse)
-by USBGuard daemon,
-add the line
-<html:code>allow with-interface match-all { 03:*:* }</html:code>
-to <html:code>/etc/usbguard/rules.conf</html:code>.</xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">This rule should be understood primarily as a convenience administration feature. This rule ensures that if the USBGuard default rules.conf file is present, it will alter it so that USB human interface devices are allowed. However, if the rules.conf file is altered by system administrator, the rule does not check if USB human interface devices are allowed. This assumes that an administrator modified the file with some purpose in mind.</xccdf-1.2:warning>
-            <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000114-GPOS-00059</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Without allowing Human Interface Devices, it might not be possible
-to interact with the system.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#not_s390x_arch"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-usbguard_allow_hid:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-usbguard_allow_hid_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_usbguard_allow_hid_and_hub" severity="medium">
-            <xccdf-1.2:title>Authorize Human Interface Devices and USB hubs in USBGuard daemon</xccdf-1.2:title>
-            <xccdf-1.2:description>To allow authorization of USB devices combining human interface device and hub capabilities
-by USBGuard daemon,
-add the line
-<html:code>allow with-interface match-all { 03:*:* 09:00:* }</html:code>
-to <html:code>/etc/usbguard/rules.conf</html:code>.</xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">This rule should be understood primarily as a convenience administration feature. This rule ensures that if the USBGuard default rules.conf file is present, it will alter it so that USB human interface devices and hubs are allowed. However, if the rules.conf file is altered by system administrator, the rule does not check if USB human interface devices and hubs are allowed. This assumes that an administrator modified the file with some purpose in mind.</xccdf-1.2:warning>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">CM-8(3)</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf">IA-3</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000114-GPOS-00059</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Without allowing Human Interface Devices, it might not be possible
-to interact with the system. Without allowing hubs, it might not be possible to use any
-USB devices on the system.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#not_s390x_arch"/>
-            <xccdf-1.2:ident system="https://nvd.nist.gov/cce/index.cfm">CCE-82539-8</xccdf-1.2:ident>
-            <xccdf-1.2:fix system="urn:xccdf:fix:script:kubernetes" id="usbguard_allow_hid_and_hub">---
-apiVersion: machineconfiguration.openshift.io/v1
-kind: MachineConfig
-metadata:
-  annotations:
-    complianceascode.io/depends-on: xccdf_org.ssgproject.content_rule_package_usbguard_installed
-spec:
-  config:
-    ignition:
-      version: 3.1.0
-    storage:
-      files:
-      - contents:
-          source: data:,{{ %0Aallow%20with-interface%20match-all%20%7B%2003%3A%2A%3A%2A%2009%3A00%3A%2A%20%7D }}
-        mode: 0600
-        path: /etc/usbguard/rules.d/75-hid-and-hub.conf
-        overwrite: true
-</xccdf-1.2:fix>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-usbguard_allow_hid_and_hub:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-usbguard_allow_hid_and_hub_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-          <xccdf-1.2:Rule selected="false" id="xccdf_org.ssgproject.content_rule_usbguard_allow_hub" severity="medium">
-            <xccdf-1.2:title>Authorize USB hubs in USBGuard daemon</xccdf-1.2:title>
-            <xccdf-1.2:description>To allow authorization of USB hub devices by USBGuard daemon,
-add line
-<html:code>allow with-interface match-all { 09:00:* }</html:code>
-to <html:code>/etc/usbguard/rules.conf</html:code>.</xccdf-1.2:description>
-            <xccdf-1.2:warning category="general">This rule should be understood primarily as a convenience administration feature. This rule ensures that if the USBGuard default rules.conf file is present, it will alter it so that USB hub devices are allowed. However, if the rules.conf file is altered by system administrator, the rule does not check if USB hub devices are allowed. This assumes that an administrator modified the file with some purpose in mind.</xccdf-1.2:warning>
-            <xccdf-1.2:reference href="https://www.niap-ccevs.org/Profile/PP.cfm">FMT_SMF_EXT.1</xccdf-1.2:reference>
-            <xccdf-1.2:reference href="https://public.cyber.mil/stigs/downloads/?_dl_facet_stigs=operating-systems%2Cgeneral-purpose-os">SRG-OS-000114-GPOS-00059</xccdf-1.2:reference>
-            <xccdf-1.2:rationale>Without allowing hubs, it might not be possible to use any
-USB devices on the system.</xccdf-1.2:rationale>
-            <xccdf-1.2:platform idref="#not_s390x_arch"/>
-            <xccdf-1.2:check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-oval.xml" name="oval:ssg-usbguard_allow_hub:def:1"/>
-            </xccdf-1.2:check>
-            <xccdf-1.2:check system="http://scap.nist.gov/schema/ocil/2">
-              <xccdf-1.2:check-content-ref href="ssg-rhcos4-ocil.xml" name="ocil:ssg-usbguard_allow_hub_ocil:questionnaire:1"/>
-            </xccdf-1.2:check>
-          </xccdf-1.2:Rule>
-        </xccdf-1.2:Group>
-        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_xwindows">
-          <xccdf-1.2:title>X Window System</xccdf-1.2:title>
-          <xccdf-1.2:description>The X Window System implementation included with the
-system is called X.org.</xccdf-1.2:description>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_disabling_xwindows">
-            <xccdf-1.2:title>Disable X Windows</xccdf-1.2:title>
-            <xccdf-1.2:description>Unless there is a mission-critical reason for the
-system to run a graphical user interface, ensure X is not set to start
-automatically at boot and remove the X Windows software packages.
-There is usually no reason to run X Windows
-on a dedicated server system, as it increases the system's attack surface and consumes
-system resources. Administrators of server systems should instead login via
-SSH or on the text console.</xccdf-1.2:description>
-          </xccdf-1.2:Group>
-        </xccdf-1.2:Group>
-      </xccdf-1.2:Group>
-      <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_intro">
-        <xccdf-1.2:title>Introduction</xccdf-1.2:title>
-        <xccdf-1.2:description>The purpose of this guidance is to provide security configuration
-recommendations and baselines for the Red Hat Enterprise Linux CoreOS 4 operating
-system. Recommended settings for the basic operating system are provided,
-as well as for many network services that the system can provide to other systems.
-The guide is intended for system administrators. Readers are assumed to
-possess basic system administration skills for Unix-like systems, as well
-as some familiarity with the product's documentation and administration
-conventions. Some instructions within this guide are complex.
-All directions should be followed completely and with understanding of
-their effects in order to avoid serious adverse effects on the system
-and its security.</xccdf-1.2:description>
-        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_general-principles">
-          <xccdf-1.2:title>General Principles</xccdf-1.2:title>
-          <xccdf-1.2:description>The following general principles motivate much of the advice in this
-guide and should also influence any configuration decisions that are
-not explicitly covered.</xccdf-1.2:description>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_principle-encrypt-transmitted-data">
-            <xccdf-1.2:title>Encrypt Transmitted Data Whenever Possible</xccdf-1.2:title>
-            <xccdf-1.2:description>Data transmitted over a network, whether wired or wireless, is susceptible
-to passive monitoring. Whenever practical solutions for encrypting
-such data exist, they should be applied. Even if data is expected to
-be transmitted only over a local network, it should still be encrypted.
-Encrypting authentication data, such as passwords, is particularly
-important. Networks of Red Hat Enterprise Linux CoreOS 4 machines can and should be configured
-so that no unencrypted authentication data is ever transmitted between
-machines.</xccdf-1.2:description>
-          </xccdf-1.2:Group>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_principle-least-privilege">
-            <xccdf-1.2:title>Least Privilege</xccdf-1.2:title>
-            <xccdf-1.2:description>Grant the least privilege necessary for user accounts and software to perform tasks.
-For example, <html:code>sudo</html:code> can be implemented to limit authorization to super user
-accounts on the system only to designated personnel. Another example is to limit
-logins on server systems to only those administrators who need to log into them in
-order to perform administration tasks. Using SELinux also follows the principle of
-least privilege: SELinux policy can confine software to perform only actions on the
-system that are specifically allowed. This can be far more restrictive than the
-actions permissible by the traditional Unix permissions model.</xccdf-1.2:description>
-          </xccdf-1.2:Group>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_principle-minimize-software">
-            <xccdf-1.2:title>Minimize Software to Minimize Vulnerability</xccdf-1.2:title>
-            <xccdf-1.2:description>The simplest way to avoid vulnerabilities in software is to avoid
-installing that software. On Red Hat Enterprise Linux CoreOS 4,the RPM Package Manager (originally Red Hat Package Manager, abbreviated RPM)
-allows for careful management of
-the set of software packages installed on a system. Installed software
-contributes to system vulnerability in several ways. Packages that
-include setuid programs may provide local attackers a potential path to
-privilege escalation. Packages that include network services may give
-this opportunity to network-based attackers. Packages that include
-programs which are predictably executed by local users (e.g. after
-graphical login) may provide opportunities for trojan horses or other
-attack code to be run undetected. The number of software packages
-installed on a system can almost always be significantly pruned to include
-only the software for which there is an environmental or operational need.</xccdf-1.2:description>
-          </xccdf-1.2:Group>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_principle-separate-servers">
-            <xccdf-1.2:title>Run Different Network Services on Separate Systems</xccdf-1.2:title>
-            <xccdf-1.2:description>Whenever possible, a server should be dedicated to serving exactly one
-network service. This limits the number of other services that can
-be compromised in the event that an attacker is able to successfully
-exploit a software flaw in one network service.</xccdf-1.2:description>
-          </xccdf-1.2:Group>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_principle-use-security-tools">
-            <xccdf-1.2:title>Configure Security Tools to Improve System Robustness</xccdf-1.2:title>
-            <xccdf-1.2:description>Several tools exist which can be effectively used to improve a system's
-resistance to and detection of unknown attacks. These tools can improve
-robustness against attack at the cost of relatively little configuration
-effort. In particular, this guide recommends and discusses the use of
-host-based firewalling, SELinux for protection against
-vulnerable services, and a logging and auditing infrastructure for
-detection of problems.</xccdf-1.2:description>
-          </xccdf-1.2:Group>
-        </xccdf-1.2:Group>
-        <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_how-to-use">
-          <xccdf-1.2:title>How to Use This Guide</xccdf-1.2:title>
-          <xccdf-1.2:description>Readers should heed the following points when using the guide.</xccdf-1.2:description>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_intro-formatting-conventions">
-            <xccdf-1.2:title>Formatting Conventions</xccdf-1.2:title>
-            <xccdf-1.2:description>Commands intended for shell execution, as well as configuration file text,
-are featured in a <html:code>monospace font</html:code>. <html:i>Italics</html:i> are used
-to indicate instances where the system administrator must substitute
-the appropriate information into a command or configuration file.</xccdf-1.2:description>
-          </xccdf-1.2:Group>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_intro-read-sections-completely">
-            <xccdf-1.2:title>Read Sections Completely and in Order</xccdf-1.2:title>
-            <xccdf-1.2:description>Each section may build on information and recommendations discussed in
-prior sections. Each section should be read and understood completely;
-instructions should never be blindly applied. Relevant discussion may
-occur after instructions for an action.</xccdf-1.2:description>
-          </xccdf-1.2:Group>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_intro-reboot-required">
-            <xccdf-1.2:title>Reboot Required</xccdf-1.2:title>
-            <xccdf-1.2:description>A system reboot is implicitly required after some actions in order to
-complete the reconfiguration of the system. In many cases, the changes
-will not take effect until a reboot is performed. In order to ensure
-that changes are applied properly and to test functionality, always
-reboot the system after applying a set of recommendations from this guide.</xccdf-1.2:description>
-          </xccdf-1.2:Group>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_intro-root-shell-assumed">
-            <xccdf-1.2:title>Root Shell Environment Assumed</xccdf-1.2:title>
-            <xccdf-1.2:description>Most of the actions listed in this document are written with the
-assumption that they will be executed by the root user running the
-<html:code>/bin/bash</html:code> shell. Commands preceded with a hash mark (#)
-assume that the administrator will execute the commands as root, i.e.
-apply the command via <html:code>sudo</html:code> whenever possible, or use
-<html:code>su</html:code> to gain root privileges if <html:code>sudo</html:code> cannot be
-used. Commands which can be executed as a non-root user are are preceded
-by a dollar sign ($) prompt.</xccdf-1.2:description>
-          </xccdf-1.2:Group>
-          <xccdf-1.2:Group id="xccdf_org.ssgproject.content_group_intro-test-non-production">
-            <xccdf-1.2:title>Test in Non-Production Environment</xccdf-1.2:title>
-            <xccdf-1.2:description>This guidance should always be tested in a non-production environment
-before deployment. This test environment should simulate the setup in
-which the system will be deployed as closely as possible.</xccdf-1.2:description>
-          </xccdf-1.2:Group>
-        </xccdf-1.2:Group>
-      </xccdf-1.2:Group>
-    </xccdf-1.2:Benchmark>
-  </ds:component>
-  <ds:component id="scap_org.open-scap_comp_ssg-rhcos4-oval.xml" timestamp="2022-08-11T18:55:33">
-    <oval-def:oval_definitions xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd         http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd         http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd         http://oval.mitre.org/XMLSchema/oval-definitions-5#unix unix-definitions-schema.xsd         http://oval.mitre.org/XMLSchema/oval-definitions-5#linux linux-definitions-schema.xsd">
-      <oval-def:generator>
-        <oval:product_name>combine_ovals.py from SCAP Security Guide</oval:product_name>
-        <oval:product_version>ssg: [0, 1, 64], python: 3.10.6</oval:product_version>
-        <oval:schema_version>5.11</oval:schema_version>
-        <oval:timestamp>2022-08-11T18:55:18</oval:timestamp>
-      </oval-def:generator>
-      <oval-def:definitions>
-        <oval-def:definition class="compliance" id="oval:ssg-kerberos_disable_no_keytab:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Disable Kerberos by removing host keytab</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check that there is no Kerberos keytab file present in /etc</oval-def:description>
-            <oval-def:reference ref_id="kerberos_disable_no_keytab" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion test_ref="oval:ssg-test_kerberos_disable_no_keytab:tst:1" comment="Restrict Kerberos operation by removing keytab files"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-postfix_client_configure_mail_alias:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Configure System to Forward All Mail For The Root Account</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check if root has the correct mail alias.</oval-def:description>
-            <oval-def:reference ref_id="postfix_client_configure_mail_alias" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="Check if root has the correct mail alias.">
-            <oval-def:criterion comment="Check if root has the correct mail alias." test_ref="oval:ssg-test_postfix_client_configure_mail_alias:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-postfix_client_configure_mail_alias_postmaster:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Configure System to Forward All Mail From Postmaster to The Root Account</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check if postmaster has the correct mail alias.</oval-def:description>
-            <oval-def:reference ref_id="postfix_client_configure_mail_alias_postmaster" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="Check if postmaster has the correct mail alias.">
-            <oval-def:criterion comment="Check if postmaster has the correct mail alias." test_ref="oval:ssg-test_postfix_client_configure_mail_alias_postmaster:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-chronyd_client_only:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Disable chrony daemon from acting as server</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Configure the port setting in {{{ chrony_conf_path }}} to disable
-      server operation.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82465-6" source="CCE"/>
-            <oval-def:reference ref_id="chronyd_client_only" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition definition_ref="oval:ssg-service_chronyd_enabled:def:1" comment="service chronyd enabled"/>
-            <oval-def:criterion test_ref="oval:ssg-test_chronyd_client_only:tst:1" comment="check if port is 0 in /etc/chrony.conf"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-chronyd_no_chronyc_network:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Disable network management of chrony daemon</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Configure the cmdport setting in {{{ chrony_conf_path }}} to disable
-      chronyc management connections over network.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82466-4" source="CCE"/>
-            <oval-def:reference ref_id="chronyd_no_chronyc_network" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition definition_ref="oval:ssg-service_chronyd_enabled:def:1" comment="service chronyd enabled"/>
-            <oval-def:criterion test_ref="oval:ssg-test_chronyd_no_chronyc_network:tst:1" comment="check if cmdport is 0 in /etc/chrony.conf"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-chronyd_or_ntpd_set_maxpoll:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Configure Time Service Maxpoll Interval</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Configure the maxpoll setting in /etc/ntp.conf or chrony.conf
-      to continuously poll the time source servers.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82684-2" source="CCE"/>
-            <oval-def:reference ref_id="chronyd_or_ntpd_set_maxpoll" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="check if no server entry is set in /etc/ntp.conf" test_ref="oval:ssg-test_ntp_no_server:tst:1"/>
-              <oval-def:criteria operator="AND">
-                <oval-def:criterion comment="check if maxpoll is set in /etc/ntp.conf" test_ref="oval:ssg-test_ntp_set_maxpoll:tst:1"/>
-                <oval-def:criterion comment="check if all server entries have maxpoll set in /etc/ntp.conf" test_ref="oval:ssg-test_ntp_all_server_has_maxpoll:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="check if no server or pool entry is set in /etc/chrony.conf" test_ref="oval:ssg-test_chrony_no_server_nor_pool:tst:1"/>
-              <oval-def:criteria operator="AND">
-                <oval-def:criterion comment="check if maxpoll is set in /etc/chrony.conf" test_ref="oval:ssg-test_chrony_set_maxpoll:tst:1"/>
-                <oval-def:criterion comment="check if all server entries have maxpoll set in /etc/chrony.conf" test_ref="oval:ssg-test_chrony_all_server_has_maxpoll:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-chronyd_or_ntpd_specify_multiple_servers:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Specify Additional Remote NTP Servers</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Multiple remote chronyd or ntpd NTP Servers for time synchronization should be specified (and dependencies are met)</oval-def:description>
-            <oval-def:reference ref_id="CCE-82685-9" source="CCE"/>
-            <oval-def:reference ref_id="chronyd_or_ntpd_specify_multiple_servers" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria comment="chronyd enabled and multiple remote servers specified" operator="AND">
-              <oval-def:extend_definition comment="service chronyd enabled" definition_ref="oval:ssg-service_chronyd_enabled:def:1"/>
-              <oval-def:extend_definition comment="multiple chronyd remote servers specified" definition_ref="oval:ssg-chronyd_specify_multiple_servers:def:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria comment="ntpd enabled and multile remote servers specified" operator="AND">
-              <oval-def:extend_definition comment="service ntpd enabled" definition_ref="oval:ssg-service_ntpd_enabled:def:1"/>
-              <oval-def:extend_definition comment="multiple ntpd remote servers specified" definition_ref="oval:ssg-ntpd_specify_multiple_servers:def:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-chronyd_or_ntpd_specify_remote_server:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Specify a Remote NTP Server</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>A remote chronyd or ntpd NTP Server for time synchronization should be specified (and dependencies are met)</oval-def:description>
-            <oval-def:reference ref_id="CCE-82683-4" source="CCE"/>
-            <oval-def:reference ref_id="chronyd_or_ntpd_specify_remote_server" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria comment="chronyd enabled and remote server specified" operator="AND">
-              <oval-def:extend_definition comment="service chronyd enabled" definition_ref="oval:ssg-service_chronyd_enabled:def:1"/>
-              <oval-def:extend_definition comment="chronyd remote server specified" definition_ref="oval:ssg-chronyd_specify_remote_server:def:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria comment="ntpd enabled and remote server specified" operator="AND">
-              <oval-def:extend_definition comment="service ntpd enabled" definition_ref="oval:ssg-service_ntpd_enabled:def:1"/>
-              <oval-def:extend_definition comment="ntpd remote server specified" definition_ref="oval:ssg-ntpd_specify_remote_server:def:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-chronyd_server_directive:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure Chrony is only configured with the server directive</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Ensure Chrony has time sources configured with server directive</oval-def:description>
-            <oval-def:reference ref_id="chronyd_server_directive" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="chrony.conf only has server directive">
-            <oval-def:criterion test_ref="oval:ssg-test_chronyd_server_directive_with_server:tst:1"/>
-            <oval-def:criterion test_ref="oval:ssg-test_chronyd_server_directive_no_pool:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-chronyd_specify_remote_server:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>A remote time server for Chrony is configured</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>A remote NTP Server for time synchronization should be
-      specified (and dependencies are met)</oval-def:description>
-            <oval-def:reference ref_id="chronyd_specify_remote_server" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="chrony.conf conditions are met">
-            <oval-def:criterion test_ref="oval:ssg-test_chronyd_remote_server:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-ntpd_specify_multiple_servers:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Specify Additional Remote NTP Servers</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Multiple ntpd NTP Servers for time synchronization should be specified.</oval-def:description>
-            <oval-def:reference ref_id="ntpd_specify_multiple_servers" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="ntp.conf conditions are met">
-            <oval-def:criterion test_ref="oval:ssg-test_ntpd_multiple_servers:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-ntpd_specify_remote_server:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Specify a Remote NTP Server</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>A remote ntpd NTP Server for time synchronization should be
-      specified (and dependencies are met)</oval-def:description>
-            <oval-def:reference ref_id="ntpd_specify_remote_server" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="ntp.conf conditions are met">
-            <oval-def:criterion test_ref="oval:ssg-test_ntp_remote_server:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-service_chronyd_or_ntpd_enabled:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Enable the NTP Daemon</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>At least one of the chronyd or ntpd services should be enabled if possible.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82682-6" source="CCE"/>
-            <oval-def:reference ref_id="service_chronyd_or_ntpd_enabled" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="chronyd or ntpd service enabled" operator="OR">
-            <oval-def:extend_definition comment="service chronyd enabled" definition_ref="oval:ssg-service_chronyd_enabled:def:1"/>
-            <oval-def:extend_definition comment="service ntpd enabled" definition_ref="oval:ssg-service_ntpd_enabled:def:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-no_rsh_trust_files:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Remove Rsh Trust Files</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>There should not be any .rhosts or hosts.equiv files on the system.</oval-def:description>
-            <oval-def:reference ref_id="no_rsh_trust_files" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion test_ref="oval:ssg-test_no_rsh_trust_files_root:tst:1" negate="true"/>
-            <oval-def:criterion test_ref="oval:ssg-test_no_rsh_trust_files_home:tst:1" negate="true"/>
-            <oval-def:criterion test_ref="oval:ssg-test_no_rsh_trust_files_etc:tst:1" negate="true"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_sshd_private_key:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Verify Permissions on SSH Server Private *_key Key Files</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The system sshd key is owned by root:root and has the 0600 permission, or by a root:ssh_keys with the 0640 permission</oval-def:description>
-            <oval-def:reference ref_id="file_permissions_sshd_private_key" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="No keys that have unsafe ownership/permissions combination exist" test_ref="oval:ssg-test_no_offending_keys:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-ssh_client_rekey_limit:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Configure session renegotiation for SSH client</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Ensure 'RekeyLimit' is configured with the correct value in /etc/ssh/ssh_config and /etc/ssh/ssh_config.d/*.conf</oval-def:description>
-            <oval-def:reference ref_id="ssh_client_rekey_limit" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="RekeyLimit is correctly configured for ssh client" operator="AND">
-            <oval-def:criterion comment="check that RekeyLimit is not configured in /etc/ssh/ssh_config" test_ref="oval:ssg-test_ssh_client_rekey_limit_main_config:tst:1" negate="true"/>
-            <oval-def:criterion comment="check correct RekeyLimit configuration in /etc/ssh/ssh_config.d/*.conf" test_ref="oval:ssg-test_ssh_client_rekey_limit_include_configs:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sshd_allow_only_protocol2:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Allow Only SSH Protocol 2</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The OpenSSH daemon should be running protocol 2.</oval-def:description>
-            <oval-def:reference ref_id="sshd_allow_only_protocol2" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="SSH is configured correctly or is not installed" operator="OR">
-            <oval-def:criteria comment="sshd is not installed" operator="AND">
-              <oval-def:extend_definition comment="sshd is not required or requirement is unset" definition_ref="oval:ssg-sshd_not_required_or_unset:def:1"/>
-              <oval-def:extend_definition comment="rpm package openssh-server removed" definition_ref="oval:ssg-package_openssh-server_removed:def:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria comment="sshd is installed and configured" operator="AND">
-              <oval-def:extend_definition comment="sshd is required or requirement is unset" definition_ref="oval:ssg-sshd_required_or_unset:def:1"/>
-              <oval-def:extend_definition comment="rpm package openssh-server installed" definition_ref="oval:ssg-package_openssh-server_installed:def:1"/>
-              <oval-def:criteria comment="SSH version is equal or higher than 7.4 or it is configured with protocol 2" operator="OR">
-                <oval-def:extend_definition comment="OpenSSH version 7.4 or higher supports only protocol 2" definition_ref="oval:ssg-sshd_version_equal_or_higher_than_74:def:1"/>
-                <oval-def:criterion comment="Check Protocol in /etc/ssh/sshd_config" test_ref="oval:ssg-test_sshd_allow_only_protocol2:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sshd_disable_compression:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Disable Compression Or Set Compression to delayed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>SSH should either have compression disabled or set to delayed.</oval-def:description>
-            <oval-def:reference ref_id="sshd_disable_compression" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="SSH is configured correctly or is not installed" operator="OR">
-            <oval-def:criteria comment="sshd is not installed" operator="AND">
-              <oval-def:extend_definition comment="sshd is not required or requirement is unset" definition_ref="oval:ssg-sshd_not_required_or_unset:def:1"/>
-              <oval-def:extend_definition comment="rpm package openssh-server removed" definition_ref="oval:ssg-package_openssh-server_removed:def:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria comment="sshd is installed and configured" operator="AND">
-              <oval-def:extend_definition comment="sshd is required or requirement is unset" definition_ref="oval:ssg-sshd_required_or_unset:def:1"/>
-              <oval-def:extend_definition comment="rpm package openssh-server installed" definition_ref="oval:ssg-package_openssh-server_installed:def:1"/>
-              <oval-def:criterion comment="Check Compression in /etc/ssh/sshd_config" test_ref="oval:ssg-test_sshd_disable_compression:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sshd_disable_rhosts_rsa:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Disable SSH Support for Rhosts RSA Authentication</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>SSH can allow authentication through the obsolete rsh command
-      through the use of the authenticating user's SSH keys. This should be disabled.</oval-def:description>
-            <oval-def:reference ref_id="sshd_disable_rhosts_rsa" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="SSH is configured correctly or is not installed" operator="OR">
-            <oval-def:criteria comment="sshd is not installed" operator="AND">
-              <oval-def:extend_definition comment="sshd is not required or requirement is unset" definition_ref="oval:ssg-sshd_not_required_or_unset:def:1"/>
-              <oval-def:extend_definition comment="rpm package openssh-server removed" definition_ref="oval:ssg-package_openssh-server_removed:def:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria comment="sshd is installed and configured" operator="AND">
-              <oval-def:extend_definition comment="sshd is required or requirement is unset" definition_ref="oval:ssg-sshd_required_or_unset:def:1"/>
-              <oval-def:extend_definition comment="rpm package openssh-server installed" definition_ref="oval:ssg-package_openssh-server_installed:def:1"/>
-              <oval-def:criteria comment="SSH version is equal or higher than 7.4 has deprecated RhostsRSAAuthentication" operator="OR">
-                <oval-def:extend_definition comment="OpenSSH version 7.4 or higher has deprecated RhostsRSAAuthentication" definition_ref="oval:ssg-sshd_version_equal_or_higher_than_74:def:1"/>
-                <oval-def:criterion comment="Check RhostsRSAAuthentication in /etc/ssh/sshd_config" negate="true" test_ref="oval:ssg-test_sshd_disable_rhosts_rsa:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sshd_rekey_limit:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Force frequent session key renegotiation</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Ensure {{{ parameter }}} is configured with the appropriate value in /etc/ssh/sshd_config</oval-def:description>
-            <oval-def:reference ref_id="sshd_rekey_limit" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="sshd is configured correctly or is not installed" operator="OR">
-            <oval-def:criteria comment="sshd is not installed" operator="AND">
-              <oval-def:extend_definition comment="sshd is not required or requirement is unset" definition_ref="oval:ssg-sshd_not_required_or_unset:def:1"/>
-              <oval-def:extend_definition comment="rpm package openssh-server removed" definition_ref="oval:ssg-package_openssh-server_removed:def:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria comment="sshd is installed and configured" operator="AND">
-              <oval-def:extend_definition comment="sshd is required or requirement is unset" definition_ref="oval:ssg-sshd_required_or_unset:def:1"/>
-              <oval-def:extend_definition comment="rpm package openssh-server installed" definition_ref="oval:ssg-package_openssh-server_installed:def:1"/>
-              <oval-def:criteria comment="sshd is configured corectly" operator="OR">
-                <oval-def:criterion comment="Check the RekeyLimit in /etc/ssh/sshd_config" test_ref="oval:ssg-test_sshd_rekey_limit:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sshd_set_idle_timeout:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Set SSH Idle Timeout Interval</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The SSH idle timeout interval should be set to an
-      appropriate value.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82549-7" source="CCE"/>
-            <oval-def:reference ref_id="sshd_set_idle_timeout" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="SSH is configured correctly or is not installed" operator="OR">
-            <oval-def:criteria comment="sshd is not installed" operator="AND">
-              <oval-def:extend_definition comment="sshd is not required or requirement is unset" definition_ref="oval:ssg-sshd_not_required_or_unset:def:1"/>
-              <oval-def:extend_definition comment="rpm package openssh-server removed" definition_ref="oval:ssg-package_openssh-server_removed:def:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria comment="sshd is installed and configured" operator="AND">
-              <oval-def:extend_definition comment="sshd is required or requirement is unset" definition_ref="oval:ssg-sshd_required_or_unset:def:1"/>
-              <oval-def:extend_definition comment="rpm package openssh-server installed" definition_ref="oval:ssg-package_openssh-server_installed:def:1"/>
-              <oval-def:criteria comment="ClientAliveInterval is configured correctly" operator="OR">
-                <oval-def:criterion comment="Check ClientAliveInterval in /etc/ssh/sshd_config" test_ref="oval:ssg-test_sshd_idle_timeout:tst:1"/>
-              </oval-def:criteria>
-              <oval-def:extend_definition comment="The SSH ClientAliveCountMax is set to zero" definition_ref="oval:ssg-sshd_set_keepalive:def:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sshd_set_keepalive:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Set SSH Client Alive Count Max</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The SSH ClientAliveCountMax should be set to an appropriate
-      value (and dependencies are met)</oval-def:description>
-            <oval-def:reference ref_id="CCE-82464-9" source="CCE"/>
-            <oval-def:reference ref_id="sshd_set_keepalive" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="SSH is configured correctly or is not installed" operator="OR">
-            <oval-def:criteria comment="sshd is not installed" operator="AND">
-              <oval-def:extend_definition comment="sshd is not required or requirement is unset" definition_ref="oval:ssg-sshd_not_required_or_unset:def:1"/>
-              <oval-def:extend_definition comment="rpm package openssh-server removed" definition_ref="oval:ssg-package_openssh-server_removed:def:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria comment="sshd is installed and configured" operator="AND">
-              <oval-def:extend_definition comment="sshd is required or requirement is unset" definition_ref="oval:ssg-sshd_required_or_unset:def:1"/>
-              <oval-def:extend_definition comment="rpm package openssh-server installed" definition_ref="oval:ssg-package_openssh-server_installed:def:1"/>
-              <oval-def:criteria comment="sshd is configured" operator="OR">
-                <oval-def:criterion comment="Check ClientAliveCountMax in /etc/ssh/sshd_config" test_ref="oval:ssg-test_sshd_clientalivecountmax:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sshd_set_login_grace_time:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure SSH LoginGraceTime is configured</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The SSH number seconds for login grace time should be set to an
-      appropriate value.</oval-def:description>
-            <oval-def:reference ref_id="sshd_set_login_grace_time" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="SSH is configured correctly or is not installed" operator="OR">
-            <oval-def:criteria comment="sshd is not installed" operator="AND">
-              <oval-def:extend_definition comment="sshd is not required or requirement is unset" definition_ref="oval:ssg-sshd_not_required_or_unset:def:1"/>
-              <oval-def:extend_definition comment="rpm package openssh-server removed" definition_ref="oval:ssg-package_openssh-server_removed:def:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria comment="sshd is installed and configured" operator="AND">
-              <oval-def:extend_definition comment="sshd is required or requirement is unset" definition_ref="oval:ssg-sshd_required_or_unset:def:1"/>
-              <oval-def:extend_definition comment="rpm package openssh-server installed" definition_ref="oval:ssg-package_openssh-server_installed:def:1"/>
-              <oval-def:criterion comment="Check LoginGraceTime in /etc/ssh/sshd_config" test_ref="oval:ssg-test_sshd_login_grace_time:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sshd_set_max_auth_tries:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Set SSH authentication attempt limit</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The SSH MaxAuthTries should be set to an
-      appropriate value.</oval-def:description>
-            <oval-def:reference ref_id="sshd_set_max_auth_tries" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="SSH is not being used or conditions are met" operator="OR">
-            <oval-def:extend_definition comment="sshd service is disabled" definition_ref="oval:ssg-service_sshd_disabled:def:1"/>
-            <oval-def:criterion comment="Check MaxAuthTries in /etc/ssh/sshd_config" test_ref="oval:ssg-test_sshd_max_auth_tries:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sshd_set_max_sessions:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Set SSH MaxSessions limit</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The SSH number of max sessions should be set to an
-      appropriate value.</oval-def:description>
-            <oval-def:reference ref_id="sshd_set_max_sessions" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="SSH is configured correctly or is not installed" operator="OR">
-            <oval-def:criteria comment="sshd is not installed" operator="AND">
-              <oval-def:extend_definition comment="sshd is not required or requirement is unset" definition_ref="oval:ssg-sshd_not_required_or_unset:def:1"/>
-              <oval-def:extend_definition comment="rpm package openssh-server removed" definition_ref="oval:ssg-package_openssh-server_removed:def:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria comment="sshd is installed and configured" operator="AND">
-              <oval-def:extend_definition comment="sshd is required or requirement is unset" definition_ref="oval:ssg-sshd_required_or_unset:def:1"/>
-              <oval-def:extend_definition comment="rpm package openssh-server installed" definition_ref="oval:ssg-package_openssh-server_installed:def:1"/>
-              <oval-def:criterion comment="Check MaxSessions in /etc/ssh/sshd_config" test_ref="oval:ssg-test_sshd_max_sessions:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sshd_set_maxstartups:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure SSH MaxStartups is configured</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Ensure 'MaxStartups' is configured in
-      '/etc/ssh/sshd_config'</oval-def:description>
-            <oval-def:reference ref_id="sshd_set_maxstartups" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="sshd is configured correctly or is not installed" operator="OR">
-            <oval-def:criteria comment="sshd is not installed" operator="AND">
-              <oval-def:extend_definition comment="sshd is not required or requirement is unset" definition_ref="oval:ssg-sshd_not_required_or_unset:def:1"/>
-              <oval-def:extend_definition comment="rpm package openssh-server removed" definition_ref="oval:ssg-package_openssh-server_removed:def:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion test_ref="oval:ssg-tst_maxstartups_start_parameter:tst:1" comment="SSH MaxStartups start parameter is less than or equal to 10"/>
-              <oval-def:criterion test_ref="oval:ssg-tst_maxstartups_rate_parameter:tst:1" comment="SSH MaxStartups rate parameter is greater than or equal to 30"/>
-              <oval-def:criterion test_ref="oval:ssg-tst_maxstartups_full_parameter:tst:1" comment="SSH MaxStartups full parameter is less than or equal to 100"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sshd_use_priv_separation:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Enable Use of Privilege Separation</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Ensure 'UsePrivilegeSeparation' is configured with value 'sandbox' in '/etc/ssh/sshd_config'</oval-def:description>
-            <oval-def:reference ref_id="sshd_use_priv_separation" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="sshd is configured correctly or is not installed" operator="OR">
-            <oval-def:criteria comment="sshd is not installed" operator="AND">
-              <oval-def:extend_definition comment="sshd is not required or requirement is unset" definition_ref="oval:ssg-sshd_not_required_or_unset:def:1"/>
-              <oval-def:extend_definition comment="rpm package openssh-server removed" definition_ref="oval:ssg-package_openssh-server_removed:def:1"/>
-            </oval-def:criteria>
-            <oval-def:criterion comment="Check the UsePrivilegeSeparation in /etc/ssh/sshd_config" test_ref="oval:ssg-test_sshd_use_priv_separation:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sssd_enable_smartcards:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Enable Smartcards in SSSD</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>SSSD should be configured to authenticate access to the system
-    using smart cards.</oval-def:description>
-            <oval-def:reference ref_id="sssd_enable_smartcards" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="Check pam_cert_auth in /etc/sssd/sssd.conf" test_ref="oval:ssg-test_sssd_enable_smartcards:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sssd_offline_cred_expiration:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Configure SSSD to Expire Offline Credentials</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>SSSD should be configured to expire offline credentials after 1 day.</oval-def:description>
-            <oval-def:reference ref_id="sssd_offline_cred_expiration" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criterion comment="Check offline_credentials_expiration in /etc/sssd/sssd.conf" test_ref="oval:ssg-test_sssd_offline_cred_expiration:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sssd_run_as_sssd_user:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Configure SSSD to run as user sssd</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>SSSD processes should be configured to run as user sssd, not root.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82536-4" source="CCE"/>
-            <oval-def:reference ref_id="sssd_run_as_sssd_user" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check user setting in SSSD configuration" test_ref="oval:ssg-test_sssd_run_as_sssd_user:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-configure_usbguard_auditbackend:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Log USBGuard daemon audit events using Linux Audit</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Ensure 'AuditBackend' is configured with value 'LinuxAudit' in /etc/usbguard/usbguard-daemon.conf</oval-def:description>
-            <oval-def:reference ref_id="CCE-82538-0" source="CCE"/>
-            <oval-def:reference ref_id="configure_usbguard_auditbackend" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="usbguard is configured correctly and configuration file exists" operator="AND">
-            <oval-def:criteria comment="usbguard is configured correctly" operator="OR">
-              <oval-def:criterion comment="Check the AuditBackend in /etc/usbguard/usbguard-daemon.conf" test_ref="oval:ssg-test_configure_usbguard_auditbackend:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criterion comment="test if configuration file /etc/usbguard/usbguard-daemon.conf exists for configure_usbguard_auditbackend" test_ref="oval:ssg-test_configure_usbguard_auditbackend_config_file_exists:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-usbguard_allow_hid:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Authorize Human Interface Devices in USBGuard daemon</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check that /etc/usbguard/rules.conf exists and that it contains at least one non white space character.</oval-def:description>
-            <oval-def:reference ref_id="usbguard_allow_hid" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="Check that /etc/usbguard/rules.conf contains at least one non whitespace character." operator="AND">
-            <oval-def:extend_definition comment="Check that /etc/usbguard/rules.conf contains at least one non whitespace character." definition_ref="oval:ssg-usbguard_rules_not_empty_not_missing:def:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-usbguard_allow_hid_and_hub:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Authorize Human Interface Devices and USB hubs in USBGuard daemon</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check that /etc/usbguard/rules.conf contains at least one non whitespace character and exists.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82539-8" source="CCE"/>
-            <oval-def:reference ref_id="usbguard_allow_hid_and_hub" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="Check that /etc/usbguard/rules.conf contains at least one non whitespace character." operator="AND">
-            <oval-def:extend_definition comment="Check that /etc/usbguard/rules.conf contains at least one non whitespace character." definition_ref="oval:ssg-usbguard_rules_not_empty_not_missing:def:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-usbguard_allow_hub:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Authorize USB hubs in USBGuard daemon</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check that /etc/usbguard/rules.conf contains at least one non whitespace character and exists.</oval-def:description>
-            <oval-def:reference ref_id="usbguard_allow_hub" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="Check that /etc/usbguard/rules.conf contains at least one non whitespace character." operator="AND">
-            <oval-def:extend_definition comment="Check that /etc/usbguard/rules.conf contains at least one non whitespace character." definition_ref="oval:ssg-usbguard_rules_not_empty_not_missing:def:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-banner_etc_issue:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Modify the System Login Banner</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The system login banner text should be set correctly.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82555-4" source="CCE"/>
-            <oval-def:reference ref_id="banner_etc_issue" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="/etc/issue is set appropriately" test_ref="oval:ssg-test_banner_etc_issue:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-disallow_bypass_password_sudo:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Disallow Configuration to Bypass Password Requirements for Privilege Escalation</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Disallow Configuration to Bypass Password Requirements for Privilege Escalation.</oval-def:description>
-            <oval-def:reference ref_id="disallow_bypass_password_sudo" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check absence of conf pam_succeed_if in /etc/pam.d/sudo" test_ref="oval:ssg-test_disallow_bypass_password_sudo:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-display_login_attempts:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure PAM Displays Last Logon/Access Notification</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Configure the system to notify users of last login/access using pam_lastlog.</oval-def:description>
-            <oval-def:reference ref_id="display_login_attempts" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="Conditions for pam_lastlog are satisfied" test_ref="oval:ssg-test_display_login_attempts:tst:1"/>
-            <oval-def:criterion comment="silent option for pam_lastlog is not set" test_ref="oval:ssg-test_display_login_attempts_silent:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-account_passwords_pam_faillock_audit:def:1" version="5">
-          <oval-def:metadata>
-            <oval-def:title>Account Lockouts Must Be Logged</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Account Lockouts Must Be Logged</oval-def:description>
-            <oval-def:reference ref_id="account_passwords_pam_faillock_audit" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR" comment="Check expected value for pam_faillock.so audit parameter">
-            <oval-def:criteria operator="AND" comment="Check expected pam_faillock.so audit parameter in pam files">
-              <oval-def:criterion test_ref="oval:ssg-test_pam_faillock_audit_parameter_system_auth:tst:1" comment="Check the audit parameter in auth section of system-auth file"/>
-              <oval-def:criterion test_ref="oval:ssg-test_pam_faillock_audit_parameter_password_auth:tst:1" comment="Check the audit parameter in auth section of password-auth file"/>
-              <oval-def:criterion test_ref="oval:ssg-test_pam_faillock_audit_parameter_no_faillock_conf:tst:1" comment="Ensure /etc/security/faillock.conf is not used together with pam files"/>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND" comment="Check expected pam_faillock.so audit parameter in faillock.conf">
-              <oval-def:criterion test_ref="oval:ssg-test_pam_faillock_audit_parameter_no_pamd_system:tst:1" comment="Check the audit parameter is not present system-auth file"/>
-              <oval-def:criterion test_ref="oval:ssg-test_pam_faillock_audit_parameter_no_pamd_password:tst:1" comment="Check the audit parameter is not present password-auth file"/>
-              <oval-def:criterion test_ref="oval:ssg-test_pam_faillock_audit_parameter_faillock_conf:tst:1" comment="Ensure the audit parameter is present in /etc/security/faillock.conf"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-disable_ctrlaltdel_burstaction:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Disable Ctrl-Alt-Del Burst Action</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Configure the CtrlAltDelBurstAction setting in /etc/systemd/system.conf
-      or /etc/systemd/system.conf.d/* to none to prevent a reboot if Ctrl-Alt-Delete is
-      pressed more than 7 times in 2 seconds.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82495-3" source="CCE"/>
-            <oval-def:reference ref_id="disable_ctrlaltdel_burstaction" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="check CtrlAltDelBurstAction is set to none" test_ref="oval:ssg-test_disable_ctrlaltdel_burstaction:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-disable_ctrlaltdel_reboot:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Disable Ctrl-Alt-Del Reboot Activation</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>By default, the system will reboot when the
-      Ctrl-Alt-Del key sequence is pressed.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82493-8" source="CCE"/>
-            <oval-def:reference ref_id="disable_ctrlaltdel_reboot" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Disable Ctrl-Alt-Del systemd softlink exists" test_ref="oval:ssg-test_disable_ctrlaltdel_exists:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-grub2_disable_interactive_boot:def:1" version="4">
-          <oval-def:metadata>
-            <oval-def:title>Verify that Interactive Boot is Disabled</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The ability for users to perform interactive startups should
-      be disabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82551-3" source="CCE"/>
-            <oval-def:reference ref_id="grub2_disable_interactive_boot" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion test_ref="oval:ssg-test_grub2_disable_interactive_boot_grub_cmdline_linux:tst:1" comment="Check systemd.confirm_spawn=(1|yes|true|on) not in GRUB_CMDLINE_LINUX"/>
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion test_ref="oval:ssg-test_grub2_disable_interactive_boot_grub_cmdline_linux_default:tst:1" comment="Check systemd.confirm_spawn=(1|yes|true|on) not in GRUB_CMDLINE_LINUX_DEFAULT"/>
-              <oval-def:extend_definition definition_ref="oval:ssg-bootloader_disable_recovery_set_to_true:def:1" comment="Check GRUB_DISABLE_RECOVERY=true in /etc/default/grub"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-require_singleuser_auth:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Require Authentication for Single User Mode</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The requirement for a password to boot into single-user mode
-      should be configured correctly.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82550-5" source="CCE"/>
-            <oval-def:reference ref_id="require_singleuser_auth" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="Conditions are satisfied" test_ref="oval:ssg-test_require_rescue_service:tst:1"/>
-            <oval-def:criterion test_ref="oval:ssg-test_require_rescue_service_runlevel1:tst:1"/>
-            <oval-def:criterion test_ref="oval:ssg-test_no_custom_runlevel1_target:tst:1" negate="true"/>
-            <oval-def:criterion test_ref="oval:ssg-test_no_custom_rescue_service:tst:1" negate="true"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-configure_bashrc_exec_tmux:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Support session locking with tmux</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check if tmux is configured to exec at the end of bashrc.</oval-def:description>
-            <oval-def:reference ref_id="configure_bashrc_exec_tmux" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="Check exec tmux configured at the end of bashrc" operator="AND">
-            <oval-def:criterion comment="check tmux is configured to exec on the last line of /etc/bashrc" test_ref="oval:ssg-test_configure_bashrc_exec_tmux:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-configure_tmux_lock_after_time:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Configure tmux to lock session after inactivity</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check if tmux is configured to lock sessions after period of inactivity.</oval-def:description>
-            <oval-def:reference ref_id="configure_tmux_lock_after_time" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="Configure tmux to lock session after inactivity" operator="AND">
-            <oval-def:criterion comment="check lock-after-time is set to 900 in /etc/tmux.conf" test_ref="oval:ssg-test_configure_tmux_lock_after_time:tst:1"/>
-            <oval-def:extend_definition comment="Check /etc/tmux.conf is readable by others" definition_ref="oval:ssg-tmux_conf_readable_by_others:def:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-configure_tmux_lock_command:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Configure the tmux Lock Command</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check if the vlock command is configured to be used as a locking mechanism in tmux.</oval-def:description>
-            <oval-def:reference ref_id="configure_tmux_lock_command" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="Configure the tmux Lock Command" operator="AND">
-            <oval-def:criterion comment="check lock-command is set to vlock in /etc/tmux.conf" test_ref="oval:ssg-test_configure_tmux_lock_command:tst:1"/>
-            <oval-def:extend_definition comment="Check /etc/tmux.conf is readable by others" definition_ref="oval:ssg-tmux_conf_readable_by_others:def:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-no_tmux_in_shells:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Prevent user from disabling the screen lock</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check that tmux is not listed in /etc/shells</oval-def:description>
-            <oval-def:reference ref_id="no_tmux_in_shells" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="Check that tmux is not listed in /etc/shells" operator="AND">
-            <oval-def:criterion comment="check that tmux is not listed in /etc/shells" test_ref="oval:ssg-test_no_tmux_in_shells:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-account_disable_post_pw_expiration:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Set Account Expiration Following Inactivity</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The accounts should be configured to expire automatically following password expiration.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82695-8" source="CCE"/>
-            <oval-def:reference ref_id="account_disable_post_pw_expiration" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="the value INACTIVE parameter should be set appropriately in /etc/default/useradd">
-            <oval-def:criterion test_ref="oval:ssg-test_etc_default_useradd_inactive:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-account_unique_name:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure All Accounts on the System Have Unique Names</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>All accounts on the system should have unique names for proper accountability.</oval-def:description>
-            <oval-def:reference ref_id="account_unique_name" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="There should not exist duplicate user name entries in /etc/passwd">
-            <oval-def:criterion test_ref="oval:ssg-test_etc_passwd_no_duplicate_user_names:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-accounts_maximum_age_login_defs:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Set Password Maximum Age</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The maximum password age policy should meet minimum requirements.</oval-def:description>
-            <oval-def:reference ref_id="accounts_maximum_age_login_defs" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="The value PASS_MAX_DAYS should be set appropriately in /etc/login.defs">
-            <oval-def:criterion test_ref="oval:ssg-test_pass_max_days:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-accounts_minimum_age_login_defs:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Set Password Minimum Age</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The minimum password age policy should be set appropriately.</oval-def:description>
-            <oval-def:reference ref_id="accounts_minimum_age_login_defs" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="The value of PASS_MIN_DAYS should be set appropriately in /etc/login.defs">
-            <oval-def:criterion test_ref="oval:ssg-test_pass_min_days:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-accounts_password_minlen_login_defs:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Set Password Minimum Length in login.defs</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The password minimum length should be set appropriately.</oval-def:description>
-            <oval-def:reference ref_id="accounts_password_minlen_login_defs" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion test_ref="oval:ssg-test_pass_min_len:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-accounts_password_warn_age_login_defs:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Set Password Warning Age</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The password expiration warning age should be set appropriately.</oval-def:description>
-            <oval-def:reference ref_id="accounts_password_warn_age_login_defs" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion test_ref="oval:ssg-test_pass_warn_age:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-accounts_password_all_shadowed:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Verify All Account Password Hashes are Shadowed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>All password hashes should be shadowed.</oval-def:description>
-            <oval-def:reference ref_id="accounts_password_all_shadowed" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="password hashes are shadowed" test_ref="oval:ssg-test_accounts_password_all_shadowed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-gid_passwd_group_same:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>All GIDs referenced in /etc/passwd must be defined in /etc/group</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>All GIDs referenced in /etc/passwd must be defined in /etc/group.</oval-def:description>
-            <oval-def:reference ref_id="gid_passwd_group_same" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion test_ref="oval:ssg-test_gid_passwd_group_same:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-no_empty_passwords:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Prevent Login to Accounts With Empty Password</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The file /etc/pam.d/system-auth should not contain the nullok option</oval-def:description>
-            <oval-def:reference ref_id="CCE-82553-9" source="CCE"/>
-            <oval-def:reference ref_id="no_empty_passwords" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="make sure the nullok option is not used in /etc/pam.d/system-auth" test_ref="oval:ssg-test_no_empty_passwords:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-no_empty_passwords_etc_shadow:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure There Are No Accounts With Blank or Null Passwords</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The file /etc/shadow shows that there aren't empty passwords</oval-def:description>
-            <oval-def:reference ref_id="no_empty_passwords_etc_shadow" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="make sure there aren't blank or null passwords in /etc/shadow" test_ref="oval:ssg-test_no_empty_passwords_etc_shadow:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-no_legacy_plus_entries_etc_group:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure there are no legacy + NIS entries in /etc/group</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>No lines starting with + are in /etc/group</oval-def:description>
-            <oval-def:reference ref_id="no_legacy_plus_entries_etc_group" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="no lines starting with + are in /etc/group">
-            <oval-def:criterion test_ref="oval:ssg-test_no_legacy_plus_entries_etc_group:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-no_legacy_plus_entries_etc_passwd:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure there are no legacy + NIS entries in /etc/passwd</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>No lines starting with + are in /etc/passwd</oval-def:description>
-            <oval-def:reference ref_id="no_legacy_plus_entries_etc_passwd" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="no lines starting with + are in /etc/passwd">
-            <oval-def:criterion test_ref="oval:ssg-test_no_legacy_plus_entries_etc_passwd:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-no_legacy_plus_entries_etc_shadow:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure there are no legacy + NIS entries in /etc/shadow</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>No lines starting with + are in /etc/shadow</oval-def:description>
-            <oval-def:reference ref_id="no_legacy_plus_entries_etc_shadow" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="no lines starting with + are in /etc/shadow">
-            <oval-def:criterion test_ref="oval:ssg-test_no_legacy_plus_entries_etc_shadow:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-no_netrc_files:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Verify No netrc Files Exist</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The .netrc files contain login information used to auto-login into FTP servers and reside in the user's home directory. Any .netrc files should be removed.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82667-7" source="CCE"/>
-            <oval-def:reference ref_id="no_netrc_files" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion test_ref="oval:ssg-test_no_netrc_files_home:tst:1" negate="true"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-accounts_no_uid_except_zero:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Verify Only Root Has UID 0</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Only the root account should be assigned a user id of 0.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82699-0" source="CCE"/>
-            <oval-def:reference ref_id="accounts_no_uid_except_zero" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="tests that there are no accounts with UID 0 except root in the /etc/passwd file" test_ref="oval:ssg-test_accounts_no_uid_except_root:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-accounts_root_gid_zero:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Verify Root Has A Primary GID 0</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The root account should have primary group of 0</oval-def:description>
-            <oval-def:reference ref_id="accounts_root_gid_zero" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="tests that the root account's gid is equal to 0" test_ref="oval:ssg-test_accounts_root_gid_zero:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-no_direct_root_logins:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Direct root Logins Not Allowed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Preventing direct root logins help ensure accountability for actions
-      taken on the system using the root account.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82698-2" source="CCE"/>
-            <oval-def:reference ref_id="no_direct_root_logins" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="serial ports /etc/securetty" test_ref="oval:ssg-test_no_direct_root_logins:tst:1"/>
-            <oval-def:criterion comment="serial ports /etc/securetty" test_ref="oval:ssg-test_etc_securetty_exists:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-no_shelllogin_for_systemaccounts:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Ensure that System Accounts Do Not Run a Shell Upon Login</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The root account is the only system account that should have
-      a login shell.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82697-4" source="CCE"/>
-            <oval-def:reference ref_id="no_shelllogin_for_systemaccounts" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion comment="Test SYS_UID_MIN not defined in /etc/login.defs" test_ref="oval:ssg-test_sys_uid_min_not_defined:tst:1"/>
-              <oval-def:criterion comment="Test SYS_UID_MAX not defined in /etc/login.defs" test_ref="oval:ssg-test_sys_uid_max_not_defined:tst:1"/>
-              <oval-def:criterion comment="Test shell defined for UID from &lt;0, UID_MIN -1&gt;" test_ref="oval:ssg-test_shell_defined_default_uid_range:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion comment="Test SYS_UID_MIN defined in /etc/login.defs" test_ref="oval:ssg-test_sys_uid_min_not_defined:tst:1" negate="true"/>
-              <oval-def:criterion comment="Test SYS_UID_MAX defined in /etc/login.defs" test_ref="oval:ssg-test_sys_uid_max_not_defined:tst:1" negate="true"/>
-              <oval-def:criterion comment="Test shell defined for reserved system UIDs" test_ref="oval:ssg-test_shell_defined_reserved_uid_range:tst:1"/>
-              <oval-def:criterion comment="Test shell defined for dynamically allocated system UIDs" test_ref="oval:ssg-test_shell_defined_dynalloc_uid_range:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-restrict_serial_port_logins:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Restrict Serial Port Root Logins</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Preventing direct root login to serial port interfaces helps
-      ensure accountability for actions taken on the system using the root
-      account.</oval-def:description>
-            <oval-def:reference ref_id="restrict_serial_port_logins" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="serial ports /etc/securetty" test_ref="oval:ssg-test_serial_ports_etc_securetty:tst:1" negate="true"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-securetty_root_login_console_only:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Restrict Virtual Console Root Logins</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Preventing direct root login to virtual console devices
-      helps ensure accountability for actions taken on the system using the
-      root account.</oval-def:description>
-            <oval-def:reference ref_id="securetty_root_login_console_only" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="virtual consoles /etc/securetty" test_ref="oval:ssg-test_virtual_consoles_etc_securetty:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-accounts_logon_fail_delay:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure the Logon Failure Delay is Set Correctly in login.defs</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The delay between failed authentication attempts should be
-      set for all users specified in /etc/login.defs</oval-def:description>
-            <oval-def:reference ref_id="accounts_logon_fail_delay" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion test_ref="oval:ssg-test_accounts_logon_fail_delay:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-accounts_max_concurrent_login_sessions:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Limit the Number of Concurrent Login Sessions Allowed Per User</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The maximum number of concurrent login sessions per user should meet
-      minimum requirements.</oval-def:description>
-            <oval-def:reference ref_id="accounts_max_concurrent_login_sessions" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criterion comment="the value maxlogins should be set appropriately in /etc/security/limits.d/*.conf" test_ref="oval:ssg-test_limitsd_maxlogins:tst:1"/>
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion comment="the value maxlogins should not be set at all in /etc/security/limits.d/*.conf" test_ref="oval:ssg-test_limitsd_maxlogins_exists:tst:1" negate="true"/>
-              <oval-def:criterion comment="the value maxlogins should be set appropriately in /etc/security/limits.conf" test_ref="oval:ssg-test_maxlogins:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-accounts_polyinstantiated_tmp:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Configure Polyinstantiation of /tmp Directories</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description/>
-            <oval-def:reference ref_id="accounts_polyinstantiated_tmp" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND" comment="Check Polyinstantiation of /tmp Directories">
-            <oval-def:criterion comment="Check that /tmp/tmp-inst exists and has mode 000" test_ref="oval:ssg-test_tmp_inst:tst:1"/>
-            <oval-def:criterion comment="Check configuration of /tmp in /etc/security/namespace.conf file" test_ref="oval:ssg-test_tmp_in_namespace_conf:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-accounts_polyinstantiated_var_tmp:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Configure Polyinstantiation of /var/tmp Directories</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description/>
-            <oval-def:reference ref_id="accounts_polyinstantiated_var_tmp" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND" comment="Check Polyinstantiation of /tmp Directories">
-            <oval-def:criterion comment="Check that /var/tmp/tmp-inst exists and has mode 000" test_ref="oval:ssg-test_var_tmp_tmp_inst:tst:1"/>
-            <oval-def:criterion comment="Check configuration of /var/tmp in /etc/security/namespace.conf file" test_ref="oval:ssg-test_var_tmp_in_namespace_conf:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-accounts_tmout:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Set Interactive Session Timeout</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks interactive shell timeout</oval-def:description>
-            <oval-def:reference ref_id="accounts_tmout" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criterion comment="TMOUT value in /etc/profile &lt;= var_accounts_tmout" test_ref="oval:ssg-test_etc_profile_tmout:tst:1"/>
-            <oval-def:criterion comment="TMOUT value in /etc/profile.d/*.sh &lt;= var_accounts_tmout" test_ref="oval:ssg-test_etc_profiled_tmout:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_home_dirs:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure that User Home Directories are not Group-Writable or World-Readable</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Ensure that User Home Directories are not Group-Writable or World-Readable</oval-def:description>
-            <oval-def:reference ref_id="file_permissions_home_dirs" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="home directories" test_ref="oval:ssg-test_file_permissions_home_dirs:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-accounts_root_path_dirs_no_write:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Ensure that Root's Path Does Not Include World or Group-Writable Directories</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check each directory in root's path and make use it does
-      not grant write permission to group and other</oval-def:description>
-            <oval-def:reference ref_id="accounts_root_path_dirs_no_write" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="Check that write permission to group and other in root's path is denied">
-            <oval-def:criterion comment="Check for write permission to group and other in root's path" test_ref="oval:ssg-test_accounts_root_path_dirs_no_group_other_write:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-root_path_no_dot:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Ensure that Root's Path Does Not Include Relative Paths or Null Directories</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The environment variable PATH should be set correctly for
-      the root user.</oval-def:description>
-            <oval-def:reference ref_id="root_path_no_dot" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="environment variable PATH contains dangerous path" operator="AND">
-            <oval-def:criterion comment="environment variable PATH starts with : or ." test_ref="oval:ssg-test_env_var_begins:tst:1"/>
-            <oval-def:criterion comment="environment variable PATH contains : twice in a row" test_ref="oval:ssg-test_env_var_contains_doublecolon:tst:1"/>
-            <oval-def:criterion comment="environment variable PATH contains . twice in a row" test_ref="oval:ssg-test_env_var_contains_doubleperiod:tst:1"/>
-            <oval-def:criterion comment="environment variable PATH ends with : or ." test_ref="oval:ssg-test_env_var_ends:tst:1"/>
-            <oval-def:criterion comment="environment variable PATH doesn't begin with a /" test_ref="oval:ssg-test_env_var_begins_slash:tst:1"/>
-            <oval-def:criterion comment="environment variable PATH doesn't contain relative paths" test_ref="oval:ssg-test_env_var_contains_relative_path:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-accounts_umask_etc_bashrc:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Ensure the Default Bash Umask is Set Correctly</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The default umask for users of the bash shell</oval-def:description>
-            <oval-def:reference ref_id="CCE-84260-9" source="CCE"/>
-            <oval-def:reference ref_id="accounts_umask_etc_bashrc" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="Get value of var_accounts_user_umask variable as octal number" definition_ref="oval:ssg-var_accounts_user_umask_as_number:def:1"/>
-            <oval-def:criterion test_ref="oval:ssg-tst_accounts_umask_etc_bashrc:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-accounts_umask_etc_csh_cshrc:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Ensure the Default C Shell Umask is Set Correctly</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The default umask for users of the csh shell</oval-def:description>
-            <oval-def:reference ref_id="CCE-84261-7" source="CCE"/>
-            <oval-def:reference ref_id="accounts_umask_etc_csh_cshrc" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="Get value of var_accounts_user_umask variable as octal number" definition_ref="oval:ssg-var_accounts_user_umask_as_number:def:1"/>
-            <oval-def:criterion test_ref="oval:ssg-tst_accounts_umask_etc_csh_cshrc:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-accounts_umask_etc_login_defs:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Ensure the Default Umask is Set Correctly in login.defs</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The default umask for all users specified in /etc/login.defs</oval-def:description>
-            <oval-def:reference ref_id="accounts_umask_etc_login_defs" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="Get value of var_accounts_user_umask variable as octal number" definition_ref="oval:ssg-var_accounts_user_umask_as_number:def:1"/>
-            <oval-def:criterion test_ref="oval:ssg-tst_accounts_umask_etc_login_defs:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-accounts_umask_etc_profile:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Ensure the Default Umask is Set Correctly in /etc/profile</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The default umask for all users should be set correctly</oval-def:description>
-            <oval-def:reference ref_id="CCE-84262-5" source="CCE"/>
-            <oval-def:reference ref_id="accounts_umask_etc_profile" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="Get value of var_accounts_user_umask variable as octal number" definition_ref="oval:ssg-var_accounts_user_umask_as_number:def:1"/>
-            <oval-def:criterion test_ref="oval:ssg-tst_accounts_umask_etc_profile:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_enable_syscall_auditing:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Enable Syscall Auditing</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Syscall auditing should not be disabled.</oval-def:description>
-            <oval-def:reference ref_id="audit_rules_enable_syscall_auditing" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="check that no audit rule exists in /etc/audit/rules.d/*.rules that disables all syscall auditing" test_ref="oval:ssg-test_enable_syscall_audit_augenrules:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="check that no audit rule exists in /etc/audit/audit.rules that disables all syscall auditing" test_ref="oval:ssg-test_enable_syscall_audit_auditctl:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_immutable:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Make the auditd Configuration Immutable</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Force a reboot to change audit rules is enabled</oval-def:description>
-            <oval-def:reference ref_id="CCE-82668-5" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_immutable" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules configuration locked" test_ref="oval:ssg-test_ari_locked_augenrules:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl configuration locked" test_ref="oval:ssg-test_ari_locked_auditctl:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_mac_modification:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Events that Modify the System's Mandatory Access Controls</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules that detect changes to the system's mandatory access controls (SELinux) are enabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82586-9" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_mac_modification" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit selinux changes augenrules" test_ref="oval:ssg-test_armm_selinux_watch_augenrules:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit selinux changes auditctl" test_ref="oval:ssg-test_armm_selinux_watch_auditctl:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_networkconfig_modification:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Events that Modify the System's Network Environment</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The network environment should not be modified by anything other than
-      administrator action. Any change to network parameters should be audited.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82588-5" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_networkconfig_modification" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit /etc/issue augenrules" test_ref="oval:ssg-test_arnm_etc_issue_augenrules:tst:1"/>
-              <oval-def:criterion comment="audit /etc/issue.net augenrules" test_ref="oval:ssg-test_arnm_etc_issue_net_augenrules:tst:1"/>
-              <oval-def:criterion comment="audit /etc/hosts augenrules" test_ref="oval:ssg-test_arnm_etc_hosts_augenrules:tst:1"/>
-              <oval-def:criterion comment="audit /etc/sysconfig/network augenrules" test_ref="oval:ssg-test_arnm_etc_sysconfig_network_augenrules:tst:1"/>
-              <oval-def:extend_definition comment="audit augenrules sethostname" definition_ref="oval:ssg-audit_rules_networkconfig_modification_hostname:def:1"/>
-              <oval-def:extend_definition comment="audit augenrules setdomainname" definition_ref="oval:ssg-audit_rules_networkconfig_modification_domainname:def:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit /etc/issue auditctl" test_ref="oval:ssg-test_arnm_etc_issue_auditctl:tst:1"/>
-              <oval-def:criterion comment="audit /etc/issue.net auditctl" test_ref="oval:ssg-test_arnm_etc_issue_net_auditctl:tst:1"/>
-              <oval-def:criterion comment="audit /etc/hosts auditctl" test_ref="oval:ssg-test_arnm_etc_hosts_auditctl:tst:1"/>
-              <oval-def:criterion comment="audit /etc/sysconfig/network auditctl" test_ref="oval:ssg-test_arnm_etc_sysconfig_network_auditctl:tst:1"/>
-              <oval-def:extend_definition comment="audit augenrules sethostname" definition_ref="oval:ssg-audit_rules_networkconfig_modification_hostname:def:1"/>
-              <oval-def:extend_definition comment="audit augenrules setdomainname" definition_ref="oval:ssg-audit_rules_networkconfig_modification_domainname:def:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_session_events:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Attempts to Alter Process and Session Initiation Information</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules should capture information about session initiation.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82612-3" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_session_events" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules utmp" test_ref="oval:ssg-test_arse_utmp_augenrules:tst:1"/>
-              <oval-def:criterion comment="audit augenrules btmp" test_ref="oval:ssg-test_arse_btmp_augenrules:tst:1"/>
-              <oval-def:criterion comment="audit augenrules wtmp" test_ref="oval:ssg-test_arse_wtmp_augenrules:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl utmp" test_ref="oval:ssg-test_arse_utmp_auditctl:tst:1"/>
-              <oval-def:criterion comment="audit auditctl btmp" test_ref="oval:ssg-test_arse_btmp_auditctl:tst:1"/>
-              <oval-def:criterion comment="audit auditctl wtmp" test_ref="oval:ssg-test_arse_wtmp_auditctl:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_sysadmin_actions:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure auditd Collects System Administrator Actions</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit actions taken by system administrators on the system.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82613-1" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_sysadmin_actions" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules sudoers" test_ref="oval:ssg-test_audit_rules_sysadmin_actions_sudoers_augenrules:tst:1"/>
-              <oval-def:criterion comment="audit augenrules sudoers_d" test_ref="oval:ssg-test_audit_rules_sysadmin_actions_sudoers_d_augenrules:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl sudoers" test_ref="oval:ssg-test_audit_rules_sysadmin_actions_sudoers_auditctl:tst:1"/>
-              <oval-def:criterion comment="audit auditctl sudoers_d" test_ref="oval:ssg-test_audit_rules_sysadmin_actions_sudoers_d_auditctl:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_usergroup_modification:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Events that Modify User/Group Information</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules should detect modification to system files that hold information about users and groups.</oval-def:description>
-            <oval-def:reference ref_id="audit_rules_usergroup_modification" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit /etc/group" test_ref="oval:ssg-test_audit_rules_usergroup_modification_etc_group_augen:tst:1"/>
-              <oval-def:criterion comment="audit /etc/passwd" test_ref="oval:ssg-test_audit_rules_usergroup_modification_etc_passwd_augen:tst:1"/>
-              <oval-def:criterion comment="audit /etc/gshadow" test_ref="oval:ssg-test_audit_rules_usergroup_modification_etc_gshadow_augen:tst:1"/>
-              <oval-def:criterion comment="audit /etc/shadow" test_ref="oval:ssg-test_audit_rules_usergroup_modification_etc_shadow_augen:tst:1"/>
-              <oval-def:criterion comment="audit /etc/security/opasswd" test_ref="oval:ssg-test_audit_rules_usergroup_modification_etc_security_opasswd_augen:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit /etc/group" test_ref="oval:ssg-test_audit_rules_usergroup_modification_etc_group_auditctl:tst:1"/>
-              <oval-def:criterion comment="audit /etc/passwd" test_ref="oval:ssg-test_audit_rules_usergroup_modification_etc_passwd_auditctl:tst:1"/>
-              <oval-def:criterion comment="audit /etc/gshadow" test_ref="oval:ssg-test_audit_rules_usergroup_modification_etc_gshadow_auditctl:tst:1"/>
-              <oval-def:criterion comment="audit /etc/shadow" test_ref="oval:ssg-test_audit_rules_usergroup_modification_etc_shadow_auditctl:tst:1"/>
-              <oval-def:criterion comment="audit /etc/security/opasswd" test_ref="oval:ssg-test_audit_rules_usergroup_modification_etc_security_opasswd_auditctl:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-directory_access_var_log_audit:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Access Events to Audit Log Directory</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the read events to /var/log/audit</oval-def:description>
-            <oval-def:reference ref_id="CCE-82712-1" source="CCE"/>
-            <oval-def:reference ref_id="directory_access_var_log_audit" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit rule to record read access events to /var/log/audit" test_ref="oval:ssg-test_directory_acccess_var_log_audit_augenrules:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit rule to record read access events to /var/log/audit" test_ref="oval:ssg-test_directory_acccess_var_log_audit_auditctl:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-directory_permissions_var_log_audit:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>System Audit Logs Must Have Mode 0750 or Less Permissive</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks for correct permissions for audit logs.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82692-5" source="CCE"/>
-            <oval-def:reference ref_id="directory_permissions_var_log_audit" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND" comment="log_file set">
-              <oval-def:extend_definition comment="log_file set in auditd.conf" definition_ref="oval:ssg-auditd_conf_log_file_not_set:def:1" negate="true"/>
-              <oval-def:criteria operator="AND" comment="log_group in auditd.conf is not root">
-                <oval-def:extend_definition comment="log_group in auditd.conf is not root" definition_ref="oval:ssg-auditd_conf_log_group_not_root:def:1"/>
-                <oval-def:criterion test_ref="oval:ssg-test_dir_permissions_audit_log-non_root:tst:1" negate="true"/>
-              </oval-def:criteria>
-              <oval-def:criterion test_ref="oval:ssg-test_dir_permissions_audit_log:tst:1" negate="true"/>
-            </oval-def:criteria>
-            <oval-def:criterion test_ref="oval:ssg-test_dir_permissions_var_log_audit:tst:1" negate="true"/>
-            <oval-def:criteria operator="AND" comment="log_group in auditd.conf is not root">
-              <oval-def:extend_definition comment="log_group in auditd.conf is not root" definition_ref="oval:ssg-auditd_conf_log_group_not_root:def:1"/>
-              <oval-def:criterion test_ref="oval:ssg-test_dir_permissions_var_log_audit-non_root:tst:1" negate="true"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_ownership_var_log_audit:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>System Audit Logs Must Be Owned By Root</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks that all /var/log/audit files and directories are owned by the root user and group.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82691-7" source="CCE"/>
-            <oval-def:reference ref_id="file_ownership_var_log_audit" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND" comment="directories are root owned">
-              <oval-def:criterion test_ref="oval:ssg-test_ownership_var_log_audit_files:tst:1"/>
-              <oval-def:criterion test_ref="oval:ssg-test_ownership_var_log_audit_directories:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND" comment="log_group in auditd.conf is not root">
-              <oval-def:extend_definition comment="log_group in auditd.conf is not root" definition_ref="oval:ssg-auditd_conf_log_group_not_root:def:1"/>
-              <oval-def:criterion test_ref="oval:ssg-test_ownership_var_log_audit_files-non_root:tst:1"/>
-              <oval-def:criterion test_ref="oval:ssg-test_ownership_var_log_audit_directories-non_root:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_var_log_audit:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>System Audit Logs Must Have Mode 0640 or Less Permissive</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks for correct permissions for all audit log files.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82690-9" source="CCE"/>
-            <oval-def:reference ref_id="file_permissions_var_log_audit" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND" comment="log_file set">
-              <oval-def:extend_definition comment="log_file set in auditd.conf" definition_ref="oval:ssg-auditd_conf_log_file_not_set:def:1" negate="true"/>
-              <oval-def:criteria operator="AND" comment="log_group in auditd.conf is not root">
-                <oval-def:extend_definition comment="log_group in auditd.conf is not root" definition_ref="oval:ssg-auditd_conf_log_group_not_root:def:1"/>
-                <oval-def:criterion test_ref="oval:ssg-test_file_permissions_audit_log-non_root:tst:1" negate="true"/>
-              </oval-def:criteria>
-              <oval-def:criterion test_ref="oval:ssg-test_file_permissions_audit_log:tst:1" negate="true"/>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND" comment="log_group in auditd.conf is not root">
-              <oval-def:extend_definition comment="log_group in auditd.conf is not root" definition_ref="oval:ssg-auditd_conf_log_group_not_root:def:1"/>
-              <oval-def:criterion test_ref="oval:ssg-test_file_permissions_var_log_audit-non_root:tst:1" negate="true"/>
-            </oval-def:criteria>
-            <oval-def:criterion test_ref="oval:ssg-test_file_permissions_var_log_audit:tst:1" negate="true"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_dac_modification_umount:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Events that Modify the System's Discretionary Access Controls - umount</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The changing of file permissions and attributes should be audited.</oval-def:description>
-            <oval-def:reference ref_id="audit_rules_dac_modification_umount" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit umount" test_ref="oval:ssg-test_32bit_ardm_umount_augenrules:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit umount" test_ref="oval:ssg-test_32bit_ardm_umount_auditctl:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_file_deletion_events:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure auditd Collects File Deletion Events by User</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit files deletion events.</oval-def:description>
-            <oval-def:reference ref_id="audit_rules_file_deletion_events" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="audit rmdir" definition_ref="oval:ssg-audit_rules_file_deletion_events_rmdir:def:1"/>
-            <oval-def:extend_definition comment="audit unlink" definition_ref="oval:ssg-audit_rules_file_deletion_events_unlink:def:1"/>
-            <oval-def:extend_definition comment="audit unlinkat" definition_ref="oval:ssg-audit_rules_file_deletion_events_unlinkat:def:1"/>
-            <oval-def:extend_definition comment="audit rename" definition_ref="oval:ssg-audit_rules_file_deletion_events_rename:def:1"/>
-            <oval-def:extend_definition comment="audit renameat" definition_ref="oval:ssg-audit_rules_file_deletion_events_renameat:def:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_unsuccessful_file_modification:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.</oval-def:description>
-            <oval-def:reference ref_id="audit_rules_unsuccessful_file_modification" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="audit creat" definition_ref="oval:ssg-audit_rules_unsuccessful_file_modification_creat:def:1"/>
-            <oval-def:extend_definition comment="audit ftruncate" definition_ref="oval:ssg-audit_rules_unsuccessful_file_modification_ftruncate:def:1"/>
-            <oval-def:extend_definition comment="audit openat" definition_ref="oval:ssg-audit_rules_unsuccessful_file_modification_openat:def:1"/>
-            <oval-def:extend_definition comment="audit open_by_handle_at" definition_ref="oval:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at:def:1"/>
-            <oval-def:extend_definition comment="audit open" definition_ref="oval:ssg-audit_rules_unsuccessful_file_modification_open:def:1"/>
-            <oval-def:extend_definition comment="audit truncate" definition_ref="oval:ssg-audit_rules_unsuccessful_file_modification_truncate:def:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_kernel_module_loading:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure auditd Collects Information on Kernel Module Loading and Unloading</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The audit rules should be configured to log information about kernel module loading and unloading.</oval-def:description>
-            <oval-def:reference ref_id="audit_rules_kernel_module_loading" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="audit init_module" definition_ref="oval:ssg-audit_rules_kernel_module_loading_init:def:1"/>
-            <oval-def:extend_definition comment="audit delete_module" definition_ref="oval:ssg-audit_rules_kernel_module_loading_delete:def:1"/>
-            <oval-def:extend_definition comment="audit finit_module" definition_ref="oval:ssg-audit_rules_kernel_module_loading_finit:def:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_kernel_module_loading_delete:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure auditd Collects Information on Kernel Module Unloading - delete_module</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The audit rules should be configured to log information about kernel module loading and unloading.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82580-2" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_kernel_module_loading_delete" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit delete_module" test_ref="oval:ssg-test_32bit_ardm_delete_module_augenrules:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit augenrules 64-bit delete_module" test_ref="oval:ssg-test_64bit_ardm_delete_module_augenrules:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit delete_module" test_ref="oval:ssg-test_32bit_ardm_delete_module_auditctl:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit auditctl 64-bit delete_module" test_ref="oval:ssg-test_64bit_ardm_delete_module_auditctl:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_kernel_module_loading_finit:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The audit rules should be configured to log information about kernel module loading and unloading.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82581-0" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_kernel_module_loading_finit" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit finit_module" test_ref="oval:ssg-test_32bit_ardm_finit_module_augenrules:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit augenrules 64-bit finit_module" test_ref="oval:ssg-test_64bit_ardm_finit_module_augenrules:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit finit_module" test_ref="oval:ssg-test_32bit_ardm_finit_module_auditctl:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit auditctl 64-bit finit_module" test_ref="oval:ssg-test_64bit_ardm_finit_module_auditctl:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_kernel_module_loading_init:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure auditd Collects Information on Kernel Module Loading - init_module</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The audit rules should be configured to log information about kernel module loading and unloading.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82582-8" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_kernel_module_loading_init" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit init_module" test_ref="oval:ssg-test_32bit_ardm_init_module_augenrules:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit augenrules 64-bit init_module" test_ref="oval:ssg-test_64bit_ardm_init_module_augenrules:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit init_module" test_ref="oval:ssg-test_32bit_ardm_init_module_auditctl:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit auditctl 64-bit init_module" test_ref="oval:ssg-test_64bit_ardm_init_module_auditctl:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_login_events:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Record Attempts to Alter Logon and Logout Events</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules should be configured to log successful and unsuccessful login and logout events.</oval-def:description>
-            <oval-def:reference ref_id="audit_rules_login_events" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="audit tallylog" definition_ref="oval:ssg-audit_rules_login_events_tallylog:def:1"/>
-            <oval-def:extend_definition comment="audit faillock" definition_ref="oval:ssg-audit_rules_login_events_faillock:def:1"/>
-            <oval-def:extend_definition comment="audit lastlog" definition_ref="oval:ssg-audit_rules_login_events_lastlog:def:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_privileged_commands:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure auditd Collects Information on the Use of Privileged Commands</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the information on the use of privileged commands are enabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82589-3" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_privileged_commands" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules suid sgid" test_ref="oval:ssg-test_arpc_suid_sgid_augenrules:tst:1"/>
-              <oval-def:criterion comment="audit augenrules binaries count matches rules count" test_ref="oval:ssg-test_arpc_bin_count_equals_rules_count_augenrules:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl suid sgid" test_ref="oval:ssg-test_arpc_suid_sgid_auditctl:tst:1"/>
-              <oval-def:criterion comment="audit auditctl binaries count matches rules count" test_ref="oval:ssg-test_arpc_bin_count_equals_rules_count_auditctl:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_time_adjtimex:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record attempts to alter time through adjtimex</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Record attempts to alter time through adjtimex.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82614-9" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_time_adjtimex" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit adjtimex" test_ref="oval:ssg-test_32bit_art_adjtimex_augenrules:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit augenrules 64-bit adjtimex" test_ref="oval:ssg-test_64bit_art_adjtimex_augenrules:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit adjtimex" test_ref="oval:ssg-test_32bit_art_adjtimex_auditctl:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit auditctl 64-bit adjtimex" test_ref="oval:ssg-test_64bit_art_adjtimex_auditctl:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_time_clock_settime:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Record Attempts to Alter Time Through clock_settime</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Record attempts to alter time through clock_settime.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82615-6" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_time_clock_settime" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit clock_settime" test_ref="oval:ssg-test_32bit_art_clock_settime_augenrules:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit augenrules 64-bit clock_settime" test_ref="oval:ssg-test_64bit_art_clock_settime_augenrules:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit clock_settime" test_ref="oval:ssg-test_32bit_art_clock_settime_auditctl:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit auditctl 64-bit clock_settime" test_ref="oval:ssg-test_64bit_art_clock_settime_auditctl:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_time_settimeofday:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record attempts to alter time through settimeofday</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Record attempts to alter time through settimeofday.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82616-4" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_time_settimeofday" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit settimeofday" test_ref="oval:ssg-test_32bit_art_settimeofday_augenrules:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit augenrules 64-bit settimeofday" test_ref="oval:ssg-test_64bit_art_settimeofday_augenrules:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit settimeofday" test_ref="oval:ssg-test_32bit_art_settimeofday_auditctl:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit auditctl 64-bit settimeofday" test_ref="oval:ssg-test_64bit_art_settimeofday_auditctl:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_time_stime:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Attempts to Alter Time Through stime</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Record attempts to alter time through stime. Note that on
-      64-bit architectures the stime system call is not defined in the audit
-      system calls lookup table.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82617-2" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_time_stime" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criteria comment="32-bit or 64-bit system" operator="OR">
-              <oval-def:extend_definition comment="32-bit system" definition_ref="oval:ssg-system_info_architecture_x86:def:1"/>
-              <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria comment="audit augenrules or audit auditctl" operator="OR">
-              <oval-def:criteria comment="audit augenrules stime" operator="AND">
-                <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-                <oval-def:criterion comment="audit augenrules 32-bit stime" test_ref="oval:ssg-test_32bit_art_stime_augenrules:tst:1"/>
-              </oval-def:criteria>
-              <oval-def:criteria comment="audit auditctl stime" operator="AND">
-                <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-                <oval-def:criterion comment="audit auditctl 32-bit stime" test_ref="oval:ssg-test_32bit_art_stime_auditctl:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_time_watch_localtime:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Attempts to Alter the localtime File</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Record attempts to alter time through /etc/localtime.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82618-0" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_time_watch_localtime" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit /etc/localtime watch augenrules" test_ref="oval:ssg-test_artw_etc_localtime_augenrules:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit /etc/localtime watch auditctl" test_ref="oval:ssg-test_artw_etc_localtime_auditctl:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-auditd_audispd_configure_remote_server:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Configure audispd Plugin To Send Logs To Remote Server</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>remote_server setting in /etc/audit/audisp-remote.conf is set to a certain IP address or hostname</oval-def:description>
-            <oval-def:reference ref_id="auditd_audispd_configure_remote_server" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="remote_server setting in audisp-remote.conf" test_ref="oval:ssg-test_auditd_audispd_configure_remote_server:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-auditd_audispd_disk_full_action:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Configure audispd's Plugin disk_full_action When Disk Is Full</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>remote_server setting in /etc/audit/audisp-remote.conf is set to a certain IP address or hostname</oval-def:description>
-            <oval-def:reference ref_id="auditd_audispd_disk_full_action" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="remote_server setting in audisp-remote.conf" test_ref="oval:ssg-test_auditd_audispd_disk_full_action:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-auditd_audispd_encrypt_sent_records:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Encrypt Audit Records Sent With audispd Plugin</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>enable_krb5 setting in /etc/audit/audisp-remote.conf is set to 'yes'</oval-def:description>
-            <oval-def:reference ref_id="auditd_audispd_encrypt_sent_records" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="setting in audisp-remote.conf" test_ref="oval:ssg-test_auditd_audispd_encrypt_sent_records:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-auditd_audispd_network_failure_action:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Configure audispd's Plugin network_failure_action On Network Failure</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>remote_server setting in /etc/audit/audisp-remote.conf is set to a certain IP address or hostname</oval-def:description>
-            <oval-def:reference ref_id="auditd_audispd_network_failure_action" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="remote_server setting in audisp-remote.conf" test_ref="oval:ssg-test_auditd_audispd_network_failure_action:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-auditd_audispd_syslog_plugin_activated:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Configure auditd to use audispd's syslog plugin</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>active setting in /etc/audit/plugins.d/syslog.conf is set to 'yes'</oval-def:description>
-            <oval-def:reference ref_id="auditd_audispd_syslog_plugin_activated" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="active setting in syslog.conf" test_ref="oval:ssg-test_auditd_audispd_syslog_plugin_activated:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-auditd_data_disk_error_action:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Configure auditd Disk Error Action on Disk Error</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>disk_error_action setting in /etc/audit/auditd.conf is set to a certain action</oval-def:description>
-            <oval-def:reference ref_id="CCE-82679-2" source="CCE"/>
-            <oval-def:reference ref_id="auditd_data_disk_error_action" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="disk_error_action setting in auditd.conf" test_ref="oval:ssg-test_auditd_data_disk_error_action:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-auditd_data_disk_error_action_stig:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Configure auditd Disk Error Action on Disk Error</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>disk_error_action setting in /etc/audit/auditd.conf is set to SYSLOG, SINGLE or HALT</oval-def:description>
-            <oval-def:reference ref_id="auditd_data_disk_error_action_stig" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criterion comment="disk_error_action setting in auditd.conf is set to SYSLOG" test_ref="oval:ssg-test_auditd_data_disk_error_action_stig_syslog:tst:1"/>
-            <oval-def:criterion comment="disk_error_action setting in auditd.conf is set to SINGLE" test_ref="oval:ssg-test_auditd_data_disk_error_action_stig_single:tst:1"/>
-            <oval-def:criterion comment="disk_error_action setting in auditd.conf is set to HALT" test_ref="oval:ssg-test_auditd_data_disk_error_action_stig_halt:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-auditd_data_disk_full_action:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Configure auditd Disk Full Action when Disk Space Is Full</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>disk_full_action setting in /etc/audit/auditd.conf is set to a certain action</oval-def:description>
-            <oval-def:reference ref_id="CCE-82676-8" source="CCE"/>
-            <oval-def:reference ref_id="auditd_data_disk_full_action" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="disk_full_action setting in auditd.conf" test_ref="oval:ssg-test_auditd_data_disk_full_action:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-auditd_data_disk_full_action_stig:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Configure auditd Disk Full Action when Disk Space Is Full</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>disk_full_action setting in /etc/audit/auditd.conf is set to SYSLOG, SINGLE or HALT</oval-def:description>
-            <oval-def:reference ref_id="auditd_data_disk_full_action_stig" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criterion comment="disk_full_action setting in auditd.conf is set to SYSLOG" test_ref="oval:ssg-test_auditd_data_disk_full_action_stig_syslog:tst:1"/>
-            <oval-def:criterion comment="disk_full_action setting in auditd.conf is set to SINGLE" test_ref="oval:ssg-test_auditd_data_disk_full_action_stig_single:tst:1"/>
-            <oval-def:criterion comment="disk_full_action setting in auditd.conf is set to HALT" test_ref="oval:ssg-test_auditd_data_disk_full_action_stig_halt:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-auditd_data_retention_action_mail_acct:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Configure auditd mail_acct Action on Low Disk Space</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>action_mail_acct setting in /etc/audit/auditd.conf is set to a certain account</oval-def:description>
-            <oval-def:reference ref_id="CCE-82675-0" source="CCE"/>
-            <oval-def:reference ref_id="auditd_data_retention_action_mail_acct" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="action_mail_acct setting in auditd.conf" test_ref="oval:ssg-test_auditd_data_retention_action_mail_acct:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-auditd_data_retention_admin_space_left_action:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Configure auditd admin_space_left Action on Low Disk Space</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>admin_space_left_action setting in /etc/audit/auditd.conf is set to a certain action</oval-def:description>
-            <oval-def:reference ref_id="CCE-82677-6" source="CCE"/>
-            <oval-def:reference ref_id="auditd_data_retention_admin_space_left_action" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="admin_space_left_action setting in auditd.conf" test_ref="oval:ssg-test_auditd_data_retention_admin_space_left_action:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-auditd_data_retention_flush:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Configure auditd flush priority</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The setting for flush in /etc/audit/auditd.conf</oval-def:description>
-            <oval-def:reference ref_id="CCE-82508-3" source="CCE"/>
-            <oval-def:reference ref_id="auditd_data_retention_flush" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="flush setting in auditd.conf" test_ref="oval:ssg-test_auditd_data_retention_flush:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-auditd_data_retention_max_log_file:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Configure auditd Max Log File Size</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>max_log_file setting in /etc/audit/auditd.conf is set to at least a certain value</oval-def:description>
-            <oval-def:reference ref_id="CCE-82694-1" source="CCE"/>
-            <oval-def:reference ref_id="auditd_data_retention_max_log_file" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="max_log_file setting in auditd.conf" test_ref="oval:ssg-test_auditd_data_retention_max_log_file:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-auditd_data_retention_max_log_file_action:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Configure auditd max_log_file_action Upon Reaching Maximum Log Size</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>max_log_file_action setting in /etc/audit/auditd.conf is set to a certain action</oval-def:description>
-            <oval-def:reference ref_id="CCE-82680-0" source="CCE"/>
-            <oval-def:reference ref_id="auditd_data_retention_max_log_file_action" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="max_log_file_action setting in auditd.conf" test_ref="oval:ssg-test_auditd_data_retention_max_log_file_action:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-auditd_data_retention_max_log_file_action_stig:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Configure auditd max_log_file_action Upon Reaching Maximum Log Size</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>max_log_file_action setting in /etc/audit/auditd.conf is set to a certain action</oval-def:description>
-            <oval-def:reference ref_id="auditd_data_retention_max_log_file_action_stig" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criterion comment="max_log_file_action setting in auditd.conf" test_ref="oval:ssg-test_auditd_data_retention_max_log_file_action_stig_syslog:tst:1"/>
-            <oval-def:criterion comment="max_log_file_action setting in auditd.conf" test_ref="oval:ssg-test_auditd_data_retention_max_log_file_action_stig_keep_logs:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-auditd_data_retention_num_logs:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Configure auditd Number of Logs Retained</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>num_logs setting in /etc/audit/auditd.conf is set to at least a certain value</oval-def:description>
-            <oval-def:reference ref_id="CCE-82693-3" source="CCE"/>
-            <oval-def:reference ref_id="auditd_data_retention_num_logs" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="num_logs setting in auditd.conf" test_ref="oval:ssg-test_auditd_data_retention_num_logs:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-auditd_data_retention_space_left:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Configure auditd space_left on Low Disk Space</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>space_left setting in /etc/audit/auditd.conf is set to at least a certain value</oval-def:description>
-            <oval-def:reference ref_id="CCE-82681-8" source="CCE"/>
-            <oval-def:reference ref_id="auditd_data_retention_space_left" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="space_left setting in auditd.conf" test_ref="oval:ssg-test_auditd_data_retention_space_left:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-auditd_data_retention_space_left_action:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Configure auditd space_left Action on Low Disk Space</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>space_left_action setting in /etc/audit/auditd.conf is set to a certain action</oval-def:description>
-            <oval-def:reference ref_id="CCE-82678-4" source="CCE"/>
-            <oval-def:reference ref_id="auditd_data_retention_space_left_action" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="space_left_action setting in auditd.conf" test_ref="oval:ssg-test_auditd_data_retention_space_left_action:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-auditd_overflow_action:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Appropriate Action Must be Setup When the Internal Audit Event Queue is Full</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Ensure 'overflow_action' is configured with value '(syslog|single|halt)' in /etc/audit/auditd.conf</oval-def:description>
-            <oval-def:reference ref_id="auditd_overflow_action" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="The respective application or service is configured correctly" operator="OR">
-            <oval-def:criterion comment="Check the overflow_action in /etc/audit/auditd.conf" test_ref="oval:ssg-test_auditd_overflow_action:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_for_ospp:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Configure audit according to OSPP requirements</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Compare configure audit rules against the recommended pre-configured files.</oval-def:description>
-            <oval-def:reference ref_id="audit_rules_for_ospp" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="check 10-base-config.rules file" test_ref="oval:ssg-test_compare_10-base-config_old:tst:1"/>
-            <oval-def:criterion comment="check 11-loginuid.rules file" test_ref="oval:ssg-test_compare_11-loginuid_old:tst:1"/>
-            <oval-def:criterion comment="check 30-ospp-v42.rules file" test_ref="oval:ssg-test_compare_30-ospp-v42_old:tst:1"/>
-            <oval-def:criterion comment="check 43-module-load.rules file" test_ref="oval:ssg-test_compare_43-module-load_old:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-grub2_disable_recovery:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Disable Recovery Booting</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Recovery mode should be disabled.</oval-def:description>
-            <oval-def:reference ref_id="grub2_disable_recovery" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition definition_ref="oval:ssg-bootloader_disable_recovery_set_to_true:def:1" comment="Check GRUB_DISABLE_RECOVERY=true in /etc/default/grub"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-grub2_uefi_admin_username:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Set the UEFI Boot Loader Admin Username to a Non-Default Value</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The grub2 boot loader superuser should have a username that is hard to guess.</oval-def:description>
-            <oval-def:reference ref_id="CCE-83540-5" source="CCE"/>
-            <oval-def:reference ref_id="grub2_uefi_admin_username" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criterion comment="Superuser is defined in /boot/grub2/grub.cfg and it             isn't root, admin, administrator nor equal to any system username" test_ref="oval:ssg-test_bootloader_uefi_superuser_differ_from_other_users:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-grub2_uefi_password:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Set the UEFI Boot Loader Password</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The UEFI grub2 boot loader should have password protection enabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82552-1" source="CCE"/>
-            <oval-def:reference ref_id="grub2_uefi_password" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criterion comment="make sure a password is defined in /boot/grub2/user.cfg" test_ref="oval:ssg-test_grub2_uefi_password_usercfg:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-zipl_bls_entries_only:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure all zIPL boot entries are BLS compliant</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check if /etc/zipl.conf configures any boot entry</oval-def:description>
-            <oval-def:reference ref_id="zipl_bls_entries_only" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion test_ref="oval:ssg-test_zipl_bls_entries_only:tst:1" comment="Test presence of image configuration in /etc/zipl.conf"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-zipl_bootmap_is_up_to_date:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure zIPL bootmap is up to date</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check if /boot/bootmap is up to date</oval-def:description>
-            <oval-def:reference ref_id="zipl_bootmap_is_up_to_date" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion test_ref="oval:ssg-test_zipl_bootmap_is_up_to_date:tst:1" comment="Compare mtime of /boot/bootmap against /etc/zipl.conf and /boot/loader/entries/*.conf"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-zipl_systemd_debug-shell_argument_absent:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure debug-shell service is not enabled in zIPL</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Ensure systemd.debug-shell option is not configured in the 'options' line in /boot/loader/entries/*.conf. Make sure that newly installed kernels won't have this option, it should not be configured in /etc/kernel/cmdline.</oval-def:description>
-            <oval-def:reference ref_id="zipl_systemd_debug-shell_argument_absent" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="Check if argument systemd.debug-shell for Linux kernel is not present in /boot/loader/entries/.*.conf" test_ref="oval:ssg-test_zipl_systemd_debug-shell_argument_in_boot_loader_entries_conf:tst:1" negate="true"/>
-            <oval-def:criterion comment="Check if argument systemd.debug-shell for Linux kernel is not present in /etc/kernel/cmdline" test_ref="oval:ssg-test_zipl_systemd_debug-shell_argument_in_etc_kernel_cmdline:tst:1" negate="true"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-rsyslog_encrypt_offload_actionsendstreamdriverauthmode:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure Rsyslog Authenticates Off-Loaded Audit Records</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Rsyslogd must authenticate remote system its sending logs to.</oval-def:description>
-            <oval-def:reference ref_id="rsyslog_encrypt_offload_actionsendstreamdriverauthmode" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="Check if $ActionSendStreamDriverAuthMode x509/name is set in /etc/rsyslog.conf" test_ref="oval:ssg-test_rsyslog_encrypt_offload_actionsendstreamdriverauthmode_action_send_stream_driver_auth_mode:tst:1"/>
-              <oval-def:criterion comment="Check if $ActionSendStreamDriverAuthMode x509/name is set in files in /etc/rsyslog.d" test_ref="oval:ssg-test_rsyslog_encrypt_offload_actionsendstreamdriverauthmode_action_send_stream_driver_auth_mode_dir:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-rsyslog_encrypt_offload_actionsendstreamdrivermode:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure Rsyslog Encrypts Off-Loaded Audit Records</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Rsyslogd must encrypt the off-loading of logs off of the system.</oval-def:description>
-            <oval-def:reference ref_id="rsyslog_encrypt_offload_actionsendstreamdrivermode" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="Check if $ActionSendStreamDriverMode 1 is set in /etc/rsyslog.conf" test_ref="oval:ssg-test_rsyslog_encrypt_offload_actionsendstreamdrivermode_action_send_stream_driver_mode_rsyslog:tst:1"/>
-              <oval-def:criterion comment="Check if $ActionSendStreamDriverMode 1 is set in files in /etc/rsyslog.d" test_ref="oval:ssg-test_rsyslog_encrypt_offload_actionsendstreamdrivermode_action_send_stream_driver_mode_rsyslog_dir:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-rsyslog_encrypt_offload_defaultnetstreamdriver:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure Rsyslog Encrypts Off-Loaded Audit Records</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Rsyslogd must encrypt the off-loading of logs off of the system.</oval-def:description>
-            <oval-def:reference ref_id="rsyslog_encrypt_offload_defaultnetstreamdriver" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="Check if $DefaultNetstreamDriver gtls is set in /etc/rsyslog.conf" test_ref="oval:ssg-test_rsyslog_encrypt_offload_defaultnetstreamdriver_default_netstream_rsyslog:tst:1"/>
-              <oval-def:criterion comment="Check if $DefaultNetstreamDriver gtls is set in files in /etc/rsyslog.d" test_ref="oval:ssg-test_rsyslog_encrypt_offload_defaultnetstreamdriver_default_netstream_rsyslog_dir:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-rsyslog_files_groupownership:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure Log Files Are Owned By Appropriate Group</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>All syslog log files should be owned by the appropriate group.</oval-def:description>
-            <oval-def:reference ref_id="rsyslog_files_groupownership" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="Check if all system log files are owned by the appropriate group" test_ref="oval:ssg-test_rsyslog_files_groupownership:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-rsyslog_files_ownership:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure Log Files Are Owned By Appropriate User</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>All syslog log files should be owned by the appropriate user.</oval-def:description>
-            <oval-def:reference ref_id="rsyslog_files_ownership" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check if all system log files are owned by appropriate user" test_ref="oval:ssg-test_rsyslog_files_ownership:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-rsyslog_files_permissions:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure System Log Files Have Correct Permissions</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>File permissions for all syslog log files should be set correctly.</oval-def:description>
-            <oval-def:reference ref_id="rsyslog_files_permissions" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="Check permissions of all system log files" test_ref="oval:ssg-test_rsyslog_files_permissions:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-ensure_logrotate_activated:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure Logrotate Runs Periodically</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>
-      The frequency of automatic log files rotation performed by the logrotate utility should be configured to run daily
-      </oval-def:description>
-            <oval-def:reference ref_id="CCE-82689-1" source="CCE"/>
-            <oval-def:reference ref_id="ensure_logrotate_activated" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="/etc/logrotate.conf contains daily setting and /etc/cron.daily/logrotate file exists" operator="AND">
-            <oval-def:criterion comment="Check if daily is set in /etc/logrotate.conf" test_ref="oval:ssg-test_logrotate_conf_daily_setting:tst:1"/>
-            <oval-def:criterion comment="check that there is no weekly/monthly/yearly keyword in logrotate.conf" test_ref="oval:ssg-test_logrotate_conf_no_other_keyword:tst:1"/>
-            <oval-def:criterion comment="Check if /etc/cron.daily/logrotate file exists (and calls logrotate)" test_ref="oval:ssg-test_cron_daily_logrotate_existence:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-rsyslog_remote_loghost:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure Logs Sent To Remote Host</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Syslog logs should be sent to a remote loghost</oval-def:description>
-            <oval-def:reference ref_id="rsyslog_remote_loghost" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criterion comment="Remote logging set within /etc/rsyslog.conf" test_ref="oval:ssg-test_remote_rsyslog_conf:tst:1"/>
-            <oval-def:criterion comment="Remote logging set within /etc/rsyslog.d" test_ref="oval:ssg-test_remote_rsyslog_d:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-network_nmcli_permissions:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Prevent non-Privileged Users from Modifying Network Interfaces using nmcli</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>polkit is properly configured to prevent non-privileged users from changing networking settings</oval-def:description>
-            <oval-def:reference ref_id="CCE-82696-6" source="CCE"/>
-            <oval-def:reference ref_id="network_nmcli_permissions" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion test_ref="oval:ssg-test_network_nmcli_permissions:tst:1" comment="check for properly configured .pkla file"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kernel_module_ipv6_option_disabled:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Disable IPv6 Networking Support Automatic Loading</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The disable option will allow the IPv6 module to be inserted, but prevent address assignment and activation of the network stack.</oval-def:description>
-            <oval-def:reference ref_id="kernel_module_ipv6_option_disabled" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion test_ref="oval:ssg-test_kernel_module_ipv6_option_disabled:tst:1" comment="ipv6 disabled any modprobe conf file"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-wireless_disable_interfaces:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Deactivate Wireless Network Interfaces</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>All wireless interfaces should be disabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82660-2" source="CCE"/>
-            <oval-def:reference ref_id="wireless_disable_interfaces" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="check if wifi interfaces are disabled" test_ref="oval:ssg-test_wireless_disable_interfaces:tst:1" negate="true"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-dir_perms_world_writable_sticky_bits:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Verify that All World-Writable Directories Have Sticky Bits Set</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The sticky bit should be set for all world-writable directories.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82753-5" source="CCE"/>
-            <oval-def:reference ref_id="dir_perms_world_writable_sticky_bits" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="all local world writable directories have sticky bit set" test_ref="oval:ssg-test_dir_perms_world_writable_sticky_bits:tst:1" negate="true"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_systemmap:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Verify that local System.map file (if exists) is readable only by root</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>
-        Checks that /boot/System.map-* are only readable by root.
-      </oval-def:description>
-            <oval-def:reference ref_id="file_permissions_systemmap" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion test_ref="oval:ssg-test_permissions_systemmap_files:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_unauthorized_world_writable:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure No World-Writable Files Exist</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The world-write permission should be disabled for all files.</oval-def:description>
-            <oval-def:reference ref_id="file_permissions_unauthorized_world_writable" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion test_ref="oval:ssg-test_file_permissions_unauthorized_world_write:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_ownership_binary_dirs:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Verify that System Executables Have Root Ownership</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>
-        Checks that /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin,
-        /usr/local/sbin, /usr/libexec, and objects therein, are owned by root.
-      </oval-def:description>
-            <oval-def:reference ref_id="file_ownership_binary_dirs" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion test_ref="oval:ssg-test_ownership_binary_directories:tst:1"/>
-            <oval-def:criterion test_ref="oval:ssg-test_ownership_binary_files:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_binary_dirs:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Verify that System Executables Have Restrictive Permissions</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>
-        Checks that binary files under /bin, /sbin, /usr/bin, /usr/sbin,
-        /usr/local/bin, /usr/local/sbin, and /usr/libexec are not group-writable or world-writable.
-      </oval-def:description>
-            <oval-def:reference ref_id="file_permissions_binary_dirs" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion test_ref="oval:ssg-test_perms_binary_files:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-grub2_nousb_argument:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Disable Kernel Support for USB via Bootloader Configuration</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Ensure 'GRUB_CMDLINE_LINUX' is configured with value 'nousb' in /etc/default/grub</oval-def:description>
-            <oval-def:reference ref_id="CCE-82661-0" source="CCE"/>
-            <oval-def:reference ref_id="grub2_nousb_argument" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="grub is configured correctly" operator="OR">
-            <oval-def:criterion comment="Check the GRUB_CMDLINE_LINUX in /etc/default/grub" test_ref="oval:ssg-test_grub2_nousb_argument:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-mount_option_nodev_nonroot_local_partitions:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Add nodev Option to Non-Root Local Partitions</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The nodev mount option prevents files from being interpreted
-      as character or block devices. Legitimate character and block devices
-      should exist in the /dev directory on the root partition or within chroot
-      jails built for system services. All other locations should not allow
-      character and block devices.</oval-def:description>
-            <oval-def:reference ref_id="mount_option_nodev_nonroot_local_partitions" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="nodev on local filesystems" test_ref="oval:ssg-test_nodev_nonroot_local_partitions:tst:1" negate="true"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-coredump_disable_backtraces:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Disable core dump backtraces</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Ensure 'ProcessSizeMax' is configured with value '0 in section 'Coredump' in /etc/systemd/coredump.conf</oval-def:description>
-            <oval-def:reference ref_id="CCE-82529-9" source="CCE"/>
-            <oval-def:reference ref_id="coredump_disable_backtraces" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="systemd-coredump is configured correctly" operator="OR">
-            <oval-def:criterion comment="Check the ProcessSizeMax in /etc/systemd/coredump.conf" test_ref="oval:ssg-test_coredump_disable_backtraces:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-coredump_disable_storage:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Disable storing core dump</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Ensure 'Storage' is configured with value 'none in section 'Coredump' in /etc/systemd/coredump.conf</oval-def:description>
-            <oval-def:reference ref_id="CCE-82528-1" source="CCE"/>
-            <oval-def:reference ref_id="coredump_disable_storage" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="systemd-coredump is configured correctly" operator="OR">
-            <oval-def:criterion comment="Check the Storage in /etc/systemd/coredump.conf" test_ref="oval:ssg-test_coredump_disable_storage:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-disable_users_coredumps:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Disable Core Dumps for All Users</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Core dumps for all users should be disabled</oval-def:description>
-            <oval-def:reference ref_id="CCE-82526-5" source="CCE"/>
-            <oval-def:reference ref_id="disable_users_coredumps" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criterion comment="Are core dumps disabled in /etc/security/limits.d/*" test_ref="oval:ssg-test_core_dumps_limits_d:tst:1"/>
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion comment="Are core dumps configured in /etc/security/limits.d/*" test_ref="oval:ssg-test_core_dumps_limits_d_exists:tst:1" negate="true"/>
-              <oval-def:criterion comment="Are core dumps disabled in /etc/security/limits.conf" test_ref="oval:ssg-test_core_dumps_limitsconf:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-grub2_enable_selinux:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure SELinux Not Disabled in /etc/default/grub</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>
-        Check if selinux=0 OR enforcing=0 within the GRUB2 configuration files, fail if found.
-      </oval-def:description>
-            <oval-def:reference ref_id="CCE-82666-9" source="CCE"/>
-            <oval-def:reference ref_id="grub2_enable_selinux" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="check value selinux|enforcing=0 in /etc/default/grub, fail if found" test_ref="oval:ssg-test_selinux_default_grub:tst:1"/>
-            <oval-def:criterion comment="check value selinux|enforcing=0 in /etc/grub2.cfg, fail if found" test_ref="oval:ssg-test_selinux_grub2_cfg:tst:1"/>
-            <oval-def:criterion comment="check value selinux|enforcing=0 in /etc/grub.d, fail if found" test_ref="oval:ssg-test_selinux_grub_dir:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-selinux_confinement_of_daemons:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure No Daemons are Unconfined by SELinux</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>All pids in /proc should be assigned an SELinux security context other than 'unconfined_service_t'.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82688-3" source="CCE"/>
-            <oval-def:reference ref_id="selinux_confinement_of_daemons" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="no unconfined_service_t in /proc" test_ref="oval:ssg-test_selinux_confinement_of_daemons:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-selinux_policytype:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Configure SELinux Policy</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The SELinux policy should be set appropriately.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82532-3" source="CCE"/>
-            <oval-def:reference ref_id="selinux_policytype" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion test_ref="oval:ssg-test_selinux_policy:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-selinux_state:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure SELinux State is Enforcing</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The SELinux state should be enforcing the local policy.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82531-5" source="CCE"/>
-            <oval-def:reference ref_id="selinux_state" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="enforce is disabled" test_ref="oval:ssg-test_etc_selinux_config:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-prefer_64bit_os:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Prefer to use a 64-bit Operating System when supported</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check if the system supports a 64-bit Operating System</oval-def:description>
-            <oval-def:reference ref_id="prefer_64bit_os" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="Either the OS is 64-bit, or the CPU doesn't support 64-bit (it is 32 or 16 bit)" operator="OR">
-            <oval-def:criterion comment="Check if OS is 64-bit" test_ref="oval:ssg-test_proc_sys_kernel_osrelease_64_bit:tst:1"/>
-            <oval-def:criterion comment="Check if CPU is not 64-bit" test_ref="oval:ssg-test_proc_cpuinfo_64_bit:tst:1" negate="true"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-gnome_gdm_disable_xdmcp:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Disable XDMCP in GDM</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Ensure 'Enable' is configured with value 'false in section 'xdmcp' in /etc/gdm/custom.conf</oval-def:description>
-            <oval-def:reference ref_id="gnome_gdm_disable_xdmcp" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="gdm is configured correctly and configuration file exists" operator="AND">
-            <oval-def:criteria comment="gdm is configured correctly" operator="OR">
-              <oval-def:criterion comment="Check the Enable in /etc/gdm/custom.conf" test_ref="oval:ssg-test_gnome_gdm_disable_xdmcp:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criterion comment="test if configuration file /etc/gdm/custom.conf exists for gnome_gdm_disable_xdmcp" test_ref="oval:ssg-test_gnome_gdm_disable_xdmcp_config_file_exists:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-disable_prelink:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Disable Prelinking</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The prelinking feature can interfere with the operation of
-      checksum integrity tools (e.g. AIDE), mitigates the protection provided
-      by ASLR, and requires additional CPU cycles by software upgrades.
-      </oval-def:description>
-            <oval-def:reference ref_id="disable_prelink" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR" comment="Conditions for prelinking disabled are satisfied">
-            <oval-def:extend_definition comment="prelink RPM package not installed" definition_ref="oval:ssg-package_prelink_removed:def:1"/>
-            <oval-def:criterion comment="Prelinking is disabled" test_ref="oval:ssg-test_prelinking_disabled:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-installed_OS_is_FIPS_certified:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>The Installed Operating System Is FIPS 140-2 Certified</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>
-          The operating system installed on the system is a certified operating system that meets FIPS 140-2 requirements.
-      </oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_FIPS_certified" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="Installed operating system is a certified operating system" operator="OR">
-            <oval-def:extend_definition comment="Installed OS is RHEL7" definition_ref="oval:ssg-installed_OS_is_rhel7:def:1"/>
-            <oval-def:extend_definition comment="Installed OS is RHEL8" definition_ref="oval:ssg-installed_OS_is_rhel8:def:1"/>
-            <oval-def:extend_definition comment="Installed OS is RHCOS4" definition_ref="oval:ssg-installed_OS_is_rhcos4:def:1"/>
-            <oval-def:extend_definition comment="Installed OS is OL7" definition_ref="oval:ssg-installed_OS_is_ol7_family:def:1"/>
-            <oval-def:extend_definition comment="Installed OS is SLE12" definition_ref="oval:ssg-installed_OS_is_sle12:def:1"/>
-            <oval-def:extend_definition comment="Installed OS is SLE15" definition_ref="oval:ssg-installed_OS_is_sle15:def:1"/>
-            <oval-def:extend_definition comment="Installed OS is Ubuntu 16.04" definition_ref="oval:ssg-installed_OS_is_ubuntu1604:def:1"/>
-            <oval-def:extend_definition comment="Installed OS is Ubuntu 18.04" definition_ref="oval:ssg-installed_OS_is_ubuntu1804:def:1"/>
-            <oval-def:extend_definition comment="Installed OS is Ubuntu 20.04" definition_ref="oval:ssg-installed_OS_is_ubuntu2004:def:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-configure_bind_crypto_policy:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Configure BIND to use System Crypto Policy</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>BIND should be configured to use the system-wide crypto policy setting.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82544-8" source="CCE"/>
-            <oval-def:reference ref_id="configure_bind_crypto_policy" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:extend_definition comment="Check if package bind is not installed" definition_ref="oval:ssg-package_bind_removed:def:1"/>
-            <oval-def:criterion test_ref="oval:ssg-test_configure_bind_crypto_policy:tst:1" comment="Check that the configuration includes the policy config file."/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-configure_crypto_policy:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Configure System Cryptography Policy</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Ensure crypto policy is correctly configured in /etc/crypto-policies/config, and the policy is current.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82541-4" source="CCE"/>
-            <oval-def:reference ref_id="configure_crypto_policy" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="check for crypto policy correctly configured in /etc/crypto-policy/config" test_ref="oval:ssg-test_configure_crypto_policy:tst:1"/>
-            <oval-def:criterion comment="check for crypto policy correctly configured in /etc/crypto-policy/state/current" test_ref="oval:ssg-test_configure_crypto_policy_current:tst:1"/>
-            <oval-def:criterion comment="Check if update-crypto-policies has been run after config update" test_ref="oval:ssg-test_crypto_policies_updated:tst:1"/>
-            <oval-def:criterion comment="Check if /etc/crypto-policies/back-ends/nss.config exists" test_ref="oval:ssg-test_crypto_policy_nss_config:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-configure_kerberos_crypto_policy:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Configure Kerberos to use System Crypto Policy</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Kerberos should be configured to use the system-wide crypto policy setting.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82547-1" source="CCE"/>
-            <oval-def:reference ref_id="configure_kerberos_crypto_policy" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR" comment="The config file is always a symlink to the backend, but the backend itself may be either a file, or a symlink. For this reason, we need two tests, if one passes, the other one is expected to either fail, or error.">
-            <oval-def:criterion comment="kerberos crypto-policy configuration links to same file as kerberos crypto-policy backend" test_ref="oval:ssg-test_configure_kerberos_crypto_policy_symlink:tst:1"/>
-            <oval-def:criterion comment="kerberos crypto-policy configuration links to the crypto-policy backend file" test_ref="oval:ssg-test_configure_kerberos_crypto_policy_nosymlink:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-configure_libreswan_crypto_policy:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Configure Libreswan to use System Crypto Policy</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Libreswan should be configured to use the system-wide crypto policy setting.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82546-3" source="CCE"/>
-            <oval-def:reference ref_id="configure_libreswan_crypto_policy" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:extend_definition comment="Check if package libreswan is not installed" definition_ref="oval:ssg-package_libreswan_installed:def:1" negate="true"/>
-            <oval-def:criterion test_ref="oval:ssg-test_configure_libreswan_crypto_policy:tst:1" comment="Check that the libreswan configuration includes the crypto policy config file"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-configure_openssl_crypto_policy:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Configure OpenSSL library to use System Crypto Policy</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>OpenSSL should be configured to use the system-wide crypto policy setting.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82545-5" source="CCE"/>
-            <oval-def:reference ref_id="configure_openssl_crypto_policy" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion test_ref="oval:ssg-test_configure_openssl_crypto_policy:tst:1" comment="Check that the configuration mandates usage of system-wide crypto policies."/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-configure_ssh_crypto_policy:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Configure SSH to use System Crypto Policy</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>SSH should be configured to use the system-wide crypto policy setting.</oval-def:description>
-            <oval-def:reference ref_id="configure_ssh_crypto_policy" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion test_ref="oval:ssg-test_configure_ssh_crypto_policy:tst:1" comment="Check that the SSH configuration mandates usage of system-wide crypto policies."/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-harden_openssl_crypto_policy:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Harden OpenSSL Crypto Policy</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Ensure 'Ciphersuites' is configured with value 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256' in /etc/crypto-policies/back-ends/opensslcnf.config</oval-def:description>
-            <oval-def:reference ref_id="CCE-84285-6" source="CCE"/>
-            <oval-def:reference ref_id="harden_openssl_crypto_policy" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="The respective application or service is configured correctly" operator="OR">
-            <oval-def:criterion comment="Check the Ciphersuites in /etc/crypto-policies/back-ends/opensslcnf.config" test_ref="oval:ssg-test_harden_openssl_crypto_policy:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-harden_ssh_client_crypto_policy:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Harden SSH client Crypto Policy</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Ensure the ssh client ciphers are configured correctly in /etc/ssh/ssh_config.d/02-ospp.conf</oval-def:description>
-            <oval-def:reference ref_id="CCE-82543-0" source="CCE"/>
-            <oval-def:reference ref_id="harden_ssh_client_crypto_policy" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="SSH client is configured correctly" operator="AND">
-            <oval-def:criterion comment="Check the Match in /etc/ssh/ssh_config.d/02-ospp.conf" test_ref="oval:ssg-test_harden_ssh_client_crypto_policy_Match:tst:1"/>
-            <oval-def:criterion comment="Check the RekeyLimit in /etc/ssh/ssh_config.d/02-ospp.conf" test_ref="oval:ssg-test_harden_ssh_client_crypto_policy_RekeyLimit:tst:1"/>
-            <oval-def:criterion comment="Check the GSSAPIAuthentication in /etc/ssh/ssh_config.d/02-ospp.conf" test_ref="oval:ssg-test_harden_ssh_client_crypto_policy_GSSAPIAuthentication:tst:1"/>
-            <oval-def:criterion comment="Check the Ciphers in /etc/ssh/ssh_config.d/02-ospp.conf" test_ref="oval:ssg-test_harden_ssh_client_crypto_policy_Ciphers:tst:1"/>
-            <oval-def:criterion comment="Check the PubkeyAcceptedKeyTypes in /etc/ssh/ssh_config.d/02-ospp.conf" test_ref="oval:ssg-test_harden_ssh_client_crypto_policy_PubkeyAcceptedKeyTypes:tst:1"/>
-            <oval-def:criterion comment="Check the MACs in /etc/ssh/ssh_config.d/02-ospp.conf" test_ref="oval:ssg-test_harden_ssh_client_crypto_policy_MACs:tst:1"/>
-            <oval-def:criterion comment="Check the KexAlgorithms in /etc/ssh/ssh_config.d/02-ospp.conf" test_ref="oval:ssg-test_harden_ssh_client_crypto_policy_KexAlgorithms:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-harden_sshd_crypto_policy:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Harden SSHD Crypto Policy</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Ensure 'CRYPTO_POLICY' is configured with value ''-oCiphers=aes256-ctr,aes128-ctr,aes256-cbc,aes128-cbc -oMACs=hmac-sha2-512,hmac-sha2-256 -oGSSAPIKeyExchange=no -oKexAlgorithms=ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=ssh-rsa,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256 -oPubkeyAcceptedKeyTypes=rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256'' in /etc/crypto-policies/back-ends/opensshserver.config</oval-def:description>
-            <oval-def:reference ref_id="CCE-82542-2" source="CCE"/>
-            <oval-def:reference ref_id="harden_sshd_crypto_policy" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="sshd is configured correctly or is not installed" operator="OR">
-            <oval-def:criteria comment="sshd is not installed" operator="AND">
-              <oval-def:extend_definition comment="sshd is not required or requirement is unset" definition_ref="oval:ssg-sshd_not_required_or_unset:def:1"/>
-              <oval-def:extend_definition comment="rpm package openssh-server removed" definition_ref="oval:ssg-package_openssh-server_removed:def:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria comment="sshd is installed and configured" operator="AND">
-              <oval-def:extend_definition comment="sshd is required or requirement is unset" definition_ref="oval:ssg-sshd_required_or_unset:def:1"/>
-              <oval-def:extend_definition comment="rpm package openssh-server installed" definition_ref="oval:ssg-package_openssh-server_installed:def:1"/>
-              <oval-def:criteria comment="sshd is configured correctly" operator="OR">
-                <oval-def:criterion comment="Check the CRYPTO_POLICY in /etc/crypto-policies/back-ends/opensshserver.config" test_ref="oval:ssg-test_harden_sshd_crypto_policy:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-install_mcafee_antivirus:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Install McAfee Virus Scanning Software</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>McAfee Antivirus software should be installed.</oval-def:description>
-            <oval-def:reference ref_id="install_mcafee_antivirus" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="Antivirus is not being used or conditions are met" operator="AND">
-            <oval-def:extend_definition comment="McAfee Runtime Libraries and Agent" definition_ref="oval:ssg-install_mcafee_cma_rt:def:1"/>
-            <oval-def:criterion comment="Linuxshield AntiVirus package is installed" test_ref="oval:ssg-test_linuxshield_install_antivirus:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-install_mcafee_cma_rt:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Install the McAfee Runtime Libraries and Linux Agent</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Install the McAfee Runtime Libraries (MFErt) and Linux Agent (MFEcma).</oval-def:description>
-            <oval-def:reference ref_id="install_mcafee_cma_rt" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="McAfee runtime library package installed" test_ref="oval:ssg-test_mcafee_runtime_installed:tst:1"/>
-            <oval-def:criterion comment="McAfee management agent package installed" test_ref="oval:ssg-test_mcafee_management_agent:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-install_mcafee_hbss_accm:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Install the Asset Configuration Compliance Module (ACCM)</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Install the Asset Configuration Compliance Module (ACCM).</oval-def:description>
-            <oval-def:reference ref_id="install_mcafee_hbss_accm" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="McAfee ACCM is installed" test_ref="oval:ssg-test_mcafee_accm_exists:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-install_mcafee_hbss_pa:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Install the Policy Auditor (PA) Module</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Install the Policy Auditor (PA) Module.</oval-def:description>
-            <oval-def:reference ref_id="install_mcafee_hbss_pa" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="McAfee Policy Auditor is installed" test_ref="oval:ssg-test_mcafee_auditengine_exists:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-enable_dracut_fips_module:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Enable Dracut FIPS Module</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>fips module should be enabled in Dracut configuration</oval-def:description>
-            <oval-def:reference ref_id="CCE-82548-9" source="CCE"/>
-            <oval-def:reference ref_id="enable_dracut_fips_module" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="dracut fips module is enabled" test_ref="oval:ssg-test_enable_dracut_fips_module:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-enable_fips_mode:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Enable FIPS Mode</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check if FIPS mode is enabled on the system</oval-def:description>
-            <oval-def:reference ref_id="CCE-82540-6" source="CCE"/>
-            <oval-def:reference ref_id="enable_fips_mode" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="check /etc/system-fips exists" definition_ref="oval:ssg-etc_system_fips_exists:def:1"/>
-            <oval-def:extend_definition comment="check sysctl crypto.fips_enabled = 1" definition_ref="oval:ssg-proc_sys_crypto_fips_enabled:def:1"/>
-            <oval-def:extend_definition comment="system cryptography policy is configured" definition_ref="oval:ssg-configure_crypto_policy:def:1"/>
-            <oval-def:criterion comment="check if system crypto policy selection in var_system_crypto_policy in the profile is set to FIPS" test_ref="oval:ssg-test_system_crypto_policy_value:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-etc_system_fips_exists:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure '/etc/system-fips' exists</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check /etc/system-fips exists</oval-def:description>
-            <oval-def:reference ref_id="etc_system_fips_exists" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion test_ref="oval:ssg-test_etc_system_fips:tst:1" comment="/etc/system-fips exists"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-grub2_enable_fips_mode:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Enable FIPS Mode in GRUB2</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Ensure fips=1 is configured in the kernel line in /etc/default/grub.</oval-def:description>
-            <oval-def:reference ref_id="grub2_enable_fips_mode" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="Installed OS is FIPS certified" definition_ref="oval:ssg-installed_OS_is_FIPS_certified:def:1"/>
-            <oval-def:extend_definition comment="prelink disabled" definition_ref="oval:ssg-disable_prelink:def:1"/>
-            <oval-def:extend_definition comment="package dracut-fips installed" definition_ref="oval:ssg-package_dracut-fips_installed:def:1"/>
-            <oval-def:extend_definition comment="package dracut-fips-aesni installed" definition_ref="oval:ssg-package_dracut-fips-aesni_installed:def:1"/>
-            <oval-def:extend_definition comment="check /etc/system-fips exists" definition_ref="oval:ssg-etc_system_fips_exists:def:1"/>
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion test_ref="oval:ssg-test_grub2_enable_fips_mode:tst:1" comment="check for fips=1 in /etc/default/grub via GRUB_CMDLINE_LINUX"/>
-              <oval-def:criteria operator="AND">
-                <oval-def:extend_definition definition_ref="oval:ssg-grub2_default_exists:def:1" comment="check for GRUB_CMDLINE_LINUX_DEFAULT exists in /etc/default/grub"/>
-                <oval-def:criterion test_ref="oval:ssg-test_grub2_enable_fips_mode_default:tst:1" comment="check for fips=1 in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT"/>
-                <oval-def:criterion test_ref="oval:ssg-test_grub2_enable_fips_mode:tst:1" comment="check for fips=1 in /etc/default/grub via GRUB_CMDLINE_LINUX"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-package_dracut-fips-aesni_installed:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Install the dracut-fips-aesni Package</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The RPM package dracut-fips-aesni should be installed.</oval-def:description>
-            <oval-def:reference ref_id="package_dracut-fips-aesni_installed" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criterion comment="System does not support AES instruction set" test_ref="oval:ssg-test_processor_aes_instruction:tst:1"/>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="Installed OS is FIPS certified" definition_ref="oval:ssg-installed_OS_is_FIPS_certified:def:1"/>
-              <oval-def:criterion comment="package dracut-fips-aesni is installed" test_ref="oval:ssg-test_package_dracut-fips-aesni_installed:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-package_dracut-fips_installed:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Install the dracut-fips Package</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The RPM package dracut-fips should be installed.</oval-def:description>
-            <oval-def:reference ref_id="package_dracut-fips_installed" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:extend_definition comment="Installed OS is FIPS certified" definition_ref="oval:ssg-installed_OS_is_FIPS_certified:def:1"/>
-            <oval-def:criterion comment="package dracut-fips is installed" test_ref="oval:ssg-test_package_dracut-fips_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-proc_sys_crypto_fips_enabled:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Set kernel parameter 'crypto.fips_enabled' to 1</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'crypto.fips_enabled' parameter should be set to '1' in system runtime.</oval-def:description>
-            <oval-def:reference ref_id="proc_sys_crypto_fips_enabled" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="kernel runtime parameter crypto.fips_enabled set to 1" test_ref="oval:ssg-test_proc_sys_crypto_fips_enabled:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-aide_build_database:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Build and Test AIDE Database</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The aide database must be initialized.</oval-def:description>
-            <oval-def:reference ref_id="aide_build_database" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="Aide is installed" definition_ref="oval:ssg-package_aide_installed:def:1"/>
-            <oval-def:criterion test_ref="oval:ssg-test_aide_build_new_database_absolute_path:tst:1"/>
-            <oval-def:criterion test_ref="oval:ssg-test_aide_operational_database_absolute_path:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-rpm_verify_ownership:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Verify and Correct Ownership with RPM</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Verify ownership of installed packages
-      by comparing the installed files with information about the
-      files taken from the package metadata stored in the RPM
-      database.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82686-7" source="CCE"/>
-            <oval-def:reference ref_id="rpm_verify_ownership" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion test_ref="oval:ssg-test_verify_all_rpms_user_ownership:tst:1" comment="user ownership of all files matches local rpm database"/>
-            <oval-def:criterion test_ref="oval:ssg-test_verify_all_rpms_group_ownership:tst:1" comment="group ownership of all files matches local rpm database"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-rpm_verify_permissions:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Verify and Correct File Permissions with RPM</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Verify the permissions of installed packages
-      by comparing the installed files with information about the
-      files taken from the package metadata stored in the RPM
-      database.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82687-5" source="CCE"/>
-            <oval-def:reference ref_id="rpm_verify_permissions" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion test_ref="oval:ssg-test_verify_all_rpms_mode:tst:1" comment="mode of all files matches local rpm database"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sudo_remove_no_authenticate:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks sudo usage without authentication</oval-def:description>
-            <oval-def:reference ref_id="sudo_remove_no_authenticate" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="!authenticate does not exist in /etc/sudoers" test_ref="oval:ssg-test_no_authenticate_etc_sudoers:tst:1"/>
-            <oval-def:criterion comment="!authenticate does not exist in /etc/sudoers.d" test_ref="oval:ssg-test_no_authenticate_etc_sudoers_d:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sudo_remove_nopasswd:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks sudo usage without password</oval-def:description>
-            <oval-def:reference ref_id="sudo_remove_nopasswd" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="NOPASSWD is not configured in /etc/sudoers" test_ref="oval:ssg-test_nopasswd_etc_sudoers:tst:1"/>
-            <oval-def:criterion comment="NOPASSWD is not configured in /etc/sudoers.d" test_ref="oval:ssg-test_nopasswd_etc_sudoers_d:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sudo_require_authentication:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks sudo usage without password</oval-def:description>
-            <oval-def:reference ref_id="sudo_require_authentication" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition definition_ref="oval:ssg-sudo_remove_no_authenticate:def:1"/>
-            <oval-def:extend_definition definition_ref="oval:ssg-sudo_remove_nopasswd:def:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sudo_vdsm_nopasswd:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Only the VDSM User Can Use sudo NOPASSWD</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks sudo usage for the vdsm user without a password</oval-def:description>
-            <oval-def:reference ref_id="sudo_vdsm_nopasswd" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="NOPASSWD only exists for vdsm user in /etc/sudoers" test_ref="oval:ssg-test_vdsm_nopasswd_etc_sudoers:tst:1"/>
-            <oval-def:criterion comment="NOPASSWD only exists for vdsm user in /etc/sudoers.d" test_ref="oval:ssg-test_vdsm_nopasswd_etc_sudoers_d:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sudoers_explicit_command_args:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Explicit arguments in sudo specifications</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check that sudoers doesn't contain commands without arguments specified</oval-def:description>
-            <oval-def:reference ref_id="sudoers_explicit_command_args" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="Make sure that no commands are without arguments" test_ref="oval:ssg-test_sudoers_explicit_command_args:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sudoers_no_command_negation:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Don't define allowed commands in sudoers by means of exclusion</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check that sudoers doesn't contain command negations</oval-def:description>
-            <oval-def:reference ref_id="sudoers_no_command_negation" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="Make sure that no command in user spec contains negation" test_ref="oval:ssg-test_sudoers_no_command_negation:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sudoers_no_root_target:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Don't target root user in the sudoers file</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check that sudoers doesn't allow users to run commands as root</oval-def:description>
-            <oval-def:reference ref_id="sudoers_no_root_target" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="Make sure that no user spec in sudoers has a runas spec that includes root or ALL" test_ref="oval:ssg-test_no_root_or_ALL_in_runas_spec:tst:1"/>
-            <oval-def:criterion comment="Make sure that all user specs in sudoers feature a runas spec" test_ref="oval:ssg-test_no_user_spec_rules:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-ensure_redhat_gpgkey_installed:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Ensure Red Hat GPG Key Installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The Red Hat release and auxiliary key packages are required to be installed.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82754-3" source="CCE"/>
-            <oval-def:reference ref_id="ensure_redhat_gpgkey_installed" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="Vendor GPG keys" operator="OR">
-            <oval-def:criteria comment="Red Hat Vendor Keys" operator="AND">
-              <oval-def:criteria comment="Red Hat Installed" operator="OR">
-                <oval-def:extend_definition comment="rhcos4 installed" definition_ref="oval:ssg-installed_OS_is_rhcos4:def:1"/>
-              </oval-def:criteria>
-              <oval-def:criterion comment="package gpg-pubkey-fd431d51-4ae0493b is installed" test_ref="oval:ssg-test_package_gpgkey-fd431d51-4ae0493b_installed:tst:1"/>
-              <oval-def:criteria comment="Auxiliary Red Hat Key Installed" operator="OR">
-                <oval-def:criterion comment="package gpg-pubkey-- is installed" test_ref="oval:ssg-test_package_gpgkey--_installed:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_access_failed:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Configure auditing of unsuccessful file accesses</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Inspect the contents of /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules</oval-def:description>
-            <oval-def:reference ref_id="audit_access_failed" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check contents of file" test_ref="oval:ssg-audit_access_failed_test_whole_file_contents_tc_audit_rules_d_30_ospp_v42_3_access_failed_rules:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_access_success:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Configure auditing of successful file accesses</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Inspect the contents of /etc/audit/rules.d/30-ospp-v42-3-access-success.rules</oval-def:description>
-            <oval-def:reference ref_id="audit_access_success" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check contents of file" test_ref="oval:ssg-audit_access_success_test_whole_file_contents_tc_audit_rules_d_30_ospp_v42_3_access_success_rules:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_basic_configuration:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Configure basic parameters of Audit system</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Inspect the contents of /etc/audit/rules.d/10-base-config.rules</oval-def:description>
-            <oval-def:reference ref_id="audit_basic_configuration" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check contents of file" test_ref="oval:ssg-audit_basic_configuration_test_whole_file_contents_tc_audit_rules_d_10_base_config_rules:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_create_failed:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Configure auditing of unsuccessful file creations</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Inspect the contents of /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules</oval-def:description>
-            <oval-def:reference ref_id="audit_create_failed" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check contents of file" test_ref="oval:ssg-audit_create_failed_test_whole_file_contents_tc_audit_rules_d_30_ospp_v42_1_create_failed_rules:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_create_success:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Configure auditing of successful file creations</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Inspect the contents of /etc/audit/rules.d/30-ospp-v42-1-create-success.rules</oval-def:description>
-            <oval-def:reference ref_id="audit_create_success" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check contents of file" test_ref="oval:ssg-audit_create_success_test_whole_file_contents_tc_audit_rules_d_30_ospp_v42_1_create_success_rules:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_delete_failed:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Configure auditing of unsuccessful file deletions</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Inspect the contents of /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules</oval-def:description>
-            <oval-def:reference ref_id="audit_delete_failed" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check contents of file" test_ref="oval:ssg-audit_delete_failed_test_whole_file_contents_tc_audit_rules_d_30_ospp_v42_4_delete_failed_rules:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_delete_success:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Configure auditing of successful file deletions</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Inspect the contents of /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules</oval-def:description>
-            <oval-def:reference ref_id="audit_delete_success" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check contents of file" test_ref="oval:ssg-audit_delete_success_test_whole_file_contents_tc_audit_rules_d_30_ospp_v42_4_delete_success_rules:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_immutable_login_uids:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Configure immutable Audit login UIDs</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Inspect the contents of /etc/audit/rules.d/11-loginuid.rules</oval-def:description>
-            <oval-def:reference ref_id="audit_immutable_login_uids" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check contents of file" test_ref="oval:ssg-audit_immutable_login_uids_test_whole_file_contents_tc_audit_rules_d_11_loginuid_rules:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_modify_failed:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Configure auditing of unsuccessful file modifications</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Inspect the contents of /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules</oval-def:description>
-            <oval-def:reference ref_id="audit_modify_failed" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check contents of file" test_ref="oval:ssg-audit_modify_failed_test_whole_file_contents_tc_audit_rules_d_30_ospp_v42_2_modify_failed_rules:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_modify_success:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Configure auditing of successful file modifications</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Inspect the contents of /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules</oval-def:description>
-            <oval-def:reference ref_id="audit_modify_success" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check contents of file" test_ref="oval:ssg-audit_modify_success_test_whole_file_contents_tc_audit_rules_d_30_ospp_v42_2_modify_success_rules:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_module_load:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Configure auditing of loading and unloading of kernel modules</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Inspect the contents of /etc/audit/rules.d/43-module-load.rules</oval-def:description>
-            <oval-def:reference ref_id="audit_module_load" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check contents of file" test_ref="oval:ssg-audit_module_load_test_whole_file_contents_tc_audit_rules_d_43_module_load_rules:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_ospp_general:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Perform general configuration of Audit for OSPP</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Inspect the contents of /etc/audit/rules.d/30-ospp-v42.rules</oval-def:description>
-            <oval-def:reference ref_id="audit_ospp_general" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check contents of file" test_ref="oval:ssg-audit_ospp_general_test_whole_file_contents_tc_audit_rules_d_30_ospp_v42_rules:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_owner_change_failed:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Configure auditing of unsuccessful ownership changes</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Inspect the contents of /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules</oval-def:description>
-            <oval-def:reference ref_id="audit_owner_change_failed" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check contents of file" test_ref="oval:ssg-audit_owner_change_failed_test_whole_file_contents_tc_audit_rules_d_30_ospp_v42_6_owner_change_failed_rules:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_owner_change_success:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Configure auditing of successful ownership changes</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Inspect the contents of /etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules</oval-def:description>
-            <oval-def:reference ref_id="audit_owner_change_success" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check contents of file" test_ref="oval:ssg-audit_owner_change_success_test_whole_file_contents_tc_audit_rules_d_30_ospp_v42_6_owner_change_success_rules:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_perm_change_failed:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Configure auditing of unsuccessful permission changes</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Inspect the contents of /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules</oval-def:description>
-            <oval-def:reference ref_id="audit_perm_change_failed" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check contents of file" test_ref="oval:ssg-audit_perm_change_failed_test_whole_file_contents_tc_audit_rules_d_30_ospp_v42_5_perm_change_failed_rules:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_perm_change_success:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Configure auditing of successful permission changes</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Inspect the contents of /etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules</oval-def:description>
-            <oval-def:reference ref_id="audit_perm_change_success" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check contents of file" test_ref="oval:ssg-audit_perm_change_success_test_whole_file_contents_tc_audit_rules_d_30_ospp_v42_5_perm_change_success_rules:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_privileged_commands_init:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure auditd Collects Information on the Use of Privileged Commands - init</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the information on the use of init is enabled.</oval-def:description>
-            <oval-def:reference ref_id="audit_privileged_commands_init" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules init" test_ref="oval:ssg-test_audit_privileged_commands_init_augenrules:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl init" test_ref="oval:ssg-test_audit_privileged_commands_init_auditctl:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_privileged_commands_poweroff:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure auditd Collects Information on the Use of Privileged Commands - poweroff</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the information on the use of poweroff is enabled.</oval-def:description>
-            <oval-def:reference ref_id="audit_privileged_commands_poweroff" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules poweroff" test_ref="oval:ssg-test_audit_privileged_commands_poweroff_augenrules:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl poweroff" test_ref="oval:ssg-test_audit_privileged_commands_poweroff_auditctl:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_privileged_commands_reboot:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure auditd Collects Information on the Use of Privileged Commands - reboot</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the information on the use of reboot is enabled.</oval-def:description>
-            <oval-def:reference ref_id="audit_privileged_commands_reboot" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules reboot" test_ref="oval:ssg-test_audit_privileged_commands_reboot_augenrules:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl reboot" test_ref="oval:ssg-test_audit_privileged_commands_reboot_auditctl:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_privileged_commands_shutdown:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure auditd Collects Information on the Use of Privileged Commands - shutdown</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the information on the use of shutdown is enabled.</oval-def:description>
-            <oval-def:reference ref_id="audit_privileged_commands_shutdown" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules shutdown" test_ref="oval:ssg-test_audit_privileged_commands_shutdown_augenrules:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl shutdown" test_ref="oval:ssg-test_audit_privileged_commands_shutdown_auditctl:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_dac_modification_chmod:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Events that Modify the System's Discretionary Access Controls - chmod</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The changing of file permissions and attributes should be audited.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82556-2" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_dac_modification_chmod" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit chmod" test_ref="oval:ssg-test_32bit_ardm_chmod_augenrules:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit augenrules 64-bit chmod" test_ref="oval:ssg-test_64bit_ardm_chmod_augenrules:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit chmod" test_ref="oval:ssg-test_32bit_ardm_chmod_auditctl:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit auditctl 64-bit chmod" test_ref="oval:ssg-test_64bit_ardm_chmod_auditctl:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_dac_modification_chown:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Events that Modify the System's Discretionary Access Controls - chown</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The changing of file permissions and attributes should be audited.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82557-0" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_dac_modification_chown" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit chown" test_ref="oval:ssg-test_32bit_ardm_chown_augenrules:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit augenrules 64-bit chown" test_ref="oval:ssg-test_64bit_ardm_chown_augenrules:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit chown" test_ref="oval:ssg-test_32bit_ardm_chown_auditctl:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit auditctl 64-bit chown" test_ref="oval:ssg-test_64bit_ardm_chown_auditctl:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_dac_modification_fchmod:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Events that Modify the System's Discretionary Access Controls - fchmod</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The changing of file permissions and attributes should be audited.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82558-8" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_dac_modification_fchmod" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit fchmod" test_ref="oval:ssg-test_32bit_ardm_fchmod_augenrules:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit augenrules 64-bit fchmod" test_ref="oval:ssg-test_64bit_ardm_fchmod_augenrules:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit fchmod" test_ref="oval:ssg-test_32bit_ardm_fchmod_auditctl:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit auditctl 64-bit fchmod" test_ref="oval:ssg-test_64bit_ardm_fchmod_auditctl:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_dac_modification_fchmodat:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Events that Modify the System's Discretionary Access Controls - fchmodat</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The changing of file permissions and attributes should be audited.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82559-6" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_dac_modification_fchmodat" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit fchmodat" test_ref="oval:ssg-test_32bit_ardm_fchmodat_augenrules:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit augenrules 64-bit fchmodat" test_ref="oval:ssg-test_64bit_ardm_fchmodat_augenrules:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit fchmodat" test_ref="oval:ssg-test_32bit_ardm_fchmodat_auditctl:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit auditctl 64-bit fchmodat" test_ref="oval:ssg-test_64bit_ardm_fchmodat_auditctl:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_dac_modification_fchown:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Events that Modify the System's Discretionary Access Controls - fchown</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The changing of file permissions and attributes should be audited.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82560-4" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_dac_modification_fchown" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit fchown" test_ref="oval:ssg-test_32bit_ardm_fchown_augenrules:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit augenrules 64-bit fchown" test_ref="oval:ssg-test_64bit_ardm_fchown_augenrules:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit fchown" test_ref="oval:ssg-test_32bit_ardm_fchown_auditctl:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit auditctl 64-bit fchown" test_ref="oval:ssg-test_64bit_ardm_fchown_auditctl:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_dac_modification_fchownat:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Events that Modify the System's Discretionary Access Controls - fchownat</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The changing of file permissions and attributes should be audited.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82561-2" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_dac_modification_fchownat" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit fchownat" test_ref="oval:ssg-test_32bit_ardm_fchownat_augenrules:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit augenrules 64-bit fchownat" test_ref="oval:ssg-test_64bit_ardm_fchownat_augenrules:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit fchownat" test_ref="oval:ssg-test_32bit_ardm_fchownat_auditctl:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit auditctl 64-bit fchownat" test_ref="oval:ssg-test_64bit_ardm_fchownat_auditctl:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_dac_modification_fremovexattr:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Events that Modify the System's Discretionary Access Controls - fremovexattr</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The changing of file permissions and attributes should be audited.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82562-0" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_dac_modification_fremovexattr" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit fremovexattr" test_ref="oval:ssg-test_32bit_ardm_fremovexattr_augenrules:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit augenrules 64-bit fremovexattr" test_ref="oval:ssg-test_64bit_ardm_fremovexattr_augenrules:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit fremovexattr" test_ref="oval:ssg-test_32bit_ardm_fremovexattr_auditctl:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit auditctl 64-bit fremovexattr" test_ref="oval:ssg-test_64bit_ardm_fremovexattr_auditctl:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_dac_modification_fsetxattr:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Events that Modify the System's Discretionary Access Controls - fsetxattr</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The changing of file permissions and attributes should be audited.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82563-8" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_dac_modification_fsetxattr" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit fsetxattr" test_ref="oval:ssg-test_32bit_ardm_fsetxattr_augenrules:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit augenrules 64-bit fsetxattr" test_ref="oval:ssg-test_64bit_ardm_fsetxattr_augenrules:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit fsetxattr" test_ref="oval:ssg-test_32bit_ardm_fsetxattr_auditctl:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit auditctl 64-bit fsetxattr" test_ref="oval:ssg-test_64bit_ardm_fsetxattr_auditctl:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_dac_modification_lchown:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Events that Modify the System's Discretionary Access Controls - lchown</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The changing of file permissions and attributes should be audited.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82564-6" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_dac_modification_lchown" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit lchown" test_ref="oval:ssg-test_32bit_ardm_lchown_augenrules:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit augenrules 64-bit lchown" test_ref="oval:ssg-test_64bit_ardm_lchown_augenrules:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit lchown" test_ref="oval:ssg-test_32bit_ardm_lchown_auditctl:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit auditctl 64-bit lchown" test_ref="oval:ssg-test_64bit_ardm_lchown_auditctl:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_dac_modification_lremovexattr:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Events that Modify the System's Discretionary Access Controls - lremovexattr</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The changing of file permissions and attributes should be audited.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82565-3" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_dac_modification_lremovexattr" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit lremovexattr" test_ref="oval:ssg-test_32bit_ardm_lremovexattr_augenrules:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit augenrules 64-bit lremovexattr" test_ref="oval:ssg-test_64bit_ardm_lremovexattr_augenrules:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit lremovexattr" test_ref="oval:ssg-test_32bit_ardm_lremovexattr_auditctl:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit auditctl 64-bit lremovexattr" test_ref="oval:ssg-test_64bit_ardm_lremovexattr_auditctl:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_dac_modification_lsetxattr:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Events that Modify the System's Discretionary Access Controls - lsetxattr</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The changing of file permissions and attributes should be audited.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82566-1" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_dac_modification_lsetxattr" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit lsetxattr" test_ref="oval:ssg-test_32bit_ardm_lsetxattr_augenrules:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit augenrules 64-bit lsetxattr" test_ref="oval:ssg-test_64bit_ardm_lsetxattr_augenrules:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit lsetxattr" test_ref="oval:ssg-test_32bit_ardm_lsetxattr_auditctl:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit auditctl 64-bit lsetxattr" test_ref="oval:ssg-test_64bit_ardm_lsetxattr_auditctl:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_dac_modification_removexattr:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Events that Modify the System's Discretionary Access Controls - removexattr</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The changing of file permissions and attributes should be audited.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82567-9" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_dac_modification_removexattr" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit removexattr" test_ref="oval:ssg-test_32bit_ardm_removexattr_augenrules:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit augenrules 64-bit removexattr" test_ref="oval:ssg-test_64bit_ardm_removexattr_augenrules:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit removexattr" test_ref="oval:ssg-test_32bit_ardm_removexattr_auditctl:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit auditctl 64-bit removexattr" test_ref="oval:ssg-test_64bit_ardm_removexattr_auditctl:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_dac_modification_setxattr:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Events that Modify the System's Discretionary Access Controls - setxattr</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The changing of file permissions and attributes should be audited.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82568-7" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_dac_modification_setxattr" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit setxattr" test_ref="oval:ssg-test_32bit_ardm_setxattr_augenrules:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit augenrules 64-bit setxattr" test_ref="oval:ssg-test_64bit_ardm_setxattr_augenrules:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit setxattr" test_ref="oval:ssg-test_32bit_ardm_setxattr_auditctl:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit auditctl 64-bit setxattr" test_ref="oval:ssg-test_64bit_ardm_setxattr_auditctl:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_dac_modification_umount2:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Events that Modify the System's Discretionary Access Controls - umount2</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The changing of file permissions and attributes should be audited.</oval-def:description>
-            <oval-def:reference ref_id="audit_rules_dac_modification_umount2" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit umount2" test_ref="oval:ssg-test_32bit_ardm_umount2_augenrules:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit augenrules 64-bit umount2" test_ref="oval:ssg-test_64bit_ardm_umount2_augenrules:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit umount2" test_ref="oval:ssg-test_32bit_ardm_umount2_auditctl:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit auditctl 64-bit umount2" test_ref="oval:ssg-test_64bit_ardm_umount2_auditctl:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_etc_group_open:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Events that Modify User/Group Information via open syscall - /etc/group</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the write events to /etc/group</oval-def:description>
-            <oval-def:reference ref_id="CCE-82700-6" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_etc_group_open" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit rule to record write events to /etc/group" test_ref="oval:ssg-test_audit_rules_tc_group_open_32bit_augenrules:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit rule to record write events to /etc/group" test_ref="oval:ssg-test_audit_rules_tc_group_open_64bit_augenrules:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit rule to record write events to /etc/group" test_ref="oval:ssg-test_audit_rules_tc_group_open_32bit_auditctl:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit_system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit rule to record write events to /etc/group" test_ref="oval:ssg-test_audit_rules_tc_group_open_64bit_auditctl:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_etc_group_open_by_handle_at:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/group</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the write events to /etc/group</oval-def:description>
-            <oval-def:reference ref_id="CCE-82702-2" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_etc_group_open_by_handle_at" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit rule to record write events to /etc/group" test_ref="oval:ssg-test_audit_rules_tc_group_open_by_handle_at_32bit_augenrules:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit rule to record write events to /etc/group" test_ref="oval:ssg-test_audit_rules_tc_group_open_by_handle_at_64bit_augenrules:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit rule to record write events to /etc/group" test_ref="oval:ssg-test_audit_rules_tc_group_open_by_handle_at_32bit_auditctl:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit_system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit rule to record write events to /etc/group" test_ref="oval:ssg-test_audit_rules_tc_group_open_by_handle_at_64bit_auditctl:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_etc_group_openat:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Events that Modify User/Group Information via openat syscall - /etc/group</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the write events to /etc/group</oval-def:description>
-            <oval-def:reference ref_id="CCE-82701-4" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_etc_group_openat" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit rule to record write events to /etc/group" test_ref="oval:ssg-test_audit_rules_tc_group_openat_32bit_augenrules:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit rule to record write events to /etc/group" test_ref="oval:ssg-test_audit_rules_tc_group_openat_64bit_augenrules:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit rule to record write events to /etc/group" test_ref="oval:ssg-test_audit_rules_tc_group_openat_32bit_auditctl:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit_system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit rule to record write events to /etc/group" test_ref="oval:ssg-test_audit_rules_tc_group_openat_64bit_auditctl:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_etc_gshadow_open:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Events that Modify User/Group Information via open syscall - /etc/gshadow</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the write events to /etc/gshadow</oval-def:description>
-            <oval-def:reference ref_id="CCE-82703-0" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_etc_gshadow_open" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit rule to record write events to /etc/gshadow" test_ref="oval:ssg-test_audit_rules_tc_gshadow_open_32bit_augenrules:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit rule to record write events to /etc/gshadow" test_ref="oval:ssg-test_audit_rules_tc_gshadow_open_64bit_augenrules:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit rule to record write events to /etc/gshadow" test_ref="oval:ssg-test_audit_rules_tc_gshadow_open_32bit_auditctl:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit_system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit rule to record write events to /etc/gshadow" test_ref="oval:ssg-test_audit_rules_tc_gshadow_open_64bit_auditctl:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_etc_gshadow_open_by_handle_at:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/gshadow</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the write events to /etc/gshadow</oval-def:description>
-            <oval-def:reference ref_id="CCE-82705-5" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_etc_gshadow_open_by_handle_at" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit rule to record write events to /etc/gshadow" test_ref="oval:ssg-test_audit_rules_tc_gshadow_open_by_handle_at_32bit_augenrules:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit rule to record write events to /etc/gshadow" test_ref="oval:ssg-test_audit_rules_tc_gshadow_open_by_handle_at_64bit_augenrules:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit rule to record write events to /etc/gshadow" test_ref="oval:ssg-test_audit_rules_tc_gshadow_open_by_handle_at_32bit_auditctl:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit_system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit rule to record write events to /etc/gshadow" test_ref="oval:ssg-test_audit_rules_tc_gshadow_open_by_handle_at_64bit_auditctl:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_etc_gshadow_openat:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Events that Modify User/Group Information via openat syscall - /etc/gshadow</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the write events to /etc/gshadow</oval-def:description>
-            <oval-def:reference ref_id="CCE-82704-8" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_etc_gshadow_openat" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit rule to record write events to /etc/gshadow" test_ref="oval:ssg-test_audit_rules_tc_gshadow_openat_32bit_augenrules:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit rule to record write events to /etc/gshadow" test_ref="oval:ssg-test_audit_rules_tc_gshadow_openat_64bit_augenrules:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit rule to record write events to /etc/gshadow" test_ref="oval:ssg-test_audit_rules_tc_gshadow_openat_32bit_auditctl:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit_system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit rule to record write events to /etc/gshadow" test_ref="oval:ssg-test_audit_rules_tc_gshadow_openat_64bit_auditctl:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_etc_passwd_open:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Events that Modify User/Group Information via open syscall - /etc/passwd</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the write events to /etc/passwd</oval-def:description>
-            <oval-def:reference ref_id="CCE-82706-3" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_etc_passwd_open" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit rule to record write events to /etc/passwd" test_ref="oval:ssg-test_audit_rules_tc_passwd_open_32bit_augenrules:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit rule to record write events to /etc/passwd" test_ref="oval:ssg-test_audit_rules_tc_passwd_open_64bit_augenrules:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit rule to record write events to /etc/passwd" test_ref="oval:ssg-test_audit_rules_tc_passwd_open_32bit_auditctl:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit_system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit rule to record write events to /etc/passwd" test_ref="oval:ssg-test_audit_rules_tc_passwd_open_64bit_auditctl:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_etc_passwd_open_by_handle_at:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/passwd</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the write events to /etc/passwd</oval-def:description>
-            <oval-def:reference ref_id="CCE-82708-9" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_etc_passwd_open_by_handle_at" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit rule to record write events to /etc/passwd" test_ref="oval:ssg-test_audit_rules_tc_passwd_open_by_handle_at_32bit_augenrules:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit rule to record write events to /etc/passwd" test_ref="oval:ssg-test_audit_rules_tc_passwd_open_by_handle_at_64bit_augenrules:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit rule to record write events to /etc/passwd" test_ref="oval:ssg-test_audit_rules_tc_passwd_open_by_handle_at_32bit_auditctl:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit_system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit rule to record write events to /etc/passwd" test_ref="oval:ssg-test_audit_rules_tc_passwd_open_by_handle_at_64bit_auditctl:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_etc_passwd_openat:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Events that Modify User/Group Information via openat syscall - /etc/passwd</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the write events to /etc/passwd</oval-def:description>
-            <oval-def:reference ref_id="CCE-82707-1" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_etc_passwd_openat" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit rule to record write events to /etc/passwd" test_ref="oval:ssg-test_audit_rules_tc_passwd_openat_32bit_augenrules:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit rule to record write events to /etc/passwd" test_ref="oval:ssg-test_audit_rules_tc_passwd_openat_64bit_augenrules:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit rule to record write events to /etc/passwd" test_ref="oval:ssg-test_audit_rules_tc_passwd_openat_32bit_auditctl:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit_system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit rule to record write events to /etc/passwd" test_ref="oval:ssg-test_audit_rules_tc_passwd_openat_64bit_auditctl:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_etc_shadow_open:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Events that Modify User/Group Information via open syscall - /etc/shadow</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the write events to /etc/shadow</oval-def:description>
-            <oval-def:reference ref_id="CCE-82709-7" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_etc_shadow_open" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit rule to record write events to /etc/shadow" test_ref="oval:ssg-test_audit_rules_tc_shadow_open_32bit_augenrules:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit rule to record write events to /etc/shadow" test_ref="oval:ssg-test_audit_rules_tc_shadow_open_64bit_augenrules:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit rule to record write events to /etc/shadow" test_ref="oval:ssg-test_audit_rules_tc_shadow_open_32bit_auditctl:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit_system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit rule to record write events to /etc/shadow" test_ref="oval:ssg-test_audit_rules_tc_shadow_open_64bit_auditctl:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_etc_shadow_open_by_handle_at:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/shadow</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the write events to /etc/shadow</oval-def:description>
-            <oval-def:reference ref_id="CCE-82711-3" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_etc_shadow_open_by_handle_at" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit rule to record write events to /etc/shadow" test_ref="oval:ssg-test_audit_rules_tc_shadow_open_by_handle_at_32bit_augenrules:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit rule to record write events to /etc/shadow" test_ref="oval:ssg-test_audit_rules_tc_shadow_open_by_handle_at_64bit_augenrules:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit rule to record write events to /etc/shadow" test_ref="oval:ssg-test_audit_rules_tc_shadow_open_by_handle_at_32bit_auditctl:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit_system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit rule to record write events to /etc/shadow" test_ref="oval:ssg-test_audit_rules_tc_shadow_open_by_handle_at_64bit_auditctl:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_etc_shadow_openat:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Events that Modify User/Group Information via openat syscall - /etc/shadow</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the write events to /etc/shadow</oval-def:description>
-            <oval-def:reference ref_id="CCE-82710-5" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_etc_shadow_openat" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit rule to record write events to /etc/shadow" test_ref="oval:ssg-test_audit_rules_tc_shadow_openat_32bit_augenrules:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit rule to record write events to /etc/shadow" test_ref="oval:ssg-test_audit_rules_tc_shadow_openat_64bit_augenrules:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit rule to record write events to /etc/shadow" test_ref="oval:ssg-test_audit_rules_tc_shadow_openat_32bit_auditctl:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit_system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit rule to record write events to /etc/shadow" test_ref="oval:ssg-test_audit_rules_tc_shadow_openat_64bit_auditctl:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_execution_chcon:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Any Attempts to Run chcon</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the information on the use of chcon is enabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82569-5" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_execution_chcon" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules chcon" test_ref="oval:ssg-test_audit_rules_execution_chcon_augenrules:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl chcon" test_ref="oval:ssg-test_audit_rules_execution_chcon_auditctl:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_execution_restorecon:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Any Attempts to Run restorecon</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the information on the use of restorecon is enabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82570-3" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_execution_restorecon" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules restorecon" test_ref="oval:ssg-test_audit_rules_execution_restorecon_augenrules:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl restorecon" test_ref="oval:ssg-test_audit_rules_execution_restorecon_auditctl:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_execution_semanage:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Any Attempts to Run semanage</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the information on the use of semanage is enabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82571-1" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_execution_semanage" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules semanage" test_ref="oval:ssg-test_audit_rules_execution_semanage_augenrules:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl semanage" test_ref="oval:ssg-test_audit_rules_execution_semanage_auditctl:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_execution_setfiles:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Any Attempts to Run setfiles</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the information on the use of setfiles is enabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82572-9" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_execution_setfiles" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules setfiles" test_ref="oval:ssg-test_audit_rules_execution_setfiles_augenrules:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl setfiles" test_ref="oval:ssg-test_audit_rules_execution_setfiles_auditctl:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_execution_setsebool:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Any Attempts to Run setsebool</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the information on the use of setsebool is enabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82573-7" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_execution_setsebool" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules setsebool" test_ref="oval:ssg-test_audit_rules_execution_setsebool_augenrules:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl setsebool" test_ref="oval:ssg-test_audit_rules_execution_setsebool_auditctl:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_execution_seunshare:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Any Attempts to Run seunshare</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the information on the use of seunshare is enabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82574-5" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_execution_seunshare" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules seunshare" test_ref="oval:ssg-test_audit_rules_execution_seunshare_augenrules:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl seunshare" test_ref="oval:ssg-test_audit_rules_execution_seunshare_auditctl:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_file_deletion_events_rename:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure auditd Collects File Deletion Events by User - rename</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The deletion of files should be audited.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82575-2" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_file_deletion_events_rename" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit rename" test_ref="oval:ssg-test_32bit_ardm_rename_augenrules:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit augenrules 64-bit rename" test_ref="oval:ssg-test_64bit_ardm_rename_augenrules:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit rename" test_ref="oval:ssg-test_32bit_ardm_rename_auditctl:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit auditctl 64-bit rename" test_ref="oval:ssg-test_64bit_ardm_rename_auditctl:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_file_deletion_events_renameat:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure auditd Collects File Deletion Events by User - renameat</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The deletion of files should be audited.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82576-0" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_file_deletion_events_renameat" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit renameat" test_ref="oval:ssg-test_32bit_ardm_renameat_augenrules:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit augenrules 64-bit renameat" test_ref="oval:ssg-test_64bit_ardm_renameat_augenrules:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit renameat" test_ref="oval:ssg-test_32bit_ardm_renameat_auditctl:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit auditctl 64-bit renameat" test_ref="oval:ssg-test_64bit_ardm_renameat_auditctl:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_file_deletion_events_rmdir:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure auditd Collects File Deletion Events by User - rmdir</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The deletion of files should be audited.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82577-8" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_file_deletion_events_rmdir" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit rmdir" test_ref="oval:ssg-test_32bit_ardm_rmdir_augenrules:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit augenrules 64-bit rmdir" test_ref="oval:ssg-test_64bit_ardm_rmdir_augenrules:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit rmdir" test_ref="oval:ssg-test_32bit_ardm_rmdir_auditctl:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit auditctl 64-bit rmdir" test_ref="oval:ssg-test_64bit_ardm_rmdir_auditctl:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_file_deletion_events_unlink:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure auditd Collects File Deletion Events by User - unlink</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The deletion of files should be audited.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82578-6" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_file_deletion_events_unlink" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit unlink" test_ref="oval:ssg-test_32bit_ardm_unlink_augenrules:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit augenrules 64-bit unlink" test_ref="oval:ssg-test_64bit_ardm_unlink_augenrules:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit unlink" test_ref="oval:ssg-test_32bit_ardm_unlink_auditctl:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit auditctl 64-bit unlink" test_ref="oval:ssg-test_64bit_ardm_unlink_auditctl:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_file_deletion_events_unlinkat:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure auditd Collects File Deletion Events by User - unlinkat</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The deletion of files should be audited.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82579-4" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_file_deletion_events_unlinkat" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit unlinkat" test_ref="oval:ssg-test_32bit_ardm_unlinkat_augenrules:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit augenrules 64-bit unlinkat" test_ref="oval:ssg-test_64bit_ardm_unlinkat_augenrules:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit unlinkat" test_ref="oval:ssg-test_32bit_ardm_unlinkat_auditctl:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit auditctl 64-bit unlinkat" test_ref="oval:ssg-test_64bit_ardm_unlinkat_auditctl:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_login_events_faillock:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Record Attempts to Alter Logon and Logout Events - faillock</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules should be configured to log successful and unsuccessful login and logout events.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82583-6" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_login_events_faillock" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules faillock" test_ref="oval:ssg-test_arle_faillock_augenrules:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl faillock" test_ref="oval:ssg-test_arle_faillock_auditctl:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_login_events_lastlog:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Record Attempts to Alter Logon and Logout Events - lastlog</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules should be configured to log successful and unsuccessful login and logout events.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82584-4" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_login_events_lastlog" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules lastlog" test_ref="oval:ssg-test_arle_lastlog_augenrules:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl lastlog" test_ref="oval:ssg-test_arle_lastlog_auditctl:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_login_events_tallylog:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Record Attempts to Alter Logon and Logout Events - tallylog</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules should be configured to log successful and unsuccessful login and logout events.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82585-1" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_login_events_tallylog" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules tallylog" test_ref="oval:ssg-test_arle_tallylog_augenrules:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl tallylog" test_ref="oval:ssg-test_arle_tallylog_auditctl:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_media_export:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure auditd Collects Information on Exporting to Media (successful)</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The changing of file permissions and attributes should be audited.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82587-7" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_media_export" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit mount" test_ref="oval:ssg-test_32bit_ardm_mount_augenrules:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit augenrules 64-bit mount" test_ref="oval:ssg-test_64bit_ardm_mount_augenrules:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit mount" test_ref="oval:ssg-test_32bit_ardm_mount_auditctl:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit auditctl 64-bit mount" test_ref="oval:ssg-test_64bit_ardm_mount_auditctl:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_privileged_commands_at:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure auditd Collects Information on the Use of Privileged Commands - at</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the information on the use of at is enabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82590-1" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_privileged_commands_at" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules at" test_ref="oval:ssg-test_audit_rules_privileged_commands_at_augenrules:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl at" test_ref="oval:ssg-test_audit_rules_privileged_commands_at_auditctl:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_privileged_commands_chage:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure auditd Collects Information on the Use of Privileged Commands - chage</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the information on the use of chage is enabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82591-9" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_privileged_commands_chage" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules chage" test_ref="oval:ssg-test_audit_rules_privileged_commands_chage_augenrules:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl chage" test_ref="oval:ssg-test_audit_rules_privileged_commands_chage_auditctl:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_privileged_commands_chsh:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure auditd Collects Information on the Use of Privileged Commands - chsh</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the information on the use of chsh is enabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82592-7" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_privileged_commands_chsh" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules chsh" test_ref="oval:ssg-test_audit_rules_privileged_commands_chsh_augenrules:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl chsh" test_ref="oval:ssg-test_audit_rules_privileged_commands_chsh_auditctl:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_privileged_commands_crontab:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure auditd Collects Information on the Use of Privileged Commands - crontab</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the information on the use of crontab is enabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82593-5" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_privileged_commands_crontab" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules crontab" test_ref="oval:ssg-test_audit_rules_privileged_commands_crontab_augenrules:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl crontab" test_ref="oval:ssg-test_audit_rules_privileged_commands_crontab_auditctl:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_privileged_commands_gpasswd:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the information on the use of gpasswd is enabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82594-3" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_privileged_commands_gpasswd" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules gpasswd" test_ref="oval:ssg-test_audit_rules_privileged_commands_gpasswd_augenrules:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl gpasswd" test_ref="oval:ssg-test_audit_rules_privileged_commands_gpasswd_auditctl:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_privileged_commands_mount:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure auditd Collects Information on the Use of Privileged Commands - mount</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the information on the use of mount is enabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82595-0" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_privileged_commands_mount" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules mount" test_ref="oval:ssg-test_audit_rules_privileged_commands_mount_augenrules:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl mount" test_ref="oval:ssg-test_audit_rules_privileged_commands_mount_auditctl:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_privileged_commands_newgidmap:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure auditd Collects Information on the Use of Privileged Commands - newgidmap</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the information on the use of newgidmap is enabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82596-8" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_privileged_commands_newgidmap" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules newgidmap" test_ref="oval:ssg-test_audit_rules_privileged_commands_newgidmap_augenrules:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl newgidmap" test_ref="oval:ssg-test_audit_rules_privileged_commands_newgidmap_auditctl:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_privileged_commands_newgrp:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure auditd Collects Information on the Use of Privileged Commands - newgrp</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the information on the use of newgrp is enabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82597-6" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_privileged_commands_newgrp" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules newgrp" test_ref="oval:ssg-test_audit_rules_privileged_commands_newgrp_augenrules:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl newgrp" test_ref="oval:ssg-test_audit_rules_privileged_commands_newgrp_auditctl:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_privileged_commands_newuidmap:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure auditd Collects Information on the Use of Privileged Commands - newuidmap</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the information on the use of newuidmap is enabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82598-4" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_privileged_commands_newuidmap" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules newuidmap" test_ref="oval:ssg-test_audit_rules_privileged_commands_newuidmap_augenrules:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl newuidmap" test_ref="oval:ssg-test_audit_rules_privileged_commands_newuidmap_auditctl:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_privileged_commands_pam_timestamp_check:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the information on the use of pam_timestamp_check is enabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82599-2" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_privileged_commands_pam_timestamp_check" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules pam_timestamp_check" test_ref="oval:ssg-test_audit_rules_privileged_commands_pam_timestamp_check_augenrules:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl pam_timestamp_check" test_ref="oval:ssg-test_audit_rules_privileged_commands_pam_timestamp_check_auditctl:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_privileged_commands_passwd:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure auditd Collects Information on the Use of Privileged Commands - passwd</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the information on the use of passwd is enabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82600-8" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_privileged_commands_passwd" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules passwd" test_ref="oval:ssg-test_audit_rules_privileged_commands_passwd_augenrules:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl passwd" test_ref="oval:ssg-test_audit_rules_privileged_commands_passwd_auditctl:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_privileged_commands_postdrop:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure auditd Collects Information on the Use of Privileged Commands - postdrop</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the information on the use of postdrop is enabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82601-6" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_privileged_commands_postdrop" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules postdrop" test_ref="oval:ssg-test_audit_rules_privileged_commands_postdrop_augenrules:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl postdrop" test_ref="oval:ssg-test_audit_rules_privileged_commands_postdrop_auditctl:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_privileged_commands_postqueue:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure auditd Collects Information on the Use of Privileged Commands - postqueue</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the information on the use of postqueue is enabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82602-4" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_privileged_commands_postqueue" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules postqueue" test_ref="oval:ssg-test_audit_rules_privileged_commands_postqueue_augenrules:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl postqueue" test_ref="oval:ssg-test_audit_rules_privileged_commands_postqueue_auditctl:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_privileged_commands_pt_chown:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure auditd Collects Information on the Use of Privileged Commands - pt_chown</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the information on the use of pt_chown is enabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82603-2" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_privileged_commands_pt_chown" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules pt_chown" test_ref="oval:ssg-test_audit_rules_privileged_commands_pt_chown_augenrules:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl pt_chown" test_ref="oval:ssg-test_audit_rules_privileged_commands_pt_chown_auditctl:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_privileged_commands_ssh_keysign:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the information on the use of ssh_keysign is enabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82604-0" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_privileged_commands_ssh_keysign" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules ssh_keysign" test_ref="oval:ssg-test_audit_rules_privileged_commands_ssh_keysign_augenrules:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl ssh_keysign" test_ref="oval:ssg-test_audit_rules_privileged_commands_ssh_keysign_auditctl:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_privileged_commands_su:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure auditd Collects Information on the Use of Privileged Commands - su</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the information on the use of su is enabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82605-7" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_privileged_commands_su" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules su" test_ref="oval:ssg-test_audit_rules_privileged_commands_su_augenrules:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl su" test_ref="oval:ssg-test_audit_rules_privileged_commands_su_auditctl:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_privileged_commands_sudo:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure auditd Collects Information on the Use of Privileged Commands - sudo</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the information on the use of sudo is enabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82606-5" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_privileged_commands_sudo" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules sudo" test_ref="oval:ssg-test_audit_rules_privileged_commands_sudo_augenrules:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl sudo" test_ref="oval:ssg-test_audit_rules_privileged_commands_sudo_auditctl:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_privileged_commands_sudoedit:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the information on the use of sudoedit is enabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82607-3" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_privileged_commands_sudoedit" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules sudoedit" test_ref="oval:ssg-test_audit_rules_privileged_commands_sudoedit_augenrules:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl sudoedit" test_ref="oval:ssg-test_audit_rules_privileged_commands_sudoedit_auditctl:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_privileged_commands_umount:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure auditd Collects Information on the Use of Privileged Commands - umount</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the information on the use of umount is enabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82608-1" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_privileged_commands_umount" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules umount" test_ref="oval:ssg-test_audit_rules_privileged_commands_umount_augenrules:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl umount" test_ref="oval:ssg-test_audit_rules_privileged_commands_umount_auditctl:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_privileged_commands_unix_chkpwd:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the information on the use of unix_chkpwd is enabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82609-9" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_privileged_commands_unix_chkpwd" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules unix_chkpwd" test_ref="oval:ssg-test_audit_rules_privileged_commands_unix_chkpwd_augenrules:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl unix_chkpwd" test_ref="oval:ssg-test_audit_rules_privileged_commands_unix_chkpwd_auditctl:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_privileged_commands_userhelper:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure auditd Collects Information on the Use of Privileged Commands - userhelper</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the information on the use of userhelper is enabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82610-7" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_privileged_commands_userhelper" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules userhelper" test_ref="oval:ssg-test_audit_rules_privileged_commands_userhelper_augenrules:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl userhelper" test_ref="oval:ssg-test_audit_rules_privileged_commands_userhelper_auditctl:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_privileged_commands_usernetctl:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure auditd Collects Information on the Use of Privileged Commands - usernetctl</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the information on the use of usernetctl is enabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82611-5" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_privileged_commands_usernetctl" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules usernetctl" test_ref="oval:ssg-test_audit_rules_privileged_commands_usernetctl_augenrules:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl usernetctl" test_ref="oval:ssg-test_audit_rules_privileged_commands_usernetctl_auditctl:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_unsuccessful_file_modification_chmod:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Unsuccessful Permission Changes to Files - chmod</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82619-8" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_unsuccessful_file_modification_chmod" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit file eacces" test_ref="oval:ssg-test_32bit_arufm_eacces_chmod_augenrules:tst:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit file eperm" test_ref="oval:ssg-test_32bit_arufm_eperm_chmod_augenrules:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criteria operator="AND">
-                  <oval-def:criterion comment="audit augenrules 64-bit file eacces" test_ref="oval:ssg-test_64bit_arufm_eacces_chmod_augenrules:tst:1"/>
-                  <oval-def:criterion comment="audit augenrules 64-bit file eperm" test_ref="oval:ssg-test_64bit_arufm_eperm_chmod_augenrules:tst:1"/>
-                </oval-def:criteria>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit file eacces" test_ref="oval:ssg-test_32bit_arufm_eacces_chmod_auditctl:tst:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit file eperm" test_ref="oval:ssg-test_32bit_arufm_eperm_chmod_auditctl:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit_system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criteria operator="AND">
-                  <oval-def:criterion comment="audit auditctl 64-bit file eacces" test_ref="oval:ssg-test_64bit_arufm_eacces_chmod_auditctl:tst:1"/>
-                  <oval-def:criterion comment="audit auditctl 64-bit file eperm" test_ref="oval:ssg-test_64bit_arufm_eperm_chmod_auditctl:tst:1"/>
-                </oval-def:criteria>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_unsuccessful_file_modification_chown:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Unsuccessful Ownership Changes to Files - chown</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82620-6" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_unsuccessful_file_modification_chown" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit file eacces" test_ref="oval:ssg-test_32bit_arufm_eacces_chown_augenrules:tst:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit file eperm" test_ref="oval:ssg-test_32bit_arufm_eperm_chown_augenrules:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criteria operator="AND">
-                  <oval-def:criterion comment="audit augenrules 64-bit file eacces" test_ref="oval:ssg-test_64bit_arufm_eacces_chown_augenrules:tst:1"/>
-                  <oval-def:criterion comment="audit augenrules 64-bit file eperm" test_ref="oval:ssg-test_64bit_arufm_eperm_chown_augenrules:tst:1"/>
-                </oval-def:criteria>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit file eacces" test_ref="oval:ssg-test_32bit_arufm_eacces_chown_auditctl:tst:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit file eperm" test_ref="oval:ssg-test_32bit_arufm_eperm_chown_auditctl:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit_system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criteria operator="AND">
-                  <oval-def:criterion comment="audit auditctl 64-bit file eacces" test_ref="oval:ssg-test_64bit_arufm_eacces_chown_auditctl:tst:1"/>
-                  <oval-def:criterion comment="audit auditctl 64-bit file eperm" test_ref="oval:ssg-test_64bit_arufm_eperm_chown_auditctl:tst:1"/>
-                </oval-def:criteria>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_unsuccessful_file_modification_creat:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Unsuccessful Access Attempts to Files - creat</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82621-4" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_unsuccessful_file_modification_creat" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit file eacces" test_ref="oval:ssg-test_32bit_arufm_eacces_creat_augenrules:tst:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit file eperm" test_ref="oval:ssg-test_32bit_arufm_eperm_creat_augenrules:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criteria operator="AND">
-                  <oval-def:criterion comment="audit augenrules 64-bit file eacces" test_ref="oval:ssg-test_64bit_arufm_eacces_creat_augenrules:tst:1"/>
-                  <oval-def:criterion comment="audit augenrules 64-bit file eperm" test_ref="oval:ssg-test_64bit_arufm_eperm_creat_augenrules:tst:1"/>
-                </oval-def:criteria>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit file eacces" test_ref="oval:ssg-test_32bit_arufm_eacces_creat_auditctl:tst:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit file eperm" test_ref="oval:ssg-test_32bit_arufm_eperm_creat_auditctl:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit_system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criteria operator="AND">
-                  <oval-def:criterion comment="audit auditctl 64-bit file eacces" test_ref="oval:ssg-test_64bit_arufm_eacces_creat_auditctl:tst:1"/>
-                  <oval-def:criterion comment="audit auditctl 64-bit file eperm" test_ref="oval:ssg-test_64bit_arufm_eperm_creat_auditctl:tst:1"/>
-                </oval-def:criteria>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_unsuccessful_file_modification_fchmod:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Unsuccessful Permission Changes to Files - fchmod</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82622-2" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_unsuccessful_file_modification_fchmod" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit file eacces" test_ref="oval:ssg-test_32bit_arufm_eacces_fchmod_augenrules:tst:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit file eperm" test_ref="oval:ssg-test_32bit_arufm_eperm_fchmod_augenrules:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criteria operator="AND">
-                  <oval-def:criterion comment="audit augenrules 64-bit file eacces" test_ref="oval:ssg-test_64bit_arufm_eacces_fchmod_augenrules:tst:1"/>
-                  <oval-def:criterion comment="audit augenrules 64-bit file eperm" test_ref="oval:ssg-test_64bit_arufm_eperm_fchmod_augenrules:tst:1"/>
-                </oval-def:criteria>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit file eacces" test_ref="oval:ssg-test_32bit_arufm_eacces_fchmod_auditctl:tst:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit file eperm" test_ref="oval:ssg-test_32bit_arufm_eperm_fchmod_auditctl:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit_system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criteria operator="AND">
-                  <oval-def:criterion comment="audit auditctl 64-bit file eacces" test_ref="oval:ssg-test_64bit_arufm_eacces_fchmod_auditctl:tst:1"/>
-                  <oval-def:criterion comment="audit auditctl 64-bit file eperm" test_ref="oval:ssg-test_64bit_arufm_eperm_fchmod_auditctl:tst:1"/>
-                </oval-def:criteria>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_unsuccessful_file_modification_fchmodat:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Unsuccessful Permission Changes to Files - fchmodat</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82624-8" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_unsuccessful_file_modification_fchmodat" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit file eacces" test_ref="oval:ssg-test_32bit_arufm_eacces_fchmodat_augenrules:tst:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit file eperm" test_ref="oval:ssg-test_32bit_arufm_eperm_fchmodat_augenrules:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criteria operator="AND">
-                  <oval-def:criterion comment="audit augenrules 64-bit file eacces" test_ref="oval:ssg-test_64bit_arufm_eacces_fchmodat_augenrules:tst:1"/>
-                  <oval-def:criterion comment="audit augenrules 64-bit file eperm" test_ref="oval:ssg-test_64bit_arufm_eperm_fchmodat_augenrules:tst:1"/>
-                </oval-def:criteria>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit file eacces" test_ref="oval:ssg-test_32bit_arufm_eacces_fchmodat_auditctl:tst:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit file eperm" test_ref="oval:ssg-test_32bit_arufm_eperm_fchmodat_auditctl:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit_system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criteria operator="AND">
-                  <oval-def:criterion comment="audit auditctl 64-bit file eacces" test_ref="oval:ssg-test_64bit_arufm_eacces_fchmodat_auditctl:tst:1"/>
-                  <oval-def:criterion comment="audit auditctl 64-bit file eperm" test_ref="oval:ssg-test_64bit_arufm_eperm_fchmodat_auditctl:tst:1"/>
-                </oval-def:criteria>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_unsuccessful_file_modification_fchown:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Unsuccessful Ownership Changes to Files - fchown</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82625-5" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_unsuccessful_file_modification_fchown" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit file eacces" test_ref="oval:ssg-test_32bit_arufm_eacces_fchown_augenrules:tst:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit file eperm" test_ref="oval:ssg-test_32bit_arufm_eperm_fchown_augenrules:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criteria operator="AND">
-                  <oval-def:criterion comment="audit augenrules 64-bit file eacces" test_ref="oval:ssg-test_64bit_arufm_eacces_fchown_augenrules:tst:1"/>
-                  <oval-def:criterion comment="audit augenrules 64-bit file eperm" test_ref="oval:ssg-test_64bit_arufm_eperm_fchown_augenrules:tst:1"/>
-                </oval-def:criteria>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit file eacces" test_ref="oval:ssg-test_32bit_arufm_eacces_fchown_auditctl:tst:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit file eperm" test_ref="oval:ssg-test_32bit_arufm_eperm_fchown_auditctl:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit_system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criteria operator="AND">
-                  <oval-def:criterion comment="audit auditctl 64-bit file eacces" test_ref="oval:ssg-test_64bit_arufm_eacces_fchown_auditctl:tst:1"/>
-                  <oval-def:criterion comment="audit auditctl 64-bit file eperm" test_ref="oval:ssg-test_64bit_arufm_eperm_fchown_auditctl:tst:1"/>
-                </oval-def:criteria>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_unsuccessful_file_modification_fchownat:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Unsuccessful Ownership Changes to Files - fchownat</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82626-3" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_unsuccessful_file_modification_fchownat" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit file eacces" test_ref="oval:ssg-test_32bit_arufm_eacces_fchownat_augenrules:tst:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit file eperm" test_ref="oval:ssg-test_32bit_arufm_eperm_fchownat_augenrules:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criteria operator="AND">
-                  <oval-def:criterion comment="audit augenrules 64-bit file eacces" test_ref="oval:ssg-test_64bit_arufm_eacces_fchownat_augenrules:tst:1"/>
-                  <oval-def:criterion comment="audit augenrules 64-bit file eperm" test_ref="oval:ssg-test_64bit_arufm_eperm_fchownat_augenrules:tst:1"/>
-                </oval-def:criteria>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit file eacces" test_ref="oval:ssg-test_32bit_arufm_eacces_fchownat_auditctl:tst:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit file eperm" test_ref="oval:ssg-test_32bit_arufm_eperm_fchownat_auditctl:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit_system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criteria operator="AND">
-                  <oval-def:criterion comment="audit auditctl 64-bit file eacces" test_ref="oval:ssg-test_64bit_arufm_eacces_fchownat_auditctl:tst:1"/>
-                  <oval-def:criterion comment="audit auditctl 64-bit file eperm" test_ref="oval:ssg-test_64bit_arufm_eperm_fchownat_auditctl:tst:1"/>
-                </oval-def:criteria>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_unsuccessful_file_modification_fremovexattr:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Unsuccessful Permission Changes to Files - fremovexattr</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82627-1" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_unsuccessful_file_modification_fremovexattr" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit file eacces" test_ref="oval:ssg-test_32bit_arufm_eacces_fremovexattr_augenrules:tst:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit file eperm" test_ref="oval:ssg-test_32bit_arufm_eperm_fremovexattr_augenrules:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criteria operator="AND">
-                  <oval-def:criterion comment="audit augenrules 64-bit file eacces" test_ref="oval:ssg-test_64bit_arufm_eacces_fremovexattr_augenrules:tst:1"/>
-                  <oval-def:criterion comment="audit augenrules 64-bit file eperm" test_ref="oval:ssg-test_64bit_arufm_eperm_fremovexattr_augenrules:tst:1"/>
-                </oval-def:criteria>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit file eacces" test_ref="oval:ssg-test_32bit_arufm_eacces_fremovexattr_auditctl:tst:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit file eperm" test_ref="oval:ssg-test_32bit_arufm_eperm_fremovexattr_auditctl:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit_system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criteria operator="AND">
-                  <oval-def:criterion comment="audit auditctl 64-bit file eacces" test_ref="oval:ssg-test_64bit_arufm_eacces_fremovexattr_auditctl:tst:1"/>
-                  <oval-def:criterion comment="audit auditctl 64-bit file eperm" test_ref="oval:ssg-test_64bit_arufm_eperm_fremovexattr_auditctl:tst:1"/>
-                </oval-def:criteria>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_unsuccessful_file_modification_fsetxattr:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Unsuccessful Permission Changes to Files - fsetxattr</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82628-9" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_unsuccessful_file_modification_fsetxattr" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit file eacces" test_ref="oval:ssg-test_32bit_arufm_eacces_fsetxattr_augenrules:tst:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit file eperm" test_ref="oval:ssg-test_32bit_arufm_eperm_fsetxattr_augenrules:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criteria operator="AND">
-                  <oval-def:criterion comment="audit augenrules 64-bit file eacces" test_ref="oval:ssg-test_64bit_arufm_eacces_fsetxattr_augenrules:tst:1"/>
-                  <oval-def:criterion comment="audit augenrules 64-bit file eperm" test_ref="oval:ssg-test_64bit_arufm_eperm_fsetxattr_augenrules:tst:1"/>
-                </oval-def:criteria>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit file eacces" test_ref="oval:ssg-test_32bit_arufm_eacces_fsetxattr_auditctl:tst:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit file eperm" test_ref="oval:ssg-test_32bit_arufm_eperm_fsetxattr_auditctl:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit_system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criteria operator="AND">
-                  <oval-def:criterion comment="audit auditctl 64-bit file eacces" test_ref="oval:ssg-test_64bit_arufm_eacces_fsetxattr_auditctl:tst:1"/>
-                  <oval-def:criterion comment="audit auditctl 64-bit file eperm" test_ref="oval:ssg-test_64bit_arufm_eperm_fsetxattr_auditctl:tst:1"/>
-                </oval-def:criteria>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_unsuccessful_file_modification_ftruncate:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Unsuccessful Access Attempts to Files - ftruncate</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82629-7" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_unsuccessful_file_modification_ftruncate" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit file eacces" test_ref="oval:ssg-test_32bit_arufm_eacces_ftruncate_augenrules:tst:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit file eperm" test_ref="oval:ssg-test_32bit_arufm_eperm_ftruncate_augenrules:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criteria operator="AND">
-                  <oval-def:criterion comment="audit augenrules 64-bit file eacces" test_ref="oval:ssg-test_64bit_arufm_eacces_ftruncate_augenrules:tst:1"/>
-                  <oval-def:criterion comment="audit augenrules 64-bit file eperm" test_ref="oval:ssg-test_64bit_arufm_eperm_ftruncate_augenrules:tst:1"/>
-                </oval-def:criteria>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit file eacces" test_ref="oval:ssg-test_32bit_arufm_eacces_ftruncate_auditctl:tst:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit file eperm" test_ref="oval:ssg-test_32bit_arufm_eperm_ftruncate_auditctl:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit_system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criteria operator="AND">
-                  <oval-def:criterion comment="audit auditctl 64-bit file eacces" test_ref="oval:ssg-test_64bit_arufm_eacces_ftruncate_auditctl:tst:1"/>
-                  <oval-def:criterion comment="audit auditctl 64-bit file eperm" test_ref="oval:ssg-test_64bit_arufm_eperm_ftruncate_auditctl:tst:1"/>
-                </oval-def:criteria>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_unsuccessful_file_modification_lchown:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Unsuccessful Ownership Changes to Files - lchown</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82630-5" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_unsuccessful_file_modification_lchown" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit file eacces" test_ref="oval:ssg-test_32bit_arufm_eacces_lchown_augenrules:tst:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit file eperm" test_ref="oval:ssg-test_32bit_arufm_eperm_lchown_augenrules:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criteria operator="AND">
-                  <oval-def:criterion comment="audit augenrules 64-bit file eacces" test_ref="oval:ssg-test_64bit_arufm_eacces_lchown_augenrules:tst:1"/>
-                  <oval-def:criterion comment="audit augenrules 64-bit file eperm" test_ref="oval:ssg-test_64bit_arufm_eperm_lchown_augenrules:tst:1"/>
-                </oval-def:criteria>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit file eacces" test_ref="oval:ssg-test_32bit_arufm_eacces_lchown_auditctl:tst:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit file eperm" test_ref="oval:ssg-test_32bit_arufm_eperm_lchown_auditctl:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit_system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criteria operator="AND">
-                  <oval-def:criterion comment="audit auditctl 64-bit file eacces" test_ref="oval:ssg-test_64bit_arufm_eacces_lchown_auditctl:tst:1"/>
-                  <oval-def:criterion comment="audit auditctl 64-bit file eperm" test_ref="oval:ssg-test_64bit_arufm_eperm_lchown_auditctl:tst:1"/>
-                </oval-def:criteria>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_unsuccessful_file_modification_lremovexattr:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Unsuccessful Permission Changes to Files - lremovexattr</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82631-3" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_unsuccessful_file_modification_lremovexattr" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit file eacces" test_ref="oval:ssg-test_32bit_arufm_eacces_lremovexattr_augenrules:tst:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit file eperm" test_ref="oval:ssg-test_32bit_arufm_eperm_lremovexattr_augenrules:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criteria operator="AND">
-                  <oval-def:criterion comment="audit augenrules 64-bit file eacces" test_ref="oval:ssg-test_64bit_arufm_eacces_lremovexattr_augenrules:tst:1"/>
-                  <oval-def:criterion comment="audit augenrules 64-bit file eperm" test_ref="oval:ssg-test_64bit_arufm_eperm_lremovexattr_augenrules:tst:1"/>
-                </oval-def:criteria>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit file eacces" test_ref="oval:ssg-test_32bit_arufm_eacces_lremovexattr_auditctl:tst:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit file eperm" test_ref="oval:ssg-test_32bit_arufm_eperm_lremovexattr_auditctl:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit_system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criteria operator="AND">
-                  <oval-def:criterion comment="audit auditctl 64-bit file eacces" test_ref="oval:ssg-test_64bit_arufm_eacces_lremovexattr_auditctl:tst:1"/>
-                  <oval-def:criterion comment="audit auditctl 64-bit file eperm" test_ref="oval:ssg-test_64bit_arufm_eperm_lremovexattr_auditctl:tst:1"/>
-                </oval-def:criteria>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_unsuccessful_file_modification_lsetxattr:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Unsuccessful Permission Changes to Files - lsetxattr</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82632-1" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_unsuccessful_file_modification_lsetxattr" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit file eacces" test_ref="oval:ssg-test_32bit_arufm_eacces_lsetxattr_augenrules:tst:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit file eperm" test_ref="oval:ssg-test_32bit_arufm_eperm_lsetxattr_augenrules:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criteria operator="AND">
-                  <oval-def:criterion comment="audit augenrules 64-bit file eacces" test_ref="oval:ssg-test_64bit_arufm_eacces_lsetxattr_augenrules:tst:1"/>
-                  <oval-def:criterion comment="audit augenrules 64-bit file eperm" test_ref="oval:ssg-test_64bit_arufm_eperm_lsetxattr_augenrules:tst:1"/>
-                </oval-def:criteria>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit file eacces" test_ref="oval:ssg-test_32bit_arufm_eacces_lsetxattr_auditctl:tst:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit file eperm" test_ref="oval:ssg-test_32bit_arufm_eperm_lsetxattr_auditctl:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit_system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criteria operator="AND">
-                  <oval-def:criterion comment="audit auditctl 64-bit file eacces" test_ref="oval:ssg-test_64bit_arufm_eacces_lsetxattr_auditctl:tst:1"/>
-                  <oval-def:criterion comment="audit auditctl 64-bit file eperm" test_ref="oval:ssg-test_64bit_arufm_eperm_lsetxattr_auditctl:tst:1"/>
-                </oval-def:criteria>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_unsuccessful_file_modification_open:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Unsuccessful Access Attempts to Files - open</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82633-9" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_unsuccessful_file_modification_open" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit file eacces" test_ref="oval:ssg-test_32bit_arufm_eacces_open_augenrules:tst:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit file eperm" test_ref="oval:ssg-test_32bit_arufm_eperm_open_augenrules:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criteria operator="AND">
-                  <oval-def:criterion comment="audit augenrules 64-bit file eacces" test_ref="oval:ssg-test_64bit_arufm_eacces_open_augenrules:tst:1"/>
-                  <oval-def:criterion comment="audit augenrules 64-bit file eperm" test_ref="oval:ssg-test_64bit_arufm_eperm_open_augenrules:tst:1"/>
-                </oval-def:criteria>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit file eacces" test_ref="oval:ssg-test_32bit_arufm_eacces_open_auditctl:tst:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit file eperm" test_ref="oval:ssg-test_32bit_arufm_eperm_open_auditctl:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit_system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criteria operator="AND">
-                  <oval-def:criterion comment="audit auditctl 64-bit file eacces" test_ref="oval:ssg-test_64bit_arufm_eacces_open_auditctl:tst:1"/>
-                  <oval-def:criterion comment="audit auditctl 64-bit file eperm" test_ref="oval:ssg-test_64bit_arufm_eperm_open_auditctl:tst:1"/>
-                </oval-def:criteria>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Unsuccessful Access Attempts to Files - open_by_handle_at</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82640-4" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_unsuccessful_file_modification_open_by_handle_at" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit file eacces" test_ref="oval:ssg-test_32bit_arufm_eacces_open_by_handle_at_augenrules:tst:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit file eperm" test_ref="oval:ssg-test_32bit_arufm_eperm_open_by_handle_at_augenrules:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criteria operator="AND">
-                  <oval-def:criterion comment="audit augenrules 64-bit file eacces" test_ref="oval:ssg-test_64bit_arufm_eacces_open_by_handle_at_augenrules:tst:1"/>
-                  <oval-def:criterion comment="audit augenrules 64-bit file eperm" test_ref="oval:ssg-test_64bit_arufm_eperm_open_by_handle_at_augenrules:tst:1"/>
-                </oval-def:criteria>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit file eacces" test_ref="oval:ssg-test_32bit_arufm_eacces_open_by_handle_at_auditctl:tst:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit file eperm" test_ref="oval:ssg-test_32bit_arufm_eperm_open_by_handle_at_auditctl:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit_system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criteria operator="AND">
-                  <oval-def:criterion comment="audit auditctl 64-bit file eacces" test_ref="oval:ssg-test_64bit_arufm_eacces_open_by_handle_at_auditctl:tst:1"/>
-                  <oval-def:criterion comment="audit auditctl 64-bit file eperm" test_ref="oval:ssg-test_64bit_arufm_eperm_open_by_handle_at_auditctl:tst:1"/>
-                </oval-def:criteria>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Unsuccessful Creation Attempts to Files - open_by_handle_at O_CREAT</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the information on the unsuccessful use of open_by_handle_at O_CREAT is enabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82641-2" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="Verify audit rule open_by_handle_at 32bit a2&amp;0100 eacces augenrules exists" test_ref="oval:ssg-test_arufm_open_by_handle_at_o_creat_32bit_a20100_eacces_augenrules:tst:1"/>
-              <oval-def:criterion comment="Verify audit rule open_by_handle_at 32bit a2&amp;0100 eperm augenrules exists" test_ref="oval:ssg-test_arufm_open_by_handle_at_o_creat_32bit_a20100_eperm_augenrules:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criteria operator="AND">
-                  <oval-def:criterion comment="Verify audit rule open_by_handle_at 64bit a2&amp;0100 eacces augenrules exists" test_ref="oval:ssg-test_arufm_open_by_handle_at_o_creat_64bit_a20100_eacces_augenrules:tst:1"/>
-                  <oval-def:criterion comment="Verify audit rule open_by_handle_at 64bit a2&amp;0100 eperm augenrules exists" test_ref="oval:ssg-test_arufm_open_by_handle_at_o_creat_64bit_a20100_eperm_augenrules:tst:1"/>
-                </oval-def:criteria>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="Verify audit rule open_by_handle_at 32bit a2&amp;0100 eacces auditctl exists" test_ref="oval:ssg-test_arufm_open_by_handle_at_o_creat_32bit_a20100_eacces_auditctl:tst:1"/>
-              <oval-def:criterion comment="Verify audit rule open_by_handle_at 32bit a2&amp;0100 eperm auditctl exists" test_ref="oval:ssg-test_arufm_open_by_handle_at_o_creat_32bit_a20100_eperm_auditctl:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit_system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criteria operator="AND">
-                  <oval-def:criterion comment="Verify audit rule open_by_handle_at 64bit a2&amp;0100 eacces auditctl exists" test_ref="oval:ssg-test_arufm_open_by_handle_at_o_creat_64bit_a20100_eacces_auditctl:tst:1"/>
-                  <oval-def:criterion comment="Verify audit rule open_by_handle_at 64bit a2&amp;0100 eperm auditctl exists" test_ref="oval:ssg-test_arufm_open_by_handle_at_o_creat_64bit_a20100_eperm_auditctl:tst:1"/>
-                </oval-def:criteria>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Unsuccessful Modification Attempts to Files - open_by_handle_at O_TRUNC_WRITE</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the information on the unsuccessful use of open_by_handle_at O_TRUNC is enabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82642-0" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="Verify audit rule open_by_handle_at 32bit a2&amp;01003 eacces augenrules exists" test_ref="oval:ssg-test_arufm_open_by_handle_at_o_trunc_32bit_a201003_eacces_augenrules:tst:1"/>
-              <oval-def:criterion comment="Verify audit rule open_by_handle_at 32bit a2&amp;01003 eperm augenrules exists" test_ref="oval:ssg-test_arufm_open_by_handle_at_o_trunc_32bit_a201003_eperm_augenrules:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criteria operator="AND">
-                  <oval-def:criterion comment="Verify audit rule open_by_handle_at 64bit a2&amp;01003 eacces augenrules exists" test_ref="oval:ssg-test_arufm_open_by_handle_at_o_trunc_64bit_a201003_eacces_augenrules:tst:1"/>
-                  <oval-def:criterion comment="Verify audit rule open_by_handle_at 64bit a2&amp;01003 eperm augenrules exists" test_ref="oval:ssg-test_arufm_open_by_handle_at_o_trunc_64bit_a201003_eperm_augenrules:tst:1"/>
-                </oval-def:criteria>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="Verify audit rule open_by_handle_at 32bit a2&amp;01003 eacces auditctl exists" test_ref="oval:ssg-test_arufm_open_by_handle_at_o_trunc_32bit_a201003_eacces_auditctl:tst:1"/>
-              <oval-def:criterion comment="Verify audit rule open_by_handle_at 32bit a2&amp;01003 eperm auditctl exists" test_ref="oval:ssg-test_arufm_open_by_handle_at_o_trunc_32bit_a201003_eperm_auditctl:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit_system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criteria operator="AND">
-                  <oval-def:criterion comment="Verify audit rule open_by_handle_at 64bit a2&amp;01003 eacces auditctl exists" test_ref="oval:ssg-test_arufm_open_by_handle_at_o_trunc_64bit_a201003_eacces_auditctl:tst:1"/>
-                  <oval-def:criterion comment="Verify audit rule open_by_handle_at 64bit a2&amp;01003 eperm auditctl exists" test_ref="oval:ssg-test_arufm_open_by_handle_at_o_trunc_64bit_a201003_eperm_auditctl:tst:1"/>
-                </oval-def:criteria>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure auditd Unauthorized Access Attempts To open_by_handle_at Are Ordered Correctly</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the information on the unsuccessful use of open_by_handle_at is configured in the proper rule order.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82643-8" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit" test_ref="oval:ssg-test_arufm_open_by_handle_at_order_32bit_eacces_augenrules:tst:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit" test_ref="oval:ssg-test_arufm_open_by_handle_at_order_32bit_eperm_augenrules:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criteria operator="AND">
-                  <oval-def:criterion comment="audit augenrules 64-bit" test_ref="oval:ssg-test_arufm_open_by_handle_at_order_64bit_eacces_augenrules:tst:1"/>
-                  <oval-def:criterion comment="audit augenrules 64-bit" test_ref="oval:ssg-test_arufm_open_by_handle_at_order_64bit_eperm_augenrules:tst:1"/>
-                </oval-def:criteria>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit" test_ref="oval:ssg-test_arufm_open_by_handle_at_order_32bit_eacces_auditctl:tst:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit" test_ref="oval:ssg-test_arufm_open_by_handle_at_order_32bit_eperm_auditctl:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit_system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criteria operator="AND">
-                  <oval-def:criterion comment="audit augenrules 32-bit" test_ref="oval:ssg-test_arufm_open_by_handle_at_order_64bit_eacces_auditctl:tst:1"/>
-                  <oval-def:criterion comment="audit augenrules 32-bit" test_ref="oval:ssg-test_arufm_open_by_handle_at_order_64bit_eperm_auditctl:tst:1"/>
-                </oval-def:criteria>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_unsuccessful_file_modification_open_o_creat:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Unsuccessful Creation Attempts to Files - open O_CREAT</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the information on the unsuccessful use of open O_CREAT is enabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82644-6" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_unsuccessful_file_modification_open_o_creat" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="Verify audit rule open 32bit a1&amp;0100 eacces augenrules exists" test_ref="oval:ssg-test_arufm_open_o_creat_32bit_a20100_eacces_augenrules:tst:1"/>
-              <oval-def:criterion comment="Verify audit rule open 32bit a1&amp;0100 eperm augenrules exists" test_ref="oval:ssg-test_arufm_open_o_creat_32bit_a20100_eperm_augenrules:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criteria operator="AND">
-                  <oval-def:criterion comment="Verify audit rule open 64bit a1&amp;0100 eacces augenrules exists" test_ref="oval:ssg-test_arufm_open_o_creat_64bit_a20100_eacces_augenrules:tst:1"/>
-                  <oval-def:criterion comment="Verify audit rule open 64bit a1&amp;0100 eperm augenrules exists" test_ref="oval:ssg-test_arufm_open_o_creat_64bit_a20100_eperm_augenrules:tst:1"/>
-                </oval-def:criteria>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="Verify audit rule open 32bit a1&amp;0100 eacces auditctl exists" test_ref="oval:ssg-test_arufm_open_o_creat_32bit_a20100_eacces_auditctl:tst:1"/>
-              <oval-def:criterion comment="Verify audit rule open 32bit a1&amp;0100 eperm auditctl exists" test_ref="oval:ssg-test_arufm_open_o_creat_32bit_a20100_eperm_auditctl:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit_system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criteria operator="AND">
-                  <oval-def:criterion comment="Verify audit rule open 64bit a1&amp;0100 eacces auditctl exists" test_ref="oval:ssg-test_arufm_open_o_creat_64bit_a20100_eacces_auditctl:tst:1"/>
-                  <oval-def:criterion comment="Verify audit rule open 64bit a1&amp;0100 eperm auditctl exists" test_ref="oval:ssg-test_arufm_open_o_creat_64bit_a20100_eperm_auditctl:tst:1"/>
-                </oval-def:criteria>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_unsuccessful_file_modification_open_o_trunc_write:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Unsuccessful Modification Attempts to Files - open O_TRUNC_WRITE</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the information on the unsuccessful use of open O_TRUNC is enabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82645-3" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_unsuccessful_file_modification_open_o_trunc_write" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="Verify audit rule open 32bit a1&amp;01003 eacces augenrules exists" test_ref="oval:ssg-test_arufm_open_o_trunc_32bit_a201003_eacces_augenrules:tst:1"/>
-              <oval-def:criterion comment="Verify audit rule open 32bit a1&amp;01003 eperm augenrules exists" test_ref="oval:ssg-test_arufm_open_o_trunc_32bit_a201003_eperm_augenrules:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criteria operator="AND">
-                  <oval-def:criterion comment="Verify audit rule open 64bit a1&amp;01003 eacces augenrules exists" test_ref="oval:ssg-test_arufm_open_o_trunc_64bit_a201003_eacces_augenrules:tst:1"/>
-                  <oval-def:criterion comment="Verify audit rule open 64bit a1&amp;01003 eperm augenrules exists" test_ref="oval:ssg-test_arufm_open_o_trunc_64bit_a201003_eperm_augenrules:tst:1"/>
-                </oval-def:criteria>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="Verify audit rule open 32bit a1&amp;01003 eacces auditctl exists" test_ref="oval:ssg-test_arufm_open_o_trunc_32bit_a201003_eacces_auditctl:tst:1"/>
-              <oval-def:criterion comment="Verify audit rule open 32bit a1&amp;01003 eperm auditctl exists" test_ref="oval:ssg-test_arufm_open_o_trunc_32bit_a201003_eperm_auditctl:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit_system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criteria operator="AND">
-                  <oval-def:criterion comment="Verify audit rule open 64bit a1&amp;01003 eacces auditctl exists" test_ref="oval:ssg-test_arufm_open_o_trunc_64bit_a201003_eacces_auditctl:tst:1"/>
-                  <oval-def:criterion comment="Verify audit rule open 64bit a1&amp;01003 eperm auditctl exists" test_ref="oval:ssg-test_arufm_open_o_trunc_64bit_a201003_eperm_auditctl:tst:1"/>
-                </oval-def:criteria>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_unsuccessful_file_modification_open_rule_order:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure auditd Rules For Unauthorized Attempts To open Are Ordered Correctly</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the information on the unsuccessful use of open is configured in the proper rule order.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82646-1" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_unsuccessful_file_modification_open_rule_order" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit" test_ref="oval:ssg-test_arufm_open_order_32bit_eacces_augenrules:tst:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit" test_ref="oval:ssg-test_arufm_open_order_32bit_eperm_augenrules:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criteria operator="AND">
-                  <oval-def:criterion comment="audit augenrules 64-bit" test_ref="oval:ssg-test_arufm_open_order_64bit_eacces_augenrules:tst:1"/>
-                  <oval-def:criterion comment="audit augenrules 64-bit" test_ref="oval:ssg-test_arufm_open_order_64bit_eperm_augenrules:tst:1"/>
-                </oval-def:criteria>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit" test_ref="oval:ssg-test_arufm_open_order_32bit_eacces_auditctl:tst:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit" test_ref="oval:ssg-test_arufm_open_order_32bit_eperm_auditctl:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit_system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criteria operator="AND">
-                  <oval-def:criterion comment="audit augenrules 32-bit" test_ref="oval:ssg-test_arufm_open_order_64bit_eacces_auditctl:tst:1"/>
-                  <oval-def:criterion comment="audit augenrules 32-bit" test_ref="oval:ssg-test_arufm_open_order_64bit_eperm_auditctl:tst:1"/>
-                </oval-def:criteria>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_unsuccessful_file_modification_openat:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Unsuccessful Access Attempts to Files - openat</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82634-7" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_unsuccessful_file_modification_openat" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit file eacces" test_ref="oval:ssg-test_32bit_arufm_eacces_openat_augenrules:tst:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit file eperm" test_ref="oval:ssg-test_32bit_arufm_eperm_openat_augenrules:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criteria operator="AND">
-                  <oval-def:criterion comment="audit augenrules 64-bit file eacces" test_ref="oval:ssg-test_64bit_arufm_eacces_openat_augenrules:tst:1"/>
-                  <oval-def:criterion comment="audit augenrules 64-bit file eperm" test_ref="oval:ssg-test_64bit_arufm_eperm_openat_augenrules:tst:1"/>
-                </oval-def:criteria>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit file eacces" test_ref="oval:ssg-test_32bit_arufm_eacces_openat_auditctl:tst:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit file eperm" test_ref="oval:ssg-test_32bit_arufm_eperm_openat_auditctl:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit_system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criteria operator="AND">
-                  <oval-def:criterion comment="audit auditctl 64-bit file eacces" test_ref="oval:ssg-test_64bit_arufm_eacces_openat_auditctl:tst:1"/>
-                  <oval-def:criterion comment="audit auditctl 64-bit file eperm" test_ref="oval:ssg-test_64bit_arufm_eperm_openat_auditctl:tst:1"/>
-                </oval-def:criteria>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_unsuccessful_file_modification_openat_o_creat:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Unsuccessful Creation Attempts to Files - openat O_CREAT</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the information on the unsuccessful use of openat O_CREAT is enabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82635-4" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_unsuccessful_file_modification_openat_o_creat" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="Verify audit rule openat 32bit a2&amp;0100 eacces augenrules exists" test_ref="oval:ssg-test_arufm_openat_o_creat_32bit_a20100_eacces_augenrules:tst:1"/>
-              <oval-def:criterion comment="Verify audit rule openat 32bit a2&amp;0100 eperm augenrules exists" test_ref="oval:ssg-test_arufm_openat_o_creat_32bit_a20100_eperm_augenrules:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criteria operator="AND">
-                  <oval-def:criterion comment="Verify audit rule openat 64bit a2&amp;0100 eacces augenrules exists" test_ref="oval:ssg-test_arufm_openat_o_creat_64bit_a20100_eacces_augenrules:tst:1"/>
-                  <oval-def:criterion comment="Verify audit rule openat 64bit a2&amp;0100 eperm augenrules exists" test_ref="oval:ssg-test_arufm_openat_o_creat_64bit_a20100_eperm_augenrules:tst:1"/>
-                </oval-def:criteria>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="Verify audit rule openat 32bit a2&amp;0100 eacces auditctl exists" test_ref="oval:ssg-test_arufm_openat_o_creat_32bit_a20100_eacces_auditctl:tst:1"/>
-              <oval-def:criterion comment="Verify audit rule openat 32bit a2&amp;0100 eperm auditctl exists" test_ref="oval:ssg-test_arufm_openat_o_creat_32bit_a20100_eperm_auditctl:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit_system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criteria operator="AND">
-                  <oval-def:criterion comment="Verify audit rule openat 64bit a2&amp;0100 eacces auditctl exists" test_ref="oval:ssg-test_arufm_openat_o_creat_64bit_a20100_eacces_auditctl:tst:1"/>
-                  <oval-def:criterion comment="Verify audit rule openat 64bit a2&amp;0100 eperm auditctl exists" test_ref="oval:ssg-test_arufm_openat_o_creat_64bit_a20100_eperm_auditctl:tst:1"/>
-                </oval-def:criteria>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_unsuccessful_file_modification_openat_o_trunc_write:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Unsuccessful Modification Attempts to Files - openat O_TRUNC_WRITE</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the information on the unsuccessful use of openat O_TRUNC is enabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82636-2" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_unsuccessful_file_modification_openat_o_trunc_write" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="Verify audit rule openat 32bit a2&amp;01003 eacces augenrules exists" test_ref="oval:ssg-test_arufm_openat_o_trunc_32bit_a201003_eacces_augenrules:tst:1"/>
-              <oval-def:criterion comment="Verify audit rule openat 32bit a2&amp;01003 eperm augenrules exists" test_ref="oval:ssg-test_arufm_openat_o_trunc_32bit_a201003_eperm_augenrules:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criteria operator="AND">
-                  <oval-def:criterion comment="Verify audit rule openat 64bit a2&amp;01003 eacces augenrules exists" test_ref="oval:ssg-test_arufm_openat_o_trunc_64bit_a201003_eacces_augenrules:tst:1"/>
-                  <oval-def:criterion comment="Verify audit rule openat 64bit a2&amp;01003 eperm augenrules exists" test_ref="oval:ssg-test_arufm_openat_o_trunc_64bit_a201003_eperm_augenrules:tst:1"/>
-                </oval-def:criteria>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="Verify audit rule openat 32bit a2&amp;01003 eacces auditctl exists" test_ref="oval:ssg-test_arufm_openat_o_trunc_32bit_a201003_eacces_auditctl:tst:1"/>
-              <oval-def:criterion comment="Verify audit rule openat 32bit a2&amp;01003 eperm auditctl exists" test_ref="oval:ssg-test_arufm_openat_o_trunc_32bit_a201003_eperm_auditctl:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit_system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criteria operator="AND">
-                  <oval-def:criterion comment="Verify audit rule openat 64bit a2&amp;01003 eacces auditctl exists" test_ref="oval:ssg-test_arufm_openat_o_trunc_64bit_a201003_eacces_auditctl:tst:1"/>
-                  <oval-def:criterion comment="Verify audit rule openat 64bit a2&amp;01003 eperm auditctl exists" test_ref="oval:ssg-test_arufm_openat_o_trunc_64bit_a201003_eperm_auditctl:tst:1"/>
-                </oval-def:criteria>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_unsuccessful_file_modification_openat_rule_order:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure auditd Rules For Unauthorized Attempts To openat Are Ordered Correctly</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the information on the unsuccessful use of openat is configured in the proper rule order.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82639-6" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_unsuccessful_file_modification_openat_rule_order" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit" test_ref="oval:ssg-test_arufm_openat_order_32bit_eacces_augenrules:tst:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit" test_ref="oval:ssg-test_arufm_openat_order_32bit_eperm_augenrules:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criteria operator="AND">
-                  <oval-def:criterion comment="audit augenrules 64-bit" test_ref="oval:ssg-test_arufm_openat_order_64bit_eacces_augenrules:tst:1"/>
-                  <oval-def:criterion comment="audit augenrules 64-bit" test_ref="oval:ssg-test_arufm_openat_order_64bit_eperm_augenrules:tst:1"/>
-                </oval-def:criteria>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit" test_ref="oval:ssg-test_arufm_openat_order_32bit_eacces_auditctl:tst:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit" test_ref="oval:ssg-test_arufm_openat_order_32bit_eperm_auditctl:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit_system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criteria operator="AND">
-                  <oval-def:criterion comment="audit augenrules 32-bit" test_ref="oval:ssg-test_arufm_openat_order_64bit_eacces_auditctl:tst:1"/>
-                  <oval-def:criterion comment="audit augenrules 32-bit" test_ref="oval:ssg-test_arufm_openat_order_64bit_eperm_auditctl:tst:1"/>
-                </oval-def:criteria>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_unsuccessful_file_modification_removexattr:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Unsuccessful Permission Changes to Files - removexattr</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82647-9" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_unsuccessful_file_modification_removexattr" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit file eacces" test_ref="oval:ssg-test_32bit_arufm_eacces_removexattr_augenrules:tst:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit file eperm" test_ref="oval:ssg-test_32bit_arufm_eperm_removexattr_augenrules:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criteria operator="AND">
-                  <oval-def:criterion comment="audit augenrules 64-bit file eacces" test_ref="oval:ssg-test_64bit_arufm_eacces_removexattr_augenrules:tst:1"/>
-                  <oval-def:criterion comment="audit augenrules 64-bit file eperm" test_ref="oval:ssg-test_64bit_arufm_eperm_removexattr_augenrules:tst:1"/>
-                </oval-def:criteria>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit file eacces" test_ref="oval:ssg-test_32bit_arufm_eacces_removexattr_auditctl:tst:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit file eperm" test_ref="oval:ssg-test_32bit_arufm_eperm_removexattr_auditctl:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit_system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criteria operator="AND">
-                  <oval-def:criterion comment="audit auditctl 64-bit file eacces" test_ref="oval:ssg-test_64bit_arufm_eacces_removexattr_auditctl:tst:1"/>
-                  <oval-def:criterion comment="audit auditctl 64-bit file eperm" test_ref="oval:ssg-test_64bit_arufm_eperm_removexattr_auditctl:tst:1"/>
-                </oval-def:criteria>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_unsuccessful_file_modification_rename:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Unsuccessful Delete Attempts to Files - rename</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82648-7" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_unsuccessful_file_modification_rename" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit file eacces" test_ref="oval:ssg-test_32bit_arufm_eacces_rename_augenrules:tst:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit file eperm" test_ref="oval:ssg-test_32bit_arufm_eperm_rename_augenrules:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criteria operator="AND">
-                  <oval-def:criterion comment="audit augenrules 64-bit file eacces" test_ref="oval:ssg-test_64bit_arufm_eacces_rename_augenrules:tst:1"/>
-                  <oval-def:criterion comment="audit augenrules 64-bit file eperm" test_ref="oval:ssg-test_64bit_arufm_eperm_rename_augenrules:tst:1"/>
-                </oval-def:criteria>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit file eacces" test_ref="oval:ssg-test_32bit_arufm_eacces_rename_auditctl:tst:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit file eperm" test_ref="oval:ssg-test_32bit_arufm_eperm_rename_auditctl:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit_system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criteria operator="AND">
-                  <oval-def:criterion comment="audit auditctl 64-bit file eacces" test_ref="oval:ssg-test_64bit_arufm_eacces_rename_auditctl:tst:1"/>
-                  <oval-def:criterion comment="audit auditctl 64-bit file eperm" test_ref="oval:ssg-test_64bit_arufm_eperm_rename_auditctl:tst:1"/>
-                </oval-def:criteria>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_unsuccessful_file_modification_renameat:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Unsuccessful Delete Attempts to Files - renameat</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82649-5" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_unsuccessful_file_modification_renameat" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit file eacces" test_ref="oval:ssg-test_32bit_arufm_eacces_renameat_augenrules:tst:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit file eperm" test_ref="oval:ssg-test_32bit_arufm_eperm_renameat_augenrules:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criteria operator="AND">
-                  <oval-def:criterion comment="audit augenrules 64-bit file eacces" test_ref="oval:ssg-test_64bit_arufm_eacces_renameat_augenrules:tst:1"/>
-                  <oval-def:criterion comment="audit augenrules 64-bit file eperm" test_ref="oval:ssg-test_64bit_arufm_eperm_renameat_augenrules:tst:1"/>
-                </oval-def:criteria>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit file eacces" test_ref="oval:ssg-test_32bit_arufm_eacces_renameat_auditctl:tst:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit file eperm" test_ref="oval:ssg-test_32bit_arufm_eperm_renameat_auditctl:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit_system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criteria operator="AND">
-                  <oval-def:criterion comment="audit auditctl 64-bit file eacces" test_ref="oval:ssg-test_64bit_arufm_eacces_renameat_auditctl:tst:1"/>
-                  <oval-def:criterion comment="audit auditctl 64-bit file eperm" test_ref="oval:ssg-test_64bit_arufm_eperm_renameat_auditctl:tst:1"/>
-                </oval-def:criteria>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_unsuccessful_file_modification_setxattr:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Unsuccessful Permission Changes to Files - setxattr</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82650-3" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_unsuccessful_file_modification_setxattr" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit file eacces" test_ref="oval:ssg-test_32bit_arufm_eacces_setxattr_augenrules:tst:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit file eperm" test_ref="oval:ssg-test_32bit_arufm_eperm_setxattr_augenrules:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criteria operator="AND">
-                  <oval-def:criterion comment="audit augenrules 64-bit file eacces" test_ref="oval:ssg-test_64bit_arufm_eacces_setxattr_augenrules:tst:1"/>
-                  <oval-def:criterion comment="audit augenrules 64-bit file eperm" test_ref="oval:ssg-test_64bit_arufm_eperm_setxattr_augenrules:tst:1"/>
-                </oval-def:criteria>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit file eacces" test_ref="oval:ssg-test_32bit_arufm_eacces_setxattr_auditctl:tst:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit file eperm" test_ref="oval:ssg-test_32bit_arufm_eperm_setxattr_auditctl:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit_system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criteria operator="AND">
-                  <oval-def:criterion comment="audit auditctl 64-bit file eacces" test_ref="oval:ssg-test_64bit_arufm_eacces_setxattr_auditctl:tst:1"/>
-                  <oval-def:criterion comment="audit auditctl 64-bit file eperm" test_ref="oval:ssg-test_64bit_arufm_eperm_setxattr_auditctl:tst:1"/>
-                </oval-def:criteria>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_unsuccessful_file_modification_truncate:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Unsuccessful Access Attempts to Files - truncate</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82651-1" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_unsuccessful_file_modification_truncate" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit file eacces" test_ref="oval:ssg-test_32bit_arufm_eacces_truncate_augenrules:tst:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit file eperm" test_ref="oval:ssg-test_32bit_arufm_eperm_truncate_augenrules:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criteria operator="AND">
-                  <oval-def:criterion comment="audit augenrules 64-bit file eacces" test_ref="oval:ssg-test_64bit_arufm_eacces_truncate_augenrules:tst:1"/>
-                  <oval-def:criterion comment="audit augenrules 64-bit file eperm" test_ref="oval:ssg-test_64bit_arufm_eperm_truncate_augenrules:tst:1"/>
-                </oval-def:criteria>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit file eacces" test_ref="oval:ssg-test_32bit_arufm_eacces_truncate_auditctl:tst:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit file eperm" test_ref="oval:ssg-test_32bit_arufm_eperm_truncate_auditctl:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit_system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criteria operator="AND">
-                  <oval-def:criterion comment="audit auditctl 64-bit file eacces" test_ref="oval:ssg-test_64bit_arufm_eacces_truncate_auditctl:tst:1"/>
-                  <oval-def:criterion comment="audit auditctl 64-bit file eperm" test_ref="oval:ssg-test_64bit_arufm_eperm_truncate_auditctl:tst:1"/>
-                </oval-def:criteria>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_unsuccessful_file_modification_unlink:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Unsuccessful Delete Attempts to Files - unlink</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82652-9" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_unsuccessful_file_modification_unlink" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit file eacces" test_ref="oval:ssg-test_32bit_arufm_eacces_unlink_augenrules:tst:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit file eperm" test_ref="oval:ssg-test_32bit_arufm_eperm_unlink_augenrules:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criteria operator="AND">
-                  <oval-def:criterion comment="audit augenrules 64-bit file eacces" test_ref="oval:ssg-test_64bit_arufm_eacces_unlink_augenrules:tst:1"/>
-                  <oval-def:criterion comment="audit augenrules 64-bit file eperm" test_ref="oval:ssg-test_64bit_arufm_eperm_unlink_augenrules:tst:1"/>
-                </oval-def:criteria>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit file eacces" test_ref="oval:ssg-test_32bit_arufm_eacces_unlink_auditctl:tst:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit file eperm" test_ref="oval:ssg-test_32bit_arufm_eperm_unlink_auditctl:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit_system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criteria operator="AND">
-                  <oval-def:criterion comment="audit auditctl 64-bit file eacces" test_ref="oval:ssg-test_64bit_arufm_eacces_unlink_auditctl:tst:1"/>
-                  <oval-def:criterion comment="audit auditctl 64-bit file eperm" test_ref="oval:ssg-test_64bit_arufm_eperm_unlink_auditctl:tst:1"/>
-                </oval-def:criteria>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_unsuccessful_file_modification_unlinkat:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Unsuccessful Delete Attempts to Files - unlinkat</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit rules about the unauthorized access attempts to files (unsuccessful) are enabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82653-7" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_unsuccessful_file_modification_unlinkat" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit file eacces" test_ref="oval:ssg-test_32bit_arufm_eacces_unlinkat_augenrules:tst:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit file eperm" test_ref="oval:ssg-test_32bit_arufm_eperm_unlinkat_augenrules:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criteria operator="AND">
-                  <oval-def:criterion comment="audit augenrules 64-bit file eacces" test_ref="oval:ssg-test_64bit_arufm_eacces_unlinkat_augenrules:tst:1"/>
-                  <oval-def:criterion comment="audit augenrules 64-bit file eperm" test_ref="oval:ssg-test_64bit_arufm_eperm_unlinkat_augenrules:tst:1"/>
-                </oval-def:criteria>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit file eacces" test_ref="oval:ssg-test_32bit_arufm_eacces_unlinkat_auditctl:tst:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit file eperm" test_ref="oval:ssg-test_32bit_arufm_eperm_unlinkat_auditctl:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit_system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criteria operator="AND">
-                  <oval-def:criterion comment="audit auditctl 64-bit file eacces" test_ref="oval:ssg-test_64bit_arufm_eacces_unlinkat_auditctl:tst:1"/>
-                  <oval-def:criterion comment="audit auditctl 64-bit file eperm" test_ref="oval:ssg-test_64bit_arufm_eperm_unlinkat_auditctl:tst:1"/>
-                </oval-def:criteria>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_usergroup_modification_group:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Events that Modify User/Group Information - /etc/group</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit user/group modification.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82654-5" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_usergroup_modification_group" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit group" test_ref="oval:ssg-test_audit_rules_usergroup_modification_group_augen:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit group" test_ref="oval:ssg-test_audit_rules_usergroup_modification_group_auditctl:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_usergroup_modification_gshadow:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Events that Modify User/Group Information - /etc/gshadow</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit user/group modification.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82655-2" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_usergroup_modification_gshadow" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit gshadow" test_ref="oval:ssg-test_audit_rules_usergroup_modification_gshadow_augen:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit gshadow" test_ref="oval:ssg-test_audit_rules_usergroup_modification_gshadow_auditctl:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_usergroup_modification_opasswd:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Events that Modify User/Group Information - /etc/security/opasswd</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit user/group modification.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82656-0" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_usergroup_modification_opasswd" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit opasswd" test_ref="oval:ssg-test_audit_rules_usergroup_modification_opasswd_augen:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit opasswd" test_ref="oval:ssg-test_audit_rules_usergroup_modification_opasswd_auditctl:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_usergroup_modification_passwd:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Events that Modify User/Group Information - /etc/passwd</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit user/group modification.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82657-8" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_usergroup_modification_passwd" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit passwd" test_ref="oval:ssg-test_audit_rules_usergroup_modification_passwd_augen:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit passwd" test_ref="oval:ssg-test_audit_rules_usergroup_modification_passwd_auditctl:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_usergroup_modification_shadow:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Events that Modify User/Group Information - /etc/shadow</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Audit user/group modification.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82658-6" source="CCE"/>
-            <oval-def:reference ref_id="audit_rules_usergroup_modification_shadow" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit shadow" test_ref="oval:ssg-test_audit_rules_usergroup_modification_shadow_augen:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit shadow" test_ref="oval:ssg-test_audit_rules_usergroup_modification_shadow_auditctl:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-auditd_freq:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Set number of records to cause an explicit flush to audit logs</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Ensure 'freq' is configured with value '50' in /etc/audit/auditd.conf</oval-def:description>
-            <oval-def:reference ref_id="CCE-82512-5" source="CCE"/>
-            <oval-def:reference ref_id="auditd_freq" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="auditd is configured correctly" operator="OR">
-            <oval-def:criterion comment="Check the freq in /etc/audit/auditd.conf" test_ref="oval:ssg-test_auditd_freq:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-auditd_local_events:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Include Local Events in Audit Logs</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Ensure 'local_events' is configured with value 'yes' in /etc/audit/auditd.conf</oval-def:description>
-            <oval-def:reference ref_id="CCE-82509-1" source="CCE"/>
-            <oval-def:reference ref_id="auditd_local_events" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="auditd is configured correctly" operator="OR">
-            <oval-def:criterion comment="Check the local_events in /etc/audit/auditd.conf" test_ref="oval:ssg-test_auditd_local_events:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-auditd_log_format:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Resolve information before writing to audit logs</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Ensure 'log_format' is configured with value 'ENRICHED' in /etc/audit/auditd.conf</oval-def:description>
-            <oval-def:reference ref_id="CCE-82511-7" source="CCE"/>
-            <oval-def:reference ref_id="auditd_log_format" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="auditd is configured correctly" operator="OR">
-            <oval-def:criterion comment="Check the log_format in /etc/audit/auditd.conf" test_ref="oval:ssg-test_auditd_log_format:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-auditd_name_format:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Set hostname as computer node name in audit logs</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Ensure 'name_format' is configured with value 'hostname' in /etc/audit/auditd.conf</oval-def:description>
-            <oval-def:reference ref_id="CCE-82513-3" source="CCE"/>
-            <oval-def:reference ref_id="auditd_name_format" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="auditd is configured correctly" operator="OR">
-            <oval-def:criterion comment="Check the name_format in /etc/audit/auditd.conf" test_ref="oval:ssg-test_auditd_name_format:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-auditd_write_logs:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Write Audit Logs to the Disk</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Ensure 'write_logs' is configured with value 'yes' in /etc/audit/auditd.conf</oval-def:description>
-            <oval-def:reference ref_id="CCE-82510-9" source="CCE"/>
-            <oval-def:reference ref_id="auditd_write_logs" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="auditd is configured correctly" operator="OR">
-            <oval-def:criterion comment="Check the write_logs in /etc/audit/auditd.conf" test_ref="oval:ssg-test_auditd_write_logs:tst:1"/>
-            <oval-def:criterion comment="Check the absence of write_logs in /etc/audit/auditd.conf" test_ref="oval:ssg-test_auditd_write_logs_default_not_overriden:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-coreos_audit_backlog_limit_kernel_argument:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Extend Audit Backlog Limit for the Audit Daemon</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Ensure audit_backlog_limit=8192 argument is present in the 'options' line of /boot/loader/entries/ostree-2-*.conf (or ostree-1-*.conf if there is no ostree-2-*.conf as ostree has only two enries at the most, with *-2-*.conf entry always being the most recent). Also, ensure that kernel is currently running with this argument by checking /proc/cmdline.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82671-9" source="CCE"/>
-            <oval-def:reference ref_id="coreos_audit_backlog_limit_kernel_argument" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criteria operator="OR">
-              <oval-def:criteria operator="AND">
-                <oval-def:criterion comment="Pass if there are no files matching pattern '/boot/loader/entries/ostree-2-.*.conf' exist in the system" test_ref="oval:ssg-test_coreos_audit_backlog_limit_kernel_argument_file_boot_loader_entries_ostree_2_conf_absent:tst:1"/>
-                <oval-def:criterion comment="Check if argument audit_backlog_limit=8192 for Linux kernel is present in /boot/loader/entries/ostree-1-.*.conf" test_ref="oval:ssg-test_coreos_audit_backlog_limit_kernel_argument_audit_backlog_limit_8192_argument_in_boot_loader_entries_ostree_1_conf:tst:1"/>
-              </oval-def:criteria>
-              <oval-def:criteria operator="AND">
-                <oval-def:criterion comment="Check if argument audit_backlog_limit=8192 for Linux kernel is present in /boot/loader/entries/ostree-2-.*.conf" test_ref="oval:ssg-test_coreos_audit_backlog_limit_kernel_argument_audit_backlog_limit_8192_argument_in_boot_loader_entries_ostree_2_conf:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion comment="Check if argument audit_backlog_limit=8192 for Linux kernel is present in /proc/cmdline" test_ref="oval:ssg-test_coreos_audit_backlog_limit_kernel_argument_audit_backlog_limit_8192_argument_in_proc_cmdline:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-coreos_audit_option:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Enable Auditing for Processes Which Start Prior to the Audit Daemon</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Ensure audit=1 argument is present in the 'options' line of /boot/loader/entries/ostree-2-*.conf (or ostree-1-*.conf if there is no ostree-2-*.conf as ostree has only two enries at the most, with *-2-*.conf entry always being the most recent). Also, ensure that kernel is currently running with this argument by checking /proc/cmdline.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82670-1" source="CCE"/>
-            <oval-def:reference ref_id="coreos_audit_option" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criteria operator="OR">
-              <oval-def:criteria operator="AND">
-                <oval-def:criterion comment="Pass if there are no files matching pattern '/boot/loader/entries/ostree-2-.*.conf' exist in the system" test_ref="oval:ssg-test_coreos_audit_option_file_boot_loader_entries_ostree_2_conf_absent:tst:1"/>
-                <oval-def:criterion comment="Check if argument audit=1 for Linux kernel is present in /boot/loader/entries/ostree-1-.*.conf" test_ref="oval:ssg-test_coreos_audit_option_audit_1_argument_in_boot_loader_entries_ostree_1_conf:tst:1"/>
-              </oval-def:criteria>
-              <oval-def:criteria operator="AND">
-                <oval-def:criterion comment="Check if argument audit=1 for Linux kernel is present in /boot/loader/entries/ostree-2-.*.conf" test_ref="oval:ssg-test_coreos_audit_option_audit_1_argument_in_boot_loader_entries_ostree_2_conf:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion comment="Check if argument audit=1 for Linux kernel is present in /proc/cmdline" test_ref="oval:ssg-test_coreos_audit_option_audit_1_argument_in_proc_cmdline:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-coreos_disable_interactive_boot:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Verify that Interactive Boot is Disabled</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Ensure systemd.confirm_spawn=(?:1|yes|true|on) argument is not present in the 'options' line of /boot/loader/entries/ostree-2-*.conf (or ostree-1-*.conf if there is no ostree-2-*.conf as ostree has only two enries at the most, with *-2-*.conf entry always being the most recent). Also, ensure that kernel is currently running with this argument by checking /proc/cmdline.</oval-def:description>
-            <oval-def:reference ref_id="CCE-83548-8" source="CCE"/>
-            <oval-def:reference ref_id="coreos_disable_interactive_boot" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criteria operator="OR">
-              <oval-def:criteria operator="AND">
-                <oval-def:criterion comment="Pass if there are no files matching pattern '/boot/loader/entries/ostree-2-.*.conf' exist in the system" test_ref="oval:ssg-test_coreos_disable_interactive_boot_file_boot_loader_entries_ostree_2_conf_absent:tst:1"/>
-                <oval-def:criterion comment="Check if argument systemd.confirm_spawn=(?:1|yes|true|on) for Linux kernel is not present in /boot/loader/entries/ostree-1-.*.conf" test_ref="oval:ssg-test_coreos_disable_interactive_boot_systemd_confirm_spawn_1_yes_true_on_argument_in_boot_loader_entries_ostree_1_conf:tst:1" negate="true"/>
-              </oval-def:criteria>
-              <oval-def:criteria operator="AND">
-                <oval-def:criterion comment="Check if argument systemd.confirm_spawn=(?:1|yes|true|on) for Linux kernel is not present in /boot/loader/entries/ostree-2-.*.conf" test_ref="oval:ssg-test_coreos_disable_interactive_boot_systemd_confirm_spawn_1_yes_true_on_argument_in_boot_loader_entries_ostree_2_conf:tst:1" negate="true"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion comment="Check if argument systemd.confirm_spawn=(?:1|yes|true|on) for Linux kernel is not present in /proc/cmdline" test_ref="oval:ssg-test_coreos_disable_interactive_boot_systemd_confirm_spawn_1_yes_true_on_argument_in_proc_cmdline:tst:1" negate="true"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-coreos_enable_selinux_kernel_argument:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Ensure SELinux Not Disabled in the kernel arguments</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Ensure selinux=0 argument is not present in the 'options' line of /boot/loader/entries/ostree-2-*.conf (or ostree-1-*.conf if there is no ostree-2-*.conf as ostree has only two enries at the most, with *-2-*.conf entry always being the most recent). Also, ensure that kernel is currently running with this argument by checking /proc/cmdline.</oval-def:description>
-            <oval-def:reference ref_id="CCE-83899-5" source="CCE"/>
-            <oval-def:reference ref_id="coreos_enable_selinux_kernel_argument" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criteria operator="OR">
-              <oval-def:criteria operator="AND">
-                <oval-def:criterion comment="Pass if there are no files matching pattern '/boot/loader/entries/ostree-2-.*.conf' exist in the system" test_ref="oval:ssg-test_coreos_enable_selinux_kernel_argument_file_boot_loader_entries_ostree_2_conf_absent:tst:1"/>
-                <oval-def:criterion comment="Check if argument selinux=0 for Linux kernel is not present in /boot/loader/entries/ostree-1-.*.conf" test_ref="oval:ssg-test_coreos_enable_selinux_kernel_argument_selinux_0_argument_in_boot_loader_entries_ostree_1_conf:tst:1" negate="true"/>
-              </oval-def:criteria>
-              <oval-def:criteria operator="AND">
-                <oval-def:criterion comment="Check if argument selinux=0 for Linux kernel is not present in /boot/loader/entries/ostree-2-.*.conf" test_ref="oval:ssg-test_coreos_enable_selinux_kernel_argument_selinux_0_argument_in_boot_loader_entries_ostree_2_conf:tst:1" negate="true"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion comment="Check if argument selinux=0 for Linux kernel is not present in /proc/cmdline" test_ref="oval:ssg-test_coreos_enable_selinux_kernel_argument_selinux_0_argument_in_proc_cmdline:tst:1" negate="true"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-coreos_nousb_kernel_argument:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Disable Kernel Support for USB via Bootloader Configuration</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Ensure nousb argument is present in the 'options' line of /boot/loader/entries/ostree-2-*.conf (or ostree-1-*.conf if there is no ostree-2-*.conf as ostree has only two enries at the most, with *-2-*.conf entry always being the most recent). Also, ensure that kernel is currently running with this argument by checking /proc/cmdline.</oval-def:description>
-            <oval-def:reference ref_id="CCE-83443-2" source="CCE"/>
-            <oval-def:reference ref_id="coreos_nousb_kernel_argument" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criteria operator="OR">
-              <oval-def:criteria operator="AND">
-                <oval-def:criterion comment="Pass if there are no files matching pattern '/boot/loader/entries/ostree-2-.*.conf' exist in the system" test_ref="oval:ssg-test_coreos_nousb_kernel_argument_file_boot_loader_entries_ostree_2_conf_absent:tst:1"/>
-                <oval-def:criterion comment="Check if argument nousb for Linux kernel is present in /boot/loader/entries/ostree-1-.*.conf" test_ref="oval:ssg-test_coreos_nousb_kernel_argument_nousb_argument_in_boot_loader_entries_ostree_1_conf:tst:1"/>
-              </oval-def:criteria>
-              <oval-def:criteria operator="AND">
-                <oval-def:criterion comment="Check if argument nousb for Linux kernel is present in /boot/loader/entries/ostree-2-.*.conf" test_ref="oval:ssg-test_coreos_nousb_kernel_argument_nousb_argument_in_boot_loader_entries_ostree_2_conf:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion comment="Check if argument nousb for Linux kernel is present in /proc/cmdline" test_ref="oval:ssg-test_coreos_nousb_kernel_argument_nousb_argument_in_proc_cmdline:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-coreos_page_poison_kernel_argument:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Enable page allocator poisoning</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Ensure page_poison=1 argument is present in the 'options' line of /boot/loader/entries/ostree-2-*.conf (or ostree-1-*.conf if there is no ostree-2-*.conf as ostree has only two enries at the most, with *-2-*.conf entry always being the most recent). Also, ensure that kernel is currently running with this argument by checking /proc/cmdline.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82673-5" source="CCE"/>
-            <oval-def:reference ref_id="coreos_page_poison_kernel_argument" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criteria operator="OR">
-              <oval-def:criteria operator="AND">
-                <oval-def:criterion comment="Pass if there are no files matching pattern '/boot/loader/entries/ostree-2-.*.conf' exist in the system" test_ref="oval:ssg-test_coreos_page_poison_kernel_argument_file_boot_loader_entries_ostree_2_conf_absent:tst:1"/>
-                <oval-def:criterion comment="Check if argument page_poison=1 for Linux kernel is present in /boot/loader/entries/ostree-1-.*.conf" test_ref="oval:ssg-test_coreos_page_poison_kernel_argument_page_poison_1_argument_in_boot_loader_entries_ostree_1_conf:tst:1"/>
-              </oval-def:criteria>
-              <oval-def:criteria operator="AND">
-                <oval-def:criterion comment="Check if argument page_poison=1 for Linux kernel is present in /boot/loader/entries/ostree-2-.*.conf" test_ref="oval:ssg-test_coreos_page_poison_kernel_argument_page_poison_1_argument_in_boot_loader_entries_ostree_2_conf:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion comment="Check if argument page_poison=1 for Linux kernel is present in /proc/cmdline" test_ref="oval:ssg-test_coreos_page_poison_kernel_argument_page_poison_1_argument_in_proc_cmdline:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-coreos_pti_kernel_argument:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Enable Kernel Page-Table Isolation (KPTI)</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Ensure pti=on argument is present in the 'options' line of /boot/loader/entries/ostree-2-*.conf (or ostree-1-*.conf if there is no ostree-2-*.conf as ostree has only two enries at the most, with *-2-*.conf entry always being the most recent). Also, ensure that kernel is currently running with this argument by checking /proc/cmdline.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82497-9" source="CCE"/>
-            <oval-def:reference ref_id="coreos_pti_kernel_argument" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criteria operator="OR">
-              <oval-def:criteria operator="AND">
-                <oval-def:criterion comment="Pass if there are no files matching pattern '/boot/loader/entries/ostree-2-.*.conf' exist in the system" test_ref="oval:ssg-test_coreos_pti_kernel_argument_file_boot_loader_entries_ostree_2_conf_absent:tst:1"/>
-                <oval-def:criterion comment="Check if argument pti=on for Linux kernel is present in /boot/loader/entries/ostree-1-.*.conf" test_ref="oval:ssg-test_coreos_pti_kernel_argument_pti_on_argument_in_boot_loader_entries_ostree_1_conf:tst:1"/>
-              </oval-def:criteria>
-              <oval-def:criteria operator="AND">
-                <oval-def:criterion comment="Check if argument pti=on for Linux kernel is present in /boot/loader/entries/ostree-2-.*.conf" test_ref="oval:ssg-test_coreos_pti_kernel_argument_pti_on_argument_in_boot_loader_entries_ostree_2_conf:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion comment="Check if argument pti=on for Linux kernel is present in /proc/cmdline" test_ref="oval:ssg-test_coreos_pti_kernel_argument_pti_on_argument_in_proc_cmdline:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-coreos_slub_debug_kernel_argument:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Enable SLUB/SLAB allocator poisoning</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Ensure slub_debug=P argument is present in the 'options' line of /boot/loader/entries/ostree-2-*.conf (or ostree-1-*.conf if there is no ostree-2-*.conf as ostree has only two enries at the most, with *-2-*.conf entry always being the most recent). Also, ensure that kernel is currently running with this argument by checking /proc/cmdline.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82672-7" source="CCE"/>
-            <oval-def:reference ref_id="coreos_slub_debug_kernel_argument" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criteria operator="OR">
-              <oval-def:criteria operator="AND">
-                <oval-def:criterion comment="Pass if there are no files matching pattern '/boot/loader/entries/ostree-2-.*.conf' exist in the system" test_ref="oval:ssg-test_coreos_slub_debug_kernel_argument_file_boot_loader_entries_ostree_2_conf_absent:tst:1"/>
-                <oval-def:criterion comment="Check if argument slub_debug=P for Linux kernel is present in /boot/loader/entries/ostree-1-.*.conf" test_ref="oval:ssg-test_coreos_slub_debug_kernel_argument_slub_debug_P_argument_in_boot_loader_entries_ostree_1_conf:tst:1"/>
-              </oval-def:criteria>
-              <oval-def:criteria operator="AND">
-                <oval-def:criterion comment="Check if argument slub_debug=P for Linux kernel is present in /boot/loader/entries/ostree-2-.*.conf" test_ref="oval:ssg-test_coreos_slub_debug_kernel_argument_slub_debug_P_argument_in_boot_loader_entries_ostree_2_conf:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion comment="Check if argument slub_debug=P for Linux kernel is present in /proc/cmdline" test_ref="oval:ssg-test_coreos_slub_debug_kernel_argument_slub_debug_P_argument_in_proc_cmdline:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-coreos_vsyscall_kernel_argument:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Disable vsyscalls</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Ensure vsyscall=none argument is present in the 'options' line of /boot/loader/entries/ostree-2-*.conf (or ostree-1-*.conf if there is no ostree-2-*.conf as ostree has only two enries at the most, with *-2-*.conf entry always being the most recent). Also, ensure that kernel is currently running with this argument by checking /proc/cmdline.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82674-3" source="CCE"/>
-            <oval-def:reference ref_id="coreos_vsyscall_kernel_argument" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criteria operator="OR">
-              <oval-def:criteria operator="AND">
-                <oval-def:criterion comment="Pass if there are no files matching pattern '/boot/loader/entries/ostree-2-.*.conf' exist in the system" test_ref="oval:ssg-test_coreos_vsyscall_kernel_argument_file_boot_loader_entries_ostree_2_conf_absent:tst:1"/>
-                <oval-def:criterion comment="Check if argument vsyscall=none for Linux kernel is present in /boot/loader/entries/ostree-1-.*.conf" test_ref="oval:ssg-test_coreos_vsyscall_kernel_argument_vsyscall_none_argument_in_boot_loader_entries_ostree_1_conf:tst:1"/>
-              </oval-def:criteria>
-              <oval-def:criteria operator="AND">
-                <oval-def:criterion comment="Check if argument vsyscall=none for Linux kernel is present in /boot/loader/entries/ostree-2-.*.conf" test_ref="oval:ssg-test_coreos_vsyscall_kernel_argument_vsyscall_none_argument_in_boot_loader_entries_ostree_2_conf:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion comment="Check if argument vsyscall=none for Linux kernel is present in /proc/cmdline" test_ref="oval:ssg-test_coreos_vsyscall_kernel_argument_vsyscall_none_argument_in_proc_cmdline:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-dir_ownership_binary_dirs:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Verify that System Executable Have Root Ownership</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>This test makes sure that /bin/, /sbin/, /usr/bin/, /usr/sbin/, /usr/local/bin/, /usr/local/sbin/ is owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="dir_ownership_binary_dirs" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check file ownership of /bin/" test_ref="oval:ssg-test_file_ownerdir_ownership_binary_dirs_0:tst:1"/>
-            <oval-def:criterion comment="Check file ownership of /sbin/" test_ref="oval:ssg-test_file_ownerdir_ownership_binary_dirs_1:tst:1"/>
-            <oval-def:criterion comment="Check file ownership of /usr/bin/" test_ref="oval:ssg-test_file_ownerdir_ownership_binary_dirs_2:tst:1"/>
-            <oval-def:criterion comment="Check file ownership of /usr/sbin/" test_ref="oval:ssg-test_file_ownerdir_ownership_binary_dirs_3:tst:1"/>
-            <oval-def:criterion comment="Check file ownership of /usr/local/bin/" test_ref="oval:ssg-test_file_ownerdir_ownership_binary_dirs_4:tst:1"/>
-            <oval-def:criterion comment="Check file ownership of /usr/local/sbin/" test_ref="oval:ssg-test_file_ownerdir_ownership_binary_dirs_5:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-dir_ownership_library_dirs:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Verify that Shared Library Directories Have Root Ownership</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>This test makes sure that /lib/, /lib64/, /usr/lib/, /usr/lib64/ is owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="dir_ownership_library_dirs" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check file ownership of /lib/" test_ref="oval:ssg-test_file_ownerdir_ownership_library_dirs_0:tst:1"/>
-            <oval-def:criterion comment="Check file ownership of /lib64/" test_ref="oval:ssg-test_file_ownerdir_ownership_library_dirs_1:tst:1"/>
-            <oval-def:criterion comment="Check file ownership of /usr/lib/" test_ref="oval:ssg-test_file_ownerdir_ownership_library_dirs_2:tst:1"/>
-            <oval-def:criterion comment="Check file ownership of /usr/lib64/" test_ref="oval:ssg-test_file_ownerdir_ownership_library_dirs_3:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-dir_permissions_binary_dirs:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Verify that System Executable Directories Have Restrictive Permissions</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>This test makes sure that /bin/, /sbin/, /usr/bin/, /usr/sbin/, /usr/local/bin/, /usr/local/sbin/ has mode 0755.
-      If the target file or directory has an extended ACL, then it will fail the mode check.
-      </oval-def:description>
-            <oval-def:reference ref_id="dir_permissions_binary_dirs" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check file mode of /bin/" test_ref="oval:ssg-test_file_permissionsdir_permissions_binary_dirs_0:tst:1"/>
-            <oval-def:criterion comment="Check file mode of /sbin/" test_ref="oval:ssg-test_file_permissionsdir_permissions_binary_dirs_1:tst:1"/>
-            <oval-def:criterion comment="Check file mode of /usr/bin/" test_ref="oval:ssg-test_file_permissionsdir_permissions_binary_dirs_2:tst:1"/>
-            <oval-def:criterion comment="Check file mode of /usr/sbin/" test_ref="oval:ssg-test_file_permissionsdir_permissions_binary_dirs_3:tst:1"/>
-            <oval-def:criterion comment="Check file mode of /usr/local/bin/" test_ref="oval:ssg-test_file_permissionsdir_permissions_binary_dirs_4:tst:1"/>
-            <oval-def:criterion comment="Check file mode of /usr/local/sbin/" test_ref="oval:ssg-test_file_permissionsdir_permissions_binary_dirs_5:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-dir_permissions_library_dirs:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Verify that Shared Library Directories Have Restrictive Permissions</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>This test makes sure that /lib/, /lib64/, /usr/lib/, /usr/lib64/ has mode 7755.
-      If the target file or directory has an extended ACL, then it will fail the mode check.
-      </oval-def:description>
-            <oval-def:reference ref_id="dir_permissions_library_dirs" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check file mode of /lib/" test_ref="oval:ssg-test_file_permissionsdir_permissions_library_dirs_0:tst:1"/>
-            <oval-def:criterion comment="Check file mode of /lib64/" test_ref="oval:ssg-test_file_permissionsdir_permissions_library_dirs_1:tst:1"/>
-            <oval-def:criterion comment="Check file mode of /usr/lib/" test_ref="oval:ssg-test_file_permissionsdir_permissions_library_dirs_2:tst:1"/>
-            <oval-def:criterion comment="Check file mode of /usr/lib64/" test_ref="oval:ssg-test_file_permissionsdir_permissions_library_dirs_3:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-disable_host_auth:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Disable Host-Based Authentication</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Ensure 'HostbasedAuthentication' is configured with value 'no' in /etc/ssh/sshd_config</oval-def:description>
-            <oval-def:reference ref_id="disable_host_auth" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="sshd is configured correctly or is not installed" operator="OR">
-            <oval-def:criteria comment="sshd is not installed" operator="AND">
-              <oval-def:extend_definition comment="sshd is not required or requirement is unset" definition_ref="oval:ssg-sshd_not_required_or_unset:def:1"/>
-              <oval-def:extend_definition comment="rpm package openssh-server removed" definition_ref="oval:ssg-package_openssh-server_removed:def:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria comment="sshd is installed and configured" operator="AND">
-              <oval-def:extend_definition comment="sshd is required or requirement is unset" definition_ref="oval:ssg-sshd_required_or_unset:def:1"/>
-              <oval-def:extend_definition comment="rpm package openssh-server installed" definition_ref="oval:ssg-package_openssh-server_installed:def:1"/>
-              <oval-def:criteria comment="sshd is configured correctly" operator="OR">
-                <oval-def:criterion comment="Check the HostbasedAuthentication in /etc/ssh/sshd_config" test_ref="oval:ssg-test_disable_host_auth:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_backup_etc_group:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Verify Group Who Owns Backup group File</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>This test makes sure that /etc/group- is group owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="file_groupowner_backup_etc_group" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check file group ownership of /etc/group-" test_ref="oval:ssg-test_file_groupowner_backup_etc_group_0:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_backup_etc_gshadow:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Verify Group Who Owns Backup gshadow File</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>This test makes sure that /etc/gshadow- is group owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="file_groupowner_backup_etc_gshadow" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check file group ownership of /etc/gshadow-" test_ref="oval:ssg-test_file_groupowner_backup_etc_gshadow_0:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_backup_etc_passwd:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Verify Group Who Owns Backup passwd File</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>This test makes sure that /etc/passwd- is group owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="file_groupowner_backup_etc_passwd" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check file group ownership of /etc/passwd-" test_ref="oval:ssg-test_file_groupowner_backup_etc_passwd_0:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_backup_etc_shadow:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Verify User Who Owns Backup shadow File</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>This test makes sure that /etc/shadow- is group owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="file_groupowner_backup_etc_shadow" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check file group ownership of /etc/shadow-" test_ref="oval:ssg-test_file_groupowner_backup_etc_shadow_0:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_etc_group:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Verify Group Who Owns group File</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>This test makes sure that /etc/group is group owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="file_groupowner_etc_group" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check file group ownership of /etc/group" test_ref="oval:ssg-test_file_groupowner_etc_group_0:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_etc_gshadow:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Verify Group Who Owns gshadow File</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>This test makes sure that /etc/gshadow is group owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="file_groupowner_etc_gshadow" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check file group ownership of /etc/gshadow" test_ref="oval:ssg-test_file_groupowner_etc_gshadow_0:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_etc_issue:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Verify Group Ownership of System Login Banner</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>This test makes sure that /etc/issue is group owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="file_groupowner_etc_issue" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check file group ownership of /etc/issue" test_ref="oval:ssg-test_file_groupowner_etc_issue_0:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_etc_passwd:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Verify Group Who Owns passwd File</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>This test makes sure that /etc/passwd is group owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="file_groupowner_etc_passwd" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check file group ownership of /etc/passwd" test_ref="oval:ssg-test_file_groupowner_etc_passwd_0:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_etc_shadow:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Verify Group Who Owns shadow File</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>This test makes sure that /etc/shadow is group owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="file_groupowner_etc_shadow" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check file group ownership of /etc/shadow" test_ref="oval:ssg-test_file_groupowner_etc_shadow_0:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_sshd_config:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Verify Group Who Owns SSH Server config file</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>This test makes sure that /etc/ssh/sshd_config is group owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="file_groupowner_sshd_config" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check file group ownership of /etc/ssh/sshd_config" test_ref="oval:ssg-test_file_groupowner_sshd_config_0:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_var_log:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Verify Group Who Owns /var/log Directory</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>This test makes sure that /var/log/ is group owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="file_groupowner_var_log" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check file group ownership of /var/log/" test_ref="oval:ssg-test_file_groupowner_var_log_0:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_var_log_messages:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Verify Group Who Owns /var/log/messages File</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>This test makes sure that /var/log/messages is group owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="file_groupowner_var_log_messages" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check file group ownership of /var/log/messages" test_ref="oval:ssg-test_file_groupowner_var_log_messages_0:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_groupowner_var_log_syslog:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Verify Group Who Owns /var/log/syslog File</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>This test makes sure that /var/log/syslog is group owned by 4.</oval-def:description>
-            <oval-def:reference ref_id="file_groupowner_var_log_syslog" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check file group ownership of /var/log/syslog" test_ref="oval:ssg-test_file_groupowner_var_log_syslog_0:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_groupownership_audit_configuration:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Audit Configuration Files Must Be Owned By Group root</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>This test makes sure that /etc/audit/, /etc/audit/rules.d/ is group owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="file_groupownership_audit_configuration" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check file group ownership of /etc/audit/" test_ref="oval:ssg-test_file_groupownership_audit_configuration_0:tst:1"/>
-            <oval-def:criterion comment="Check file group ownership of /etc/audit/rules.d/" test_ref="oval:ssg-test_file_groupownership_audit_configuration_1:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_owner_backup_etc_group:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Verify User Who Owns Backup group File</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>This test makes sure that /etc/group- is owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="file_owner_backup_etc_group" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check file ownership of /etc/group-" test_ref="oval:ssg-test_file_owner_backup_etc_group_0:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_owner_backup_etc_gshadow:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Verify User Who Owns Backup gshadow File</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>This test makes sure that /etc/gshadow- is owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="file_owner_backup_etc_gshadow" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check file ownership of /etc/gshadow-" test_ref="oval:ssg-test_file_owner_backup_etc_gshadow_0:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_owner_backup_etc_passwd:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Verify User Who Owns Backup passwd File</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>This test makes sure that /etc/passwd- is owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="file_owner_backup_etc_passwd" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check file ownership of /etc/passwd-" test_ref="oval:ssg-test_file_owner_backup_etc_passwd_0:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_owner_backup_etc_shadow:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Verify Group Who Owns Backup shadow File</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>This test makes sure that /etc/shadow- is owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="file_owner_backup_etc_shadow" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check file ownership of /etc/shadow-" test_ref="oval:ssg-test_file_owner_backup_etc_shadow_0:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_owner_etc_group:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Verify User Who Owns group File</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>This test makes sure that /etc/group is owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="file_owner_etc_group" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check file ownership of /etc/group" test_ref="oval:ssg-test_file_owner_etc_group_0:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_owner_etc_gshadow:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Verify User Who Owns gshadow File</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>This test makes sure that /etc/gshadow is owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="file_owner_etc_gshadow" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check file ownership of /etc/gshadow" test_ref="oval:ssg-test_file_owner_etc_gshadow_0:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_owner_etc_issue:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Verify ownership of System Login Banner</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>This test makes sure that /etc/issue is owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="file_owner_etc_issue" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check file ownership of /etc/issue" test_ref="oval:ssg-test_file_owner_etc_issue_0:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_owner_etc_passwd:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Verify User Who Owns passwd File</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>This test makes sure that /etc/passwd is owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="file_owner_etc_passwd" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check file ownership of /etc/passwd" test_ref="oval:ssg-test_file_owner_etc_passwd_0:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_owner_etc_shadow:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Verify User Who Owns shadow File</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>This test makes sure that /etc/shadow is owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="file_owner_etc_shadow" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check file ownership of /etc/shadow" test_ref="oval:ssg-test_file_owner_etc_shadow_0:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_owner_sshd_config:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Verify Owner on SSH Server config file</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>This test makes sure that /etc/ssh/sshd_config is owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="file_owner_sshd_config" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check file ownership of /etc/ssh/sshd_config" test_ref="oval:ssg-test_file_owner_sshd_config_0:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_owner_var_log:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Verify User Who Owns /var/log Directory</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>This test makes sure that /var/log/ is owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="file_owner_var_log" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check file ownership of /var/log/" test_ref="oval:ssg-test_file_owner_var_log_0:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_owner_var_log_messages:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Verify User Who Owns /var/log/messages File</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>This test makes sure that /var/log/messages is owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="file_owner_var_log_messages" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check file ownership of /var/log/messages" test_ref="oval:ssg-test_file_owner_var_log_messages_0:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_owner_var_log_syslog:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Verify User Who Owns /var/log/syslog File</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>This test makes sure that /var/log/syslog is owned by 104.</oval-def:description>
-            <oval-def:reference ref_id="file_owner_var_log_syslog" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check file ownership of /var/log/syslog" test_ref="oval:ssg-test_file_owner_var_log_syslog_0:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_ownership_audit_configuration:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Audit Configuration Files Must Be Owned By Root</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>This test makes sure that /etc/audit/, /etc/audit/rules.d/ is owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="file_ownership_audit_configuration" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check file ownership of /etc/audit/" test_ref="oval:ssg-test_file_ownership_audit_configuration_0:tst:1"/>
-            <oval-def:criterion comment="Check file ownership of /etc/audit/rules.d/" test_ref="oval:ssg-test_file_ownership_audit_configuration_1:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_ownership_library_dirs:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Verify that Shared Library Files Have Root Ownership</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>This test makes sure that /lib/, /lib64/, /usr/lib/, /usr/lib64/ is owned by 0.</oval-def:description>
-            <oval-def:reference ref_id="file_ownership_library_dirs" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check file ownership of /lib/" test_ref="oval:ssg-test_file_ownership_library_dirs_0:tst:1"/>
-            <oval-def:criterion comment="Check file ownership of /lib64/" test_ref="oval:ssg-test_file_ownership_library_dirs_1:tst:1"/>
-            <oval-def:criterion comment="Check file ownership of /usr/lib/" test_ref="oval:ssg-test_file_ownership_library_dirs_2:tst:1"/>
-            <oval-def:criterion comment="Check file ownership of /usr/lib64/" test_ref="oval:ssg-test_file_ownership_library_dirs_3:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_backup_etc_group:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Verify Permissions on Backup group File</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>This test makes sure that /etc/group- has mode 0644.
-      If the target file or directory has an extended ACL, then it will fail the mode check.
-      </oval-def:description>
-            <oval-def:reference ref_id="file_permissions_backup_etc_group" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check file mode of /etc/group-" test_ref="oval:ssg-test_file_permissions_backup_etc_group_0:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_backup_etc_gshadow:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Verify Permissions on Backup gshadow File</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>This test makes sure that /etc/gshadow- has mode 0000.
-      If the target file or directory has an extended ACL, then it will fail the mode check.
-      </oval-def:description>
-            <oval-def:reference ref_id="file_permissions_backup_etc_gshadow" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check file mode of /etc/gshadow-" test_ref="oval:ssg-test_file_permissions_backup_etc_gshadow_0:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_backup_etc_passwd:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Verify Permissions on Backup passwd File</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>This test makes sure that /etc/passwd- has mode 0644.
-      If the target file or directory has an extended ACL, then it will fail the mode check.
-      </oval-def:description>
-            <oval-def:reference ref_id="file_permissions_backup_etc_passwd" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check file mode of /etc/passwd-" test_ref="oval:ssg-test_file_permissions_backup_etc_passwd_0:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_backup_etc_shadow:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Verify Permissions on Backup shadow File</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>This test makes sure that /etc/shadow- has mode 0000.
-      If the target file or directory has an extended ACL, then it will fail the mode check.
-      </oval-def:description>
-            <oval-def:reference ref_id="file_permissions_backup_etc_shadow" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check file mode of /etc/shadow-" test_ref="oval:ssg-test_file_permissions_backup_etc_shadow_0:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_etc_group:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Verify Permissions on group File</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>This test makes sure that /etc/group has mode 0644.
-      If the target file or directory has an extended ACL, then it will fail the mode check.
-      </oval-def:description>
-            <oval-def:reference ref_id="file_permissions_etc_group" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check file mode of /etc/group" test_ref="oval:ssg-test_file_permissions_etc_group_0:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_etc_gshadow:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Verify Permissions on gshadow File</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>This test makes sure that /etc/gshadow has mode 0000.
-      If the target file or directory has an extended ACL, then it will fail the mode check.
-      </oval-def:description>
-            <oval-def:reference ref_id="file_permissions_etc_gshadow" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check file mode of /etc/gshadow" test_ref="oval:ssg-test_file_permissions_etc_gshadow_0:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_etc_issue:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Verify permissions on System Login Banner</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>This test makes sure that /etc/issue has mode 0644.
-      If the target file or directory has an extended ACL, then it will fail the mode check.
-      </oval-def:description>
-            <oval-def:reference ref_id="file_permissions_etc_issue" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check file mode of /etc/issue" test_ref="oval:ssg-test_file_permissions_etc_issue_0:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_etc_passwd:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Verify Permissions on passwd File</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>This test makes sure that /etc/passwd has mode 0644.
-      If the target file or directory has an extended ACL, then it will fail the mode check.
-      </oval-def:description>
-            <oval-def:reference ref_id="file_permissions_etc_passwd" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check file mode of /etc/passwd" test_ref="oval:ssg-test_file_permissions_etc_passwd_0:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_etc_shadow:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Verify Permissions on shadow File</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>This test makes sure that /etc/shadow has mode 0000.
-      If the target file or directory has an extended ACL, then it will fail the mode check.
-      </oval-def:description>
-            <oval-def:reference ref_id="file_permissions_etc_shadow" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check file mode of /etc/shadow" test_ref="oval:ssg-test_file_permissions_etc_shadow_0:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_library_dirs:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Verify that Shared Library Files Have Restrictive Permissions</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>This test makes sure that /lib/, /lib64/, /usr/lib/, /usr/lib64/ has mode 7755.
-      If the target file or directory has an extended ACL, then it will fail the mode check.
-      </oval-def:description>
-            <oval-def:reference ref_id="file_permissions_library_dirs" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check file mode of /lib/" test_ref="oval:ssg-test_file_permissions_library_dirs_0:tst:1"/>
-            <oval-def:criterion comment="Check file mode of /lib64/" test_ref="oval:ssg-test_file_permissions_library_dirs_1:tst:1"/>
-            <oval-def:criterion comment="Check file mode of /usr/lib/" test_ref="oval:ssg-test_file_permissions_library_dirs_2:tst:1"/>
-            <oval-def:criterion comment="Check file mode of /usr/lib64/" test_ref="oval:ssg-test_file_permissions_library_dirs_3:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_sshd_config:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Verify Permissions on SSH Server config file</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>This test makes sure that /etc/ssh/sshd_config has mode 0600.
-      If the target file or directory has an extended ACL, then it will fail the mode check.
-      </oval-def:description>
-            <oval-def:reference ref_id="file_permissions_sshd_config" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check file mode of /etc/ssh/sshd_config" test_ref="oval:ssg-test_file_permissions_sshd_config_0:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_sshd_pub_key:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Verify Permissions on SSH Server Public *.pub Key Files</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>This test makes sure that /etc/ssh/ has mode 0644.
-      If the target file or directory has an extended ACL, then it will fail the mode check.
-      </oval-def:description>
-            <oval-def:reference ref_id="file_permissions_sshd_pub_key" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check file mode of /etc/ssh/" test_ref="oval:ssg-test_file_permissions_sshd_pub_key_0:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_var_log:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Verify Permissions on /var/log Directory</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>This test makes sure that /var/log/ has mode 0755.
-      If the target file or directory has an extended ACL, then it will fail the mode check.
-      </oval-def:description>
-            <oval-def:reference ref_id="file_permissions_var_log" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check file mode of /var/log/" test_ref="oval:ssg-test_file_permissions_var_log_0:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_var_log_messages:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Verify Permissions on /var/log/messages File</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>This test makes sure that /var/log/messages has mode 0640.
-      If the target file or directory has an extended ACL, then it will fail the mode check.
-      </oval-def:description>
-            <oval-def:reference ref_id="file_permissions_var_log_messages" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check file mode of /var/log/messages" test_ref="oval:ssg-test_file_permissions_var_log_messages_0:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-file_permissions_var_log_syslog:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Verify Permissions on /var/log/syslog File</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>This test makes sure that /var/log/syslog has mode 0640.
-      If the target file or directory has an extended ACL, then it will fail the mode check.
-      </oval-def:description>
-            <oval-def:reference ref_id="file_permissions_var_log_syslog" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Check file mode of /var/log/syslog" test_ref="oval:ssg-test_file_permissions_var_log_syslog_0:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-grub2_enable_iommu_force:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>IOMMU configuration directive</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Ensure iommu=force is configured in the kernel line in /etc/default/grub.</oval-def:description>
-            <oval-def:reference ref_id="grub2_enable_iommu_force" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion test_ref="oval:ssg-test_grub2_iommu_argument:tst:1" comment="check for iommu=force in /etc/default/grub via GRUB_CMDLINE_LINUX"/>
-              <oval-def:criteria operator="AND">
-                <oval-def:criterion test_ref="oval:ssg-test_grub2_iommu_argument_default:tst:1" comment="check for iommu=force in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT"/>
-                <oval-def:extend_definition definition_ref="oval:ssg-bootloader_disable_recovery_set_to_true:def:1" comment="Check GRUB_DISABLE_RECOVERY=true in /etc/default/grub"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-grub2_ipv6_disable_argument:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Ensure IPv6 is disabled through kernel boot parameter</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Ensure ipv6.disable=1 is configured in the kernel line in /etc/default/grub.</oval-def:description>
-            <oval-def:reference ref_id="grub2_ipv6_disable_argument" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion test_ref="oval:ssg-test_grub2_ipv6_disable_argument:tst:1" comment="check for ipv6.disable=1 in /etc/default/grub via GRUB_CMDLINE_LINUX"/>
-              <oval-def:criteria operator="AND">
-                <oval-def:criterion test_ref="oval:ssg-test_grub2_ipv6_disable_argument_default:tst:1" comment="check for ipv6.disable=1 in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT"/>
-                <oval-def:extend_definition definition_ref="oval:ssg-bootloader_disable_recovery_set_to_true:def:1" comment="Check GRUB_DISABLE_RECOVERY=true in /etc/default/grub"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-grub2_l1tf_argument:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Configure L1 Terminal Fault mitigations</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Ensure l1tf is configured in the kernel line in /etc/default/grub.</oval-def:description>
-            <oval-def:reference ref_id="grub2_l1tf_argument" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion test_ref="oval:ssg-test_grub2_l1tf_argument:tst:1" comment="check for l1tf in /etc/default/grub via GRUB_CMDLINE_LINUX"/>
-              <oval-def:criteria operator="AND">
-                <oval-def:criterion test_ref="oval:ssg-test_grub2_l1tf_argument_default:tst:1" comment="check for l1tf in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT"/>
-                <oval-def:extend_definition definition_ref="oval:ssg-bootloader_disable_recovery_set_to_true:def:1" comment="Check GRUB_DISABLE_RECOVERY=true in /etc/default/grub"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-grub2_mce_argument:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Force kernel panic on uncorrected MCEs</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Ensure mce=0 is configured in the kernel line in /etc/default/grub.</oval-def:description>
-            <oval-def:reference ref_id="grub2_mce_argument" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion test_ref="oval:ssg-test_grub2_mce_argument:tst:1" comment="check for mce=0 in /etc/default/grub via GRUB_CMDLINE_LINUX"/>
-              <oval-def:criteria operator="AND">
-                <oval-def:criterion test_ref="oval:ssg-test_grub2_mce_argument_default:tst:1" comment="check for mce=0 in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT"/>
-                <oval-def:extend_definition definition_ref="oval:ssg-bootloader_disable_recovery_set_to_true:def:1" comment="Check GRUB_DISABLE_RECOVERY=true in /etc/default/grub"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-grub2_nosmap_argument_absent:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Ensure SMAP is not disabled during boot</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Ensure nosmap is not set in the kernel line in /etc/default/grub.</oval-def:description>
-            <oval-def:reference ref_id="grub2_nosmap_argument_absent" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion test_ref="oval:ssg-test_grub2_nosmap_argument_absent:tst:1" comment="check for absence of nosmap in /etc/default/grub on GRUB_CMDLINE_LINUX"/>
-              <oval-def:criteria operator="AND">
-                <oval-def:criterion test_ref="oval:ssg-test_grub2_nosmap_argument_absent_default:tst:1" comment="check for absence ofnosmap in /etc/default/grub on GRUB_CMDLINE_LINUX_DEFAULT"/>
-                <oval-def:extend_definition definition_ref="oval:ssg-bootloader_disable_recovery_set_to_true:def:1" comment="Check GRUB_DISABLE_RECOVERY=true in /etc/default/grub"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-grub2_nosmep_argument_absent:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Ensure SMEP is not disabled during boot</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Ensure nosmep is not set in the kernel line in /etc/default/grub.</oval-def:description>
-            <oval-def:reference ref_id="grub2_nosmep_argument_absent" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion test_ref="oval:ssg-test_grub2_nosmep_argument_absent:tst:1" comment="check for absence of nosmep in /etc/default/grub on GRUB_CMDLINE_LINUX"/>
-              <oval-def:criteria operator="AND">
-                <oval-def:criterion test_ref="oval:ssg-test_grub2_nosmep_argument_absent_default:tst:1" comment="check for absence ofnosmep in /etc/default/grub on GRUB_CMDLINE_LINUX_DEFAULT"/>
-                <oval-def:extend_definition definition_ref="oval:ssg-bootloader_disable_recovery_set_to_true:def:1" comment="Check GRUB_DISABLE_RECOVERY=true in /etc/default/grub"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-grub2_rng_core_default_quality_argument:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Configure the confidence in TPM for entropy</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Ensure rng_core.default_quality is configured in the kernel line in /etc/default/grub.</oval-def:description>
-            <oval-def:reference ref_id="grub2_rng_core_default_quality_argument" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion test_ref="oval:ssg-test_grub2_rng_core_default_quality_argument:tst:1" comment="check for rng_core.default_quality in /etc/default/grub via GRUB_CMDLINE_LINUX"/>
-              <oval-def:criteria operator="AND">
-                <oval-def:criterion test_ref="oval:ssg-test_grub2_rng_core_default_quality_argument_default:tst:1" comment="check for rng_core.default_quality in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT"/>
-                <oval-def:extend_definition definition_ref="oval:ssg-bootloader_disable_recovery_set_to_true:def:1" comment="Check GRUB_DISABLE_RECOVERY=true in /etc/default/grub"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-grub2_slab_nomerge_argument:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Disable merging of slabs with similar size</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Ensure slab_nomerge=yes is configured in the kernel line in /etc/default/grub.</oval-def:description>
-            <oval-def:reference ref_id="grub2_slab_nomerge_argument" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion test_ref="oval:ssg-test_grub2_slab_nomerge_argument:tst:1" comment="check for slab_nomerge=yes in /etc/default/grub via GRUB_CMDLINE_LINUX"/>
-              <oval-def:criteria operator="AND">
-                <oval-def:criterion test_ref="oval:ssg-test_grub2_slab_nomerge_argument_default:tst:1" comment="check for slab_nomerge=yes in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT"/>
-                <oval-def:extend_definition definition_ref="oval:ssg-bootloader_disable_recovery_set_to_true:def:1" comment="Check GRUB_DISABLE_RECOVERY=true in /etc/default/grub"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-grub2_spec_store_bypass_disable_argument:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Configure Speculative Store Bypass Mitigation</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Ensure spec_store_bypass_disable is configured in the kernel line in /etc/default/grub.</oval-def:description>
-            <oval-def:reference ref_id="grub2_spec_store_bypass_disable_argument" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion test_ref="oval:ssg-test_grub2_spec_store_bypass_disable_argument:tst:1" comment="check for spec_store_bypass_disable in /etc/default/grub via GRUB_CMDLINE_LINUX"/>
-              <oval-def:criteria operator="AND">
-                <oval-def:criterion test_ref="oval:ssg-test_grub2_spec_store_bypass_disable_argument_default:tst:1" comment="check for spec_store_bypass_disable in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT"/>
-                <oval-def:extend_definition definition_ref="oval:ssg-bootloader_disable_recovery_set_to_true:def:1" comment="Check GRUB_DISABLE_RECOVERY=true in /etc/default/grub"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-grub2_spectre_v2_argument:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Enforce Spectre v2 mitigation</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Ensure spectre_v2=on is configured in the kernel line in /etc/default/grub.</oval-def:description>
-            <oval-def:reference ref_id="grub2_spectre_v2_argument" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion test_ref="oval:ssg-test_grub2_spectre_v2_argument:tst:1" comment="check for spectre_v2=on in /etc/default/grub via GRUB_CMDLINE_LINUX"/>
-              <oval-def:criteria operator="AND">
-                <oval-def:criterion test_ref="oval:ssg-test_grub2_spectre_v2_argument_default:tst:1" comment="check for spectre_v2=on in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT"/>
-                <oval-def:extend_definition definition_ref="oval:ssg-bootloader_disable_recovery_set_to_true:def:1" comment="Check GRUB_DISABLE_RECOVERY=true in /etc/default/grub"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-grub2_systemd_debug-shell_argument_absent:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Ensure debug-shell service is not enabled during boot</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Ensure systemd.debug-shell is not set in the kernel line in /etc/default/grub.</oval-def:description>
-            <oval-def:reference ref_id="grub2_systemd_debug-shell_argument_absent" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion test_ref="oval:ssg-test_grub2_systemd_debug_shell_argument_absent:tst:1" comment="check for absence of systemd.debug-shell in /etc/default/grub on GRUB_CMDLINE_LINUX"/>
-              <oval-def:criteria operator="AND">
-                <oval-def:criterion test_ref="oval:ssg-test_grub2_systemd_debug_shell_argument_absent_default:tst:1" comment="check for absence ofsystemd.debug-shell in /etc/default/grub on GRUB_CMDLINE_LINUX_DEFAULT"/>
-                <oval-def:extend_definition definition_ref="oval:ssg-bootloader_disable_recovery_set_to_true:def:1" comment="Check GRUB_DISABLE_RECOVERY=true in /etc/default/grub"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kernel_config_acpi_custom_method:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Do not allow ACPI methods to be inserted/replaced at run time</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel CONFIG_ACPI_CUSTOM_METHOD should have value n</oval-def:description>
-            <oval-def:reference ref_id="kernel_config_acpi_custom_method" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion comment="Check presence of build configuration of installed kernels" test_ref="oval:ssg-test_kernel_config_acpi_custom_method:tst:1"/>
-              <oval-def:criterion comment="Ensure all kernels have the config" test_ref="oval:ssg-test_all_kernels_config_acpi_custom_method_compliant:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criterion comment="Check absense of build configuration of installed kernels" test_ref="oval:ssg-test_kernel_config_acpi_custom_method_absence:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kernel_config_binfmt_misc:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Disable kernel support for MISC binaries</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel CONFIG_BINFMT_MISC should have value n</oval-def:description>
-            <oval-def:reference ref_id="kernel_config_binfmt_misc" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion comment="Check presence of build configuration of installed kernels" test_ref="oval:ssg-test_kernel_config_binfmt_misc:tst:1"/>
-              <oval-def:criterion comment="Ensure all kernels have the config" test_ref="oval:ssg-test_all_kernels_config_binfmt_misc_compliant:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criterion comment="Check absense of build configuration of installed kernels" test_ref="oval:ssg-test_kernel_config_binfmt_misc_absence:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kernel_config_bug:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Enable support for BUG()</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel CONFIG_BUG should have value y</oval-def:description>
-            <oval-def:reference ref_id="kernel_config_bug" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion comment="Check presence of build configuration of installed kernels" test_ref="oval:ssg-test_kernel_config_bug:tst:1"/>
-              <oval-def:criterion comment="Ensure all kernels have the config" test_ref="oval:ssg-test_all_kernels_config_bug_compliant:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kernel_config_compat_brk:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Disable compatibility with brk()</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel CONFIG_COMPAT_BRK should have value n</oval-def:description>
-            <oval-def:reference ref_id="kernel_config_compat_brk" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion comment="Check presence of build configuration of installed kernels" test_ref="oval:ssg-test_kernel_config_compat_brk:tst:1"/>
-              <oval-def:criterion comment="Ensure all kernels have the config" test_ref="oval:ssg-test_all_kernels_config_compat_brk_compliant:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criterion comment="Check absense of build configuration of installed kernels" test_ref="oval:ssg-test_kernel_config_compat_brk_absence:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kernel_config_compat_vdso:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Disable the 32-bit vDSO</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel CONFIG_COMPAT_VDSO should have value n</oval-def:description>
-            <oval-def:reference ref_id="kernel_config_compat_vdso" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion comment="Check presence of build configuration of installed kernels" test_ref="oval:ssg-test_kernel_config_compat_vdso:tst:1"/>
-              <oval-def:criterion comment="Ensure all kernels have the config" test_ref="oval:ssg-test_all_kernels_config_compat_vdso_compliant:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criterion comment="Check absense of build configuration of installed kernels" test_ref="oval:ssg-test_kernel_config_compat_vdso_absence:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kernel_config_debug_credentials:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Enable checks on credential management</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel CONFIG_DEBUG_CREDENTIALS should have value y</oval-def:description>
-            <oval-def:reference ref_id="kernel_config_debug_credentials" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion comment="Check presence of build configuration of installed kernels" test_ref="oval:ssg-test_kernel_config_debug_credentials:tst:1"/>
-              <oval-def:criterion comment="Ensure all kernels have the config" test_ref="oval:ssg-test_all_kernels_config_debug_credentials_compliant:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kernel_config_debug_fs:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Disable kernel debugfs</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel CONFIG_DEBUG_FS should have value n</oval-def:description>
-            <oval-def:reference ref_id="kernel_config_debug_fs" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion comment="Check presence of build configuration of installed kernels" test_ref="oval:ssg-test_kernel_config_debug_fs:tst:1"/>
-              <oval-def:criterion comment="Ensure all kernels have the config" test_ref="oval:ssg-test_all_kernels_config_debug_fs_compliant:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criterion comment="Check absense of build configuration of installed kernels" test_ref="oval:ssg-test_kernel_config_debug_fs_absence:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kernel_config_debug_list:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Enable checks on linked list manipulation</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel CONFIG_DEBUG_LIST should have value y</oval-def:description>
-            <oval-def:reference ref_id="kernel_config_debug_list" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion comment="Check presence of build configuration of installed kernels" test_ref="oval:ssg-test_kernel_config_debug_list:tst:1"/>
-              <oval-def:criterion comment="Ensure all kernels have the config" test_ref="oval:ssg-test_all_kernels_config_debug_list_compliant:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kernel_config_debug_notifiers:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Enable checks on notifier call chains</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel CONFIG_DEBUG_NOTIFIERS should have value y</oval-def:description>
-            <oval-def:reference ref_id="kernel_config_debug_notifiers" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion comment="Check presence of build configuration of installed kernels" test_ref="oval:ssg-test_kernel_config_debug_notifiers:tst:1"/>
-              <oval-def:criterion comment="Ensure all kernels have the config" test_ref="oval:ssg-test_all_kernels_config_debug_notifiers_compliant:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kernel_config_debug_sg:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Enable checks on scatter-gather (SG) table operations</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel CONFIG_DEBUG_SG should have value y</oval-def:description>
-            <oval-def:reference ref_id="kernel_config_debug_sg" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion comment="Check presence of build configuration of installed kernels" test_ref="oval:ssg-test_kernel_config_debug_sg:tst:1"/>
-              <oval-def:criterion comment="Ensure all kernels have the config" test_ref="oval:ssg-test_all_kernels_config_debug_sg_compliant:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kernel_config_default_mmap_min_addr:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Configure low address space to protect from user allocation</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel CONFIG_DEFAULT_MMAP_MIN_ADDR should have value 65536</oval-def:description>
-            <oval-def:reference ref_id="kernel_config_default_mmap_min_addr" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion comment="Check presence of build configuration of installed kernels" test_ref="oval:ssg-test_kernel_config_default_mmap_min_addr:tst:1"/>
-              <oval-def:criterion comment="Ensure all kernels have the config" test_ref="oval:ssg-test_all_kernels_config_default_mmap_min_addr_compliant:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kernel_config_devkmem:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Disable /dev/kmem virtual device support</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel CONFIG_DEVKMEM should have value n</oval-def:description>
-            <oval-def:reference ref_id="kernel_config_devkmem" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion comment="Check presence of build configuration of installed kernels" test_ref="oval:ssg-test_kernel_config_devkmem:tst:1"/>
-              <oval-def:criterion comment="Ensure all kernels have the config" test_ref="oval:ssg-test_all_kernels_config_devkmem_compliant:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criterion comment="Check absense of build configuration of installed kernels" test_ref="oval:ssg-test_kernel_config_devkmem_absence:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kernel_config_hibernation:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Disable hibernation</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel CONFIG_HIBERNATION should have value n</oval-def:description>
-            <oval-def:reference ref_id="kernel_config_hibernation" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion comment="Check presence of build configuration of installed kernels" test_ref="oval:ssg-test_kernel_config_hibernation:tst:1"/>
-              <oval-def:criterion comment="Ensure all kernels have the config" test_ref="oval:ssg-test_all_kernels_config_hibernation_compliant:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criterion comment="Check absense of build configuration of installed kernels" test_ref="oval:ssg-test_kernel_config_hibernation_absence:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kernel_config_ia32_emulation:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Disable IA32 emulation</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel CONFIG_IA32_EMULATION should have value n</oval-def:description>
-            <oval-def:reference ref_id="kernel_config_ia32_emulation" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion comment="Check presence of build configuration of installed kernels" test_ref="oval:ssg-test_kernel_config_ia32_emulation:tst:1"/>
-              <oval-def:criterion comment="Ensure all kernels have the config" test_ref="oval:ssg-test_all_kernels_config_ia32_emulation_compliant:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criterion comment="Check absense of build configuration of installed kernels" test_ref="oval:ssg-test_kernel_config_ia32_emulation_absence:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kernel_config_ipv6:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Disable the IPv6 protocol</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel CONFIG_IPV6 should have value n</oval-def:description>
-            <oval-def:reference ref_id="kernel_config_ipv6" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion comment="Check presence of build configuration of installed kernels" test_ref="oval:ssg-test_kernel_config_ipv6:tst:1"/>
-              <oval-def:criterion comment="Ensure all kernels have the config" test_ref="oval:ssg-test_all_kernels_config_ipv6_compliant:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criterion comment="Check absense of build configuration of installed kernels" test_ref="oval:ssg-test_kernel_config_ipv6_absence:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kernel_config_kexec:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Disable kexec system call</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel CONFIG_KEXEC should have value n</oval-def:description>
-            <oval-def:reference ref_id="kernel_config_kexec" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion comment="Check presence of build configuration of installed kernels" test_ref="oval:ssg-test_kernel_config_kexec:tst:1"/>
-              <oval-def:criterion comment="Ensure all kernels have the config" test_ref="oval:ssg-test_all_kernels_config_kexec_compliant:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criterion comment="Check absense of build configuration of installed kernels" test_ref="oval:ssg-test_kernel_config_kexec_absence:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kernel_config_legacy_ptys:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Disable legacy (BSD) PTY support</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel CONFIG_LEGACY_PTYS should have value n</oval-def:description>
-            <oval-def:reference ref_id="kernel_config_legacy_ptys" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion comment="Check presence of build configuration of installed kernels" test_ref="oval:ssg-test_kernel_config_legacy_ptys:tst:1"/>
-              <oval-def:criterion comment="Ensure all kernels have the config" test_ref="oval:ssg-test_all_kernels_config_legacy_ptys_compliant:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criterion comment="Check absense of build configuration of installed kernels" test_ref="oval:ssg-test_kernel_config_legacy_ptys_absence:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kernel_config_module_sig:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Enable module signature verification</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel CONFIG_MODULE_SIG should have value y</oval-def:description>
-            <oval-def:reference ref_id="kernel_config_module_sig" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion comment="Check presence of build configuration of installed kernels" test_ref="oval:ssg-test_kernel_config_module_sig:tst:1"/>
-              <oval-def:criterion comment="Ensure all kernels have the config" test_ref="oval:ssg-test_all_kernels_config_module_sig_compliant:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kernel_config_module_sig_all:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Enable automatic signing of all modules</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel CONFIG_MODULE_SIG_ALL should have value y</oval-def:description>
-            <oval-def:reference ref_id="kernel_config_module_sig_all" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion comment="Check presence of build configuration of installed kernels" test_ref="oval:ssg-test_kernel_config_module_sig_all:tst:1"/>
-              <oval-def:criterion comment="Ensure all kernels have the config" test_ref="oval:ssg-test_all_kernels_config_module_sig_all_compliant:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kernel_config_module_sig_force:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Require modules to be validly signed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel CONFIG_MODULE_SIG_FORCE should have value y</oval-def:description>
-            <oval-def:reference ref_id="kernel_config_module_sig_force" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion comment="Check presence of build configuration of installed kernels" test_ref="oval:ssg-test_kernel_config_module_sig_force:tst:1"/>
-              <oval-def:criterion comment="Ensure all kernels have the config" test_ref="oval:ssg-test_all_kernels_config_module_sig_force_compliant:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kernel_config_module_sig_hash:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Specify the hash to use when signing modules</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel CONFIG_MODULE_SIG_HASH should have value according to var_kernel_config_module_sig_hash</oval-def:description>
-            <oval-def:reference ref_id="kernel_config_module_sig_hash" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion comment="Check presence of build configuration of installed kernels" test_ref="oval:ssg-test_kernel_config_module_sig_hash:tst:1"/>
-              <oval-def:criterion comment="Ensure all kernels have the config" test_ref="oval:ssg-test_all_kernels_config_module_sig_hash_compliant:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kernel_config_module_sig_key:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Specify module signing key to use</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel CONFIG_MODULE_SIG_KEY should have value according to var_kernel_config_module_sig_key</oval-def:description>
-            <oval-def:reference ref_id="kernel_config_module_sig_key" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion comment="Check presence of build configuration of installed kernels" test_ref="oval:ssg-test_kernel_config_module_sig_key:tst:1"/>
-              <oval-def:criterion comment="Ensure all kernels have the config" test_ref="oval:ssg-test_all_kernels_config_module_sig_key_compliant:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kernel_config_module_sig_sha512:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Sign kernel modules with SHA-512</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel CONFIG_MODULE_SIG_SHA512 should have value y</oval-def:description>
-            <oval-def:reference ref_id="kernel_config_module_sig_sha512" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion comment="Check presence of build configuration of installed kernels" test_ref="oval:ssg-test_kernel_config_module_sig_sha512:tst:1"/>
-              <oval-def:criterion comment="Ensure all kernels have the config" test_ref="oval:ssg-test_all_kernels_config_module_sig_sha512_compliant:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kernel_config_page_poisoning_no_sanity:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Enable poison without sanity check</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel CONFIG_PAGE_POISONING_NO_SANITY should have value y</oval-def:description>
-            <oval-def:reference ref_id="kernel_config_page_poisoning_no_sanity" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion comment="Check presence of build configuration of installed kernels" test_ref="oval:ssg-test_kernel_config_page_poisoning_no_sanity:tst:1"/>
-              <oval-def:criterion comment="Ensure all kernels have the config" test_ref="oval:ssg-test_all_kernels_config_page_poisoning_no_sanity_compliant:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kernel_config_page_poisoning_zero:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Use zero for poisoning instead of debugging value</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel CONFIG_PAGE_POISONING_ZERO should have value y</oval-def:description>
-            <oval-def:reference ref_id="kernel_config_page_poisoning_zero" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion comment="Check presence of build configuration of installed kernels" test_ref="oval:ssg-test_kernel_config_page_poisoning_zero:tst:1"/>
-              <oval-def:criterion comment="Ensure all kernels have the config" test_ref="oval:ssg-test_all_kernels_config_page_poisoning_zero_compliant:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kernel_config_page_table_isolation:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Remove the kernel mapping in user mode</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel CONFIG_PAGE_TABLE_ISOLATION should have value y</oval-def:description>
-            <oval-def:reference ref_id="kernel_config_page_table_isolation" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion comment="Check presence of build configuration of installed kernels" test_ref="oval:ssg-test_kernel_config_page_table_isolation:tst:1"/>
-              <oval-def:criterion comment="Ensure all kernels have the config" test_ref="oval:ssg-test_all_kernels_config_page_table_isolation_compliant:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kernel_config_panic_on_oops:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Kernel panic oops</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel CONFIG_PANIC_ON_OOPS should have value y</oval-def:description>
-            <oval-def:reference ref_id="kernel_config_panic_on_oops" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion comment="Check presence of build configuration of installed kernels" test_ref="oval:ssg-test_kernel_config_panic_on_oops:tst:1"/>
-              <oval-def:criterion comment="Ensure all kernels have the config" test_ref="oval:ssg-test_all_kernels_config_panic_on_oops_compliant:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kernel_config_panic_timeout:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Kernel panic timeout</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel CONFIG_PANIC_TIMEOUT should have value according to var_kernel_config_panic_timeout</oval-def:description>
-            <oval-def:reference ref_id="kernel_config_panic_timeout" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion comment="Check presence of build configuration of installed kernels" test_ref="oval:ssg-test_kernel_config_panic_timeout:tst:1"/>
-              <oval-def:criterion comment="Ensure all kernels have the config" test_ref="oval:ssg-test_all_kernels_config_panic_timeout_compliant:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kernel_config_proc_kcore:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Disable support for /proc/kkcore</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel CONFIG_PROC_KCORE should have value n</oval-def:description>
-            <oval-def:reference ref_id="kernel_config_proc_kcore" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion comment="Check presence of build configuration of installed kernels" test_ref="oval:ssg-test_kernel_config_proc_kcore:tst:1"/>
-              <oval-def:criterion comment="Ensure all kernels have the config" test_ref="oval:ssg-test_all_kernels_config_proc_kcore_compliant:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criterion comment="Check absense of build configuration of installed kernels" test_ref="oval:ssg-test_kernel_config_proc_kcore_absence:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kernel_config_randomize_base:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Randomize the address of the kernel image (KASLR)</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel CONFIG_RANDOMIZE_BASE should have value y</oval-def:description>
-            <oval-def:reference ref_id="kernel_config_randomize_base" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion comment="Check presence of build configuration of installed kernels" test_ref="oval:ssg-test_kernel_config_randomize_base:tst:1"/>
-              <oval-def:criterion comment="Ensure all kernels have the config" test_ref="oval:ssg-test_all_kernels_config_randomize_base_compliant:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kernel_config_randomize_memory:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Randomize the kernel memory sections</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel CONFIG_RANDOMIZE_MEMORY should have value y</oval-def:description>
-            <oval-def:reference ref_id="kernel_config_randomize_memory" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion comment="Check presence of build configuration of installed kernels" test_ref="oval:ssg-test_kernel_config_randomize_memory:tst:1"/>
-              <oval-def:criterion comment="Ensure all kernels have the config" test_ref="oval:ssg-test_all_kernels_config_randomize_memory_compliant:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kernel_config_retpoline:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Avoid speculative indirect branches in kernel</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel CONFIG_RETPOLINE should have value y</oval-def:description>
-            <oval-def:reference ref_id="kernel_config_retpoline" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion comment="Check presence of build configuration of installed kernels" test_ref="oval:ssg-test_kernel_config_retpoline:tst:1"/>
-              <oval-def:criterion comment="Ensure all kernels have the config" test_ref="oval:ssg-test_all_kernels_config_retpoline_compliant:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kernel_config_seccomp:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Enable seccomp to safely compute untrusted bytecode</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel CONFIG_SECCOMP should have value y</oval-def:description>
-            <oval-def:reference ref_id="kernel_config_seccomp" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion comment="Check presence of build configuration of installed kernels" test_ref="oval:ssg-test_kernel_config_seccomp:tst:1"/>
-              <oval-def:criterion comment="Ensure all kernels have the config" test_ref="oval:ssg-test_all_kernels_config_seccomp_compliant:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kernel_config_seccomp_filter:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Enable use of Berkeley Packet Filter with seccomp</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel CONFIG_SECCOMP_FILTER should have value y</oval-def:description>
-            <oval-def:reference ref_id="kernel_config_seccomp_filter" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion comment="Check presence of build configuration of installed kernels" test_ref="oval:ssg-test_kernel_config_seccomp_filter:tst:1"/>
-              <oval-def:criterion comment="Ensure all kernels have the config" test_ref="oval:ssg-test_all_kernels_config_seccomp_filter_compliant:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kernel_config_security:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Enable different security models</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel CONFIG_SECURITY should have value y</oval-def:description>
-            <oval-def:reference ref_id="kernel_config_security" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion comment="Check presence of build configuration of installed kernels" test_ref="oval:ssg-test_kernel_config_security:tst:1"/>
-              <oval-def:criterion comment="Ensure all kernels have the config" test_ref="oval:ssg-test_all_kernels_config_security_compliant:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kernel_config_security_dmesg_restrict:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Restrict unprivileged access to the kernel syslog</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel CONFIG_SECURITY_DMESG_RESTRICT should have value n</oval-def:description>
-            <oval-def:reference ref_id="kernel_config_security_dmesg_restrict" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion comment="Check presence of build configuration of installed kernels" test_ref="oval:ssg-test_kernel_config_security_dmesg_restrict:tst:1"/>
-              <oval-def:criterion comment="Ensure all kernels have the config" test_ref="oval:ssg-test_all_kernels_config_security_dmesg_restrict_compliant:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criterion comment="Check absense of build configuration of installed kernels" test_ref="oval:ssg-test_kernel_config_security_dmesg_restrict_absence:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kernel_config_security_writable_hooks:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Disable mutable hooks</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel CONFIG_SECURITY_WRITABLE_HOOKS should have value y</oval-def:description>
-            <oval-def:reference ref_id="kernel_config_security_writable_hooks" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion comment="Check presence of build configuration of installed kernels" test_ref="oval:ssg-test_kernel_config_security_writable_hooks:tst:1"/>
-              <oval-def:criterion comment="Ensure all kernels have the config" test_ref="oval:ssg-test_all_kernels_config_security_writable_hooks_compliant:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kernel_config_security_yama:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Enable Yama support</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel CONFIG_SECURITY_YAMA should have value y</oval-def:description>
-            <oval-def:reference ref_id="kernel_config_security_yama" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion comment="Check presence of build configuration of installed kernels" test_ref="oval:ssg-test_kernel_config_security_yama:tst:1"/>
-              <oval-def:criterion comment="Ensure all kernels have the config" test_ref="oval:ssg-test_all_kernels_config_security_yama_compliant:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kernel_config_slub_debug:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Enable SLUB debugging support</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel CONFIG_SLUB_DEBUG should have value y</oval-def:description>
-            <oval-def:reference ref_id="kernel_config_slub_debug" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion comment="Check presence of build configuration of installed kernels" test_ref="oval:ssg-test_kernel_config_slub_debug:tst:1"/>
-              <oval-def:criterion comment="Ensure all kernels have the config" test_ref="oval:ssg-test_all_kernels_config_slub_debug_compliant:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kernel_config_syn_cookies:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Enable TCP/IP syncookie support</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel CONFIG_SYN_COOKIES should have value y</oval-def:description>
-            <oval-def:reference ref_id="kernel_config_syn_cookies" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion comment="Check presence of build configuration of installed kernels" test_ref="oval:ssg-test_kernel_config_syn_cookies:tst:1"/>
-              <oval-def:criterion comment="Ensure all kernels have the config" test_ref="oval:ssg-test_all_kernels_config_syn_cookies_compliant:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kernel_config_unmap_kernel_at_el0:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Unmap kernel when running in userspace (aka KAISER)</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel CONFIG_UNMAP_KERNEL_AT_EL0 should have value y</oval-def:description>
-            <oval-def:reference ref_id="kernel_config_unmap_kernel_at_el0" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion comment="Check presence of build configuration of installed kernels" test_ref="oval:ssg-test_kernel_config_unmap_kernel_at_el0:tst:1"/>
-              <oval-def:criterion comment="Ensure all kernels have the config" test_ref="oval:ssg-test_all_kernels_config_unmap_kernel_at_el0_compliant:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kernel_config_x86_vsyscall_emulation:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Disable x86 vsyscall emulation</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel CONFIG_X86_VSYSCALL_EMULATION should have value n</oval-def:description>
-            <oval-def:reference ref_id="kernel_config_x86_vsyscall_emulation" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion comment="Check presence of build configuration of installed kernels" test_ref="oval:ssg-test_kernel_config_x86_vsyscall_emulation:tst:1"/>
-              <oval-def:criterion comment="Ensure all kernels have the config" test_ref="oval:ssg-test_all_kernels_config_x86_vsyscall_emulation_compliant:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criterion comment="Check absense of build configuration of installed kernels" test_ref="oval:ssg-test_kernel_config_x86_vsyscall_emulation_absence:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kernel_module_atm_disabled:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Disable ATM Support</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel module atm should be disabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82518-2" source="CCE"/>
-            <oval-def:reference ref_id="kernel_module_atm_disabled" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion test_ref="oval:ssg-test_kernmod_atm_blacklisted:tst:1" comment="kernel module atm blacklisted in modprobe.d"/>
-              <oval-def:criterion test_ref="oval:ssg-test_kernmod_atm_disabled:tst:1" comment="kernel module atm disabled in modprobe.d"/>
-            </oval-def:criteria>
-            <oval-def:criterion test_ref="oval:ssg-test_kernmod_atm_modprobeconf:tst:1" comment="kernel module atm disabled in /etc/modprobe.conf"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kernel_module_bluetooth_disabled:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Disable Bluetooth Kernel Module</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel module bluetooth should be disabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82515-8" source="CCE"/>
-            <oval-def:reference ref_id="kernel_module_bluetooth_disabled" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion test_ref="oval:ssg-test_kernmod_bluetooth_blacklisted:tst:1" comment="kernel module bluetooth blacklisted in modprobe.d"/>
-              <oval-def:criterion test_ref="oval:ssg-test_kernmod_bluetooth_disabled:tst:1" comment="kernel module bluetooth disabled in modprobe.d"/>
-            </oval-def:criteria>
-            <oval-def:criterion test_ref="oval:ssg-test_kernmod_bluetooth_modprobeconf:tst:1" comment="kernel module bluetooth disabled in /etc/modprobe.conf"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kernel_module_can_disabled:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Disable CAN Support</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel module can should be disabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82519-0" source="CCE"/>
-            <oval-def:reference ref_id="kernel_module_can_disabled" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion test_ref="oval:ssg-test_kernmod_can_blacklisted:tst:1" comment="kernel module can blacklisted in modprobe.d"/>
-              <oval-def:criterion test_ref="oval:ssg-test_kernmod_can_disabled:tst:1" comment="kernel module can disabled in modprobe.d"/>
-            </oval-def:criteria>
-            <oval-def:criterion test_ref="oval:ssg-test_kernmod_can_modprobeconf:tst:1" comment="kernel module can disabled in /etc/modprobe.conf"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kernel_module_cfg80211_disabled:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Disable Kernel cfg80211 Module</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel module cfg80211 should be disabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-85932-2" source="CCE"/>
-            <oval-def:reference ref_id="kernel_module_cfg80211_disabled" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion test_ref="oval:ssg-test_kernmod_cfg80211_blacklisted:tst:1" comment="kernel module cfg80211 blacklisted in modprobe.d"/>
-              <oval-def:criterion test_ref="oval:ssg-test_kernmod_cfg80211_disabled:tst:1" comment="kernel module cfg80211 disabled in modprobe.d"/>
-            </oval-def:criteria>
-            <oval-def:criterion test_ref="oval:ssg-test_kernmod_cfg80211_modprobeconf:tst:1" comment="kernel module cfg80211 disabled in /etc/modprobe.conf"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kernel_module_cramfs_disabled:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Disable Mounting of cramfs</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel module cramfs should be disabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82514-1" source="CCE"/>
-            <oval-def:reference ref_id="kernel_module_cramfs_disabled" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion test_ref="oval:ssg-test_kernmod_cramfs_blacklisted:tst:1" comment="kernel module cramfs blacklisted in modprobe.d"/>
-              <oval-def:criterion test_ref="oval:ssg-test_kernmod_cramfs_disabled:tst:1" comment="kernel module cramfs disabled in modprobe.d"/>
-            </oval-def:criteria>
-            <oval-def:criterion test_ref="oval:ssg-test_kernmod_cramfs_modprobeconf:tst:1" comment="kernel module cramfs disabled in /etc/modprobe.conf"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kernel_module_firewire-core_disabled:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Disable IEEE 1394 (FireWire) Support</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel module firewire-core should be disabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82517-4" source="CCE"/>
-            <oval-def:reference ref_id="kernel_module_firewire-core_disabled" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion test_ref="oval:ssg-test_kernmod_firewire-core_blacklisted:tst:1" comment="kernel module firewire-core blacklisted in modprobe.d"/>
-              <oval-def:criterion test_ref="oval:ssg-test_kernmod_firewire-core_disabled:tst:1" comment="kernel module firewire-core disabled in modprobe.d"/>
-            </oval-def:criteria>
-            <oval-def:criterion test_ref="oval:ssg-test_kernmod_firewire-core_modprobeconf:tst:1" comment="kernel module firewire-core disabled in /etc/modprobe.conf"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kernel_module_freevxfs_disabled:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Disable Mounting of freevxfs</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel module freevxfs should be disabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82713-9" source="CCE"/>
-            <oval-def:reference ref_id="kernel_module_freevxfs_disabled" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion test_ref="oval:ssg-test_kernmod_freevxfs_blacklisted:tst:1" comment="kernel module freevxfs blacklisted in modprobe.d"/>
-              <oval-def:criterion test_ref="oval:ssg-test_kernmod_freevxfs_disabled:tst:1" comment="kernel module freevxfs disabled in modprobe.d"/>
-            </oval-def:criteria>
-            <oval-def:criterion test_ref="oval:ssg-test_kernmod_freevxfs_modprobeconf:tst:1" comment="kernel module freevxfs disabled in /etc/modprobe.conf"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kernel_module_hfs_disabled:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Disable Mounting of hfs</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel module hfs should be disabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82714-7" source="CCE"/>
-            <oval-def:reference ref_id="kernel_module_hfs_disabled" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion test_ref="oval:ssg-test_kernmod_hfs_blacklisted:tst:1" comment="kernel module hfs blacklisted in modprobe.d"/>
-              <oval-def:criterion test_ref="oval:ssg-test_kernmod_hfs_disabled:tst:1" comment="kernel module hfs disabled in modprobe.d"/>
-            </oval-def:criteria>
-            <oval-def:criterion test_ref="oval:ssg-test_kernmod_hfs_modprobeconf:tst:1" comment="kernel module hfs disabled in /etc/modprobe.conf"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kernel_module_hfsplus_disabled:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Disable Mounting of hfsplus</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel module hfsplus should be disabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82715-4" source="CCE"/>
-            <oval-def:reference ref_id="kernel_module_hfsplus_disabled" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion test_ref="oval:ssg-test_kernmod_hfsplus_blacklisted:tst:1" comment="kernel module hfsplus blacklisted in modprobe.d"/>
-              <oval-def:criterion test_ref="oval:ssg-test_kernmod_hfsplus_disabled:tst:1" comment="kernel module hfsplus disabled in modprobe.d"/>
-            </oval-def:criteria>
-            <oval-def:criterion test_ref="oval:ssg-test_kernmod_hfsplus_modprobeconf:tst:1" comment="kernel module hfsplus disabled in /etc/modprobe.conf"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kernel_module_iwlmvm_disabled:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Disable Kernel iwlmvm Module</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel module iwlmvm should be disabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-85933-0" source="CCE"/>
-            <oval-def:reference ref_id="kernel_module_iwlmvm_disabled" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion test_ref="oval:ssg-test_kernmod_iwlmvm_blacklisted:tst:1" comment="kernel module iwlmvm blacklisted in modprobe.d"/>
-              <oval-def:criterion test_ref="oval:ssg-test_kernmod_iwlmvm_disabled:tst:1" comment="kernel module iwlmvm disabled in modprobe.d"/>
-            </oval-def:criteria>
-            <oval-def:criterion test_ref="oval:ssg-test_kernmod_iwlmvm_modprobeconf:tst:1" comment="kernel module iwlmvm disabled in /etc/modprobe.conf"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kernel_module_iwlwifi_disabled:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Disable Kernel iwlwifi Module</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel module iwlwifi should be disabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-85934-8" source="CCE"/>
-            <oval-def:reference ref_id="kernel_module_iwlwifi_disabled" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion test_ref="oval:ssg-test_kernmod_iwlwifi_blacklisted:tst:1" comment="kernel module iwlwifi blacklisted in modprobe.d"/>
-              <oval-def:criterion test_ref="oval:ssg-test_kernmod_iwlwifi_disabled:tst:1" comment="kernel module iwlwifi disabled in modprobe.d"/>
-            </oval-def:criteria>
-            <oval-def:criterion test_ref="oval:ssg-test_kernmod_iwlwifi_modprobeconf:tst:1" comment="kernel module iwlwifi disabled in /etc/modprobe.conf"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kernel_module_jffs2_disabled:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Disable Mounting of jffs2</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel module jffs2 should be disabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82716-2" source="CCE"/>
-            <oval-def:reference ref_id="kernel_module_jffs2_disabled" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion test_ref="oval:ssg-test_kernmod_jffs2_blacklisted:tst:1" comment="kernel module jffs2 blacklisted in modprobe.d"/>
-              <oval-def:criterion test_ref="oval:ssg-test_kernmod_jffs2_disabled:tst:1" comment="kernel module jffs2 disabled in modprobe.d"/>
-            </oval-def:criteria>
-            <oval-def:criterion test_ref="oval:ssg-test_kernmod_jffs2_modprobeconf:tst:1" comment="kernel module jffs2 disabled in /etc/modprobe.conf"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kernel_module_mac80211_disabled:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Disable Kernel mac80211 Module</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel module mac80211 should be disabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-85935-5" source="CCE"/>
-            <oval-def:reference ref_id="kernel_module_mac80211_disabled" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion test_ref="oval:ssg-test_kernmod_mac80211_blacklisted:tst:1" comment="kernel module mac80211 blacklisted in modprobe.d"/>
-              <oval-def:criterion test_ref="oval:ssg-test_kernmod_mac80211_disabled:tst:1" comment="kernel module mac80211 disabled in modprobe.d"/>
-            </oval-def:criteria>
-            <oval-def:criterion test_ref="oval:ssg-test_kernmod_mac80211_modprobeconf:tst:1" comment="kernel module mac80211 disabled in /etc/modprobe.conf"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kernel_module_rds_disabled:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Disable RDS Support</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel module rds should be disabled.</oval-def:description>
-            <oval-def:reference ref_id="kernel_module_rds_disabled" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion test_ref="oval:ssg-test_kernmod_rds_blacklisted:tst:1" comment="kernel module rds blacklisted in modprobe.d"/>
-              <oval-def:criterion test_ref="oval:ssg-test_kernmod_rds_disabled:tst:1" comment="kernel module rds disabled in modprobe.d"/>
-            </oval-def:criteria>
-            <oval-def:criterion test_ref="oval:ssg-test_kernmod_rds_modprobeconf:tst:1" comment="kernel module rds disabled in /etc/modprobe.conf"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kernel_module_sctp_disabled:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Disable SCTP Support</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel module sctp should be disabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82516-6" source="CCE"/>
-            <oval-def:reference ref_id="kernel_module_sctp_disabled" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion test_ref="oval:ssg-test_kernmod_sctp_blacklisted:tst:1" comment="kernel module sctp blacklisted in modprobe.d"/>
-              <oval-def:criterion test_ref="oval:ssg-test_kernmod_sctp_disabled:tst:1" comment="kernel module sctp disabled in modprobe.d"/>
-            </oval-def:criteria>
-            <oval-def:criterion test_ref="oval:ssg-test_kernmod_sctp_modprobeconf:tst:1" comment="kernel module sctp disabled in /etc/modprobe.conf"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kernel_module_squashfs_disabled:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Disable Mounting of squashfs</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel module squashfs should be disabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82717-0" source="CCE"/>
-            <oval-def:reference ref_id="kernel_module_squashfs_disabled" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion test_ref="oval:ssg-test_kernmod_squashfs_blacklisted:tst:1" comment="kernel module squashfs blacklisted in modprobe.d"/>
-              <oval-def:criterion test_ref="oval:ssg-test_kernmod_squashfs_disabled:tst:1" comment="kernel module squashfs disabled in modprobe.d"/>
-            </oval-def:criteria>
-            <oval-def:criterion test_ref="oval:ssg-test_kernmod_squashfs_modprobeconf:tst:1" comment="kernel module squashfs disabled in /etc/modprobe.conf"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kernel_module_tipc_disabled:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Disable TIPC Support</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel module tipc should be disabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82520-8" source="CCE"/>
-            <oval-def:reference ref_id="kernel_module_tipc_disabled" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion test_ref="oval:ssg-test_kernmod_tipc_blacklisted:tst:1" comment="kernel module tipc blacklisted in modprobe.d"/>
-              <oval-def:criterion test_ref="oval:ssg-test_kernmod_tipc_disabled:tst:1" comment="kernel module tipc disabled in modprobe.d"/>
-            </oval-def:criteria>
-            <oval-def:criterion test_ref="oval:ssg-test_kernmod_tipc_modprobeconf:tst:1" comment="kernel module tipc disabled in /etc/modprobe.conf"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kernel_module_udf_disabled:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Disable Mounting of udf</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel module udf should be disabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82718-8" source="CCE"/>
-            <oval-def:reference ref_id="kernel_module_udf_disabled" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion test_ref="oval:ssg-test_kernmod_udf_blacklisted:tst:1" comment="kernel module udf blacklisted in modprobe.d"/>
-              <oval-def:criterion test_ref="oval:ssg-test_kernmod_udf_disabled:tst:1" comment="kernel module udf disabled in modprobe.d"/>
-            </oval-def:criteria>
-            <oval-def:criterion test_ref="oval:ssg-test_kernmod_udf_modprobeconf:tst:1" comment="kernel module udf disabled in /etc/modprobe.conf"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kernel_module_usb-storage_disabled:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Disable Modprobe Loading of USB Storage Driver</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel module usb-storage should be disabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82719-6" source="CCE"/>
-            <oval-def:reference ref_id="kernel_module_usb-storage_disabled" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion test_ref="oval:ssg-test_kernmod_usb-storage_blacklisted:tst:1" comment="kernel module usb-storage blacklisted in modprobe.d"/>
-              <oval-def:criterion test_ref="oval:ssg-test_kernmod_usb-storage_disabled:tst:1" comment="kernel module usb-storage disabled in modprobe.d"/>
-            </oval-def:criteria>
-            <oval-def:criterion test_ref="oval:ssg-test_kernmod_usb-storage_modprobeconf:tst:1" comment="kernel module usb-storage disabled in /etc/modprobe.conf"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kernel_module_uvcvideo_disabled:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Disable the uvcvideo module</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel module uvcvideo should be disabled.</oval-def:description>
-            <oval-def:reference ref_id="kernel_module_uvcvideo_disabled" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion test_ref="oval:ssg-test_kernmod_uvcvideo_blacklisted:tst:1" comment="kernel module uvcvideo blacklisted in modprobe.d"/>
-              <oval-def:criterion test_ref="oval:ssg-test_kernmod_uvcvideo_disabled:tst:1" comment="kernel module uvcvideo disabled in modprobe.d"/>
-            </oval-def:criteria>
-            <oval-def:criterion test_ref="oval:ssg-test_kernmod_uvcvideo_modprobeconf:tst:1" comment="kernel module uvcvideo disabled in /etc/modprobe.conf"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-kernel_module_vfat_disabled:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Disable Mounting of vFAT filesystems</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel module vfat should be disabled.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82720-4" source="CCE"/>
-            <oval-def:reference ref_id="kernel_module_vfat_disabled" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion test_ref="oval:ssg-test_kernmod_vfat_blacklisted:tst:1" comment="kernel module vfat blacklisted in modprobe.d"/>
-              <oval-def:criterion test_ref="oval:ssg-test_kernmod_vfat_disabled:tst:1" comment="kernel module vfat disabled in modprobe.d"/>
-            </oval-def:criteria>
-            <oval-def:criterion test_ref="oval:ssg-test_kernmod_vfat_modprobeconf:tst:1" comment="kernel module vfat disabled in /etc/modprobe.conf"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-mount_option_boot_nodev:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Add nodev Option to /boot</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>/boot should be mounted with mount option nodev.</oval-def:description>
-            <oval-def:reference ref_id="mount_option_boot_nodev" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criterion comment="nodev on /boot" test_ref="oval:ssg-test_boot_partition_nodev_optional_yes:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-mount_option_boot_nosuid:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Add nosuid Option to /boot</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>/boot should be mounted with mount option nosuid.</oval-def:description>
-            <oval-def:reference ref_id="mount_option_boot_nosuid" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criterion comment="nosuid on /boot" test_ref="oval:ssg-test_boot_partition_nosuid_optional_yes:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-mount_option_dev_shm_nodev:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Add nodev Option to /dev/shm</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>/dev/shm should be mounted with mount option nodev.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82867-3" source="CCE"/>
-            <oval-def:reference ref_id="mount_option_dev_shm_nodev" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criterion comment="nodev on /dev/shm" test_ref="oval:ssg-test_dev_shm_partition_nodev_optional_no:tst:1"/>
-            <oval-def:criterion comment="/dev/shm does not exist" test_ref="oval:ssg-test_dev_shm_no_partition_nodev_optional_no:tst:1" negate="true"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-mount_option_dev_shm_noexec:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Add noexec Option to /dev/shm</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>/dev/shm should be mounted with mount option noexec.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82868-1" source="CCE"/>
-            <oval-def:reference ref_id="mount_option_dev_shm_noexec" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criterion comment="noexec on /dev/shm" test_ref="oval:ssg-test_dev_shm_partition_noexec_optional_no:tst:1"/>
-            <oval-def:criterion comment="/dev/shm does not exist" test_ref="oval:ssg-test_dev_shm_no_partition_noexec_optional_no:tst:1" negate="true"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-mount_option_dev_shm_nosuid:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Add nosuid Option to /dev/shm</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>/dev/shm should be mounted with mount option nosuid.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82741-0" source="CCE"/>
-            <oval-def:reference ref_id="mount_option_dev_shm_nosuid" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criterion comment="nosuid on /dev/shm" test_ref="oval:ssg-test_dev_shm_partition_nosuid_optional_no:tst:1"/>
-            <oval-def:criterion comment="/dev/shm does not exist" test_ref="oval:ssg-test_dev_shm_no_partition_nosuid_optional_no:tst:1" negate="true"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-mount_option_home_nodev:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Add nodev Option to /home</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>/home should be mounted with mount option nodev.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82740-2" source="CCE"/>
-            <oval-def:reference ref_id="mount_option_home_nodev" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criterion comment="nodev on /home" test_ref="oval:ssg-test_home_partition_nodev_optional_yes:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-mount_option_home_nosuid:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Add nosuid Option to /home</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>/home should be mounted with mount option nosuid.</oval-def:description>
-            <oval-def:reference ref_id="mount_option_home_nosuid" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criterion comment="nosuid on /home" test_ref="oval:ssg-test_home_partition_nosuid_optional_yes:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-mount_option_nodev_removable_partitions:def:1" version="5">
-          <oval-def:metadata>
-            <oval-def:title>Add nodev Option to Removable Media Partitions</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The nodev option should be enabled for all removable devices mounts in /etc/fstab.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82865-7" source="CCE"/>
-            <oval-def:reference ref_id="mount_option_nodev_removable_partitions" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:extend_definition comment="Check if removable partition really exists on the system" definition_ref="oval:ssg-removable_partition_doesnt_exist:def:1"/>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="Check if removable partition value represents CD/DVD drive" definition_ref="oval:ssg-var_removable_partition_is_cd_dvd_drive:def:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:criterion test_ref="oval:ssg-test_nodev_etc_fstab_cd_dvd_drive:tst:1" comment="Check if at least one from CD/DVD drive alternative names is using 'nodev' mount option in /etc/fstab"/>
-                <oval-def:extend_definition definition_ref="oval:ssg-no_cd_dvd_drive_in_etc_fstab:def:1" comment="Check if CD/DVD drive is not configured to automount in /etc/fstab"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criterion test_ref="oval:ssg-test_nodev_etc_fstab_not_cd_dvd_drive:tst:1" comment="Check if removable partition is using 'nodev' mount option in /etc/fstab"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-mount_option_noexec_removable_partitions:def:1" version="5">
-          <oval-def:metadata>
-            <oval-def:title>Add noexec Option to Removable Media Partitions</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The noexec option should be enabled for all removable devices mounts in /etc/fstab.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82747-7" source="CCE"/>
-            <oval-def:reference ref_id="mount_option_noexec_removable_partitions" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:extend_definition comment="Check if removable partition really exists on the system" definition_ref="oval:ssg-removable_partition_doesnt_exist:def:1"/>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="Check if removable partition value represents CD/DVD drive" definition_ref="oval:ssg-var_removable_partition_is_cd_dvd_drive:def:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:criterion test_ref="oval:ssg-test_noexec_etc_fstab_cd_dvd_drive:tst:1" comment="Check if at least one from CD/DVD drive alternative names is using 'noexec' mount option in /etc/fstab"/>
-                <oval-def:extend_definition definition_ref="oval:ssg-no_cd_dvd_drive_in_etc_fstab:def:1" comment="Check if CD/DVD drive is not configured to automount in /etc/fstab"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criterion test_ref="oval:ssg-test_noexec_etc_fstab_not_cd_dvd_drive:tst:1" comment="Check if removable partition is using 'noexec' mount option in /etc/fstab"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-mount_option_nosuid_removable_partitions:def:1" version="5">
-          <oval-def:metadata>
-            <oval-def:title>Add nosuid Option to Removable Media Partitions</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The nosuid option should be enabled for all removable devices mounts in /etc/fstab.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82745-1" source="CCE"/>
-            <oval-def:reference ref_id="mount_option_nosuid_removable_partitions" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:extend_definition comment="Check if removable partition really exists on the system" definition_ref="oval:ssg-removable_partition_doesnt_exist:def:1"/>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="Check if removable partition value represents CD/DVD drive" definition_ref="oval:ssg-var_removable_partition_is_cd_dvd_drive:def:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:criterion test_ref="oval:ssg-test_nosuid_etc_fstab_cd_dvd_drive:tst:1" comment="Check if at least one from CD/DVD drive alternative names is using 'nosuid' mount option in /etc/fstab"/>
-                <oval-def:extend_definition definition_ref="oval:ssg-no_cd_dvd_drive_in_etc_fstab:def:1" comment="Check if CD/DVD drive is not configured to automount in /etc/fstab"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criterion test_ref="oval:ssg-test_nosuid_etc_fstab_not_cd_dvd_drive:tst:1" comment="Check if removable partition is using 'nosuid' mount option in /etc/fstab"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-mount_option_tmp_nodev:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Add nodev Option to /tmp</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>/tmp should be mounted with mount option nodev.</oval-def:description>
-            <oval-def:reference ref_id="mount_option_tmp_nodev" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criterion comment="nodev on /tmp" test_ref="oval:ssg-test_tmp_partition_nodev_optional_yes:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-mount_option_tmp_noexec:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Add noexec Option to /tmp</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>/tmp should be mounted with mount option noexec.</oval-def:description>
-            <oval-def:reference ref_id="mount_option_tmp_noexec" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criterion comment="noexec on /tmp" test_ref="oval:ssg-test_tmp_partition_noexec_optional_yes:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-mount_option_tmp_nosuid:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Add nosuid Option to /tmp</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>/tmp should be mounted with mount option nosuid.</oval-def:description>
-            <oval-def:reference ref_id="mount_option_tmp_nosuid" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criterion comment="nosuid on /tmp" test_ref="oval:ssg-test_tmp_partition_nosuid_optional_yes:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-mount_option_var_log_audit_nodev:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Add nodev Option to /var/log/audit</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>/var/log/audit should be mounted with mount option nodev.</oval-def:description>
-            <oval-def:reference ref_id="mount_option_var_log_audit_nodev" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criterion comment="nodev on /var/log/audit" test_ref="oval:ssg-test_var_log_audit_partition_nodev_optional_yes:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-mount_option_var_log_audit_noexec:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Add noexec Option to /var/log/audit</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>/var/log/audit should be mounted with mount option noexec.</oval-def:description>
-            <oval-def:reference ref_id="mount_option_var_log_audit_noexec" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criterion comment="noexec on /var/log/audit" test_ref="oval:ssg-test_var_log_audit_partition_noexec_optional_yes:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-mount_option_var_log_audit_nosuid:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Add nosuid Option to /var/log/audit</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>/var/log/audit should be mounted with mount option nosuid.</oval-def:description>
-            <oval-def:reference ref_id="mount_option_var_log_audit_nosuid" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criterion comment="nosuid on /var/log/audit" test_ref="oval:ssg-test_var_log_audit_partition_nosuid_optional_yes:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-mount_option_var_log_nodev:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Add nodev Option to /var/log</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>/var/log should be mounted with mount option nodev.</oval-def:description>
-            <oval-def:reference ref_id="mount_option_var_log_nodev" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criterion comment="nodev on /var/log" test_ref="oval:ssg-test_var_log_partition_nodev_optional_yes:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-mount_option_var_log_noexec:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Add noexec Option to /var/log</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>/var/log should be mounted with mount option noexec.</oval-def:description>
-            <oval-def:reference ref_id="mount_option_var_log_noexec" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criterion comment="noexec on /var/log" test_ref="oval:ssg-test_var_log_partition_noexec_optional_yes:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-mount_option_var_log_nosuid:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Add nosuid Option to /var/log</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>/var/log should be mounted with mount option nosuid.</oval-def:description>
-            <oval-def:reference ref_id="mount_option_var_log_nosuid" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criterion comment="nosuid on /var/log" test_ref="oval:ssg-test_var_log_partition_nosuid_optional_yes:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-mount_option_var_nodev:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Add nodev Option to /var</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>/var should be mounted with mount option nodev.</oval-def:description>
-            <oval-def:reference ref_id="mount_option_var_nodev" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criterion comment="nodev on /var" test_ref="oval:ssg-test_var_partition_nodev_optional_yes:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-mount_option_var_nosuid:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Add nosuid Option to /var</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>/var should be mounted with mount option nosuid.</oval-def:description>
-            <oval-def:reference ref_id="mount_option_var_nosuid" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criterion comment="nosuid on /var" test_ref="oval:ssg-test_var_partition_nosuid_optional_yes:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-mount_option_var_tmp_nodev:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Add nodev Option to /var/tmp</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>/var/tmp should be mounted with mount option nodev.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82735-2" source="CCE"/>
-            <oval-def:reference ref_id="mount_option_var_tmp_nodev" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criterion comment="nodev on /var/tmp" test_ref="oval:ssg-test_var_tmp_partition_nodev_optional_yes:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-mount_option_var_tmp_noexec:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Add noexec Option to /var/tmp</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>/var/tmp should be mounted with mount option noexec.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82866-5" source="CCE"/>
-            <oval-def:reference ref_id="mount_option_var_tmp_noexec" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criterion comment="noexec on /var/tmp" test_ref="oval:ssg-test_var_tmp_partition_noexec_optional_yes:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-mount_option_var_tmp_nosuid:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Add nosuid Option to /var/tmp</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>/var/tmp should be mounted with mount option nosuid.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82736-0" source="CCE"/>
-            <oval-def:reference ref_id="mount_option_var_tmp_nosuid" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criterion comment="nosuid on /var/tmp" test_ref="oval:ssg-test_var_tmp_partition_nosuid_optional_yes:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-package_GConf2_installed:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>package_GConf2_installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The RPM package GConf2 should be installed.</oval-def:description>
-            <oval-def:reference ref_id="package_GConf2_installed" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="package GConf2 is installed" test_ref="oval:ssg-test_package_GConf2_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-package_MFEhiplsm_installed:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Install the Host Intrusion Prevention System (HIPS) Module</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The RPM package MFEhiplsm should be installed.</oval-def:description>
-            <oval-def:reference ref_id="package_MFEhiplsm_installed" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="package MFEhiplsm is installed" test_ref="oval:ssg-test_package_MFEhiplsm_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-package_aide_installed:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Install AIDE</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The RPM package aide should be installed.</oval-def:description>
-            <oval-def:reference ref_id="package_aide_installed" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="package aide is installed" test_ref="oval:ssg-test_package_aide_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-package_audispd-plugins_installed:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Install audispd-plugins Package</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The RPM package audispd-plugins should be installed.</oval-def:description>
-            <oval-def:reference ref_id="package_audispd-plugins_installed" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="package audispd-plugins is installed" test_ref="oval:ssg-test_package_audispd-plugins_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-package_audit-audispd-plugins_installed:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure the default plugins for the audit dispatcher are Installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The RPM package audit-audispd-plugins should be installed.</oval-def:description>
-            <oval-def:reference ref_id="package_audit-audispd-plugins_installed" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="package audit-audispd-plugins is installed" test_ref="oval:ssg-test_package_audit-audispd-plugins_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-package_audit_installed:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure the audit Subsystem is Installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The RPM package audit should be installed.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82669-3" source="CCE"/>
-            <oval-def:reference ref_id="package_audit_installed" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="package audit is installed" test_ref="oval:ssg-test_package_audit_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-package_avahi_installed:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>package_avahi_installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The RPM package avahi should be installed.</oval-def:description>
-            <oval-def:reference ref_id="package_avahi_installed" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="package avahi is installed" test_ref="oval:ssg-test_package_avahi_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-package_bind_removed:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Uninstall bind Package</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The RPM package bind should be removed.</oval-def:description>
-            <oval-def:reference ref_id="package_bind_removed" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="package bind is removed" test_ref="oval:ssg-test_package_bind_removed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-package_chrony_installed:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>The Chrony package is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The RPM package chrony should be installed.</oval-def:description>
-            <oval-def:reference ref_id="package_chrony_installed" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="package chrony is installed" test_ref="oval:ssg-test_package_chrony_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-package_cron_installed:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Install the cron service</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The RPM package cron should be installed.</oval-def:description>
-            <oval-def:reference ref_id="package_cron_installed" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="package cron is installed" test_ref="oval:ssg-test_package_cron_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-package_dconf_installed:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>package_dconf_installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The RPM package dconf should be installed.</oval-def:description>
-            <oval-def:reference ref_id="package_dconf_installed" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="package dconf is installed" test_ref="oval:ssg-test_package_dconf_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-package_esc_installed:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>package_esc_installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The RPM package esc should be installed.</oval-def:description>
-            <oval-def:reference ref_id="package_esc_installed" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="package esc is installed" test_ref="oval:ssg-test_package_esc_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-package_fapolicyd_installed:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Install fapolicyd Package</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The RPM package fapolicyd should be installed.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82533-1" source="CCE"/>
-            <oval-def:reference ref_id="package_fapolicyd_installed" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="package fapolicyd is installed" test_ref="oval:ssg-test_package_fapolicyd_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-package_firewalld_installed:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Install firewalld Package</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The RPM package firewalld should be installed.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82521-6" source="CCE"/>
-            <oval-def:reference ref_id="package_firewalld_installed" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="package firewalld is installed" test_ref="oval:ssg-test_package_firewalld_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-package_gdm_installed:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>package_gdm_installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The RPM package gdm should be installed.</oval-def:description>
-            <oval-def:reference ref_id="package_gdm_installed" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="package gdm is installed" test_ref="oval:ssg-test_package_gdm_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-package_gnutls-utils_installed:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure gnutls-utils is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The RPM package gnutls-utils should be installed.</oval-def:description>
-            <oval-def:reference ref_id="package_gnutls-utils_installed" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="package gnutls-utils is installed" test_ref="oval:ssg-test_package_gnutls-utils_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-package_inetutils-telnetd_removed:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Uninstall the inet-based telnet server</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The RPM package inetutils-telnetd should be removed.</oval-def:description>
-            <oval-def:reference ref_id="package_inetutils-telnetd_removed" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="package inetutils-telnetd is removed" test_ref="oval:ssg-test_package_inetutils-telnetd_removed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-package_iptables_installed:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Install iptables Package</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The RPM package iptables should be installed.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82522-4" source="CCE"/>
-            <oval-def:reference ref_id="package_iptables_installed" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="package iptables is installed" test_ref="oval:ssg-test_package_iptables_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-package_libreswan_installed:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Install libreswan Package</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The RPM package libreswan should be installed.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82525-7" source="CCE"/>
-            <oval-def:reference ref_id="package_libreswan_installed" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="package libreswan is installed" test_ref="oval:ssg-test_package_libreswan_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-package_libselinux_installed:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Install libselinux Package</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The RPM package libselinux should be installed.</oval-def:description>
-            <oval-def:reference ref_id="package_libselinux_installed" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="package libselinux is installed" test_ref="oval:ssg-test_package_libselinux_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-package_net-snmp_removed:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Uninstall net-snmp Package</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The RPM package net-snmp should be removed.</oval-def:description>
-            <oval-def:reference ref_id="package_net-snmp_removed" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="package net-snmp is removed" test_ref="oval:ssg-test_package_net-snmp_removed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-package_nis_removed:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Uninstall the nis package</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The RPM package nis should be removed.</oval-def:description>
-            <oval-def:reference ref_id="package_nis_removed" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="package nis is removed" test_ref="oval:ssg-test_package_nis_removed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-package_nss-tools_installed:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure nss-tools is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The RPM package nss-tools should be installed.</oval-def:description>
-            <oval-def:reference ref_id="package_nss-tools_installed" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="package nss-tools is installed" test_ref="oval:ssg-test_package_nss-tools_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-package_ntp_installed:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Install the ntp service</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The RPM package ntp should be installed.</oval-def:description>
-            <oval-def:reference ref_id="package_ntp_installed" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="package ntp is installed" test_ref="oval:ssg-test_package_ntp_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-package_ntpdate_removed:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Uninstall the ntpdate package</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The RPM package ntpdate should be removed.</oval-def:description>
-            <oval-def:reference ref_id="package_ntpdate_removed" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="package ntpdate is removed" test_ref="oval:ssg-test_package_ntpdate_removed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-package_openldap-clients_removed:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure LDAP client is not installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The RPM package openldap-clients should be removed.</oval-def:description>
-            <oval-def:reference ref_id="package_openldap-clients_removed" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="package openldap-clients is removed" test_ref="oval:ssg-test_package_openldap-clients_removed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-package_openssh-server_installed:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Install the OpenSSH Server Package</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The RPM package openssh-server should be installed.</oval-def:description>
-            <oval-def:reference ref_id="package_openssh-server_installed" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="package openssh-server is installed" test_ref="oval:ssg-test_package_openssh-server_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-package_openssh-server_removed:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Remove the OpenSSH Server Package</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The RPM package openssh-server should be removed.</oval-def:description>
-            <oval-def:reference ref_id="package_openssh-server_removed" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="package openssh-server is removed" test_ref="oval:ssg-test_package_openssh-server_removed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-package_pam_ldap_removed:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>package_pam_ldap_removed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The RPM package pam_ldap should be removed.</oval-def:description>
-            <oval-def:reference ref_id="package_pam_ldap_removed" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="package pam_ldap is removed" test_ref="oval:ssg-test_package_pam_ldap_removed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-package_postfix_installed:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>The Postfix package is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The RPM package postfix should be installed.</oval-def:description>
-            <oval-def:reference ref_id="package_postfix_installed" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="package postfix is installed" test_ref="oval:ssg-test_package_postfix_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-package_prelink_removed:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>package_prelink_removed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The RPM package prelink should be removed.</oval-def:description>
-            <oval-def:reference ref_id="package_prelink_removed" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="package prelink is removed" test_ref="oval:ssg-test_package_prelink_removed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-package_rsyslog_installed:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure rsyslog is Installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The RPM package rsyslog should be installed.</oval-def:description>
-            <oval-def:reference ref_id="package_rsyslog_installed" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="package rsyslog is installed" test_ref="oval:ssg-test_package_rsyslog_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-package_samba-common_installed:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Install the Samba Common Package</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The RPM package samba-common should be installed.</oval-def:description>
-            <oval-def:reference ref_id="package_samba-common_installed" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="package samba-common is installed" test_ref="oval:ssg-test_package_samba-common_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-package_samba-common_removed:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>package_samba-common_removed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The RPM package samba-common should be removed.</oval-def:description>
-            <oval-def:reference ref_id="package_samba-common_removed" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="package samba-common is removed" test_ref="oval:ssg-test_package_samba-common_removed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-package_sendmail_removed:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Uninstall Sendmail Package</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The RPM package sendmail should be removed.</oval-def:description>
-            <oval-def:reference ref_id="package_sendmail_removed" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="package sendmail is removed" test_ref="oval:ssg-test_package_sendmail_removed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-package_setroubleshoot-plugins_removed:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Uninstall setroubleshoot-plugins Package</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The RPM package setroubleshoot-plugins should be removed.</oval-def:description>
-            <oval-def:reference ref_id="CCE-84091-8" source="CCE"/>
-            <oval-def:reference ref_id="package_setroubleshoot-plugins_removed" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="package setroubleshoot-plugins is removed" test_ref="oval:ssg-test_package_setroubleshoot-plugins_removed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-package_setroubleshoot-server_removed:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Uninstall setroubleshoot-server Package</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The RPM package setroubleshoot-server should be removed.</oval-def:description>
-            <oval-def:reference ref_id="CCE-84093-4" source="CCE"/>
-            <oval-def:reference ref_id="package_setroubleshoot-server_removed" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="package setroubleshoot-server is removed" test_ref="oval:ssg-test_package_setroubleshoot-server_removed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-package_sudo_installed:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Install sudo Package</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The RPM package sudo should be installed.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82523-2" source="CCE"/>
-            <oval-def:reference ref_id="package_sudo_installed" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="package sudo is installed" test_ref="oval:ssg-test_package_sudo_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-package_syslogng_installed:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure syslog-ng is Installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The RPM package syslog-ng should be installed.</oval-def:description>
-            <oval-def:reference ref_id="package_syslogng_installed" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="package syslog-ng is installed" test_ref="oval:ssg-test_package_syslog-ng_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-package_telnetd-ssl_removed:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Uninstall the ssl compliant telnet server</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The RPM package telnetd-ssl should be removed.</oval-def:description>
-            <oval-def:reference ref_id="package_telnetd-ssl_removed" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="package telnetd-ssl is removed" test_ref="oval:ssg-test_package_telnetd-ssl_removed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-package_telnetd_removed:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Uninstall the telnet server</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The RPM package telnetd should be removed.</oval-def:description>
-            <oval-def:reference ref_id="package_telnetd_removed" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="package telnetd is removed" test_ref="oval:ssg-test_package_telnetd_removed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-package_tmux_installed:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Install the tmux Package</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The RPM package tmux should be installed.</oval-def:description>
-            <oval-def:reference ref_id="package_tmux_installed" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="package tmux is installed" test_ref="oval:ssg-test_package_tmux_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-package_usbguard_installed:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Install usbguard Package</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The RPM package usbguard should be installed.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82524-0" source="CCE"/>
-            <oval-def:reference ref_id="package_usbguard_installed" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="package usbguard is installed" test_ref="oval:ssg-test_package_usbguard_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-partition_for_home:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure /home Located On Separate Partition</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>If stored locally, create a separate partition for
-      . If  will be mounted from another
-      system such as an NFS server, then creating a separate partition is not
-      necessary at this time, and the mountpoint can instead be configured
-      later.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82739-4" source="CCE"/>
-            <oval-def:reference ref_id="partition_for_home" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion test_ref="oval:ssg-testhome_partition:tst:1" comment="/home on own partition"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-partition_for_srv:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure /srv Located On Separate Partition</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>If stored locally, create a separate partition for
-      . If  will be mounted from another
-      system such as an NFS server, then creating a separate partition is not
-      necessary at this time, and the mountpoint can instead be configured
-      later.</oval-def:description>
-            <oval-def:reference ref_id="partition_for_srv" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion test_ref="oval:ssg-testsrv_partition:tst:1" comment="/srv on own partition"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-partition_for_tmp:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure /tmp Located On Separate Partition</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>If stored locally, create a separate partition for
-      . If  will be mounted from another
-      system such as an NFS server, then creating a separate partition is not
-      necessary at this time, and the mountpoint can instead be configured
-      later.</oval-def:description>
-            <oval-def:reference ref_id="partition_for_tmp" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion test_ref="oval:ssg-testtmp_partition:tst:1" comment="/tmp on own partition"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-partition_for_var:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure /var Located On Separate Partition</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>If stored locally, create a separate partition for
-      . If  will be mounted from another
-      system such as an NFS server, then creating a separate partition is not
-      necessary at this time, and the mountpoint can instead be configured
-      later.</oval-def:description>
-            <oval-def:reference ref_id="partition_for_var" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion test_ref="oval:ssg-testvar_partition:tst:1" comment="/var on own partition"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-partition_for_var_tmp:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure /var/tmp Located On Separate Partition</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>If stored locally, create a separate partition for
-      . If  will be mounted from another
-      system such as an NFS server, then creating a separate partition is not
-      necessary at this time, and the mountpoint can instead be configured
-      later.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82734-5" source="CCE"/>
-            <oval-def:reference ref_id="partition_for_var_tmp" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion test_ref="oval:ssg-testvar_tmp_partition:tst:1" comment="/var/tmp on own partition"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-service_auditd_enabled:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Enable auditd Service</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The auditd service should be enabled if possible.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82463-1" source="CCE"/>
-            <oval-def:reference ref_id="service_auditd_enabled" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="package audit installed and service auditd is configured to start" operator="AND">
-            <oval-def:criterion comment="audit installed" test_ref="oval:ssg-test_service_auditd_package_audit_installed:tst:1"/>
-            <oval-def:criteria comment="service auditd is configured to start and is running" operator="AND">
-              <oval-def:criterion comment="auditd is running" test_ref="oval:ssg-test_service_running_auditd:tst:1"/>
-              <oval-def:criteria operator="OR" comment="service auditd is configured to start">
-                <oval-def:criterion comment="multi-user.target wants auditd" test_ref="oval:ssg-test_multi_user_wants_auditd:tst:1"/>
-                <oval-def:criterion comment="multi-user.target wants auditd socket" test_ref="oval:ssg-test_multi_user_wants_auditd_socket:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-service_autofs_disabled:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Disable the Automounter</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The autofs service should be disabled if possible.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82663-6" source="CCE"/>
-            <oval-def:reference ref_id="service_autofs_disabled" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="package autofs removed or service autofs is not configured to start" operator="OR">
-            <oval-def:criterion comment="autofs removed" test_ref="oval:ssg-test_service_autofs_package_autofs_removed:tst:1"/>
-            <oval-def:criteria operator="AND" comment="service autofs is not configured to start">
-              <oval-def:criterion comment="autofs is not running" test_ref="oval:ssg-test_service_not_running_autofs:tst:1"/>
-              <oval-def:criterion comment="Property LoadState of service autofs is masked" test_ref="oval:ssg-test_service_loadstate_is_masked_autofs:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-service_bluetooth_disabled:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Disable Bluetooth Service</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The bluetooth service should be disabled if possible.</oval-def:description>
-            <oval-def:reference ref_id="service_bluetooth_disabled" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="package bluez removed or service bluetooth is not configured to start" operator="OR">
-            <oval-def:criterion comment="bluez removed" test_ref="oval:ssg-test_service_bluetooth_package_bluez_removed:tst:1"/>
-            <oval-def:criteria operator="AND" comment="service bluetooth is not configured to start">
-              <oval-def:criterion comment="bluetooth is not running" test_ref="oval:ssg-test_service_not_running_bluetooth:tst:1"/>
-              <oval-def:criterion comment="Property LoadState of service bluetooth is masked" test_ref="oval:ssg-test_service_loadstate_is_masked_bluetooth:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-service_chronyd_enabled:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>The Chronyd service is enabled</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The chronyd service should be enabled if possible.</oval-def:description>
-            <oval-def:reference ref_id="service_chronyd_enabled" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="package chrony installed and service chronyd is configured to start" operator="AND">
-            <oval-def:criterion comment="chrony installed" test_ref="oval:ssg-test_service_chronyd_package_chrony_installed:tst:1"/>
-            <oval-def:criteria comment="service chronyd is configured to start and is running" operator="AND">
-              <oval-def:criterion comment="chronyd is running" test_ref="oval:ssg-test_service_running_chronyd:tst:1"/>
-              <oval-def:criteria operator="OR" comment="service chronyd is configured to start">
-                <oval-def:criterion comment="multi-user.target wants chronyd" test_ref="oval:ssg-test_multi_user_wants_chronyd:tst:1"/>
-                <oval-def:criterion comment="multi-user.target wants chronyd socket" test_ref="oval:ssg-test_multi_user_wants_chronyd_socket:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-service_cron_enabled:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Enable cron Service</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The cron service should be enabled if possible.</oval-def:description>
-            <oval-def:reference ref_id="service_cron_enabled" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="package cron installed and service cron is configured to start" operator="AND">
-            <oval-def:criterion comment="cron installed" test_ref="oval:ssg-test_service_cron_package_cron_installed:tst:1"/>
-            <oval-def:criteria comment="service cron is configured to start and is running" operator="AND">
-              <oval-def:criterion comment="cron is running" test_ref="oval:ssg-test_service_running_cron:tst:1"/>
-              <oval-def:criteria operator="OR" comment="service cron is configured to start">
-                <oval-def:criterion comment="multi-user.target wants cron" test_ref="oval:ssg-test_multi_user_wants_cron:tst:1"/>
-                <oval-def:criterion comment="multi-user.target wants cron socket" test_ref="oval:ssg-test_multi_user_wants_cron_socket:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-service_debug-shell_disabled:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Disable debug-shell SystemD Service</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The debug-shell service should be disabled if possible.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82496-1" source="CCE"/>
-            <oval-def:reference ref_id="service_debug-shell_disabled" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="package systemd removed or service debug-shell is not configured to start" operator="OR">
-            <oval-def:criterion comment="systemd removed" test_ref="oval:ssg-test_service_debug-shell_package_systemd_removed:tst:1"/>
-            <oval-def:criteria operator="AND" comment="service debug-shell is not configured to start">
-              <oval-def:criterion comment="debug-shell is not running" test_ref="oval:ssg-test_service_not_running_debug-shell:tst:1"/>
-              <oval-def:criterion comment="Property LoadState of service debug-shell is masked" test_ref="oval:ssg-test_service_loadstate_is_masked_debug-shell:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-service_fapolicyd_enabled:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Enable the File Access Policy Service</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The fapolicyd service should be enabled if possible.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82534-9" source="CCE"/>
-            <oval-def:reference ref_id="service_fapolicyd_enabled" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="package fapolicyd installed and service fapolicyd is configured to start" operator="AND">
-            <oval-def:criterion comment="fapolicyd installed" test_ref="oval:ssg-test_service_fapolicyd_package_fapolicyd_installed:tst:1"/>
-            <oval-def:criteria comment="service fapolicyd is configured to start and is running" operator="AND">
-              <oval-def:criterion comment="fapolicyd is running" test_ref="oval:ssg-test_service_running_fapolicyd:tst:1"/>
-              <oval-def:criteria operator="OR" comment="service fapolicyd is configured to start">
-                <oval-def:criterion comment="multi-user.target wants fapolicyd" test_ref="oval:ssg-test_multi_user_wants_fapolicyd:tst:1"/>
-                <oval-def:criterion comment="multi-user.target wants fapolicyd socket" test_ref="oval:ssg-test_multi_user_wants_fapolicyd_socket:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-service_firewalld_enabled:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Verify firewalld Enabled</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The firewalld service should be enabled if possible.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82554-7" source="CCE"/>
-            <oval-def:reference ref_id="service_firewalld_enabled" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="package firewalld installed and service firewalld is configured to start" operator="AND">
-            <oval-def:criterion comment="firewalld installed" test_ref="oval:ssg-test_service_firewalld_package_firewalld_installed:tst:1"/>
-            <oval-def:criteria comment="service firewalld is configured to start and is running" operator="AND">
-              <oval-def:criterion comment="firewalld is running" test_ref="oval:ssg-test_service_running_firewalld:tst:1"/>
-              <oval-def:criteria operator="OR" comment="service firewalld is configured to start">
-                <oval-def:criterion comment="multi-user.target wants firewalld" test_ref="oval:ssg-test_multi_user_wants_firewalld:tst:1"/>
-                <oval-def:criterion comment="multi-user.target wants firewalld socket" test_ref="oval:ssg-test_multi_user_wants_firewalld_socket:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-service_ip6tables_enabled:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Verify ip6tables Enabled if Using IPv6</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The ip6tables service should be enabled if possible.</oval-def:description>
-            <oval-def:reference ref_id="service_ip6tables_enabled" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="package iptables-ipv6 installed and service ip6tables is configured to start" operator="AND">
-            <oval-def:criterion comment="iptables-ipv6 installed" test_ref="oval:ssg-test_service_ip6tables_package_iptables-ipv6_installed:tst:1"/>
-            <oval-def:criteria comment="service ip6tables is configured to start and is running" operator="AND">
-              <oval-def:criterion comment="ip6tables is running" test_ref="oval:ssg-test_service_running_ip6tables:tst:1"/>
-              <oval-def:criteria operator="OR" comment="service ip6tables is configured to start">
-                <oval-def:criterion comment="multi-user.target wants ip6tables" test_ref="oval:ssg-test_multi_user_wants_ip6tables:tst:1"/>
-                <oval-def:criterion comment="multi-user.target wants ip6tables socket" test_ref="oval:ssg-test_multi_user_wants_ip6tables_socket:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-service_iptables_enabled:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Verify iptables Enabled</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The iptables service should be enabled if possible.</oval-def:description>
-            <oval-def:reference ref_id="service_iptables_enabled" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="package iptables installed and service iptables is configured to start" operator="AND">
-            <oval-def:criterion comment="iptables installed" test_ref="oval:ssg-test_service_iptables_package_iptables_installed:tst:1"/>
-            <oval-def:criteria comment="service iptables is configured to start and is running" operator="AND">
-              <oval-def:criterion comment="iptables is running" test_ref="oval:ssg-test_service_running_iptables:tst:1"/>
-              <oval-def:criteria operator="OR" comment="service iptables is configured to start">
-                <oval-def:criterion comment="multi-user.target wants iptables" test_ref="oval:ssg-test_multi_user_wants_iptables:tst:1"/>
-                <oval-def:criterion comment="multi-user.target wants iptables socket" test_ref="oval:ssg-test_multi_user_wants_iptables_socket:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-service_netfs_disabled:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Disable Network File Systems (netfs)</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The netfs service should be disabled if possible.</oval-def:description>
-            <oval-def:reference ref_id="service_netfs_disabled" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="package netfs removed or service netfs is not configured to start" operator="OR">
-            <oval-def:criterion comment="netfs removed" test_ref="oval:ssg-test_service_netfs_package_netfs_removed:tst:1"/>
-            <oval-def:criteria operator="AND" comment="service netfs is not configured to start">
-              <oval-def:criterion comment="netfs is not running" test_ref="oval:ssg-test_service_not_running_netfs:tst:1"/>
-              <oval-def:criterion comment="Property LoadState of service netfs is masked" test_ref="oval:ssg-test_service_loadstate_is_masked_netfs:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-service_ntp_enabled:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Enable the NTP Daemon</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The ntp service should be enabled if possible.</oval-def:description>
-            <oval-def:reference ref_id="service_ntp_enabled" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="package ntp installed and service ntp is configured to start" operator="AND">
-            <oval-def:criterion comment="ntp installed" test_ref="oval:ssg-test_service_ntp_package_ntp_installed:tst:1"/>
-            <oval-def:criteria comment="service ntp is configured to start and is running" operator="AND">
-              <oval-def:criterion comment="ntp is running" test_ref="oval:ssg-test_service_running_ntp:tst:1"/>
-              <oval-def:criteria operator="OR" comment="service ntp is configured to start">
-                <oval-def:criterion comment="multi-user.target wants ntp" test_ref="oval:ssg-test_multi_user_wants_ntp:tst:1"/>
-                <oval-def:criterion comment="multi-user.target wants ntp socket" test_ref="oval:ssg-test_multi_user_wants_ntp_socket:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-service_ntpd_enabled:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Enable the NTP Daemon</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The ntpd service should be enabled if possible.</oval-def:description>
-            <oval-def:reference ref_id="service_ntpd_enabled" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="package ntp installed and service ntpd is configured to start" operator="AND">
-            <oval-def:criterion comment="ntp installed" test_ref="oval:ssg-test_service_ntpd_package_ntp_installed:tst:1"/>
-            <oval-def:criteria comment="service ntpd is configured to start and is running" operator="AND">
-              <oval-def:criterion comment="ntpd is running" test_ref="oval:ssg-test_service_running_ntpd:tst:1"/>
-              <oval-def:criteria operator="OR" comment="service ntpd is configured to start">
-                <oval-def:criterion comment="multi-user.target wants ntpd" test_ref="oval:ssg-test_multi_user_wants_ntpd:tst:1"/>
-                <oval-def:criterion comment="multi-user.target wants ntpd socket" test_ref="oval:ssg-test_multi_user_wants_ntpd_socket:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-service_rngd_enabled:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Enable the Hardware RNG Entropy Gatherer Service</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The rngd service should be enabled if possible.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82535-6" source="CCE"/>
-            <oval-def:reference ref_id="service_rngd_enabled" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="package rng-tools installed and service rngd is configured to start" operator="AND">
-            <oval-def:criterion comment="rng-tools installed" test_ref="oval:ssg-test_service_rngd_package_rng-tools_installed:tst:1"/>
-            <oval-def:criteria comment="service rngd is configured to start and is running" operator="AND">
-              <oval-def:criterion comment="rngd is running" test_ref="oval:ssg-test_service_running_rngd:tst:1"/>
-              <oval-def:criteria operator="OR" comment="service rngd is configured to start">
-                <oval-def:criterion comment="multi-user.target wants rngd" test_ref="oval:ssg-test_multi_user_wants_rngd:tst:1"/>
-                <oval-def:criterion comment="multi-user.target wants rngd socket" test_ref="oval:ssg-test_multi_user_wants_rngd_socket:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-service_rsyslog_enabled:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Enable rsyslog Service</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The rsyslog service should be enabled if possible.</oval-def:description>
-            <oval-def:reference ref_id="service_rsyslog_enabled" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="package rsyslog installed and service rsyslog is configured to start" operator="AND">
-            <oval-def:criterion comment="rsyslog installed" test_ref="oval:ssg-test_service_rsyslog_package_rsyslog_installed:tst:1"/>
-            <oval-def:criteria comment="service rsyslog is configured to start and is running" operator="AND">
-              <oval-def:criterion comment="rsyslog is running" test_ref="oval:ssg-test_service_running_rsyslog:tst:1"/>
-              <oval-def:criteria operator="OR" comment="service rsyslog is configured to start">
-                <oval-def:criterion comment="multi-user.target wants rsyslog" test_ref="oval:ssg-test_multi_user_wants_rsyslog:tst:1"/>
-                <oval-def:criterion comment="multi-user.target wants rsyslog socket" test_ref="oval:ssg-test_multi_user_wants_rsyslog_socket:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-service_sshd_disabled:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Disable SSH Server If Possible (Unusual)</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The sshd service should be disabled if possible.</oval-def:description>
-            <oval-def:reference ref_id="service_sshd_disabled" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="package openssh-server removed or service sshd is not configured to start" operator="OR">
-            <oval-def:criterion comment="openssh-server removed" test_ref="oval:ssg-test_service_sshd_package_openssh-server_removed:tst:1"/>
-            <oval-def:criteria operator="AND" comment="service sshd is not configured to start">
-              <oval-def:criterion comment="sshd is not running" test_ref="oval:ssg-test_service_not_running_sshd:tst:1"/>
-              <oval-def:criterion comment="Property LoadState of service sshd is masked" test_ref="oval:ssg-test_service_loadstate_is_masked_sshd:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-service_syslog_disabled:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>service_syslog_disabled</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The syslog service should be disabled if possible.</oval-def:description>
-            <oval-def:reference ref_id="service_syslog_disabled" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="package rsyslog removed or service syslog is not configured to start" operator="OR">
-            <oval-def:criterion comment="rsyslog removed" test_ref="oval:ssg-test_service_syslog_package_rsyslog_removed:tst:1"/>
-            <oval-def:criteria operator="AND" comment="service syslog is not configured to start">
-              <oval-def:criterion comment="syslog is not running" test_ref="oval:ssg-test_service_not_running_syslog:tst:1"/>
-              <oval-def:criterion comment="Property LoadState of service syslog is masked" test_ref="oval:ssg-test_service_loadstate_is_masked_syslog:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-service_syslogng_enabled:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Enable syslog-ng Service</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The syslog-ng service should be enabled if possible.</oval-def:description>
-            <oval-def:reference ref_id="service_syslogng_enabled" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="package syslog-ng installed and service syslog-ng is configured to start" operator="AND">
-            <oval-def:criterion comment="syslog-ng installed" test_ref="oval:ssg-test_service_syslog-ng_package_syslog-ng_installed:tst:1"/>
-            <oval-def:criteria comment="service syslog-ng is configured to start and is running" operator="AND">
-              <oval-def:criterion comment="syslog-ng is running" test_ref="oval:ssg-test_service_running_syslog-ng:tst:1"/>
-              <oval-def:criteria operator="OR" comment="service syslog-ng is configured to start">
-                <oval-def:criterion comment="multi-user.target wants syslog-ng" test_ref="oval:ssg-test_multi_user_wants_syslog-ng:tst:1"/>
-                <oval-def:criterion comment="multi-user.target wants syslog-ng socket" test_ref="oval:ssg-test_multi_user_wants_syslog-ng_socket:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-service_systemd-coredump_disabled:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Disable acquiring, saving, and processing core dumps</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The systemd-coredump service should be disabled if possible.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82530-7" source="CCE"/>
-            <oval-def:reference ref_id="service_systemd-coredump_disabled" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="package systemd removed or service systemd-coredump is not configured to start" operator="OR">
-            <oval-def:criterion comment="systemd removed" test_ref="oval:ssg-test_service_systemd-coredump_package_systemd_removed:tst:1"/>
-            <oval-def:criteria operator="AND" comment="service systemd-coredump is not configured to start">
-              <oval-def:criterion comment="systemd-coredump is not running" test_ref="oval:ssg-test_service_not_running_systemd-coredump:tst:1"/>
-              <oval-def:criterion comment="Property LoadState of service systemd-coredump is masked" test_ref="oval:ssg-test_service_loadstate_is_masked_systemd-coredump:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-service_systemd-journald_enabled:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Enable systemd-journald Service</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The systemd-journald service should be enabled if possible.</oval-def:description>
-            <oval-def:reference ref_id="service_systemd-journald_enabled" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="package systemd installed and service systemd-journald is configured to start" operator="AND">
-            <oval-def:criterion comment="systemd installed" test_ref="oval:ssg-test_service_systemd-journald_package_systemd_installed:tst:1"/>
-            <oval-def:criteria comment="service systemd-journald is configured to start and is running" operator="AND">
-              <oval-def:criterion comment="systemd-journald is running" test_ref="oval:ssg-test_service_running_systemd-journald:tst:1"/>
-              <oval-def:criteria operator="OR" comment="service systemd-journald is configured to start">
-                <oval-def:criterion comment="multi-user.target wants systemd-journald" test_ref="oval:ssg-test_multi_user_wants_systemd-journald:tst:1"/>
-                <oval-def:criterion comment="multi-user.target wants systemd-journald socket" test_ref="oval:ssg-test_multi_user_wants_systemd-journald_socket:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-service_ufw_enabled:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Verify ufw Enabled</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The ufw service should be enabled if possible.</oval-def:description>
-            <oval-def:reference ref_id="service_ufw_enabled" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="package ufw installed and service ufw is configured to start" operator="AND">
-            <oval-def:criterion comment="ufw installed" test_ref="oval:ssg-test_service_ufw_package_ufw_installed:tst:1"/>
-            <oval-def:criteria comment="service ufw is configured to start and is running" operator="AND">
-              <oval-def:criterion comment="ufw is running" test_ref="oval:ssg-test_service_running_ufw:tst:1"/>
-              <oval-def:criteria operator="OR" comment="service ufw is configured to start">
-                <oval-def:criterion comment="multi-user.target wants ufw" test_ref="oval:ssg-test_multi_user_wants_ufw:tst:1"/>
-                <oval-def:criterion comment="multi-user.target wants ufw socket" test_ref="oval:ssg-test_multi_user_wants_ufw_socket:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-service_usbguard_enabled:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Enable the USBGuard Service</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The usbguard service should be enabled if possible.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82537-2" source="CCE"/>
-            <oval-def:reference ref_id="service_usbguard_enabled" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="package usbguard installed and service usbguard is configured to start" operator="AND">
-            <oval-def:criterion comment="usbguard installed" test_ref="oval:ssg-test_service_usbguard_package_usbguard_installed:tst:1"/>
-            <oval-def:criteria comment="service usbguard is configured to start and is running" operator="AND">
-              <oval-def:criterion comment="usbguard is running" test_ref="oval:ssg-test_service_running_usbguard:tst:1"/>
-              <oval-def:criteria operator="OR" comment="service usbguard is configured to start">
-                <oval-def:criterion comment="multi-user.target wants usbguard" test_ref="oval:ssg-test_multi_user_wants_usbguard:tst:1"/>
-                <oval-def:criterion comment="multi-user.target wants usbguard socket" test_ref="oval:ssg-test_multi_user_wants_usbguard_socket:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sshd_disable_empty_passwords:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Disable SSH Access via Empty Passwords</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Ensure 'PermitEmptyPasswords' is configured with value 'no' in /etc/ssh/sshd_config</oval-def:description>
-            <oval-def:reference ref_id="sshd_disable_empty_passwords" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="sshd is configured correctly or is not installed" operator="OR">
-            <oval-def:criteria comment="sshd is not installed" operator="AND">
-              <oval-def:extend_definition comment="sshd is not required or requirement is unset" definition_ref="oval:ssg-sshd_not_required_or_unset:def:1"/>
-              <oval-def:extend_definition comment="rpm package openssh-server removed" definition_ref="oval:ssg-package_openssh-server_removed:def:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria comment="sshd is installed and configured" operator="AND">
-              <oval-def:extend_definition comment="sshd is required or requirement is unset" definition_ref="oval:ssg-sshd_required_or_unset:def:1"/>
-              <oval-def:extend_definition comment="rpm package openssh-server installed" definition_ref="oval:ssg-package_openssh-server_installed:def:1"/>
-              <oval-def:criteria comment="sshd is configured correctly" operator="OR">
-                <oval-def:criterion comment="Check the PermitEmptyPasswords in /etc/ssh/sshd_config" test_ref="oval:ssg-test_sshd_disable_empty_passwords:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sshd_disable_gssapi_auth:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Disable GSSAPI Authentication</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Ensure 'GSSAPIAuthentication' is configured with value 'no' in /etc/ssh/sshd_config</oval-def:description>
-            <oval-def:reference ref_id="sshd_disable_gssapi_auth" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="sshd is configured correctly or is not installed" operator="OR">
-            <oval-def:criteria comment="sshd is not installed" operator="AND">
-              <oval-def:extend_definition comment="sshd is not required or requirement is unset" definition_ref="oval:ssg-sshd_not_required_or_unset:def:1"/>
-              <oval-def:extend_definition comment="rpm package openssh-server removed" definition_ref="oval:ssg-package_openssh-server_removed:def:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria comment="sshd is installed and configured" operator="AND">
-              <oval-def:extend_definition comment="sshd is required or requirement is unset" definition_ref="oval:ssg-sshd_required_or_unset:def:1"/>
-              <oval-def:extend_definition comment="rpm package openssh-server installed" definition_ref="oval:ssg-package_openssh-server_installed:def:1"/>
-              <oval-def:criteria comment="sshd is configured correctly" operator="OR">
-                <oval-def:criterion comment="Check the GSSAPIAuthentication in /etc/ssh/sshd_config" test_ref="oval:ssg-test_sshd_disable_gssapi_auth:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sshd_disable_kerb_auth:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Disable Kerberos Authentication</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Ensure 'KerberosAuthentication' is configured with value 'no' in /etc/ssh/sshd_config</oval-def:description>
-            <oval-def:reference ref_id="sshd_disable_kerb_auth" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="sshd is configured correctly or is not installed" operator="OR">
-            <oval-def:criteria comment="sshd is not installed" operator="AND">
-              <oval-def:extend_definition comment="sshd is not required or requirement is unset" definition_ref="oval:ssg-sshd_not_required_or_unset:def:1"/>
-              <oval-def:extend_definition comment="rpm package openssh-server removed" definition_ref="oval:ssg-package_openssh-server_removed:def:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria comment="sshd is installed and configured" operator="AND">
-              <oval-def:extend_definition comment="sshd is required or requirement is unset" definition_ref="oval:ssg-sshd_required_or_unset:def:1"/>
-              <oval-def:extend_definition comment="rpm package openssh-server installed" definition_ref="oval:ssg-package_openssh-server_installed:def:1"/>
-              <oval-def:criteria comment="sshd is configured correctly" operator="OR">
-                <oval-def:criterion comment="Check the KerberosAuthentication in /etc/ssh/sshd_config" test_ref="oval:ssg-test_sshd_disable_kerb_auth:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sshd_disable_pubkey_auth:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Disable PubkeyAuthentication Authentication</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Ensure 'PubkeyAuthentication' is configured with value 'no' in /etc/ssh/sshd_config</oval-def:description>
-            <oval-def:reference ref_id="sshd_disable_pubkey_auth" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="sshd is configured correctly or is not installed" operator="OR">
-            <oval-def:criteria comment="sshd is not installed" operator="AND">
-              <oval-def:extend_definition comment="sshd is not required or requirement is unset" definition_ref="oval:ssg-sshd_not_required_or_unset:def:1"/>
-              <oval-def:extend_definition comment="rpm package openssh-server removed" definition_ref="oval:ssg-package_openssh-server_removed:def:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria comment="sshd is installed and configured" operator="AND">
-              <oval-def:extend_definition comment="sshd is required or requirement is unset" definition_ref="oval:ssg-sshd_required_or_unset:def:1"/>
-              <oval-def:extend_definition comment="rpm package openssh-server installed" definition_ref="oval:ssg-package_openssh-server_installed:def:1"/>
-              <oval-def:criteria comment="sshd is configured correctly" operator="OR">
-                <oval-def:criterion comment="Check the PubkeyAuthentication in /etc/ssh/sshd_config" test_ref="oval:ssg-test_sshd_disable_pubkey_auth:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sshd_disable_rhosts:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Disable SSH Support for .rhosts Files</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Ensure 'IgnoreRhosts' is configured with value 'yes' in /etc/ssh/sshd_config</oval-def:description>
-            <oval-def:reference ref_id="CCE-82665-1" source="CCE"/>
-            <oval-def:reference ref_id="sshd_disable_rhosts" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="sshd is configured correctly or is not installed" operator="OR">
-            <oval-def:criteria comment="sshd is not installed" operator="AND">
-              <oval-def:extend_definition comment="sshd is not required or requirement is unset" definition_ref="oval:ssg-sshd_not_required_or_unset:def:1"/>
-              <oval-def:extend_definition comment="rpm package openssh-server removed" definition_ref="oval:ssg-package_openssh-server_removed:def:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria comment="sshd is installed and configured" operator="AND">
-              <oval-def:extend_definition comment="sshd is required or requirement is unset" definition_ref="oval:ssg-sshd_required_or_unset:def:1"/>
-              <oval-def:extend_definition comment="rpm package openssh-server installed" definition_ref="oval:ssg-package_openssh-server_installed:def:1"/>
-              <oval-def:criteria comment="sshd is configured correctly" operator="OR">
-                <oval-def:criterion comment="Check the IgnoreRhosts in /etc/ssh/sshd_config" test_ref="oval:ssg-test_sshd_disable_rhosts:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sshd_disable_root_login:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Disable SSH Root Login</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Ensure 'PermitRootLogin' is configured with value 'no' in /etc/ssh/sshd_config</oval-def:description>
-            <oval-def:reference ref_id="sshd_disable_root_login" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="sshd is configured correctly or is not installed" operator="OR">
-            <oval-def:criteria comment="sshd is not installed" operator="AND">
-              <oval-def:extend_definition comment="sshd is not required or requirement is unset" definition_ref="oval:ssg-sshd_not_required_or_unset:def:1"/>
-              <oval-def:extend_definition comment="rpm package openssh-server removed" definition_ref="oval:ssg-package_openssh-server_removed:def:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria comment="sshd is installed and configured" operator="AND">
-              <oval-def:extend_definition comment="sshd is required or requirement is unset" definition_ref="oval:ssg-sshd_required_or_unset:def:1"/>
-              <oval-def:extend_definition comment="rpm package openssh-server installed" definition_ref="oval:ssg-package_openssh-server_installed:def:1"/>
-              <oval-def:criteria comment="sshd is configured correctly" operator="OR">
-                <oval-def:criterion comment="Check the PermitRootLogin in /etc/ssh/sshd_config" test_ref="oval:ssg-test_sshd_disable_root_login:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sshd_disable_root_password_login:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Disable SSH root Login with a Password (Insecure)</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Ensure 'PermitRootLogin' is configured with value 'prohibit-password' in /etc/ssh/sshd_config</oval-def:description>
-            <oval-def:reference ref_id="sshd_disable_root_password_login" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="sshd is configured correctly or is not installed" operator="OR">
-            <oval-def:criteria comment="sshd is not installed" operator="AND">
-              <oval-def:extend_definition comment="sshd is not required or requirement is unset" definition_ref="oval:ssg-sshd_not_required_or_unset:def:1"/>
-              <oval-def:extend_definition comment="rpm package openssh-server removed" definition_ref="oval:ssg-package_openssh-server_removed:def:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria comment="sshd is installed and configured" operator="AND">
-              <oval-def:extend_definition comment="sshd is required or requirement is unset" definition_ref="oval:ssg-sshd_required_or_unset:def:1"/>
-              <oval-def:extend_definition comment="rpm package openssh-server installed" definition_ref="oval:ssg-package_openssh-server_installed:def:1"/>
-              <oval-def:criteria comment="sshd is configured correctly" operator="OR">
-                <oval-def:criterion comment="Check the PermitRootLogin in /etc/ssh/sshd_config" test_ref="oval:ssg-test_sshd_disable_root_password_login:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sshd_disable_tcp_forwarding:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Disable SSH TCP Forwarding</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Ensure 'AllowTcpForwarding' is configured with value 'no' in /etc/ssh/sshd_config</oval-def:description>
-            <oval-def:reference ref_id="sshd_disable_tcp_forwarding" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="sshd is configured correctly or is not installed" operator="OR">
-            <oval-def:criteria comment="sshd is not installed" operator="AND">
-              <oval-def:extend_definition comment="sshd is not required or requirement is unset" definition_ref="oval:ssg-sshd_not_required_or_unset:def:1"/>
-              <oval-def:extend_definition comment="rpm package openssh-server removed" definition_ref="oval:ssg-package_openssh-server_removed:def:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria comment="sshd is installed and configured" operator="AND">
-              <oval-def:extend_definition comment="sshd is required or requirement is unset" definition_ref="oval:ssg-sshd_required_or_unset:def:1"/>
-              <oval-def:extend_definition comment="rpm package openssh-server installed" definition_ref="oval:ssg-package_openssh-server_installed:def:1"/>
-              <oval-def:criteria comment="sshd is configured correctly" operator="OR">
-                <oval-def:criterion comment="Check the AllowTcpForwarding in /etc/ssh/sshd_config" test_ref="oval:ssg-test_sshd_disable_tcp_forwarding:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sshd_disable_user_known_hosts:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Disable SSH Support for User Known Hosts</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Ensure 'IgnoreUserKnownHosts' is configured with value 'yes' in /etc/ssh/sshd_config</oval-def:description>
-            <oval-def:reference ref_id="sshd_disable_user_known_hosts" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="sshd is configured correctly or is not installed" operator="OR">
-            <oval-def:criteria comment="sshd is not installed" operator="AND">
-              <oval-def:extend_definition comment="sshd is not required or requirement is unset" definition_ref="oval:ssg-sshd_not_required_or_unset:def:1"/>
-              <oval-def:extend_definition comment="rpm package openssh-server removed" definition_ref="oval:ssg-package_openssh-server_removed:def:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria comment="sshd is installed and configured" operator="AND">
-              <oval-def:extend_definition comment="sshd is required or requirement is unset" definition_ref="oval:ssg-sshd_required_or_unset:def:1"/>
-              <oval-def:extend_definition comment="rpm package openssh-server installed" definition_ref="oval:ssg-package_openssh-server_installed:def:1"/>
-              <oval-def:criteria comment="sshd is configured correctly" operator="OR">
-                <oval-def:criterion comment="Check the IgnoreUserKnownHosts in /etc/ssh/sshd_config" test_ref="oval:ssg-test_sshd_disable_user_known_hosts:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sshd_disable_x11_forwarding:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Disable X11 Forwarding</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Ensure 'X11Forwarding' is configured with value 'no' in /etc/ssh/sshd_config</oval-def:description>
-            <oval-def:reference ref_id="sshd_disable_x11_forwarding" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="sshd is configured correctly or is not installed" operator="OR">
-            <oval-def:criteria comment="sshd is not installed" operator="AND">
-              <oval-def:extend_definition comment="sshd is not required or requirement is unset" definition_ref="oval:ssg-sshd_not_required_or_unset:def:1"/>
-              <oval-def:extend_definition comment="rpm package openssh-server removed" definition_ref="oval:ssg-package_openssh-server_removed:def:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria comment="sshd is installed and configured" operator="AND">
-              <oval-def:extend_definition comment="sshd is required or requirement is unset" definition_ref="oval:ssg-sshd_required_or_unset:def:1"/>
-              <oval-def:extend_definition comment="rpm package openssh-server installed" definition_ref="oval:ssg-package_openssh-server_installed:def:1"/>
-              <oval-def:criteria comment="sshd is configured correctly" operator="OR">
-                <oval-def:criterion comment="Check the X11Forwarding in /etc/ssh/sshd_config" test_ref="oval:ssg-test_sshd_disable_x11_forwarding:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sshd_do_not_permit_user_env:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Do Not Allow SSH Environment Options</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Ensure 'PermitUserEnvironment' is configured with value 'no' in /etc/ssh/sshd_config</oval-def:description>
-            <oval-def:reference ref_id="sshd_do_not_permit_user_env" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="sshd is configured correctly or is not installed" operator="OR">
-            <oval-def:criteria comment="sshd is not installed" operator="AND">
-              <oval-def:extend_definition comment="sshd is not required or requirement is unset" definition_ref="oval:ssg-sshd_not_required_or_unset:def:1"/>
-              <oval-def:extend_definition comment="rpm package openssh-server removed" definition_ref="oval:ssg-package_openssh-server_removed:def:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria comment="sshd is installed and configured" operator="AND">
-              <oval-def:extend_definition comment="sshd is required or requirement is unset" definition_ref="oval:ssg-sshd_required_or_unset:def:1"/>
-              <oval-def:extend_definition comment="rpm package openssh-server installed" definition_ref="oval:ssg-package_openssh-server_installed:def:1"/>
-              <oval-def:criteria comment="sshd is configured correctly" operator="OR">
-                <oval-def:criterion comment="Check the PermitUserEnvironment in /etc/ssh/sshd_config" test_ref="oval:ssg-test_sshd_do_not_permit_user_env:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sshd_enable_gssapi_auth:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Enable GSSAPI Authentication</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Ensure 'GSSAPIAuthentication' is configured with value 'yes' in /etc/ssh/sshd_config</oval-def:description>
-            <oval-def:reference ref_id="sshd_enable_gssapi_auth" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="sshd is configured correctly or is not installed" operator="OR">
-            <oval-def:criteria comment="sshd is not installed" operator="AND">
-              <oval-def:extend_definition comment="sshd is not required or requirement is unset" definition_ref="oval:ssg-sshd_not_required_or_unset:def:1"/>
-              <oval-def:extend_definition comment="rpm package openssh-server removed" definition_ref="oval:ssg-package_openssh-server_removed:def:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria comment="sshd is installed and configured" operator="AND">
-              <oval-def:extend_definition comment="sshd is required or requirement is unset" definition_ref="oval:ssg-sshd_required_or_unset:def:1"/>
-              <oval-def:extend_definition comment="rpm package openssh-server installed" definition_ref="oval:ssg-package_openssh-server_installed:def:1"/>
-              <oval-def:criteria comment="sshd is configured correctly" operator="OR">
-                <oval-def:criterion comment="Check the GSSAPIAuthentication in /etc/ssh/sshd_config" test_ref="oval:ssg-test_sshd_enable_gssapi_auth:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sshd_enable_pam:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Enable PAM</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Ensure 'UsePAM' is configured with value 'yes' in /etc/ssh/sshd_config</oval-def:description>
-            <oval-def:reference ref_id="sshd_enable_pam" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="sshd is configured correctly or is not installed" operator="OR">
-            <oval-def:criteria comment="sshd is not installed" operator="AND">
-              <oval-def:extend_definition comment="sshd is not required or requirement is unset" definition_ref="oval:ssg-sshd_not_required_or_unset:def:1"/>
-              <oval-def:extend_definition comment="rpm package openssh-server removed" definition_ref="oval:ssg-package_openssh-server_removed:def:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria comment="sshd is installed and configured" operator="AND">
-              <oval-def:extend_definition comment="sshd is required or requirement is unset" definition_ref="oval:ssg-sshd_required_or_unset:def:1"/>
-              <oval-def:extend_definition comment="rpm package openssh-server installed" definition_ref="oval:ssg-package_openssh-server_installed:def:1"/>
-              <oval-def:criteria comment="sshd is configured correctly" operator="OR">
-                <oval-def:criterion comment="Check the UsePAM in /etc/ssh/sshd_config" test_ref="oval:ssg-test_sshd_enable_pam:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sshd_enable_pubkey_auth:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Enable Public Key Authentication</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Ensure 'PubkeyAuthentication' is configured with value 'yes' in /etc/ssh/sshd_config</oval-def:description>
-            <oval-def:reference ref_id="sshd_enable_pubkey_auth" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="sshd is configured correctly or is not installed" operator="OR">
-            <oval-def:criteria comment="sshd is not installed" operator="AND">
-              <oval-def:extend_definition comment="sshd is not required or requirement is unset" definition_ref="oval:ssg-sshd_not_required_or_unset:def:1"/>
-              <oval-def:extend_definition comment="rpm package openssh-server removed" definition_ref="oval:ssg-package_openssh-server_removed:def:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria comment="sshd is installed and configured" operator="AND">
-              <oval-def:extend_definition comment="sshd is required or requirement is unset" definition_ref="oval:ssg-sshd_required_or_unset:def:1"/>
-              <oval-def:extend_definition comment="rpm package openssh-server installed" definition_ref="oval:ssg-package_openssh-server_installed:def:1"/>
-              <oval-def:criteria comment="sshd is configured correctly" operator="OR">
-                <oval-def:criterion comment="Check the PubkeyAuthentication in /etc/ssh/sshd_config" test_ref="oval:ssg-test_sshd_enable_pubkey_auth:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sshd_enable_strictmodes:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Enable Use of Strict Mode Checking</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Ensure 'StrictModes' is configured with value 'yes' in /etc/ssh/sshd_config</oval-def:description>
-            <oval-def:reference ref_id="sshd_enable_strictmodes" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="sshd is configured correctly or is not installed" operator="OR">
-            <oval-def:criteria comment="sshd is not installed" operator="AND">
-              <oval-def:extend_definition comment="sshd is not required or requirement is unset" definition_ref="oval:ssg-sshd_not_required_or_unset:def:1"/>
-              <oval-def:extend_definition comment="rpm package openssh-server removed" definition_ref="oval:ssg-package_openssh-server_removed:def:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria comment="sshd is installed and configured" operator="AND">
-              <oval-def:extend_definition comment="sshd is required or requirement is unset" definition_ref="oval:ssg-sshd_required_or_unset:def:1"/>
-              <oval-def:extend_definition comment="rpm package openssh-server installed" definition_ref="oval:ssg-package_openssh-server_installed:def:1"/>
-              <oval-def:criteria comment="sshd is configured correctly" operator="OR">
-                <oval-def:criterion comment="Check the StrictModes in /etc/ssh/sshd_config" test_ref="oval:ssg-test_sshd_enable_strictmodes:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sshd_enable_warning_banner:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Enable SSH Warning Banner</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Ensure 'Banner' is configured with value '/etc/issue' in /etc/ssh/sshd_config</oval-def:description>
-            <oval-def:reference ref_id="sshd_enable_warning_banner" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="sshd is configured correctly or is not installed" operator="OR">
-            <oval-def:criteria comment="sshd is not installed" operator="AND">
-              <oval-def:extend_definition comment="sshd is not required or requirement is unset" definition_ref="oval:ssg-sshd_not_required_or_unset:def:1"/>
-              <oval-def:extend_definition comment="rpm package openssh-server removed" definition_ref="oval:ssg-package_openssh-server_removed:def:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria comment="sshd is installed and configured" operator="AND">
-              <oval-def:extend_definition comment="sshd is required or requirement is unset" definition_ref="oval:ssg-sshd_required_or_unset:def:1"/>
-              <oval-def:extend_definition comment="rpm package openssh-server installed" definition_ref="oval:ssg-package_openssh-server_installed:def:1"/>
-              <oval-def:criteria comment="sshd is configured correctly" operator="OR">
-                <oval-def:criterion comment="Check the Banner in /etc/ssh/sshd_config" test_ref="oval:ssg-test_sshd_enable_warning_banner:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sshd_enable_warning_banner_net:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Enable SSH Warning Banner</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Ensure 'Banner' is configured with value '/etc/issue.net' in /etc/ssh/sshd_config</oval-def:description>
-            <oval-def:reference ref_id="sshd_enable_warning_banner_net" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="sshd is configured correctly or is not installed" operator="OR">
-            <oval-def:criteria comment="sshd is not installed" operator="AND">
-              <oval-def:extend_definition comment="sshd is not required or requirement is unset" definition_ref="oval:ssg-sshd_not_required_or_unset:def:1"/>
-              <oval-def:extend_definition comment="rpm package openssh-server removed" definition_ref="oval:ssg-package_openssh-server_removed:def:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria comment="sshd is installed and configured" operator="AND">
-              <oval-def:extend_definition comment="sshd is required or requirement is unset" definition_ref="oval:ssg-sshd_required_or_unset:def:1"/>
-              <oval-def:extend_definition comment="rpm package openssh-server installed" definition_ref="oval:ssg-package_openssh-server_installed:def:1"/>
-              <oval-def:criteria comment="sshd is configured correctly" operator="OR">
-                <oval-def:criterion comment="Check the Banner in /etc/ssh/sshd_config" test_ref="oval:ssg-test_sshd_enable_warning_banner_net:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sshd_enable_x11_forwarding:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Enable Encrypted X11 Forwarding</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Ensure 'X11Forwarding' is configured with value 'yes' in /etc/ssh/sshd_config</oval-def:description>
-            <oval-def:reference ref_id="sshd_enable_x11_forwarding" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="sshd is configured correctly or is not installed" operator="OR">
-            <oval-def:criteria comment="sshd is not installed" operator="AND">
-              <oval-def:extend_definition comment="sshd is not required or requirement is unset" definition_ref="oval:ssg-sshd_not_required_or_unset:def:1"/>
-              <oval-def:extend_definition comment="rpm package openssh-server removed" definition_ref="oval:ssg-package_openssh-server_removed:def:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria comment="sshd is installed and configured" operator="AND">
-              <oval-def:extend_definition comment="sshd is required or requirement is unset" definition_ref="oval:ssg-sshd_required_or_unset:def:1"/>
-              <oval-def:extend_definition comment="rpm package openssh-server installed" definition_ref="oval:ssg-package_openssh-server_installed:def:1"/>
-              <oval-def:criteria comment="sshd is configured correctly" operator="OR">
-                <oval-def:criterion comment="Check the X11Forwarding in /etc/ssh/sshd_config" test_ref="oval:ssg-test_sshd_enable_x11_forwarding:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sshd_includes_config_files:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>sshd_includes_config_files</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check presence of Include /etc/ssh/sshd_config.d/*.conf in /etc/ssh/sshd_config</oval-def:description>
-            <oval-def:reference ref_id="sshd_includes_config_files" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND" comment="Test conditions - presence of the file plus 0 extra definitions.">
-            <oval-def:criterion comment="Check that /etc/ssh/sshd_config contains a line with certain text" test_ref="oval:ssg-test_sshd_includes_config_files:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sshd_print_last_log:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Enable SSH Print Last Log</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Ensure 'PrintLastLog' is configured with value 'yes' in /etc/ssh/sshd_config</oval-def:description>
-            <oval-def:reference ref_id="sshd_print_last_log" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="sshd is configured correctly or is not installed" operator="OR">
-            <oval-def:criteria comment="sshd is not installed" operator="AND">
-              <oval-def:extend_definition comment="sshd is not required or requirement is unset" definition_ref="oval:ssg-sshd_not_required_or_unset:def:1"/>
-              <oval-def:extend_definition comment="rpm package openssh-server removed" definition_ref="oval:ssg-package_openssh-server_removed:def:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria comment="sshd is installed and configured" operator="AND">
-              <oval-def:extend_definition comment="sshd is required or requirement is unset" definition_ref="oval:ssg-sshd_required_or_unset:def:1"/>
-              <oval-def:extend_definition comment="rpm package openssh-server installed" definition_ref="oval:ssg-package_openssh-server_installed:def:1"/>
-              <oval-def:criteria comment="sshd is configured correctly" operator="OR">
-                <oval-def:criterion comment="Check the PrintLastLog in /etc/ssh/sshd_config" test_ref="oval:ssg-test_sshd_print_last_log:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sshd_set_keepalive_0:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Set SSH Client Alive Count Max to zero</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Ensure 'ClientAliveCountMax' is configured with value '0' in /etc/ssh/sshd_config</oval-def:description>
-            <oval-def:reference ref_id="CCE-83406-9" source="CCE"/>
-            <oval-def:reference ref_id="sshd_set_keepalive_0" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="sshd is configured correctly or is not installed" operator="OR">
-            <oval-def:criteria comment="sshd is not installed" operator="AND">
-              <oval-def:extend_definition comment="sshd is not required or requirement is unset" definition_ref="oval:ssg-sshd_not_required_or_unset:def:1"/>
-              <oval-def:extend_definition comment="rpm package openssh-server removed" definition_ref="oval:ssg-package_openssh-server_removed:def:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria comment="sshd is installed and configured" operator="AND">
-              <oval-def:extend_definition comment="sshd is required or requirement is unset" definition_ref="oval:ssg-sshd_required_or_unset:def:1"/>
-              <oval-def:extend_definition comment="rpm package openssh-server installed" definition_ref="oval:ssg-package_openssh-server_installed:def:1"/>
-              <oval-def:criteria comment="sshd is configured correctly" operator="OR">
-                <oval-def:criterion comment="Check the ClientAliveCountMax in /etc/ssh/sshd_config" test_ref="oval:ssg-test_sshd_set_keepalive_0:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sshd_set_loglevel_info:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Set LogLevel to INFO</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Ensure 'LogLevel' is configured with value 'INFO' in /etc/ssh/sshd_config</oval-def:description>
-            <oval-def:reference ref_id="sshd_set_loglevel_info" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="sshd is configured correctly or is not installed" operator="OR">
-            <oval-def:criteria comment="sshd is not installed" operator="AND">
-              <oval-def:extend_definition comment="sshd is not required or requirement is unset" definition_ref="oval:ssg-sshd_not_required_or_unset:def:1"/>
-              <oval-def:extend_definition comment="rpm package openssh-server removed" definition_ref="oval:ssg-package_openssh-server_removed:def:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria comment="sshd is installed and configured" operator="AND">
-              <oval-def:extend_definition comment="sshd is required or requirement is unset" definition_ref="oval:ssg-sshd_required_or_unset:def:1"/>
-              <oval-def:extend_definition comment="rpm package openssh-server installed" definition_ref="oval:ssg-package_openssh-server_installed:def:1"/>
-              <oval-def:criteria comment="sshd is configured correctly" operator="OR">
-                <oval-def:criterion comment="Check the LogLevel in /etc/ssh/sshd_config" test_ref="oval:ssg-test_sshd_set_loglevel_info:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sshd_set_loglevel_verbose:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Set SSH Daemon LogLevel to VERBOSE</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Ensure 'LogLevel' is configured with value 'VERBOSE' in /etc/ssh/sshd_config</oval-def:description>
-            <oval-def:reference ref_id="sshd_set_loglevel_verbose" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="sshd is configured correctly or is not installed" operator="OR">
-            <oval-def:criteria comment="sshd is not installed" operator="AND">
-              <oval-def:extend_definition comment="sshd is not required or requirement is unset" definition_ref="oval:ssg-sshd_not_required_or_unset:def:1"/>
-              <oval-def:extend_definition comment="rpm package openssh-server removed" definition_ref="oval:ssg-package_openssh-server_removed:def:1"/>
-            </oval-def:criteria>
-            <oval-def:criteria comment="sshd is installed and configured" operator="AND">
-              <oval-def:extend_definition comment="sshd is required or requirement is unset" definition_ref="oval:ssg-sshd_required_or_unset:def:1"/>
-              <oval-def:extend_definition comment="rpm package openssh-server installed" definition_ref="oval:ssg-package_openssh-server_installed:def:1"/>
-              <oval-def:criteria comment="sshd is configured correctly" operator="OR">
-                <oval-def:criterion comment="Check the LogLevel in /etc/ssh/sshd_config" test_ref="oval:ssg-test_sshd_set_loglevel_verbose:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sudo_add_noexec:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks sudoers Defaults {{ OPTION }} configuration</oval-def:description>
-            <oval-def:reference ref_id="sudo_add_noexec" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="noexec is configured in /etc/sudoers or /etc/sudoers.d/" test_ref="oval:ssg-test_noexec_sudoers:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sudo_add_requiretty:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks sudoers Defaults {{ OPTION }} configuration</oval-def:description>
-            <oval-def:reference ref_id="sudo_add_requiretty" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="requiretty is configured in /etc/sudoers or /etc/sudoers.d/" test_ref="oval:ssg-test_requiretty_sudoers:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sudo_add_use_pty:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks sudoers Defaults {{ OPTION }} configuration</oval-def:description>
-            <oval-def:reference ref_id="sudo_add_use_pty" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="use_pty is configured in /etc/sudoers or /etc/sudoers.d/" test_ref="oval:ssg-test_use_pty_sudoers:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sudo_custom_logfile:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ensure Sudo Logfile Exists - sudo logfile</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks sudoers Defaults {{ OPTION }} configuration</oval-def:description>
-            <oval-def:reference ref_id="sudo_custom_logfile" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="logfile is configured in /etc/sudoers or /etc/sudoers.d/" test_ref="oval:ssg-test_logfile_sudoers:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_fs_protected_hardlinks:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Enable Kernel Parameter to Enforce DAC on Hardlinks</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The 'fs.protected_hardlinks' kernel parameter should be set to the appropriate value in both system configuration and system runtime.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82506-7" source="CCE"/>
-            <oval-def:reference ref_id="sysctl_fs_protected_hardlinks" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="fs.protected_hardlinks configuration setting check" definition_ref="oval:ssg-sysctl_fs_protected_hardlinks_static:def:1"/>
-            <oval-def:extend_definition comment="fs.protected_hardlinks runtime setting check" definition_ref="oval:ssg-sysctl_fs_protected_hardlinks_runtime:def:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_fs_protected_hardlinks_runtime:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Enable Kernel Parameter to Enforce DAC on Hardlinks</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'fs.protected_hardlinks' parameter should be set to 1 in the system runtime.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_fs_protected_hardlinks_runtime" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="kernel runtime parameter fs.protected_hardlinks set to 1" test_ref="oval:ssg-test_sysctl_fs_protected_hardlinks_runtime:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_fs_protected_hardlinks_static:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Enable Kernel Parameter to Enforce DAC on Hardlinks</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'fs.protected_hardlinks' parameter should be set to 1 in the system configuration.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_fs_protected_hardlinks_static" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="kernel static parameter fs.protected_hardlinks set to 1 in /etc/sysctl.conf" test_ref="oval:ssg-test_sysctl_fs_protected_hardlinks_static:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter fs.protected_hardlinks set to 1 in /etc/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_fs_protected_hardlinks_static_etc_sysctld:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter fs.protected_hardlinks set to 1 in /run/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_fs_protected_hardlinks_static_run_sysctld:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criterion comment="Check that fs_protected_hardlinks is defined in only one file" test_ref="oval:ssg-test_sysctl_fs_protected_hardlinks_defined_in_one_file:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_fs_protected_symlinks:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Enable Kernel Parameter to Enforce DAC on Symlinks</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The 'fs.protected_symlinks' kernel parameter should be set to the appropriate value in both system configuration and system runtime.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82507-5" source="CCE"/>
-            <oval-def:reference ref_id="sysctl_fs_protected_symlinks" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="fs.protected_symlinks configuration setting check" definition_ref="oval:ssg-sysctl_fs_protected_symlinks_static:def:1"/>
-            <oval-def:extend_definition comment="fs.protected_symlinks runtime setting check" definition_ref="oval:ssg-sysctl_fs_protected_symlinks_runtime:def:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_fs_protected_symlinks_runtime:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Enable Kernel Parameter to Enforce DAC on Symlinks</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'fs.protected_symlinks' parameter should be set to 1 in the system runtime.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_fs_protected_symlinks_runtime" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="kernel runtime parameter fs.protected_symlinks set to 1" test_ref="oval:ssg-test_sysctl_fs_protected_symlinks_runtime:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_fs_protected_symlinks_static:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Enable Kernel Parameter to Enforce DAC on Symlinks</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'fs.protected_symlinks' parameter should be set to 1 in the system configuration.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_fs_protected_symlinks_static" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="kernel static parameter fs.protected_symlinks set to 1 in /etc/sysctl.conf" test_ref="oval:ssg-test_sysctl_fs_protected_symlinks_static:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter fs.protected_symlinks set to 1 in /etc/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_fs_protected_symlinks_static_etc_sysctld:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter fs.protected_symlinks set to 1 in /run/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_fs_protected_symlinks_static_run_sysctld:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criterion comment="Check that fs_protected_symlinks is defined in only one file" test_ref="oval:ssg-test_sysctl_fs_protected_symlinks_defined_in_one_file:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_fs_suid_dumpable:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Disable Core Dumps for SUID programs</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The 'fs.suid_dumpable' kernel parameter should be set to the appropriate value in both system configuration and system runtime.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_fs_suid_dumpable" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="fs.suid_dumpable configuration setting check" definition_ref="oval:ssg-sysctl_fs_suid_dumpable_static:def:1"/>
-            <oval-def:extend_definition comment="fs.suid_dumpable runtime setting check" definition_ref="oval:ssg-sysctl_fs_suid_dumpable_runtime:def:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_fs_suid_dumpable_runtime:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Disable Core Dumps for SUID programs</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'fs.suid_dumpable' parameter should be set to 0 in the system runtime.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_fs_suid_dumpable_runtime" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="kernel runtime parameter fs.suid_dumpable set to 0" test_ref="oval:ssg-test_sysctl_fs_suid_dumpable_runtime:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_fs_suid_dumpable_static:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Disable Core Dumps for SUID programs</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'fs.suid_dumpable' parameter should be set to 0 in the system configuration.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_fs_suid_dumpable_static" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="kernel static parameter fs.suid_dumpable set to 0 in /etc/sysctl.conf" test_ref="oval:ssg-test_sysctl_fs_suid_dumpable_static:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter fs.suid_dumpable set to 0 in /etc/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_fs_suid_dumpable_static_etc_sysctld:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter fs.suid_dumpable set to 0 in /run/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_fs_suid_dumpable_static_run_sysctld:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criterion comment="Check that fs_suid_dumpable is defined in only one file" test_ref="oval:ssg-test_sysctl_fs_suid_dumpable_defined_in_one_file:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_kernel_core_pattern:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Disable storing core dumps</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The 'kernel.core_pattern' kernel parameter should be set to the appropriate value in both system configuration and system runtime.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82527-3" source="CCE"/>
-            <oval-def:reference ref_id="sysctl_kernel_core_pattern" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="kernel.core_pattern configuration setting check" definition_ref="oval:ssg-sysctl_kernel_core_pattern_static:def:1"/>
-            <oval-def:extend_definition comment="kernel.core_pattern runtime setting check" definition_ref="oval:ssg-sysctl_kernel_core_pattern_runtime:def:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_kernel_core_pattern_runtime:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Disable storing core dumps</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'kernel.core_pattern' parameter should be set to | or / or b or i or n or / or f or a or l or s or e in the system runtime.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_kernel_core_pattern_runtime" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="kernel runtime parameter kernel.core_pattern set to | or / or b or i or n or / or f or a or l or s or e" test_ref="oval:ssg-test_sysctl_kernel_core_pattern_runtime:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_kernel_core_pattern_static:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Disable storing core dumps</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'kernel.core_pattern' parameter should be set to | or / or b or i or n or / or f or a or l or s or e in the system configuration.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_kernel_core_pattern_static" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="kernel static parameter kernel.core_pattern set to | or / or b or i or n or / or f or a or l or s or e in /etc/sysctl.conf" test_ref="oval:ssg-test_sysctl_kernel_core_pattern_static:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter kernel.core_pattern set to | or / or b or i or n or / or f or a or l or s or e in /etc/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_kernel_core_pattern_static_etc_sysctld:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter kernel.core_pattern set to | or / or b or i or n or / or f or a or l or s or e in /run/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_kernel_core_pattern_static_run_sysctld:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criterion comment="Check that kernel_core_pattern is defined in only one file" test_ref="oval:ssg-test_sysctl_kernel_core_pattern_defined_in_one_file:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_kernel_core_pattern_empty_string:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Disable storing core dumps</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The 'kernel.core_pattern' kernel parameter should be set to the appropriate value in both system configuration and system runtime.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_kernel_core_pattern_empty_string" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="kernel.core_pattern configuration setting check" definition_ref="oval:ssg-sysctl_kernel_core_pattern_empty_string_static:def:1"/>
-            <oval-def:extend_definition comment="kernel.core_pattern runtime setting check" definition_ref="oval:ssg-sysctl_kernel_core_pattern_empty_string_runtime:def:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_kernel_core_pattern_empty_string_runtime:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Disable storing core dumps</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'kernel.core_pattern' parameter should be set to ' or ' in the system runtime.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_kernel_core_pattern_empty_string_runtime" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="kernel runtime parameter kernel.core_pattern set to ' or '" test_ref="oval:ssg-test_sysctl_kernel_core_pattern_empty_string_runtime:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_kernel_core_pattern_empty_string_static:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Disable storing core dumps</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'kernel.core_pattern' parameter should be set to ' or ' in the system configuration.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_kernel_core_pattern_empty_string_static" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="kernel static parameter kernel.core_pattern set to ' or ' in /etc/sysctl.conf" test_ref="oval:ssg-test_sysctl_kernel_core_pattern_empty_string_static:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter kernel.core_pattern set to ' or ' in /etc/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_kernel_core_pattern_empty_string_static_etc_sysctld:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter kernel.core_pattern set to ' or ' in /run/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_kernel_core_pattern_empty_string_static_run_sysctld:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criterion comment="Check that kernel_core_pattern is defined in only one file" test_ref="oval:ssg-test_sysctl_kernel_core_pattern_empty_string_defined_in_one_file:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_kernel_core_uses_pid:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Configure file name of core dumps</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The 'kernel.core_uses_pid' kernel parameter should be set to the appropriate value in both system configuration and system runtime.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_kernel_core_uses_pid" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="kernel.core_uses_pid configuration setting check" definition_ref="oval:ssg-sysctl_kernel_core_uses_pid_static:def:1"/>
-            <oval-def:extend_definition comment="kernel.core_uses_pid runtime setting check" definition_ref="oval:ssg-sysctl_kernel_core_uses_pid_runtime:def:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_kernel_core_uses_pid_runtime:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Configure file name of core dumps</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'kernel.core_uses_pid' parameter should be set to 0 in the system runtime.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_kernel_core_uses_pid_runtime" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="kernel runtime parameter kernel.core_uses_pid set to 0" test_ref="oval:ssg-test_sysctl_kernel_core_uses_pid_runtime:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_kernel_core_uses_pid_static:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Configure file name of core dumps</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'kernel.core_uses_pid' parameter should be set to 0 in the system configuration.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_kernel_core_uses_pid_static" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="kernel static parameter kernel.core_uses_pid set to 0 in /etc/sysctl.conf" test_ref="oval:ssg-test_sysctl_kernel_core_uses_pid_static:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter kernel.core_uses_pid set to 0 in /etc/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_kernel_core_uses_pid_static_etc_sysctld:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter kernel.core_uses_pid set to 0 in /run/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_kernel_core_uses_pid_static_run_sysctld:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criterion comment="Check that kernel_core_uses_pid is defined in only one file" test_ref="oval:ssg-test_sysctl_kernel_core_uses_pid_defined_in_one_file:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_kernel_dmesg_restrict:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Restrict Access to Kernel Message Buffer</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The 'kernel.dmesg_restrict' kernel parameter should be set to the appropriate value in both system configuration and system runtime.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82499-5" source="CCE"/>
-            <oval-def:reference ref_id="sysctl_kernel_dmesg_restrict" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="kernel.dmesg_restrict configuration setting check" definition_ref="oval:ssg-sysctl_kernel_dmesg_restrict_static:def:1"/>
-            <oval-def:extend_definition comment="kernel.dmesg_restrict runtime setting check" definition_ref="oval:ssg-sysctl_kernel_dmesg_restrict_runtime:def:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_kernel_dmesg_restrict_runtime:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Restrict Access to Kernel Message Buffer</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'kernel.dmesg_restrict' parameter should be set to 1 in the system runtime.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_kernel_dmesg_restrict_runtime" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="kernel runtime parameter kernel.dmesg_restrict set to 1" test_ref="oval:ssg-test_sysctl_kernel_dmesg_restrict_runtime:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_kernel_dmesg_restrict_static:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Restrict Access to Kernel Message Buffer</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'kernel.dmesg_restrict' parameter should be set to 1 in the system configuration.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_kernel_dmesg_restrict_static" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="kernel static parameter kernel.dmesg_restrict set to 1 in /etc/sysctl.conf" test_ref="oval:ssg-test_sysctl_kernel_dmesg_restrict_static:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter kernel.dmesg_restrict set to 1 in /etc/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_kernel_dmesg_restrict_static_etc_sysctld:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter kernel.dmesg_restrict set to 1 in /run/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_kernel_dmesg_restrict_static_run_sysctld:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criterion comment="Check that kernel_dmesg_restrict is defined in only one file" test_ref="oval:ssg-test_sysctl_kernel_dmesg_restrict_defined_in_one_file:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_kernel_kexec_load_disabled:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Disable Kernel Image Loading</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The 'kernel.kexec_load_disabled' kernel parameter should be set to the appropriate value in both system configuration and system runtime.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82500-0" source="CCE"/>
-            <oval-def:reference ref_id="sysctl_kernel_kexec_load_disabled" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="kernel.kexec_load_disabled configuration setting check" definition_ref="oval:ssg-sysctl_kernel_kexec_load_disabled_static:def:1"/>
-            <oval-def:extend_definition comment="kernel.kexec_load_disabled runtime setting check" definition_ref="oval:ssg-sysctl_kernel_kexec_load_disabled_runtime:def:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_kernel_kexec_load_disabled_runtime:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Disable Kernel Image Loading</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'kernel.kexec_load_disabled' parameter should be set to 1 in the system runtime.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_kernel_kexec_load_disabled_runtime" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="kernel runtime parameter kernel.kexec_load_disabled set to 1" test_ref="oval:ssg-test_sysctl_kernel_kexec_load_disabled_runtime:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_kernel_kexec_load_disabled_static:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Disable Kernel Image Loading</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'kernel.kexec_load_disabled' parameter should be set to 1 in the system configuration.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_kernel_kexec_load_disabled_static" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="kernel static parameter kernel.kexec_load_disabled set to 1 in /etc/sysctl.conf" test_ref="oval:ssg-test_sysctl_kernel_kexec_load_disabled_static:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter kernel.kexec_load_disabled set to 1 in /etc/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_kernel_kexec_load_disabled_static_etc_sysctld:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter kernel.kexec_load_disabled set to 1 in /run/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_kernel_kexec_load_disabled_static_run_sysctld:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criterion comment="Check that kernel_kexec_load_disabled is defined in only one file" test_ref="oval:ssg-test_sysctl_kernel_kexec_load_disabled_defined_in_one_file:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_kernel_kptr_restrict:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Restrict Exposed Kernel Pointer Addresses Access</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The 'kernel.kptr_restrict' kernel parameter should be set to the appropriate value in both system configuration and system runtime.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82498-7" source="CCE"/>
-            <oval-def:reference ref_id="sysctl_kernel_kptr_restrict" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="kernel.kptr_restrict configuration setting check" definition_ref="oval:ssg-sysctl_kernel_kptr_restrict_static:def:1"/>
-            <oval-def:extend_definition comment="kernel.kptr_restrict runtime setting check" definition_ref="oval:ssg-sysctl_kernel_kptr_restrict_runtime:def:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_kernel_kptr_restrict_runtime:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Restrict Exposed Kernel Pointer Addresses Access</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'kernel.kptr_restrict' parameter should be set to the appropriate value in the system runtime.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_kernel_kptr_restrict_runtime" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="kernel runtime parameter kernel.kptr_restrict set to the appropriate value" test_ref="oval:ssg-test_sysctl_kernel_kptr_restrict_runtime:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_kernel_kptr_restrict_static:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Restrict Exposed Kernel Pointer Addresses Access</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'kernel.kptr_restrict' parameter should be set to the appropriate value in the system configuration.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_kernel_kptr_restrict_static" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="kernel static parameter kernel.kptr_restrict set to the appropriate value in /etc/sysctl.conf" test_ref="oval:ssg-test_sysctl_kernel_kptr_restrict_static:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter kernel.kptr_restrict set to the appropriate value in /etc/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_kernel_kptr_restrict_static_etc_sysctld:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter kernel.kptr_restrict set to the appropriate value in /run/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_kernel_kptr_restrict_static_run_sysctld:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criterion comment="Check that kernel_kptr_restrict is defined in only one file" test_ref="oval:ssg-test_sysctl_kernel_kptr_restrict_defined_in_one_file:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_kernel_panic_on_oops:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Kernel panic on oops</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The 'kernel.panic_on_oops' kernel parameter should be set to the appropriate value in both system configuration and system runtime.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_kernel_panic_on_oops" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="kernel.panic_on_oops configuration setting check" definition_ref="oval:ssg-sysctl_kernel_panic_on_oops_static:def:1"/>
-            <oval-def:extend_definition comment="kernel.panic_on_oops runtime setting check" definition_ref="oval:ssg-sysctl_kernel_panic_on_oops_runtime:def:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_kernel_panic_on_oops_runtime:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Kernel panic on oops</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'kernel.panic_on_oops' parameter should be set to 1 in the system runtime.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_kernel_panic_on_oops_runtime" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="kernel runtime parameter kernel.panic_on_oops set to 1" test_ref="oval:ssg-test_sysctl_kernel_panic_on_oops_runtime:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_kernel_panic_on_oops_static:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Kernel panic on oops</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'kernel.panic_on_oops' parameter should be set to 1 in the system configuration.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_kernel_panic_on_oops_static" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="kernel static parameter kernel.panic_on_oops set to 1 in /etc/sysctl.conf" test_ref="oval:ssg-test_sysctl_kernel_panic_on_oops_static:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter kernel.panic_on_oops set to 1 in /etc/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_kernel_panic_on_oops_static_etc_sysctld:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter kernel.panic_on_oops set to 1 in /run/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_kernel_panic_on_oops_static_run_sysctld:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criterion comment="Check that kernel_panic_on_oops is defined in only one file" test_ref="oval:ssg-test_sysctl_kernel_panic_on_oops_defined_in_one_file:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_kernel_perf_event_paranoid:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Disallow kernel profiling by unprivileged users</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The 'kernel.perf_event_paranoid' kernel parameter should be set to the appropriate value in both system configuration and system runtime.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82502-6" source="CCE"/>
-            <oval-def:reference ref_id="sysctl_kernel_perf_event_paranoid" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="kernel.perf_event_paranoid configuration setting check" definition_ref="oval:ssg-sysctl_kernel_perf_event_paranoid_static:def:1"/>
-            <oval-def:extend_definition comment="kernel.perf_event_paranoid runtime setting check" definition_ref="oval:ssg-sysctl_kernel_perf_event_paranoid_runtime:def:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_kernel_perf_event_paranoid_runtime:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Disallow kernel profiling by unprivileged users</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'kernel.perf_event_paranoid' parameter should be set to 2 in the system runtime.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_kernel_perf_event_paranoid_runtime" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="kernel runtime parameter kernel.perf_event_paranoid set to 2" test_ref="oval:ssg-test_sysctl_kernel_perf_event_paranoid_runtime:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_kernel_perf_event_paranoid_static:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Disallow kernel profiling by unprivileged users</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'kernel.perf_event_paranoid' parameter should be set to 2 in the system configuration.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_kernel_perf_event_paranoid_static" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="kernel static parameter kernel.perf_event_paranoid set to 2 in /etc/sysctl.conf" test_ref="oval:ssg-test_sysctl_kernel_perf_event_paranoid_static:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter kernel.perf_event_paranoid set to 2 in /etc/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_kernel_perf_event_paranoid_static_etc_sysctld:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter kernel.perf_event_paranoid set to 2 in /run/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_kernel_perf_event_paranoid_static_run_sysctld:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criterion comment="Check that kernel_perf_event_paranoid is defined in only one file" test_ref="oval:ssg-test_sysctl_kernel_perf_event_paranoid_defined_in_one_file:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_kernel_randomize_va_space:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Enable Randomized Layout of Virtual Address Space</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The 'kernel.randomize_va_space' kernel parameter should be set to the appropriate value in both system configuration and system runtime.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_kernel_randomize_va_space" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="kernel.randomize_va_space configuration setting check" definition_ref="oval:ssg-sysctl_kernel_randomize_va_space_static:def:1"/>
-            <oval-def:extend_definition comment="kernel.randomize_va_space runtime setting check" definition_ref="oval:ssg-sysctl_kernel_randomize_va_space_runtime:def:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_kernel_randomize_va_space_runtime:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Enable Randomized Layout of Virtual Address Space</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'kernel.randomize_va_space' parameter should be set to 2 in the system runtime.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_kernel_randomize_va_space_runtime" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="kernel runtime parameter kernel.randomize_va_space set to 2" test_ref="oval:ssg-test_sysctl_kernel_randomize_va_space_runtime:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_kernel_randomize_va_space_static:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Enable Randomized Layout of Virtual Address Space</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'kernel.randomize_va_space' parameter should be set to 2 in the system configuration.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_kernel_randomize_va_space_static" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="kernel static parameter kernel.randomize_va_space set to 2 in /etc/sysctl.conf" test_ref="oval:ssg-test_sysctl_kernel_randomize_va_space_static:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter kernel.randomize_va_space set to 2 in /etc/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_kernel_randomize_va_space_static_etc_sysctld:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter kernel.randomize_va_space set to 2 in /run/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_kernel_randomize_va_space_static_run_sysctld:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criterion comment="Check that kernel_randomize_va_space is defined in only one file" test_ref="oval:ssg-test_sysctl_kernel_randomize_va_space_defined_in_one_file:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_kernel_unprivileged_bpf_disabled:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Disable Access to Network bpf() Syscall From Unprivileged Processes</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The 'kernel.unprivileged_bpf_disabled' kernel parameter should be set to the appropriate value in both system configuration and system runtime.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82504-2" source="CCE"/>
-            <oval-def:reference ref_id="sysctl_kernel_unprivileged_bpf_disabled" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="kernel.unprivileged_bpf_disabled configuration setting check" definition_ref="oval:ssg-sysctl_kernel_unprivileged_bpf_disabled_static:def:1"/>
-            <oval-def:extend_definition comment="kernel.unprivileged_bpf_disabled runtime setting check" definition_ref="oval:ssg-sysctl_kernel_unprivileged_bpf_disabled_runtime:def:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_kernel_unprivileged_bpf_disabled_runtime:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Disable Access to Network bpf() Syscall From Unprivileged Processes</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'kernel.unprivileged_bpf_disabled' parameter should be set to 1 in the system runtime.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_kernel_unprivileged_bpf_disabled_runtime" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="kernel runtime parameter kernel.unprivileged_bpf_disabled set to 1" test_ref="oval:ssg-test_sysctl_kernel_unprivileged_bpf_disabled_runtime:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_kernel_unprivileged_bpf_disabled_static:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Disable Access to Network bpf() Syscall From Unprivileged Processes</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'kernel.unprivileged_bpf_disabled' parameter should be set to 1 in the system configuration.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_kernel_unprivileged_bpf_disabled_static" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="kernel static parameter kernel.unprivileged_bpf_disabled set to 1 in /etc/sysctl.conf" test_ref="oval:ssg-test_sysctl_kernel_unprivileged_bpf_disabled_static:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter kernel.unprivileged_bpf_disabled set to 1 in /etc/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_kernel_unprivileged_bpf_disabled_static_etc_sysctld:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter kernel.unprivileged_bpf_disabled set to 1 in /run/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_kernel_unprivileged_bpf_disabled_static_run_sysctld:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criterion comment="Check that kernel_unprivileged_bpf_disabled is defined in only one file" test_ref="oval:ssg-test_sysctl_kernel_unprivileged_bpf_disabled_defined_in_one_file:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_kernel_yama_ptrace_scope:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Restrict usage of ptrace to descendant processes</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The 'kernel.yama.ptrace_scope' kernel parameter should be set to the appropriate value in both system configuration and system runtime.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82501-8" source="CCE"/>
-            <oval-def:reference ref_id="sysctl_kernel_yama_ptrace_scope" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="kernel.yama.ptrace_scope configuration setting check" definition_ref="oval:ssg-sysctl_kernel_yama_ptrace_scope_static:def:1"/>
-            <oval-def:extend_definition comment="kernel.yama.ptrace_scope runtime setting check" definition_ref="oval:ssg-sysctl_kernel_yama_ptrace_scope_runtime:def:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_kernel_yama_ptrace_scope_runtime:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Restrict usage of ptrace to descendant processes</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'kernel.yama.ptrace_scope' parameter should be set to 1 in the system runtime.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_kernel_yama_ptrace_scope_runtime" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="kernel runtime parameter kernel.yama.ptrace_scope set to 1" test_ref="oval:ssg-test_sysctl_kernel_yama_ptrace_scope_runtime:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_kernel_yama_ptrace_scope_static:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Restrict usage of ptrace to descendant processes</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'kernel.yama.ptrace_scope' parameter should be set to 1 in the system configuration.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_kernel_yama_ptrace_scope_static" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="kernel static parameter kernel.yama.ptrace_scope set to 1 in /etc/sysctl.conf" test_ref="oval:ssg-test_sysctl_kernel_yama_ptrace_scope_static:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter kernel.yama.ptrace_scope set to 1 in /etc/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_kernel_yama_ptrace_scope_static_etc_sysctld:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter kernel.yama.ptrace_scope set to 1 in /run/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_kernel_yama_ptrace_scope_static_run_sysctld:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criterion comment="Check that kernel_yama_ptrace_scope is defined in only one file" test_ref="oval:ssg-test_sysctl_kernel_yama_ptrace_scope_defined_in_one_file:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_core_bpf_jit_harden:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Harden the operation of the BPF just-in-time compiler</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The 'net.core.bpf_jit_harden' kernel parameter should be set to the appropriate value in both system configuration and system runtime.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82505-9" source="CCE"/>
-            <oval-def:reference ref_id="sysctl_net_core_bpf_jit_harden" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="net.core.bpf_jit_harden configuration setting check" definition_ref="oval:ssg-sysctl_net_core_bpf_jit_harden_static:def:1"/>
-            <oval-def:extend_definition comment="net.core.bpf_jit_harden runtime setting check" definition_ref="oval:ssg-sysctl_net_core_bpf_jit_harden_runtime:def:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_core_bpf_jit_harden_runtime:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Harden the operation of the BPF just-in-time compiler</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'net.core.bpf_jit_harden' parameter should be set to 2 in the system runtime.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_net_core_bpf_jit_harden_runtime" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="kernel runtime parameter net.core.bpf_jit_harden set to 2" test_ref="oval:ssg-test_sysctl_net_core_bpf_jit_harden_runtime:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_core_bpf_jit_harden_static:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Harden the operation of the BPF just-in-time compiler</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'net.core.bpf_jit_harden' parameter should be set to 2 in the system configuration.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_net_core_bpf_jit_harden_static" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="kernel static parameter net.core.bpf_jit_harden set to 2 in /etc/sysctl.conf" test_ref="oval:ssg-test_sysctl_net_core_bpf_jit_harden_static:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter net.core.bpf_jit_harden set to 2 in /etc/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_net_core_bpf_jit_harden_static_etc_sysctld:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter net.core.bpf_jit_harden set to 2 in /run/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_net_core_bpf_jit_harden_static_run_sysctld:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criterion comment="Check that net_core_bpf_jit_harden is defined in only one file" test_ref="oval:ssg-test_sysctl_net_core_bpf_jit_harden_defined_in_one_file:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_conf_all_accept_local:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Disable Accepting Packets Routed Between Local Interfaces</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The 'net.ipv4.conf.all.accept_local' kernel parameter should be set to the appropriate value in both system configuration and system runtime.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_net_ipv4_conf_all_accept_local" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="net.ipv4.conf.all.accept_local configuration setting check" definition_ref="oval:ssg-sysctl_net_ipv4_conf_all_accept_local_static:def:1"/>
-            <oval-def:extend_definition comment="net.ipv4.conf.all.accept_local runtime setting check" definition_ref="oval:ssg-sysctl_net_ipv4_conf_all_accept_local_runtime:def:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_conf_all_accept_local_runtime:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Disable Accepting Packets Routed Between Local Interfaces</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'net.ipv4.conf.all.accept_local' parameter should be set to 0 in the system runtime.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_net_ipv4_conf_all_accept_local_runtime" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="kernel runtime parameter net.ipv4.conf.all.accept_local set to 0" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_all_accept_local_runtime:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_conf_all_accept_local_static:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Disable Accepting Packets Routed Between Local Interfaces</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'net.ipv4.conf.all.accept_local' parameter should be set to 0 in the system configuration.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_net_ipv4_conf_all_accept_local_static" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="kernel static parameter net.ipv4.conf.all.accept_local set to 0 in /etc/sysctl.conf" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_all_accept_local_static:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter net.ipv4.conf.all.accept_local set to 0 in /etc/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_all_accept_local_static_etc_sysctld:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter net.ipv4.conf.all.accept_local set to 0 in /run/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_all_accept_local_static_run_sysctld:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criterion comment="Check that net_ipv4_conf_all_accept_local is defined in only one file" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_all_accept_local_defined_in_one_file:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_conf_all_accept_redirects:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Disable Accepting ICMP Redirects for All IPv4 Interfaces</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The 'net.ipv4.conf.all.accept_redirects' kernel parameter should be set to the appropriate value in both system configuration and system runtime.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82469-8" source="CCE"/>
-            <oval-def:reference ref_id="sysctl_net_ipv4_conf_all_accept_redirects" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="net.ipv4.conf.all.accept_redirects configuration setting check" definition_ref="oval:ssg-sysctl_net_ipv4_conf_all_accept_redirects_static:def:1"/>
-            <oval-def:extend_definition comment="net.ipv4.conf.all.accept_redirects runtime setting check" definition_ref="oval:ssg-sysctl_net_ipv4_conf_all_accept_redirects_runtime:def:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_conf_all_accept_redirects_runtime:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Disable Accepting ICMP Redirects for All IPv4 Interfaces</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'net.ipv4.conf.all.accept_redirects' parameter should be set to the appropriate value in the system runtime.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_net_ipv4_conf_all_accept_redirects_runtime" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="kernel runtime parameter net.ipv4.conf.all.accept_redirects set to the appropriate value" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_all_accept_redirects_runtime:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_conf_all_accept_redirects_static:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Disable Accepting ICMP Redirects for All IPv4 Interfaces</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'net.ipv4.conf.all.accept_redirects' parameter should be set to the appropriate value in the system configuration.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_net_ipv4_conf_all_accept_redirects_static" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="kernel static parameter net.ipv4.conf.all.accept_redirects set to the appropriate value in /etc/sysctl.conf" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_all_accept_redirects_static:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter net.ipv4.conf.all.accept_redirects set to the appropriate value in /etc/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_all_accept_redirects_static_etc_sysctld:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter net.ipv4.conf.all.accept_redirects set to the appropriate value in /run/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_all_accept_redirects_static_run_sysctld:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criterion comment="Check that net_ipv4_conf_all_accept_redirects is defined in only one file" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_all_accept_redirects_defined_in_one_file:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_conf_all_accept_source_route:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The 'net.ipv4.conf.all.accept_source_route' kernel parameter should be set to the appropriate value in both system configuration and system runtime.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82478-9" source="CCE"/>
-            <oval-def:reference ref_id="sysctl_net_ipv4_conf_all_accept_source_route" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="net.ipv4.conf.all.accept_source_route configuration setting check" definition_ref="oval:ssg-sysctl_net_ipv4_conf_all_accept_source_route_static:def:1"/>
-            <oval-def:extend_definition comment="net.ipv4.conf.all.accept_source_route runtime setting check" definition_ref="oval:ssg-sysctl_net_ipv4_conf_all_accept_source_route_runtime:def:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_conf_all_accept_source_route_runtime:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'net.ipv4.conf.all.accept_source_route' parameter should be set to the appropriate value in the system runtime.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_net_ipv4_conf_all_accept_source_route_runtime" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="kernel runtime parameter net.ipv4.conf.all.accept_source_route set to the appropriate value" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_all_accept_source_route_runtime:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_conf_all_accept_source_route_static:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'net.ipv4.conf.all.accept_source_route' parameter should be set to the appropriate value in the system configuration.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_net_ipv4_conf_all_accept_source_route_static" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="kernel static parameter net.ipv4.conf.all.accept_source_route set to the appropriate value in /etc/sysctl.conf" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_all_accept_source_route_static:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter net.ipv4.conf.all.accept_source_route set to the appropriate value in /etc/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_all_accept_source_route_static_etc_sysctld:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter net.ipv4.conf.all.accept_source_route set to the appropriate value in /run/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_all_accept_source_route_static_run_sysctld:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criterion comment="Check that net_ipv4_conf_all_accept_source_route is defined in only one file" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_all_accept_source_route_defined_in_one_file:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_conf_all_arp_filter:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Configure ARP filtering for All IPv4 Interfaces</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The 'net.ipv4.conf.all.arp_filter' kernel parameter should be set to the appropriate value in both system configuration and system runtime.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_net_ipv4_conf_all_arp_filter" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="net.ipv4.conf.all.arp_filter configuration setting check" definition_ref="oval:ssg-sysctl_net_ipv4_conf_all_arp_filter_static:def:1"/>
-            <oval-def:extend_definition comment="net.ipv4.conf.all.arp_filter runtime setting check" definition_ref="oval:ssg-sysctl_net_ipv4_conf_all_arp_filter_runtime:def:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_conf_all_arp_filter_runtime:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Configure ARP filtering for All IPv4 Interfaces</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'net.ipv4.conf.all.arp_filter' parameter should be set to the appropriate value in the system runtime.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_net_ipv4_conf_all_arp_filter_runtime" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="kernel runtime parameter net.ipv4.conf.all.arp_filter set to the appropriate value" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_all_arp_filter_runtime:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_conf_all_arp_filter_static:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Configure ARP filtering for All IPv4 Interfaces</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'net.ipv4.conf.all.arp_filter' parameter should be set to the appropriate value in the system configuration.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_net_ipv4_conf_all_arp_filter_static" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="kernel static parameter net.ipv4.conf.all.arp_filter set to the appropriate value in /etc/sysctl.conf" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_all_arp_filter_static:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter net.ipv4.conf.all.arp_filter set to the appropriate value in /etc/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_all_arp_filter_static_etc_sysctld:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter net.ipv4.conf.all.arp_filter set to the appropriate value in /run/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_all_arp_filter_static_run_sysctld:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criterion comment="Check that net_ipv4_conf_all_arp_filter is defined in only one file" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_all_arp_filter_defined_in_one_file:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_conf_all_arp_ignore:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Configure Response Mode of ARP Requests for All IPv4 Interfaces</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The 'net.ipv4.conf.all.arp_ignore' kernel parameter should be set to the appropriate value in both system configuration and system runtime.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_net_ipv4_conf_all_arp_ignore" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="net.ipv4.conf.all.arp_ignore configuration setting check" definition_ref="oval:ssg-sysctl_net_ipv4_conf_all_arp_ignore_static:def:1"/>
-            <oval-def:extend_definition comment="net.ipv4.conf.all.arp_ignore runtime setting check" definition_ref="oval:ssg-sysctl_net_ipv4_conf_all_arp_ignore_runtime:def:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_conf_all_arp_ignore_runtime:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Configure Response Mode of ARP Requests for All IPv4 Interfaces</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'net.ipv4.conf.all.arp_ignore' parameter should be set to the appropriate value in the system runtime.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_net_ipv4_conf_all_arp_ignore_runtime" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="kernel runtime parameter net.ipv4.conf.all.arp_ignore set to the appropriate value" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_all_arp_ignore_runtime:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_conf_all_arp_ignore_static:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Configure Response Mode of ARP Requests for All IPv4 Interfaces</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'net.ipv4.conf.all.arp_ignore' parameter should be set to the appropriate value in the system configuration.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_net_ipv4_conf_all_arp_ignore_static" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="kernel static parameter net.ipv4.conf.all.arp_ignore set to the appropriate value in /etc/sysctl.conf" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_all_arp_ignore_static:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter net.ipv4.conf.all.arp_ignore set to the appropriate value in /etc/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_all_arp_ignore_static_etc_sysctld:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter net.ipv4.conf.all.arp_ignore set to the appropriate value in /run/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_all_arp_ignore_static_run_sysctld:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criterion comment="Check that net_ipv4_conf_all_arp_ignore is defined in only one file" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_all_arp_ignore_defined_in_one_file:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_conf_all_log_martians:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The 'net.ipv4.conf.all.log_martians' kernel parameter should be set to the appropriate value in both system configuration and system runtime.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82486-2" source="CCE"/>
-            <oval-def:reference ref_id="sysctl_net_ipv4_conf_all_log_martians" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="net.ipv4.conf.all.log_martians configuration setting check" definition_ref="oval:ssg-sysctl_net_ipv4_conf_all_log_martians_static:def:1"/>
-            <oval-def:extend_definition comment="net.ipv4.conf.all.log_martians runtime setting check" definition_ref="oval:ssg-sysctl_net_ipv4_conf_all_log_martians_runtime:def:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_conf_all_log_martians_runtime:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'net.ipv4.conf.all.log_martians' parameter should be set to the appropriate value in the system runtime.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_net_ipv4_conf_all_log_martians_runtime" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="kernel runtime parameter net.ipv4.conf.all.log_martians set to the appropriate value" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_all_log_martians_runtime:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_conf_all_log_martians_static:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'net.ipv4.conf.all.log_martians' parameter should be set to the appropriate value in the system configuration.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_net_ipv4_conf_all_log_martians_static" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="kernel static parameter net.ipv4.conf.all.log_martians set to the appropriate value in /etc/sysctl.conf" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_all_log_martians_static:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter net.ipv4.conf.all.log_martians set to the appropriate value in /etc/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_all_log_martians_static_etc_sysctld:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter net.ipv4.conf.all.log_martians set to the appropriate value in /run/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_all_log_martians_static_run_sysctld:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criterion comment="Check that net_ipv4_conf_all_log_martians is defined in only one file" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_all_log_martians_defined_in_one_file:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_conf_all_route_localnet:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Prevent Routing External Traffic to Local Loopback on All IPv4 Interfaces</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The 'net.ipv4.conf.all.route_localnet' kernel parameter should be set to the appropriate value in both system configuration and system runtime.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_net_ipv4_conf_all_route_localnet" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="net.ipv4.conf.all.route_localnet configuration setting check" definition_ref="oval:ssg-sysctl_net_ipv4_conf_all_route_localnet_static:def:1"/>
-            <oval-def:extend_definition comment="net.ipv4.conf.all.route_localnet runtime setting check" definition_ref="oval:ssg-sysctl_net_ipv4_conf_all_route_localnet_runtime:def:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_conf_all_route_localnet_runtime:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Prevent Routing External Traffic to Local Loopback on All IPv4 Interfaces</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'net.ipv4.conf.all.route_localnet' parameter should be set to 0 in the system runtime.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_net_ipv4_conf_all_route_localnet_runtime" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="kernel runtime parameter net.ipv4.conf.all.route_localnet set to 0" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_all_route_localnet_runtime:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_conf_all_route_localnet_static:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Prevent Routing External Traffic to Local Loopback on All IPv4 Interfaces</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'net.ipv4.conf.all.route_localnet' parameter should be set to 0 in the system configuration.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_net_ipv4_conf_all_route_localnet_static" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="kernel static parameter net.ipv4.conf.all.route_localnet set to 0 in /etc/sysctl.conf" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_all_route_localnet_static:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter net.ipv4.conf.all.route_localnet set to 0 in /etc/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_all_route_localnet_static_etc_sysctld:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter net.ipv4.conf.all.route_localnet set to 0 in /run/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_all_route_localnet_static_run_sysctld:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criterion comment="Check that net_ipv4_conf_all_route_localnet is defined in only one file" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_all_route_localnet_defined_in_one_file:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_conf_all_rp_filter:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The 'net.ipv4.conf.all.rp_filter' kernel parameter should be set to the appropriate value in both system configuration and system runtime.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82488-8" source="CCE"/>
-            <oval-def:reference ref_id="sysctl_net_ipv4_conf_all_rp_filter" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="net.ipv4.conf.all.rp_filter configuration setting check" definition_ref="oval:ssg-sysctl_net_ipv4_conf_all_rp_filter_static:def:1"/>
-            <oval-def:extend_definition comment="net.ipv4.conf.all.rp_filter runtime setting check" definition_ref="oval:ssg-sysctl_net_ipv4_conf_all_rp_filter_runtime:def:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_conf_all_rp_filter_runtime:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'net.ipv4.conf.all.rp_filter' parameter should be set to the appropriate value in the system runtime.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_net_ipv4_conf_all_rp_filter_runtime" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="kernel runtime parameter net.ipv4.conf.all.rp_filter set to the appropriate value" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_all_rp_filter_runtime:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_conf_all_rp_filter_static:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'net.ipv4.conf.all.rp_filter' parameter should be set to the appropriate value in the system configuration.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_net_ipv4_conf_all_rp_filter_static" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="kernel static parameter net.ipv4.conf.all.rp_filter set to the appropriate value in /etc/sysctl.conf" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_all_rp_filter_static:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter net.ipv4.conf.all.rp_filter set to the appropriate value in /etc/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_all_rp_filter_static_etc_sysctld:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter net.ipv4.conf.all.rp_filter set to the appropriate value in /run/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_all_rp_filter_static_run_sysctld:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criterion comment="Check that net_ipv4_conf_all_rp_filter is defined in only one file" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_all_rp_filter_defined_in_one_file:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_conf_all_secure_redirects:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The 'net.ipv4.conf.all.secure_redirects' kernel parameter should be set to the appropriate value in both system configuration and system runtime.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82482-1" source="CCE"/>
-            <oval-def:reference ref_id="sysctl_net_ipv4_conf_all_secure_redirects" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="net.ipv4.conf.all.secure_redirects configuration setting check" definition_ref="oval:ssg-sysctl_net_ipv4_conf_all_secure_redirects_static:def:1"/>
-            <oval-def:extend_definition comment="net.ipv4.conf.all.secure_redirects runtime setting check" definition_ref="oval:ssg-sysctl_net_ipv4_conf_all_secure_redirects_runtime:def:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_conf_all_secure_redirects_runtime:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'net.ipv4.conf.all.secure_redirects' parameter should be set to the appropriate value in the system runtime.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_net_ipv4_conf_all_secure_redirects_runtime" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="kernel runtime parameter net.ipv4.conf.all.secure_redirects set to the appropriate value" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_all_secure_redirects_runtime:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_conf_all_secure_redirects_static:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'net.ipv4.conf.all.secure_redirects' parameter should be set to the appropriate value in the system configuration.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_net_ipv4_conf_all_secure_redirects_static" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="kernel static parameter net.ipv4.conf.all.secure_redirects set to the appropriate value in /etc/sysctl.conf" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_all_secure_redirects_static:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter net.ipv4.conf.all.secure_redirects set to the appropriate value in /etc/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_all_secure_redirects_static_etc_sysctld:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter net.ipv4.conf.all.secure_redirects set to the appropriate value in /run/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_all_secure_redirects_static_run_sysctld:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criterion comment="Check that net_ipv4_conf_all_secure_redirects is defined in only one file" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_all_secure_redirects_defined_in_one_file:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_conf_all_send_redirects:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The 'net.ipv4.conf.all.send_redirects' kernel parameter should be set to the appropriate value in both system configuration and system runtime.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82484-7" source="CCE"/>
-            <oval-def:reference ref_id="sysctl_net_ipv4_conf_all_send_redirects" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="net.ipv4.conf.all.send_redirects configuration setting check" definition_ref="oval:ssg-sysctl_net_ipv4_conf_all_send_redirects_static:def:1"/>
-            <oval-def:extend_definition comment="net.ipv4.conf.all.send_redirects runtime setting check" definition_ref="oval:ssg-sysctl_net_ipv4_conf_all_send_redirects_runtime:def:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_conf_all_send_redirects_runtime:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'net.ipv4.conf.all.send_redirects' parameter should be set to 0 in the system runtime.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_net_ipv4_conf_all_send_redirects_runtime" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="kernel runtime parameter net.ipv4.conf.all.send_redirects set to 0" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_all_send_redirects_runtime:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_conf_all_send_redirects_static:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'net.ipv4.conf.all.send_redirects' parameter should be set to 0 in the system configuration.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_net_ipv4_conf_all_send_redirects_static" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="kernel static parameter net.ipv4.conf.all.send_redirects set to 0 in /etc/sysctl.conf" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_all_send_redirects_static:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter net.ipv4.conf.all.send_redirects set to 0 in /etc/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_all_send_redirects_static_etc_sysctld:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter net.ipv4.conf.all.send_redirects set to 0 in /run/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_all_send_redirects_static_run_sysctld:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criterion comment="Check that net_ipv4_conf_all_send_redirects is defined in only one file" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_all_send_redirects_defined_in_one_file:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_conf_all_shared_media:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Configure Sending and Accepting Shared Media Redirects for All IPv4 Interfaces</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The 'net.ipv4.conf.all.shared_media' kernel parameter should be set to the appropriate value in both system configuration and system runtime.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_net_ipv4_conf_all_shared_media" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="net.ipv4.conf.all.shared_media configuration setting check" definition_ref="oval:ssg-sysctl_net_ipv4_conf_all_shared_media_static:def:1"/>
-            <oval-def:extend_definition comment="net.ipv4.conf.all.shared_media runtime setting check" definition_ref="oval:ssg-sysctl_net_ipv4_conf_all_shared_media_runtime:def:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_conf_all_shared_media_runtime:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Configure Sending and Accepting Shared Media Redirects for All IPv4 Interfaces</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'net.ipv4.conf.all.shared_media' parameter should be set to the appropriate value in the system runtime.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_net_ipv4_conf_all_shared_media_runtime" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="kernel runtime parameter net.ipv4.conf.all.shared_media set to the appropriate value" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_all_shared_media_runtime:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_conf_all_shared_media_static:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Configure Sending and Accepting Shared Media Redirects for All IPv4 Interfaces</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'net.ipv4.conf.all.shared_media' parameter should be set to the appropriate value in the system configuration.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_net_ipv4_conf_all_shared_media_static" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="kernel static parameter net.ipv4.conf.all.shared_media set to the appropriate value in /etc/sysctl.conf" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_all_shared_media_static:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter net.ipv4.conf.all.shared_media set to the appropriate value in /etc/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_all_shared_media_static_etc_sysctld:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter net.ipv4.conf.all.shared_media set to the appropriate value in /run/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_all_shared_media_static_run_sysctld:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criterion comment="Check that net_ipv4_conf_all_shared_media is defined in only one file" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_all_shared_media_defined_in_one_file:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_conf_default_accept_redirects:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The 'net.ipv4.conf.default.accept_redirects' kernel parameter should be set to the appropriate value in both system configuration and system runtime.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82470-6" source="CCE"/>
-            <oval-def:reference ref_id="sysctl_net_ipv4_conf_default_accept_redirects" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="net.ipv4.conf.default.accept_redirects configuration setting check" definition_ref="oval:ssg-sysctl_net_ipv4_conf_default_accept_redirects_static:def:1"/>
-            <oval-def:extend_definition comment="net.ipv4.conf.default.accept_redirects runtime setting check" definition_ref="oval:ssg-sysctl_net_ipv4_conf_default_accept_redirects_runtime:def:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_conf_default_accept_redirects_runtime:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'net.ipv4.conf.default.accept_redirects' parameter should be set to the appropriate value in the system runtime.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_net_ipv4_conf_default_accept_redirects_runtime" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="kernel runtime parameter net.ipv4.conf.default.accept_redirects set to the appropriate value" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_default_accept_redirects_runtime:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_conf_default_accept_redirects_static:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'net.ipv4.conf.default.accept_redirects' parameter should be set to the appropriate value in the system configuration.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_net_ipv4_conf_default_accept_redirects_static" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="kernel static parameter net.ipv4.conf.default.accept_redirects set to the appropriate value in /etc/sysctl.conf" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_default_accept_redirects_static:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter net.ipv4.conf.default.accept_redirects set to the appropriate value in /etc/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_default_accept_redirects_static_etc_sysctld:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter net.ipv4.conf.default.accept_redirects set to the appropriate value in /run/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_default_accept_redirects_static_run_sysctld:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criterion comment="Check that net_ipv4_conf_default_accept_redirects is defined in only one file" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_default_accept_redirects_defined_in_one_file:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_conf_default_accept_source_route:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The 'net.ipv4.conf.default.accept_source_route' kernel parameter should be set to the appropriate value in both system configuration and system runtime.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82479-7" source="CCE"/>
-            <oval-def:reference ref_id="sysctl_net_ipv4_conf_default_accept_source_route" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="net.ipv4.conf.default.accept_source_route configuration setting check" definition_ref="oval:ssg-sysctl_net_ipv4_conf_default_accept_source_route_static:def:1"/>
-            <oval-def:extend_definition comment="net.ipv4.conf.default.accept_source_route runtime setting check" definition_ref="oval:ssg-sysctl_net_ipv4_conf_default_accept_source_route_runtime:def:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_conf_default_accept_source_route_runtime:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'net.ipv4.conf.default.accept_source_route' parameter should be set to the appropriate value in the system runtime.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_net_ipv4_conf_default_accept_source_route_runtime" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="kernel runtime parameter net.ipv4.conf.default.accept_source_route set to the appropriate value" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_default_accept_source_route_runtime:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_conf_default_accept_source_route_static:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'net.ipv4.conf.default.accept_source_route' parameter should be set to the appropriate value in the system configuration.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_net_ipv4_conf_default_accept_source_route_static" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="kernel static parameter net.ipv4.conf.default.accept_source_route set to the appropriate value in /etc/sysctl.conf" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_default_accept_source_route_static:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter net.ipv4.conf.default.accept_source_route set to the appropriate value in /etc/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_default_accept_source_route_static_etc_sysctld:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter net.ipv4.conf.default.accept_source_route set to the appropriate value in /run/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_default_accept_source_route_static_run_sysctld:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criterion comment="Check that net_ipv4_conf_default_accept_source_route is defined in only one file" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_default_accept_source_route_defined_in_one_file:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_conf_default_log_martians:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Default</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The 'net.ipv4.conf.default.log_martians' kernel parameter should be set to the appropriate value in both system configuration and system runtime.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82487-0" source="CCE"/>
-            <oval-def:reference ref_id="sysctl_net_ipv4_conf_default_log_martians" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="net.ipv4.conf.default.log_martians configuration setting check" definition_ref="oval:ssg-sysctl_net_ipv4_conf_default_log_martians_static:def:1"/>
-            <oval-def:extend_definition comment="net.ipv4.conf.default.log_martians runtime setting check" definition_ref="oval:ssg-sysctl_net_ipv4_conf_default_log_martians_runtime:def:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_conf_default_log_martians_runtime:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Default</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'net.ipv4.conf.default.log_martians' parameter should be set to the appropriate value in the system runtime.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_net_ipv4_conf_default_log_martians_runtime" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="kernel runtime parameter net.ipv4.conf.default.log_martians set to the appropriate value" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_default_log_martians_runtime:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_conf_default_log_martians_static:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Default</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'net.ipv4.conf.default.log_martians' parameter should be set to the appropriate value in the system configuration.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_net_ipv4_conf_default_log_martians_static" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="kernel static parameter net.ipv4.conf.default.log_martians set to the appropriate value in /etc/sysctl.conf" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_default_log_martians_static:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter net.ipv4.conf.default.log_martians set to the appropriate value in /etc/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_default_log_martians_static_etc_sysctld:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter net.ipv4.conf.default.log_martians set to the appropriate value in /run/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_default_log_martians_static_run_sysctld:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criterion comment="Check that net_ipv4_conf_default_log_martians is defined in only one file" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_default_log_martians_defined_in_one_file:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_conf_default_rp_filter:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The 'net.ipv4.conf.default.rp_filter' kernel parameter should be set to the appropriate value in both system configuration and system runtime.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82489-6" source="CCE"/>
-            <oval-def:reference ref_id="sysctl_net_ipv4_conf_default_rp_filter" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="net.ipv4.conf.default.rp_filter configuration setting check" definition_ref="oval:ssg-sysctl_net_ipv4_conf_default_rp_filter_static:def:1"/>
-            <oval-def:extend_definition comment="net.ipv4.conf.default.rp_filter runtime setting check" definition_ref="oval:ssg-sysctl_net_ipv4_conf_default_rp_filter_runtime:def:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_conf_default_rp_filter_runtime:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'net.ipv4.conf.default.rp_filter' parameter should be set to the appropriate value in the system runtime.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_net_ipv4_conf_default_rp_filter_runtime" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="kernel runtime parameter net.ipv4.conf.default.rp_filter set to the appropriate value" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_default_rp_filter_runtime:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_conf_default_rp_filter_static:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'net.ipv4.conf.default.rp_filter' parameter should be set to the appropriate value in the system configuration.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_net_ipv4_conf_default_rp_filter_static" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="kernel static parameter net.ipv4.conf.default.rp_filter set to the appropriate value in /etc/sysctl.conf" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_default_rp_filter_static:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter net.ipv4.conf.default.rp_filter set to the appropriate value in /etc/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_default_rp_filter_static_etc_sysctld:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter net.ipv4.conf.default.rp_filter set to the appropriate value in /run/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_default_rp_filter_static_run_sysctld:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criterion comment="Check that net_ipv4_conf_default_rp_filter is defined in only one file" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_default_rp_filter_defined_in_one_file:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_conf_default_secure_redirects:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Configure Kernel Parameter for Accepting Secure Redirects By Default</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The 'net.ipv4.conf.default.secure_redirects' kernel parameter should be set to the appropriate value in both system configuration and system runtime.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82483-9" source="CCE"/>
-            <oval-def:reference ref_id="sysctl_net_ipv4_conf_default_secure_redirects" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="net.ipv4.conf.default.secure_redirects configuration setting check" definition_ref="oval:ssg-sysctl_net_ipv4_conf_default_secure_redirects_static:def:1"/>
-            <oval-def:extend_definition comment="net.ipv4.conf.default.secure_redirects runtime setting check" definition_ref="oval:ssg-sysctl_net_ipv4_conf_default_secure_redirects_runtime:def:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_conf_default_secure_redirects_runtime:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Configure Kernel Parameter for Accepting Secure Redirects By Default</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'net.ipv4.conf.default.secure_redirects' parameter should be set to the appropriate value in the system runtime.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_net_ipv4_conf_default_secure_redirects_runtime" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="kernel runtime parameter net.ipv4.conf.default.secure_redirects set to the appropriate value" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_default_secure_redirects_runtime:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_conf_default_secure_redirects_static:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Configure Kernel Parameter for Accepting Secure Redirects By Default</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'net.ipv4.conf.default.secure_redirects' parameter should be set to the appropriate value in the system configuration.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_net_ipv4_conf_default_secure_redirects_static" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="kernel static parameter net.ipv4.conf.default.secure_redirects set to the appropriate value in /etc/sysctl.conf" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_default_secure_redirects_static:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter net.ipv4.conf.default.secure_redirects set to the appropriate value in /etc/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_default_secure_redirects_static_etc_sysctld:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter net.ipv4.conf.default.secure_redirects set to the appropriate value in /run/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_default_secure_redirects_static_run_sysctld:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criterion comment="Check that net_ipv4_conf_default_secure_redirects is defined in only one file" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_default_secure_redirects_defined_in_one_file:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_conf_default_send_redirects:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The 'net.ipv4.conf.default.send_redirects' kernel parameter should be set to the appropriate value in both system configuration and system runtime.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82485-4" source="CCE"/>
-            <oval-def:reference ref_id="sysctl_net_ipv4_conf_default_send_redirects" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="net.ipv4.conf.default.send_redirects configuration setting check" definition_ref="oval:ssg-sysctl_net_ipv4_conf_default_send_redirects_static:def:1"/>
-            <oval-def:extend_definition comment="net.ipv4.conf.default.send_redirects runtime setting check" definition_ref="oval:ssg-sysctl_net_ipv4_conf_default_send_redirects_runtime:def:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_conf_default_send_redirects_runtime:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'net.ipv4.conf.default.send_redirects' parameter should be set to 0 in the system runtime.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_net_ipv4_conf_default_send_redirects_runtime" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="kernel runtime parameter net.ipv4.conf.default.send_redirects set to 0" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_default_send_redirects_runtime:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_conf_default_send_redirects_static:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'net.ipv4.conf.default.send_redirects' parameter should be set to 0 in the system configuration.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_net_ipv4_conf_default_send_redirects_static" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="kernel static parameter net.ipv4.conf.default.send_redirects set to 0 in /etc/sysctl.conf" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_default_send_redirects_static:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter net.ipv4.conf.default.send_redirects set to 0 in /etc/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_default_send_redirects_static_etc_sysctld:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter net.ipv4.conf.default.send_redirects set to 0 in /run/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_default_send_redirects_static_run_sysctld:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criterion comment="Check that net_ipv4_conf_default_send_redirects is defined in only one file" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_default_send_redirects_defined_in_one_file:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_conf_default_shared_media:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Configure Sending and Accepting Shared Media Redirects by Default</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The 'net.ipv4.conf.default.shared_media' kernel parameter should be set to the appropriate value in both system configuration and system runtime.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_net_ipv4_conf_default_shared_media" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="net.ipv4.conf.default.shared_media configuration setting check" definition_ref="oval:ssg-sysctl_net_ipv4_conf_default_shared_media_static:def:1"/>
-            <oval-def:extend_definition comment="net.ipv4.conf.default.shared_media runtime setting check" definition_ref="oval:ssg-sysctl_net_ipv4_conf_default_shared_media_runtime:def:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_conf_default_shared_media_runtime:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Configure Sending and Accepting Shared Media Redirects by Default</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'net.ipv4.conf.default.shared_media' parameter should be set to the appropriate value in the system runtime.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_net_ipv4_conf_default_shared_media_runtime" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="kernel runtime parameter net.ipv4.conf.default.shared_media set to the appropriate value" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_default_shared_media_runtime:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_conf_default_shared_media_static:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Configure Sending and Accepting Shared Media Redirects by Default</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'net.ipv4.conf.default.shared_media' parameter should be set to the appropriate value in the system configuration.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_net_ipv4_conf_default_shared_media_static" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="kernel static parameter net.ipv4.conf.default.shared_media set to the appropriate value in /etc/sysctl.conf" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_default_shared_media_static:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter net.ipv4.conf.default.shared_media set to the appropriate value in /etc/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_default_shared_media_static_etc_sysctld:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter net.ipv4.conf.default.shared_media set to the appropriate value in /run/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_default_shared_media_static_run_sysctld:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criterion comment="Check that net_ipv4_conf_default_shared_media is defined in only one file" test_ref="oval:ssg-test_sysctl_net_ipv4_conf_default_shared_media_defined_in_one_file:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_icmp_echo_ignore_broadcasts:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The 'net.ipv4.icmp_echo_ignore_broadcasts' kernel parameter should be set to the appropriate value in both system configuration and system runtime.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82491-2" source="CCE"/>
-            <oval-def:reference ref_id="sysctl_net_ipv4_icmp_echo_ignore_broadcasts" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="net.ipv4.icmp_echo_ignore_broadcasts configuration setting check" definition_ref="oval:ssg-sysctl_net_ipv4_icmp_echo_ignore_broadcasts_static:def:1"/>
-            <oval-def:extend_definition comment="net.ipv4.icmp_echo_ignore_broadcasts runtime setting check" definition_ref="oval:ssg-sysctl_net_ipv4_icmp_echo_ignore_broadcasts_runtime:def:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_icmp_echo_ignore_broadcasts_runtime:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'net.ipv4.icmp_echo_ignore_broadcasts' parameter should be set to the appropriate value in the system runtime.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_net_ipv4_icmp_echo_ignore_broadcasts_runtime" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="kernel runtime parameter net.ipv4.icmp_echo_ignore_broadcasts set to the appropriate value" test_ref="oval:ssg-test_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_runtime:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_icmp_echo_ignore_broadcasts_static:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'net.ipv4.icmp_echo_ignore_broadcasts' parameter should be set to the appropriate value in the system configuration.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_net_ipv4_icmp_echo_ignore_broadcasts_static" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="kernel static parameter net.ipv4.icmp_echo_ignore_broadcasts set to the appropriate value in /etc/sysctl.conf" test_ref="oval:ssg-test_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_static:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter net.ipv4.icmp_echo_ignore_broadcasts set to the appropriate value in /etc/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_static_etc_sysctld:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter net.ipv4.icmp_echo_ignore_broadcasts set to the appropriate value in /run/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_static_run_sysctld:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criterion comment="Check that net_ipv4_icmp_echo_ignore_broadcasts is defined in only one file" test_ref="oval:ssg-test_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_defined_in_one_file:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_icmp_ignore_bogus_error_responses:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The 'net.ipv4.icmp_ignore_bogus_error_responses' kernel parameter should be set to the appropriate value in both system configuration and system runtime.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82490-4" source="CCE"/>
-            <oval-def:reference ref_id="sysctl_net_ipv4_icmp_ignore_bogus_error_responses" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="net.ipv4.icmp_ignore_bogus_error_responses configuration setting check" definition_ref="oval:ssg-sysctl_net_ipv4_icmp_ignore_bogus_error_responses_static:def:1"/>
-            <oval-def:extend_definition comment="net.ipv4.icmp_ignore_bogus_error_responses runtime setting check" definition_ref="oval:ssg-sysctl_net_ipv4_icmp_ignore_bogus_error_responses_runtime:def:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_icmp_ignore_bogus_error_responses_runtime:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'net.ipv4.icmp_ignore_bogus_error_responses' parameter should be set to the appropriate value in the system runtime.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_net_ipv4_icmp_ignore_bogus_error_responses_runtime" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="kernel runtime parameter net.ipv4.icmp_ignore_bogus_error_responses set to the appropriate value" test_ref="oval:ssg-test_sysctl_net_ipv4_icmp_ignore_bogus_error_responses_runtime:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_icmp_ignore_bogus_error_responses_static:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'net.ipv4.icmp_ignore_bogus_error_responses' parameter should be set to the appropriate value in the system configuration.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_net_ipv4_icmp_ignore_bogus_error_responses_static" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="kernel static parameter net.ipv4.icmp_ignore_bogus_error_responses set to the appropriate value in /etc/sysctl.conf" test_ref="oval:ssg-test_sysctl_net_ipv4_icmp_ignore_bogus_error_responses_static:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter net.ipv4.icmp_ignore_bogus_error_responses set to the appropriate value in /etc/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_net_ipv4_icmp_ignore_bogus_error_responses_static_etc_sysctld:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter net.ipv4.icmp_ignore_bogus_error_responses set to the appropriate value in /run/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_net_ipv4_icmp_ignore_bogus_error_responses_static_run_sysctld:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criterion comment="Check that net_ipv4_icmp_ignore_bogus_error_responses is defined in only one file" test_ref="oval:ssg-test_sysctl_net_ipv4_icmp_ignore_bogus_error_responses_defined_in_one_file:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_ip_forward:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The 'net.ipv4.ip_forward' kernel parameter should be set to the appropriate value in both system configuration and system runtime.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_net_ipv4_ip_forward" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="net.ipv4.ip_forward configuration setting check" definition_ref="oval:ssg-sysctl_net_ipv4_ip_forward_static:def:1"/>
-            <oval-def:extend_definition comment="net.ipv4.ip_forward runtime setting check" definition_ref="oval:ssg-sysctl_net_ipv4_ip_forward_runtime:def:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_ip_forward_runtime:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'net.ipv4.ip_forward' parameter should be set to 0 in the system runtime.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_net_ipv4_ip_forward_runtime" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="kernel runtime parameter net.ipv4.ip_forward set to 0" test_ref="oval:ssg-test_sysctl_net_ipv4_ip_forward_runtime:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_ip_forward_static:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'net.ipv4.ip_forward' parameter should be set to 0 in the system configuration.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_net_ipv4_ip_forward_static" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="kernel static parameter net.ipv4.ip_forward set to 0 in /etc/sysctl.conf" test_ref="oval:ssg-test_sysctl_net_ipv4_ip_forward_static:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter net.ipv4.ip_forward set to 0 in /etc/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_net_ipv4_ip_forward_static_etc_sysctld:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter net.ipv4.ip_forward set to 0 in /run/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_net_ipv4_ip_forward_static_run_sysctld:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criterion comment="Check that net_ipv4_ip_forward is defined in only one file" test_ref="oval:ssg-test_sysctl_net_ipv4_ip_forward_defined_in_one_file:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_tcp_invalid_ratelimit:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Configure Kernel to Rate Limit Sending of Duplicate TCP Acknowledgments</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The 'net.ipv4.tcp_invalid_ratelimit' kernel parameter should be set to the appropriate value in both system configuration and system runtime.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_net_ipv4_tcp_invalid_ratelimit" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="net.ipv4.tcp_invalid_ratelimit configuration setting check" definition_ref="oval:ssg-sysctl_net_ipv4_tcp_invalid_ratelimit_static:def:1"/>
-            <oval-def:extend_definition comment="net.ipv4.tcp_invalid_ratelimit runtime setting check" definition_ref="oval:ssg-sysctl_net_ipv4_tcp_invalid_ratelimit_runtime:def:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_tcp_invalid_ratelimit_runtime:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Configure Kernel to Rate Limit Sending of Duplicate TCP Acknowledgments</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'net.ipv4.tcp_invalid_ratelimit' parameter should be set to the appropriate value in the system runtime.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_net_ipv4_tcp_invalid_ratelimit_runtime" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="kernel runtime parameter net.ipv4.tcp_invalid_ratelimit set to the appropriate value" test_ref="oval:ssg-test_sysctl_net_ipv4_tcp_invalid_ratelimit_runtime:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_tcp_invalid_ratelimit_static:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Configure Kernel to Rate Limit Sending of Duplicate TCP Acknowledgments</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'net.ipv4.tcp_invalid_ratelimit' parameter should be set to the appropriate value in the system configuration.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_net_ipv4_tcp_invalid_ratelimit_static" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="kernel static parameter net.ipv4.tcp_invalid_ratelimit set to the appropriate value in /etc/sysctl.conf" test_ref="oval:ssg-test_sysctl_net_ipv4_tcp_invalid_ratelimit_static:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter net.ipv4.tcp_invalid_ratelimit set to the appropriate value in /etc/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_net_ipv4_tcp_invalid_ratelimit_static_etc_sysctld:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter net.ipv4.tcp_invalid_ratelimit set to the appropriate value in /run/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_net_ipv4_tcp_invalid_ratelimit_static_run_sysctld:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criterion comment="Check that net_ipv4_tcp_invalid_ratelimit is defined in only one file" test_ref="oval:ssg-test_sysctl_net_ipv4_tcp_invalid_ratelimit_defined_in_one_file:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_tcp_syncookies:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The 'net.ipv4.tcp_syncookies' kernel parameter should be set to the appropriate value in both system configuration and system runtime.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82492-0" source="CCE"/>
-            <oval-def:reference ref_id="sysctl_net_ipv4_tcp_syncookies" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="net.ipv4.tcp_syncookies configuration setting check" definition_ref="oval:ssg-sysctl_net_ipv4_tcp_syncookies_static:def:1"/>
-            <oval-def:extend_definition comment="net.ipv4.tcp_syncookies runtime setting check" definition_ref="oval:ssg-sysctl_net_ipv4_tcp_syncookies_runtime:def:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_tcp_syncookies_runtime:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'net.ipv4.tcp_syncookies' parameter should be set to the appropriate value in the system runtime.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_net_ipv4_tcp_syncookies_runtime" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="kernel runtime parameter net.ipv4.tcp_syncookies set to the appropriate value" test_ref="oval:ssg-test_sysctl_net_ipv4_tcp_syncookies_runtime:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv4_tcp_syncookies_static:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'net.ipv4.tcp_syncookies' parameter should be set to the appropriate value in the system configuration.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_net_ipv4_tcp_syncookies_static" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="kernel static parameter net.ipv4.tcp_syncookies set to the appropriate value in /etc/sysctl.conf" test_ref="oval:ssg-test_sysctl_net_ipv4_tcp_syncookies_static:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter net.ipv4.tcp_syncookies set to the appropriate value in /etc/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_net_ipv4_tcp_syncookies_static_etc_sysctld:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter net.ipv4.tcp_syncookies set to the appropriate value in /run/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_net_ipv4_tcp_syncookies_static_run_sysctld:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criterion comment="Check that net_ipv4_tcp_syncookies is defined in only one file" test_ref="oval:ssg-test_sysctl_net_ipv4_tcp_syncookies_defined_in_one_file:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv6_conf_all_accept_ra:def:1" version="4">
-          <oval-def:metadata>
-            <oval-def:title>Configure Accepting Router Advertisements on All IPv6 Interfaces</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'net.ipv6.conf.all.accept_ra' parameter should be set to the appropriate value in both system configuration and system runtime.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82467-2" source="CCE"/>
-            <oval-def:reference ref_id="sysctl_net_ipv6_conf_all_accept_ra" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="IPv6 disabled or net.ipv6.conf.all.accept_ra set correctly" operator="OR">
-            <oval-def:extend_definition comment="is IPv6 enabled?" definition_ref="oval:ssg-sysctl_kernel_ipv6_disable:def:1"/>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="net.ipv6.conf.all.accept_ra configuration setting check" definition_ref="oval:ssg-sysctl_net_ipv6_conf_all_accept_ra_static:def:1"/>
-              <oval-def:extend_definition comment="net.ipv6.conf.all.accept_ra runtime setting check" definition_ref="oval:ssg-sysctl_net_ipv6_conf_all_accept_ra_runtime:def:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv6_conf_all_accept_ra_runtime:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Configure Accepting Router Advertisements on All IPv6 Interfaces</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'net.ipv6.conf.all.accept_ra' parameter should be set to the appropriate value in the system runtime.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_net_ipv6_conf_all_accept_ra_runtime" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="kernel runtime parameter net.ipv6.conf.all.accept_ra set to the appropriate value" test_ref="oval:ssg-test_sysctl_net_ipv6_conf_all_accept_ra_runtime:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv6_conf_all_accept_ra_static:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Configure Accepting Router Advertisements on All IPv6 Interfaces</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'net.ipv6.conf.all.accept_ra' parameter should be set to the appropriate value in the system configuration.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_net_ipv6_conf_all_accept_ra_static" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="kernel static parameter net.ipv6.conf.all.accept_ra set to the appropriate value in /etc/sysctl.conf" test_ref="oval:ssg-test_sysctl_net_ipv6_conf_all_accept_ra_static:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter net.ipv6.conf.all.accept_ra set to the appropriate value in /etc/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_net_ipv6_conf_all_accept_ra_static_etc_sysctld:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter net.ipv6.conf.all.accept_ra set to the appropriate value in /run/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_net_ipv6_conf_all_accept_ra_static_run_sysctld:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criterion comment="Check that net_ipv6_conf_all_accept_ra is defined in only one file" test_ref="oval:ssg-test_sysctl_net_ipv6_conf_all_accept_ra_defined_in_one_file:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv6_conf_all_accept_redirects:def:1" version="4">
-          <oval-def:metadata>
-            <oval-def:title>Disable Accepting ICMP Redirects for All IPv6 Interfaces</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'net.ipv6.conf.all.accept_redirects' parameter should be set to the appropriate value in both system configuration and system runtime.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82471-4" source="CCE"/>
-            <oval-def:reference ref_id="sysctl_net_ipv6_conf_all_accept_redirects" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="IPv6 disabled or net.ipv6.conf.all.accept_redirects set correctly" operator="OR">
-            <oval-def:extend_definition comment="is IPv6 enabled?" definition_ref="oval:ssg-sysctl_kernel_ipv6_disable:def:1"/>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="net.ipv6.conf.all.accept_redirects configuration setting check" definition_ref="oval:ssg-sysctl_net_ipv6_conf_all_accept_redirects_static:def:1"/>
-              <oval-def:extend_definition comment="net.ipv6.conf.all.accept_redirects runtime setting check" definition_ref="oval:ssg-sysctl_net_ipv6_conf_all_accept_redirects_runtime:def:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv6_conf_all_accept_redirects_runtime:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Disable Accepting ICMP Redirects for All IPv6 Interfaces</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'net.ipv6.conf.all.accept_redirects' parameter should be set to the appropriate value in the system runtime.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_net_ipv6_conf_all_accept_redirects_runtime" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="kernel runtime parameter net.ipv6.conf.all.accept_redirects set to the appropriate value" test_ref="oval:ssg-test_sysctl_net_ipv6_conf_all_accept_redirects_runtime:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv6_conf_all_accept_redirects_static:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Disable Accepting ICMP Redirects for All IPv6 Interfaces</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'net.ipv6.conf.all.accept_redirects' parameter should be set to the appropriate value in the system configuration.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_net_ipv6_conf_all_accept_redirects_static" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="kernel static parameter net.ipv6.conf.all.accept_redirects set to the appropriate value in /etc/sysctl.conf" test_ref="oval:ssg-test_sysctl_net_ipv6_conf_all_accept_redirects_static:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter net.ipv6.conf.all.accept_redirects set to the appropriate value in /etc/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_net_ipv6_conf_all_accept_redirects_static_etc_sysctld:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter net.ipv6.conf.all.accept_redirects set to the appropriate value in /run/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_net_ipv6_conf_all_accept_redirects_static_run_sysctld:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criterion comment="Check that net_ipv6_conf_all_accept_redirects is defined in only one file" test_ref="oval:ssg-test_sysctl_net_ipv6_conf_all_accept_redirects_defined_in_one_file:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv6_conf_all_accept_source_route:def:1" version="4">
-          <oval-def:metadata>
-            <oval-def:title>Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'net.ipv6.conf.all.accept_source_route' parameter should be set to the appropriate value in both system configuration and system runtime.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82480-5" source="CCE"/>
-            <oval-def:reference ref_id="sysctl_net_ipv6_conf_all_accept_source_route" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="IPv6 disabled or net.ipv6.conf.all.accept_source_route set correctly" operator="OR">
-            <oval-def:extend_definition comment="is IPv6 enabled?" definition_ref="oval:ssg-sysctl_kernel_ipv6_disable:def:1"/>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="net.ipv6.conf.all.accept_source_route configuration setting check" definition_ref="oval:ssg-sysctl_net_ipv6_conf_all_accept_source_route_static:def:1"/>
-              <oval-def:extend_definition comment="net.ipv6.conf.all.accept_source_route runtime setting check" definition_ref="oval:ssg-sysctl_net_ipv6_conf_all_accept_source_route_runtime:def:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv6_conf_all_accept_source_route_runtime:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'net.ipv6.conf.all.accept_source_route' parameter should be set to the appropriate value in the system runtime.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_net_ipv6_conf_all_accept_source_route_runtime" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="kernel runtime parameter net.ipv6.conf.all.accept_source_route set to the appropriate value" test_ref="oval:ssg-test_sysctl_net_ipv6_conf_all_accept_source_route_runtime:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv6_conf_all_accept_source_route_static:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'net.ipv6.conf.all.accept_source_route' parameter should be set to the appropriate value in the system configuration.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_net_ipv6_conf_all_accept_source_route_static" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="kernel static parameter net.ipv6.conf.all.accept_source_route set to the appropriate value in /etc/sysctl.conf" test_ref="oval:ssg-test_sysctl_net_ipv6_conf_all_accept_source_route_static:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter net.ipv6.conf.all.accept_source_route set to the appropriate value in /etc/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_net_ipv6_conf_all_accept_source_route_static_etc_sysctld:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter net.ipv6.conf.all.accept_source_route set to the appropriate value in /run/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_net_ipv6_conf_all_accept_source_route_static_run_sysctld:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criterion comment="Check that net_ipv6_conf_all_accept_source_route is defined in only one file" test_ref="oval:ssg-test_sysctl_net_ipv6_conf_all_accept_source_route_defined_in_one_file:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv6_conf_all_disable_ipv6:def:1" version="4">
-          <oval-def:metadata>
-            <oval-def:title>Disable IPv6 Addressing on All IPv6 Interfaces</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'net.ipv6.conf.all.disable_ipv6' parameter should be set to the appropriate value in both system configuration and system runtime.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_net_ipv6_conf_all_disable_ipv6" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="IPv6 disabled or net.ipv6.conf.all.disable_ipv6 set correctly" operator="OR">
-            <oval-def:extend_definition comment="is IPv6 enabled?" definition_ref="oval:ssg-sysctl_kernel_ipv6_disable:def:1"/>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="net.ipv6.conf.all.disable_ipv6 configuration setting check" definition_ref="oval:ssg-sysctl_net_ipv6_conf_all_disable_ipv6_static:def:1"/>
-              <oval-def:extend_definition comment="net.ipv6.conf.all.disable_ipv6 runtime setting check" definition_ref="oval:ssg-sysctl_net_ipv6_conf_all_disable_ipv6_runtime:def:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv6_conf_all_disable_ipv6_runtime:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Disable IPv6 Addressing on All IPv6 Interfaces</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'net.ipv6.conf.all.disable_ipv6' parameter should be set to 1 in the system runtime.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_net_ipv6_conf_all_disable_ipv6_runtime" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1" test_ref="oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_runtime:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv6_conf_all_disable_ipv6_static:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Disable IPv6 Addressing on All IPv6 Interfaces</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'net.ipv6.conf.all.disable_ipv6' parameter should be set to 1 in the system configuration.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_net_ipv6_conf_all_disable_ipv6_static" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="kernel static parameter net.ipv6.conf.all.disable_ipv6 set to 1 in /etc/sysctl.conf" test_ref="oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter net.ipv6.conf.all.disable_ipv6 set to 1 in /etc/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_etc_sysctld:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter net.ipv6.conf.all.disable_ipv6 set to 1 in /run/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_run_sysctld:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criterion comment="Check that net_ipv6_conf_all_disable_ipv6 is defined in only one file" test_ref="oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_defined_in_one_file:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv6_conf_default_accept_ra:def:1" version="4">
-          <oval-def:metadata>
-            <oval-def:title>Disable Accepting Router Advertisements on all IPv6 Interfaces by Default</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'net.ipv6.conf.default.accept_ra' parameter should be set to the appropriate value in both system configuration and system runtime.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82468-0" source="CCE"/>
-            <oval-def:reference ref_id="sysctl_net_ipv6_conf_default_accept_ra" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="IPv6 disabled or net.ipv6.conf.default.accept_ra set correctly" operator="OR">
-            <oval-def:extend_definition comment="is IPv6 enabled?" definition_ref="oval:ssg-sysctl_kernel_ipv6_disable:def:1"/>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="net.ipv6.conf.default.accept_ra configuration setting check" definition_ref="oval:ssg-sysctl_net_ipv6_conf_default_accept_ra_static:def:1"/>
-              <oval-def:extend_definition comment="net.ipv6.conf.default.accept_ra runtime setting check" definition_ref="oval:ssg-sysctl_net_ipv6_conf_default_accept_ra_runtime:def:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv6_conf_default_accept_ra_runtime:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Disable Accepting Router Advertisements on all IPv6 Interfaces by Default</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'net.ipv6.conf.default.accept_ra' parameter should be set to the appropriate value in the system runtime.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_net_ipv6_conf_default_accept_ra_runtime" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="kernel runtime parameter net.ipv6.conf.default.accept_ra set to the appropriate value" test_ref="oval:ssg-test_sysctl_net_ipv6_conf_default_accept_ra_runtime:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv6_conf_default_accept_ra_static:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Disable Accepting Router Advertisements on all IPv6 Interfaces by Default</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'net.ipv6.conf.default.accept_ra' parameter should be set to the appropriate value in the system configuration.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_net_ipv6_conf_default_accept_ra_static" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="kernel static parameter net.ipv6.conf.default.accept_ra set to the appropriate value in /etc/sysctl.conf" test_ref="oval:ssg-test_sysctl_net_ipv6_conf_default_accept_ra_static:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter net.ipv6.conf.default.accept_ra set to the appropriate value in /etc/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_net_ipv6_conf_default_accept_ra_static_etc_sysctld:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter net.ipv6.conf.default.accept_ra set to the appropriate value in /run/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_net_ipv6_conf_default_accept_ra_static_run_sysctld:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criterion comment="Check that net_ipv6_conf_default_accept_ra is defined in only one file" test_ref="oval:ssg-test_sysctl_net_ipv6_conf_default_accept_ra_defined_in_one_file:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv6_conf_default_accept_redirects:def:1" version="4">
-          <oval-def:metadata>
-            <oval-def:title>Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'net.ipv6.conf.default.accept_redirects' parameter should be set to the appropriate value in both system configuration and system runtime.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82477-1" source="CCE"/>
-            <oval-def:reference ref_id="sysctl_net_ipv6_conf_default_accept_redirects" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="IPv6 disabled or net.ipv6.conf.default.accept_redirects set correctly" operator="OR">
-            <oval-def:extend_definition comment="is IPv6 enabled?" definition_ref="oval:ssg-sysctl_kernel_ipv6_disable:def:1"/>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="net.ipv6.conf.default.accept_redirects configuration setting check" definition_ref="oval:ssg-sysctl_net_ipv6_conf_default_accept_redirects_static:def:1"/>
-              <oval-def:extend_definition comment="net.ipv6.conf.default.accept_redirects runtime setting check" definition_ref="oval:ssg-sysctl_net_ipv6_conf_default_accept_redirects_runtime:def:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv6_conf_default_accept_redirects_runtime:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'net.ipv6.conf.default.accept_redirects' parameter should be set to the appropriate value in the system runtime.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_net_ipv6_conf_default_accept_redirects_runtime" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="kernel runtime parameter net.ipv6.conf.default.accept_redirects set to the appropriate value" test_ref="oval:ssg-test_sysctl_net_ipv6_conf_default_accept_redirects_runtime:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv6_conf_default_accept_redirects_static:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'net.ipv6.conf.default.accept_redirects' parameter should be set to the appropriate value in the system configuration.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_net_ipv6_conf_default_accept_redirects_static" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="kernel static parameter net.ipv6.conf.default.accept_redirects set to the appropriate value in /etc/sysctl.conf" test_ref="oval:ssg-test_sysctl_net_ipv6_conf_default_accept_redirects_static:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter net.ipv6.conf.default.accept_redirects set to the appropriate value in /etc/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_net_ipv6_conf_default_accept_redirects_static_etc_sysctld:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter net.ipv6.conf.default.accept_redirects set to the appropriate value in /run/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_net_ipv6_conf_default_accept_redirects_static_run_sysctld:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criterion comment="Check that net_ipv6_conf_default_accept_redirects is defined in only one file" test_ref="oval:ssg-test_sysctl_net_ipv6_conf_default_accept_redirects_defined_in_one_file:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv6_conf_default_accept_source_route:def:1" version="4">
-          <oval-def:metadata>
-            <oval-def:title>Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'net.ipv6.conf.default.accept_source_route' parameter should be set to the appropriate value in both system configuration and system runtime.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82481-3" source="CCE"/>
-            <oval-def:reference ref_id="sysctl_net_ipv6_conf_default_accept_source_route" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="IPv6 disabled or net.ipv6.conf.default.accept_source_route set correctly" operator="OR">
-            <oval-def:extend_definition comment="is IPv6 enabled?" definition_ref="oval:ssg-sysctl_kernel_ipv6_disable:def:1"/>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="net.ipv6.conf.default.accept_source_route configuration setting check" definition_ref="oval:ssg-sysctl_net_ipv6_conf_default_accept_source_route_static:def:1"/>
-              <oval-def:extend_definition comment="net.ipv6.conf.default.accept_source_route runtime setting check" definition_ref="oval:ssg-sysctl_net_ipv6_conf_default_accept_source_route_runtime:def:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv6_conf_default_accept_source_route_runtime:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'net.ipv6.conf.default.accept_source_route' parameter should be set to the appropriate value in the system runtime.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_net_ipv6_conf_default_accept_source_route_runtime" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="kernel runtime parameter net.ipv6.conf.default.accept_source_route set to the appropriate value" test_ref="oval:ssg-test_sysctl_net_ipv6_conf_default_accept_source_route_runtime:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv6_conf_default_accept_source_route_static:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'net.ipv6.conf.default.accept_source_route' parameter should be set to the appropriate value in the system configuration.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_net_ipv6_conf_default_accept_source_route_static" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="kernel static parameter net.ipv6.conf.default.accept_source_route set to the appropriate value in /etc/sysctl.conf" test_ref="oval:ssg-test_sysctl_net_ipv6_conf_default_accept_source_route_static:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter net.ipv6.conf.default.accept_source_route set to the appropriate value in /etc/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_net_ipv6_conf_default_accept_source_route_static_etc_sysctld:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter net.ipv6.conf.default.accept_source_route set to the appropriate value in /run/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_net_ipv6_conf_default_accept_source_route_static_run_sysctld:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criterion comment="Check that net_ipv6_conf_default_accept_source_route is defined in only one file" test_ref="oval:ssg-test_sysctl_net_ipv6_conf_default_accept_source_route_defined_in_one_file:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv6_conf_default_disable_ipv6:def:1" version="4">
-          <oval-def:metadata>
-            <oval-def:title>Disable IPv6 Addressing on IPv6 Interfaces by Default</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'net.ipv6.conf.default.disable_ipv6' parameter should be set to the appropriate value in both system configuration and system runtime.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_net_ipv6_conf_default_disable_ipv6" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="IPv6 disabled or net.ipv6.conf.default.disable_ipv6 set correctly" operator="OR">
-            <oval-def:extend_definition comment="is IPv6 enabled?" definition_ref="oval:ssg-sysctl_kernel_ipv6_disable:def:1"/>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="net.ipv6.conf.default.disable_ipv6 configuration setting check" definition_ref="oval:ssg-sysctl_net_ipv6_conf_default_disable_ipv6_static:def:1"/>
-              <oval-def:extend_definition comment="net.ipv6.conf.default.disable_ipv6 runtime setting check" definition_ref="oval:ssg-sysctl_net_ipv6_conf_default_disable_ipv6_runtime:def:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv6_conf_default_disable_ipv6_runtime:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Disable IPv6 Addressing on IPv6 Interfaces by Default</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'net.ipv6.conf.default.disable_ipv6' parameter should be set to 1 in the system runtime.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_net_ipv6_conf_default_disable_ipv6_runtime" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="kernel runtime parameter net.ipv6.conf.default.disable_ipv6 set to 1" test_ref="oval:ssg-test_sysctl_net_ipv6_conf_default_disable_ipv6_runtime:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_net_ipv6_conf_default_disable_ipv6_static:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Disable IPv6 Addressing on IPv6 Interfaces by Default</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'net.ipv6.conf.default.disable_ipv6' parameter should be set to 1 in the system configuration.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_net_ipv6_conf_default_disable_ipv6_static" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="kernel static parameter net.ipv6.conf.default.disable_ipv6 set to 1 in /etc/sysctl.conf" test_ref="oval:ssg-test_sysctl_net_ipv6_conf_default_disable_ipv6_static:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter net.ipv6.conf.default.disable_ipv6 set to 1 in /etc/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_net_ipv6_conf_default_disable_ipv6_static_etc_sysctld:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter net.ipv6.conf.default.disable_ipv6 set to 1 in /run/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_net_ipv6_conf_default_disable_ipv6_static_run_sysctld:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criterion comment="Check that net_ipv6_conf_default_disable_ipv6 is defined in only one file" test_ref="oval:ssg-test_sysctl_net_ipv6_conf_default_disable_ipv6_defined_in_one_file:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_user_max_user_namespaces:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Disable the use of user namespaces</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The 'user.max_user_namespaces' kernel parameter should be set to the appropriate value in both system configuration and system runtime.</oval-def:description>
-            <oval-def:reference ref_id="CCE-82503-4" source="CCE"/>
-            <oval-def:reference ref_id="sysctl_user_max_user_namespaces" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="user.max_user_namespaces configuration setting check" definition_ref="oval:ssg-sysctl_user_max_user_namespaces_static:def:1"/>
-            <oval-def:extend_definition comment="user.max_user_namespaces runtime setting check" definition_ref="oval:ssg-sysctl_user_max_user_namespaces_runtime:def:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_user_max_user_namespaces_runtime:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Disable the use of user namespaces</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'user.max_user_namespaces' parameter should be set to 0 in the system runtime.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_user_max_user_namespaces_runtime" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="kernel runtime parameter user.max_user_namespaces set to 0" test_ref="oval:ssg-test_sysctl_user_max_user_namespaces_runtime:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_user_max_user_namespaces_static:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Disable the use of user namespaces</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The kernel 'user.max_user_namespaces' parameter should be set to 0 in the system configuration.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_user_max_user_namespaces_static" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="kernel static parameter user.max_user_namespaces set to 0 in /etc/sysctl.conf" test_ref="oval:ssg-test_sysctl_user_max_user_namespaces_static:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter user.max_user_namespaces set to 0 in /etc/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_user_max_user_namespaces_static_etc_sysctld:tst:1"/>
-              <oval-def:criterion comment="kernel static parameter user.max_user_namespaces set to 0 in /run/sysctl.d/*.conf" test_ref="oval:ssg-test_sysctl_user_max_user_namespaces_static_run_sysctld:tst:1"/>
-            </oval-def:criteria>
-            <oval-def:criterion comment="Check that user_max_user_namespaces is defined in only one file" test_ref="oval:ssg-test_sysctl_user_max_user_namespaces_defined_in_one_file:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-zipl_audit_argument:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Enable Auditing to Start Prior to the Audit Daemon in zIPL</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Ensure audit=1 option is configured in the 'options' line in /boot/loader/entries/*.conf. Make sure that newly installed kernels will retain this option, it should be configured in /etc/kernel/cmdline as well.</oval-def:description>
-            <oval-def:reference ref_id="zipl_audit_argument" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="Check if argument audit=1 for Linux kernel is present in /boot/loader/entries/.*.conf" test_ref="oval:ssg-test_zipl_audit_argument_audit_1_argument_in_boot_loader_entries_conf:tst:1"/>
-            <oval-def:criterion comment="Check if argument audit=1 for Linux kernel is present in /etc/kernel/cmdline" test_ref="oval:ssg-test_zipl_audit_argument_audit_1_argument_in_etc_kernel_cmdline:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-zipl_audit_backlog_limit_argument:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Extend Audit Backlog Limit for the Audit Daemon in zIPL</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Ensure audit_backlog_limit=8192 option is configured in the 'options' line in /boot/loader/entries/*.conf. Make sure that newly installed kernels will retain this option, it should be configured in /etc/kernel/cmdline as well.</oval-def:description>
-            <oval-def:reference ref_id="zipl_audit_backlog_limit_argument" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="Check if argument audit_backlog_limit=8192 for Linux kernel is present in /boot/loader/entries/.*.conf" test_ref="oval:ssg-test_zipl_audit_backlog_limit_argument_audit_backlog_limit_8192_argument_in_boot_loader_entries_conf:tst:1"/>
-            <oval-def:criterion comment="Check if argument audit_backlog_limit=8192 for Linux kernel is present in /etc/kernel/cmdline" test_ref="oval:ssg-test_zipl_audit_backlog_limit_argument_audit_backlog_limit_8192_argument_in_etc_kernel_cmdline:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-zipl_page_poison_argument:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Enable page allocator poisoning in zIPL</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Ensure page_poison=1 option is configured in the 'options' line in /boot/loader/entries/*.conf. Make sure that newly installed kernels will retain this option, it should be configured in /etc/kernel/cmdline as well.</oval-def:description>
-            <oval-def:reference ref_id="zipl_page_poison_argument" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="Check if argument page_poison=1 for Linux kernel is present in /boot/loader/entries/.*.conf" test_ref="oval:ssg-test_zipl_page_poison_argument_page_poison_1_argument_in_boot_loader_entries_conf:tst:1"/>
-            <oval-def:criterion comment="Check if argument page_poison=1 for Linux kernel is present in /etc/kernel/cmdline" test_ref="oval:ssg-test_zipl_page_poison_argument_page_poison_1_argument_in_etc_kernel_cmdline:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-zipl_slub_debug_argument:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Enable SLUB/SLAB allocator poisoning in zIPL</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Ensure slub_debug=P option is configured in the 'options' line in /boot/loader/entries/*.conf. Make sure that newly installed kernels will retain this option, it should be configured in /etc/kernel/cmdline as well.</oval-def:description>
-            <oval-def:reference ref_id="zipl_slub_debug_argument" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="Check if argument slub_debug=P for Linux kernel is present in /boot/loader/entries/.*.conf" test_ref="oval:ssg-test_zipl_slub_debug_argument_slub_debug_P_argument_in_boot_loader_entries_conf:tst:1"/>
-            <oval-def:criterion comment="Check if argument slub_debug=P for Linux kernel is present in /etc/kernel/cmdline" test_ref="oval:ssg-test_zipl_slub_debug_argument_slub_debug_P_argument_in_etc_kernel_cmdline:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-zipl_vsyscall_argument:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Disable vsyscalls in zIPL</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Ensure vsyscall=none option is configured in the 'options' line in /boot/loader/entries/*.conf. Make sure that newly installed kernels will retain this option, it should be configured in /etc/kernel/cmdline as well.</oval-def:description>
-            <oval-def:reference ref_id="zipl_vsyscall_argument" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="Check if argument vsyscall=none for Linux kernel is present in /boot/loader/entries/.*.conf" test_ref="oval:ssg-test_zipl_vsyscall_argument_vsyscall_none_argument_in_boot_loader_entries_conf:tst:1"/>
-            <oval-def:criterion comment="Check if argument vsyscall=none for Linux kernel is present in /etc/kernel/cmdline" test_ref="oval:ssg-test_zipl_vsyscall_argument_vsyscall_none_argument_in_etc_kernel_cmdline:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-accounts_password_pam_faillock:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Check pam_faillock Existence in system-auth</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check that pam_faillock.so exists in system-auth</oval-def:description>
-            <oval-def:reference ref_id="accounts_password_pam_faillock" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Conditions for pam_faillock are satisfied" test_ref="oval:ssg-test_accounts_password_pam_faillock:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-accounts_password_pam_pwquality:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Check pam_pwquality Existence in system-auth</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check that pam_pwquality.so exists in system-auth</oval-def:description>
-            <oval-def:reference ref_id="accounts_password_pam_pwquality" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Conditions for pam_pwquality are satisfied" test_ref="oval:ssg-test_password_pam_pwquality:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_auditctl:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Any Attempts to Run semanage</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Test if auditctl is in use for audit rules.</oval-def:description>
-            <oval-def:reference ref_id="audit_rules_auditctl" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="audit auditctl" test_ref="oval:ssg-test_audit_rules_auditctl:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_augenrules:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Any Attempts to Run semanage</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Test if augenrules is enabled for audit rules.</oval-def:description>
-            <oval-def:reference ref_id="audit_rules_augenrules" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="audit augenrules" test_ref="oval:ssg-test_audit_rules_augenrules:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_networkconfig_modification_domainname:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Events that Modify the System's Network Environment</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The network environment should not be modified by anything other than
-      administrator action. Any change to network parameters should be audited.</oval-def:description>
-            <oval-def:reference ref_id="audit_rules_networkconfig_modification_domainname" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit setdomainname" test_ref="oval:ssg-test_32bit_ardm_setdomainname_augenrules:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit augenrules 64-bit setdomainname" test_ref="oval:ssg-test_64bit_ardm_setdomainname_augenrules:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit setdomainname" test_ref="oval:ssg-test_32bit_ardm_setdomainname_auditctl:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit auditctl 64-bit setdomainname" test_ref="oval:ssg-test_64bit_ardm_setdomainname_auditctl:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-audit_rules_networkconfig_modification_hostname:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Record Events that Modify the System's Network Environment</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The network environment should not be modified by anything other than
-      administrator action. Any change to network parameters should be audited.</oval-def:description>
-            <oval-def:reference ref_id="audit_rules_networkconfig_modification_hostname" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit augenrules" definition_ref="oval:ssg-audit_rules_augenrules:def:1"/>
-              <oval-def:criterion comment="audit augenrules 32-bit sethostname" test_ref="oval:ssg-test_32bit_ardm_sethostname_augenrules:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit augenrules 64-bit sethostname" test_ref="oval:ssg-test_64bit_ardm_sethostname_augenrules:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="audit auditctl" definition_ref="oval:ssg-audit_rules_auditctl:def:1"/>
-              <oval-def:criterion comment="audit auditctl 32-bit sethostname" test_ref="oval:ssg-test_32bit_ardm_sethostname_auditctl:tst:1"/>
-              <oval-def:criteria operator="OR">
-                <oval-def:extend_definition comment="64-bit system" definition_ref="oval:ssg-system_info_architecture_64bit:def:1" negate="true"/>
-                <oval-def:criterion comment="audit auditctl 64-bit sethostname" test_ref="oval:ssg-test_64bit_ardm_sethostname_auditctl:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-auditd_conf_log_file_not_set:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>'log_file' Not Set In /etc/audit/auditd.conf</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Verify 'log_file' is not set in /etc/audit/auditd.conf.</oval-def:description>
-            <oval-def:reference ref_id="auditd_conf_log_file_not_set" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion test_ref="oval:ssg-test_auditd_conf_log_file_not_set:tst:1" comment="Verify 'log_file' not set in /etc/audit/auditd.conf"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-auditd_conf_log_group_not_root:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>'log_group' Not Set To 'root' In /etc/audit/auditd.conf</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Verify 'log_group' is not set to 'root' in
-      /etc/audit/auditd.conf.</oval-def:description>
-            <oval-def:reference ref_id="auditd_conf_log_group_not_root" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion test_ref="oval:ssg-test_auditd_conf_log_group_not_root:tst:1" comment="Verify 'log_group' not set to 'root' in /etc/audit/auditd.conf"/>
-            <oval-def:criterion test_ref="oval:ssg-test_auditd_conf_log_group_is_set:tst:1" comment="Verify 'log_group' is set in /etc/audit/auditd.conf"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-bootloader_disable_recovery_set_to_true:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Verify GRUB_DISABLE_RECOVERY Set to true</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>GRUB_DISABLE_RECOVERY set to 'true' in
-      /etc/default/grub</oval-def:description>
-            <oval-def:reference ref_id="bootloader_disable_recovery_set_to_true" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion test_ref="oval:ssg-test_bootloader_disable_recovery_set_to_true:tst:1" comment="Check GRUB_DISABLE_RECOVERY=true in /etc/default/grub"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-chronyd_specify_multiple_servers:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Specify Multiple Remote chronyd NTP Servers for Time Data</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Multiple chronyd NTP Servers for time synchronization should be specified.</oval-def:description>
-            <oval-def:reference ref_id="chronyd_specify_multiple_servers" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="chrony.conf conditions are met">
-            <oval-def:criterion test_ref="oval:ssg-test_chronyd_multiple_servers:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-grub2_default_exists:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>GRUB_CMDLINE_LINUX_DEFAULT existance check</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check if GRUB_CMDLINE_LINUX_DEFAULT exists in /etc/default/grub.</oval-def:description>
-            <oval-def:reference ref_id="grub2_default_exists" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion test_ref="oval:ssg-test_grub2_default_exists:tst:1" comment="check for GRUB_CMDLINE_LINUX_DEFAULT exists in /etc/default/grub"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-grub2_entries_reference_kernelopts:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Use $kernelopts in /boot/loader/entries/*.conf</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Ensure that grubenv-defined kernel options are referenced in individual boot loader entries</oval-def:description>
-            <oval-def:reference ref_id="grub2_entries_reference_kernelopts" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion test_ref="oval:ssg-test_grub2_entries_reference_kernelopts:tst:1" comment="check kernel command line parameters for referenced boot entries reference the $kernelopts variable."/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-install_mcafee_hbss:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Install McAfee Host-Based Intrusion Detection Software (HBSS)</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>McAfee Host-Based Intrusion Detection Software (HBSS) software
-      should be installed.</oval-def:description>
-            <oval-def:reference ref_id="install_mcafee_hbss" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="McAfee HBSS" definition_ref="oval:ssg-install_mcafee_cma_rt:def:1"/>
-            <oval-def:extend_definition comment="McAfee HBSS" definition_ref="oval:ssg-install_mcafee_hbss_accm:def:1"/>
-            <oval-def:extend_definition comment="McAfee HBSS" definition_ref="oval:ssg-package_MFEhiplsm_installed:def:1"/>
-            <oval-def:extend_definition comment="McAfee HBSS" definition_ref="oval:ssg-install_mcafee_hbss_pa:def:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_alinux2:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Alibaba Cloud Linux 2</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:Alibaba Cloud Linux:2" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Alibaba Cloud Linux 2</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_alinux2" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="Installed OS is part of the Unix family" definition_ref="oval:ssg-installed_OS_is_part_of_Unix_family:def:1"/>
-            <oval-def:criterion comment="Alibaba Cloud Linux 2 is installed" test_ref="oval:ssg-test_alinux2:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_alinux3:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Alibaba Cloud Linux 3</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:Alibaba Cloud Linux:3" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Alibaba Cloud Linux 3</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_alinux3" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="Installed OS is part of the Unix family" definition_ref="oval:ssg-installed_OS_is_part_of_Unix_family:def:1"/>
-            <oval-def:criterion comment="Alibaba Cloud Linux 3 is installed" test_ref="oval:ssg-test_alinux3:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_centos7:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>CentOS 7</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:centos:centos:7" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is
-      CentOS 7</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_centos7" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="Installed OS is part of the Unix family" definition_ref="oval:ssg-installed_OS_is_part_of_Unix_family:def:1"/>
-            <oval-def:criterion comment="CentOS7 is installed" test_ref="oval:ssg-test_centos7:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_centos8:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>CentOS 8</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:centos:centos:8" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is
-      CentOS 8</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_centos8" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="Installed OS is part of the Unix family" definition_ref="oval:ssg-installed_OS_is_part_of_Unix_family:def:1"/>
-            <oval-def:criterion comment="OS is CentOS" test_ref="oval:ssg-test_centos8_name:tst:1"/>
-            <oval-def:criterion comment="OS version is 8" test_ref="oval:ssg-test_centos8_version:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_centos9:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>CentOS Stream 9</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:centos:centos:9" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is
-      CentOS Stream 9</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_centos9" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="Installed OS is part of the Unix family" definition_ref="oval:ssg-installed_OS_is_part_of_Unix_family:def:1"/>
-            <oval-def:criterion comment="OS is CentOS Stream" test_ref="oval:ssg-test_centos9_name:tst:1"/>
-            <oval-def:criterion comment="OS version is 9" test_ref="oval:ssg-test_centos9_version:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_debian:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Debian</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The operating system installed is a Debian System</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_debian" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="System is Debian" operator="AND">
-            <oval-def:extend_definition comment="Installed OS is part of the Unix family" definition_ref="oval:ssg-installed_OS_is_part_of_Unix_family:def:1"/>
-            <oval-def:criterion comment="Debian is installed" test_ref="oval:ssg-test_debian:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_debian10:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Debian Linux 10</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:debian:debian_linux:10" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Debian 10</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_debian10" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="Debian Linux is version 10" operator="AND">
-            <oval-def:extend_definition comment="Debian is installed" definition_ref="oval:ssg-installed_OS_is_debian:def:1"/>
-            <oval-def:criterion comment="Debian10 is installed" test_ref="oval:ssg-test_debian_10:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_debian11:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Debian Linux 11</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:debian:debian_linux:11" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Debian 11</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_debian11" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="Debian Linux is version 11" operator="AND">
-            <oval-def:extend_definition comment="Debian is installed" definition_ref="oval:ssg-installed_OS_is_debian:def:1"/>
-            <oval-def:criterion comment="Debian11 is installed" test_ref="oval:ssg-test_debian_11:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_debian9:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Debian 9</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:debian:debian_linux:9" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Debian 9</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_debian9" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="current Debian version is Debian Stretch" operator="AND">
-            <oval-def:extend_definition comment="Debian is installed" definition_ref="oval:ssg-installed_OS_is_debian:def:1"/>
-            <oval-def:criterion comment="Debian9 is installed" test_ref="oval:ssg-test_debian_9:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_fedora:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Installed operating system is Fedora</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:fedoraproject:fedora:33" source="CPE"/>
-            <oval-def:reference ref_id="cpe:/o:fedoraproject:fedora:34" source="CPE"/>
-            <oval-def:reference ref_id="cpe:/o:fedoraproject:fedora:35" source="CPE"/>
-            <oval-def:reference ref_id="cpe:/o:fedoraproject:fedora:36" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Fedora</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_fedora" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="Installed OS is part of the Unix family" definition_ref="oval:ssg-installed_OS_is_part_of_Unix_family:def:1"/>
-            <oval-def:criterion comment="fedora-release RPM packages are installed" test_ref="oval:ssg-test_fedora_release_rpm:tst:1"/>
-            <oval-def:criterion comment="CPE vendor is 'fedoraproject' and product is 'fedora'" test_ref="oval:ssg-test_fedora_vendor_product:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_ol7_family:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Oracle Linux 7</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:oracle:linux:7" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is
-      Oracle Linux 7</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_ol7_family" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:extend_definition comment="Installed OS is part of the Unix family" definition_ref="oval:ssg-installed_OS_is_part_of_Unix_family:def:1"/>
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="Oracle Linux 7 System is installed" test_ref="oval:ssg-test_ol7_system:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_ol8_family:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Oracle Linux 8</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:oracle:linux:8" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is
-      Oracle Linux 8</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_ol8_family" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:extend_definition comment="Installed OS is part of the Unix family" definition_ref="oval:ssg-installed_OS_is_part_of_Unix_family:def:1"/>
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="Oracle Linux 8 System is installed" test_ref="oval:ssg-test_ol8_system:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_ol9_family:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Oracle Linux 9</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:oracle:linux:9" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is
-      Oracle Linux 9</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_ol9_family" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:extend_definition comment="Installed OS is part of the Unix family" definition_ref="oval:ssg-installed_OS_is_part_of_Unix_family:def:1"/>
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="Oracle Linux 9 System is installed" test_ref="oval:ssg-test_ol9_system:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_opensuse:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>openSUSE</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The operating system installed on the system is openSUSE.</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_opensuse" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="Installed OS is part of the Unix family" definition_ref="oval:ssg-installed_OS_is_part_of_Unix_family:def:1"/>
-            <oval-def:criterion comment="openSUSE is installed" test_ref="oval:ssg-test_opensuse_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_opensuse_leap15:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>openSUSE Leap 15</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:opensuse:leap:15.0" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is openSUSE Leap 15.</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_opensuse_leap15" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="openSUSE is installed" definition_ref="oval:ssg-installed_OS_is_opensuse:def:1"/>
-            <oval-def:criterion comment="openSUSE Leap 15 is installed" test_ref="oval:ssg-test_opensuse_leap15_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_opensuse_leap42:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>openSUSE Leap 42</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:opensuse:leap:42.1" source="CPE"/>
-            <oval-def:reference ref_id="cpe:/o:opensuse:leap:42.2" source="CPE"/>
-            <oval-def:reference ref_id="cpe:/o:opensuse:leap:42.3" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is openSUSE Leap 42.</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_opensuse_leap42" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="openSUSE is installed" definition_ref="oval:ssg-installed_OS_is_opensuse:def:1"/>
-            <oval-def:criterion comment="openSUSE Leap 42 is installed" test_ref="oval:ssg-test_opensuse_leap42_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_part_of_Unix_family:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Installed operating system is part of the Unix family</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The operating system installed on the system is part of the Unix OS family</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_part_of_Unix_family" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Installed operating system is part of the unix family" test_ref="oval:ssg-test_unix_family:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_rhcos4:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Red Hat Enterprise Linux CoreOS</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:redhat:enterprise_linux_coreos:4" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is
-      Red Hat Enterprise Linux CoreOS release 4</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_rhcos4" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion comment="RHCOS is installed" test_ref="oval:ssg-test_rhcos:tst:1"/>
-              <oval-def:criterion comment="RHCOS version 4 is installed" test_ref="oval:ssg-test_rhcos4:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_rhel7:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Red Hat Enterprise Linux 7</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:redhat:enterprise_linux:7" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is
-      Red Hat Enterprise Linux 7</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_rhel7" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Installed operating system is part of the unix family" test_ref="oval:ssg-test_rhel7_unix_family:tst:1"/>
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="RHEL 7 Client is installed" test_ref="oval:ssg-test_rhel7_client:tst:1"/>
-              <oval-def:criterion comment="RHEL 7 Workstation is installed" test_ref="oval:ssg-test_rhel7_workstation:tst:1"/>
-              <oval-def:criterion comment="RHEL 7 Server is installed" test_ref="oval:ssg-test_rhel7_server:tst:1"/>
-              <oval-def:criterion comment="RHEL 7 Compute Node is installed" test_ref="oval:ssg-test_rhel7_computenode:tst:1"/>
-              <oval-def:criteria operator="AND" comment="Red Hat Enterprise Virtualization Host is installed">
-                <oval-def:criterion comment="Red Hat Virtualization Host (RHVH)" test_ref="oval:ssg-test_rhvh4_version:tst:1"/>
-                <oval-def:criterion comment="Red Hat Enterprise Virtualization Host is based on RHEL 7" test_ref="oval:ssg-test_rhevh_rhel7_version:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_rhel8:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Red Hat Enterprise Linux 8</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:redhat:enterprise_linux:8" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is
-      Red Hat Enterprise Linux 8</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_rhel8" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Installed operating system is part of the unix family" test_ref="oval:ssg-test_rhel8_unix_family:tst:1"/>
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="RHEL 8 is installed" test_ref="oval:ssg-test_rhel8:tst:1"/>
-              <oval-def:criteria operator="AND" comment="Red Hat Enterprise Virtualization Host is installed">
-                <oval-def:criterion comment="Red Hat Virtualization Host (RHVH)" test_ref="oval:ssg-test_rhvh4_version:tst:1"/>
-                <oval-def:criterion comment="Red Hat Enterprise Virtualization Host is based on RHEL 8" test_ref="oval:ssg-test_rhevh_rhel8_version:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_rhel8_0:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Red Hat Enterprise Linux 8.0</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:redhat:enterprise_linux:8.0" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Red Hat Enterprise Linux 8.0</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_rhel8_0" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="RHEL 8.0 is installed" test_ref="oval:ssg-test_rhel8_0:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_rhel8_1:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Red Hat Enterprise Linux 8.1</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:redhat:enterprise_linux:8.1" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Red Hat Enterprise Linux 8.1</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_rhel8_1" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="RHEL 8.1 is installed" test_ref="oval:ssg-test_rhel8_1:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_rhel8_2:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Red Hat Enterprise Linux 8.2</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:redhat:enterprise_linux:8.2" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Red Hat Enterprise Linux 8.2</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_rhel8_2" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="RHEL 8.2 is installed" test_ref="oval:ssg-test_rhel8_2:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_rhel8_3:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Red Hat Enterprise Linux 8.3</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:redhat:enterprise_linux:8.3" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Red Hat Enterprise Linux 8.3</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_rhel8_3" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="RHEL 8.3 is installed" test_ref="oval:ssg-test_rhel8_3:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_rhel8_4:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Red Hat Enterprise Linux 8.4</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:redhat:enterprise_linux:8.4" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Red Hat Enterprise Linux 8.4</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_rhel8_4" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="RHEL 8.4 is installed" test_ref="oval:ssg-test_rhel8_4:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_rhel8_5:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Red Hat Enterprise Linux 8.5</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:redhat:enterprise_linux:8.5" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Red Hat Enterprise Linux 8.5</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_rhel8_5" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="RHEL 8.5 is installed" test_ref="oval:ssg-test_rhel8_5:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_rhel8_6:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Red Hat Enterprise Linux 8.6</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:redhat:enterprise_linux:8.6" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Red Hat Enterprise Linux 8.6</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_rhel8_6" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="RHEL 8.6 is installed" test_ref="oval:ssg-test_rhel8_6:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_rhel8_7:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Red Hat Enterprise Linux 8.7</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:redhat:enterprise_linux:8.7" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Red Hat Enterprise Linux 8.7</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_rhel8_7" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="RHEL 8.7 is installed" test_ref="oval:ssg-test_rhel8_7:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_rhel8_8:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Red Hat Enterprise Linux 8.8</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:redhat:enterprise_linux:8.8" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Red Hat Enterprise Linux 8.8</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_rhel8_8" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="RHEL 8.8 is installed" test_ref="oval:ssg-test_rhel8_8:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_rhel8_9:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Red Hat Enterprise Linux 8.9</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:redhat:enterprise_linux:8.9" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Red Hat Enterprise Linux 8.9</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_rhel8_9" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="RHEL 8.9 is installed" test_ref="oval:ssg-test_rhel8_9:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_rhel8_10:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Red Hat Enterprise Linux 8.10</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:redhat:enterprise_linux:8.10" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Red Hat Enterprise Linux 8.10</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_rhel8_10" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="RHEL 8.10 is installed" test_ref="oval:ssg-test_rhel8_10:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_rhel9:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Red Hat Enterprise Linux 9</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:redhat:enterprise_linux:9" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is
-      Red Hat Enterprise Linux 9</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_rhel9" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Installed operating system is part of the unix family" test_ref="oval:ssg-test_rhel9_unix_family:tst:1"/>
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="RHEL 9 is installed" test_ref="oval:ssg-test_rhel9:tst:1"/>
-              <oval-def:criteria operator="AND" comment="Red Hat Enterprise Virtualization Host is installed">
-                <oval-def:criterion comment="Red Hat Virtualization Host (RHVH)" test_ref="oval:ssg-test_rhvh4_version:tst:1"/>
-                <oval-def:criterion comment="Red Hat Enterprise Virtualization Host is based on RHEL 9" test_ref="oval:ssg-test_rhevh_rhel9_version:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_rhv4:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Red Hat Virtualization 4</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:redhat:virtualization:4" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is
-      Red Hat Virtualization Host 4.4+ or Red Hat Enterprise Host.</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_rhv4" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:extend_definition comment="RHEL8 OS installed" definition_ref="oval:ssg-installed_OS_is_rhel8:def:1"/>
-            <oval-def:criterion comment="Red Hat Virtualization Host (RHVH)" test_ref="oval:ssg-test_rhvh4_version:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_sl7:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Scientific Linux 7</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:scientificlinux:scientificlinux:7" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is
-      Scientific Linux 7</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_sl7" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="Installed OS is part of the Unix family" definition_ref="oval:ssg-installed_OS_is_part_of_Unix_family:def:1"/>
-            <oval-def:criterion comment="Scientific Linux 7 is installed" test_ref="oval:ssg-test_sl7:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_sle12:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>SUSE Linux Enterprise 12</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:suse:linux_enterprise_server:12" source="CPE"/>
-            <oval-def:reference ref_id="cpe:/o:suse:linux_enterprise_desktop:12" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is
-      SUSE Linux Enterprise 12.</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_sle12" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Installed operating system is part of the unix family" test_ref="oval:ssg-test_sle12_unix_family:tst:1"/>
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="SLE 12 Desktop is installed" test_ref="oval:ssg-test_sle12_desktop:tst:1"/>
-              <oval-def:criterion comment="SLE 12 Server is installed" test_ref="oval:ssg-test_sle12_server:tst:1"/>
-              <oval-def:criterion comment="SLES 12 for SAP Applications is installed" test_ref="oval:ssg-test_sles_12_for_sap:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_sle15:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>SUSE Linux Enterprise 15</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:suse:linux_enterprise_server:15" source="CPE"/>
-            <oval-def:reference ref_id="cpe:/o:suse:linux_enterprise_desktop:15" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is
-      SUSE Linux Enterprise 15.</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_sle15" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Installed operating system is part of the unix family" test_ref="oval:ssg-test_sle15_unix_family:tst:1"/>
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="SLE 15 Desktop is installed" test_ref="oval:ssg-test_sle15_desktop:tst:1"/>
-              <oval-def:criterion comment="SLE 15 Server is installed" test_ref="oval:ssg-test_sle15_server:tst:1"/>
-              <oval-def:criterion comment="SLES 15 for SAP Applications is installed" test_ref="oval:ssg-test_sles_15_for_sap:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_ubuntu:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ubuntu</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The operating system installed is an Ubuntu System</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_ubuntu" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="System is Ubuntu" operator="AND">
-            <oval-def:extend_definition comment="Installed OS is part of the Unix family" definition_ref="oval:ssg-installed_OS_is_part_of_Unix_family:def:1"/>
-            <oval-def:criterion comment="lsb-based distrib" test_ref="oval:ssg-test_lsb:tst:1"/>
-            <oval-def:criterion comment="Ubuntu is installed" test_ref="oval:ssg-test_ubuntu:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_ubuntu1604:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ubuntu 1604</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:canonical:ubuntu_linux:16.04" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Ubuntu 1604</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_ubuntu1604" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="current Ubuntu version is Xenial" operator="AND">
-            <oval-def:extend_definition comment="Ubuntu is installed" definition_ref="oval:ssg-installed_OS_is_ubuntu:def:1"/>
-            <oval-def:criterion comment="Xenial is installed" test_ref="oval:ssg-test_ubuntu_xenial:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_ubuntu1804:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ubuntu 1804</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:canonical:ubuntu_linux:18.04" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Ubuntu 1804</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_ubuntu1804" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="current Ubuntu version is Bionic" operator="AND">
-            <oval-def:extend_definition comment="Ubuntu is installed" definition_ref="oval:ssg-installed_OS_is_ubuntu:def:1"/>
-            <oval-def:criterion comment="Bionic is installed" test_ref="oval:ssg-test_ubuntu_bionic:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_ubuntu2004:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ubuntu 2004</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:canonical:ubuntu_linux:20.04" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Ubuntu 2004</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_ubuntu2004" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="current Ubuntu version is Focal" operator="AND">
-            <oval-def:extend_definition comment="Ubuntu is installed" definition_ref="oval:ssg-installed_OS_is_ubuntu:def:1"/>
-            <oval-def:criterion comment="Focal is installed" test_ref="oval:ssg-test_ubuntu_focal:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_uos20:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>UnionTech OS Server 20</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:UnionTech OS Server:20" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is UnionTech OS Server 20</oval-def:description>
-            <oval-def:reference ref_id="installed_OS_is_uos20" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="Installed OS is part of the Unix family" definition_ref="oval:ssg-installed_OS_is_part_of_Unix_family:def:1"/>
-            <oval-def:criterion comment="UnionTech OS Server 20 is installed" test_ref="oval:ssg-test_uos20:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_app_is_rhv4:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Red Hat Virtualization 4</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/a:redhat:virtualization:4" source="CPE"/>
-            <oval-def:description>The application installed installed on the system is
-      Red Hat Virtualization 4.</oval-def:description>
-            <oval-def:reference ref_id="installed_app_is_rhv4" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:extend_definition comment="RHEL7 OS installed" definition_ref="oval:ssg-installed_OS_is_rhel7:def:1"/>
-            <oval-def:criterion comment="Red Hat Virtualization Manager (RHVM)" test_ref="oval:ssg-test_rhevm4_version:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_audit_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package audit is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package audit is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:audit" source="CPE"/>
-            <oval-def:reference ref_id="installed_env_has_audit_package" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package audit is installed" test_ref="oval:ssg-test_env_has_audit_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_chrony_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package chrony is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package chrony is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:chrony" source="CPE"/>
-            <oval-def:reference ref_id="installed_env_has_chrony_package" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package chrony is installed" test_ref="oval:ssg-test_env_has_chrony_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_gdm_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package gdm is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package gdm is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:gdm" source="CPE"/>
-            <oval-def:reference ref_id="installed_env_has_gdm_package" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package gdm is installed" test_ref="oval:ssg-test_env_has_gdm_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_grub2_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package grub2 is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package grub2-common is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:grub2" source="CPE"/>
-            <oval-def:reference ref_id="installed_env_has_grub2_package" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="Package grub2-common is installed" test_ref="oval:ssg-test_env_has_grub2_installed:tst:1"/>
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="Test for ppcle64 architecture" test_ref="oval:ssg-test_system_info_architecture_ppcle_64:tst:1" negate="true"/>
-              <oval-def:criterion comment="Test if OPAL is not used" test_ref="oval:ssg-test_system_using_opal:tst:1" negate="true"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_libuser_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package libuser is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package libuser is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:libuser" source="CPE"/>
-            <oval-def:reference ref_id="installed_env_has_libuser_package" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package libuser is installed" test_ref="oval:ssg-test_env_has_libuser_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_login_defs:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package providing /etc/login.defs is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package providing /etc/login.defs and is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:login_defs" source="CPE"/>
-            <oval-def:reference ref_id="installed_env_has_login_defs" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package providing /etc/login.defs is installed" test_ref="oval:ssg-test_env_has_login_defs_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_net-snmp_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package net-snmp is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package net-snmp is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:net-snmp" source="CPE"/>
-            <oval-def:reference ref_id="installed_env_has_net-snmp_package" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package net-snmp is installed" test_ref="oval:ssg-test_env_has_net-snmp_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_no_ovirt:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Check if the system doesn't act as an oVirt host or manager</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check if the system has neither ovirt-host nor ovirt-engine installed.</oval-def:description>
-            <oval-def:reference ref_id="installed_env_has_no_ovirt" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:extend_definition comment="Package ovirt-host is not installed" definition_ref="oval:ssg-installed_env_has_ovirt:def:1" negate="true"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_nss-pam-ldapd_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package nss-pam-ldapd is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package nss-pam-ldapd is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:nss-pam-ldapd" source="CPE"/>
-            <oval-def:reference ref_id="installed_env_has_nss-pam-ldapd_package" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package nss-pam-ldapd is installed" test_ref="oval:ssg-test_env_has_nss-pam-ldapd_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_ntp_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package ntp is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package ntp is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:ntp" source="CPE"/>
-            <oval-def:reference ref_id="installed_env_has_ntp_package" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package ntp is installed" test_ref="oval:ssg-test_env_has_ntp_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_ovirt:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Check if the system acts as an oVirt host or manager</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check if the system has ovirt-host or ovirt-engine installed</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:ovirt-host" source="CPE"/>
-            <oval-def:reference ref_id="installed_env_has_ovirt" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criterion comment="Package ovirt-host is installed" test_ref="oval:ssg-test_env_has_ovirt-host_installed:tst:1"/>
-            <oval-def:criterion comment="Package ovirt-engine is installed" test_ref="oval:ssg-test_env_has_ovirt-engine_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_pam_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package pam is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package pam is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:pam" source="CPE"/>
-            <oval-def:reference ref_id="installed_env_has_pam_package" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package pam is installed" test_ref="oval:ssg-test_env_has_pam_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_polkit_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package polkit is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package polkit is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:polkit" source="CPE"/>
-            <oval-def:reference ref_id="installed_env_has_polkit_package" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package polkit is installed" test_ref="oval:ssg-test_env_has_polkit_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_postfix_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package postfix is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package postfix is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:postfix" source="CPE"/>
-            <oval-def:reference ref_id="installed_env_has_postfix_package" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package postfix is installed" test_ref="oval:ssg-test_env_has_postfix_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_sssd-common_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package sssd-common is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package sssd-common is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:sssd" source="CPE"/>
-            <oval-def:reference ref_id="installed_env_has_sssd-common_package" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package sssd-common is installed" test_ref="oval:ssg-test_env_has_sssd-common_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_sudo_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package sudo is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package sudo is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:sudo" source="CPE"/>
-            <oval-def:reference ref_id="installed_env_has_sudo_package" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package sudo is installed" test_ref="oval:ssg-test_env_has_sudo_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_systemd_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package systemd is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package systemd is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:systemd" source="CPE"/>
-            <oval-def:reference ref_id="installed_env_has_systemd_package" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package systemd is installed" test_ref="oval:ssg-test_env_has_systemd_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_tftp_server_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package tftp-server is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package tftp-server is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:tftp-server" source="CPE"/>
-            <oval-def:reference ref_id="installed_env_has_tftp_server_package" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package tftp-server is installed" test_ref="oval:ssg-test_env_has_tftp_server_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_tmux_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package tmux is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package tmux is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:tmux" source="CPE"/>
-            <oval-def:reference ref_id="installed_env_has_tmux_package" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package tmux is installed" test_ref="oval:ssg-test_env_has_tmux_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_usbguard_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package usbguard is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package usbguard is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:usbguard" source="CPE"/>
-            <oval-def:reference ref_id="installed_env_has_usbguard_package" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package usbguard is installed" test_ref="oval:ssg-test_env_has_usbguard_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_wifi_interface:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>WiFi interface is present</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if any wifi interface is present.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:wifi-iface" source="CPE"/>
-            <oval-def:reference ref_id="installed_env_has_wifi_interface" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="WiFi interface is present" test_ref="oval:ssg-test_proc_net_wireless_exists:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_yum_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package yum is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package yum is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:yum" source="CPE"/>
-            <oval-def:reference ref_id="installed_env_has_yum_package" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package yum is installed" test_ref="oval:ssg-test_env_has_yum_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_zipl_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>System uses zIPL</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if system uses zIPL bootloader.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:zipl" source="CPE"/>
-            <oval-def:reference ref_id="installed_env_has_zipl_package" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package s390utils-base is installed" test_ref="oval:ssg-test_env_has_zipl_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_is_a_container:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Check if the scan target is a container</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check for presence of files characterizing container filesystems.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:container" source="CPE"/>
-            <oval-def:reference ref_id="installed_env_is_a_container" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criterion comment="Check if /.dockerenv exists" test_ref="oval:ssg-test_installed_env_is_a_docker_container:tst:1"/>
-            <oval-def:criterion comment="Check if /run/.containerenv exists" test_ref="oval:ssg-test_installed_env_is_a_podman_container:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_is_a_machine:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Check if the scan target is a machine</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check for absence of files characterizing container filesystems.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:machine" source="CPE"/>
-            <oval-def:reference ref_id="installed_env_is_a_machine" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:extend_definition comment="If environment is not a container, it is machine" definition_ref="oval:ssg-installed_env_is_a_container:def:1" negate="true"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-krb5_server_older_than_1_17_18:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Kerberos server is older than 1.17-18</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/a:krb5_server_older_than_1_17-18" source="CPE"/>
-            <oval-def:description>Check if version of Kerberos server is lesser than 1.17-18
-            </oval-def:description>
-            <oval-def:reference ref_id="krb5_server_older_than_1_17_18" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="Kerberos server version is lesser than 1.17-18" operator="OR">
-            <oval-def:criterion comment="Check if version of Kerberos server is lesser than 1.17-18" test_ref="oval:ssg-test_krb5_server_version_1_17_18:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-krb5_workstation_older_than_1_17_18:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Kerberos workstation is older than 1.17-18</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/a:krb5_workstation_older_than_1_17-18" source="CPE"/>
-            <oval-def:description>Check if version of Kerberos workstation is lesser than 1.17-18
-            </oval-def:description>
-            <oval-def:reference ref_id="krb5_workstation_older_than_1_17_18" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="Kerberos workstation version is lesser than 1.17-18" operator="OR">
-            <oval-def:criterion comment="Check if version of Kerberos workstation is lesser than 1.17-18" test_ref="oval:ssg-test_krb5_workstation_version_1_17_18:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-no_cd_dvd_drive_in_etc_fstab:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>No CD/DVD drive is configured to automount in /etc/fstab</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check the /etc/fstab and check if a CD/DVD drive
-      is not configured for automount.</oval-def:description>
-            <oval-def:reference ref_id="no_cd_dvd_drive_in_etc_fstab" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion test_ref="oval:ssg-test_no_cd_dvd_drive_in_etc_fstab:tst:1" comment="Check if CD/DVD drive is not configured to automout in /etc/fstab"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Test that the architecture is aarch64</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check that architecture of kernel in /proc/sys/kernel/osrelease is aarch64</oval-def:description>
-            <oval-def:reference ref_id="proc_sys_kernel_osrelease_arch_aarch64" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Architecture is aarch64" test_ref="oval:ssg-test_proc_sys_kernel_osrelease_arch_aarch64:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-proc_sys_kernel_osrelease_arch_not_aarch64:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Test for different architecture than aarch64</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check that architecture of kernel in /proc/sys/kernel/osrelease is not aarch64</oval-def:description>
-            <oval-def:reference ref_id="proc_sys_kernel_osrelease_arch_not_aarch64" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:extend_definition comment="Architecture is not aarch64" definition_ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1" negate="true"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Test for different architecture than s390x</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check that architecture of kernel in /proc/sys/kernel/osrelease is not s390x</oval-def:description>
-            <oval-def:reference ref_id="proc_sys_kernel_osrelease_arch_not_s390x" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:extend_definition comment="Architecture is not s390x" definition_ref="oval:ssg-proc_sys_kernel_osrelease_arch_s390x:def:1" negate="true"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-proc_sys_kernel_osrelease_arch_ppc64le:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Test that the architecture is ppc64le</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check that architecture of kernel in /proc/sys/kernel/osrelease is ppc64le</oval-def:description>
-            <oval-def:reference ref_id="proc_sys_kernel_osrelease_arch_ppc64le" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Architecture is ppc64le" test_ref="oval:ssg-test_proc_sys_kernel_osrelease_arch_ppc64le:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-proc_sys_kernel_osrelease_arch_s390x:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Test that the architecture is s390x</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check that architecture of kernel in /proc/sys/kernel/osrelease is s390x</oval-def:description>
-            <oval-def:reference ref_id="proc_sys_kernel_osrelease_arch_s390x" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Architecture is s390x" test_ref="oval:ssg-test_proc_sys_kernel_osrelease_arch_s390x:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-removable_partition_doesnt_exist:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Device Files for Removable Media Partitions Does Not Exist on the System</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Verify if device file representing removable partitions
-      exist on the system</oval-def:description>
-            <oval-def:reference ref_id="removable_partition_doesnt_exist" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion test_ref="oval:ssg-test_removable_partition_doesnt_exist:tst:1" comment="Check if removable partition really exists on the system"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sshd_not_required_or_unset:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>SSHD is not required to be installed or requirement not set</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>If SSHD is not required, we check it is not installed. If SSH requirement is unset, we are good.</oval-def:description>
-            <oval-def:reference ref_id="sshd_not_required_or_unset" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="SSH not required or not set" operator="OR">
-            <oval-def:criterion test_ref="oval:ssg-test_sshd_not_required:tst:1"/>
-            <oval-def:extend_definition comment="SSH requirement is unset" definition_ref="oval:ssg-sshd_requirement_unset:def:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sshd_required_or_unset:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>SSHD is required to be installed or requirement not set</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>If SSHD is required, we check it is installed. If SSH requirement is unset, we are good.</oval-def:description>
-            <oval-def:reference ref_id="sshd_required_or_unset" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="SSH required or not set" operator="OR">
-            <oval-def:criterion test_ref="oval:ssg-test_sshd_required:tst:1"/>
-            <oval-def:extend_definition comment="SSH requirement is unset" definition_ref="oval:ssg-sshd_requirement_unset:def:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sshd_requirement_unset:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>It doesn't matter if sshd is installed or not</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Test if value sshd_required is 0.</oval-def:description>
-            <oval-def:reference ref_id="sshd_requirement_unset" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion test_ref="oval:ssg-test_sshd_requirement_unset:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sshd_version_equal_or_higher_than_74:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>OpenSSH Server is 7.4 or newer</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check if version of OpenSSH Server is equal or higher than 7.4</oval-def:description>
-            <oval-def:reference ref_id="sshd_version_equal_or_higher_than_74" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="OpenSSH Server version is equal or higher than 7.4" operator="OR">
-            <oval-def:criterion comment="Check if OpenSSH Server is equal or higher than 7.4" test_ref="oval:ssg-test_openssh-server_version:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-sssd_conf_uses_ldap:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>SSSD is configured to use LDAP</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Identification provider is not set to ad within /etc/sssd/sssd.conf</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:sssd-ldap" source="CPE"/>
-            <oval-def:reference ref_id="sssd_conf_uses_ldap" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Identification provider is not set to ad within /etc/sssd/sssd.conf" test_ref="oval:ssg-test_id_provider_is_set_to_ad:tst:1" negate="true"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-sysctl_kernel_ipv6_disable:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Kernel Runtime Parameter IPv6 Check</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Disables IPv6 for all network interfaces.</oval-def:description>
-            <oval-def:reference ref_id="sysctl_kernel_ipv6_disable" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="IPv6 disabled or net.ipv6.conf.all.disable_ipv6 set correctly" operator="OR">
-            <oval-def:criteria operator="AND">
-              <oval-def:extend_definition comment="net.ipv6.conf.all.disable_ipv6 configuration setting check" definition_ref="oval:ssg-sysctl_net_ipv6_conf_all_disable_ipv6_static:def:1"/>
-              <oval-def:extend_definition comment="net.ipv6.conf.all.disable_ipv6 runtime setting check" definition_ref="oval:ssg-sysctl_net_ipv6_conf_all_disable_ipv6_runtime:def:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-system_boot_mode_is_non_uefi:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Non-UEFI system boot mode check</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check if System boot mode is non-UEFI.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:non-uefi" source="CPE"/>
-            <oval-def:reference ref_id="system_boot_mode_is_non_uefi" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:extend_definition definition_ref="oval:ssg-system_boot_mode_is_uefi:def:1" negate="true" comment="Pass if System boot mode is non-UEFI"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-system_boot_mode_is_uefi:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>UEFI system boot mode check</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check if system boot mode is UEFI.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:uefi" source="CPE"/>
-            <oval-def:reference ref_id="system_boot_mode_is_uefi" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion test_ref="oval:ssg-test_efi_dir_existence:tst:1" comment="check if /sys/firmware/efi folder exists"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-system_info_architecture_64bit:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Test for 64-bit Architecture</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Generic test for 64-bit architectures to be used by other tests</oval-def:description>
-            <oval-def:reference ref_id="system_info_architecture_64bit" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:extend_definition comment="Generic test for x86_64 architecture" definition_ref="oval:ssg-system_info_architecture_x86_64:def:1"/>
-            <oval-def:extend_definition comment="Generic test for ppc64 architecture" definition_ref="oval:ssg-system_info_architecture_ppc_64:def:1"/>
-            <oval-def:extend_definition comment="Generic test for aarch64 architecture" definition_ref="oval:ssg-system_info_architecture_aarch_64:def:1"/>
-            <oval-def:extend_definition comment="Generic test for s390x architecture" definition_ref="oval:ssg-system_info_architecture_s390_64:def:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-system_info_architecture_aarch_64:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Test for aarch_64 Architecture</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Generic test for aarch_64 architecture to be used by other tests</oval-def:description>
-            <oval-def:reference ref_id="system_info_architecture_aarch_64" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Generic test for aarch_64 architecture" test_ref="oval:ssg-test_system_info_architecture_aarch_64:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-system_info_architecture_ppc_64:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Test for PPC and PPCLE Architecture</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Generic test for PPC PPC64LE architecture to be used by other tests</oval-def:description>
-            <oval-def:reference ref_id="system_info_architecture_ppc_64" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criterion comment="Generic test for ppc64 architecture" test_ref="oval:ssg-test_system_info_architecture_ppc_64:tst:1"/>
-            <oval-def:criterion comment="Generic test for ppcle64 architecture" test_ref="oval:ssg-test_system_info_architecture_ppcle_64:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-system_info_architecture_s390_64:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Test for s390_64 Architecture</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Generic test for s390_64 architecture to be used by other tests</oval-def:description>
-            <oval-def:reference ref_id="system_info_architecture_s390_64" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Generic test for s390_64 architecture" test_ref="oval:ssg-test_system_info_architecture_s390_64:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-system_info_architecture_x86:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Test for x86 Architecture</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Generic test for x86 architecture to be used by other tests</oval-def:description>
-            <oval-def:reference ref_id="system_info_architecture_x86" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Generic test for x86 architecture" test_ref="oval:ssg-test_system_info_architecture_x86:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-system_info_architecture_x86_64:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Test for x86_64 Architecture</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Generic test for x86_64 architecture to be used by other tests</oval-def:description>
-            <oval-def:reference ref_id="system_info_architecture_x86_64" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Generic test for x86_64 architecture" test_ref="oval:ssg-test_system_info_architecture_x86_64:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-tmux_conf_readable_by_others:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title/>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check /etc/tmux.conf is readable by others</oval-def:description>
-            <oval-def:reference ref_id="tmux_conf_readable_by_others" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="Check /etc/tmux.conf is readable by others" test_ref="oval:ssg-test_tmux_conf_readable_by_others:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-usbguard_rules_not_empty_not_missing:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Check that file storing USBGuard rules exists and is not empty</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check that file storing USBGuard rules at /etc/usbguard/rules.conf exists and is not empty</oval-def:description>
-            <oval-def:reference ref_id="usbguard_rules_not_empty_not_missing" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria comment="Check that file storing USBGuard rules exists and is not empty" operator="AND">
-            <oval-def:criterion comment="Check that the usbguard rules in either /etc/usbguard/rules.conf or /etc/usbguard/rules.d/ contain at least one non white space character." test_ref="oval:ssg-test_usbguard_rules_nonempty:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-var_accounts_user_umask_as_number:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Value of 'var_accounts_user_umask' variable represented as octal number</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Value of 'var_accounts_user_umask' variable represented as octal number</oval-def:description>
-            <oval-def:reference ref_id="var_accounts_user_umask_as_number" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion test_ref="oval:ssg-test_existence_of_var_accounts_user_umask_as_number_variable:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-var_removable_partition_is_cd_dvd_drive:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Value of 'var_removable_partition' variable is set to '/dev/cdrom'</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Verify if value of 'var_removable_partition' variable is set
-      to '/dev/cdrom'</oval-def:description>
-            <oval-def:reference ref_id="var_removable_partition_is_cd_dvd_drive" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion test_ref="oval:ssg-test_var_removable_partition_is_cd_dvd_drive:tst:1" comment="Check if removable partition value represents CD/DVD drive"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="compliance" id="oval:ssg-var_umask_for_daemons_as_number:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Value of 'var_umask_for_daemons' variable represented as octal number</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Value of 'var_umask_for_daemons' variable represented as octal number</oval-def:description>
-            <oval-def:reference ref_id="var_umask_for_daemons_as_number" source="ssg"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion test_ref="oval:ssg-test_existence_of_var_umask_for_daemons_as_number_variable:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-      </oval-def:definitions>
-      <oval-def:tests>
-        <unix:file_test id="oval:ssg-test_kerberos_disable_no_keytab:tst:1" check="all" check_existence="none_exist" version="1" comment="Ensure keytab file does not exist">
-          <unix:object object_ref="oval:ssg-obj_kerberos_disable_no_keytab:obj:1"/>
-        </unix:file_test>
-        <ind:textfilecontent54_test check="all" comment="Check if root has the correct mail alias." id="oval:ssg-test_postfix_client_configure_mail_alias:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_root_mail_alias:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_root_mail_alias:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="Check if postmaster has the correct mail alias" id="oval:ssg-test_postfix_client_configure_mail_alias_postmaster:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_postmaster_mail_alias:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_postmaster_mail_alias:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_chronyd_client_only:tst:1" comment="check if port is 0 in /etc/chrony.conf" check="all" check_existence="all_exist" version="1">
-          <ind:object object_ref="oval:ssg-obj_chronyd_port_value:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_chronyd_port_value_0:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_chronyd_no_chronyc_network:tst:1" comment="check if cmdport is 0 in /etc/chrony.conf" check="all" check_existence="all_exist" version="1">
-          <ind:object object_ref="oval:ssg-obj_chronyd_cmdport_value:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_chronyd_cmdport_value_0:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="check if maxpoll is set in /etc/ntp.conf" id="oval:ssg-test_ntp_set_maxpoll:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_ntp_set_maxpoll:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_time_service_set_maxpoll:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="check if maxpoll is set in /etc/chrony.conf" id="oval:ssg-test_chrony_set_maxpoll:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_chrony_set_maxpoll:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_time_service_set_maxpoll:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="check if all server entries have maxpoll set in /etc/ntp.conf" id="oval:ssg-test_ntp_all_server_has_maxpoll:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_ntp_all_server_has_maxpoll:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_server_has_maxpoll:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="check if all server entries have maxpoll set in /etc/chrony.conf" id="oval:ssg-test_chrony_all_server_has_maxpoll:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_chrony_all_server_has_maxpoll:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_server_has_maxpoll:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="check if no server entries have server or pool set in /etc/chrony.conf" id="oval:ssg-test_chrony_no_server_nor_pool:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_chrony_no_server_nor_pool:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="check if no server entries in /etc/ntp.conf" id="oval:ssg-test_ntp_no_server:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_ntp_no_server_nor_pool:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Ensure at least one time source is set with server directive" id="oval:ssg-test_chronyd_server_directive_with_server:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_chronyd_server_directive:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="Ensure no time source is set with pool directive" id="oval:ssg-test_chronyd_server_directive_no_pool:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_chronyd_no_pool_directive:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Ensure at least one NTP server is set" id="oval:ssg-test_chronyd_remote_server:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_chronyd_remote_server:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Ensure more than one ntpd NTP server is set" id="oval:ssg-test_ntpd_multiple_servers:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_ntpd_multiple_servers:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Ensure at least one ntpd NTP server is set" id="oval:ssg-test_ntp_remote_server:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_ntp_remote_server:obj:1"/>
-        </ind:textfilecontent54_test>
-        <unix:file_test check="all" check_existence="at_least_one_exists" comment="look for .rhosts in /root" id="oval:ssg-test_no_rsh_trust_files_root:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_no_rsh_trust_files_root:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="at_least_one_exists" comment="look for .rhosts in /home" id="oval:ssg-test_no_rsh_trust_files_home:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_no_rsh_trust_files_home:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="at_least_one_exists" comment="look for /etc/hosts.equiv" id="oval:ssg-test_no_rsh_trust_files_etc:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_no_rsh_trust_files_etc:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="No keys that have unsafe ownership/permissions combination exist" id="oval:ssg-test_no_offending_keys:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_offending_keys:obj:1"/>
-        </unix:file_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in /etc/ssh/ssh_config file" id="oval:ssg-test_ssh_client_rekey_limit_main_config:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_ssh_client_rekey_limit_main_config:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in /etc/ssh/ssh_config.d/*.conf" id="oval:ssg-test_ssh_client_rekey_limit_include_configs:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_ssh_client_rekey_limit_include_configs:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="sshd uses protocol 2" id="oval:ssg-test_sshd_allow_only_protocol2:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_sshd_allow_only_protocol2:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of Compression setting in the /etc/ssh/sshd_config file" id="oval:ssg-test_sshd_disable_compression:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_sshd_disable_compression:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sshd_disable_compression:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="Tests the value of the RhostsRSAAuthentication[\s]*(&lt;:nocomment:&gt;*) setting in the /etc/ssh/sshd_config file" id="oval:ssg-test_sshd_disable_rhosts_rsa:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_sshd_disable_rhosts_rsa:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of RekeyLimit setting in the file" id="oval:ssg-test_sshd_rekey_limit:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_sshd_rekey_limit:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="timeout is configured" id="oval:ssg-test_sshd_idle_timeout:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_sshd_idle_timeout:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_timeout_value_upper_bound:ste:1"/>
-          <ind:state state_ref="oval:ssg-state_timeout_value_lower_bound:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the ClientAliveCountMax setting in the /etc/ssh/sshd_config file" id="oval:ssg-test_sshd_clientalivecountmax:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_sshd_clientalivecountmax:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sshd_clientalivecountmax:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="LoginGraceTime is configured" id="oval:ssg-test_sshd_login_grace_time:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_sshd_login_grace_time:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_logingracetime_value_upper_bound:ste:1"/>
-          <ind:state state_ref="oval:ssg-state_logingracetime_value_lower_bound:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="maxauthtries is configured" id="oval:ssg-test_sshd_max_auth_tries:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_sshd_max_auth_tries:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_maxauthtries_value_upper_bound:ste:1"/>
-          <ind:state state_ref="oval:ssg-state_maxauthtries_value_lower_bound:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="maxsessions is configured" id="oval:ssg-test_sshd_max_sessions:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_sshd_max_sessions:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_maxsessions_value_upper_bound:ste:1"/>
-          <ind:state state_ref="oval:ssg-state_maxsessions_value_lower_bound:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" id="oval:ssg-tst_maxstartups_start_parameter:tst:1" version="1" comment="SSH MaxStartups start parameter is less than or equal to 10">
-          <ind:object object_ref="oval:ssg-obj_sshd_config_maxstartups_first_parameter:obj:1"/>
-          <ind:state state_ref="oval:ssg-ste_sshd_config_start_parameter_valid:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" id="oval:ssg-tst_maxstartups_rate_parameter:tst:1" version="1" comment="SSH MaxStartups rate parameter is greater than or equal to 30">
-          <ind:object object_ref="oval:ssg-obj_sshd_config_maxstartups_second_parameter:obj:1"/>
-          <ind:state state_ref="oval:ssg-ste_sshd_config_rate_parameter_valid:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" id="oval:ssg-tst_maxstartups_full_parameter:tst:1" version="1" comment="SSH MaxStartups full parameter is less than or equal to 100">
-          <ind:object object_ref="oval:ssg-obj_sshd_config_maxstartups_third_parameter:obj:1"/>
-          <ind:state state_ref="oval:ssg-ste_sshd_config_full_parameter_valid:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of UsePrivilegeSeparation setting in the /etc/ssh/sshd_config file" id="oval:ssg-test_sshd_use_priv_separation:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_sshd_use_priv_separation:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sshd_use_priv_separation:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of pam_cert_auth setting in the /etc/sssd/sssd.conf file" id="oval:ssg-test_sssd_enable_smartcards:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_sssd_enable_smartcards:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of offline_credentials_expiration setting in the /etc/sssd/sssd.conf file" id="oval:ssg-test_sssd_offline_cred_expiration:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_sssd_offline_cred_expiration:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sssd_run_as_sssd_user:tst:1" comment="tests the value of user setting in SSSD config files" check_existence="at_least_one_exists" check="all" version="1">
-          <ind:object object_ref="oval:ssg-obj_sssd_user_value:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sssd_user_value:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of AuditBackend setting in the /etc/usbguard/usbguard-daemon.conf file" id="oval:ssg-test_configure_usbguard_auditbackend:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_configure_usbguard_auditbackend:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_configure_usbguard_auditbackend:ste:1"/>
-        </ind:textfilecontent54_test>
-        <unix:file_test id="oval:ssg-test_configure_usbguard_auditbackend_config_file_exists:tst:1" check="all" check_existence="all_exist" comment="The configuration file /etc/usbguard/usbguard-daemon.conf exists for configure_usbguard_auditbackend" version="1">
-          <unix:object object_ref="oval:ssg-obj_configure_usbguard_auditbackend_config_file:obj:1"/>
-        </unix:file_test>
-        <ind:textfilecontent54_test check="at least one" check_existence="at_least_one_exists" comment="correct banner in /etc/issue" id="oval:ssg-test_banner_etc_issue:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_banner_etc_issue:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_banner_etc_issue:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="Check absence of conf pam_succeed_if in /etc/pam.d/sudo" id="oval:ssg-test_disallow_bypass_password_sudo:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_disallow_bypass_password_sudo:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="Check the pam_lastlog configuration" id="oval:ssg-test_display_login_attempts:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_display_login_attempts:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="Forbid 'silent' option for pam_lastlog" id="oval:ssg-test_display_login_attempts_silent:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_display_login_attempts_silent:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" version="1" id="oval:ssg-test_pam_faillock_audit_parameter_system_auth:tst:1" comment="Check the presence of audit parameter in system-auth">
-          <ind:object object_ref="oval:ssg-obj_all_pam_faillock_audit_parameter_system_auth:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="none_exist" version="1" id="oval:ssg-test_pam_faillock_audit_parameter_no_pamd_system:tst:1" comment="Check the absence of audit parameter in system-auth">
-          <ind:object object_ref="oval:ssg-obj_all_pam_faillock_audit_parameter_system_auth:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" version="1" id="oval:ssg-test_pam_faillock_audit_parameter_password_auth:tst:1" comment="Check the presence of audit parameter in password-auth">
-          <ind:object object_ref="oval:ssg-obj_all_pam_faillock_audit_parameter_password_auth:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="none_exist" version="1" id="oval:ssg-test_pam_faillock_audit_parameter_no_pamd_password:tst:1" comment="Check the absence of audit parameter in password-auth">
-          <ind:object object_ref="oval:ssg-obj_all_pam_faillock_audit_parameter_password_auth:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" version="1" id="oval:ssg-test_pam_faillock_audit_parameter_faillock_conf:tst:1" comment="Check the expected audit value in in /etc/security/faillock.conf">
-          <ind:object object_ref="oval:ssg-object_pam_faillock_audit_parameter_faillock_conf:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="none_exist" version="1" id="oval:ssg-test_pam_faillock_audit_parameter_no_faillock_conf:tst:1" comment="Check the absence of audit parameter in /etc/security/faillock.conf">
-          <ind:object object_ref="oval:ssg-object_pam_faillock_audit_parameter_faillock_conf:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="check if CtrlAltDelBurstAction is set to none" id="oval:ssg-test_disable_ctrlaltdel_burstaction:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_disable_ctrlaltdel_burstaction:obj:1"/>
-        </ind:textfilecontent54_test>
-        <unix:symlink_test check="all" check_existence="all_exist" comment="Disable Ctrl-Alt-Del key sequence override exists" id="oval:ssg-test_disable_ctrlaltdel_exists:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_disable_ctrlaltdel_exists:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_disable_ctrlaltdel_exists:ste:1"/>
-        </unix:symlink_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_grub2_disable_interactive_boot_grub_cmdline_linux:tst:1" comment="Check systemd.confirm_spawn=(1|true|yes|on) not in GRUB_CMDLINE_LINUX" check="all" check_existence="none_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_grub2_disable_interactive_boot_grub_cmdline_linux:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_grub2_disable_interactive_boot_grub_cmdline_linux_default:tst:1" comment="Check systemd.confirm_spawn=(1|true|yes|on) not in GRUB_CMDLINE_LINUX_DEFAULT" check="all" check_existence="none_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_grub2_disable_interactive_boot_grub_cmdline_linux_default:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests that     /usr/lib/systemd/systemd-sulogin-shell     was not removed from the default systemd rescue.service to ensure that a   password must be entered to access single user mode" id="oval:ssg-test_require_rescue_service:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_require_rescue_service:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests that the systemd rescue.service is in the runlevel1.target" id="oval:ssg-test_require_rescue_service_runlevel1:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_require_rescue_service_runlevel1:obj:1"/>
-        </ind:textfilecontent54_test>
-        <unix:file_test check="all" check_existence="at_least_one_exists" comment="look for rescue.service in /etc/systemd/system" id="oval:ssg-test_no_custom_rescue_service:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_no_custom_rescue_service:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="at_least_one_exists" comment="look for runlevel1.target in /etc/systemd/system" id="oval:ssg-test_no_custom_runlevel1_target:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_no_custom_runlevel1_target:obj:1"/>
-        </unix:file_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="check tmux is configured to exec on the last line of /etc/bashrc" id="oval:ssg-test_configure_bashrc_exec_tmux:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_configure_bashrc_exec_tmux:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="check lock-after-time is set to 900 in /etc/tmux.conf" id="oval:ssg-test_configure_tmux_lock_after_time:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_configure_tmux_lock_after_time:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_configure_tmux_lock_after_time_lower_boundary:ste:1"/>
-          <ind:state state_ref="oval:ssg-state_configure_tmux_lock_after_time_upper_boundary:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="check lock-command is set to vlock in /etc/tmux.conf" id="oval:ssg-test_configure_tmux_lock_command:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_configure_tmux_lock_command:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check_existence="none_exist" check="all" comment="check that tmux is not listed in /etc/shells" id="oval:ssg-test_no_tmux_in_shells:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_no_tmux_in_shells:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="the value INACTIVE parameter should be set appropriately in /etc/default/useradd" id="oval:ssg-test_etc_default_useradd_inactive:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_etc_default_useradd_inactive:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_etc_default_useradd_inactive:ste:1"/>
-          <ind:state state_ref="oval:ssg-state_etc_default_useradd_inactive_nonnegative:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test id="oval:ssg-test_etc_passwd_no_duplicate_user_names:tst:1" check="all" check_existence="all_exist" comment="There should not exist duplicate user name entries in /etc/passwd" version="1">
-          <ind:object object_ref="oval:ssg-object_count_of_all_usernames_from_etc_passwd:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_etc_passwd_no_duplicate_user_names:ste:1"/>
-        </ind:variable_test>
-        <ind:variable_test id="oval:ssg-test_pass_max_days:tst:1" check="all" comment="The value of PASS_MAX_DAYS should be set appropriately in /etc/login.defs" version="1">
-          <ind:object object_ref="oval:ssg-object_last_pass_max_days_instance_value:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_last_pass_max_days_instance_value:ste:1"/>
-        </ind:variable_test>
-        <ind:variable_test id="oval:ssg-test_pass_min_days:tst:1" check="all" comment="The value of PASS_MIN_DAYS should be set appropriately in /etc/login.defs" version="1">
-          <ind:object object_ref="oval:ssg-object_last_pass_min_days_instance_value:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_last_pass_min_days_instance_value:ste:1"/>
-        </ind:variable_test>
-        <ind:variable_test id="oval:ssg-test_pass_min_len:tst:1" check="all" comment="The value of PASS_MIN_LEN should be set appropriately in /etc/login.defs" version="1">
-          <ind:object object_ref="oval:ssg-object_last_pass_min_len_instance_value:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_last_pass_min_len_instance_value:ste:1"/>
-        </ind:variable_test>
-        <ind:variable_test id="oval:ssg-test_pass_warn_age:tst:1" check="all" comment="The value of PASS_WARN_AGE should be set appropriately in /etc/login.defs" version="1">
-          <ind:object object_ref="oval:ssg-object_last_pass_warn_age_instance_value:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_last_pass_warn_age_instance_value:ste:1"/>
-        </ind:variable_test>
-        <unix:password_test check="all" comment="password hashes are shadowed" id="oval:ssg-test_accounts_password_all_shadowed:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_accounts_password_all_shadowed:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_accounts_password_all_shadowed:ste:1"/>
-        </unix:password_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_gid_passwd_group_same:tst:1" check="all" check_existence="all_exist" comment="Verify all GIDs referenced in /etc/passwd are defined in /etc/group" version="1">
-          <ind:object object_ref="oval:ssg-object_gid_passwd_group_same:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_gid_passwd_group_same:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="none_exist" version="1" id="oval:ssg-test_no_empty_passwords:tst:1" comment="make sure nullok is not used in /etc/pam.d/system-auth">
-          <ind:object object_ref="oval:ssg-object_no_empty_passwords:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="none_exist" version="1" id="oval:ssg-test_no_empty_passwords_etc_shadow:tst:1" comment="make sure there aren't blank or null passwords in /etc/shadow">
-          <ind:object object_ref="oval:ssg-obj_no_empty_passwords_etc_shadow:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="check for existence of lines starting with +" id="oval:ssg-test_no_legacy_plus_entries_etc_group:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_no_legacy_plus_entries_etc_group:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="check for existence of lines starting with +" id="oval:ssg-test_no_legacy_plus_entries_etc_passwd:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_no_legacy_plus_entries_etc_passwd:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="check for existence of lines starting with +" id="oval:ssg-test_no_legacy_plus_entries_etc_shadow:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_no_legacy_plus_entries_etc_shadow:obj:1"/>
-        </ind:textfilecontent54_test>
-        <unix:file_test check="all" check_existence="at_least_one_exists" comment="look for .netrc in /home" id="oval:ssg-test_no_netrc_files_home:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_no_netrc_files_home:obj:1"/>
-        </unix:file_test>
-        <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="test that there are no accounts with UID 0 except root in the /etc/passwd file" id="oval:ssg-test_accounts_no_uid_except_root:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_accounts_no_uid_except_root:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_accounts_root_gid_zero:tst:1" check="all" comment="test that there are no accounts with UID 0 except root in the /etc/passwd file" version="1">
-          <ind:object object_ref="oval:ssg-object_accounts_root_gid_zero:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_accounts_root_gid_zero:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="/etc/securetty file exists" id="oval:ssg-test_etc_securetty_exists:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_etc_securetty_exists:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="no entries in /etc/securetty" id="oval:ssg-test_no_direct_root_logins:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_no_direct_root_logins:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test state_operator="OR" id="oval:ssg-test_shell_defined_default_uid_range:tst:1" check="all" check_existence="any_exist" comment="&lt;0, UID_MIN - 1&gt; system UIDs having shell set" version="1">
-          <ind:object object_ref="oval:ssg-object_etc_passwd_entries:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_uid_less_than_zero:ste:1"/>
-          <ind:state state_ref="oval:ssg-state_uid_greater_than_or_equal_uid_min:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sys_uid_min_not_defined:tst:1" comment="SYS_UID_MIN not defined in /etc/login.defs" check="all" check_existence="none_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_last_sys_uid_min_from_etc_login_defs:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sys_uid_max_not_defined:tst:1" comment="SYS_UID_MAX not defined in /etc/login.defs" check="all" check_existence="none_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_last_sys_uid_max_from_etc_login_defs:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test state_operator="OR" id="oval:ssg-test_shell_defined_reserved_uid_range:tst:1" check="all" check_existence="any_exist" comment="&lt;0, SYS_UID_MIN&gt; system UIDs having shell set" version="1">
-          <ind:object object_ref="oval:ssg-object_etc_passwd_entries:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_uid_less_than_zero:ste:1"/>
-          <ind:state state_ref="oval:ssg-state_uid_greater_than_or_equal_sys_uid_min:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test state_operator="OR" id="oval:ssg-test_shell_defined_dynalloc_uid_range:tst:1" check="all" check_existence="any_exist" comment="&lt;SYS_UID_MIN, SYS_UID_MAX&gt; system UIDS having shell set" version="1">
-          <ind:object object_ref="oval:ssg-object_etc_passwd_entries:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_uid_less_than_sys_uid_min:ste:1"/>
-          <ind:state state_ref="oval:ssg-state_uid_greater_than_or_equal_sys_uid_max:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="serial ports /etc/securetty" id="oval:ssg-test_serial_ports_etc_securetty:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_serial_ports_etc_securetty:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="virtual consoles /etc/securetty" id="oval:ssg-test_virtual_consoles_etc_securetty:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_virtual_consoles_etc_securetty:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="check FAIL_DELAY in /etc/login.defs" id="oval:ssg-test_accounts_logon_fail_delay:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_accounts_logon_fail_delay:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_accounts_logon_fail_delay:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="the value maxlogins should be set appropriately in /etc/security/limits.conf" id="oval:ssg-test_maxlogins:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_etc_security_limits_conf_maxlogins:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_maxlogins:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="the value maxlogins should be set appropriately in /etc/security/limits.d/*.conf" id="oval:ssg-test_limitsd_maxlogins:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_etc_security_limitsd_conf_maxlogins:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_maxlogins:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="the value maxlogins should be set appropriately in /etc/security/limits.d/*.conf" id="oval:ssg-test_limitsd_maxlogins_exists:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_etc_security_limitsd_conf_maxlogins_exists:obj:1"/>
-        </ind:textfilecontent54_test>
-        <unix:file_test comment="Check that /tmp/tmp-inst exists and has mode 000" check="all" check_existence="only_one_exists" id="oval:ssg-test_tmp_inst:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-obj_tmp_inst:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_tmp_inst:ste:1"/>
-        </unix:file_test>
-        <ind:textfilecontent54_test check="all" comment="Check configuration of /tmp in /etc/security/namespace.conf file" id="oval:ssg-test_tmp_in_namespace_conf:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_tmp_in_namespace_conf:obj:1"/>
-        </ind:textfilecontent54_test>
-        <unix:file_test comment="Check that /tmp-inst exists and has mode 000" check="all" check_existence="only_one_exists" id="oval:ssg-test_var_tmp_tmp_inst:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-obj_var_tmp_tmp_inst:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_var_tmp_tmp_inst:ste:1"/>
-        </unix:file_test>
-        <ind:textfilecontent54_test check="all" comment="Check configuration of /tmp in /etc/security/namespace.conf file" id="oval:ssg-test_var_tmp_in_namespace_conf:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_var_tmp_in_namespace_conf:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="TMOUT in /etc/profile" id="oval:ssg-test_etc_profile_tmout:tst:1" version="2">
-          <ind:object object_ref="oval:ssg-object_etc_profile_tmout:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_etc_profile_tmout:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="TMOUT in /etc/profile.d/*.sh" id="oval:ssg-test_etc_profiled_tmout:tst:1" version="2">
-          <ind:object object_ref="oval:ssg-object_etc_profiled_tmout:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_etc_profile_tmout:ste:1"/>
-        </ind:textfilecontent54_test>
-        <unix:file_test id="oval:ssg-test_file_permissions_home_dirs:tst:1" check="all" check_existence="any_exist" version="1" comment="All home directories have proper permissions">
-          <unix:object object_ref="oval:ssg-object_file_permissions_home_dirs_dirs:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_file_permissions_home_dirs_dirs:ste:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Check if there aren't directories in root's path having write permission set for group or other" id="oval:ssg-test_accounts_root_path_dirs_no_group_other_write:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_accounts_root_path_dirs_no_group_other_write:obj:1"/>
-        </unix:file_test>
-        <ind:environmentvariable58_test check="none satisfy" comment="environment variable PATH starts with : or ." id="oval:ssg-test_env_var_begins:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_root_path_no_dot:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_begins_colon_period:ste:1"/>
-        </ind:environmentvariable58_test>
-        <ind:environmentvariable58_test check="none satisfy" comment="environment variable PATH doesn't contain : twice in a row" id="oval:ssg-test_env_var_contains_doublecolon:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_root_path_no_dot:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_contains_double_colon:ste:1"/>
-        </ind:environmentvariable58_test>
-        <ind:environmentvariable58_test check="none satisfy" comment="environment variable PATH doesn't contain . twice in a row" id="oval:ssg-test_env_var_contains_doubleperiod:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_root_path_no_dot:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_contains_double_period:ste:1"/>
-        </ind:environmentvariable58_test>
-        <ind:environmentvariable58_test check="none satisfy" comment="environment variable PATH ends with : or ." id="oval:ssg-test_env_var_ends:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_root_path_no_dot:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_ends_colon_period:ste:1"/>
-        </ind:environmentvariable58_test>
-        <ind:environmentvariable58_test check="none satisfy" comment="environment variable PATH starts with an absolute path /" id="oval:ssg-test_env_var_begins_slash:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_root_path_no_dot:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_begins_slash:ste:1"/>
-        </ind:environmentvariable58_test>
-        <ind:environmentvariable58_test check="none satisfy" comment="environment variable PATH contains relative paths" id="oval:ssg-test_env_var_contains_relative_path:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_root_path_no_dot:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_contains_relative_path:ste:1"/>
-        </ind:environmentvariable58_test>
-        <ind:variable_test id="oval:ssg-tst_accounts_umask_etc_bashrc:tst:1" version="1" check="all" comment="Test the retrieved /etc/bashrc umask value(s) match the var_accounts_user_umask requirement">
-          <ind:object object_ref="oval:ssg-obj_accounts_umask_etc_bashrc:obj:1"/>
-          <ind:state state_ref="oval:ssg-ste_accounts_umask_etc_bashrc:ste:1"/>
-        </ind:variable_test>
-        <ind:variable_test id="oval:ssg-tst_accounts_umask_etc_csh_cshrc:tst:1" version="1" check="all" comment="Test the retrieved /etc/csh.cshrc umask value(s) match the var_accounts_user_umask requirement">
-          <ind:object object_ref="oval:ssg-obj_accounts_umask_etc_csh_cshrc:obj:1"/>
-          <ind:state state_ref="oval:ssg-ste_accounts_umask_etc_csh_cshrc:ste:1"/>
-        </ind:variable_test>
-        <ind:variable_test id="oval:ssg-tst_accounts_umask_etc_login_defs:tst:1" version="1" check="all" comment="Test the retrieved /etc/login.defs umask value(s) match the var_accounts_user_umask requirement">
-          <ind:object object_ref="oval:ssg-obj_accounts_umask_etc_login_defs:obj:1"/>
-          <ind:state state_ref="oval:ssg-ste_accounts_umask_etc_login_defs:ste:1"/>
-        </ind:variable_test>
-        <ind:variable_test id="oval:ssg-tst_accounts_umask_etc_profile:tst:1" version="1" check="all" comment="Test the retrieved /etc/profile umask value(s) match the var_accounts_user_umask requirement">
-          <ind:object object_ref="oval:ssg-obj_accounts_umask_etc_profile:obj:1"/>
-          <ind:state state_ref="oval:ssg-ste_accounts_umask_etc_profile:ste:1"/>
-        </ind:variable_test>
-        <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="check that no audit rule exists in /etc/audit/rules.d/*.rules that disables all syscall auditing" id="oval:ssg-test_enable_syscall_audit_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_enable_syscall_audit_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="check that no audit rule exists in /etc/audit/audit.rules that disables all syscall auditing" id="oval:ssg-test_enable_syscall_audit_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_enable_syscall_audit_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules configuration locked" id="oval:ssg-test_ari_locked_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_ari_locked_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl configuration locked" id="oval:ssg-test_ari_locked_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_ari_locked_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit selinux changes augenrules" id="oval:ssg-test_armm_selinux_watch_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_armm_selinux_watch_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit selinux changes auditctl" id="oval:ssg-test_armm_selinux_watch_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_armm_selinux_watch_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit /etc/issue augenrules" id="oval:ssg-test_arnm_etc_issue_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arnm_etc_issue_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit /etc/issue.net augenrules" id="oval:ssg-test_arnm_etc_issue_net_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arnm_etc_issue_net_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit /etc/hosts augenrules" id="oval:ssg-test_arnm_etc_hosts_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arnm_etc_hosts_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit /etc/sysconfig/network augenrules" id="oval:ssg-test_arnm_etc_sysconfig_network_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arnm_etc_sysconfig_network_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit /etc/issue auditctl" id="oval:ssg-test_arnm_etc_issue_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arnm_etc_issue_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit /etc/issue.net auditctl" id="oval:ssg-test_arnm_etc_issue_net_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arnm_etc_issue_net_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit /etc/hosts auditctl" id="oval:ssg-test_arnm_etc_hosts_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arnm_etc_hosts_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit /etc/sysconfig/network auditctl" id="oval:ssg-test_arnm_etc_sysconfig_network_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arnm_etc_sysconfig_network_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules utmp" id="oval:ssg-test_arse_utmp_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arse_utmp_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules btmp" id="oval:ssg-test_arse_btmp_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arse_btmp_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules wtmp" id="oval:ssg-test_arse_wtmp_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arse_wtmp_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl utmp" id="oval:ssg-test_arse_utmp_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arse_utmp_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl btmp" id="oval:ssg-test_arse_btmp_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arse_btmp_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl wtmp" id="oval:ssg-test_arse_wtmp_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arse_wtmp_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules sudoers" id="oval:ssg-test_audit_rules_sysadmin_actions_sudoers_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_sysadmin_actions_sudoers_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules sudoers" id="oval:ssg-test_audit_rules_sysadmin_actions_sudoers_d_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_sysadmin_actions_sudoers_d_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl sudoers" id="oval:ssg-test_audit_rules_sysadmin_actions_sudoers_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_sysadmin_actions_sudoers_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl sudoers" id="oval:ssg-test_audit_rules_sysadmin_actions_sudoers_d_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_sysadmin_actions_sudoers_d_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules /etc/group" id="oval:ssg-test_audit_rules_usergroup_modification_etc_group_augen:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_usergroup_modification_etc_group_augen:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules /etc/passwd" id="oval:ssg-test_audit_rules_usergroup_modification_etc_passwd_augen:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_usergroup_modification_etc_passwd_augen:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules /etc/gshadow" id="oval:ssg-test_audit_rules_usergroup_modification_etc_gshadow_augen:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_usergroup_modification_etc_gshadow_augen:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules /etc/shadow" id="oval:ssg-test_audit_rules_usergroup_modification_etc_shadow_augen:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_usergroup_modification_etc_shadow_augen:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules /etc/security/opasswd" id="oval:ssg-test_audit_rules_usergroup_modification_etc_security_opasswd_augen:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_usergroup_modification_etc_security_opasswd_augen:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit /etc/group" id="oval:ssg-test_audit_rules_usergroup_modification_etc_group_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_usergroup_modification_etc_group_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit /etc/passwd" id="oval:ssg-test_audit_rules_usergroup_modification_etc_passwd_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_usergroup_modification_etc_passwd_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit /etc/gshadow" id="oval:ssg-test_audit_rules_usergroup_modification_etc_gshadow_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_usergroup_modification_etc_gshadow_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit /etc/shadow" id="oval:ssg-test_audit_rules_usergroup_modification_etc_shadow_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_usergroup_modification_etc_shadow_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit /etc/security/opasswd" id="oval:ssg-test_audit_rules_usergroup_modification_etc_security_opasswd_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_usergroup_modification_etc_security_opasswd_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_directory_acccess_var_log_audit_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_directory_acccess_var_log_audit_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_directory_acccess_var_log_audit_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_directory_acccess_var_log_audit_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <unix:file_test check="all" check_existence="at_least_one_exists" comment="/var/log/audit mode 0700" id="oval:ssg-test_dir_permissions_audit_log:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_audit_log_directory:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_not_mode_0700:ste:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="at_least_one_exists" comment="/var/log/audit mode 0700" id="oval:ssg-test_dir_permissions_var_log_audit:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_var_log_audit_directory:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_not_mode_0700:ste:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="at_least_one_exists" comment="/var/log/audit files mode 0750" id="oval:ssg-test_dir_permissions_var_log_audit-non_root:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_var_log_audit_directory-non_root:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_not_mode_0750:ste:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="at_least_one_exists" comment="/var/log/audit files mode 0750" id="oval:ssg-test_dir_permissions_audit_log-non_root:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_audit_log_directory-non_root:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_not_mode_0750:ste:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="/var/log/audit directories uid root gid root" id="oval:ssg-test_ownership_var_log_audit_directories:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_ownership_var_log_audit_directories:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="/var/log/audit files uid root gid root" id="oval:ssg-test_ownership_var_log_audit_files:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_ownership_var_log_audit_files:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="all_exist" comment="/var/log/audit directories uid root gid root" id="oval:ssg-test_ownership_var_log_audit_directories-non_root:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_ownership_var_log_audit_directories-non_root:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="all_exist" comment="/var/log/audit files uid root gid root" id="oval:ssg-test_ownership_var_log_audit_files-non_root:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_ownership_var_log_audit_files-non_root:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="at_least_one_exists" comment="audit log files mode 0600" id="oval:ssg-test_file_permissions_audit_log:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_audit_log_files:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_not_mode_0600:ste:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="at_least_one_exists" comment="/var/log/audit files mode 0600" id="oval:ssg-test_file_permissions_var_log_audit:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_var_log_audit_files:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_not_mode_0600:ste:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="at_least_one_exists" comment="audit log files mode 0640" id="oval:ssg-test_file_permissions_audit_log-non_root:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_audit_log_files-non_root:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_not_mode_0640:ste:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="at_least_one_exists" comment="/var/log/audit files mode 0640" id="oval:ssg-test_file_permissions_var_log_audit-non_root:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_var_log_audit_files-non_root:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_not_mode_0640:ste:1"/>
-        </unix:file_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit umount" id="oval:ssg-test_32bit_ardm_umount_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_ardm_umount_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit umount" id="oval:ssg-test_32bit_ardm_umount_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_ardm_umount_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit delete_module" id="oval:ssg-test_32bit_ardm_delete_module_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_ardm_delete_module_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit delete_module" id="oval:ssg-test_64bit_ardm_delete_module_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_ardm_delete_module_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit delete_module" id="oval:ssg-test_32bit_ardm_delete_module_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_ardm_delete_module_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit delete_module" id="oval:ssg-test_64bit_ardm_delete_module_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_ardm_delete_module_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit finit_module" id="oval:ssg-test_32bit_ardm_finit_module_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_ardm_finit_module_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit finit_module" id="oval:ssg-test_64bit_ardm_finit_module_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_ardm_finit_module_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit finit_module" id="oval:ssg-test_32bit_ardm_finit_module_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_ardm_finit_module_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit finit_module" id="oval:ssg-test_64bit_ardm_finit_module_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_ardm_finit_module_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit init_module" id="oval:ssg-test_32bit_ardm_init_module_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_ardm_init_module_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit init_module" id="oval:ssg-test_64bit_ardm_init_module_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_ardm_init_module_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit init_module" id="oval:ssg-test_32bit_ardm_init_module_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_ardm_init_module_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit init_module" id="oval:ssg-test_64bit_ardm_init_module_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_ardm_init_module_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="audit augenrules suid sgid" id="oval:ssg-test_arpc_suid_sgid_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arpc_suid_sgid_augenrules:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_audit_rules_privileged_commands:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" id="oval:ssg-test_arpc_bin_count_equals_rules_count_augenrules:tst:1" comment="audit augenrules binaries count matches rules count" version="1">
-          <ind:object object_ref="oval:ssg-object_count_of_suid_sgid_binaries_on_system:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_count_of_privileged_commands_having_audit_definition_augenrules:ste:1"/>
-        </ind:variable_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="audit auditctl suid sgid" id="oval:ssg-test_arpc_suid_sgid_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arpc_suid_sgid_auditctl:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_audit_rules_privileged_commands:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" id="oval:ssg-test_arpc_bin_count_equals_rules_count_auditctl:tst:1" comment="audit auditctl binaries count matches rules count" version="1">
-          <ind:object object_ref="oval:ssg-object_count_of_suid_sgid_binaries_on_system:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_count_of_privileged_commands_having_audit_definition_auditctl:ste:1"/>
-        </ind:variable_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit adjtimex" id="oval:ssg-test_32bit_art_adjtimex_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_art_adjtimex_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit adjtimex" id="oval:ssg-test_64bit_art_adjtimex_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_art_adjtimex_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit adjtimex" id="oval:ssg-test_32bit_art_adjtimex_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_art_adjtimex_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit adjtimex" id="oval:ssg-test_64bit_art_adjtimex_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_art_adjtimex_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit clock_settime" id="oval:ssg-test_32bit_art_clock_settime_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_art_clock_settime_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit clock_settime" id="oval:ssg-test_64bit_art_clock_settime_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_art_clock_settime_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit clock_settime" id="oval:ssg-test_32bit_art_clock_settime_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_art_clock_settime_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit clock_settime" id="oval:ssg-test_64bit_art_clock_settime_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_art_clock_settime_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit settimeofday" id="oval:ssg-test_32bit_art_settimeofday_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_art_settimeofday_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit settimeofday" id="oval:ssg-test_64bit_art_settimeofday_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_art_settimeofday_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit settimeofday" id="oval:ssg-test_32bit_art_settimeofday_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_art_settimeofday_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit settimeofday" id="oval:ssg-test_64bit_art_settimeofday_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_art_settimeofday_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit stime" id="oval:ssg-test_32bit_art_stime_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_art_stime_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit stime" id="oval:ssg-test_32bit_art_stime_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_art_stime_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit /etc/localtime watch augenrules" id="oval:ssg-test_artw_etc_localtime_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_artw_etc_localtime_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit /etc/localtime watch auditctl" id="oval:ssg-test_artw_etc_localtime_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_artw_etc_localtime_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="remote server to send audit records" id="oval:ssg-test_auditd_audispd_configure_remote_server:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_auditd_audispd_configure_remote_server:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_auditd_audispd_configure_remote_server:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="the action the operating system takes if there is an error sending audit records to a remote system" id="oval:ssg-test_auditd_audispd_disk_full_action:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_auditd_audispd_disk_full_action:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_auditd_audispd_disk_full_action:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="setting in audisp-remote.conf" id="oval:ssg-test_auditd_audispd_encrypt_sent_records:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_auditd_audispd_encrypt_sent_records:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="the action the operating system takes if there is an error sending audit records to a remote system" id="oval:ssg-test_auditd_audispd_network_failure_action:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_auditd_audispd_network_failure_action:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_auditd_audispd_network_failure_action:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audispd syslog plugin activated" id="oval:ssg-test_auditd_audispd_syslog_plugin_activated:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_auditd_audispd_syslog_plugin_activated:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="disk full action" id="oval:ssg-test_auditd_data_disk_error_action:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_auditd_data_disk_error_action:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_auditd_data_disk_error_action:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="disk full action" id="oval:ssg-test_auditd_data_disk_error_action_stig_syslog:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_auditd_data_disk_error_action_stig:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_auditd_data_disk_error_action_stig_syslog:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="disk full action" id="oval:ssg-test_auditd_data_disk_error_action_stig_single:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_auditd_data_disk_error_action_stig:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_auditd_data_disk_error_action_stig_single:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="disk full action" id="oval:ssg-test_auditd_data_disk_error_action_stig_halt:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_auditd_data_disk_error_action_stig:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_auditd_data_disk_error_action_stig_halt:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="disk error action" id="oval:ssg-test_auditd_data_disk_full_action:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_auditd_data_disk_full_action:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_auditd_data_disk_full_action:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="disk full action" id="oval:ssg-test_auditd_data_disk_full_action_stig_syslog:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_auditd_data_disk_full_action_stig:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_auditd_data_disk_full_action_stig_syslog:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="disk full action" id="oval:ssg-test_auditd_data_disk_full_action_stig_single:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_auditd_data_disk_full_action_stig:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_auditd_data_disk_full_action_stig_single:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="disk full action" id="oval:ssg-test_auditd_data_disk_full_action_stig_halt:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_auditd_data_disk_full_action_stig:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_auditd_data_disk_full_action_stig_halt:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="email account for actions" id="oval:ssg-test_auditd_data_retention_action_mail_acct:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_auditd_data_retention_action_mail_acct:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_auditd_data_retention_action_mail_acct:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="space left action" id="oval:ssg-test_auditd_data_retention_admin_space_left_action:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_auditd_data_retention_admin_space_left_action:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_auditd_data_retention_admin_space_left_action:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="test the value of flush parameter in /etc/audit/auditd.conf" id="oval:ssg-test_auditd_data_retention_flush:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_auditd_data_retention_flush:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_auditd_data_retention_flush:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="max log file size" id="oval:ssg-test_auditd_data_retention_max_log_file:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_auditd_data_retention_max_log_file:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_auditd_data_retention_max_log_file:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="admin space left action " id="oval:ssg-test_auditd_data_retention_max_log_file_action:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_auditd_data_retention_max_log_file_action:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_auditd_data_retention_max_log_file_action:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="admin space left action " id="oval:ssg-test_auditd_data_retention_max_log_file_action_stig_syslog:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_auditd_data_retention_max_log_file_action_stig:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_auditd_data_retention_max_log_file_action_stig_syslog:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="admin space left action " id="oval:ssg-test_auditd_data_retention_max_log_file_action_stig_keep_logs:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_auditd_data_retention_max_log_file_action_stig:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_auditd_data_retention_max_log_file_action_stig_keep_logs:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="admin space left action " id="oval:ssg-test_auditd_data_retention_num_logs:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_auditd_data_retention_num_logs:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_auditd_data_retention_num_logs:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="admin space left action " id="oval:ssg-test_auditd_data_retention_space_left:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_auditd_data_retention_space_left:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_auditd_data_retention_space_left:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="space left action" id="oval:ssg-test_auditd_data_retention_space_left_action:tst:1" version="2">
-          <ind:object object_ref="oval:ssg-object_auditd_data_retention_space_left_action:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_auditd_data_retention_space_left_action:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of overflow_action setting in the /etc/audit/auditd.conf file" id="oval:ssg-test_auditd_overflow_action:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_auditd_overflow_action:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_auditd_overflow_action:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Compare 10-base-config.rules file in /etc/audit/rules.d against file in /usr/share/doc/audit/" id="oval:ssg-test_compare_10-base-config_old:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_etc_10-base-config_old:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_doc_10-base-config:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Compare 11-loginuid.rules file in /etc/audit/rules.d against file in /usr/share/doc/audit/" id="oval:ssg-test_compare_11-loginuid_old:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_etc_11-loginuid_old:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_doc_11-loginuid:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Compare 30-ospp-v42.rules file in /etc/audit/rules.d against file in /usr/share/doc/audit/" id="oval:ssg-test_compare_30-ospp-v42_old:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_etc_30-ospp-v42_old:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_doc_30-ospp-v42:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Compare 43-module-load.rules file in /etc/audit/rules.d against file in /usr/share/doc/audit/" id="oval:ssg-test_compare_43-module-load_old:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_etc_43-module-load_old:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_doc_43-module-load:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="superuser           is defined in /boot/grub2/grub.cfg. Superuser is not           equal to other system account nor root, admin, administrator" id="oval:ssg-test_bootloader_uefi_superuser_differ_from_other_users:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_bootloader_uefi_unique_superuser:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_bootloader_uefi_superuser_differ_from_other_users:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="make sure a password is defined in /boot/grub2/user.cfg" id="oval:ssg-test_grub2_uefi_password_usercfg:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_grub2_uefi_password_usercfg:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_zipl_bls_entries_only:tst:1" comment="Test presence of image configuration in /etc/zipl.conf" check="all" check_existence="none_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_zipl_bls_entries_only:obj:1"/>
-        </ind:textfilecontent54_test>
-        <unix:file_test check="all" check_existence="all_exist" id="oval:ssg-test_zipl_bootmap_is_up_to_date:tst:1" version="1" comment="Check /boot/bootmap timestamps">
-          <unix:object object_ref="oval:ssg-object_zipl_boot_bootmap_file:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_zipl_bootmap_is_newer_than_zipl_conf:ste:1"/>
-          <unix:state state_ref="oval:ssg-state_zipl_bootmap_is_newer_than_boot_entries:ste:1"/>
-        </unix:file_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_zipl_systemd_debug-shell_argument_in_boot_loader_entries_conf:tst:1" comment="Check if argument systemd.debug-shell is present in the line starting with 'options ' in /boot/loader/entries/.*.conf" check="at least one" check_existence="all_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_zipl_systemd_debug-shell_argument_in_boot_loader_entries_conf:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_zipl_systemd_debug-shell_argument_in_boot_loader_entries_conf:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_zipl_systemd_debug-shell_argument_in_etc_kernel_cmdline:tst:1" comment="Check if argument systemd.debug-shell is present in /etc/kernel/cmdline" check="all" check_existence="all_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_zipl_systemd_debug-shell_argument_in_etc_kernel_cmdline:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_zipl_systemd_debug-shell_argument_in_etc_kernel_cmdline:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Check if $ActionSendStreamDriverAuthMode x509/name is set in /etc/rsyslog.conf" id="oval:ssg-test_rsyslog_encrypt_offload_actionsendstreamdriverauthmode_action_send_stream_driver_auth_mode:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_rsyslog_encrypt_offload_actionsendstreamdriverauthmode_action_send_stream_driver_auth_mode:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Check if $ActionSendStreamDriverAuthMode x509/name is set in /etc/rsyslog.conf" id="oval:ssg-test_rsyslog_encrypt_offload_actionsendstreamdriverauthmode_action_send_stream_driver_auth_mode_dir:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_rsyslog_encrypt_offload_actionsendstreamdriverauthmode_action_send_stream_driver_auth_mode_dir:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Check if $ActionSendStreamDriverMode 1 is set in /etc/rsyslog.conf" id="oval:ssg-test_rsyslog_encrypt_offload_actionsendstreamdrivermode_action_send_stream_driver_mode_rsyslog:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_rsyslog_encrypt_offload_actionsendstreamdrivermode_action_send_stream_driver_mode_rsyslog:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Check if $ActionSendStreamDriverMode 1 is set in /etc/rsyslog.conf" id="oval:ssg-test_rsyslog_encrypt_offload_actionsendstreamdrivermode_action_send_stream_driver_mode_rsyslog_dir:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_rsyslog_encrypt_offload_actionsendstreamdrivermode_action_send_stream_driver_mode_rsyslog_dir:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Check if $DefaultNetstreamDriver gtls is set in /etc/rsyslog.conf" id="oval:ssg-test_rsyslog_encrypt_offload_defaultnetstreamdriver_default_netstream_rsyslog:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_rsyslog_encrypt_offload_defaultnetstreamdriver_default_netstream_rsyslog:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Check if $DefaultNetstreamDriver gtls is set in /etc/rsyslog.conf" id="oval:ssg-test_rsyslog_encrypt_offload_defaultnetstreamdriver_default_netstream_rsyslog_dir:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_rsyslog_encrypt_offload_defaultnetstreamdriver_default_netstream_rsyslog_dir:obj:1"/>
-        </ind:textfilecontent54_test>
-        <unix:file_test check="all" check_existence="all_exist" id="oval:ssg-test_rsyslog_files_groupownership:tst:1" version="1" comment="System log files are owned by the appropriate group">
-          <unix:object object_ref="oval:ssg-object_rsyslog_files_groupownership:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_rsyslog_files_groupownership:ste:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="all_exist" id="oval:ssg-test_rsyslog_files_ownership:tst:1" version="1" comment="System log files are owned by the appropriate user">
-          <unix:object object_ref="oval:ssg-object_rsyslog_files_ownership:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_rsyslog_files_ownership:ste:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="all_exist" id="oval:ssg-test_rsyslog_files_permissions:tst:1" version="1" comment="Permissions of system log files are correct">
-          <unix:object object_ref="oval:ssg-object_rsyslog_files_permissions:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_rsyslog_files_permissions:ste:1"/>
-        </unix:file_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the presence of daily setting in /etc/logrotate.conf file" id="oval:ssg-test_logrotate_conf_daily_setting:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_logrotate_conf_daily_setting:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="Test if there is no weekly/monthly/yearly keyword" id="oval:ssg-test_logrotate_conf_no_other_keyword:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_logrotate_conf_no_other_keyword:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the existence of /etc/cron.daily/logrotate file (and verify it actually calls logrotate utility)" id="oval:ssg-test_cron_daily_logrotate_existence:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_cron_daily_logrotate_existence:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Ensures system configured to export logs to remote host" id="oval:ssg-test_remote_rsyslog_conf:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_remote_loghost_rsyslog_conf:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Ensures system configured to export logs to remote host" id="oval:ssg-test_remote_rsyslog_d:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_remote_loghost_rsyslog_d:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_network_nmcli_permissions:tst:1" comment="polkit is properly configured to prevent non-privilged users from changing networking settings" check="all" check_existence="all_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_network_nmcli_permissions:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_network_nmcli_permissions:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_kernel_module_ipv6_option_disabled:tst:1" version="1" check="all" comment="ipv6 disabled any modprobe conf file">
-          <ind:object object_ref="oval:ssg-object_kernel_module_ipv6_option_disabled:obj:1"/>
-        </ind:textfilecontent54_test>
-        <unix:interface_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_wireless_disable_interfaces:tst:1" version="1" comment="check if UP flag is present on wifi interfaces">
-          <unix:object object_ref="oval:ssg-object_active_wifi_interfaces:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_wifi_up:ste:1"/>
-        </unix:interface_test>
-        <unix:file_test check="all" check_existence="all_exist" comment="all local world-writable directories have sticky bit set" id="oval:ssg-test_dir_perms_world_writable_sticky_bits:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_only_local_directories:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_world_writable_and_not_sticky:ste:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="all_exist" comment="system.map files readable only by root" id="oval:ssg-test_permissions_systemmap_files:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_file_permissions_systemmap_files:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_owner_systemmap:ste:1"/>
-          <unix:state state_ref="oval:ssg-state_file_permissions_systemmap:ste:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="world writable files" id="oval:ssg-test_file_permissions_unauthorized_world_write:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_file_permissions_unauthorized_world_write:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="binary directories uid root" id="oval:ssg-test_ownership_binary_directories:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_file_ownership_binary_directories:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="binary files uid root" id="oval:ssg-test_ownership_binary_files:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_file_ownership_binary_files:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="binary files go-w" id="oval:ssg-test_perms_binary_files:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_file_permissions_binary_files:obj:1"/>
-        </unix:file_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of GRUB_CMDLINE_LINUX setting in the /etc/default/grub file" id="oval:ssg-test_grub2_nousb_argument:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_grub2_nousb_argument:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_grub2_nousb_argument:ste:1"/>
-        </ind:textfilecontent54_test>
-        <linux:partition_test check="all" check_existence="all_exist" id="oval:ssg-test_nodev_nonroot_local_partitions:tst:1" version="1" comment="nodev on local filesystems">
-          <linux:object object_ref="oval:ssg-object_non_root_partitions:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_local_nodev:ste:1"/>
-        </linux:partition_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of ProcessSizeMax setting in the /etc/systemd/coredump.conf file" id="oval:ssg-test_coredump_disable_backtraces:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_coredump_disable_backtraces:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_coredump_disable_backtraces:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of Storage setting in the /etc/systemd/coredump.conf file" id="oval:ssg-test_coredump_disable_storage:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_coredump_disable_storage:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_coredump_disable_storage:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="Tests the value of the ^[\s]*\*[\s]+(hard|-)[\s]+core[\s]+([\d]+) setting in the /etc/security/limits.conf file" id="oval:ssg-test_core_dumps_limitsconf:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_core_dumps_limitsconf:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_core_dumps_limitsconf:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="Tests the value of the ^[\s]*\*[\s]+(hard|-)[\s]+core[\s]+([\d]+) setting in the /etc/security/limits.d directory" id="oval:ssg-test_core_dumps_limits_d:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_core_dumps_limits_d:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_core_dumps_limits_d:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="Tests for existance of the ^[\s]*\*[\s]+(hard|-)[\s]+core setting in the /etc/security/limits.d directory" id="oval:ssg-test_core_dumps_limits_d_exists:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_core_dumps_limits_d_exists:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="check value selinux|enforcing=0 in /etc/default/grub, fail if found" id="oval:ssg-test_selinux_default_grub:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_selinux_default_grub:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="check value selinux|enforcing=0 in /etc/grub2.cfg, fail if found" id="oval:ssg-test_selinux_grub2_cfg:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_selinux_grub2_cfg:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="check value selinux|enforcing=0 in /etc/grub.d fail if found" id="oval:ssg-test_selinux_grub_dir:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_selinux_grub_dir:obj:1"/>
-        </ind:textfilecontent54_test>
-        <linux:selinuxsecuritycontext_test check="none satisfy" check_existence="any_exist" comment="none satisfy unconfined_service_t in /proc" id="oval:ssg-test_selinux_confinement_of_daemons:tst:1" version="2">
-          <linux:object object_ref="oval:ssg-object_selinux_confinement_of_daemons:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_selinux_confinement_of_daemons:ste:1"/>
-        </linux:selinuxsecuritycontext_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests the value of the ^[\s]*SELINUXTYPE[\s]*=[\s]*([^#]*) expression in the /etc/selinux/config file" id="oval:ssg-test_selinux_policy:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_selinux_policy:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_selinux_policy:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="/selinux/enforce is 1" id="oval:ssg-test_etc_selinux_config:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_etc_selinux_config:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_etc_selinux_config:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_proc_cpuinfo_64_bit:tst:1" comment="Check for CPU flag lm" check="all" version="1">
-          <ind:object object_ref="oval:ssg-object_proc_cpuinfo_64_bit:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_proc_cpuinfo_64_bit:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="Check if kernel nvr arch is 64-bit" id="oval:ssg-test_proc_sys_kernel_osrelease_64_bit:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_proc_sys_kernel_osrelease_64_bit:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_proc_sys_kernel_osrelease_64_bit:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of Enable setting in the /etc/gdm/custom.conf file" id="oval:ssg-test_gnome_gdm_disable_xdmcp:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_gnome_gdm_disable_xdmcp:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_gnome_gdm_disable_xdmcp:ste:1"/>
-        </ind:textfilecontent54_test>
-        <unix:file_test id="oval:ssg-test_gnome_gdm_disable_xdmcp_config_file_exists:tst:1" check="all" check_existence="all_exist" comment="The configuration file /etc/gdm/custom.conf exists for gnome_gdm_disable_xdmcp" version="1">
-          <unix:object object_ref="oval:ssg-obj_gnome_gdm_disable_xdmcp_config_file:obj:1"/>
-        </unix:file_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests whether prelinking is disabled" id="oval:ssg-test_prelinking_disabled:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_prelinking_disabled:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_configure_bind_crypto_policy:tst:1" comment="Check that the configuration includes the policy config file." check="all" check_existence="all_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_configure_bind_crypto_policy:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" id="oval:ssg-test_crypto_policies_updated:tst:1" version="1" comment="Check if update-crypto-policies has been run">
-          <ind:object object_ref="oval:ssg-object_crypto_policies_config_file_modified_time:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_crypto_current_file_newer_than_config_file:ste:1"/>
-        </ind:variable_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_configure_crypto_policy:tst:1" comment="check for crypto policy correctly configured in /etc/crypto-policies/config" check="all" check_existence="only_one_exists" version="1">
-          <ind:object object_ref="oval:ssg-object_configure_crypto_policy:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_configure_crypto_policy:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_configure_crypto_policy_current:tst:1" comment="check for crypto policy correctly configured in /etc/crypto-policies/state/current" check="all" check_existence="only_one_exists" version="1">
-          <ind:object object_ref="oval:ssg-object_configure_crypto_policy_current:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_configure_crypto_policy_current:ste:1"/>
-        </ind:textfilecontent54_test>
-        <unix:file_test check="all" check_existence="all_exist" comment="Check if /etc/crypto-policies/back-ends/nss.config exists" id="oval:ssg-test_crypto_policy_nss_config:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_crypto_policy_nss_config:obj:1"/>
-        </unix:file_test>
-        <ind:variable_test id="oval:ssg-test_configure_kerberos_crypto_policy_symlink:tst:1" check="all" check_existence="all_exist" comment="Check if kerberos configuration symlink and crypto policy kerberos backend symlink point to same file" version="1">
-          <ind:object object_ref="oval:ssg-object_symlink_kerberos_crypto_policy_configuration:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_symlink_kerberos_crypto_policy_backend:ste:1"/>
-        </ind:variable_test>
-        <ind:variable_test id="oval:ssg-test_configure_kerberos_crypto_policy_nosymlink:tst:1" check="all" check_existence="all_exist" comment="Check if kerberos configuration symlink links to the crypto-policy backend file" version="1">
-          <ind:object object_ref="oval:ssg-object_symlink_kerberos_crypto_policy_configuration:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_location_of_kerberos_crypto_policy_backend:ste:1"/>
-        </ind:variable_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_configure_libreswan_crypto_policy:tst:1" comment="Check that the libreswan configuration includes the crypto policy config file" check="all" check_existence="all_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_configure_libreswan_crypto_policy:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_configure_openssl_crypto_policy:tst:1" comment="Check that the configuration mandates usage of system-wide crypto policies." check="all" check_existence="all_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_configure_openssl_crypto_policy:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_configure_ssh_crypto_policy:tst:1" comment="Check that the SSH configuration mandates usage of system-wide crypto policies." check="all" check_existence="none_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_configure_ssh_crypto_policy:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of Ciphersuites setting in the /etc/crypto-policies/back-ends/opensslcnf.config file" id="oval:ssg-test_harden_openssl_crypto_policy:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_harden_openssl_crypto_policy:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_harden_openssl_crypto_policy:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the absence of Match setting in the /etc/ssh/ssh_config.d/02-ospp.conf file" id="oval:ssg-test_harden_ssh_client_crypto_policy_Match:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_harden_ssh_client_crypto_policy_Match:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_harden_ssh_client_crypto_policy_Match:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the absence of RekeyLimit setting in the /etc/ssh/ssh_config.d/02-ospp.conf file" id="oval:ssg-test_harden_ssh_client_crypto_policy_RekeyLimit:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_harden_ssh_client_crypto_policy_RekeyLimit:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_harden_ssh_client_crypto_policy_RekeyLimit:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the absence of GSSAPIAuthentication setting in the /etc/ssh/ssh_config.d/02-ospp.conf file" id="oval:ssg-test_harden_ssh_client_crypto_policy_GSSAPIAuthentication:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_harden_ssh_client_crypto_policy_GSSAPIAuthentication:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_harden_ssh_client_crypto_policy_GSSAPIAuthentication:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the absence of Ciphers setting in the /etc/ssh/ssh_config.d/02-ospp.conf file" id="oval:ssg-test_harden_ssh_client_crypto_policy_Ciphers:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_harden_ssh_client_crypto_policy_Ciphers:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_harden_ssh_client_crypto_policy_Ciphers:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the absence of PubkeyAcceptedKeyTypes setting in the /etc/ssh/ssh_config.d/02-ospp.conf file" id="oval:ssg-test_harden_ssh_client_crypto_policy_PubkeyAcceptedKeyTypes:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_harden_ssh_client_crypto_policy_PubkeyAcceptedKeyTypes:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_harden_ssh_client_crypto_policy_PubkeyAcceptedKeyTypes:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the absence of MACs setting in the /etc/ssh/ssh_config.d/02-ospp.conf file" id="oval:ssg-test_harden_ssh_client_crypto_policy_MACs:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_harden_ssh_client_crypto_policy_MACs:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_harden_ssh_client_crypto_policy_MACs:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the absence of KexAlgorithms setting in the /etc/ssh/ssh_config.d/02-ospp.conf file" id="oval:ssg-test_harden_ssh_client_crypto_policy_KexAlgorithms:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_harden_ssh_client_crypto_policy_KexAlgorithms:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_harden_ssh_client_crypto_policy_KexAlgorithms:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of CRYPTO_POLICY setting in the /etc/crypto-policies/back-ends/opensshserver.config file" id="oval:ssg-test_harden_sshd_crypto_policy:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_harden_sshd_crypto_policy:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_harden_sshd_crypto_policy:ste:1"/>
-        </ind:textfilecontent54_test>
-        <linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg-test_linuxshield_install_antivirus:tst:1" version="1" comment="AntiVirus package is installed">
-          <linux:object object_ref="oval:ssg-obj_linuxshield_install_antivirus:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg-test_mcafee_runtime_installed:tst:1" version="1" comment="Runtime Libraries package is installed">
-          <linux:object object_ref="oval:ssg-obj_mcafee_runtime_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg-test_mcafee_management_agent:tst:1" version="1" comment="Agent package is installed">
-          <linux:object object_ref="oval:ssg-obj_mcafee_management_agent:obj:1"/>
-        </linux:rpminfo_test>
-        <unix:file_test check="all" check_existence="all_exist" comment="McAfee ACCM installed" id="oval:ssg-test_mcafee_accm_exists:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_mcafee_accm_exists:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="all_exist" comment="McAfee Policy Auditor installed" id="oval:ssg-test_mcafee_auditengine_exists:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_mcafee_auditengine_exists:obj:1"/>
-        </unix:file_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="add_dracutmodules contains fips" id="oval:ssg-test_enable_dracut_fips_module:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_enable_dracut_fips_module:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_enable_dracut_fips_module:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="at least one" comment="tests if var_system_crypto_policy is set to FIPS" id="oval:ssg-test_system_crypto_policy_value:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_system_crypto_policy_value:obj:1"/>
-          <ind:state state_ref="oval:ssg-ste_system_crypto_policy_value:ste:1"/>
-        </ind:variable_test>
-        <unix:file_test version="1" id="oval:ssg-test_etc_system_fips:tst:1" check="all" check_existence="all_exist" comment="/etc/system-fips exists">
-          <unix:object object_ref="oval:ssg-object_etc_system_fips:obj:1"/>
-        </unix:file_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_grub2_enable_fips_mode:tst:1" comment="check for fips=1 in /etc/default/grub via GRUB_CMDLINE_LINUX" check="all" check_existence="all_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_grub2_enable_fips_mode:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_grub2_enable_fips_mode:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_grub2_enable_fips_mode_default:tst:1" comment="check for fips=1 in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT" check="all" check_existence="all_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_grub2_enable_fips_mode_default:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_grub2_enable_fips_mode:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="query /proc/cpuinfo" id="oval:ssg-test_processor_aes_instruction:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_processor_aes_instruction:obj:1"/>
-        </ind:textfilecontent54_test>
-        <linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg-test_package_dracut-fips-aesni_installed:tst:1" version="1" comment="package dracut-fips-aesni is installed">
-          <linux:object object_ref="oval:ssg-obj_package_dracut-fips-aesni_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg-test_package_dracut-fips_installed:tst:1" version="1" comment="package dracut-fips is installed">
-          <linux:object object_ref="oval:ssg-obj_package_dracut-fips_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="kernel runtime parameter crypto.fips_enabled set to 1" id="oval:ssg-test_proc_sys_crypto_fips_enabled:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_proc_sys_crypto_fips_enabled:obj:1"/>
-        </ind:textfilecontent54_test>
-        <unix:file_test id="oval:ssg-test_aide_build_new_database_absolute_path:tst:1" check="all" check_existence="all_exist" comment="Testing existence of new aide database file" version="1">
-          <unix:object object_ref="oval:ssg-object_aide_build_new_database_absolute_path:obj:1"/>
-        </unix:file_test>
-        <unix:file_test id="oval:ssg-test_aide_operational_database_absolute_path:tst:1" check="all" check_existence="all_exist" comment="Testing existence of operational aide database file" version="1">
-          <unix:object object_ref="oval:ssg-object_aide_operational_database_absolute_path:obj:1"/>
-        </unix:file_test>
-        <linux:rpmverifyfile_test check_existence="none_exist" id="oval:ssg-test_verify_all_rpms_user_ownership:tst:1" version="1" check="all" comment="user ownership of all files matches local rpm database">
-          <linux:object object_ref="oval:ssg-object_files_fail_user_ownership:obj:1"/>
-        </linux:rpmverifyfile_test>
-        <linux:rpmverifyfile_test check_existence="none_exist" id="oval:ssg-test_verify_all_rpms_group_ownership:tst:1" version="1" check="all" comment="group ownership of all files matches local rpm database">
-          <linux:object object_ref="oval:ssg-object_files_fail_group_ownership:obj:1"/>
-        </linux:rpmverifyfile_test>
-        <linux:rpmverifyfile_test check_existence="none_exist" id="oval:ssg-test_verify_all_rpms_mode:tst:1" version="1" check="all" comment="mode of all files matches local rpm database">
-          <linux:object object_ref="oval:ssg-object_files_fail_mode:obj:1"/>
-        </linux:rpmverifyfile_test>
-        <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="!authenticate does not exist in /etc/sudoers" id="oval:ssg-test_no_authenticate_etc_sudoers:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_no_authenticate_etc_sudoers:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="!authenticate does not exist in /etc/sudoers.d" id="oval:ssg-test_no_authenticate_etc_sudoers_d:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_no_authenticate_etc_sudoers_d:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="NOPASSWD does not exist /etc/sudoers" id="oval:ssg-test_nopasswd_etc_sudoers:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_nopasswd_etc_sudoers:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="NOPASSWD does not exist in /etc/sudoers.d" id="oval:ssg-test_nopasswd_etc_sudoers_d:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_nopasswd_etc_sudoers_d:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="NOPASSWD only exists for vdsm user in /etc/sudoers" id="oval:ssg-test_vdsm_nopasswd_etc_sudoers:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_vdsm_nopasswd_etc_sudoers:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="NOPASSWD only exists for vdsm user in /etc/sudoers.d" id="oval:ssg-test_vdsm_nopasswd_etc_sudoers_d:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_vdsm_nopasswd_etc_sudoers_d:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="Make sure that no command in user spec is without any argument" id="oval:ssg-test_sudoers_explicit_command_args:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_sudoers_explicit_command_args:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="Make sure that no command in user spec contains negation" id="oval:ssg-test_sudoers_no_command_negation:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_sudoers_no_command_negation:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="Make sure that no user spec in sudoers has a runas spec that includes root or ALL" id="oval:ssg-test_no_root_or_ALL_in_runas_spec:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-root_or_ALL_in_runas_spec:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="make sure that all user specs in sudoers feature a runas spec" id="oval:ssg-test_no_user_spec_rules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_no_runas_spec:obj:1"/>
-        </ind:textfilecontent54_test>
-        <linux:rpminfo_test check="only one" check_existence="at_least_one_exists" id="oval:ssg-test_package_gpgkey-fd431d51-4ae0493b_installed:tst:1" version="1" comment="Red Hat release key package is installed">
-          <linux:object object_ref="oval:ssg-object_package_gpg-pubkey:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_package_gpg-pubkey-fd431d51-4ae0493b:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="only one" check_existence="at_least_one_exists" id="oval:ssg-test_package_gpgkey--_installed:tst:1" version="1" comment="Red Hat auxiliary key package is installed">
-          <linux:object object_ref="oval:ssg-object_package_gpg-pubkey:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_package_gpg-pubkey--:ste:1"/>
-        </linux:rpminfo_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests if contents of /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules is exactly what is defined in rule description" id="oval:ssg-audit_access_failed_test_whole_file_contents_tc_audit_rules_d_30_ospp_v42_3_access_failed_rules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-audit_access_failed_object_whole_file_contents_tc_audit_rules_d_30_ospp_v42_3_access_failed_rules:obj:1"/>
-          <ind:state state_ref="oval:ssg-audit_access_failed_state_whole_file_contents_tc_audit_rules_d_30_ospp_v42_3_access_failed_rules:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests if contents of /etc/audit/rules.d/30-ospp-v42-3-access-success.rules is exactly what is defined in rule description" id="oval:ssg-audit_access_success_test_whole_file_contents_tc_audit_rules_d_30_ospp_v42_3_access_success_rules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-audit_access_success_object_whole_file_contents_tc_audit_rules_d_30_ospp_v42_3_access_success_rules:obj:1"/>
-          <ind:state state_ref="oval:ssg-audit_access_success_state_whole_file_contents_tc_audit_rules_d_30_ospp_v42_3_access_success_rules:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests if contents of /etc/audit/rules.d/10-base-config.rules is exactly what is defined in rule description" id="oval:ssg-audit_basic_configuration_test_whole_file_contents_tc_audit_rules_d_10_base_config_rules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-audit_basic_configuration_object_whole_file_contents_tc_audit_rules_d_10_base_config_rules:obj:1"/>
-          <ind:state state_ref="oval:ssg-audit_basic_configuration_state_whole_file_contents_tc_audit_rules_d_10_base_config_rules:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests if contents of /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules is exactly what is defined in rule description" id="oval:ssg-audit_create_failed_test_whole_file_contents_tc_audit_rules_d_30_ospp_v42_1_create_failed_rules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-audit_create_failed_object_whole_file_contents_tc_audit_rules_d_30_ospp_v42_1_create_failed_rules:obj:1"/>
-          <ind:state state_ref="oval:ssg-audit_create_failed_state_whole_file_contents_tc_audit_rules_d_30_ospp_v42_1_create_failed_rules:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests if contents of /etc/audit/rules.d/30-ospp-v42-1-create-success.rules is exactly what is defined in rule description" id="oval:ssg-audit_create_success_test_whole_file_contents_tc_audit_rules_d_30_ospp_v42_1_create_success_rules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-audit_create_success_object_whole_file_contents_tc_audit_rules_d_30_ospp_v42_1_create_success_rules:obj:1"/>
-          <ind:state state_ref="oval:ssg-audit_create_success_state_whole_file_contents_tc_audit_rules_d_30_ospp_v42_1_create_success_rules:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests if contents of /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules is exactly what is defined in rule description" id="oval:ssg-audit_delete_failed_test_whole_file_contents_tc_audit_rules_d_30_ospp_v42_4_delete_failed_rules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-audit_delete_failed_object_whole_file_contents_tc_audit_rules_d_30_ospp_v42_4_delete_failed_rules:obj:1"/>
-          <ind:state state_ref="oval:ssg-audit_delete_failed_state_whole_file_contents_tc_audit_rules_d_30_ospp_v42_4_delete_failed_rules:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests if contents of /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules is exactly what is defined in rule description" id="oval:ssg-audit_delete_success_test_whole_file_contents_tc_audit_rules_d_30_ospp_v42_4_delete_success_rules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-audit_delete_success_object_whole_file_contents_tc_audit_rules_d_30_ospp_v42_4_delete_success_rules:obj:1"/>
-          <ind:state state_ref="oval:ssg-audit_delete_success_state_whole_file_contents_tc_audit_rules_d_30_ospp_v42_4_delete_success_rules:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests if contents of /etc/audit/rules.d/11-loginuid.rules is exactly what is defined in rule description" id="oval:ssg-audit_immutable_login_uids_test_whole_file_contents_tc_audit_rules_d_11_loginuid_rules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-audit_immutable_login_uids_object_whole_file_contents_tc_audit_rules_d_11_loginuid_rules:obj:1"/>
-          <ind:state state_ref="oval:ssg-audit_immutable_login_uids_state_whole_file_contents_tc_audit_rules_d_11_loginuid_rules:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests if contents of /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules is exactly what is defined in rule description" id="oval:ssg-audit_modify_failed_test_whole_file_contents_tc_audit_rules_d_30_ospp_v42_2_modify_failed_rules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-audit_modify_failed_object_whole_file_contents_tc_audit_rules_d_30_ospp_v42_2_modify_failed_rules:obj:1"/>
-          <ind:state state_ref="oval:ssg-audit_modify_failed_state_whole_file_contents_tc_audit_rules_d_30_ospp_v42_2_modify_failed_rules:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests if contents of /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules is exactly what is defined in rule description" id="oval:ssg-audit_modify_success_test_whole_file_contents_tc_audit_rules_d_30_ospp_v42_2_modify_success_rules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-audit_modify_success_object_whole_file_contents_tc_audit_rules_d_30_ospp_v42_2_modify_success_rules:obj:1"/>
-          <ind:state state_ref="oval:ssg-audit_modify_success_state_whole_file_contents_tc_audit_rules_d_30_ospp_v42_2_modify_success_rules:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests if contents of /etc/audit/rules.d/43-module-load.rules is exactly what is defined in rule description" id="oval:ssg-audit_module_load_test_whole_file_contents_tc_audit_rules_d_43_module_load_rules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-audit_module_load_object_whole_file_contents_tc_audit_rules_d_43_module_load_rules:obj:1"/>
-          <ind:state state_ref="oval:ssg-audit_module_load_state_whole_file_contents_tc_audit_rules_d_43_module_load_rules:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests if contents of /etc/audit/rules.d/30-ospp-v42.rules is exactly what is defined in rule description" id="oval:ssg-audit_ospp_general_test_whole_file_contents_tc_audit_rules_d_30_ospp_v42_rules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-audit_ospp_general_object_whole_file_contents_tc_audit_rules_d_30_ospp_v42_rules:obj:1"/>
-          <ind:state state_ref="oval:ssg-audit_ospp_general_state_whole_file_contents_tc_audit_rules_d_30_ospp_v42_rules:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests if contents of /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules is exactly what is defined in rule description" id="oval:ssg-audit_owner_change_failed_test_whole_file_contents_tc_audit_rules_d_30_ospp_v42_6_owner_change_failed_rules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-audit_owner_change_failed_object_whole_file_contents_tc_audit_rules_d_30_ospp_v42_6_owner_change_failed_rules:obj:1"/>
-          <ind:state state_ref="oval:ssg-audit_owner_change_failed_state_whole_file_contents_tc_audit_rules_d_30_ospp_v42_6_owner_change_failed_rules:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests if contents of /etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules is exactly what is defined in rule description" id="oval:ssg-audit_owner_change_success_test_whole_file_contents_tc_audit_rules_d_30_ospp_v42_6_owner_change_success_rules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-audit_owner_change_success_object_whole_file_contents_tc_audit_rules_d_30_ospp_v42_6_owner_change_success_rules:obj:1"/>
-          <ind:state state_ref="oval:ssg-audit_owner_change_success_state_whole_file_contents_tc_audit_rules_d_30_ospp_v42_6_owner_change_success_rules:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests if contents of /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules is exactly what is defined in rule description" id="oval:ssg-audit_perm_change_failed_test_whole_file_contents_tc_audit_rules_d_30_ospp_v42_5_perm_change_failed_rules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-audit_perm_change_failed_object_whole_file_contents_tc_audit_rules_d_30_ospp_v42_5_perm_change_failed_rules:obj:1"/>
-          <ind:state state_ref="oval:ssg-audit_perm_change_failed_state_whole_file_contents_tc_audit_rules_d_30_ospp_v42_5_perm_change_failed_rules:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Tests if contents of /etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules is exactly what is defined in rule description" id="oval:ssg-audit_perm_change_success_test_whole_file_contents_tc_audit_rules_d_30_ospp_v42_5_perm_change_success_rules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-audit_perm_change_success_object_whole_file_contents_tc_audit_rules_d_30_ospp_v42_5_perm_change_success_rules:obj:1"/>
-          <ind:state state_ref="oval:ssg-audit_perm_change_success_state_whole_file_contents_tc_audit_rules_d_30_ospp_v42_5_perm_change_success_rules:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit augenrules init" id="oval:ssg-test_audit_privileged_commands_init_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_privileged_commands_init_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit auditctl init" id="oval:ssg-test_audit_privileged_commands_init_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_privileged_commands_init_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit augenrules poweroff" id="oval:ssg-test_audit_privileged_commands_poweroff_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_privileged_commands_poweroff_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit auditctl poweroff" id="oval:ssg-test_audit_privileged_commands_poweroff_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_privileged_commands_poweroff_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit augenrules reboot" id="oval:ssg-test_audit_privileged_commands_reboot_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_privileged_commands_reboot_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit auditctl reboot" id="oval:ssg-test_audit_privileged_commands_reboot_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_privileged_commands_reboot_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit augenrules shutdown" id="oval:ssg-test_audit_privileged_commands_shutdown_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_privileged_commands_shutdown_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit auditctl shutdown" id="oval:ssg-test_audit_privileged_commands_shutdown_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_privileged_commands_shutdown_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit chmod" id="oval:ssg-test_32bit_ardm_chmod_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_ardm_chmod_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit chmod" id="oval:ssg-test_64bit_ardm_chmod_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_ardm_chmod_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit chmod" id="oval:ssg-test_32bit_ardm_chmod_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_ardm_chmod_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit chmod" id="oval:ssg-test_64bit_ardm_chmod_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_ardm_chmod_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit chown" id="oval:ssg-test_32bit_ardm_chown_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_ardm_chown_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit chown" id="oval:ssg-test_64bit_ardm_chown_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_ardm_chown_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit chown" id="oval:ssg-test_32bit_ardm_chown_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_ardm_chown_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit chown" id="oval:ssg-test_64bit_ardm_chown_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_ardm_chown_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit fchmod" id="oval:ssg-test_32bit_ardm_fchmod_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_ardm_fchmod_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit fchmod" id="oval:ssg-test_64bit_ardm_fchmod_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_ardm_fchmod_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit fchmod" id="oval:ssg-test_32bit_ardm_fchmod_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_ardm_fchmod_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit fchmod" id="oval:ssg-test_64bit_ardm_fchmod_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_ardm_fchmod_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit fchmodat" id="oval:ssg-test_32bit_ardm_fchmodat_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_ardm_fchmodat_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit fchmodat" id="oval:ssg-test_64bit_ardm_fchmodat_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_ardm_fchmodat_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit fchmodat" id="oval:ssg-test_32bit_ardm_fchmodat_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_ardm_fchmodat_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit fchmodat" id="oval:ssg-test_64bit_ardm_fchmodat_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_ardm_fchmodat_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit fchown" id="oval:ssg-test_32bit_ardm_fchown_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_ardm_fchown_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit fchown" id="oval:ssg-test_64bit_ardm_fchown_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_ardm_fchown_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit fchown" id="oval:ssg-test_32bit_ardm_fchown_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_ardm_fchown_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit fchown" id="oval:ssg-test_64bit_ardm_fchown_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_ardm_fchown_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit fchownat" id="oval:ssg-test_32bit_ardm_fchownat_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_ardm_fchownat_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit fchownat" id="oval:ssg-test_64bit_ardm_fchownat_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_ardm_fchownat_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit fchownat" id="oval:ssg-test_32bit_ardm_fchownat_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_ardm_fchownat_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit fchownat" id="oval:ssg-test_64bit_ardm_fchownat_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_ardm_fchownat_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit fremovexattr" id="oval:ssg-test_32bit_ardm_fremovexattr_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_ardm_fremovexattr_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit fremovexattr" id="oval:ssg-test_64bit_ardm_fremovexattr_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_ardm_fremovexattr_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit fremovexattr" id="oval:ssg-test_32bit_ardm_fremovexattr_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_ardm_fremovexattr_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit fremovexattr" id="oval:ssg-test_64bit_ardm_fremovexattr_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_ardm_fremovexattr_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit fsetxattr" id="oval:ssg-test_32bit_ardm_fsetxattr_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_ardm_fsetxattr_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit fsetxattr" id="oval:ssg-test_64bit_ardm_fsetxattr_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_ardm_fsetxattr_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit fsetxattr" id="oval:ssg-test_32bit_ardm_fsetxattr_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_ardm_fsetxattr_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit fsetxattr" id="oval:ssg-test_64bit_ardm_fsetxattr_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_ardm_fsetxattr_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit lchown" id="oval:ssg-test_32bit_ardm_lchown_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_ardm_lchown_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit lchown" id="oval:ssg-test_64bit_ardm_lchown_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_ardm_lchown_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit lchown" id="oval:ssg-test_32bit_ardm_lchown_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_ardm_lchown_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit lchown" id="oval:ssg-test_64bit_ardm_lchown_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_ardm_lchown_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit lremovexattr" id="oval:ssg-test_32bit_ardm_lremovexattr_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_ardm_lremovexattr_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit lremovexattr" id="oval:ssg-test_64bit_ardm_lremovexattr_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_ardm_lremovexattr_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit lremovexattr" id="oval:ssg-test_32bit_ardm_lremovexattr_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_ardm_lremovexattr_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit lremovexattr" id="oval:ssg-test_64bit_ardm_lremovexattr_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_ardm_lremovexattr_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit lsetxattr" id="oval:ssg-test_32bit_ardm_lsetxattr_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_ardm_lsetxattr_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit lsetxattr" id="oval:ssg-test_64bit_ardm_lsetxattr_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_ardm_lsetxattr_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit lsetxattr" id="oval:ssg-test_32bit_ardm_lsetxattr_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_ardm_lsetxattr_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit lsetxattr" id="oval:ssg-test_64bit_ardm_lsetxattr_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_ardm_lsetxattr_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit removexattr" id="oval:ssg-test_32bit_ardm_removexattr_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_ardm_removexattr_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit removexattr" id="oval:ssg-test_64bit_ardm_removexattr_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_ardm_removexattr_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit removexattr" id="oval:ssg-test_32bit_ardm_removexattr_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_ardm_removexattr_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit removexattr" id="oval:ssg-test_64bit_ardm_removexattr_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_ardm_removexattr_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit setxattr" id="oval:ssg-test_32bit_ardm_setxattr_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_ardm_setxattr_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit setxattr" id="oval:ssg-test_64bit_ardm_setxattr_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_ardm_setxattr_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit setxattr" id="oval:ssg-test_32bit_ardm_setxattr_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_ardm_setxattr_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit setxattr" id="oval:ssg-test_64bit_ardm_setxattr_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_ardm_setxattr_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit umount2" id="oval:ssg-test_32bit_ardm_umount2_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_ardm_umount2_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit umount2" id="oval:ssg-test_64bit_ardm_umount2_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_ardm_umount2_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit umount2" id="oval:ssg-test_32bit_ardm_umount2_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_ardm_umount2_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit umount2" id="oval:ssg-test_64bit_ardm_umount2_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_ardm_umount2_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_audit_rules_tc_group_open_32bit_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_tc_group_open_32bit_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_audit_rules_tc_group_open_64bit_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_tc_group_open_64bit_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_audit_rules_tc_group_open_32bit_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_tc_group_open_32bit_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_audit_rules_tc_group_open_64bit_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_tc_group_open_64bit_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_audit_rules_tc_group_open_by_handle_at_32bit_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_tc_group_open_by_handle_at_32bit_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_audit_rules_tc_group_open_by_handle_at_64bit_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_tc_group_open_by_handle_at_64bit_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_audit_rules_tc_group_open_by_handle_at_32bit_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_tc_group_open_by_handle_at_32bit_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_audit_rules_tc_group_open_by_handle_at_64bit_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_tc_group_open_by_handle_at_64bit_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_audit_rules_tc_group_openat_32bit_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_tc_group_openat_32bit_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_audit_rules_tc_group_openat_64bit_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_tc_group_openat_64bit_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_audit_rules_tc_group_openat_32bit_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_tc_group_openat_32bit_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_audit_rules_tc_group_openat_64bit_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_tc_group_openat_64bit_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_audit_rules_tc_gshadow_open_32bit_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_tc_gshadow_open_32bit_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_audit_rules_tc_gshadow_open_64bit_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_tc_gshadow_open_64bit_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_audit_rules_tc_gshadow_open_32bit_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_tc_gshadow_open_32bit_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_audit_rules_tc_gshadow_open_64bit_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_tc_gshadow_open_64bit_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_audit_rules_tc_gshadow_open_by_handle_at_32bit_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_tc_gshadow_open_by_handle_at_32bit_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_audit_rules_tc_gshadow_open_by_handle_at_64bit_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_tc_gshadow_open_by_handle_at_64bit_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_audit_rules_tc_gshadow_open_by_handle_at_32bit_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_tc_gshadow_open_by_handle_at_32bit_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_audit_rules_tc_gshadow_open_by_handle_at_64bit_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_tc_gshadow_open_by_handle_at_64bit_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_audit_rules_tc_gshadow_openat_32bit_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_tc_gshadow_openat_32bit_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_audit_rules_tc_gshadow_openat_64bit_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_tc_gshadow_openat_64bit_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_audit_rules_tc_gshadow_openat_32bit_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_tc_gshadow_openat_32bit_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_audit_rules_tc_gshadow_openat_64bit_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_tc_gshadow_openat_64bit_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_audit_rules_tc_passwd_open_32bit_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_tc_passwd_open_32bit_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_audit_rules_tc_passwd_open_64bit_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_tc_passwd_open_64bit_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_audit_rules_tc_passwd_open_32bit_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_tc_passwd_open_32bit_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_audit_rules_tc_passwd_open_64bit_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_tc_passwd_open_64bit_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_audit_rules_tc_passwd_open_by_handle_at_32bit_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_tc_passwd_open_by_handle_at_32bit_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_audit_rules_tc_passwd_open_by_handle_at_64bit_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_tc_passwd_open_by_handle_at_64bit_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_audit_rules_tc_passwd_open_by_handle_at_32bit_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_tc_passwd_open_by_handle_at_32bit_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_audit_rules_tc_passwd_open_by_handle_at_64bit_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_tc_passwd_open_by_handle_at_64bit_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_audit_rules_tc_passwd_openat_32bit_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_tc_passwd_openat_32bit_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_audit_rules_tc_passwd_openat_64bit_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_tc_passwd_openat_64bit_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_audit_rules_tc_passwd_openat_32bit_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_tc_passwd_openat_32bit_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_audit_rules_tc_passwd_openat_64bit_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_tc_passwd_openat_64bit_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_audit_rules_tc_shadow_open_32bit_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_tc_shadow_open_32bit_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_audit_rules_tc_shadow_open_64bit_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_tc_shadow_open_64bit_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_audit_rules_tc_shadow_open_32bit_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_tc_shadow_open_32bit_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_audit_rules_tc_shadow_open_64bit_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_tc_shadow_open_64bit_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_audit_rules_tc_shadow_open_by_handle_at_32bit_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_tc_shadow_open_by_handle_at_32bit_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_audit_rules_tc_shadow_open_by_handle_at_64bit_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_tc_shadow_open_by_handle_at_64bit_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_audit_rules_tc_shadow_open_by_handle_at_32bit_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_tc_shadow_open_by_handle_at_32bit_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_audit_rules_tc_shadow_open_by_handle_at_64bit_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_tc_shadow_open_by_handle_at_64bit_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_audit_rules_tc_shadow_openat_32bit_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_tc_shadow_openat_32bit_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_audit_rules_tc_shadow_openat_64bit_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_tc_shadow_openat_64bit_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_audit_rules_tc_shadow_openat_32bit_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_tc_shadow_openat_32bit_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_audit_rules_tc_shadow_openat_64bit_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_tc_shadow_openat_64bit_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit augenrules chcon" id="oval:ssg-test_audit_rules_execution_chcon_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_execution_chcon_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit auditctl chcon" id="oval:ssg-test_audit_rules_execution_chcon_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_execution_chcon_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit augenrules restorecon" id="oval:ssg-test_audit_rules_execution_restorecon_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_execution_restorecon_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit auditctl restorecon" id="oval:ssg-test_audit_rules_execution_restorecon_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_execution_restorecon_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit augenrules semanage" id="oval:ssg-test_audit_rules_execution_semanage_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_execution_semanage_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit auditctl semanage" id="oval:ssg-test_audit_rules_execution_semanage_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_execution_semanage_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit augenrules setfiles" id="oval:ssg-test_audit_rules_execution_setfiles_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_execution_setfiles_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit auditctl setfiles" id="oval:ssg-test_audit_rules_execution_setfiles_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_execution_setfiles_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit augenrules setsebool" id="oval:ssg-test_audit_rules_execution_setsebool_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_execution_setsebool_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit auditctl setsebool" id="oval:ssg-test_audit_rules_execution_setsebool_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_execution_setsebool_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit augenrules seunshare" id="oval:ssg-test_audit_rules_execution_seunshare_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_execution_seunshare_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit auditctl seunshare" id="oval:ssg-test_audit_rules_execution_seunshare_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_execution_seunshare_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit rename" id="oval:ssg-test_32bit_ardm_rename_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_ardm_rename_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit rename" id="oval:ssg-test_64bit_ardm_rename_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_ardm_rename_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit rename" id="oval:ssg-test_32bit_ardm_rename_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_ardm_rename_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit rename" id="oval:ssg-test_64bit_ardm_rename_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_ardm_rename_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit renameat" id="oval:ssg-test_32bit_ardm_renameat_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_ardm_renameat_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit renameat" id="oval:ssg-test_64bit_ardm_renameat_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_ardm_renameat_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit renameat" id="oval:ssg-test_32bit_ardm_renameat_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_ardm_renameat_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit renameat" id="oval:ssg-test_64bit_ardm_renameat_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_ardm_renameat_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit rmdir" id="oval:ssg-test_32bit_ardm_rmdir_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_ardm_rmdir_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit rmdir" id="oval:ssg-test_64bit_ardm_rmdir_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_ardm_rmdir_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit rmdir" id="oval:ssg-test_32bit_ardm_rmdir_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_ardm_rmdir_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit rmdir" id="oval:ssg-test_64bit_ardm_rmdir_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_ardm_rmdir_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit unlink" id="oval:ssg-test_32bit_ardm_unlink_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_ardm_unlink_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit unlink" id="oval:ssg-test_64bit_ardm_unlink_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_ardm_unlink_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit unlink" id="oval:ssg-test_32bit_ardm_unlink_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_ardm_unlink_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit unlink" id="oval:ssg-test_64bit_ardm_unlink_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_ardm_unlink_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit unlinkat" id="oval:ssg-test_32bit_ardm_unlinkat_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_ardm_unlinkat_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit unlinkat" id="oval:ssg-test_64bit_ardm_unlinkat_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_ardm_unlinkat_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit unlinkat" id="oval:ssg-test_32bit_ardm_unlinkat_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_ardm_unlinkat_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit unlinkat" id="oval:ssg-test_64bit_ardm_unlinkat_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_ardm_unlinkat_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules faillock" id="oval:ssg-test_arle_faillock_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arle_faillock_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl faillock" id="oval:ssg-test_arle_faillock_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arle_faillock_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules lastlog" id="oval:ssg-test_arle_lastlog_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arle_lastlog_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl lastlog" id="oval:ssg-test_arle_lastlog_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arle_lastlog_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules tallylog" id="oval:ssg-test_arle_tallylog_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arle_tallylog_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl tallylog" id="oval:ssg-test_arle_tallylog_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arle_tallylog_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit mount" id="oval:ssg-test_32bit_ardm_mount_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_ardm_mount_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit mount" id="oval:ssg-test_64bit_ardm_mount_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_ardm_mount_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit mount" id="oval:ssg-test_32bit_ardm_mount_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_ardm_mount_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit mount" id="oval:ssg-test_64bit_ardm_mount_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_ardm_mount_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit augenrules at" id="oval:ssg-test_audit_rules_privileged_commands_at_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_privileged_commands_at_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit auditctl at" id="oval:ssg-test_audit_rules_privileged_commands_at_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_privileged_commands_at_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit augenrules chage" id="oval:ssg-test_audit_rules_privileged_commands_chage_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_privileged_commands_chage_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit auditctl chage" id="oval:ssg-test_audit_rules_privileged_commands_chage_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_privileged_commands_chage_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit augenrules chsh" id="oval:ssg-test_audit_rules_privileged_commands_chsh_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_privileged_commands_chsh_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit auditctl chsh" id="oval:ssg-test_audit_rules_privileged_commands_chsh_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_privileged_commands_chsh_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit augenrules crontab" id="oval:ssg-test_audit_rules_privileged_commands_crontab_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_privileged_commands_crontab_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit auditctl crontab" id="oval:ssg-test_audit_rules_privileged_commands_crontab_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_privileged_commands_crontab_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit augenrules gpasswd" id="oval:ssg-test_audit_rules_privileged_commands_gpasswd_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_privileged_commands_gpasswd_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit auditctl gpasswd" id="oval:ssg-test_audit_rules_privileged_commands_gpasswd_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_privileged_commands_gpasswd_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit augenrules mount" id="oval:ssg-test_audit_rules_privileged_commands_mount_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_privileged_commands_mount_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit auditctl mount" id="oval:ssg-test_audit_rules_privileged_commands_mount_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_privileged_commands_mount_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit augenrules newgidmap" id="oval:ssg-test_audit_rules_privileged_commands_newgidmap_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_privileged_commands_newgidmap_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit auditctl newgidmap" id="oval:ssg-test_audit_rules_privileged_commands_newgidmap_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_privileged_commands_newgidmap_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit augenrules newgrp" id="oval:ssg-test_audit_rules_privileged_commands_newgrp_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_privileged_commands_newgrp_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit auditctl newgrp" id="oval:ssg-test_audit_rules_privileged_commands_newgrp_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_privileged_commands_newgrp_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit augenrules newuidmap" id="oval:ssg-test_audit_rules_privileged_commands_newuidmap_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_privileged_commands_newuidmap_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit auditctl newuidmap" id="oval:ssg-test_audit_rules_privileged_commands_newuidmap_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_privileged_commands_newuidmap_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit augenrules pam_timestamp_check" id="oval:ssg-test_audit_rules_privileged_commands_pam_timestamp_check_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_privileged_commands_pam_timestamp_check_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit auditctl pam_timestamp_check" id="oval:ssg-test_audit_rules_privileged_commands_pam_timestamp_check_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_privileged_commands_pam_timestamp_check_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit augenrules passwd" id="oval:ssg-test_audit_rules_privileged_commands_passwd_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_privileged_commands_passwd_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit auditctl passwd" id="oval:ssg-test_audit_rules_privileged_commands_passwd_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_privileged_commands_passwd_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit augenrules postdrop" id="oval:ssg-test_audit_rules_privileged_commands_postdrop_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_privileged_commands_postdrop_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit auditctl postdrop" id="oval:ssg-test_audit_rules_privileged_commands_postdrop_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_privileged_commands_postdrop_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit augenrules postqueue" id="oval:ssg-test_audit_rules_privileged_commands_postqueue_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_privileged_commands_postqueue_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit auditctl postqueue" id="oval:ssg-test_audit_rules_privileged_commands_postqueue_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_privileged_commands_postqueue_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit augenrules pt_chown" id="oval:ssg-test_audit_rules_privileged_commands_pt_chown_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_privileged_commands_pt_chown_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit auditctl pt_chown" id="oval:ssg-test_audit_rules_privileged_commands_pt_chown_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_privileged_commands_pt_chown_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit augenrules ssh_keysign" id="oval:ssg-test_audit_rules_privileged_commands_ssh_keysign_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_privileged_commands_ssh_keysign_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit auditctl ssh_keysign" id="oval:ssg-test_audit_rules_privileged_commands_ssh_keysign_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_privileged_commands_ssh_keysign_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit augenrules su" id="oval:ssg-test_audit_rules_privileged_commands_su_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_privileged_commands_su_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit auditctl su" id="oval:ssg-test_audit_rules_privileged_commands_su_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_privileged_commands_su_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit augenrules sudo" id="oval:ssg-test_audit_rules_privileged_commands_sudo_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_privileged_commands_sudo_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit auditctl sudo" id="oval:ssg-test_audit_rules_privileged_commands_sudo_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_privileged_commands_sudo_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit augenrules sudoedit" id="oval:ssg-test_audit_rules_privileged_commands_sudoedit_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_privileged_commands_sudoedit_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit auditctl sudoedit" id="oval:ssg-test_audit_rules_privileged_commands_sudoedit_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_privileged_commands_sudoedit_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit augenrules umount" id="oval:ssg-test_audit_rules_privileged_commands_umount_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_privileged_commands_umount_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit auditctl umount" id="oval:ssg-test_audit_rules_privileged_commands_umount_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_privileged_commands_umount_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit augenrules unix_chkpwd" id="oval:ssg-test_audit_rules_privileged_commands_unix_chkpwd_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_privileged_commands_unix_chkpwd_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit auditctl unix_chkpwd" id="oval:ssg-test_audit_rules_privileged_commands_unix_chkpwd_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_privileged_commands_unix_chkpwd_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit augenrules userhelper" id="oval:ssg-test_audit_rules_privileged_commands_userhelper_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_privileged_commands_userhelper_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit auditctl userhelper" id="oval:ssg-test_audit_rules_privileged_commands_userhelper_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_privileged_commands_userhelper_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit augenrules usernetctl" id="oval:ssg-test_audit_rules_privileged_commands_usernetctl_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_privileged_commands_usernetctl_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="audit auditctl usernetctl" id="oval:ssg-test_audit_rules_privileged_commands_usernetctl_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_privileged_commands_usernetctl_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit file eacces" id="oval:ssg-test_32bit_arufm_eacces_chmod_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eacces_chmod_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit file eperm" id="oval:ssg-test_32bit_arufm_eperm_chmod_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eperm_chmod_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit file eacces" id="oval:ssg-test_64bit_arufm_eacces_chmod_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eacces_chmod_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit file eperm" id="oval:ssg-test_64bit_arufm_eperm_chmod_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eperm_chmod_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit file eacces" id="oval:ssg-test_32bit_arufm_eacces_chmod_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eacces_chmod_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit file eperm" id="oval:ssg-test_32bit_arufm_eperm_chmod_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eperm_chmod_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit file eacces" id="oval:ssg-test_64bit_arufm_eacces_chmod_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eacces_chmod_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit file eperm" id="oval:ssg-test_64bit_arufm_eperm_chmod_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eperm_chmod_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit file eacces" id="oval:ssg-test_32bit_arufm_eacces_chown_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eacces_chown_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit file eperm" id="oval:ssg-test_32bit_arufm_eperm_chown_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eperm_chown_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit file eacces" id="oval:ssg-test_64bit_arufm_eacces_chown_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eacces_chown_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit file eperm" id="oval:ssg-test_64bit_arufm_eperm_chown_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eperm_chown_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit file eacces" id="oval:ssg-test_32bit_arufm_eacces_chown_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eacces_chown_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit file eperm" id="oval:ssg-test_32bit_arufm_eperm_chown_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eperm_chown_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit file eacces" id="oval:ssg-test_64bit_arufm_eacces_chown_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eacces_chown_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit file eperm" id="oval:ssg-test_64bit_arufm_eperm_chown_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eperm_chown_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit file eacces" id="oval:ssg-test_32bit_arufm_eacces_creat_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eacces_creat_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit file eperm" id="oval:ssg-test_32bit_arufm_eperm_creat_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eperm_creat_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit file eacces" id="oval:ssg-test_64bit_arufm_eacces_creat_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eacces_creat_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit file eperm" id="oval:ssg-test_64bit_arufm_eperm_creat_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eperm_creat_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit file eacces" id="oval:ssg-test_32bit_arufm_eacces_creat_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eacces_creat_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit file eperm" id="oval:ssg-test_32bit_arufm_eperm_creat_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eperm_creat_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit file eacces" id="oval:ssg-test_64bit_arufm_eacces_creat_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eacces_creat_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit file eperm" id="oval:ssg-test_64bit_arufm_eperm_creat_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eperm_creat_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit file eacces" id="oval:ssg-test_32bit_arufm_eacces_fchmod_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eacces_fchmod_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit file eperm" id="oval:ssg-test_32bit_arufm_eperm_fchmod_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eperm_fchmod_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit file eacces" id="oval:ssg-test_64bit_arufm_eacces_fchmod_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eacces_fchmod_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit file eperm" id="oval:ssg-test_64bit_arufm_eperm_fchmod_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eperm_fchmod_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit file eacces" id="oval:ssg-test_32bit_arufm_eacces_fchmod_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eacces_fchmod_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit file eperm" id="oval:ssg-test_32bit_arufm_eperm_fchmod_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eperm_fchmod_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit file eacces" id="oval:ssg-test_64bit_arufm_eacces_fchmod_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eacces_fchmod_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit file eperm" id="oval:ssg-test_64bit_arufm_eperm_fchmod_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eperm_fchmod_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit file eacces" id="oval:ssg-test_32bit_arufm_eacces_fchmodat_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eacces_fchmodat_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit file eperm" id="oval:ssg-test_32bit_arufm_eperm_fchmodat_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eperm_fchmodat_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit file eacces" id="oval:ssg-test_64bit_arufm_eacces_fchmodat_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eacces_fchmodat_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit file eperm" id="oval:ssg-test_64bit_arufm_eperm_fchmodat_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eperm_fchmodat_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit file eacces" id="oval:ssg-test_32bit_arufm_eacces_fchmodat_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eacces_fchmodat_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit file eperm" id="oval:ssg-test_32bit_arufm_eperm_fchmodat_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eperm_fchmodat_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit file eacces" id="oval:ssg-test_64bit_arufm_eacces_fchmodat_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eacces_fchmodat_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit file eperm" id="oval:ssg-test_64bit_arufm_eperm_fchmodat_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eperm_fchmodat_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit file eacces" id="oval:ssg-test_32bit_arufm_eacces_fchown_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eacces_fchown_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit file eperm" id="oval:ssg-test_32bit_arufm_eperm_fchown_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eperm_fchown_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit file eacces" id="oval:ssg-test_64bit_arufm_eacces_fchown_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eacces_fchown_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit file eperm" id="oval:ssg-test_64bit_arufm_eperm_fchown_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eperm_fchown_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit file eacces" id="oval:ssg-test_32bit_arufm_eacces_fchown_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eacces_fchown_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit file eperm" id="oval:ssg-test_32bit_arufm_eperm_fchown_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eperm_fchown_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit file eacces" id="oval:ssg-test_64bit_arufm_eacces_fchown_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eacces_fchown_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit file eperm" id="oval:ssg-test_64bit_arufm_eperm_fchown_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eperm_fchown_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit file eacces" id="oval:ssg-test_32bit_arufm_eacces_fchownat_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eacces_fchownat_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit file eperm" id="oval:ssg-test_32bit_arufm_eperm_fchownat_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eperm_fchownat_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit file eacces" id="oval:ssg-test_64bit_arufm_eacces_fchownat_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eacces_fchownat_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit file eperm" id="oval:ssg-test_64bit_arufm_eperm_fchownat_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eperm_fchownat_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit file eacces" id="oval:ssg-test_32bit_arufm_eacces_fchownat_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eacces_fchownat_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit file eperm" id="oval:ssg-test_32bit_arufm_eperm_fchownat_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eperm_fchownat_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit file eacces" id="oval:ssg-test_64bit_arufm_eacces_fchownat_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eacces_fchownat_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit file eperm" id="oval:ssg-test_64bit_arufm_eperm_fchownat_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eperm_fchownat_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit file eacces" id="oval:ssg-test_32bit_arufm_eacces_fremovexattr_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eacces_fremovexattr_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit file eperm" id="oval:ssg-test_32bit_arufm_eperm_fremovexattr_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eperm_fremovexattr_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit file eacces" id="oval:ssg-test_64bit_arufm_eacces_fremovexattr_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eacces_fremovexattr_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit file eperm" id="oval:ssg-test_64bit_arufm_eperm_fremovexattr_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eperm_fremovexattr_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit file eacces" id="oval:ssg-test_32bit_arufm_eacces_fremovexattr_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eacces_fremovexattr_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit file eperm" id="oval:ssg-test_32bit_arufm_eperm_fremovexattr_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eperm_fremovexattr_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit file eacces" id="oval:ssg-test_64bit_arufm_eacces_fremovexattr_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eacces_fremovexattr_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit file eperm" id="oval:ssg-test_64bit_arufm_eperm_fremovexattr_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eperm_fremovexattr_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit file eacces" id="oval:ssg-test_32bit_arufm_eacces_fsetxattr_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eacces_fsetxattr_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit file eperm" id="oval:ssg-test_32bit_arufm_eperm_fsetxattr_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eperm_fsetxattr_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit file eacces" id="oval:ssg-test_64bit_arufm_eacces_fsetxattr_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eacces_fsetxattr_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit file eperm" id="oval:ssg-test_64bit_arufm_eperm_fsetxattr_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eperm_fsetxattr_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit file eacces" id="oval:ssg-test_32bit_arufm_eacces_fsetxattr_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eacces_fsetxattr_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit file eperm" id="oval:ssg-test_32bit_arufm_eperm_fsetxattr_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eperm_fsetxattr_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit file eacces" id="oval:ssg-test_64bit_arufm_eacces_fsetxattr_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eacces_fsetxattr_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit file eperm" id="oval:ssg-test_64bit_arufm_eperm_fsetxattr_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eperm_fsetxattr_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit file eacces" id="oval:ssg-test_32bit_arufm_eacces_ftruncate_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eacces_ftruncate_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit file eperm" id="oval:ssg-test_32bit_arufm_eperm_ftruncate_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eperm_ftruncate_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit file eacces" id="oval:ssg-test_64bit_arufm_eacces_ftruncate_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eacces_ftruncate_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit file eperm" id="oval:ssg-test_64bit_arufm_eperm_ftruncate_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eperm_ftruncate_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit file eacces" id="oval:ssg-test_32bit_arufm_eacces_ftruncate_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eacces_ftruncate_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit file eperm" id="oval:ssg-test_32bit_arufm_eperm_ftruncate_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eperm_ftruncate_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit file eacces" id="oval:ssg-test_64bit_arufm_eacces_ftruncate_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eacces_ftruncate_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit file eperm" id="oval:ssg-test_64bit_arufm_eperm_ftruncate_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eperm_ftruncate_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit file eacces" id="oval:ssg-test_32bit_arufm_eacces_lchown_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eacces_lchown_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit file eperm" id="oval:ssg-test_32bit_arufm_eperm_lchown_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eperm_lchown_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit file eacces" id="oval:ssg-test_64bit_arufm_eacces_lchown_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eacces_lchown_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit file eperm" id="oval:ssg-test_64bit_arufm_eperm_lchown_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eperm_lchown_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit file eacces" id="oval:ssg-test_32bit_arufm_eacces_lchown_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eacces_lchown_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit file eperm" id="oval:ssg-test_32bit_arufm_eperm_lchown_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eperm_lchown_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit file eacces" id="oval:ssg-test_64bit_arufm_eacces_lchown_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eacces_lchown_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit file eperm" id="oval:ssg-test_64bit_arufm_eperm_lchown_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eperm_lchown_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit file eacces" id="oval:ssg-test_32bit_arufm_eacces_lremovexattr_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eacces_lremovexattr_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit file eperm" id="oval:ssg-test_32bit_arufm_eperm_lremovexattr_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eperm_lremovexattr_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit file eacces" id="oval:ssg-test_64bit_arufm_eacces_lremovexattr_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eacces_lremovexattr_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit file eperm" id="oval:ssg-test_64bit_arufm_eperm_lremovexattr_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eperm_lremovexattr_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit file eacces" id="oval:ssg-test_32bit_arufm_eacces_lremovexattr_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eacces_lremovexattr_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit file eperm" id="oval:ssg-test_32bit_arufm_eperm_lremovexattr_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eperm_lremovexattr_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit file eacces" id="oval:ssg-test_64bit_arufm_eacces_lremovexattr_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eacces_lremovexattr_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit file eperm" id="oval:ssg-test_64bit_arufm_eperm_lremovexattr_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eperm_lremovexattr_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit file eacces" id="oval:ssg-test_32bit_arufm_eacces_lsetxattr_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eacces_lsetxattr_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit file eperm" id="oval:ssg-test_32bit_arufm_eperm_lsetxattr_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eperm_lsetxattr_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit file eacces" id="oval:ssg-test_64bit_arufm_eacces_lsetxattr_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eacces_lsetxattr_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit file eperm" id="oval:ssg-test_64bit_arufm_eperm_lsetxattr_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eperm_lsetxattr_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit file eacces" id="oval:ssg-test_32bit_arufm_eacces_lsetxattr_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eacces_lsetxattr_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit file eperm" id="oval:ssg-test_32bit_arufm_eperm_lsetxattr_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eperm_lsetxattr_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit file eacces" id="oval:ssg-test_64bit_arufm_eacces_lsetxattr_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eacces_lsetxattr_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit file eperm" id="oval:ssg-test_64bit_arufm_eperm_lsetxattr_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eperm_lsetxattr_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit file eacces" id="oval:ssg-test_32bit_arufm_eacces_open_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eacces_open_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit file eperm" id="oval:ssg-test_32bit_arufm_eperm_open_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eperm_open_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit file eacces" id="oval:ssg-test_64bit_arufm_eacces_open_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eacces_open_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit file eperm" id="oval:ssg-test_64bit_arufm_eperm_open_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eperm_open_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit file eacces" id="oval:ssg-test_32bit_arufm_eacces_open_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eacces_open_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit file eperm" id="oval:ssg-test_32bit_arufm_eperm_open_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eperm_open_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit file eacces" id="oval:ssg-test_64bit_arufm_eacces_open_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eacces_open_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit file eperm" id="oval:ssg-test_64bit_arufm_eperm_open_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eperm_open_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit file eacces" id="oval:ssg-test_32bit_arufm_eacces_open_by_handle_at_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eacces_open_by_handle_at_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit file eperm" id="oval:ssg-test_32bit_arufm_eperm_open_by_handle_at_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eperm_open_by_handle_at_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit file eacces" id="oval:ssg-test_64bit_arufm_eacces_open_by_handle_at_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eacces_open_by_handle_at_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit file eperm" id="oval:ssg-test_64bit_arufm_eperm_open_by_handle_at_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eperm_open_by_handle_at_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit file eacces" id="oval:ssg-test_32bit_arufm_eacces_open_by_handle_at_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eacces_open_by_handle_at_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit file eperm" id="oval:ssg-test_32bit_arufm_eperm_open_by_handle_at_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eperm_open_by_handle_at_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit file eacces" id="oval:ssg-test_64bit_arufm_eacces_open_by_handle_at_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eacces_open_by_handle_at_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit file eperm" id="oval:ssg-test_64bit_arufm_eperm_open_by_handle_at_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eperm_open_by_handle_at_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_arufm_open_by_handle_at_o_creat_32bit_a20100_eacces_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arufm_open_by_handle_at_o_creat_32bit_a20100_eacces_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_arufm_open_by_handle_at_o_creat_32bit_a20100_eperm_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arufm_open_by_handle_at_o_creat_32bit_a20100_eperm_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_arufm_open_by_handle_at_o_creat_64bit_a20100_eacces_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arufm_open_by_handle_at_o_creat_64bit_a20100_eacces_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_arufm_open_by_handle_at_o_creat_64bit_a20100_eperm_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arufm_open_by_handle_at_o_creat_64bit_a20100_eperm_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_arufm_open_by_handle_at_o_creat_32bit_a20100_eacces_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arufm_open_by_handle_at_o_creat_32bit_a20100_eacces_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_arufm_open_by_handle_at_o_creat_32bit_a20100_eperm_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arufm_open_by_handle_at_o_creat_32bit_a20100_eperm_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_arufm_open_by_handle_at_o_creat_64bit_a20100_eacces_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arufm_open_by_handle_at_o_creat_64bit_a20100_eacces_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_arufm_open_by_handle_at_o_creat_64bit_a20100_eperm_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arufm_open_by_handle_at_o_creat_64bit_a20100_eperm_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_arufm_open_by_handle_at_o_trunc_32bit_a201003_eacces_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arufm_open_by_handle_at_o_trunc_32bit_a201003_eacces_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_arufm_open_by_handle_at_o_trunc_32bit_a201003_eperm_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arufm_open_by_handle_at_o_trunc_32bit_a201003_eperm_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_arufm_open_by_handle_at_o_trunc_64bit_a201003_eacces_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arufm_open_by_handle_at_o_trunc_64bit_a201003_eacces_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_arufm_open_by_handle_at_o_trunc_64bit_a201003_eperm_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arufm_open_by_handle_at_o_trunc_64bit_a201003_eperm_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_arufm_open_by_handle_at_o_trunc_32bit_a201003_eacces_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arufm_open_by_handle_at_o_trunc_32bit_a201003_eacces_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_arufm_open_by_handle_at_o_trunc_32bit_a201003_eperm_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arufm_open_by_handle_at_o_trunc_32bit_a201003_eperm_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_arufm_open_by_handle_at_o_trunc_64bit_a201003_eacces_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arufm_open_by_handle_at_o_trunc_64bit_a201003_eacces_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_arufm_open_by_handle_at_o_trunc_64bit_a201003_eperm_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arufm_open_by_handle_at_o_trunc_64bit_a201003_eperm_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_arufm_open_by_handle_at_order_32bit_eacces_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arufm_open_by_handle_at_order_32bit_eacces_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_arufm_open_by_handle_at_order_32bit_eperm_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arufm_open_by_handle_at_order_32bit_eperm_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_arufm_open_by_handle_at_order_64bit_eacces_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arufm_open_by_handle_at_order_64bit_eacces_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_arufm_open_by_handle_at_order_64bit_eperm_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arufm_open_by_handle_at_order_64bit_eperm_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_arufm_open_by_handle_at_order_32bit_eacces_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arufm_open_by_handle_at_order_32bit_eacces_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="Test order of audit 32bit auditctl eperm rules order" id="oval:ssg-test_arufm_open_by_handle_at_order_32bit_eperm_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arufm_open_by_handle_at_order_32bit_eperm_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_arufm_open_by_handle_at_order_64bit_eacces_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arufm_open_by_handle_at_order_64bit_eacces_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_arufm_open_by_handle_at_order_64bit_eperm_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arufm_open_by_handle_at_order_64bit_eperm_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_arufm_open_o_creat_32bit_a20100_eacces_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arufm_open_o_creat_32bit_a20100_eacces_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_arufm_open_o_creat_32bit_a20100_eperm_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arufm_open_o_creat_32bit_a20100_eperm_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_arufm_open_o_creat_64bit_a20100_eacces_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arufm_open_o_creat_64bit_a20100_eacces_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_arufm_open_o_creat_64bit_a20100_eperm_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arufm_open_o_creat_64bit_a20100_eperm_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_arufm_open_o_creat_32bit_a20100_eacces_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arufm_open_o_creat_32bit_a20100_eacces_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_arufm_open_o_creat_32bit_a20100_eperm_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arufm_open_o_creat_32bit_a20100_eperm_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_arufm_open_o_creat_64bit_a20100_eacces_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arufm_open_o_creat_64bit_a20100_eacces_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_arufm_open_o_creat_64bit_a20100_eperm_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arufm_open_o_creat_64bit_a20100_eperm_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_arufm_open_o_trunc_32bit_a201003_eacces_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arufm_open_o_trunc_32bit_a201003_eacces_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_arufm_open_o_trunc_32bit_a201003_eperm_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arufm_open_o_trunc_32bit_a201003_eperm_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_arufm_open_o_trunc_64bit_a201003_eacces_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arufm_open_o_trunc_64bit_a201003_eacces_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_arufm_open_o_trunc_64bit_a201003_eperm_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arufm_open_o_trunc_64bit_a201003_eperm_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_arufm_open_o_trunc_32bit_a201003_eacces_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arufm_open_o_trunc_32bit_a201003_eacces_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_arufm_open_o_trunc_32bit_a201003_eperm_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arufm_open_o_trunc_32bit_a201003_eperm_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_arufm_open_o_trunc_64bit_a201003_eacces_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arufm_open_o_trunc_64bit_a201003_eacces_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_arufm_open_o_trunc_64bit_a201003_eperm_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arufm_open_o_trunc_64bit_a201003_eperm_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_arufm_open_order_32bit_eacces_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arufm_open_order_32bit_eacces_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_arufm_open_order_32bit_eperm_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arufm_open_order_32bit_eperm_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_arufm_open_order_64bit_eacces_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arufm_open_order_64bit_eacces_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_arufm_open_order_64bit_eperm_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arufm_open_order_64bit_eperm_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_arufm_open_order_32bit_eacces_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arufm_open_order_32bit_eacces_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="Test order of audit 32bit auditctl eperm rules order" id="oval:ssg-test_arufm_open_order_32bit_eperm_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arufm_open_order_32bit_eperm_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_arufm_open_order_64bit_eacces_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arufm_open_order_64bit_eacces_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_arufm_open_order_64bit_eperm_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arufm_open_order_64bit_eperm_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit file eacces" id="oval:ssg-test_32bit_arufm_eacces_openat_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eacces_openat_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit file eperm" id="oval:ssg-test_32bit_arufm_eperm_openat_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eperm_openat_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit file eacces" id="oval:ssg-test_64bit_arufm_eacces_openat_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eacces_openat_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit file eperm" id="oval:ssg-test_64bit_arufm_eperm_openat_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eperm_openat_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit file eacces" id="oval:ssg-test_32bit_arufm_eacces_openat_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eacces_openat_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit file eperm" id="oval:ssg-test_32bit_arufm_eperm_openat_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eperm_openat_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit file eacces" id="oval:ssg-test_64bit_arufm_eacces_openat_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eacces_openat_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit file eperm" id="oval:ssg-test_64bit_arufm_eperm_openat_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eperm_openat_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_arufm_openat_o_creat_32bit_a20100_eacces_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arufm_openat_o_creat_32bit_a20100_eacces_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_arufm_openat_o_creat_32bit_a20100_eperm_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arufm_openat_o_creat_32bit_a20100_eperm_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_arufm_openat_o_creat_64bit_a20100_eacces_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arufm_openat_o_creat_64bit_a20100_eacces_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_arufm_openat_o_creat_64bit_a20100_eperm_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arufm_openat_o_creat_64bit_a20100_eperm_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_arufm_openat_o_creat_32bit_a20100_eacces_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arufm_openat_o_creat_32bit_a20100_eacces_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_arufm_openat_o_creat_32bit_a20100_eperm_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arufm_openat_o_creat_32bit_a20100_eperm_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_arufm_openat_o_creat_64bit_a20100_eacces_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arufm_openat_o_creat_64bit_a20100_eacces_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_arufm_openat_o_creat_64bit_a20100_eperm_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arufm_openat_o_creat_64bit_a20100_eperm_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_arufm_openat_o_trunc_32bit_a201003_eacces_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arufm_openat_o_trunc_32bit_a201003_eacces_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_arufm_openat_o_trunc_32bit_a201003_eperm_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arufm_openat_o_trunc_32bit_a201003_eperm_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_arufm_openat_o_trunc_64bit_a201003_eacces_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arufm_openat_o_trunc_64bit_a201003_eacces_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_arufm_openat_o_trunc_64bit_a201003_eperm_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arufm_openat_o_trunc_64bit_a201003_eperm_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_arufm_openat_o_trunc_32bit_a201003_eacces_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arufm_openat_o_trunc_32bit_a201003_eacces_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_arufm_openat_o_trunc_32bit_a201003_eperm_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arufm_openat_o_trunc_32bit_a201003_eperm_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_arufm_openat_o_trunc_64bit_a201003_eacces_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arufm_openat_o_trunc_64bit_a201003_eacces_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_arufm_openat_o_trunc_64bit_a201003_eperm_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arufm_openat_o_trunc_64bit_a201003_eperm_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_arufm_openat_order_32bit_eacces_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arufm_openat_order_32bit_eacces_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_arufm_openat_order_32bit_eperm_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arufm_openat_order_32bit_eperm_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_arufm_openat_order_64bit_eacces_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arufm_openat_order_64bit_eacces_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_arufm_openat_order_64bit_eperm_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arufm_openat_order_64bit_eperm_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_arufm_openat_order_32bit_eacces_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arufm_openat_order_32bit_eacces_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="Test order of audit 32bit auditctl eperm rules order" id="oval:ssg-test_arufm_openat_order_32bit_eperm_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arufm_openat_order_32bit_eperm_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_arufm_openat_order_64bit_eacces_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arufm_openat_order_64bit_eacces_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="only_one_exists" comment="defined audit rule must exist" id="oval:ssg-test_arufm_openat_order_64bit_eperm_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_arufm_openat_order_64bit_eperm_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit file eacces" id="oval:ssg-test_32bit_arufm_eacces_removexattr_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eacces_removexattr_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit file eperm" id="oval:ssg-test_32bit_arufm_eperm_removexattr_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eperm_removexattr_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit file eacces" id="oval:ssg-test_64bit_arufm_eacces_removexattr_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eacces_removexattr_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit file eperm" id="oval:ssg-test_64bit_arufm_eperm_removexattr_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eperm_removexattr_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit file eacces" id="oval:ssg-test_32bit_arufm_eacces_removexattr_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eacces_removexattr_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit file eperm" id="oval:ssg-test_32bit_arufm_eperm_removexattr_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eperm_removexattr_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit file eacces" id="oval:ssg-test_64bit_arufm_eacces_removexattr_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eacces_removexattr_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit file eperm" id="oval:ssg-test_64bit_arufm_eperm_removexattr_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eperm_removexattr_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit file eacces" id="oval:ssg-test_32bit_arufm_eacces_rename_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eacces_rename_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit file eperm" id="oval:ssg-test_32bit_arufm_eperm_rename_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eperm_rename_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit file eacces" id="oval:ssg-test_64bit_arufm_eacces_rename_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eacces_rename_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit file eperm" id="oval:ssg-test_64bit_arufm_eperm_rename_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eperm_rename_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit file eacces" id="oval:ssg-test_32bit_arufm_eacces_rename_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eacces_rename_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit file eperm" id="oval:ssg-test_32bit_arufm_eperm_rename_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eperm_rename_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit file eacces" id="oval:ssg-test_64bit_arufm_eacces_rename_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eacces_rename_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit file eperm" id="oval:ssg-test_64bit_arufm_eperm_rename_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eperm_rename_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit file eacces" id="oval:ssg-test_32bit_arufm_eacces_renameat_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eacces_renameat_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit file eperm" id="oval:ssg-test_32bit_arufm_eperm_renameat_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eperm_renameat_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit file eacces" id="oval:ssg-test_64bit_arufm_eacces_renameat_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eacces_renameat_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit file eperm" id="oval:ssg-test_64bit_arufm_eperm_renameat_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eperm_renameat_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit file eacces" id="oval:ssg-test_32bit_arufm_eacces_renameat_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eacces_renameat_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit file eperm" id="oval:ssg-test_32bit_arufm_eperm_renameat_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eperm_renameat_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit file eacces" id="oval:ssg-test_64bit_arufm_eacces_renameat_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eacces_renameat_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit file eperm" id="oval:ssg-test_64bit_arufm_eperm_renameat_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eperm_renameat_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit file eacces" id="oval:ssg-test_32bit_arufm_eacces_setxattr_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eacces_setxattr_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit file eperm" id="oval:ssg-test_32bit_arufm_eperm_setxattr_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eperm_setxattr_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit file eacces" id="oval:ssg-test_64bit_arufm_eacces_setxattr_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eacces_setxattr_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit file eperm" id="oval:ssg-test_64bit_arufm_eperm_setxattr_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eperm_setxattr_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit file eacces" id="oval:ssg-test_32bit_arufm_eacces_setxattr_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eacces_setxattr_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit file eperm" id="oval:ssg-test_32bit_arufm_eperm_setxattr_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eperm_setxattr_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit file eacces" id="oval:ssg-test_64bit_arufm_eacces_setxattr_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eacces_setxattr_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit file eperm" id="oval:ssg-test_64bit_arufm_eperm_setxattr_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eperm_setxattr_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit file eacces" id="oval:ssg-test_32bit_arufm_eacces_truncate_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eacces_truncate_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit file eperm" id="oval:ssg-test_32bit_arufm_eperm_truncate_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eperm_truncate_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit file eacces" id="oval:ssg-test_64bit_arufm_eacces_truncate_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eacces_truncate_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit file eperm" id="oval:ssg-test_64bit_arufm_eperm_truncate_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eperm_truncate_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit file eacces" id="oval:ssg-test_32bit_arufm_eacces_truncate_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eacces_truncate_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit file eperm" id="oval:ssg-test_32bit_arufm_eperm_truncate_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eperm_truncate_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit file eacces" id="oval:ssg-test_64bit_arufm_eacces_truncate_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eacces_truncate_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit file eperm" id="oval:ssg-test_64bit_arufm_eperm_truncate_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eperm_truncate_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit file eacces" id="oval:ssg-test_32bit_arufm_eacces_unlink_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eacces_unlink_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit file eperm" id="oval:ssg-test_32bit_arufm_eperm_unlink_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eperm_unlink_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit file eacces" id="oval:ssg-test_64bit_arufm_eacces_unlink_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eacces_unlink_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit file eperm" id="oval:ssg-test_64bit_arufm_eperm_unlink_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eperm_unlink_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit file eacces" id="oval:ssg-test_32bit_arufm_eacces_unlink_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eacces_unlink_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit file eperm" id="oval:ssg-test_32bit_arufm_eperm_unlink_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eperm_unlink_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit file eacces" id="oval:ssg-test_64bit_arufm_eacces_unlink_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eacces_unlink_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit file eperm" id="oval:ssg-test_64bit_arufm_eperm_unlink_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eperm_unlink_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit file eacces" id="oval:ssg-test_32bit_arufm_eacces_unlinkat_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eacces_unlinkat_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit file eperm" id="oval:ssg-test_32bit_arufm_eperm_unlinkat_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eperm_unlinkat_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit file eacces" id="oval:ssg-test_64bit_arufm_eacces_unlinkat_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eacces_unlinkat_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit file eperm" id="oval:ssg-test_64bit_arufm_eperm_unlinkat_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eperm_unlinkat_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit file eacces" id="oval:ssg-test_32bit_arufm_eacces_unlinkat_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eacces_unlinkat_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit file eperm" id="oval:ssg-test_32bit_arufm_eperm_unlinkat_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_arufm_eperm_unlinkat_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit file eacces" id="oval:ssg-test_64bit_arufm_eacces_unlinkat_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eacces_unlinkat_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit file eperm" id="oval:ssg-test_64bit_arufm_eperm_unlinkat_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_arufm_eperm_unlinkat_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules group" id="oval:ssg-test_audit_rules_usergroup_modification_group_augen:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_usergroup_modification_group_augen:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit group" id="oval:ssg-test_audit_rules_usergroup_modification_group_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_usergroup_modification_group_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules gshadow" id="oval:ssg-test_audit_rules_usergroup_modification_gshadow_augen:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_usergroup_modification_gshadow_augen:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit gshadow" id="oval:ssg-test_audit_rules_usergroup_modification_gshadow_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_usergroup_modification_gshadow_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules opasswd" id="oval:ssg-test_audit_rules_usergroup_modification_opasswd_augen:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_usergroup_modification_opasswd_augen:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit opasswd" id="oval:ssg-test_audit_rules_usergroup_modification_opasswd_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_usergroup_modification_opasswd_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules passwd" id="oval:ssg-test_audit_rules_usergroup_modification_passwd_augen:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_usergroup_modification_passwd_augen:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit passwd" id="oval:ssg-test_audit_rules_usergroup_modification_passwd_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_usergroup_modification_passwd_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules shadow" id="oval:ssg-test_audit_rules_usergroup_modification_shadow_augen:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_usergroup_modification_shadow_augen:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit shadow" id="oval:ssg-test_audit_rules_usergroup_modification_shadow_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_usergroup_modification_shadow_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of freq setting in the /etc/audit/auditd.conf file" id="oval:ssg-test_auditd_freq:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_auditd_freq:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_auditd_freq:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of local_events setting in the /etc/audit/auditd.conf file" id="oval:ssg-test_auditd_local_events:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_auditd_local_events:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_auditd_local_events:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of log_format setting in the /etc/audit/auditd.conf file" id="oval:ssg-test_auditd_log_format:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_auditd_log_format:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_auditd_log_format:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of name_format setting in the /etc/audit/auditd.conf file" id="oval:ssg-test_auditd_name_format:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_auditd_name_format:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_auditd_name_format:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of write_logs setting in the /etc/audit/auditd.conf file" id="oval:ssg-test_auditd_write_logs:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_auditd_write_logs:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_auditd_write_logs:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="tests the absence of write_logs setting in the /etc/audit/auditd.conf file" id="oval:ssg-test_auditd_write_logs_default_not_overriden:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_auditd_write_logs_default_not_overriden:obj:1"/>
-        </ind:textfilecontent54_test>
-        <unix:file_test check="all" check_existence="none_exist" id="oval:ssg-test_coreos_audit_backlog_limit_kernel_argument_file_boot_loader_entries_ostree_2_conf_absent:tst:1" comment="Check if /boot/loader/entries/ostree-2-.*.conf does not exist" version="1">
-          <unix:object object_ref="oval:ssg-object_coreos_audit_backlog_limit_kernel_argument_file_boot_loader_entries_ostree_2_conf_absent:obj:1"/>
-        </unix:file_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_coreos_audit_backlog_limit_kernel_argument_audit_backlog_limit_8192_argument_in_boot_loader_entries_ostree_1_conf:tst:1" comment="Check if argument audit_backlog_limit=8192 is present in the line starting with 'options ' in /boot/loader/entries/ostree-1-.*.conf" check="all" check_existence="all_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_coreos_audit_backlog_limit_kernel_argument_audit_backlog_limit_8192_argument_in_boot_loader_entries_ostree_1_conf:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_coreos_audit_backlog_limit_kernel_argument_audit_backlog_limit_8192_argument_in_boot_loader_entries_ostree_1_conf:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_coreos_audit_backlog_limit_kernel_argument_audit_backlog_limit_8192_argument_in_boot_loader_entries_ostree_2_conf:tst:1" comment="Check if argument audit_backlog_limit=8192 is present in the line starting with 'options ' in /boot/loader/entries/ostree-2-.*.conf" check="all" check_existence="all_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_coreos_audit_backlog_limit_kernel_argument_audit_backlog_limit_8192_argument_in_boot_loader_entries_ostree_2_conf:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_coreos_audit_backlog_limit_kernel_argument_audit_backlog_limit_8192_argument_in_boot_loader_entries_ostree_2_conf:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_coreos_audit_backlog_limit_kernel_argument_audit_backlog_limit_8192_argument_in_proc_cmdline:tst:1" comment="Check if argument audit_backlog_limit=8192 is present in the line starting with 'BOOT_IMAGE' in /proc/cmdline" check="all" check_existence="all_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_coreos_audit_backlog_limit_kernel_argument_audit_backlog_limit_8192_argument_in_proc_cmdline:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_coreos_audit_backlog_limit_kernel_argument_audit_backlog_limit_8192_argument_in_proc_cmdline:ste:1"/>
-        </ind:textfilecontent54_test>
-        <unix:file_test check="all" check_existence="none_exist" id="oval:ssg-test_coreos_audit_option_file_boot_loader_entries_ostree_2_conf_absent:tst:1" comment="Check if /boot/loader/entries/ostree-2-.*.conf does not exist" version="1">
-          <unix:object object_ref="oval:ssg-object_coreos_audit_option_file_boot_loader_entries_ostree_2_conf_absent:obj:1"/>
-        </unix:file_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_coreos_audit_option_audit_1_argument_in_boot_loader_entries_ostree_1_conf:tst:1" comment="Check if argument audit=1 is present in the line starting with 'options ' in /boot/loader/entries/ostree-1-.*.conf" check="all" check_existence="all_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_coreos_audit_option_audit_1_argument_in_boot_loader_entries_ostree_1_conf:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_coreos_audit_option_audit_1_argument_in_boot_loader_entries_ostree_1_conf:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_coreos_audit_option_audit_1_argument_in_boot_loader_entries_ostree_2_conf:tst:1" comment="Check if argument audit=1 is present in the line starting with 'options ' in /boot/loader/entries/ostree-2-.*.conf" check="all" check_existence="all_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_coreos_audit_option_audit_1_argument_in_boot_loader_entries_ostree_2_conf:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_coreos_audit_option_audit_1_argument_in_boot_loader_entries_ostree_2_conf:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_coreos_audit_option_audit_1_argument_in_proc_cmdline:tst:1" comment="Check if argument audit=1 is present in the line starting with 'BOOT_IMAGE' in /proc/cmdline" check="all" check_existence="all_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_coreos_audit_option_audit_1_argument_in_proc_cmdline:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_coreos_audit_option_audit_1_argument_in_proc_cmdline:ste:1"/>
-        </ind:textfilecontent54_test>
-        <unix:file_test check="all" check_existence="none_exist" id="oval:ssg-test_coreos_disable_interactive_boot_file_boot_loader_entries_ostree_2_conf_absent:tst:1" comment="Check if /boot/loader/entries/ostree-2-.*.conf does not exist" version="1">
-          <unix:object object_ref="oval:ssg-object_coreos_disable_interactive_boot_file_boot_loader_entries_ostree_2_conf_absent:obj:1"/>
-        </unix:file_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_coreos_disable_interactive_boot_systemd_confirm_spawn_1_yes_true_on_argument_in_boot_loader_entries_ostree_1_conf:tst:1" comment="Check if argument systemd.confirm_spawn=(?:1|yes|true|on) is present in the line starting with 'options ' in /boot/loader/entries/ostree-1-.*.conf" check="all" check_existence="all_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_coreos_disable_interactive_boot_systemd_confirm_spawn_1_yes_true_on_argument_in_boot_loader_entries_ostree_1_conf:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_coreos_disable_interactive_boot_systemd_confirm_spawn_1_yes_true_on_argument_in_boot_loader_entries_ostree_1_conf:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_coreos_disable_interactive_boot_systemd_confirm_spawn_1_yes_true_on_argument_in_boot_loader_entries_ostree_2_conf:tst:1" comment="Check if argument systemd.confirm_spawn=(?:1|yes|true|on) is present in the line starting with 'options ' in /boot/loader/entries/ostree-2-.*.conf" check="all" check_existence="all_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_coreos_disable_interactive_boot_systemd_confirm_spawn_1_yes_true_on_argument_in_boot_loader_entries_ostree_2_conf:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_coreos_disable_interactive_boot_systemd_confirm_spawn_1_yes_true_on_argument_in_boot_loader_entries_ostree_2_conf:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_coreos_disable_interactive_boot_systemd_confirm_spawn_1_yes_true_on_argument_in_proc_cmdline:tst:1" comment="Check if argument systemd.confirm_spawn=(?:1|yes|true|on) is present in the line starting with 'BOOT_IMAGE' in /proc/cmdline" check="all" check_existence="all_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_coreos_disable_interactive_boot_systemd_confirm_spawn_1_yes_true_on_argument_in_proc_cmdline:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_coreos_disable_interactive_boot_systemd_confirm_spawn_1_yes_true_on_argument_in_proc_cmdline:ste:1"/>
-        </ind:textfilecontent54_test>
-        <unix:file_test check="all" check_existence="none_exist" id="oval:ssg-test_coreos_enable_selinux_kernel_argument_file_boot_loader_entries_ostree_2_conf_absent:tst:1" comment="Check if /boot/loader/entries/ostree-2-.*.conf does not exist" version="1">
-          <unix:object object_ref="oval:ssg-object_coreos_enable_selinux_kernel_argument_file_boot_loader_entries_ostree_2_conf_absent:obj:1"/>
-        </unix:file_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_coreos_enable_selinux_kernel_argument_selinux_0_argument_in_boot_loader_entries_ostree_1_conf:tst:1" comment="Check if argument selinux=0 is present in the line starting with 'options ' in /boot/loader/entries/ostree-1-.*.conf" check="all" check_existence="all_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_coreos_enable_selinux_kernel_argument_selinux_0_argument_in_boot_loader_entries_ostree_1_conf:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_coreos_enable_selinux_kernel_argument_selinux_0_argument_in_boot_loader_entries_ostree_1_conf:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_coreos_enable_selinux_kernel_argument_selinux_0_argument_in_boot_loader_entries_ostree_2_conf:tst:1" comment="Check if argument selinux=0 is present in the line starting with 'options ' in /boot/loader/entries/ostree-2-.*.conf" check="all" check_existence="all_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_coreos_enable_selinux_kernel_argument_selinux_0_argument_in_boot_loader_entries_ostree_2_conf:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_coreos_enable_selinux_kernel_argument_selinux_0_argument_in_boot_loader_entries_ostree_2_conf:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_coreos_enable_selinux_kernel_argument_selinux_0_argument_in_proc_cmdline:tst:1" comment="Check if argument selinux=0 is present in the line starting with 'BOOT_IMAGE' in /proc/cmdline" check="all" check_existence="all_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_coreos_enable_selinux_kernel_argument_selinux_0_argument_in_proc_cmdline:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_coreos_enable_selinux_kernel_argument_selinux_0_argument_in_proc_cmdline:ste:1"/>
-        </ind:textfilecontent54_test>
-        <unix:file_test check="all" check_existence="none_exist" id="oval:ssg-test_coreos_nousb_kernel_argument_file_boot_loader_entries_ostree_2_conf_absent:tst:1" comment="Check if /boot/loader/entries/ostree-2-.*.conf does not exist" version="1">
-          <unix:object object_ref="oval:ssg-object_coreos_nousb_kernel_argument_file_boot_loader_entries_ostree_2_conf_absent:obj:1"/>
-        </unix:file_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_coreos_nousb_kernel_argument_nousb_argument_in_boot_loader_entries_ostree_1_conf:tst:1" comment="Check if argument nousb is present in the line starting with 'options ' in /boot/loader/entries/ostree-1-.*.conf" check="all" check_existence="all_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_coreos_nousb_kernel_argument_nousb_argument_in_boot_loader_entries_ostree_1_conf:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_coreos_nousb_kernel_argument_nousb_argument_in_boot_loader_entries_ostree_1_conf:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_coreos_nousb_kernel_argument_nousb_argument_in_boot_loader_entries_ostree_2_conf:tst:1" comment="Check if argument nousb is present in the line starting with 'options ' in /boot/loader/entries/ostree-2-.*.conf" check="all" check_existence="all_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_coreos_nousb_kernel_argument_nousb_argument_in_boot_loader_entries_ostree_2_conf:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_coreos_nousb_kernel_argument_nousb_argument_in_boot_loader_entries_ostree_2_conf:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_coreos_nousb_kernel_argument_nousb_argument_in_proc_cmdline:tst:1" comment="Check if argument nousb is present in the line starting with 'BOOT_IMAGE' in /proc/cmdline" check="all" check_existence="all_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_coreos_nousb_kernel_argument_nousb_argument_in_proc_cmdline:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_coreos_nousb_kernel_argument_nousb_argument_in_proc_cmdline:ste:1"/>
-        </ind:textfilecontent54_test>
-        <unix:file_test check="all" check_existence="none_exist" id="oval:ssg-test_coreos_page_poison_kernel_argument_file_boot_loader_entries_ostree_2_conf_absent:tst:1" comment="Check if /boot/loader/entries/ostree-2-.*.conf does not exist" version="1">
-          <unix:object object_ref="oval:ssg-object_coreos_page_poison_kernel_argument_file_boot_loader_entries_ostree_2_conf_absent:obj:1"/>
-        </unix:file_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_coreos_page_poison_kernel_argument_page_poison_1_argument_in_boot_loader_entries_ostree_1_conf:tst:1" comment="Check if argument page_poison=1 is present in the line starting with 'options ' in /boot/loader/entries/ostree-1-.*.conf" check="all" check_existence="all_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_coreos_page_poison_kernel_argument_page_poison_1_argument_in_boot_loader_entries_ostree_1_conf:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_coreos_page_poison_kernel_argument_page_poison_1_argument_in_boot_loader_entries_ostree_1_conf:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_coreos_page_poison_kernel_argument_page_poison_1_argument_in_boot_loader_entries_ostree_2_conf:tst:1" comment="Check if argument page_poison=1 is present in the line starting with 'options ' in /boot/loader/entries/ostree-2-.*.conf" check="all" check_existence="all_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_coreos_page_poison_kernel_argument_page_poison_1_argument_in_boot_loader_entries_ostree_2_conf:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_coreos_page_poison_kernel_argument_page_poison_1_argument_in_boot_loader_entries_ostree_2_conf:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_coreos_page_poison_kernel_argument_page_poison_1_argument_in_proc_cmdline:tst:1" comment="Check if argument page_poison=1 is present in the line starting with 'BOOT_IMAGE' in /proc/cmdline" check="all" check_existence="all_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_coreos_page_poison_kernel_argument_page_poison_1_argument_in_proc_cmdline:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_coreos_page_poison_kernel_argument_page_poison_1_argument_in_proc_cmdline:ste:1"/>
-        </ind:textfilecontent54_test>
-        <unix:file_test check="all" check_existence="none_exist" id="oval:ssg-test_coreos_pti_kernel_argument_file_boot_loader_entries_ostree_2_conf_absent:tst:1" comment="Check if /boot/loader/entries/ostree-2-.*.conf does not exist" version="1">
-          <unix:object object_ref="oval:ssg-object_coreos_pti_kernel_argument_file_boot_loader_entries_ostree_2_conf_absent:obj:1"/>
-        </unix:file_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_coreos_pti_kernel_argument_pti_on_argument_in_boot_loader_entries_ostree_1_conf:tst:1" comment="Check if argument pti=on is present in the line starting with 'options ' in /boot/loader/entries/ostree-1-.*.conf" check="all" check_existence="all_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_coreos_pti_kernel_argument_pti_on_argument_in_boot_loader_entries_ostree_1_conf:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_coreos_pti_kernel_argument_pti_on_argument_in_boot_loader_entries_ostree_1_conf:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_coreos_pti_kernel_argument_pti_on_argument_in_boot_loader_entries_ostree_2_conf:tst:1" comment="Check if argument pti=on is present in the line starting with 'options ' in /boot/loader/entries/ostree-2-.*.conf" check="all" check_existence="all_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_coreos_pti_kernel_argument_pti_on_argument_in_boot_loader_entries_ostree_2_conf:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_coreos_pti_kernel_argument_pti_on_argument_in_boot_loader_entries_ostree_2_conf:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_coreos_pti_kernel_argument_pti_on_argument_in_proc_cmdline:tst:1" comment="Check if argument pti=on is present in the line starting with 'BOOT_IMAGE' in /proc/cmdline" check="all" check_existence="all_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_coreos_pti_kernel_argument_pti_on_argument_in_proc_cmdline:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_coreos_pti_kernel_argument_pti_on_argument_in_proc_cmdline:ste:1"/>
-        </ind:textfilecontent54_test>
-        <unix:file_test check="all" check_existence="none_exist" id="oval:ssg-test_coreos_slub_debug_kernel_argument_file_boot_loader_entries_ostree_2_conf_absent:tst:1" comment="Check if /boot/loader/entries/ostree-2-.*.conf does not exist" version="1">
-          <unix:object object_ref="oval:ssg-object_coreos_slub_debug_kernel_argument_file_boot_loader_entries_ostree_2_conf_absent:obj:1"/>
-        </unix:file_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_coreos_slub_debug_kernel_argument_slub_debug_P_argument_in_boot_loader_entries_ostree_1_conf:tst:1" comment="Check if argument slub_debug=P is present in the line starting with 'options ' in /boot/loader/entries/ostree-1-.*.conf" check="all" check_existence="all_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_coreos_slub_debug_kernel_argument_slub_debug_P_argument_in_boot_loader_entries_ostree_1_conf:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_coreos_slub_debug_kernel_argument_slub_debug_P_argument_in_boot_loader_entries_ostree_1_conf:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_coreos_slub_debug_kernel_argument_slub_debug_P_argument_in_boot_loader_entries_ostree_2_conf:tst:1" comment="Check if argument slub_debug=P is present in the line starting with 'options ' in /boot/loader/entries/ostree-2-.*.conf" check="all" check_existence="all_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_coreos_slub_debug_kernel_argument_slub_debug_P_argument_in_boot_loader_entries_ostree_2_conf:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_coreos_slub_debug_kernel_argument_slub_debug_P_argument_in_boot_loader_entries_ostree_2_conf:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_coreos_slub_debug_kernel_argument_slub_debug_P_argument_in_proc_cmdline:tst:1" comment="Check if argument slub_debug=P is present in the line starting with 'BOOT_IMAGE' in /proc/cmdline" check="all" check_existence="all_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_coreos_slub_debug_kernel_argument_slub_debug_P_argument_in_proc_cmdline:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_coreos_slub_debug_kernel_argument_slub_debug_P_argument_in_proc_cmdline:ste:1"/>
-        </ind:textfilecontent54_test>
-        <unix:file_test check="all" check_existence="none_exist" id="oval:ssg-test_coreos_vsyscall_kernel_argument_file_boot_loader_entries_ostree_2_conf_absent:tst:1" comment="Check if /boot/loader/entries/ostree-2-.*.conf does not exist" version="1">
-          <unix:object object_ref="oval:ssg-object_coreos_vsyscall_kernel_argument_file_boot_loader_entries_ostree_2_conf_absent:obj:1"/>
-        </unix:file_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_coreos_vsyscall_kernel_argument_vsyscall_none_argument_in_boot_loader_entries_ostree_1_conf:tst:1" comment="Check if argument vsyscall=none is present in the line starting with 'options ' in /boot/loader/entries/ostree-1-.*.conf" check="all" check_existence="all_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_coreos_vsyscall_kernel_argument_vsyscall_none_argument_in_boot_loader_entries_ostree_1_conf:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_coreos_vsyscall_kernel_argument_vsyscall_none_argument_in_boot_loader_entries_ostree_1_conf:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_coreos_vsyscall_kernel_argument_vsyscall_none_argument_in_boot_loader_entries_ostree_2_conf:tst:1" comment="Check if argument vsyscall=none is present in the line starting with 'options ' in /boot/loader/entries/ostree-2-.*.conf" check="all" check_existence="all_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_coreos_vsyscall_kernel_argument_vsyscall_none_argument_in_boot_loader_entries_ostree_2_conf:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_coreos_vsyscall_kernel_argument_vsyscall_none_argument_in_boot_loader_entries_ostree_2_conf:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_coreos_vsyscall_kernel_argument_vsyscall_none_argument_in_proc_cmdline:tst:1" comment="Check if argument vsyscall=none is present in the line starting with 'BOOT_IMAGE' in /proc/cmdline" check="all" check_existence="all_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_coreos_vsyscall_kernel_argument_vsyscall_none_argument_in_proc_cmdline:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_coreos_vsyscall_kernel_argument_vsyscall_none_argument_in_proc_cmdline:ste:1"/>
-        </ind:textfilecontent54_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing user ownership of /bin/" id="oval:ssg-test_file_ownerdir_ownership_binary_dirs_0:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_file_ownerdir_ownership_binary_dirs_0:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing user ownership of /sbin/" id="oval:ssg-test_file_ownerdir_ownership_binary_dirs_1:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_file_ownerdir_ownership_binary_dirs_1:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing user ownership of /usr/bin/" id="oval:ssg-test_file_ownerdir_ownership_binary_dirs_2:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_file_ownerdir_ownership_binary_dirs_2:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing user ownership of /usr/sbin/" id="oval:ssg-test_file_ownerdir_ownership_binary_dirs_3:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_file_ownerdir_ownership_binary_dirs_3:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing user ownership of /usr/local/bin/" id="oval:ssg-test_file_ownerdir_ownership_binary_dirs_4:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_file_ownerdir_ownership_binary_dirs_4:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing user ownership of /usr/local/sbin/" id="oval:ssg-test_file_ownerdir_ownership_binary_dirs_5:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_file_ownerdir_ownership_binary_dirs_5:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing user ownership of /lib/" id="oval:ssg-test_file_ownerdir_ownership_library_dirs_0:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_file_ownerdir_ownership_library_dirs_0:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing user ownership of /lib64/" id="oval:ssg-test_file_ownerdir_ownership_library_dirs_1:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_file_ownerdir_ownership_library_dirs_1:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing user ownership of /usr/lib/" id="oval:ssg-test_file_ownerdir_ownership_library_dirs_2:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_file_ownerdir_ownership_library_dirs_2:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing user ownership of /usr/lib64/" id="oval:ssg-test_file_ownerdir_ownership_library_dirs_3:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_file_ownerdir_ownership_library_dirs_3:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing mode of /bin/" id="oval:ssg-test_file_permissionsdir_permissions_binary_dirs_0:tst:1" version="3">
-          <unix:object object_ref="oval:ssg-object_file_permissionsdir_permissions_binary_dirs_0:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing mode of /sbin/" id="oval:ssg-test_file_permissionsdir_permissions_binary_dirs_1:tst:1" version="3">
-          <unix:object object_ref="oval:ssg-object_file_permissionsdir_permissions_binary_dirs_1:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing mode of /usr/bin/" id="oval:ssg-test_file_permissionsdir_permissions_binary_dirs_2:tst:1" version="3">
-          <unix:object object_ref="oval:ssg-object_file_permissionsdir_permissions_binary_dirs_2:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing mode of /usr/sbin/" id="oval:ssg-test_file_permissionsdir_permissions_binary_dirs_3:tst:1" version="3">
-          <unix:object object_ref="oval:ssg-object_file_permissionsdir_permissions_binary_dirs_3:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing mode of /usr/local/bin/" id="oval:ssg-test_file_permissionsdir_permissions_binary_dirs_4:tst:1" version="3">
-          <unix:object object_ref="oval:ssg-object_file_permissionsdir_permissions_binary_dirs_4:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing mode of /usr/local/sbin/" id="oval:ssg-test_file_permissionsdir_permissions_binary_dirs_5:tst:1" version="3">
-          <unix:object object_ref="oval:ssg-object_file_permissionsdir_permissions_binary_dirs_5:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing mode of /lib/" id="oval:ssg-test_file_permissionsdir_permissions_library_dirs_0:tst:1" version="3">
-          <unix:object object_ref="oval:ssg-object_file_permissionsdir_permissions_library_dirs_0:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing mode of /lib64/" id="oval:ssg-test_file_permissionsdir_permissions_library_dirs_1:tst:1" version="3">
-          <unix:object object_ref="oval:ssg-object_file_permissionsdir_permissions_library_dirs_1:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing mode of /usr/lib/" id="oval:ssg-test_file_permissionsdir_permissions_library_dirs_2:tst:1" version="3">
-          <unix:object object_ref="oval:ssg-object_file_permissionsdir_permissions_library_dirs_2:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing mode of /usr/lib64/" id="oval:ssg-test_file_permissionsdir_permissions_library_dirs_3:tst:1" version="3">
-          <unix:object object_ref="oval:ssg-object_file_permissionsdir_permissions_library_dirs_3:obj:1"/>
-        </unix:file_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of HostbasedAuthentication setting in the /etc/ssh/sshd_config file" id="oval:ssg-test_disable_host_auth:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_disable_host_auth:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_disable_host_auth:ste:1"/>
-        </ind:textfilecontent54_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing group ownership of /etc/group-" id="oval:ssg-test_file_groupowner_backup_etc_group_0:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_file_groupowner_backup_etc_group_0:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing group ownership of /etc/gshadow-" id="oval:ssg-test_file_groupowner_backup_etc_gshadow_0:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_file_groupowner_backup_etc_gshadow_0:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing group ownership of /etc/passwd-" id="oval:ssg-test_file_groupowner_backup_etc_passwd_0:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_file_groupowner_backup_etc_passwd_0:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing group ownership of /etc/shadow-" id="oval:ssg-test_file_groupowner_backup_etc_shadow_0:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_file_groupowner_backup_etc_shadow_0:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing group ownership of /etc/group" id="oval:ssg-test_file_groupowner_etc_group_0:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_file_groupowner_etc_group_0:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing group ownership of /etc/gshadow" id="oval:ssg-test_file_groupowner_etc_gshadow_0:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_file_groupowner_etc_gshadow_0:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing group ownership of /etc/issue" id="oval:ssg-test_file_groupowner_etc_issue_0:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_file_groupowner_etc_issue_0:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing group ownership of /etc/passwd" id="oval:ssg-test_file_groupowner_etc_passwd_0:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_file_groupowner_etc_passwd_0:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing group ownership of /etc/shadow" id="oval:ssg-test_file_groupowner_etc_shadow_0:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_file_groupowner_etc_shadow_0:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing group ownership of /etc/ssh/sshd_config" id="oval:ssg-test_file_groupowner_sshd_config_0:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_file_groupowner_sshd_config_0:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing group ownership of /var/log/" id="oval:ssg-test_file_groupowner_var_log_0:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_file_groupowner_var_log_0:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing group ownership of /var/log/messages" id="oval:ssg-test_file_groupowner_var_log_messages_0:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_file_groupowner_var_log_messages_0:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing group ownership of /var/log/syslog" id="oval:ssg-test_file_groupowner_var_log_syslog_0:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_file_groupowner_var_log_syslog_0:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing group ownership of /etc/audit/" id="oval:ssg-test_file_groupownership_audit_configuration_0:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_file_groupownership_audit_configuration_0:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing group ownership of /etc/audit/rules.d/" id="oval:ssg-test_file_groupownership_audit_configuration_1:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_file_groupownership_audit_configuration_1:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing user ownership of /etc/group-" id="oval:ssg-test_file_owner_backup_etc_group_0:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_file_owner_backup_etc_group_0:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing user ownership of /etc/gshadow-" id="oval:ssg-test_file_owner_backup_etc_gshadow_0:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_file_owner_backup_etc_gshadow_0:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing user ownership of /etc/passwd-" id="oval:ssg-test_file_owner_backup_etc_passwd_0:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_file_owner_backup_etc_passwd_0:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing user ownership of /etc/shadow-" id="oval:ssg-test_file_owner_backup_etc_shadow_0:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_file_owner_backup_etc_shadow_0:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing user ownership of /etc/group" id="oval:ssg-test_file_owner_etc_group_0:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_file_owner_etc_group_0:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing user ownership of /etc/gshadow" id="oval:ssg-test_file_owner_etc_gshadow_0:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_file_owner_etc_gshadow_0:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing user ownership of /etc/issue" id="oval:ssg-test_file_owner_etc_issue_0:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_file_owner_etc_issue_0:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing user ownership of /etc/passwd" id="oval:ssg-test_file_owner_etc_passwd_0:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_file_owner_etc_passwd_0:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing user ownership of /etc/shadow" id="oval:ssg-test_file_owner_etc_shadow_0:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_file_owner_etc_shadow_0:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing user ownership of /etc/ssh/sshd_config" id="oval:ssg-test_file_owner_sshd_config_0:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_file_owner_sshd_config_0:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing user ownership of /var/log/" id="oval:ssg-test_file_owner_var_log_0:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_file_owner_var_log_0:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing user ownership of /var/log/messages" id="oval:ssg-test_file_owner_var_log_messages_0:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_file_owner_var_log_messages_0:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing user ownership of /var/log/syslog" id="oval:ssg-test_file_owner_var_log_syslog_0:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_file_owner_var_log_syslog_0:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing user ownership of /etc/audit/" id="oval:ssg-test_file_ownership_audit_configuration_0:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_file_ownership_audit_configuration_0:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing user ownership of /etc/audit/rules.d/" id="oval:ssg-test_file_ownership_audit_configuration_1:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_file_ownership_audit_configuration_1:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing user ownership of /lib/" id="oval:ssg-test_file_ownership_library_dirs_0:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_file_ownership_library_dirs_0:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing user ownership of /lib64/" id="oval:ssg-test_file_ownership_library_dirs_1:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_file_ownership_library_dirs_1:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing user ownership of /usr/lib/" id="oval:ssg-test_file_ownership_library_dirs_2:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_file_ownership_library_dirs_2:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing user ownership of /usr/lib64/" id="oval:ssg-test_file_ownership_library_dirs_3:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_file_ownership_library_dirs_3:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing mode of /etc/group-" id="oval:ssg-test_file_permissions_backup_etc_group_0:tst:1" version="3">
-          <unix:object object_ref="oval:ssg-object_file_permissions_backup_etc_group_0:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing mode of /etc/gshadow-" id="oval:ssg-test_file_permissions_backup_etc_gshadow_0:tst:1" version="3">
-          <unix:object object_ref="oval:ssg-object_file_permissions_backup_etc_gshadow_0:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing mode of /etc/passwd-" id="oval:ssg-test_file_permissions_backup_etc_passwd_0:tst:1" version="3">
-          <unix:object object_ref="oval:ssg-object_file_permissions_backup_etc_passwd_0:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing mode of /etc/shadow-" id="oval:ssg-test_file_permissions_backup_etc_shadow_0:tst:1" version="3">
-          <unix:object object_ref="oval:ssg-object_file_permissions_backup_etc_shadow_0:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing mode of /etc/group" id="oval:ssg-test_file_permissions_etc_group_0:tst:1" version="3">
-          <unix:object object_ref="oval:ssg-object_file_permissions_etc_group_0:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing mode of /etc/gshadow" id="oval:ssg-test_file_permissions_etc_gshadow_0:tst:1" version="3">
-          <unix:object object_ref="oval:ssg-object_file_permissions_etc_gshadow_0:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing mode of /etc/issue" id="oval:ssg-test_file_permissions_etc_issue_0:tst:1" version="3">
-          <unix:object object_ref="oval:ssg-object_file_permissions_etc_issue_0:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing mode of /etc/passwd" id="oval:ssg-test_file_permissions_etc_passwd_0:tst:1" version="3">
-          <unix:object object_ref="oval:ssg-object_file_permissions_etc_passwd_0:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing mode of /etc/shadow" id="oval:ssg-test_file_permissions_etc_shadow_0:tst:1" version="3">
-          <unix:object object_ref="oval:ssg-object_file_permissions_etc_shadow_0:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing mode of /lib/" id="oval:ssg-test_file_permissions_library_dirs_0:tst:1" version="3">
-          <unix:object object_ref="oval:ssg-object_file_permissions_library_dirs_0:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing mode of /lib64/" id="oval:ssg-test_file_permissions_library_dirs_1:tst:1" version="3">
-          <unix:object object_ref="oval:ssg-object_file_permissions_library_dirs_1:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing mode of /usr/lib/" id="oval:ssg-test_file_permissions_library_dirs_2:tst:1" version="3">
-          <unix:object object_ref="oval:ssg-object_file_permissions_library_dirs_2:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing mode of /usr/lib64/" id="oval:ssg-test_file_permissions_library_dirs_3:tst:1" version="3">
-          <unix:object object_ref="oval:ssg-object_file_permissions_library_dirs_3:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing mode of /etc/ssh/sshd_config" id="oval:ssg-test_file_permissions_sshd_config_0:tst:1" version="3">
-          <unix:object object_ref="oval:ssg-object_file_permissions_sshd_config_0:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing mode of /etc/ssh/" id="oval:ssg-test_file_permissions_sshd_pub_key_0:tst:1" version="3">
-          <unix:object object_ref="oval:ssg-object_file_permissions_sshd_pub_key_0:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing mode of /var/log/" id="oval:ssg-test_file_permissions_var_log_0:tst:1" version="3">
-          <unix:object object_ref="oval:ssg-object_file_permissions_var_log_0:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing mode of /var/log/messages" id="oval:ssg-test_file_permissions_var_log_messages_0:tst:1" version="3">
-          <unix:object object_ref="oval:ssg-object_file_permissions_var_log_messages_0:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="none_exist" comment="Testing mode of /var/log/syslog" id="oval:ssg-test_file_permissions_var_log_syslog_0:tst:1" version="3">
-          <unix:object object_ref="oval:ssg-object_file_permissions_var_log_syslog_0:obj:1"/>
-        </unix:file_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_grub2_iommu_argument:tst:1" comment="check for iommu=force in /etc/default/grub via GRUB_CMDLINE_LINUX" check="all" check_existence="all_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_grub2_iommu_argument:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_grub2_iommu_argument:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_grub2_iommu_argument_default:tst:1" comment="check for iommu=force in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT" check="all" check_existence="all_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_grub2_iommu_argument_default:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_grub2_iommu_argument:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_grub2_ipv6_disable_argument:tst:1" comment="check for ipv6.disable=1 in /etc/default/grub via GRUB_CMDLINE_LINUX" check="all" check_existence="all_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_grub2_ipv6_disable_argument:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_grub2_ipv6_disable_argument:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_grub2_ipv6_disable_argument_default:tst:1" comment="check for ipv6.disable=1 in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT" check="all" check_existence="all_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_grub2_ipv6_disable_argument_default:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_grub2_ipv6_disable_argument:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_grub2_l1tf_argument:tst:1" comment="check for l1tf in /etc/default/grub via GRUB_CMDLINE_LINUX" check="all" check_existence="all_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_grub2_l1tf_argument:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_grub2_l1tf_argument:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_grub2_l1tf_argument_default:tst:1" comment="check for l1tf in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT" check="all" check_existence="all_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_grub2_l1tf_argument_default:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_grub2_l1tf_argument:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_grub2_mce_argument:tst:1" comment="check for mce=0 in /etc/default/grub via GRUB_CMDLINE_LINUX" check="all" check_existence="all_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_grub2_mce_argument:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_grub2_mce_argument:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_grub2_mce_argument_default:tst:1" comment="check for mce=0 in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT" check="all" check_existence="all_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_grub2_mce_argument_default:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_grub2_mce_argument:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_grub2_nosmap_argument_absent:tst:1" comment="check for absence nosmap in /etc/default/grub via GRUB_CMDLINE_LINUX" check="all" check_existence="all_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_grub2_nosmap_argument_absent:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_grub2_nosmap_argument_absent_default:tst:1" comment="check for absence nosmap in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT" check="all" check_existence="all_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_grub2_nosmap_argument_absent_default:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_grub2_nosmep_argument_absent:tst:1" comment="check for absence nosmep in /etc/default/grub via GRUB_CMDLINE_LINUX" check="all" check_existence="all_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_grub2_nosmep_argument_absent:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_grub2_nosmep_argument_absent_default:tst:1" comment="check for absence nosmep in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT" check="all" check_existence="all_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_grub2_nosmep_argument_absent_default:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_grub2_rng_core_default_quality_argument:tst:1" comment="check for rng_core.default_quality in /etc/default/grub via GRUB_CMDLINE_LINUX" check="all" check_existence="all_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_grub2_rng_core_default_quality_argument:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_grub2_rng_core_default_quality_argument:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_grub2_rng_core_default_quality_argument_default:tst:1" comment="check for rng_core.default_quality in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT" check="all" check_existence="all_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_grub2_rng_core_default_quality_argument_default:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_grub2_rng_core_default_quality_argument:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_grub2_slab_nomerge_argument:tst:1" comment="check for slab_nomerge=yes in /etc/default/grub via GRUB_CMDLINE_LINUX" check="all" check_existence="all_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_grub2_slab_nomerge_argument:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_grub2_slab_nomerge_argument:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_grub2_slab_nomerge_argument_default:tst:1" comment="check for slab_nomerge=yes in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT" check="all" check_existence="all_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_grub2_slab_nomerge_argument_default:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_grub2_slab_nomerge_argument:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_grub2_spec_store_bypass_disable_argument:tst:1" comment="check for spec_store_bypass_disable in /etc/default/grub via GRUB_CMDLINE_LINUX" check="all" check_existence="all_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_grub2_spec_store_bypass_disable_argument:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_grub2_spec_store_bypass_disable_argument:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_grub2_spec_store_bypass_disable_argument_default:tst:1" comment="check for spec_store_bypass_disable in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT" check="all" check_existence="all_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_grub2_spec_store_bypass_disable_argument_default:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_grub2_spec_store_bypass_disable_argument:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_grub2_spectre_v2_argument:tst:1" comment="check for spectre_v2=on in /etc/default/grub via GRUB_CMDLINE_LINUX" check="all" check_existence="all_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_grub2_spectre_v2_argument:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_grub2_spectre_v2_argument:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_grub2_spectre_v2_argument_default:tst:1" comment="check for spectre_v2=on in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT" check="all" check_existence="all_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_grub2_spectre_v2_argument_default:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_grub2_spectre_v2_argument:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_grub2_systemd_debug_shell_argument_absent:tst:1" comment="check for absence systemd.debug-shell in /etc/default/grub via GRUB_CMDLINE_LINUX" check="all" check_existence="all_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_grub2_systemd_debug_shell_argument_absent:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_grub2_systemd_debug_shell_argument_absent_default:tst:1" comment="check for absence systemd.debug-shell in /etc/default/grub via GRUB_CMDLINE_LINUX_DEFAULT" check="all" check_existence="all_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_grub2_systemd_debug_shell_argument_absent_default:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="Check /boot/config-.* files for CONFIG_ACPI_CUSTOM_METHOD=n" id="oval:ssg-test_kernel_config_acpi_custom_method:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_kernel_config_acpi_custom_method:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_kernel_config_acpi_custom_method:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="Check /boot/config-.* files for absence of CONFIG_ACPI_CUSTOM_METHOD" id="oval:ssg-test_kernel_config_acpi_custom_method_absence:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_kernel_config_acpi_custom_method:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check if all installed kernels are compliant" id="oval:ssg-test_all_kernels_config_acpi_custom_method_compliant:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_var_kernel_config_acpi_custom_method_count:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_var_kernel_config_acpi_custom_method:ste:1"/>
-        </ind:variable_test>
-        <ind:textfilecontent54_test check="all" comment="Check /boot/config-.* files for CONFIG_BINFMT_MISC=n" id="oval:ssg-test_kernel_config_binfmt_misc:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_kernel_config_binfmt_misc:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_kernel_config_binfmt_misc:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="Check /boot/config-.* files for absence of CONFIG_BINFMT_MISC" id="oval:ssg-test_kernel_config_binfmt_misc_absence:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_kernel_config_binfmt_misc:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check if all installed kernels are compliant" id="oval:ssg-test_all_kernels_config_binfmt_misc_compliant:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_var_kernel_config_binfmt_misc_count:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_var_kernel_config_binfmt_misc:ste:1"/>
-        </ind:variable_test>
-        <ind:textfilecontent54_test check="all" comment="Check /boot/config-.* files for CONFIG_BUG=y" id="oval:ssg-test_kernel_config_bug:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_kernel_config_bug:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_kernel_config_bug:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check if all installed kernels are compliant" id="oval:ssg-test_all_kernels_config_bug_compliant:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_var_kernel_config_bug_count:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_var_kernel_config_bug:ste:1"/>
-        </ind:variable_test>
-        <ind:textfilecontent54_test check="all" comment="Check /boot/config-.* files for CONFIG_COMPAT_BRK=n" id="oval:ssg-test_kernel_config_compat_brk:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_kernel_config_compat_brk:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_kernel_config_compat_brk:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="Check /boot/config-.* files for absence of CONFIG_COMPAT_BRK" id="oval:ssg-test_kernel_config_compat_brk_absence:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_kernel_config_compat_brk:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check if all installed kernels are compliant" id="oval:ssg-test_all_kernels_config_compat_brk_compliant:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_var_kernel_config_compat_brk_count:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_var_kernel_config_compat_brk:ste:1"/>
-        </ind:variable_test>
-        <ind:textfilecontent54_test check="all" comment="Check /boot/config-.* files for CONFIG_COMPAT_VDSO=n" id="oval:ssg-test_kernel_config_compat_vdso:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_kernel_config_compat_vdso:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_kernel_config_compat_vdso:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="Check /boot/config-.* files for absence of CONFIG_COMPAT_VDSO" id="oval:ssg-test_kernel_config_compat_vdso_absence:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_kernel_config_compat_vdso:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check if all installed kernels are compliant" id="oval:ssg-test_all_kernels_config_compat_vdso_compliant:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_var_kernel_config_compat_vdso_count:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_var_kernel_config_compat_vdso:ste:1"/>
-        </ind:variable_test>
-        <ind:textfilecontent54_test check="all" comment="Check /boot/config-.* files for CONFIG_DEBUG_CREDENTIALS=y" id="oval:ssg-test_kernel_config_debug_credentials:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_kernel_config_debug_credentials:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_kernel_config_debug_credentials:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check if all installed kernels are compliant" id="oval:ssg-test_all_kernels_config_debug_credentials_compliant:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_var_kernel_config_debug_credentials_count:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_var_kernel_config_debug_credentials:ste:1"/>
-        </ind:variable_test>
-        <ind:textfilecontent54_test check="all" comment="Check /boot/config-.* files for CONFIG_DEBUG_FS=n" id="oval:ssg-test_kernel_config_debug_fs:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_kernel_config_debug_fs:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_kernel_config_debug_fs:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="Check /boot/config-.* files for absence of CONFIG_DEBUG_FS" id="oval:ssg-test_kernel_config_debug_fs_absence:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_kernel_config_debug_fs:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check if all installed kernels are compliant" id="oval:ssg-test_all_kernels_config_debug_fs_compliant:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_var_kernel_config_debug_fs_count:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_var_kernel_config_debug_fs:ste:1"/>
-        </ind:variable_test>
-        <ind:textfilecontent54_test check="all" comment="Check /boot/config-.* files for CONFIG_DEBUG_LIST=y" id="oval:ssg-test_kernel_config_debug_list:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_kernel_config_debug_list:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_kernel_config_debug_list:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check if all installed kernels are compliant" id="oval:ssg-test_all_kernels_config_debug_list_compliant:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_var_kernel_config_debug_list_count:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_var_kernel_config_debug_list:ste:1"/>
-        </ind:variable_test>
-        <ind:textfilecontent54_test check="all" comment="Check /boot/config-.* files for CONFIG_DEBUG_NOTIFIERS=y" id="oval:ssg-test_kernel_config_debug_notifiers:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_kernel_config_debug_notifiers:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_kernel_config_debug_notifiers:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check if all installed kernels are compliant" id="oval:ssg-test_all_kernels_config_debug_notifiers_compliant:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_var_kernel_config_debug_notifiers_count:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_var_kernel_config_debug_notifiers:ste:1"/>
-        </ind:variable_test>
-        <ind:textfilecontent54_test check="all" comment="Check /boot/config-.* files for CONFIG_DEBUG_SG=y" id="oval:ssg-test_kernel_config_debug_sg:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_kernel_config_debug_sg:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_kernel_config_debug_sg:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check if all installed kernels are compliant" id="oval:ssg-test_all_kernels_config_debug_sg_compliant:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_var_kernel_config_debug_sg_count:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_var_kernel_config_debug_sg:ste:1"/>
-        </ind:variable_test>
-        <ind:textfilecontent54_test check="all" comment="Check /boot/config-.* files for CONFIG_DEFAULT_MMAP_MIN_ADDR=65536" id="oval:ssg-test_kernel_config_default_mmap_min_addr:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_kernel_config_default_mmap_min_addr:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_kernel_config_default_mmap_min_addr:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check if all installed kernels are compliant" id="oval:ssg-test_all_kernels_config_default_mmap_min_addr_compliant:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_var_kernel_config_default_mmap_min_addr_count:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_var_kernel_config_default_mmap_min_addr:ste:1"/>
-        </ind:variable_test>
-        <ind:textfilecontent54_test check="all" comment="Check /boot/config-.* files for CONFIG_DEVKMEM=n" id="oval:ssg-test_kernel_config_devkmem:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_kernel_config_devkmem:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_kernel_config_devkmem:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="Check /boot/config-.* files for absence of CONFIG_DEVKMEM" id="oval:ssg-test_kernel_config_devkmem_absence:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_kernel_config_devkmem:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check if all installed kernels are compliant" id="oval:ssg-test_all_kernels_config_devkmem_compliant:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_var_kernel_config_devkmem_count:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_var_kernel_config_devkmem:ste:1"/>
-        </ind:variable_test>
-        <ind:textfilecontent54_test check="all" comment="Check /boot/config-.* files for CONFIG_HIBERNATION=n" id="oval:ssg-test_kernel_config_hibernation:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_kernel_config_hibernation:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_kernel_config_hibernation:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="Check /boot/config-.* files for absence of CONFIG_HIBERNATION" id="oval:ssg-test_kernel_config_hibernation_absence:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_kernel_config_hibernation:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check if all installed kernels are compliant" id="oval:ssg-test_all_kernels_config_hibernation_compliant:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_var_kernel_config_hibernation_count:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_var_kernel_config_hibernation:ste:1"/>
-        </ind:variable_test>
-        <ind:textfilecontent54_test check="all" comment="Check /boot/config-.* files for CONFIG_IA32_EMULATION=n" id="oval:ssg-test_kernel_config_ia32_emulation:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_kernel_config_ia32_emulation:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_kernel_config_ia32_emulation:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="Check /boot/config-.* files for absence of CONFIG_IA32_EMULATION" id="oval:ssg-test_kernel_config_ia32_emulation_absence:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_kernel_config_ia32_emulation:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check if all installed kernels are compliant" id="oval:ssg-test_all_kernels_config_ia32_emulation_compliant:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_var_kernel_config_ia32_emulation_count:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_var_kernel_config_ia32_emulation:ste:1"/>
-        </ind:variable_test>
-        <ind:textfilecontent54_test check="all" comment="Check /boot/config-.* files for CONFIG_IPV6=n" id="oval:ssg-test_kernel_config_ipv6:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_kernel_config_ipv6:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_kernel_config_ipv6:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="Check /boot/config-.* files for absence of CONFIG_IPV6" id="oval:ssg-test_kernel_config_ipv6_absence:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_kernel_config_ipv6:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check if all installed kernels are compliant" id="oval:ssg-test_all_kernels_config_ipv6_compliant:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_var_kernel_config_ipv6_count:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_var_kernel_config_ipv6:ste:1"/>
-        </ind:variable_test>
-        <ind:textfilecontent54_test check="all" comment="Check /boot/config-.* files for CONFIG_KEXEC=n" id="oval:ssg-test_kernel_config_kexec:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_kernel_config_kexec:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_kernel_config_kexec:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="Check /boot/config-.* files for absence of CONFIG_KEXEC" id="oval:ssg-test_kernel_config_kexec_absence:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_kernel_config_kexec:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check if all installed kernels are compliant" id="oval:ssg-test_all_kernels_config_kexec_compliant:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_var_kernel_config_kexec_count:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_var_kernel_config_kexec:ste:1"/>
-        </ind:variable_test>
-        <ind:textfilecontent54_test check="all" comment="Check /boot/config-.* files for CONFIG_LEGACY_PTYS=n" id="oval:ssg-test_kernel_config_legacy_ptys:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_kernel_config_legacy_ptys:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_kernel_config_legacy_ptys:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="Check /boot/config-.* files for absence of CONFIG_LEGACY_PTYS" id="oval:ssg-test_kernel_config_legacy_ptys_absence:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_kernel_config_legacy_ptys:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check if all installed kernels are compliant" id="oval:ssg-test_all_kernels_config_legacy_ptys_compliant:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_var_kernel_config_legacy_ptys_count:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_var_kernel_config_legacy_ptys:ste:1"/>
-        </ind:variable_test>
-        <ind:textfilecontent54_test check="all" comment="Check /boot/config-.* files for CONFIG_MODULE_SIG=y" id="oval:ssg-test_kernel_config_module_sig:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_kernel_config_module_sig:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_kernel_config_module_sig:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check if all installed kernels are compliant" id="oval:ssg-test_all_kernels_config_module_sig_compliant:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_var_kernel_config_module_sig_count:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_var_kernel_config_module_sig:ste:1"/>
-        </ind:variable_test>
-        <ind:textfilecontent54_test check="all" comment="Check /boot/config-.* files for CONFIG_MODULE_SIG_ALL=y" id="oval:ssg-test_kernel_config_module_sig_all:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_kernel_config_module_sig_all:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_kernel_config_module_sig_all:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check if all installed kernels are compliant" id="oval:ssg-test_all_kernels_config_module_sig_all_compliant:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_var_kernel_config_module_sig_all_count:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_var_kernel_config_module_sig_all:ste:1"/>
-        </ind:variable_test>
-        <ind:textfilecontent54_test check="all" comment="Check /boot/config-.* files for CONFIG_MODULE_SIG_FORCE=y" id="oval:ssg-test_kernel_config_module_sig_force:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_kernel_config_module_sig_force:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_kernel_config_module_sig_force:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check if all installed kernels are compliant" id="oval:ssg-test_all_kernels_config_module_sig_force_compliant:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_var_kernel_config_module_sig_force_count:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_var_kernel_config_module_sig_force:ste:1"/>
-        </ind:variable_test>
-        <ind:textfilecontent54_test check="all" comment="Check /boot/config-.* files for CONFIG_MODULE_SIG_HASH according to var_kernel_config_module_sig_hash" id="oval:ssg-test_kernel_config_module_sig_hash:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_kernel_config_module_sig_hash:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_kernel_config_module_sig_hash:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check if all installed kernels are compliant" id="oval:ssg-test_all_kernels_config_module_sig_hash_compliant:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_var_kernel_config_module_sig_hash_count:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_var_kernel_config_module_sig_hash:ste:1"/>
-        </ind:variable_test>
-        <ind:textfilecontent54_test check="all" comment="Check /boot/config-.* files for CONFIG_MODULE_SIG_KEY according to var_kernel_config_module_sig_key" id="oval:ssg-test_kernel_config_module_sig_key:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_kernel_config_module_sig_key:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_kernel_config_module_sig_key:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check if all installed kernels are compliant" id="oval:ssg-test_all_kernels_config_module_sig_key_compliant:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_var_kernel_config_module_sig_key_count:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_var_kernel_config_module_sig_key:ste:1"/>
-        </ind:variable_test>
-        <ind:textfilecontent54_test check="all" comment="Check /boot/config-.* files for CONFIG_MODULE_SIG_SHA512=y" id="oval:ssg-test_kernel_config_module_sig_sha512:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_kernel_config_module_sig_sha512:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_kernel_config_module_sig_sha512:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check if all installed kernels are compliant" id="oval:ssg-test_all_kernels_config_module_sig_sha512_compliant:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_var_kernel_config_module_sig_sha512_count:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_var_kernel_config_module_sig_sha512:ste:1"/>
-        </ind:variable_test>
-        <ind:textfilecontent54_test check="all" comment="Check /boot/config-.* files for CONFIG_PAGE_POISONING_NO_SANITY=y" id="oval:ssg-test_kernel_config_page_poisoning_no_sanity:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_kernel_config_page_poisoning_no_sanity:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_kernel_config_page_poisoning_no_sanity:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check if all installed kernels are compliant" id="oval:ssg-test_all_kernels_config_page_poisoning_no_sanity_compliant:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_var_kernel_config_page_poisoning_no_sanity_count:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_var_kernel_config_page_poisoning_no_sanity:ste:1"/>
-        </ind:variable_test>
-        <ind:textfilecontent54_test check="all" comment="Check /boot/config-.* files for CONFIG_PAGE_POISONING_ZERO=y" id="oval:ssg-test_kernel_config_page_poisoning_zero:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_kernel_config_page_poisoning_zero:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_kernel_config_page_poisoning_zero:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check if all installed kernels are compliant" id="oval:ssg-test_all_kernels_config_page_poisoning_zero_compliant:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_var_kernel_config_page_poisoning_zero_count:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_var_kernel_config_page_poisoning_zero:ste:1"/>
-        </ind:variable_test>
-        <ind:textfilecontent54_test check="all" comment="Check /boot/config-.* files for CONFIG_PAGE_TABLE_ISOLATION=y" id="oval:ssg-test_kernel_config_page_table_isolation:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_kernel_config_page_table_isolation:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_kernel_config_page_table_isolation:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check if all installed kernels are compliant" id="oval:ssg-test_all_kernels_config_page_table_isolation_compliant:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_var_kernel_config_page_table_isolation_count:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_var_kernel_config_page_table_isolation:ste:1"/>
-        </ind:variable_test>
-        <ind:textfilecontent54_test check="all" comment="Check /boot/config-.* files for CONFIG_PANIC_ON_OOPS=y" id="oval:ssg-test_kernel_config_panic_on_oops:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_kernel_config_panic_on_oops:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_kernel_config_panic_on_oops:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check if all installed kernels are compliant" id="oval:ssg-test_all_kernels_config_panic_on_oops_compliant:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_var_kernel_config_panic_on_oops_count:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_var_kernel_config_panic_on_oops:ste:1"/>
-        </ind:variable_test>
-        <ind:textfilecontent54_test check="all" comment="Check /boot/config-.* files for CONFIG_PANIC_TIMEOUT according to var_kernel_config_panic_timeout" id="oval:ssg-test_kernel_config_panic_timeout:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_kernel_config_panic_timeout:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_kernel_config_panic_timeout:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check if all installed kernels are compliant" id="oval:ssg-test_all_kernels_config_panic_timeout_compliant:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_var_kernel_config_panic_timeout_count:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_var_kernel_config_panic_timeout:ste:1"/>
-        </ind:variable_test>
-        <ind:textfilecontent54_test check="all" comment="Check /boot/config-.* files for CONFIG_PROC_KCORE=n" id="oval:ssg-test_kernel_config_proc_kcore:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_kernel_config_proc_kcore:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_kernel_config_proc_kcore:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="Check /boot/config-.* files for absence of CONFIG_PROC_KCORE" id="oval:ssg-test_kernel_config_proc_kcore_absence:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_kernel_config_proc_kcore:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check if all installed kernels are compliant" id="oval:ssg-test_all_kernels_config_proc_kcore_compliant:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_var_kernel_config_proc_kcore_count:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_var_kernel_config_proc_kcore:ste:1"/>
-        </ind:variable_test>
-        <ind:textfilecontent54_test check="all" comment="Check /boot/config-.* files for CONFIG_RANDOMIZE_BASE=y" id="oval:ssg-test_kernel_config_randomize_base:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_kernel_config_randomize_base:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_kernel_config_randomize_base:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check if all installed kernels are compliant" id="oval:ssg-test_all_kernels_config_randomize_base_compliant:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_var_kernel_config_randomize_base_count:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_var_kernel_config_randomize_base:ste:1"/>
-        </ind:variable_test>
-        <ind:textfilecontent54_test check="all" comment="Check /boot/config-.* files for CONFIG_RANDOMIZE_MEMORY=y" id="oval:ssg-test_kernel_config_randomize_memory:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_kernel_config_randomize_memory:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_kernel_config_randomize_memory:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check if all installed kernels are compliant" id="oval:ssg-test_all_kernels_config_randomize_memory_compliant:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_var_kernel_config_randomize_memory_count:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_var_kernel_config_randomize_memory:ste:1"/>
-        </ind:variable_test>
-        <ind:textfilecontent54_test check="all" comment="Check /boot/config-.* files for CONFIG_RETPOLINE=y" id="oval:ssg-test_kernel_config_retpoline:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_kernel_config_retpoline:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_kernel_config_retpoline:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check if all installed kernels are compliant" id="oval:ssg-test_all_kernels_config_retpoline_compliant:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_var_kernel_config_retpoline_count:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_var_kernel_config_retpoline:ste:1"/>
-        </ind:variable_test>
-        <ind:textfilecontent54_test check="all" comment="Check /boot/config-.* files for CONFIG_SECCOMP=y" id="oval:ssg-test_kernel_config_seccomp:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_kernel_config_seccomp:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_kernel_config_seccomp:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check if all installed kernels are compliant" id="oval:ssg-test_all_kernels_config_seccomp_compliant:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_var_kernel_config_seccomp_count:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_var_kernel_config_seccomp:ste:1"/>
-        </ind:variable_test>
-        <ind:textfilecontent54_test check="all" comment="Check /boot/config-.* files for CONFIG_SECCOMP_FILTER=y" id="oval:ssg-test_kernel_config_seccomp_filter:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_kernel_config_seccomp_filter:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_kernel_config_seccomp_filter:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check if all installed kernels are compliant" id="oval:ssg-test_all_kernels_config_seccomp_filter_compliant:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_var_kernel_config_seccomp_filter_count:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_var_kernel_config_seccomp_filter:ste:1"/>
-        </ind:variable_test>
-        <ind:textfilecontent54_test check="all" comment="Check /boot/config-.* files for CONFIG_SECURITY=y" id="oval:ssg-test_kernel_config_security:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_kernel_config_security:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_kernel_config_security:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check if all installed kernels are compliant" id="oval:ssg-test_all_kernels_config_security_compliant:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_var_kernel_config_security_count:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_var_kernel_config_security:ste:1"/>
-        </ind:variable_test>
-        <ind:textfilecontent54_test check="all" comment="Check /boot/config-.* files for CONFIG_SECURITY_DMESG_RESTRICT=n" id="oval:ssg-test_kernel_config_security_dmesg_restrict:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_kernel_config_security_dmesg_restrict:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_kernel_config_security_dmesg_restrict:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="Check /boot/config-.* files for absence of CONFIG_SECURITY_DMESG_RESTRICT" id="oval:ssg-test_kernel_config_security_dmesg_restrict_absence:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_kernel_config_security_dmesg_restrict:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check if all installed kernels are compliant" id="oval:ssg-test_all_kernels_config_security_dmesg_restrict_compliant:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_var_kernel_config_security_dmesg_restrict_count:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_var_kernel_config_security_dmesg_restrict:ste:1"/>
-        </ind:variable_test>
-        <ind:textfilecontent54_test check="all" comment="Check /boot/config-.* files for CONFIG_SECURITY_WRITABLE_HOOKS=y" id="oval:ssg-test_kernel_config_security_writable_hooks:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_kernel_config_security_writable_hooks:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_kernel_config_security_writable_hooks:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check if all installed kernels are compliant" id="oval:ssg-test_all_kernels_config_security_writable_hooks_compliant:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_var_kernel_config_security_writable_hooks_count:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_var_kernel_config_security_writable_hooks:ste:1"/>
-        </ind:variable_test>
-        <ind:textfilecontent54_test check="all" comment="Check /boot/config-.* files for CONFIG_SECURITY_YAMA=y" id="oval:ssg-test_kernel_config_security_yama:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_kernel_config_security_yama:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_kernel_config_security_yama:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check if all installed kernels are compliant" id="oval:ssg-test_all_kernels_config_security_yama_compliant:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_var_kernel_config_security_yama_count:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_var_kernel_config_security_yama:ste:1"/>
-        </ind:variable_test>
-        <ind:textfilecontent54_test check="all" comment="Check /boot/config-.* files for CONFIG_SLUB_DEBUG=y" id="oval:ssg-test_kernel_config_slub_debug:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_kernel_config_slub_debug:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_kernel_config_slub_debug:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check if all installed kernels are compliant" id="oval:ssg-test_all_kernels_config_slub_debug_compliant:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_var_kernel_config_slub_debug_count:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_var_kernel_config_slub_debug:ste:1"/>
-        </ind:variable_test>
-        <ind:textfilecontent54_test check="all" comment="Check /boot/config-.* files for CONFIG_SYN_COOKIES=y" id="oval:ssg-test_kernel_config_syn_cookies:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_kernel_config_syn_cookies:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_kernel_config_syn_cookies:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check if all installed kernels are compliant" id="oval:ssg-test_all_kernels_config_syn_cookies_compliant:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_var_kernel_config_syn_cookies_count:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_var_kernel_config_syn_cookies:ste:1"/>
-        </ind:variable_test>
-        <ind:textfilecontent54_test check="all" comment="Check /boot/config-.* files for CONFIG_UNMAP_KERNEL_AT_EL0=y" id="oval:ssg-test_kernel_config_unmap_kernel_at_el0:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_kernel_config_unmap_kernel_at_el0:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_kernel_config_unmap_kernel_at_el0:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check if all installed kernels are compliant" id="oval:ssg-test_all_kernels_config_unmap_kernel_at_el0_compliant:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_var_kernel_config_unmap_kernel_at_el0_count:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_var_kernel_config_unmap_kernel_at_el0:ste:1"/>
-        </ind:variable_test>
-        <ind:textfilecontent54_test check="all" comment="Check /boot/config-.* files for CONFIG_X86_VSYSCALL_EMULATION=n" id="oval:ssg-test_kernel_config_x86_vsyscall_emulation:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_kernel_config_x86_vsyscall_emulation:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_kernel_config_x86_vsyscall_emulation:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="none_exist" comment="Check /boot/config-.* files for absence of CONFIG_X86_VSYSCALL_EMULATION" id="oval:ssg-test_kernel_config_x86_vsyscall_emulation_absence:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_kernel_config_x86_vsyscall_emulation:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check if all installed kernels are compliant" id="oval:ssg-test_all_kernels_config_x86_vsyscall_emulation_compliant:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_var_kernel_config_x86_vsyscall_emulation_count:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_var_kernel_config_x86_vsyscall_emulation:ste:1"/>
-        </ind:variable_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_kernmod_atm_disabled:tst:1" version="1" check="all" comment="kernel module atm disabled">
-          <ind:object object_ref="oval:ssg-obj_kernmod_atm_disabled:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_kernmod_atm_blacklisted:tst:1" version="1" check="all" comment="kernel module atm blacklisted">
-          <ind:object object_ref="oval:ssg-obj_kernmod_atm_blacklisted:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_kernmod_atm_modprobeconf:tst:1" version="1" check="all" comment="kernel module atm disabled in /etc/modprobe.conf">
-          <ind:object object_ref="oval:ssg-obj_kernmod_atm_modprobeconf:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_kernmod_bluetooth_disabled:tst:1" version="1" check="all" comment="kernel module bluetooth disabled">
-          <ind:object object_ref="oval:ssg-obj_kernmod_bluetooth_disabled:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_kernmod_bluetooth_blacklisted:tst:1" version="1" check="all" comment="kernel module bluetooth blacklisted">
-          <ind:object object_ref="oval:ssg-obj_kernmod_bluetooth_blacklisted:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_kernmod_bluetooth_modprobeconf:tst:1" version="1" check="all" comment="kernel module bluetooth disabled in /etc/modprobe.conf">
-          <ind:object object_ref="oval:ssg-obj_kernmod_bluetooth_modprobeconf:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_kernmod_can_disabled:tst:1" version="1" check="all" comment="kernel module can disabled">
-          <ind:object object_ref="oval:ssg-obj_kernmod_can_disabled:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_kernmod_can_blacklisted:tst:1" version="1" check="all" comment="kernel module can blacklisted">
-          <ind:object object_ref="oval:ssg-obj_kernmod_can_blacklisted:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_kernmod_can_modprobeconf:tst:1" version="1" check="all" comment="kernel module can disabled in /etc/modprobe.conf">
-          <ind:object object_ref="oval:ssg-obj_kernmod_can_modprobeconf:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_kernmod_cfg80211_disabled:tst:1" version="1" check="all" comment="kernel module cfg80211 disabled">
-          <ind:object object_ref="oval:ssg-obj_kernmod_cfg80211_disabled:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_kernmod_cfg80211_blacklisted:tst:1" version="1" check="all" comment="kernel module cfg80211 blacklisted">
-          <ind:object object_ref="oval:ssg-obj_kernmod_cfg80211_blacklisted:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_kernmod_cfg80211_modprobeconf:tst:1" version="1" check="all" comment="kernel module cfg80211 disabled in /etc/modprobe.conf">
-          <ind:object object_ref="oval:ssg-obj_kernmod_cfg80211_modprobeconf:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_kernmod_cramfs_disabled:tst:1" version="1" check="all" comment="kernel module cramfs disabled">
-          <ind:object object_ref="oval:ssg-obj_kernmod_cramfs_disabled:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_kernmod_cramfs_blacklisted:tst:1" version="1" check="all" comment="kernel module cramfs blacklisted">
-          <ind:object object_ref="oval:ssg-obj_kernmod_cramfs_blacklisted:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_kernmod_cramfs_modprobeconf:tst:1" version="1" check="all" comment="kernel module cramfs disabled in /etc/modprobe.conf">
-          <ind:object object_ref="oval:ssg-obj_kernmod_cramfs_modprobeconf:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_kernmod_firewire-core_disabled:tst:1" version="1" check="all" comment="kernel module firewire-core disabled">
-          <ind:object object_ref="oval:ssg-obj_kernmod_firewire-core_disabled:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_kernmod_firewire-core_blacklisted:tst:1" version="1" check="all" comment="kernel module firewire-core blacklisted">
-          <ind:object object_ref="oval:ssg-obj_kernmod_firewire-core_blacklisted:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_kernmod_firewire-core_modprobeconf:tst:1" version="1" check="all" comment="kernel module firewire-core disabled in /etc/modprobe.conf">
-          <ind:object object_ref="oval:ssg-obj_kernmod_firewire-core_modprobeconf:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_kernmod_freevxfs_disabled:tst:1" version="1" check="all" comment="kernel module freevxfs disabled">
-          <ind:object object_ref="oval:ssg-obj_kernmod_freevxfs_disabled:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_kernmod_freevxfs_blacklisted:tst:1" version="1" check="all" comment="kernel module freevxfs blacklisted">
-          <ind:object object_ref="oval:ssg-obj_kernmod_freevxfs_blacklisted:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_kernmod_freevxfs_modprobeconf:tst:1" version="1" check="all" comment="kernel module freevxfs disabled in /etc/modprobe.conf">
-          <ind:object object_ref="oval:ssg-obj_kernmod_freevxfs_modprobeconf:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_kernmod_hfs_disabled:tst:1" version="1" check="all" comment="kernel module hfs disabled">
-          <ind:object object_ref="oval:ssg-obj_kernmod_hfs_disabled:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_kernmod_hfs_blacklisted:tst:1" version="1" check="all" comment="kernel module hfs blacklisted">
-          <ind:object object_ref="oval:ssg-obj_kernmod_hfs_blacklisted:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_kernmod_hfs_modprobeconf:tst:1" version="1" check="all" comment="kernel module hfs disabled in /etc/modprobe.conf">
-          <ind:object object_ref="oval:ssg-obj_kernmod_hfs_modprobeconf:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_kernmod_hfsplus_disabled:tst:1" version="1" check="all" comment="kernel module hfsplus disabled">
-          <ind:object object_ref="oval:ssg-obj_kernmod_hfsplus_disabled:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_kernmod_hfsplus_blacklisted:tst:1" version="1" check="all" comment="kernel module hfsplus blacklisted">
-          <ind:object object_ref="oval:ssg-obj_kernmod_hfsplus_blacklisted:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_kernmod_hfsplus_modprobeconf:tst:1" version="1" check="all" comment="kernel module hfsplus disabled in /etc/modprobe.conf">
-          <ind:object object_ref="oval:ssg-obj_kernmod_hfsplus_modprobeconf:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_kernmod_iwlmvm_disabled:tst:1" version="1" check="all" comment="kernel module iwlmvm disabled">
-          <ind:object object_ref="oval:ssg-obj_kernmod_iwlmvm_disabled:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_kernmod_iwlmvm_blacklisted:tst:1" version="1" check="all" comment="kernel module iwlmvm blacklisted">
-          <ind:object object_ref="oval:ssg-obj_kernmod_iwlmvm_blacklisted:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_kernmod_iwlmvm_modprobeconf:tst:1" version="1" check="all" comment="kernel module iwlmvm disabled in /etc/modprobe.conf">
-          <ind:object object_ref="oval:ssg-obj_kernmod_iwlmvm_modprobeconf:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_kernmod_iwlwifi_disabled:tst:1" version="1" check="all" comment="kernel module iwlwifi disabled">
-          <ind:object object_ref="oval:ssg-obj_kernmod_iwlwifi_disabled:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_kernmod_iwlwifi_blacklisted:tst:1" version="1" check="all" comment="kernel module iwlwifi blacklisted">
-          <ind:object object_ref="oval:ssg-obj_kernmod_iwlwifi_blacklisted:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_kernmod_iwlwifi_modprobeconf:tst:1" version="1" check="all" comment="kernel module iwlwifi disabled in /etc/modprobe.conf">
-          <ind:object object_ref="oval:ssg-obj_kernmod_iwlwifi_modprobeconf:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_kernmod_jffs2_disabled:tst:1" version="1" check="all" comment="kernel module jffs2 disabled">
-          <ind:object object_ref="oval:ssg-obj_kernmod_jffs2_disabled:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_kernmod_jffs2_blacklisted:tst:1" version="1" check="all" comment="kernel module jffs2 blacklisted">
-          <ind:object object_ref="oval:ssg-obj_kernmod_jffs2_blacklisted:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_kernmod_jffs2_modprobeconf:tst:1" version="1" check="all" comment="kernel module jffs2 disabled in /etc/modprobe.conf">
-          <ind:object object_ref="oval:ssg-obj_kernmod_jffs2_modprobeconf:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_kernmod_mac80211_disabled:tst:1" version="1" check="all" comment="kernel module mac80211 disabled">
-          <ind:object object_ref="oval:ssg-obj_kernmod_mac80211_disabled:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_kernmod_mac80211_blacklisted:tst:1" version="1" check="all" comment="kernel module mac80211 blacklisted">
-          <ind:object object_ref="oval:ssg-obj_kernmod_mac80211_blacklisted:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_kernmod_mac80211_modprobeconf:tst:1" version="1" check="all" comment="kernel module mac80211 disabled in /etc/modprobe.conf">
-          <ind:object object_ref="oval:ssg-obj_kernmod_mac80211_modprobeconf:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_kernmod_rds_disabled:tst:1" version="1" check="all" comment="kernel module rds disabled">
-          <ind:object object_ref="oval:ssg-obj_kernmod_rds_disabled:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_kernmod_rds_blacklisted:tst:1" version="1" check="all" comment="kernel module rds blacklisted">
-          <ind:object object_ref="oval:ssg-obj_kernmod_rds_blacklisted:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_kernmod_rds_modprobeconf:tst:1" version="1" check="all" comment="kernel module rds disabled in /etc/modprobe.conf">
-          <ind:object object_ref="oval:ssg-obj_kernmod_rds_modprobeconf:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_kernmod_sctp_disabled:tst:1" version="1" check="all" comment="kernel module sctp disabled">
-          <ind:object object_ref="oval:ssg-obj_kernmod_sctp_disabled:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_kernmod_sctp_blacklisted:tst:1" version="1" check="all" comment="kernel module sctp blacklisted">
-          <ind:object object_ref="oval:ssg-obj_kernmod_sctp_blacklisted:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_kernmod_sctp_modprobeconf:tst:1" version="1" check="all" comment="kernel module sctp disabled in /etc/modprobe.conf">
-          <ind:object object_ref="oval:ssg-obj_kernmod_sctp_modprobeconf:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_kernmod_squashfs_disabled:tst:1" version="1" check="all" comment="kernel module squashfs disabled">
-          <ind:object object_ref="oval:ssg-obj_kernmod_squashfs_disabled:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_kernmod_squashfs_blacklisted:tst:1" version="1" check="all" comment="kernel module squashfs blacklisted">
-          <ind:object object_ref="oval:ssg-obj_kernmod_squashfs_blacklisted:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_kernmod_squashfs_modprobeconf:tst:1" version="1" check="all" comment="kernel module squashfs disabled in /etc/modprobe.conf">
-          <ind:object object_ref="oval:ssg-obj_kernmod_squashfs_modprobeconf:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_kernmod_tipc_disabled:tst:1" version="1" check="all" comment="kernel module tipc disabled">
-          <ind:object object_ref="oval:ssg-obj_kernmod_tipc_disabled:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_kernmod_tipc_blacklisted:tst:1" version="1" check="all" comment="kernel module tipc blacklisted">
-          <ind:object object_ref="oval:ssg-obj_kernmod_tipc_blacklisted:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_kernmod_tipc_modprobeconf:tst:1" version="1" check="all" comment="kernel module tipc disabled in /etc/modprobe.conf">
-          <ind:object object_ref="oval:ssg-obj_kernmod_tipc_modprobeconf:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_kernmod_udf_disabled:tst:1" version="1" check="all" comment="kernel module udf disabled">
-          <ind:object object_ref="oval:ssg-obj_kernmod_udf_disabled:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_kernmod_udf_blacklisted:tst:1" version="1" check="all" comment="kernel module udf blacklisted">
-          <ind:object object_ref="oval:ssg-obj_kernmod_udf_blacklisted:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_kernmod_udf_modprobeconf:tst:1" version="1" check="all" comment="kernel module udf disabled in /etc/modprobe.conf">
-          <ind:object object_ref="oval:ssg-obj_kernmod_udf_modprobeconf:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_kernmod_usb-storage_disabled:tst:1" version="1" check="all" comment="kernel module usb-storage disabled">
-          <ind:object object_ref="oval:ssg-obj_kernmod_usb-storage_disabled:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_kernmod_usb-storage_blacklisted:tst:1" version="1" check="all" comment="kernel module usb-storage blacklisted">
-          <ind:object object_ref="oval:ssg-obj_kernmod_usb-storage_blacklisted:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_kernmod_usb-storage_modprobeconf:tst:1" version="1" check="all" comment="kernel module usb-storage disabled in /etc/modprobe.conf">
-          <ind:object object_ref="oval:ssg-obj_kernmod_usb-storage_modprobeconf:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_kernmod_uvcvideo_disabled:tst:1" version="1" check="all" comment="kernel module uvcvideo disabled">
-          <ind:object object_ref="oval:ssg-obj_kernmod_uvcvideo_disabled:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_kernmod_uvcvideo_blacklisted:tst:1" version="1" check="all" comment="kernel module uvcvideo blacklisted">
-          <ind:object object_ref="oval:ssg-obj_kernmod_uvcvideo_blacklisted:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_kernmod_uvcvideo_modprobeconf:tst:1" version="1" check="all" comment="kernel module uvcvideo disabled in /etc/modprobe.conf">
-          <ind:object object_ref="oval:ssg-obj_kernmod_uvcvideo_modprobeconf:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_kernmod_vfat_disabled:tst:1" version="1" check="all" comment="kernel module vfat disabled">
-          <ind:object object_ref="oval:ssg-obj_kernmod_vfat_disabled:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_kernmod_vfat_blacklisted:tst:1" version="1" check="all" comment="kernel module vfat blacklisted">
-          <ind:object object_ref="oval:ssg-obj_kernmod_vfat_blacklisted:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_kernmod_vfat_modprobeconf:tst:1" version="1" check="all" comment="kernel module vfat disabled in /etc/modprobe.conf">
-          <ind:object object_ref="oval:ssg-obj_kernmod_vfat_modprobeconf:obj:1"/>
-        </ind:textfilecontent54_test>
-        <linux:partition_test check="all" check_existence="all_exist" version="2" comment="nodev on /boot optional yes" id="oval:ssg-test_boot_partition_nodev_optional_yes:tst:1">
-          <linux:object object_ref="oval:ssg-object_boot_partition_nodev_optional_yes:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_boot_partition_nodev_optional_yes:ste:1"/>
-        </linux:partition_test>
-        <linux:partition_test check="all" check_existence="all_exist" version="2" comment="nosuid on /boot optional yes" id="oval:ssg-test_boot_partition_nosuid_optional_yes:tst:1">
-          <linux:object object_ref="oval:ssg-object_boot_partition_nosuid_optional_yes:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_boot_partition_nosuid_optional_yes:ste:1"/>
-        </linux:partition_test>
-        <linux:partition_test check="all" check_existence="all_exist" version="2" comment="nodev on /dev/shm optional no" id="oval:ssg-test_dev_shm_partition_nodev_optional_no:tst:1">
-          <linux:object object_ref="oval:ssg-object_dev_shm_partition_nodev_optional_no:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_dev_shm_partition_nodev_optional_no:ste:1"/>
-        </linux:partition_test>
-        <linux:partition_test check="all" check_existence="all_exist" version="1" comment="/dev/shm exists" id="oval:ssg-test_dev_shm_no_partition_nodev_optional_no:tst:1">
-          <linux:object object_ref="oval:ssg-object_dev_shm_partition_nodev_optional_no:obj:1"/>
-        </linux:partition_test>
-        <linux:partition_test check="all" check_existence="all_exist" version="2" comment="noexec on /dev/shm optional no" id="oval:ssg-test_dev_shm_partition_noexec_optional_no:tst:1">
-          <linux:object object_ref="oval:ssg-object_dev_shm_partition_noexec_optional_no:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_dev_shm_partition_noexec_optional_no:ste:1"/>
-        </linux:partition_test>
-        <linux:partition_test check="all" check_existence="all_exist" version="1" comment="/dev/shm exists" id="oval:ssg-test_dev_shm_no_partition_noexec_optional_no:tst:1">
-          <linux:object object_ref="oval:ssg-object_dev_shm_partition_noexec_optional_no:obj:1"/>
-        </linux:partition_test>
-        <linux:partition_test check="all" check_existence="all_exist" version="2" comment="nosuid on /dev/shm optional no" id="oval:ssg-test_dev_shm_partition_nosuid_optional_no:tst:1">
-          <linux:object object_ref="oval:ssg-object_dev_shm_partition_nosuid_optional_no:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_dev_shm_partition_nosuid_optional_no:ste:1"/>
-        </linux:partition_test>
-        <linux:partition_test check="all" check_existence="all_exist" version="1" comment="/dev/shm exists" id="oval:ssg-test_dev_shm_no_partition_nosuid_optional_no:tst:1">
-          <linux:object object_ref="oval:ssg-object_dev_shm_partition_nosuid_optional_no:obj:1"/>
-        </linux:partition_test>
-        <linux:partition_test check="all" check_existence="all_exist" version="2" comment="nodev on /home optional yes" id="oval:ssg-test_home_partition_nodev_optional_yes:tst:1">
-          <linux:object object_ref="oval:ssg-object_home_partition_nodev_optional_yes:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_home_partition_nodev_optional_yes:ste:1"/>
-        </linux:partition_test>
-        <linux:partition_test check="all" check_existence="all_exist" version="2" comment="nosuid on /home optional yes" id="oval:ssg-test_home_partition_nosuid_optional_yes:tst:1">
-          <linux:object object_ref="oval:ssg-object_home_partition_nosuid_optional_yes:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_home_partition_nosuid_optional_yes:ste:1"/>
-        </linux:partition_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_nodev_etc_fstab_cd_dvd_drive:tst:1" check_existence="any_exist" check="all" comment="'nodev' mount option used for at least one CD / DVD drive alternative names in /etc/fstab" version="1">
-          <ind:object object_ref="oval:ssg-object_nodev_etc_fstab_cd_dvd_drive:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_nodev_etc_fstab_cd_dvd_drive:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_nodev_etc_fstab_not_cd_dvd_drive:tst:1" check="at least one" check_existence="all_exist" comment="Check if removable partition is configured with 'nodev' mount option in /etc/fstab" version="1">
-          <ind:object object_ref="oval:ssg-object_nodev_etc_fstab_not_cd_dvd_drive:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_nodev_etc_fstab_not_cd_dvd_drive:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_noexec_etc_fstab_cd_dvd_drive:tst:1" check_existence="any_exist" check="all" comment="'noexec' mount option used for at least one CD / DVD drive alternative names in /etc/fstab" version="1">
-          <ind:object object_ref="oval:ssg-object_noexec_etc_fstab_cd_dvd_drive:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_noexec_etc_fstab_cd_dvd_drive:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_noexec_etc_fstab_not_cd_dvd_drive:tst:1" check="at least one" check_existence="all_exist" comment="Check if removable partition is configured with 'noexec' mount option in /etc/fstab" version="1">
-          <ind:object object_ref="oval:ssg-object_noexec_etc_fstab_not_cd_dvd_drive:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_noexec_etc_fstab_not_cd_dvd_drive:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_nosuid_etc_fstab_cd_dvd_drive:tst:1" check_existence="any_exist" check="all" comment="'nosuid' mount option used for at least one CD / DVD drive alternative names in /etc/fstab" version="1">
-          <ind:object object_ref="oval:ssg-object_nosuid_etc_fstab_cd_dvd_drive:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_nosuid_etc_fstab_cd_dvd_drive:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_nosuid_etc_fstab_not_cd_dvd_drive:tst:1" check="at least one" check_existence="all_exist" comment="Check if removable partition is configured with 'nosuid' mount option in /etc/fstab" version="1">
-          <ind:object object_ref="oval:ssg-object_nosuid_etc_fstab_not_cd_dvd_drive:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_nosuid_etc_fstab_not_cd_dvd_drive:ste:1"/>
-        </ind:textfilecontent54_test>
-        <linux:partition_test check="all" check_existence="all_exist" version="2" comment="nodev on /tmp optional yes" id="oval:ssg-test_tmp_partition_nodev_optional_yes:tst:1">
-          <linux:object object_ref="oval:ssg-object_tmp_partition_nodev_optional_yes:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_tmp_partition_nodev_optional_yes:ste:1"/>
-        </linux:partition_test>
-        <linux:partition_test check="all" check_existence="all_exist" version="2" comment="noexec on /tmp optional yes" id="oval:ssg-test_tmp_partition_noexec_optional_yes:tst:1">
-          <linux:object object_ref="oval:ssg-object_tmp_partition_noexec_optional_yes:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_tmp_partition_noexec_optional_yes:ste:1"/>
-        </linux:partition_test>
-        <linux:partition_test check="all" check_existence="all_exist" version="2" comment="nosuid on /tmp optional yes" id="oval:ssg-test_tmp_partition_nosuid_optional_yes:tst:1">
-          <linux:object object_ref="oval:ssg-object_tmp_partition_nosuid_optional_yes:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_tmp_partition_nosuid_optional_yes:ste:1"/>
-        </linux:partition_test>
-        <linux:partition_test check="all" check_existence="all_exist" version="2" comment="nodev on /var/log/audit optional yes" id="oval:ssg-test_var_log_audit_partition_nodev_optional_yes:tst:1">
-          <linux:object object_ref="oval:ssg-object_var_log_audit_partition_nodev_optional_yes:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_var_log_audit_partition_nodev_optional_yes:ste:1"/>
-        </linux:partition_test>
-        <linux:partition_test check="all" check_existence="all_exist" version="2" comment="noexec on /var/log/audit optional yes" id="oval:ssg-test_var_log_audit_partition_noexec_optional_yes:tst:1">
-          <linux:object object_ref="oval:ssg-object_var_log_audit_partition_noexec_optional_yes:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_var_log_audit_partition_noexec_optional_yes:ste:1"/>
-        </linux:partition_test>
-        <linux:partition_test check="all" check_existence="all_exist" version="2" comment="nosuid on /var/log/audit optional yes" id="oval:ssg-test_var_log_audit_partition_nosuid_optional_yes:tst:1">
-          <linux:object object_ref="oval:ssg-object_var_log_audit_partition_nosuid_optional_yes:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_var_log_audit_partition_nosuid_optional_yes:ste:1"/>
-        </linux:partition_test>
-        <linux:partition_test check="all" check_existence="all_exist" version="2" comment="nodev on /var/log optional yes" id="oval:ssg-test_var_log_partition_nodev_optional_yes:tst:1">
-          <linux:object object_ref="oval:ssg-object_var_log_partition_nodev_optional_yes:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_var_log_partition_nodev_optional_yes:ste:1"/>
-        </linux:partition_test>
-        <linux:partition_test check="all" check_existence="all_exist" version="2" comment="noexec on /var/log optional yes" id="oval:ssg-test_var_log_partition_noexec_optional_yes:tst:1">
-          <linux:object object_ref="oval:ssg-object_var_log_partition_noexec_optional_yes:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_var_log_partition_noexec_optional_yes:ste:1"/>
-        </linux:partition_test>
-        <linux:partition_test check="all" check_existence="all_exist" version="2" comment="nosuid on /var/log optional yes" id="oval:ssg-test_var_log_partition_nosuid_optional_yes:tst:1">
-          <linux:object object_ref="oval:ssg-object_var_log_partition_nosuid_optional_yes:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_var_log_partition_nosuid_optional_yes:ste:1"/>
-        </linux:partition_test>
-        <linux:partition_test check="all" check_existence="all_exist" version="2" comment="nodev on /var optional yes" id="oval:ssg-test_var_partition_nodev_optional_yes:tst:1">
-          <linux:object object_ref="oval:ssg-object_var_partition_nodev_optional_yes:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_var_partition_nodev_optional_yes:ste:1"/>
-        </linux:partition_test>
-        <linux:partition_test check="all" check_existence="all_exist" version="2" comment="nosuid on /var optional yes" id="oval:ssg-test_var_partition_nosuid_optional_yes:tst:1">
-          <linux:object object_ref="oval:ssg-object_var_partition_nosuid_optional_yes:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_var_partition_nosuid_optional_yes:ste:1"/>
-        </linux:partition_test>
-        <linux:partition_test check="all" check_existence="all_exist" version="2" comment="nodev on /var/tmp optional yes" id="oval:ssg-test_var_tmp_partition_nodev_optional_yes:tst:1">
-          <linux:object object_ref="oval:ssg-object_var_tmp_partition_nodev_optional_yes:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_var_tmp_partition_nodev_optional_yes:ste:1"/>
-        </linux:partition_test>
-        <linux:partition_test check="all" check_existence="all_exist" version="2" comment="noexec on /var/tmp optional yes" id="oval:ssg-test_var_tmp_partition_noexec_optional_yes:tst:1">
-          <linux:object object_ref="oval:ssg-object_var_tmp_partition_noexec_optional_yes:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_var_tmp_partition_noexec_optional_yes:ste:1"/>
-        </linux:partition_test>
-        <linux:partition_test check="all" check_existence="all_exist" version="2" comment="nosuid on /var/tmp optional yes" id="oval:ssg-test_var_tmp_partition_nosuid_optional_yes:tst:1">
-          <linux:object object_ref="oval:ssg-object_var_tmp_partition_nosuid_optional_yes:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_var_tmp_partition_nosuid_optional_yes:ste:1"/>
-        </linux:partition_test>
-        <linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg-test_package_GConf2_installed:tst:1" version="1" comment="package GConf2 is installed">
-          <linux:object object_ref="oval:ssg-obj_test_package_GConf2_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg-test_package_MFEhiplsm_installed:tst:1" version="1" comment="package MFEhiplsm is installed">
-          <linux:object object_ref="oval:ssg-obj_test_package_MFEhiplsm_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg-test_package_aide_installed:tst:1" version="1" comment="package aide is installed">
-          <linux:object object_ref="oval:ssg-obj_test_package_aide_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg-test_package_audispd-plugins_installed:tst:1" version="1" comment="package audispd-plugins is installed">
-          <linux:object object_ref="oval:ssg-obj_test_package_audispd-plugins_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg-test_package_audit-audispd-plugins_installed:tst:1" version="1" comment="package audit-audispd-plugins is installed">
-          <linux:object object_ref="oval:ssg-obj_test_package_audit-audispd-plugins_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg-test_package_audit_installed:tst:1" version="1" comment="package audit is installed">
-          <linux:object object_ref="oval:ssg-obj_test_package_audit_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg-test_package_avahi_installed:tst:1" version="1" comment="package avahi is installed">
-          <linux:object object_ref="oval:ssg-obj_test_package_avahi_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="none_exist" id="oval:ssg-test_package_bind_removed:tst:1" version="1" comment="package bind is removed">
-          <linux:object object_ref="oval:ssg-obj_test_package_bind_removed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg-test_package_chrony_installed:tst:1" version="1" comment="package chrony is installed">
-          <linux:object object_ref="oval:ssg-obj_test_package_chrony_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg-test_package_cron_installed:tst:1" version="1" comment="package cron is installed">
-          <linux:object object_ref="oval:ssg-obj_test_package_cron_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg-test_package_dconf_installed:tst:1" version="1" comment="package dconf is installed">
-          <linux:object object_ref="oval:ssg-obj_test_package_dconf_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg-test_package_esc_installed:tst:1" version="1" comment="package esc is installed">
-          <linux:object object_ref="oval:ssg-obj_test_package_esc_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg-test_package_fapolicyd_installed:tst:1" version="1" comment="package fapolicyd is installed">
-          <linux:object object_ref="oval:ssg-obj_test_package_fapolicyd_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg-test_package_firewalld_installed:tst:1" version="1" comment="package firewalld is installed">
-          <linux:object object_ref="oval:ssg-obj_test_package_firewalld_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg-test_package_gdm_installed:tst:1" version="1" comment="package gdm is installed">
-          <linux:object object_ref="oval:ssg-obj_test_package_gdm_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg-test_package_gnutls-utils_installed:tst:1" version="1" comment="package gnutls-utils is installed">
-          <linux:object object_ref="oval:ssg-obj_test_package_gnutls-utils_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="none_exist" id="oval:ssg-test_package_inetutils-telnetd_removed:tst:1" version="1" comment="package inetutils-telnetd is removed">
-          <linux:object object_ref="oval:ssg-obj_test_package_inetutils-telnetd_removed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg-test_package_iptables_installed:tst:1" version="1" comment="package iptables is installed">
-          <linux:object object_ref="oval:ssg-obj_test_package_iptables_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg-test_package_libreswan_installed:tst:1" version="1" comment="package libreswan is installed">
-          <linux:object object_ref="oval:ssg-obj_test_package_libreswan_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg-test_package_libselinux_installed:tst:1" version="1" comment="package libselinux is installed">
-          <linux:object object_ref="oval:ssg-obj_test_package_libselinux_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="none_exist" id="oval:ssg-test_package_net-snmp_removed:tst:1" version="1" comment="package net-snmp is removed">
-          <linux:object object_ref="oval:ssg-obj_test_package_net-snmp_removed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="none_exist" id="oval:ssg-test_package_nis_removed:tst:1" version="1" comment="package nis is removed">
-          <linux:object object_ref="oval:ssg-obj_test_package_nis_removed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg-test_package_nss-tools_installed:tst:1" version="1" comment="package nss-tools is installed">
-          <linux:object object_ref="oval:ssg-obj_test_package_nss-tools_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg-test_package_ntp_installed:tst:1" version="1" comment="package ntp is installed">
-          <linux:object object_ref="oval:ssg-obj_test_package_ntp_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="none_exist" id="oval:ssg-test_package_ntpdate_removed:tst:1" version="1" comment="package ntpdate is removed">
-          <linux:object object_ref="oval:ssg-obj_test_package_ntpdate_removed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="none_exist" id="oval:ssg-test_package_openldap-clients_removed:tst:1" version="1" comment="package openldap-clients is removed">
-          <linux:object object_ref="oval:ssg-obj_test_package_openldap-clients_removed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg-test_package_openssh-server_installed:tst:1" version="1" comment="package openssh-server is installed">
-          <linux:object object_ref="oval:ssg-obj_test_package_openssh-server_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="none_exist" id="oval:ssg-test_package_openssh-server_removed:tst:1" version="1" comment="package openssh-server is removed">
-          <linux:object object_ref="oval:ssg-obj_test_package_openssh-server_removed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="none_exist" id="oval:ssg-test_package_pam_ldap_removed:tst:1" version="1" comment="package pam_ldap is removed">
-          <linux:object object_ref="oval:ssg-obj_test_package_pam_ldap_removed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg-test_package_postfix_installed:tst:1" version="1" comment="package postfix is installed">
-          <linux:object object_ref="oval:ssg-obj_test_package_postfix_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="none_exist" id="oval:ssg-test_package_prelink_removed:tst:1" version="1" comment="package prelink is removed">
-          <linux:object object_ref="oval:ssg-obj_test_package_prelink_removed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg-test_package_rsyslog_installed:tst:1" version="1" comment="package rsyslog is installed">
-          <linux:object object_ref="oval:ssg-obj_test_package_rsyslog_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg-test_package_samba-common_installed:tst:1" version="1" comment="package samba-common is installed">
-          <linux:object object_ref="oval:ssg-obj_test_package_samba-common_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="none_exist" id="oval:ssg-test_package_samba-common_removed:tst:1" version="1" comment="package samba-common is removed">
-          <linux:object object_ref="oval:ssg-obj_test_package_samba-common_removed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="none_exist" id="oval:ssg-test_package_sendmail_removed:tst:1" version="1" comment="package sendmail is removed">
-          <linux:object object_ref="oval:ssg-obj_test_package_sendmail_removed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="none_exist" id="oval:ssg-test_package_setroubleshoot-plugins_removed:tst:1" version="1" comment="package setroubleshoot-plugins is removed">
-          <linux:object object_ref="oval:ssg-obj_test_package_setroubleshoot-plugins_removed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="none_exist" id="oval:ssg-test_package_setroubleshoot-server_removed:tst:1" version="1" comment="package setroubleshoot-server is removed">
-          <linux:object object_ref="oval:ssg-obj_test_package_setroubleshoot-server_removed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg-test_package_sudo_installed:tst:1" version="1" comment="package sudo is installed">
-          <linux:object object_ref="oval:ssg-obj_test_package_sudo_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg-test_package_syslog-ng_installed:tst:1" version="1" comment="package syslog-ng is installed">
-          <linux:object object_ref="oval:ssg-obj_test_package_syslog-ng_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="none_exist" id="oval:ssg-test_package_telnetd-ssl_removed:tst:1" version="1" comment="package telnetd-ssl is removed">
-          <linux:object object_ref="oval:ssg-obj_test_package_telnetd-ssl_removed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="none_exist" id="oval:ssg-test_package_telnetd_removed:tst:1" version="1" comment="package telnetd is removed">
-          <linux:object object_ref="oval:ssg-obj_test_package_telnetd_removed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg-test_package_tmux_installed:tst:1" version="1" comment="package tmux is installed">
-          <linux:object object_ref="oval:ssg-obj_test_package_tmux_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg-test_package_usbguard_installed:tst:1" version="1" comment="package usbguard is installed">
-          <linux:object object_ref="oval:ssg-obj_test_package_usbguard_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:partition_test check="all" check_existence="all_exist" id="oval:ssg-testhome_partition:tst:1" version="1" comment="/home on own partition">
-          <linux:object object_ref="oval:ssg-object_mounthome_own_partition:obj:1"/>
-        </linux:partition_test>
-        <linux:partition_test check="all" check_existence="all_exist" id="oval:ssg-testsrv_partition:tst:1" version="1" comment="/srv on own partition">
-          <linux:object object_ref="oval:ssg-object_mountsrv_own_partition:obj:1"/>
-        </linux:partition_test>
-        <linux:partition_test check="all" check_existence="all_exist" id="oval:ssg-testtmp_partition:tst:1" version="1" comment="/tmp on own partition">
-          <linux:object object_ref="oval:ssg-object_mounttmp_own_partition:obj:1"/>
-        </linux:partition_test>
-        <linux:partition_test check="all" check_existence="all_exist" id="oval:ssg-testvar_partition:tst:1" version="1" comment="/var on own partition">
-          <linux:object object_ref="oval:ssg-object_mountvar_own_partition:obj:1"/>
-        </linux:partition_test>
-        <linux:partition_test check="all" check_existence="all_exist" id="oval:ssg-testvar_tmp_partition:tst:1" version="1" comment="/var/tmp on own partition">
-          <linux:object object_ref="oval:ssg-object_mountvar_tmp_own_partition:obj:1"/>
-        </linux:partition_test>
-        <linux:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_multi_user_wants_auditd:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-object_multi_user_target_for_auditd_enabled:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_systemd_auditd_on:ste:1"/>
-        </linux:systemdunitdependency_test>
-        <linux:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_multi_user_wants_auditd_socket:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-object_multi_user_target_for_auditd_socket_enabled:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_systemd_auditd_socket_on:ste:1"/>
-        </linux:systemdunitdependency_test>
-        <linux:systemdunitproperty_test id="oval:ssg-test_service_running_auditd:tst:1" check="at least one" check_existence="at_least_one_exists" comment="Test that the auditd service is running" version="1">
-          <linux:object object_ref="oval:ssg-obj_service_running_auditd:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_service_running_auditd:ste:1"/>
-        </linux:systemdunitproperty_test>
-        <linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg-test_service_auditd_package_audit_installed:tst:1" version="1" comment="package audit is installed">
-          <linux:object object_ref="oval:ssg-obj_test_service_auditd_package_audit_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:systemdunitproperty_test id="oval:ssg-test_service_not_running_autofs:tst:1" check="all" check_existence="any_exist" comment="Test that the autofs service is not running" version="1">
-          <linux:object object_ref="oval:ssg-obj_service_not_running_autofs:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_service_not_running_autofs:ste:1"/>
-        </linux:systemdunitproperty_test>
-        <linux:systemdunitproperty_test id="oval:ssg-test_service_loadstate_is_masked_autofs:tst:1" check="all" check_existence="any_exist" comment="Test that the property LoadState from the service autofs is masked" version="1">
-          <linux:object object_ref="oval:ssg-obj_service_loadstate_is_masked_autofs:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_service_loadstate_is_masked_autofs:ste:1"/>
-        </linux:systemdunitproperty_test>
-        <linux:rpminfo_test check="all" check_existence="none_exist" id="oval:ssg-test_service_autofs_package_autofs_removed:tst:1" version="1" comment="package autofs is removed">
-          <linux:object object_ref="oval:ssg-obj_test_service_autofs_package_autofs_removed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:systemdunitproperty_test id="oval:ssg-test_service_not_running_bluetooth:tst:1" check="all" check_existence="any_exist" comment="Test that the bluetooth service is not running" version="1">
-          <linux:object object_ref="oval:ssg-obj_service_not_running_bluetooth:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_service_not_running_bluetooth:ste:1"/>
-        </linux:systemdunitproperty_test>
-        <linux:systemdunitproperty_test id="oval:ssg-test_service_loadstate_is_masked_bluetooth:tst:1" check="all" check_existence="any_exist" comment="Test that the property LoadState from the service bluetooth is masked" version="1">
-          <linux:object object_ref="oval:ssg-obj_service_loadstate_is_masked_bluetooth:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_service_loadstate_is_masked_bluetooth:ste:1"/>
-        </linux:systemdunitproperty_test>
-        <linux:rpminfo_test check="all" check_existence="none_exist" id="oval:ssg-test_service_bluetooth_package_bluez_removed:tst:1" version="1" comment="package bluez is removed">
-          <linux:object object_ref="oval:ssg-obj_test_service_bluetooth_package_bluez_removed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_multi_user_wants_chronyd:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-object_multi_user_target_for_chronyd_enabled:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_systemd_chronyd_on:ste:1"/>
-        </linux:systemdunitdependency_test>
-        <linux:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_multi_user_wants_chronyd_socket:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-object_multi_user_target_for_chronyd_socket_enabled:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_systemd_chronyd_socket_on:ste:1"/>
-        </linux:systemdunitdependency_test>
-        <linux:systemdunitproperty_test id="oval:ssg-test_service_running_chronyd:tst:1" check="at least one" check_existence="at_least_one_exists" comment="Test that the chronyd service is running" version="1">
-          <linux:object object_ref="oval:ssg-obj_service_running_chronyd:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_service_running_chronyd:ste:1"/>
-        </linux:systemdunitproperty_test>
-        <linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg-test_service_chronyd_package_chrony_installed:tst:1" version="1" comment="package chrony is installed">
-          <linux:object object_ref="oval:ssg-obj_test_service_chronyd_package_chrony_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_multi_user_wants_cron:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-object_multi_user_target_for_cron_enabled:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_systemd_cron_on:ste:1"/>
-        </linux:systemdunitdependency_test>
-        <linux:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_multi_user_wants_cron_socket:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-object_multi_user_target_for_cron_socket_enabled:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_systemd_cron_socket_on:ste:1"/>
-        </linux:systemdunitdependency_test>
-        <linux:systemdunitproperty_test id="oval:ssg-test_service_running_cron:tst:1" check="at least one" check_existence="at_least_one_exists" comment="Test that the cron service is running" version="1">
-          <linux:object object_ref="oval:ssg-obj_service_running_cron:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_service_running_cron:ste:1"/>
-        </linux:systemdunitproperty_test>
-        <linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg-test_service_cron_package_cron_installed:tst:1" version="1" comment="package cron is installed">
-          <linux:object object_ref="oval:ssg-obj_test_service_cron_package_cron_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:systemdunitproperty_test id="oval:ssg-test_service_not_running_debug-shell:tst:1" check="all" check_existence="any_exist" comment="Test that the debug-shell service is not running" version="1">
-          <linux:object object_ref="oval:ssg-obj_service_not_running_debug-shell:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_service_not_running_debug-shell:ste:1"/>
-        </linux:systemdunitproperty_test>
-        <linux:systemdunitproperty_test id="oval:ssg-test_service_loadstate_is_masked_debug-shell:tst:1" check="all" check_existence="any_exist" comment="Test that the property LoadState from the service debug-shell is masked" version="1">
-          <linux:object object_ref="oval:ssg-obj_service_loadstate_is_masked_debug-shell:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_service_loadstate_is_masked_debug-shell:ste:1"/>
-        </linux:systemdunitproperty_test>
-        <linux:rpminfo_test check="all" check_existence="none_exist" id="oval:ssg-test_service_debug-shell_package_systemd_removed:tst:1" version="1" comment="package systemd is removed">
-          <linux:object object_ref="oval:ssg-obj_test_service_debug-shell_package_systemd_removed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_multi_user_wants_fapolicyd:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-object_multi_user_target_for_fapolicyd_enabled:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_systemd_fapolicyd_on:ste:1"/>
-        </linux:systemdunitdependency_test>
-        <linux:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_multi_user_wants_fapolicyd_socket:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-object_multi_user_target_for_fapolicyd_socket_enabled:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_systemd_fapolicyd_socket_on:ste:1"/>
-        </linux:systemdunitdependency_test>
-        <linux:systemdunitproperty_test id="oval:ssg-test_service_running_fapolicyd:tst:1" check="at least one" check_existence="at_least_one_exists" comment="Test that the fapolicyd service is running" version="1">
-          <linux:object object_ref="oval:ssg-obj_service_running_fapolicyd:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_service_running_fapolicyd:ste:1"/>
-        </linux:systemdunitproperty_test>
-        <linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg-test_service_fapolicyd_package_fapolicyd_installed:tst:1" version="1" comment="package fapolicyd is installed">
-          <linux:object object_ref="oval:ssg-obj_test_service_fapolicyd_package_fapolicyd_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_multi_user_wants_firewalld:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-object_multi_user_target_for_firewalld_enabled:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_systemd_firewalld_on:ste:1"/>
-        </linux:systemdunitdependency_test>
-        <linux:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_multi_user_wants_firewalld_socket:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-object_multi_user_target_for_firewalld_socket_enabled:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_systemd_firewalld_socket_on:ste:1"/>
-        </linux:systemdunitdependency_test>
-        <linux:systemdunitproperty_test id="oval:ssg-test_service_running_firewalld:tst:1" check="at least one" check_existence="at_least_one_exists" comment="Test that the firewalld service is running" version="1">
-          <linux:object object_ref="oval:ssg-obj_service_running_firewalld:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_service_running_firewalld:ste:1"/>
-        </linux:systemdunitproperty_test>
-        <linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg-test_service_firewalld_package_firewalld_installed:tst:1" version="1" comment="package firewalld is installed">
-          <linux:object object_ref="oval:ssg-obj_test_service_firewalld_package_firewalld_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_multi_user_wants_ip6tables:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-object_multi_user_target_for_ip6tables_enabled:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_systemd_ip6tables_on:ste:1"/>
-        </linux:systemdunitdependency_test>
-        <linux:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_multi_user_wants_ip6tables_socket:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-object_multi_user_target_for_ip6tables_socket_enabled:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_systemd_ip6tables_socket_on:ste:1"/>
-        </linux:systemdunitdependency_test>
-        <linux:systemdunitproperty_test id="oval:ssg-test_service_running_ip6tables:tst:1" check="at least one" check_existence="at_least_one_exists" comment="Test that the ip6tables service is running" version="1">
-          <linux:object object_ref="oval:ssg-obj_service_running_ip6tables:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_service_running_ip6tables:ste:1"/>
-        </linux:systemdunitproperty_test>
-        <linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg-test_service_ip6tables_package_iptables-ipv6_installed:tst:1" version="1" comment="package iptables-ipv6 is installed">
-          <linux:object object_ref="oval:ssg-obj_test_service_ip6tables_package_iptables-ipv6_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_multi_user_wants_iptables:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-object_multi_user_target_for_iptables_enabled:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_systemd_iptables_on:ste:1"/>
-        </linux:systemdunitdependency_test>
-        <linux:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_multi_user_wants_iptables_socket:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-object_multi_user_target_for_iptables_socket_enabled:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_systemd_iptables_socket_on:ste:1"/>
-        </linux:systemdunitdependency_test>
-        <linux:systemdunitproperty_test id="oval:ssg-test_service_running_iptables:tst:1" check="at least one" check_existence="at_least_one_exists" comment="Test that the iptables service is running" version="1">
-          <linux:object object_ref="oval:ssg-obj_service_running_iptables:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_service_running_iptables:ste:1"/>
-        </linux:systemdunitproperty_test>
-        <linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg-test_service_iptables_package_iptables_installed:tst:1" version="1" comment="package iptables is installed">
-          <linux:object object_ref="oval:ssg-obj_test_service_iptables_package_iptables_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:systemdunitproperty_test id="oval:ssg-test_service_not_running_netfs:tst:1" check="all" check_existence="any_exist" comment="Test that the netfs service is not running" version="1">
-          <linux:object object_ref="oval:ssg-obj_service_not_running_netfs:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_service_not_running_netfs:ste:1"/>
-        </linux:systemdunitproperty_test>
-        <linux:systemdunitproperty_test id="oval:ssg-test_service_loadstate_is_masked_netfs:tst:1" check="all" check_existence="any_exist" comment="Test that the property LoadState from the service netfs is masked" version="1">
-          <linux:object object_ref="oval:ssg-obj_service_loadstate_is_masked_netfs:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_service_loadstate_is_masked_netfs:ste:1"/>
-        </linux:systemdunitproperty_test>
-        <linux:rpminfo_test check="all" check_existence="none_exist" id="oval:ssg-test_service_netfs_package_netfs_removed:tst:1" version="1" comment="package netfs is removed">
-          <linux:object object_ref="oval:ssg-obj_test_service_netfs_package_netfs_removed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_multi_user_wants_ntp:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-object_multi_user_target_for_ntp_enabled:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_systemd_ntp_on:ste:1"/>
-        </linux:systemdunitdependency_test>
-        <linux:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_multi_user_wants_ntp_socket:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-object_multi_user_target_for_ntp_socket_enabled:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_systemd_ntp_socket_on:ste:1"/>
-        </linux:systemdunitdependency_test>
-        <linux:systemdunitproperty_test id="oval:ssg-test_service_running_ntp:tst:1" check="at least one" check_existence="at_least_one_exists" comment="Test that the ntp service is running" version="1">
-          <linux:object object_ref="oval:ssg-obj_service_running_ntp:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_service_running_ntp:ste:1"/>
-        </linux:systemdunitproperty_test>
-        <linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg-test_service_ntp_package_ntp_installed:tst:1" version="1" comment="package ntp is installed">
-          <linux:object object_ref="oval:ssg-obj_test_service_ntp_package_ntp_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_multi_user_wants_ntpd:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-object_multi_user_target_for_ntpd_enabled:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_systemd_ntpd_on:ste:1"/>
-        </linux:systemdunitdependency_test>
-        <linux:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_multi_user_wants_ntpd_socket:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-object_multi_user_target_for_ntpd_socket_enabled:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_systemd_ntpd_socket_on:ste:1"/>
-        </linux:systemdunitdependency_test>
-        <linux:systemdunitproperty_test id="oval:ssg-test_service_running_ntpd:tst:1" check="at least one" check_existence="at_least_one_exists" comment="Test that the ntpd service is running" version="1">
-          <linux:object object_ref="oval:ssg-obj_service_running_ntpd:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_service_running_ntpd:ste:1"/>
-        </linux:systemdunitproperty_test>
-        <linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg-test_service_ntpd_package_ntp_installed:tst:1" version="1" comment="package ntp is installed">
-          <linux:object object_ref="oval:ssg-obj_test_service_ntpd_package_ntp_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_multi_user_wants_rngd:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-object_multi_user_target_for_rngd_enabled:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_systemd_rngd_on:ste:1"/>
-        </linux:systemdunitdependency_test>
-        <linux:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_multi_user_wants_rngd_socket:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-object_multi_user_target_for_rngd_socket_enabled:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_systemd_rngd_socket_on:ste:1"/>
-        </linux:systemdunitdependency_test>
-        <linux:systemdunitproperty_test id="oval:ssg-test_service_running_rngd:tst:1" check="at least one" check_existence="at_least_one_exists" comment="Test that the rngd service is running" version="1">
-          <linux:object object_ref="oval:ssg-obj_service_running_rngd:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_service_running_rngd:ste:1"/>
-        </linux:systemdunitproperty_test>
-        <linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg-test_service_rngd_package_rng-tools_installed:tst:1" version="1" comment="package rng-tools is installed">
-          <linux:object object_ref="oval:ssg-obj_test_service_rngd_package_rng-tools_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_multi_user_wants_rsyslog:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-object_multi_user_target_for_rsyslog_enabled:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_systemd_rsyslog_on:ste:1"/>
-        </linux:systemdunitdependency_test>
-        <linux:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_multi_user_wants_rsyslog_socket:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-object_multi_user_target_for_rsyslog_socket_enabled:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_systemd_rsyslog_socket_on:ste:1"/>
-        </linux:systemdunitdependency_test>
-        <linux:systemdunitproperty_test id="oval:ssg-test_service_running_rsyslog:tst:1" check="at least one" check_existence="at_least_one_exists" comment="Test that the rsyslog service is running" version="1">
-          <linux:object object_ref="oval:ssg-obj_service_running_rsyslog:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_service_running_rsyslog:ste:1"/>
-        </linux:systemdunitproperty_test>
-        <linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg-test_service_rsyslog_package_rsyslog_installed:tst:1" version="1" comment="package rsyslog is installed">
-          <linux:object object_ref="oval:ssg-obj_test_service_rsyslog_package_rsyslog_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:systemdunitproperty_test id="oval:ssg-test_service_not_running_sshd:tst:1" check="all" check_existence="any_exist" comment="Test that the sshd service is not running" version="1">
-          <linux:object object_ref="oval:ssg-obj_service_not_running_sshd:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_service_not_running_sshd:ste:1"/>
-        </linux:systemdunitproperty_test>
-        <linux:systemdunitproperty_test id="oval:ssg-test_service_loadstate_is_masked_sshd:tst:1" check="all" check_existence="any_exist" comment="Test that the property LoadState from the service sshd is masked" version="1">
-          <linux:object object_ref="oval:ssg-obj_service_loadstate_is_masked_sshd:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_service_loadstate_is_masked_sshd:ste:1"/>
-        </linux:systemdunitproperty_test>
-        <linux:rpminfo_test check="all" check_existence="none_exist" id="oval:ssg-test_service_sshd_package_openssh-server_removed:tst:1" version="1" comment="package openssh-server is removed">
-          <linux:object object_ref="oval:ssg-obj_test_service_sshd_package_openssh-server_removed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:systemdunitproperty_test id="oval:ssg-test_service_not_running_syslog:tst:1" check="all" check_existence="any_exist" comment="Test that the syslog service is not running" version="1">
-          <linux:object object_ref="oval:ssg-obj_service_not_running_syslog:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_service_not_running_syslog:ste:1"/>
-        </linux:systemdunitproperty_test>
-        <linux:systemdunitproperty_test id="oval:ssg-test_service_loadstate_is_masked_syslog:tst:1" check="all" check_existence="any_exist" comment="Test that the property LoadState from the service syslog is masked" version="1">
-          <linux:object object_ref="oval:ssg-obj_service_loadstate_is_masked_syslog:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_service_loadstate_is_masked_syslog:ste:1"/>
-        </linux:systemdunitproperty_test>
-        <linux:rpminfo_test check="all" check_existence="none_exist" id="oval:ssg-test_service_syslog_package_rsyslog_removed:tst:1" version="1" comment="package rsyslog is removed">
-          <linux:object object_ref="oval:ssg-obj_test_service_syslog_package_rsyslog_removed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_multi_user_wants_syslog-ng:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-object_multi_user_target_for_syslog-ng_enabled:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_systemd_syslog-ng_on:ste:1"/>
-        </linux:systemdunitdependency_test>
-        <linux:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_multi_user_wants_syslog-ng_socket:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-object_multi_user_target_for_syslog-ng_socket_enabled:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_systemd_syslog-ng_socket_on:ste:1"/>
-        </linux:systemdunitdependency_test>
-        <linux:systemdunitproperty_test id="oval:ssg-test_service_running_syslog-ng:tst:1" check="at least one" check_existence="at_least_one_exists" comment="Test that the syslog-ng service is running" version="1">
-          <linux:object object_ref="oval:ssg-obj_service_running_syslog-ng:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_service_running_syslog-ng:ste:1"/>
-        </linux:systemdunitproperty_test>
-        <linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg-test_service_syslog-ng_package_syslog-ng_installed:tst:1" version="1" comment="package syslog-ng is installed">
-          <linux:object object_ref="oval:ssg-obj_test_service_syslog-ng_package_syslog-ng_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:systemdunitproperty_test id="oval:ssg-test_service_not_running_systemd-coredump:tst:1" check="all" check_existence="any_exist" comment="Test that the systemd-coredump service is not running" version="1">
-          <linux:object object_ref="oval:ssg-obj_service_not_running_systemd-coredump:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_service_not_running_systemd-coredump:ste:1"/>
-        </linux:systemdunitproperty_test>
-        <linux:systemdunitproperty_test id="oval:ssg-test_service_loadstate_is_masked_systemd-coredump:tst:1" check="all" check_existence="any_exist" comment="Test that the property LoadState from the service systemd-coredump is masked" version="1">
-          <linux:object object_ref="oval:ssg-obj_service_loadstate_is_masked_systemd-coredump:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_service_loadstate_is_masked_systemd-coredump:ste:1"/>
-        </linux:systemdunitproperty_test>
-        <linux:rpminfo_test check="all" check_existence="none_exist" id="oval:ssg-test_service_systemd-coredump_package_systemd_removed:tst:1" version="1" comment="package systemd is removed">
-          <linux:object object_ref="oval:ssg-obj_test_service_systemd-coredump_package_systemd_removed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_multi_user_wants_systemd-journald:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-object_multi_user_target_for_systemd-journald_enabled:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_systemd_systemd-journald_on:ste:1"/>
-        </linux:systemdunitdependency_test>
-        <linux:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_multi_user_wants_systemd-journald_socket:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-object_multi_user_target_for_systemd-journald_socket_enabled:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_systemd_systemd-journald_socket_on:ste:1"/>
-        </linux:systemdunitdependency_test>
-        <linux:systemdunitproperty_test id="oval:ssg-test_service_running_systemd-journald:tst:1" check="at least one" check_existence="at_least_one_exists" comment="Test that the systemd-journald service is running" version="1">
-          <linux:object object_ref="oval:ssg-obj_service_running_systemd-journald:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_service_running_systemd-journald:ste:1"/>
-        </linux:systemdunitproperty_test>
-        <linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg-test_service_systemd-journald_package_systemd_installed:tst:1" version="1" comment="package systemd is installed">
-          <linux:object object_ref="oval:ssg-obj_test_service_systemd-journald_package_systemd_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_multi_user_wants_ufw:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-object_multi_user_target_for_ufw_enabled:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_systemd_ufw_on:ste:1"/>
-        </linux:systemdunitdependency_test>
-        <linux:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_multi_user_wants_ufw_socket:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-object_multi_user_target_for_ufw_socket_enabled:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_systemd_ufw_socket_on:ste:1"/>
-        </linux:systemdunitdependency_test>
-        <linux:systemdunitproperty_test id="oval:ssg-test_service_running_ufw:tst:1" check="at least one" check_existence="at_least_one_exists" comment="Test that the ufw service is running" version="1">
-          <linux:object object_ref="oval:ssg-obj_service_running_ufw:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_service_running_ufw:ste:1"/>
-        </linux:systemdunitproperty_test>
-        <linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg-test_service_ufw_package_ufw_installed:tst:1" version="1" comment="package ufw is installed">
-          <linux:object object_ref="oval:ssg-obj_test_service_ufw_package_ufw_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_multi_user_wants_usbguard:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-object_multi_user_target_for_usbguard_enabled:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_systemd_usbguard_on:ste:1"/>
-        </linux:systemdunitdependency_test>
-        <linux:systemdunitdependency_test check="all" check_existence="any_exist" comment="systemd test" id="oval:ssg-test_multi_user_wants_usbguard_socket:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-object_multi_user_target_for_usbguard_socket_enabled:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_systemd_usbguard_socket_on:ste:1"/>
-        </linux:systemdunitdependency_test>
-        <linux:systemdunitproperty_test id="oval:ssg-test_service_running_usbguard:tst:1" check="at least one" check_existence="at_least_one_exists" comment="Test that the usbguard service is running" version="1">
-          <linux:object object_ref="oval:ssg-obj_service_running_usbguard:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_service_running_usbguard:ste:1"/>
-        </linux:systemdunitproperty_test>
-        <linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg-test_service_usbguard_package_usbguard_installed:tst:1" version="1" comment="package usbguard is installed">
-          <linux:object object_ref="oval:ssg-obj_test_service_usbguard_package_usbguard_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of PermitEmptyPasswords setting in the /etc/ssh/sshd_config file" id="oval:ssg-test_sshd_disable_empty_passwords:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_sshd_disable_empty_passwords:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sshd_disable_empty_passwords:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of GSSAPIAuthentication setting in the /etc/ssh/sshd_config file" id="oval:ssg-test_sshd_disable_gssapi_auth:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_sshd_disable_gssapi_auth:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sshd_disable_gssapi_auth:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of KerberosAuthentication setting in the /etc/ssh/sshd_config file" id="oval:ssg-test_sshd_disable_kerb_auth:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_sshd_disable_kerb_auth:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sshd_disable_kerb_auth:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of PubkeyAuthentication setting in the /etc/ssh/sshd_config file" id="oval:ssg-test_sshd_disable_pubkey_auth:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_sshd_disable_pubkey_auth:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sshd_disable_pubkey_auth:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of IgnoreRhosts setting in the /etc/ssh/sshd_config file" id="oval:ssg-test_sshd_disable_rhosts:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_sshd_disable_rhosts:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sshd_disable_rhosts:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of PermitRootLogin setting in the /etc/ssh/sshd_config file" id="oval:ssg-test_sshd_disable_root_login:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_sshd_disable_root_login:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sshd_disable_root_login:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of PermitRootLogin setting in the /etc/ssh/sshd_config file" id="oval:ssg-test_sshd_disable_root_password_login:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_sshd_disable_root_password_login:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sshd_disable_root_password_login:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of AllowTcpForwarding setting in the /etc/ssh/sshd_config file" id="oval:ssg-test_sshd_disable_tcp_forwarding:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_sshd_disable_tcp_forwarding:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sshd_disable_tcp_forwarding:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of IgnoreUserKnownHosts setting in the /etc/ssh/sshd_config file" id="oval:ssg-test_sshd_disable_user_known_hosts:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_sshd_disable_user_known_hosts:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sshd_disable_user_known_hosts:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of X11Forwarding setting in the /etc/ssh/sshd_config file" id="oval:ssg-test_sshd_disable_x11_forwarding:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_sshd_disable_x11_forwarding:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sshd_disable_x11_forwarding:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of PermitUserEnvironment setting in the /etc/ssh/sshd_config file" id="oval:ssg-test_sshd_do_not_permit_user_env:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_sshd_do_not_permit_user_env:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sshd_do_not_permit_user_env:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of GSSAPIAuthentication setting in the /etc/ssh/sshd_config file" id="oval:ssg-test_sshd_enable_gssapi_auth:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_sshd_enable_gssapi_auth:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sshd_enable_gssapi_auth:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of UsePAM setting in the /etc/ssh/sshd_config file" id="oval:ssg-test_sshd_enable_pam:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_sshd_enable_pam:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sshd_enable_pam:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of PubkeyAuthentication setting in the /etc/ssh/sshd_config file" id="oval:ssg-test_sshd_enable_pubkey_auth:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_sshd_enable_pubkey_auth:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sshd_enable_pubkey_auth:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of StrictModes setting in the /etc/ssh/sshd_config file" id="oval:ssg-test_sshd_enable_strictmodes:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_sshd_enable_strictmodes:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sshd_enable_strictmodes:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of Banner setting in the /etc/ssh/sshd_config file" id="oval:ssg-test_sshd_enable_warning_banner:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_sshd_enable_warning_banner:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sshd_enable_warning_banner:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of Banner setting in the /etc/ssh/sshd_config file" id="oval:ssg-test_sshd_enable_warning_banner_net:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_sshd_enable_warning_banner_net:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sshd_enable_warning_banner_net:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of X11Forwarding setting in the /etc/ssh/sshd_config file" id="oval:ssg-test_sshd_enable_x11_forwarding:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_sshd_enable_x11_forwarding:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sshd_enable_x11_forwarding:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="tests the presence of 'Include /etc/ssh/sshd_config.d/*.conf' setting in the /etc/ssh/sshd_config file" id="oval:ssg-test_sshd_includes_config_files:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_sshd_includes_config_files:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of PrintLastLog setting in the /etc/ssh/sshd_config file" id="oval:ssg-test_sshd_print_last_log:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_sshd_print_last_log:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sshd_print_last_log:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of ClientAliveCountMax setting in the /etc/ssh/sshd_config file" id="oval:ssg-test_sshd_set_keepalive_0:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_sshd_set_keepalive_0:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sshd_set_keepalive_0:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of LogLevel setting in the /etc/ssh/sshd_config file" id="oval:ssg-test_sshd_set_loglevel_info:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_sshd_set_loglevel_info:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sshd_set_loglevel_info:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="tests the value of LogLevel setting in the /etc/ssh/sshd_config file" id="oval:ssg-test_sshd_set_loglevel_verbose:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_sshd_set_loglevel_verbose:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sshd_set_loglevel_verbose:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_noexec_sudoers:tst:1" comment="noexec exists in /etc/sudoers or /etc/sudoers.d/" version="1">
-          <ind:object object_ref="oval:ssg-object_noexec_sudoers:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_requiretty_sudoers:tst:1" comment="requiretty exists in /etc/sudoers or /etc/sudoers.d/" version="1">
-          <ind:object object_ref="oval:ssg-object_requiretty_sudoers:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_use_pty_sudoers:tst:1" comment="use_pty exists in /etc/sudoers or /etc/sudoers.d/" version="1">
-          <ind:object object_ref="oval:ssg-object_use_pty_sudoers:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_logfile_sudoers:tst:1" comment="logfile exists in /etc/sudoers or /etc/sudoers.d/" version="1">
-          <ind:object object_ref="oval:ssg-object_logfile_sudoers:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_logfile_sudoers:ste:1"/>
-        </ind:textfilecontent54_test>
-        <unix:sysctl_test id="oval:ssg-test_sysctl_fs_protected_hardlinks_runtime:tst:1" version="1" comment="kernel runtime parameter fs.protected_hardlinks set to 1" check="all" check_existence="all_exist" state_operator="OR">
-          <unix:object object_ref="oval:ssg-object_sysctl_fs_protected_hardlinks_runtime:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_sysctl_fs_protected_hardlinks_runtime:ste:1"/>
-        </unix:sysctl_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_fs_protected_hardlinks_static:tst:1" version="1" check="all" check_existence="all_exist" comment="fs.protected_hardlinks static configuration" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_sysctl_sysctl_fs_protected_hardlinks:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_fs_protected_hardlinks:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_fs_protected_hardlinks_static_etc_sysctld:tst:1" version="1" check="all" comment="fs.protected_hardlinks static configuration in /etc/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_etc_sysctld_sysctl_fs_protected_hardlinks:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_fs_protected_hardlinks:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_fs_protected_hardlinks_static_run_sysctld:tst:1" version="1" check="all" comment="fs.protected_hardlinks static configuration in /run/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_run_sysctld_sysctl_fs_protected_hardlinks:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_fs_protected_hardlinks:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check that only one file contains fs_protected_hardlinks" id="oval:ssg-test_sysctl_fs_protected_hardlinks_defined_in_one_file:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_sysctl_fs_protected_hardlinks_defined_in_one_file:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sysctl_fs_protected_hardlinks_defined_in_one_file:ste:1"/>
-        </ind:variable_test>
-        <unix:sysctl_test id="oval:ssg-test_sysctl_fs_protected_symlinks_runtime:tst:1" version="1" comment="kernel runtime parameter fs.protected_symlinks set to 1" check="all" check_existence="all_exist" state_operator="OR">
-          <unix:object object_ref="oval:ssg-object_sysctl_fs_protected_symlinks_runtime:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_sysctl_fs_protected_symlinks_runtime:ste:1"/>
-        </unix:sysctl_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_fs_protected_symlinks_static:tst:1" version="1" check="all" check_existence="all_exist" comment="fs.protected_symlinks static configuration" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_sysctl_sysctl_fs_protected_symlinks:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_fs_protected_symlinks:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_fs_protected_symlinks_static_etc_sysctld:tst:1" version="1" check="all" comment="fs.protected_symlinks static configuration in /etc/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_etc_sysctld_sysctl_fs_protected_symlinks:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_fs_protected_symlinks:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_fs_protected_symlinks_static_run_sysctld:tst:1" version="1" check="all" comment="fs.protected_symlinks static configuration in /run/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_run_sysctld_sysctl_fs_protected_symlinks:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_fs_protected_symlinks:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check that only one file contains fs_protected_symlinks" id="oval:ssg-test_sysctl_fs_protected_symlinks_defined_in_one_file:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_sysctl_fs_protected_symlinks_defined_in_one_file:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sysctl_fs_protected_symlinks_defined_in_one_file:ste:1"/>
-        </ind:variable_test>
-        <unix:sysctl_test id="oval:ssg-test_sysctl_fs_suid_dumpable_runtime:tst:1" version="1" comment="kernel runtime parameter fs.suid_dumpable set to 0" check="all" check_existence="all_exist" state_operator="OR">
-          <unix:object object_ref="oval:ssg-object_sysctl_fs_suid_dumpable_runtime:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_sysctl_fs_suid_dumpable_runtime:ste:1"/>
-        </unix:sysctl_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_fs_suid_dumpable_static:tst:1" version="1" check="all" check_existence="all_exist" comment="fs.suid_dumpable static configuration" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_sysctl_sysctl_fs_suid_dumpable:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_fs_suid_dumpable:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_fs_suid_dumpable_static_etc_sysctld:tst:1" version="1" check="all" comment="fs.suid_dumpable static configuration in /etc/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_etc_sysctld_sysctl_fs_suid_dumpable:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_fs_suid_dumpable:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_fs_suid_dumpable_static_run_sysctld:tst:1" version="1" check="all" comment="fs.suid_dumpable static configuration in /run/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_run_sysctld_sysctl_fs_suid_dumpable:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_fs_suid_dumpable:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check that only one file contains fs_suid_dumpable" id="oval:ssg-test_sysctl_fs_suid_dumpable_defined_in_one_file:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_sysctl_fs_suid_dumpable_defined_in_one_file:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sysctl_fs_suid_dumpable_defined_in_one_file:ste:1"/>
-        </ind:variable_test>
-        <unix:sysctl_test id="oval:ssg-test_sysctl_kernel_core_pattern_runtime:tst:1" version="1" comment="kernel runtime parameter kernel.core_pattern set to | or / or b or i or n or / or f or a or l or s or e" check="all" check_existence="all_exist" state_operator="OR">
-          <unix:object object_ref="oval:ssg-object_sysctl_kernel_core_pattern_runtime:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_sysctl_kernel_core_pattern_runtime:ste:1"/>
-        </unix:sysctl_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_kernel_core_pattern_static:tst:1" version="1" check="all" check_existence="all_exist" comment="kernel.core_pattern static configuration" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_sysctl_sysctl_kernel_core_pattern:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_kernel_core_pattern:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_kernel_core_pattern_static_etc_sysctld:tst:1" version="1" check="all" comment="kernel.core_pattern static configuration in /etc/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_etc_sysctld_sysctl_kernel_core_pattern:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_kernel_core_pattern:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_kernel_core_pattern_static_run_sysctld:tst:1" version="1" check="all" comment="kernel.core_pattern static configuration in /run/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_run_sysctld_sysctl_kernel_core_pattern:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_kernel_core_pattern:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check that only one file contains kernel_core_pattern" id="oval:ssg-test_sysctl_kernel_core_pattern_defined_in_one_file:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_sysctl_kernel_core_pattern_defined_in_one_file:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sysctl_kernel_core_pattern_defined_in_one_file:ste:1"/>
-        </ind:variable_test>
-        <unix:sysctl_test id="oval:ssg-test_sysctl_kernel_core_pattern_empty_string_runtime:tst:1" version="1" comment="kernel runtime parameter kernel.core_pattern set to ' or '" check="all" check_existence="all_exist" state_operator="OR">
-          <unix:object object_ref="oval:ssg-object_sysctl_kernel_core_pattern_empty_string_runtime:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_sysctl_kernel_core_pattern_empty_string_runtime:ste:1"/>
-        </unix:sysctl_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_kernel_core_pattern_empty_string_static:tst:1" version="1" check="all" check_existence="all_exist" comment="kernel.core_pattern static configuration" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_sysctl_sysctl_kernel_core_pattern_empty_string:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_kernel_core_pattern_empty_string:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_kernel_core_pattern_empty_string_static_etc_sysctld:tst:1" version="1" check="all" comment="kernel.core_pattern static configuration in /etc/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_etc_sysctld_sysctl_kernel_core_pattern_empty_string:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_kernel_core_pattern_empty_string:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_kernel_core_pattern_empty_string_static_run_sysctld:tst:1" version="1" check="all" comment="kernel.core_pattern static configuration in /run/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_run_sysctld_sysctl_kernel_core_pattern_empty_string:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_kernel_core_pattern_empty_string:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check that only one file contains kernel_core_pattern" id="oval:ssg-test_sysctl_kernel_core_pattern_empty_string_defined_in_one_file:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_sysctl_kernel_core_pattern_empty_string_defined_in_one_file:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sysctl_kernel_core_pattern_empty_string_defined_in_one_file:ste:1"/>
-        </ind:variable_test>
-        <unix:sysctl_test id="oval:ssg-test_sysctl_kernel_core_uses_pid_runtime:tst:1" version="1" comment="kernel runtime parameter kernel.core_uses_pid set to 0" check="all" check_existence="all_exist" state_operator="OR">
-          <unix:object object_ref="oval:ssg-object_sysctl_kernel_core_uses_pid_runtime:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_sysctl_kernel_core_uses_pid_runtime:ste:1"/>
-        </unix:sysctl_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_kernel_core_uses_pid_static:tst:1" version="1" check="all" check_existence="all_exist" comment="kernel.core_uses_pid static configuration" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_sysctl_sysctl_kernel_core_uses_pid:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_kernel_core_uses_pid:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_kernel_core_uses_pid_static_etc_sysctld:tst:1" version="1" check="all" comment="kernel.core_uses_pid static configuration in /etc/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_etc_sysctld_sysctl_kernel_core_uses_pid:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_kernel_core_uses_pid:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_kernel_core_uses_pid_static_run_sysctld:tst:1" version="1" check="all" comment="kernel.core_uses_pid static configuration in /run/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_run_sysctld_sysctl_kernel_core_uses_pid:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_kernel_core_uses_pid:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check that only one file contains kernel_core_uses_pid" id="oval:ssg-test_sysctl_kernel_core_uses_pid_defined_in_one_file:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_sysctl_kernel_core_uses_pid_defined_in_one_file:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sysctl_kernel_core_uses_pid_defined_in_one_file:ste:1"/>
-        </ind:variable_test>
-        <unix:sysctl_test id="oval:ssg-test_sysctl_kernel_dmesg_restrict_runtime:tst:1" version="1" comment="kernel runtime parameter kernel.dmesg_restrict set to 1" check="all" check_existence="all_exist" state_operator="OR">
-          <unix:object object_ref="oval:ssg-object_sysctl_kernel_dmesg_restrict_runtime:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_sysctl_kernel_dmesg_restrict_runtime:ste:1"/>
-        </unix:sysctl_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_kernel_dmesg_restrict_static:tst:1" version="1" check="all" check_existence="all_exist" comment="kernel.dmesg_restrict static configuration" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_sysctl_sysctl_kernel_dmesg_restrict:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_kernel_dmesg_restrict:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_kernel_dmesg_restrict_static_etc_sysctld:tst:1" version="1" check="all" comment="kernel.dmesg_restrict static configuration in /etc/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_etc_sysctld_sysctl_kernel_dmesg_restrict:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_kernel_dmesg_restrict:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_kernel_dmesg_restrict_static_run_sysctld:tst:1" version="1" check="all" comment="kernel.dmesg_restrict static configuration in /run/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_run_sysctld_sysctl_kernel_dmesg_restrict:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_kernel_dmesg_restrict:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check that only one file contains kernel_dmesg_restrict" id="oval:ssg-test_sysctl_kernel_dmesg_restrict_defined_in_one_file:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_sysctl_kernel_dmesg_restrict_defined_in_one_file:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sysctl_kernel_dmesg_restrict_defined_in_one_file:ste:1"/>
-        </ind:variable_test>
-        <unix:sysctl_test id="oval:ssg-test_sysctl_kernel_kexec_load_disabled_runtime:tst:1" version="1" comment="kernel runtime parameter kernel.kexec_load_disabled set to 1" check="all" check_existence="all_exist" state_operator="OR">
-          <unix:object object_ref="oval:ssg-object_sysctl_kernel_kexec_load_disabled_runtime:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_sysctl_kernel_kexec_load_disabled_runtime:ste:1"/>
-        </unix:sysctl_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_kernel_kexec_load_disabled_static:tst:1" version="1" check="all" check_existence="all_exist" comment="kernel.kexec_load_disabled static configuration" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_sysctl_sysctl_kernel_kexec_load_disabled:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_kernel_kexec_load_disabled:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_kernel_kexec_load_disabled_static_etc_sysctld:tst:1" version="1" check="all" comment="kernel.kexec_load_disabled static configuration in /etc/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_etc_sysctld_sysctl_kernel_kexec_load_disabled:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_kernel_kexec_load_disabled:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_kernel_kexec_load_disabled_static_run_sysctld:tst:1" version="1" check="all" comment="kernel.kexec_load_disabled static configuration in /run/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_run_sysctld_sysctl_kernel_kexec_load_disabled:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_kernel_kexec_load_disabled:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check that only one file contains kernel_kexec_load_disabled" id="oval:ssg-test_sysctl_kernel_kexec_load_disabled_defined_in_one_file:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_sysctl_kernel_kexec_load_disabled_defined_in_one_file:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sysctl_kernel_kexec_load_disabled_defined_in_one_file:ste:1"/>
-        </ind:variable_test>
-        <unix:sysctl_test id="oval:ssg-test_sysctl_kernel_kptr_restrict_runtime:tst:1" version="1" comment="kernel runtime parameter kernel.kptr_restrict set to the appropriate value" check="all" check_existence="all_exist" state_operator="OR">
-          <unix:object object_ref="oval:ssg-object_sysctl_kernel_kptr_restrict_runtime:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_sysctl_kernel_kptr_restrict_runtime:ste:1"/>
-        </unix:sysctl_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_kernel_kptr_restrict_static:tst:1" version="1" check="all" check_existence="all_exist" comment="kernel.kptr_restrict static configuration" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_sysctl_sysctl_kernel_kptr_restrict:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_kernel_kptr_restrict:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_kernel_kptr_restrict_static_etc_sysctld:tst:1" version="1" check="all" comment="kernel.kptr_restrict static configuration in /etc/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_etc_sysctld_sysctl_kernel_kptr_restrict:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_kernel_kptr_restrict:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_kernel_kptr_restrict_static_run_sysctld:tst:1" version="1" check="all" comment="kernel.kptr_restrict static configuration in /run/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_run_sysctld_sysctl_kernel_kptr_restrict:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_kernel_kptr_restrict:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check that only one file contains kernel_kptr_restrict" id="oval:ssg-test_sysctl_kernel_kptr_restrict_defined_in_one_file:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_sysctl_kernel_kptr_restrict_defined_in_one_file:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sysctl_kernel_kptr_restrict_defined_in_one_file:ste:1"/>
-        </ind:variable_test>
-        <unix:sysctl_test id="oval:ssg-test_sysctl_kernel_panic_on_oops_runtime:tst:1" version="1" comment="kernel runtime parameter kernel.panic_on_oops set to 1" check="all" check_existence="all_exist" state_operator="OR">
-          <unix:object object_ref="oval:ssg-object_sysctl_kernel_panic_on_oops_runtime:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_sysctl_kernel_panic_on_oops_runtime:ste:1"/>
-        </unix:sysctl_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_kernel_panic_on_oops_static:tst:1" version="1" check="all" check_existence="all_exist" comment="kernel.panic_on_oops static configuration" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_sysctl_sysctl_kernel_panic_on_oops:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_kernel_panic_on_oops:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_kernel_panic_on_oops_static_etc_sysctld:tst:1" version="1" check="all" comment="kernel.panic_on_oops static configuration in /etc/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_etc_sysctld_sysctl_kernel_panic_on_oops:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_kernel_panic_on_oops:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_kernel_panic_on_oops_static_run_sysctld:tst:1" version="1" check="all" comment="kernel.panic_on_oops static configuration in /run/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_run_sysctld_sysctl_kernel_panic_on_oops:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_kernel_panic_on_oops:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check that only one file contains kernel_panic_on_oops" id="oval:ssg-test_sysctl_kernel_panic_on_oops_defined_in_one_file:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_sysctl_kernel_panic_on_oops_defined_in_one_file:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sysctl_kernel_panic_on_oops_defined_in_one_file:ste:1"/>
-        </ind:variable_test>
-        <unix:sysctl_test id="oval:ssg-test_sysctl_kernel_perf_event_paranoid_runtime:tst:1" version="1" comment="kernel runtime parameter kernel.perf_event_paranoid set to 2" check="all" check_existence="all_exist" state_operator="OR">
-          <unix:object object_ref="oval:ssg-object_sysctl_kernel_perf_event_paranoid_runtime:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_sysctl_kernel_perf_event_paranoid_runtime:ste:1"/>
-        </unix:sysctl_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_kernel_perf_event_paranoid_static:tst:1" version="1" check="all" check_existence="all_exist" comment="kernel.perf_event_paranoid static configuration" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_sysctl_sysctl_kernel_perf_event_paranoid:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_kernel_perf_event_paranoid:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_kernel_perf_event_paranoid_static_etc_sysctld:tst:1" version="1" check="all" comment="kernel.perf_event_paranoid static configuration in /etc/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_etc_sysctld_sysctl_kernel_perf_event_paranoid:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_kernel_perf_event_paranoid:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_kernel_perf_event_paranoid_static_run_sysctld:tst:1" version="1" check="all" comment="kernel.perf_event_paranoid static configuration in /run/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_run_sysctld_sysctl_kernel_perf_event_paranoid:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_kernel_perf_event_paranoid:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check that only one file contains kernel_perf_event_paranoid" id="oval:ssg-test_sysctl_kernel_perf_event_paranoid_defined_in_one_file:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_sysctl_kernel_perf_event_paranoid_defined_in_one_file:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sysctl_kernel_perf_event_paranoid_defined_in_one_file:ste:1"/>
-        </ind:variable_test>
-        <unix:sysctl_test id="oval:ssg-test_sysctl_kernel_randomize_va_space_runtime:tst:1" version="1" comment="kernel runtime parameter kernel.randomize_va_space set to 2" check="all" check_existence="all_exist" state_operator="OR">
-          <unix:object object_ref="oval:ssg-object_sysctl_kernel_randomize_va_space_runtime:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_sysctl_kernel_randomize_va_space_runtime:ste:1"/>
-        </unix:sysctl_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_kernel_randomize_va_space_static:tst:1" version="1" check="all" check_existence="all_exist" comment="kernel.randomize_va_space static configuration" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_sysctl_sysctl_kernel_randomize_va_space:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_kernel_randomize_va_space:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_kernel_randomize_va_space_static_etc_sysctld:tst:1" version="1" check="all" comment="kernel.randomize_va_space static configuration in /etc/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_etc_sysctld_sysctl_kernel_randomize_va_space:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_kernel_randomize_va_space:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_kernel_randomize_va_space_static_run_sysctld:tst:1" version="1" check="all" comment="kernel.randomize_va_space static configuration in /run/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_run_sysctld_sysctl_kernel_randomize_va_space:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_kernel_randomize_va_space:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check that only one file contains kernel_randomize_va_space" id="oval:ssg-test_sysctl_kernel_randomize_va_space_defined_in_one_file:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_sysctl_kernel_randomize_va_space_defined_in_one_file:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sysctl_kernel_randomize_va_space_defined_in_one_file:ste:1"/>
-        </ind:variable_test>
-        <unix:sysctl_test id="oval:ssg-test_sysctl_kernel_unprivileged_bpf_disabled_runtime:tst:1" version="1" comment="kernel runtime parameter kernel.unprivileged_bpf_disabled set to 1" check="all" check_existence="all_exist" state_operator="OR">
-          <unix:object object_ref="oval:ssg-object_sysctl_kernel_unprivileged_bpf_disabled_runtime:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_sysctl_kernel_unprivileged_bpf_disabled_runtime:ste:1"/>
-        </unix:sysctl_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_kernel_unprivileged_bpf_disabled_static:tst:1" version="1" check="all" check_existence="all_exist" comment="kernel.unprivileged_bpf_disabled static configuration" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_sysctl_sysctl_kernel_unprivileged_bpf_disabled:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_kernel_unprivileged_bpf_disabled:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_kernel_unprivileged_bpf_disabled_static_etc_sysctld:tst:1" version="1" check="all" comment="kernel.unprivileged_bpf_disabled static configuration in /etc/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_etc_sysctld_sysctl_kernel_unprivileged_bpf_disabled:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_kernel_unprivileged_bpf_disabled:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_kernel_unprivileged_bpf_disabled_static_run_sysctld:tst:1" version="1" check="all" comment="kernel.unprivileged_bpf_disabled static configuration in /run/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_run_sysctld_sysctl_kernel_unprivileged_bpf_disabled:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_kernel_unprivileged_bpf_disabled:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check that only one file contains kernel_unprivileged_bpf_disabled" id="oval:ssg-test_sysctl_kernel_unprivileged_bpf_disabled_defined_in_one_file:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_sysctl_kernel_unprivileged_bpf_disabled_defined_in_one_file:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sysctl_kernel_unprivileged_bpf_disabled_defined_in_one_file:ste:1"/>
-        </ind:variable_test>
-        <unix:sysctl_test id="oval:ssg-test_sysctl_kernel_yama_ptrace_scope_runtime:tst:1" version="1" comment="kernel runtime parameter kernel.yama.ptrace_scope set to 1" check="all" check_existence="all_exist" state_operator="OR">
-          <unix:object object_ref="oval:ssg-object_sysctl_kernel_yama_ptrace_scope_runtime:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_sysctl_kernel_yama_ptrace_scope_runtime:ste:1"/>
-        </unix:sysctl_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_kernel_yama_ptrace_scope_static:tst:1" version="1" check="all" check_existence="all_exist" comment="kernel.yama.ptrace_scope static configuration" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_sysctl_sysctl_kernel_yama_ptrace_scope:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_kernel_yama_ptrace_scope:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_kernel_yama_ptrace_scope_static_etc_sysctld:tst:1" version="1" check="all" comment="kernel.yama.ptrace_scope static configuration in /etc/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_etc_sysctld_sysctl_kernel_yama_ptrace_scope:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_kernel_yama_ptrace_scope:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_kernel_yama_ptrace_scope_static_run_sysctld:tst:1" version="1" check="all" comment="kernel.yama.ptrace_scope static configuration in /run/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_run_sysctld_sysctl_kernel_yama_ptrace_scope:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_kernel_yama_ptrace_scope:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check that only one file contains kernel_yama_ptrace_scope" id="oval:ssg-test_sysctl_kernel_yama_ptrace_scope_defined_in_one_file:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_sysctl_kernel_yama_ptrace_scope_defined_in_one_file:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sysctl_kernel_yama_ptrace_scope_defined_in_one_file:ste:1"/>
-        </ind:variable_test>
-        <unix:sysctl_test id="oval:ssg-test_sysctl_net_core_bpf_jit_harden_runtime:tst:1" version="1" comment="kernel runtime parameter net.core.bpf_jit_harden set to 2" check="all" check_existence="all_exist" state_operator="OR">
-          <unix:object object_ref="oval:ssg-object_sysctl_net_core_bpf_jit_harden_runtime:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_sysctl_net_core_bpf_jit_harden_runtime:ste:1"/>
-        </unix:sysctl_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_core_bpf_jit_harden_static:tst:1" version="1" check="all" check_existence="all_exist" comment="net.core.bpf_jit_harden static configuration" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_sysctl_sysctl_net_core_bpf_jit_harden:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_core_bpf_jit_harden:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_core_bpf_jit_harden_static_etc_sysctld:tst:1" version="1" check="all" comment="net.core.bpf_jit_harden static configuration in /etc/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_etc_sysctld_sysctl_net_core_bpf_jit_harden:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_core_bpf_jit_harden:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_core_bpf_jit_harden_static_run_sysctld:tst:1" version="1" check="all" comment="net.core.bpf_jit_harden static configuration in /run/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_run_sysctld_sysctl_net_core_bpf_jit_harden:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_core_bpf_jit_harden:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check that only one file contains net_core_bpf_jit_harden" id="oval:ssg-test_sysctl_net_core_bpf_jit_harden_defined_in_one_file:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_sysctl_net_core_bpf_jit_harden_defined_in_one_file:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sysctl_net_core_bpf_jit_harden_defined_in_one_file:ste:1"/>
-        </ind:variable_test>
-        <unix:sysctl_test id="oval:ssg-test_sysctl_net_ipv4_conf_all_accept_local_runtime:tst:1" version="1" comment="kernel runtime parameter net.ipv4.conf.all.accept_local set to 0" check="all" check_existence="all_exist" state_operator="OR">
-          <unix:object object_ref="oval:ssg-object_sysctl_net_ipv4_conf_all_accept_local_runtime:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_sysctl_net_ipv4_conf_all_accept_local_runtime:ste:1"/>
-        </unix:sysctl_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv4_conf_all_accept_local_static:tst:1" version="1" check="all" check_existence="all_exist" comment="net.ipv4.conf.all.accept_local static configuration" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_all_accept_local:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv4_conf_all_accept_local:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv4_conf_all_accept_local_static_etc_sysctld:tst:1" version="1" check="all" comment="net.ipv4.conf.all.accept_local static configuration in /etc/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_all_accept_local:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv4_conf_all_accept_local:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv4_conf_all_accept_local_static_run_sysctld:tst:1" version="1" check="all" comment="net.ipv4.conf.all.accept_local static configuration in /run/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_all_accept_local:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv4_conf_all_accept_local:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check that only one file contains net_ipv4_conf_all_accept_local" id="oval:ssg-test_sysctl_net_ipv4_conf_all_accept_local_defined_in_one_file:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_sysctl_net_ipv4_conf_all_accept_local_defined_in_one_file:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sysctl_net_ipv4_conf_all_accept_local_defined_in_one_file:ste:1"/>
-        </ind:variable_test>
-        <unix:sysctl_test id="oval:ssg-test_sysctl_net_ipv4_conf_all_accept_redirects_runtime:tst:1" version="1" comment="kernel runtime parameter net.ipv4.conf.all.accept_redirects set to the appropriate value" check="all" check_existence="all_exist" state_operator="OR">
-          <unix:object object_ref="oval:ssg-object_sysctl_net_ipv4_conf_all_accept_redirects_runtime:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_sysctl_net_ipv4_conf_all_accept_redirects_runtime:ste:1"/>
-        </unix:sysctl_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv4_conf_all_accept_redirects_static:tst:1" version="1" check="all" check_existence="all_exist" comment="net.ipv4.conf.all.accept_redirects static configuration" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_all_accept_redirects:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv4_conf_all_accept_redirects:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv4_conf_all_accept_redirects_static_etc_sysctld:tst:1" version="1" check="all" comment="net.ipv4.conf.all.accept_redirects static configuration in /etc/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_all_accept_redirects:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv4_conf_all_accept_redirects:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv4_conf_all_accept_redirects_static_run_sysctld:tst:1" version="1" check="all" comment="net.ipv4.conf.all.accept_redirects static configuration in /run/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_all_accept_redirects:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv4_conf_all_accept_redirects:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check that only one file contains net_ipv4_conf_all_accept_redirects" id="oval:ssg-test_sysctl_net_ipv4_conf_all_accept_redirects_defined_in_one_file:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_sysctl_net_ipv4_conf_all_accept_redirects_defined_in_one_file:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sysctl_net_ipv4_conf_all_accept_redirects_defined_in_one_file:ste:1"/>
-        </ind:variable_test>
-        <unix:sysctl_test id="oval:ssg-test_sysctl_net_ipv4_conf_all_accept_source_route_runtime:tst:1" version="1" comment="kernel runtime parameter net.ipv4.conf.all.accept_source_route set to the appropriate value" check="all" check_existence="all_exist" state_operator="OR">
-          <unix:object object_ref="oval:ssg-object_sysctl_net_ipv4_conf_all_accept_source_route_runtime:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_sysctl_net_ipv4_conf_all_accept_source_route_runtime:ste:1"/>
-        </unix:sysctl_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv4_conf_all_accept_source_route_static:tst:1" version="1" check="all" check_existence="all_exist" comment="net.ipv4.conf.all.accept_source_route static configuration" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_all_accept_source_route:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv4_conf_all_accept_source_route:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv4_conf_all_accept_source_route_static_etc_sysctld:tst:1" version="1" check="all" comment="net.ipv4.conf.all.accept_source_route static configuration in /etc/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_all_accept_source_route:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv4_conf_all_accept_source_route:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv4_conf_all_accept_source_route_static_run_sysctld:tst:1" version="1" check="all" comment="net.ipv4.conf.all.accept_source_route static configuration in /run/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_all_accept_source_route:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv4_conf_all_accept_source_route:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check that only one file contains net_ipv4_conf_all_accept_source_route" id="oval:ssg-test_sysctl_net_ipv4_conf_all_accept_source_route_defined_in_one_file:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_sysctl_net_ipv4_conf_all_accept_source_route_defined_in_one_file:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sysctl_net_ipv4_conf_all_accept_source_route_defined_in_one_file:ste:1"/>
-        </ind:variable_test>
-        <unix:sysctl_test id="oval:ssg-test_sysctl_net_ipv4_conf_all_arp_filter_runtime:tst:1" version="1" comment="kernel runtime parameter net.ipv4.conf.all.arp_filter set to the appropriate value" check="all" check_existence="all_exist" state_operator="OR">
-          <unix:object object_ref="oval:ssg-object_sysctl_net_ipv4_conf_all_arp_filter_runtime:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_sysctl_net_ipv4_conf_all_arp_filter_runtime:ste:1"/>
-        </unix:sysctl_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv4_conf_all_arp_filter_static:tst:1" version="1" check="all" check_existence="all_exist" comment="net.ipv4.conf.all.arp_filter static configuration" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_all_arp_filter:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv4_conf_all_arp_filter:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv4_conf_all_arp_filter_static_etc_sysctld:tst:1" version="1" check="all" comment="net.ipv4.conf.all.arp_filter static configuration in /etc/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_all_arp_filter:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv4_conf_all_arp_filter:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv4_conf_all_arp_filter_static_run_sysctld:tst:1" version="1" check="all" comment="net.ipv4.conf.all.arp_filter static configuration in /run/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_all_arp_filter:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv4_conf_all_arp_filter:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check that only one file contains net_ipv4_conf_all_arp_filter" id="oval:ssg-test_sysctl_net_ipv4_conf_all_arp_filter_defined_in_one_file:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_sysctl_net_ipv4_conf_all_arp_filter_defined_in_one_file:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sysctl_net_ipv4_conf_all_arp_filter_defined_in_one_file:ste:1"/>
-        </ind:variable_test>
-        <unix:sysctl_test id="oval:ssg-test_sysctl_net_ipv4_conf_all_arp_ignore_runtime:tst:1" version="1" comment="kernel runtime parameter net.ipv4.conf.all.arp_ignore set to the appropriate value" check="all" check_existence="all_exist" state_operator="OR">
-          <unix:object object_ref="oval:ssg-object_sysctl_net_ipv4_conf_all_arp_ignore_runtime:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_sysctl_net_ipv4_conf_all_arp_ignore_runtime:ste:1"/>
-        </unix:sysctl_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv4_conf_all_arp_ignore_static:tst:1" version="1" check="all" check_existence="all_exist" comment="net.ipv4.conf.all.arp_ignore static configuration" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_all_arp_ignore:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv4_conf_all_arp_ignore:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv4_conf_all_arp_ignore_static_etc_sysctld:tst:1" version="1" check="all" comment="net.ipv4.conf.all.arp_ignore static configuration in /etc/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_all_arp_ignore:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv4_conf_all_arp_ignore:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv4_conf_all_arp_ignore_static_run_sysctld:tst:1" version="1" check="all" comment="net.ipv4.conf.all.arp_ignore static configuration in /run/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_all_arp_ignore:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv4_conf_all_arp_ignore:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check that only one file contains net_ipv4_conf_all_arp_ignore" id="oval:ssg-test_sysctl_net_ipv4_conf_all_arp_ignore_defined_in_one_file:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_sysctl_net_ipv4_conf_all_arp_ignore_defined_in_one_file:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sysctl_net_ipv4_conf_all_arp_ignore_defined_in_one_file:ste:1"/>
-        </ind:variable_test>
-        <unix:sysctl_test id="oval:ssg-test_sysctl_net_ipv4_conf_all_log_martians_runtime:tst:1" version="1" comment="kernel runtime parameter net.ipv4.conf.all.log_martians set to the appropriate value" check="all" check_existence="all_exist" state_operator="OR">
-          <unix:object object_ref="oval:ssg-object_sysctl_net_ipv4_conf_all_log_martians_runtime:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_sysctl_net_ipv4_conf_all_log_martians_runtime:ste:1"/>
-        </unix:sysctl_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv4_conf_all_log_martians_static:tst:1" version="1" check="all" check_existence="all_exist" comment="net.ipv4.conf.all.log_martians static configuration" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_all_log_martians:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv4_conf_all_log_martians:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv4_conf_all_log_martians_static_etc_sysctld:tst:1" version="1" check="all" comment="net.ipv4.conf.all.log_martians static configuration in /etc/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_all_log_martians:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv4_conf_all_log_martians:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv4_conf_all_log_martians_static_run_sysctld:tst:1" version="1" check="all" comment="net.ipv4.conf.all.log_martians static configuration in /run/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_all_log_martians:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv4_conf_all_log_martians:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check that only one file contains net_ipv4_conf_all_log_martians" id="oval:ssg-test_sysctl_net_ipv4_conf_all_log_martians_defined_in_one_file:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_sysctl_net_ipv4_conf_all_log_martians_defined_in_one_file:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sysctl_net_ipv4_conf_all_log_martians_defined_in_one_file:ste:1"/>
-        </ind:variable_test>
-        <unix:sysctl_test id="oval:ssg-test_sysctl_net_ipv4_conf_all_route_localnet_runtime:tst:1" version="1" comment="kernel runtime parameter net.ipv4.conf.all.route_localnet set to 0" check="all" check_existence="all_exist" state_operator="OR">
-          <unix:object object_ref="oval:ssg-object_sysctl_net_ipv4_conf_all_route_localnet_runtime:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_sysctl_net_ipv4_conf_all_route_localnet_runtime:ste:1"/>
-        </unix:sysctl_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv4_conf_all_route_localnet_static:tst:1" version="1" check="all" check_existence="all_exist" comment="net.ipv4.conf.all.route_localnet static configuration" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_all_route_localnet:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv4_conf_all_route_localnet:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv4_conf_all_route_localnet_static_etc_sysctld:tst:1" version="1" check="all" comment="net.ipv4.conf.all.route_localnet static configuration in /etc/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_all_route_localnet:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv4_conf_all_route_localnet:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv4_conf_all_route_localnet_static_run_sysctld:tst:1" version="1" check="all" comment="net.ipv4.conf.all.route_localnet static configuration in /run/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_all_route_localnet:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv4_conf_all_route_localnet:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check that only one file contains net_ipv4_conf_all_route_localnet" id="oval:ssg-test_sysctl_net_ipv4_conf_all_route_localnet_defined_in_one_file:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_sysctl_net_ipv4_conf_all_route_localnet_defined_in_one_file:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sysctl_net_ipv4_conf_all_route_localnet_defined_in_one_file:ste:1"/>
-        </ind:variable_test>
-        <unix:sysctl_test id="oval:ssg-test_sysctl_net_ipv4_conf_all_rp_filter_runtime:tst:1" version="1" comment="kernel runtime parameter net.ipv4.conf.all.rp_filter set to the appropriate value" check="all" check_existence="all_exist" state_operator="OR">
-          <unix:object object_ref="oval:ssg-object_sysctl_net_ipv4_conf_all_rp_filter_runtime:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_sysctl_net_ipv4_conf_all_rp_filter_runtime:ste:1"/>
-        </unix:sysctl_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv4_conf_all_rp_filter_static:tst:1" version="1" check="all" check_existence="all_exist" comment="net.ipv4.conf.all.rp_filter static configuration" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_all_rp_filter:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv4_conf_all_rp_filter:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv4_conf_all_rp_filter_static_etc_sysctld:tst:1" version="1" check="all" comment="net.ipv4.conf.all.rp_filter static configuration in /etc/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_all_rp_filter:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv4_conf_all_rp_filter:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv4_conf_all_rp_filter_static_run_sysctld:tst:1" version="1" check="all" comment="net.ipv4.conf.all.rp_filter static configuration in /run/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_all_rp_filter:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv4_conf_all_rp_filter:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check that only one file contains net_ipv4_conf_all_rp_filter" id="oval:ssg-test_sysctl_net_ipv4_conf_all_rp_filter_defined_in_one_file:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_sysctl_net_ipv4_conf_all_rp_filter_defined_in_one_file:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sysctl_net_ipv4_conf_all_rp_filter_defined_in_one_file:ste:1"/>
-        </ind:variable_test>
-        <unix:sysctl_test id="oval:ssg-test_sysctl_net_ipv4_conf_all_secure_redirects_runtime:tst:1" version="1" comment="kernel runtime parameter net.ipv4.conf.all.secure_redirects set to the appropriate value" check="all" check_existence="all_exist" state_operator="OR">
-          <unix:object object_ref="oval:ssg-object_sysctl_net_ipv4_conf_all_secure_redirects_runtime:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_sysctl_net_ipv4_conf_all_secure_redirects_runtime:ste:1"/>
-        </unix:sysctl_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv4_conf_all_secure_redirects_static:tst:1" version="1" check="all" check_existence="all_exist" comment="net.ipv4.conf.all.secure_redirects static configuration" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_all_secure_redirects:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv4_conf_all_secure_redirects:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv4_conf_all_secure_redirects_static_etc_sysctld:tst:1" version="1" check="all" comment="net.ipv4.conf.all.secure_redirects static configuration in /etc/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_all_secure_redirects:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv4_conf_all_secure_redirects:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv4_conf_all_secure_redirects_static_run_sysctld:tst:1" version="1" check="all" comment="net.ipv4.conf.all.secure_redirects static configuration in /run/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_all_secure_redirects:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv4_conf_all_secure_redirects:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check that only one file contains net_ipv4_conf_all_secure_redirects" id="oval:ssg-test_sysctl_net_ipv4_conf_all_secure_redirects_defined_in_one_file:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_sysctl_net_ipv4_conf_all_secure_redirects_defined_in_one_file:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sysctl_net_ipv4_conf_all_secure_redirects_defined_in_one_file:ste:1"/>
-        </ind:variable_test>
-        <unix:sysctl_test id="oval:ssg-test_sysctl_net_ipv4_conf_all_send_redirects_runtime:tst:1" version="1" comment="kernel runtime parameter net.ipv4.conf.all.send_redirects set to 0" check="all" check_existence="all_exist" state_operator="OR">
-          <unix:object object_ref="oval:ssg-object_sysctl_net_ipv4_conf_all_send_redirects_runtime:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_sysctl_net_ipv4_conf_all_send_redirects_runtime:ste:1"/>
-        </unix:sysctl_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv4_conf_all_send_redirects_static:tst:1" version="1" check="all" check_existence="all_exist" comment="net.ipv4.conf.all.send_redirects static configuration" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_all_send_redirects:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv4_conf_all_send_redirects:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv4_conf_all_send_redirects_static_etc_sysctld:tst:1" version="1" check="all" comment="net.ipv4.conf.all.send_redirects static configuration in /etc/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_all_send_redirects:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv4_conf_all_send_redirects:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv4_conf_all_send_redirects_static_run_sysctld:tst:1" version="1" check="all" comment="net.ipv4.conf.all.send_redirects static configuration in /run/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_all_send_redirects:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv4_conf_all_send_redirects:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check that only one file contains net_ipv4_conf_all_send_redirects" id="oval:ssg-test_sysctl_net_ipv4_conf_all_send_redirects_defined_in_one_file:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_sysctl_net_ipv4_conf_all_send_redirects_defined_in_one_file:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sysctl_net_ipv4_conf_all_send_redirects_defined_in_one_file:ste:1"/>
-        </ind:variable_test>
-        <unix:sysctl_test id="oval:ssg-test_sysctl_net_ipv4_conf_all_shared_media_runtime:tst:1" version="1" comment="kernel runtime parameter net.ipv4.conf.all.shared_media set to the appropriate value" check="all" check_existence="all_exist" state_operator="OR">
-          <unix:object object_ref="oval:ssg-object_sysctl_net_ipv4_conf_all_shared_media_runtime:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_sysctl_net_ipv4_conf_all_shared_media_runtime:ste:1"/>
-        </unix:sysctl_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv4_conf_all_shared_media_static:tst:1" version="1" check="all" check_existence="all_exist" comment="net.ipv4.conf.all.shared_media static configuration" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_all_shared_media:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv4_conf_all_shared_media:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv4_conf_all_shared_media_static_etc_sysctld:tst:1" version="1" check="all" comment="net.ipv4.conf.all.shared_media static configuration in /etc/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_all_shared_media:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv4_conf_all_shared_media:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv4_conf_all_shared_media_static_run_sysctld:tst:1" version="1" check="all" comment="net.ipv4.conf.all.shared_media static configuration in /run/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_all_shared_media:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv4_conf_all_shared_media:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check that only one file contains net_ipv4_conf_all_shared_media" id="oval:ssg-test_sysctl_net_ipv4_conf_all_shared_media_defined_in_one_file:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_sysctl_net_ipv4_conf_all_shared_media_defined_in_one_file:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sysctl_net_ipv4_conf_all_shared_media_defined_in_one_file:ste:1"/>
-        </ind:variable_test>
-        <unix:sysctl_test id="oval:ssg-test_sysctl_net_ipv4_conf_default_accept_redirects_runtime:tst:1" version="1" comment="kernel runtime parameter net.ipv4.conf.default.accept_redirects set to the appropriate value" check="all" check_existence="all_exist" state_operator="OR">
-          <unix:object object_ref="oval:ssg-object_sysctl_net_ipv4_conf_default_accept_redirects_runtime:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_sysctl_net_ipv4_conf_default_accept_redirects_runtime:ste:1"/>
-        </unix:sysctl_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv4_conf_default_accept_redirects_static:tst:1" version="1" check="all" check_existence="all_exist" comment="net.ipv4.conf.default.accept_redirects static configuration" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_default_accept_redirects:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv4_conf_default_accept_redirects:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv4_conf_default_accept_redirects_static_etc_sysctld:tst:1" version="1" check="all" comment="net.ipv4.conf.default.accept_redirects static configuration in /etc/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_default_accept_redirects:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv4_conf_default_accept_redirects:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv4_conf_default_accept_redirects_static_run_sysctld:tst:1" version="1" check="all" comment="net.ipv4.conf.default.accept_redirects static configuration in /run/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_default_accept_redirects:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv4_conf_default_accept_redirects:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check that only one file contains net_ipv4_conf_default_accept_redirects" id="oval:ssg-test_sysctl_net_ipv4_conf_default_accept_redirects_defined_in_one_file:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_sysctl_net_ipv4_conf_default_accept_redirects_defined_in_one_file:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sysctl_net_ipv4_conf_default_accept_redirects_defined_in_one_file:ste:1"/>
-        </ind:variable_test>
-        <unix:sysctl_test id="oval:ssg-test_sysctl_net_ipv4_conf_default_accept_source_route_runtime:tst:1" version="1" comment="kernel runtime parameter net.ipv4.conf.default.accept_source_route set to the appropriate value" check="all" check_existence="all_exist" state_operator="OR">
-          <unix:object object_ref="oval:ssg-object_sysctl_net_ipv4_conf_default_accept_source_route_runtime:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_sysctl_net_ipv4_conf_default_accept_source_route_runtime:ste:1"/>
-        </unix:sysctl_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv4_conf_default_accept_source_route_static:tst:1" version="1" check="all" check_existence="all_exist" comment="net.ipv4.conf.default.accept_source_route static configuration" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_default_accept_source_route:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv4_conf_default_accept_source_route:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv4_conf_default_accept_source_route_static_etc_sysctld:tst:1" version="1" check="all" comment="net.ipv4.conf.default.accept_source_route static configuration in /etc/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_default_accept_source_route:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv4_conf_default_accept_source_route:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv4_conf_default_accept_source_route_static_run_sysctld:tst:1" version="1" check="all" comment="net.ipv4.conf.default.accept_source_route static configuration in /run/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_default_accept_source_route:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv4_conf_default_accept_source_route:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check that only one file contains net_ipv4_conf_default_accept_source_route" id="oval:ssg-test_sysctl_net_ipv4_conf_default_accept_source_route_defined_in_one_file:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_sysctl_net_ipv4_conf_default_accept_source_route_defined_in_one_file:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sysctl_net_ipv4_conf_default_accept_source_route_defined_in_one_file:ste:1"/>
-        </ind:variable_test>
-        <unix:sysctl_test id="oval:ssg-test_sysctl_net_ipv4_conf_default_log_martians_runtime:tst:1" version="1" comment="kernel runtime parameter net.ipv4.conf.default.log_martians set to the appropriate value" check="all" check_existence="all_exist" state_operator="OR">
-          <unix:object object_ref="oval:ssg-object_sysctl_net_ipv4_conf_default_log_martians_runtime:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_sysctl_net_ipv4_conf_default_log_martians_runtime:ste:1"/>
-        </unix:sysctl_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv4_conf_default_log_martians_static:tst:1" version="1" check="all" check_existence="all_exist" comment="net.ipv4.conf.default.log_martians static configuration" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_default_log_martians:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv4_conf_default_log_martians:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv4_conf_default_log_martians_static_etc_sysctld:tst:1" version="1" check="all" comment="net.ipv4.conf.default.log_martians static configuration in /etc/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_default_log_martians:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv4_conf_default_log_martians:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv4_conf_default_log_martians_static_run_sysctld:tst:1" version="1" check="all" comment="net.ipv4.conf.default.log_martians static configuration in /run/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_default_log_martians:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv4_conf_default_log_martians:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check that only one file contains net_ipv4_conf_default_log_martians" id="oval:ssg-test_sysctl_net_ipv4_conf_default_log_martians_defined_in_one_file:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_sysctl_net_ipv4_conf_default_log_martians_defined_in_one_file:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sysctl_net_ipv4_conf_default_log_martians_defined_in_one_file:ste:1"/>
-        </ind:variable_test>
-        <unix:sysctl_test id="oval:ssg-test_sysctl_net_ipv4_conf_default_rp_filter_runtime:tst:1" version="1" comment="kernel runtime parameter net.ipv4.conf.default.rp_filter set to the appropriate value" check="all" check_existence="all_exist" state_operator="OR">
-          <unix:object object_ref="oval:ssg-object_sysctl_net_ipv4_conf_default_rp_filter_runtime:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_sysctl_net_ipv4_conf_default_rp_filter_runtime:ste:1"/>
-        </unix:sysctl_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv4_conf_default_rp_filter_static:tst:1" version="1" check="all" check_existence="all_exist" comment="net.ipv4.conf.default.rp_filter static configuration" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_default_rp_filter:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv4_conf_default_rp_filter:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv4_conf_default_rp_filter_static_etc_sysctld:tst:1" version="1" check="all" comment="net.ipv4.conf.default.rp_filter static configuration in /etc/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_default_rp_filter:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv4_conf_default_rp_filter:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv4_conf_default_rp_filter_static_run_sysctld:tst:1" version="1" check="all" comment="net.ipv4.conf.default.rp_filter static configuration in /run/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_default_rp_filter:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv4_conf_default_rp_filter:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check that only one file contains net_ipv4_conf_default_rp_filter" id="oval:ssg-test_sysctl_net_ipv4_conf_default_rp_filter_defined_in_one_file:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_sysctl_net_ipv4_conf_default_rp_filter_defined_in_one_file:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sysctl_net_ipv4_conf_default_rp_filter_defined_in_one_file:ste:1"/>
-        </ind:variable_test>
-        <unix:sysctl_test id="oval:ssg-test_sysctl_net_ipv4_conf_default_secure_redirects_runtime:tst:1" version="1" comment="kernel runtime parameter net.ipv4.conf.default.secure_redirects set to the appropriate value" check="all" check_existence="all_exist" state_operator="OR">
-          <unix:object object_ref="oval:ssg-object_sysctl_net_ipv4_conf_default_secure_redirects_runtime:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_sysctl_net_ipv4_conf_default_secure_redirects_runtime:ste:1"/>
-        </unix:sysctl_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv4_conf_default_secure_redirects_static:tst:1" version="1" check="all" check_existence="all_exist" comment="net.ipv4.conf.default.secure_redirects static configuration" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_default_secure_redirects:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv4_conf_default_secure_redirects:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv4_conf_default_secure_redirects_static_etc_sysctld:tst:1" version="1" check="all" comment="net.ipv4.conf.default.secure_redirects static configuration in /etc/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_default_secure_redirects:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv4_conf_default_secure_redirects:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv4_conf_default_secure_redirects_static_run_sysctld:tst:1" version="1" check="all" comment="net.ipv4.conf.default.secure_redirects static configuration in /run/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_default_secure_redirects:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv4_conf_default_secure_redirects:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check that only one file contains net_ipv4_conf_default_secure_redirects" id="oval:ssg-test_sysctl_net_ipv4_conf_default_secure_redirects_defined_in_one_file:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_sysctl_net_ipv4_conf_default_secure_redirects_defined_in_one_file:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sysctl_net_ipv4_conf_default_secure_redirects_defined_in_one_file:ste:1"/>
-        </ind:variable_test>
-        <unix:sysctl_test id="oval:ssg-test_sysctl_net_ipv4_conf_default_send_redirects_runtime:tst:1" version="1" comment="kernel runtime parameter net.ipv4.conf.default.send_redirects set to 0" check="all" check_existence="all_exist" state_operator="OR">
-          <unix:object object_ref="oval:ssg-object_sysctl_net_ipv4_conf_default_send_redirects_runtime:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_sysctl_net_ipv4_conf_default_send_redirects_runtime:ste:1"/>
-        </unix:sysctl_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv4_conf_default_send_redirects_static:tst:1" version="1" check="all" check_existence="all_exist" comment="net.ipv4.conf.default.send_redirects static configuration" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_default_send_redirects:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv4_conf_default_send_redirects:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv4_conf_default_send_redirects_static_etc_sysctld:tst:1" version="1" check="all" comment="net.ipv4.conf.default.send_redirects static configuration in /etc/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_default_send_redirects:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv4_conf_default_send_redirects:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv4_conf_default_send_redirects_static_run_sysctld:tst:1" version="1" check="all" comment="net.ipv4.conf.default.send_redirects static configuration in /run/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_default_send_redirects:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv4_conf_default_send_redirects:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check that only one file contains net_ipv4_conf_default_send_redirects" id="oval:ssg-test_sysctl_net_ipv4_conf_default_send_redirects_defined_in_one_file:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_sysctl_net_ipv4_conf_default_send_redirects_defined_in_one_file:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sysctl_net_ipv4_conf_default_send_redirects_defined_in_one_file:ste:1"/>
-        </ind:variable_test>
-        <unix:sysctl_test id="oval:ssg-test_sysctl_net_ipv4_conf_default_shared_media_runtime:tst:1" version="1" comment="kernel runtime parameter net.ipv4.conf.default.shared_media set to the appropriate value" check="all" check_existence="all_exist" state_operator="OR">
-          <unix:object object_ref="oval:ssg-object_sysctl_net_ipv4_conf_default_shared_media_runtime:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_sysctl_net_ipv4_conf_default_shared_media_runtime:ste:1"/>
-        </unix:sysctl_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv4_conf_default_shared_media_static:tst:1" version="1" check="all" check_existence="all_exist" comment="net.ipv4.conf.default.shared_media static configuration" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_default_shared_media:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv4_conf_default_shared_media:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv4_conf_default_shared_media_static_etc_sysctld:tst:1" version="1" check="all" comment="net.ipv4.conf.default.shared_media static configuration in /etc/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_default_shared_media:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv4_conf_default_shared_media:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv4_conf_default_shared_media_static_run_sysctld:tst:1" version="1" check="all" comment="net.ipv4.conf.default.shared_media static configuration in /run/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_default_shared_media:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv4_conf_default_shared_media:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check that only one file contains net_ipv4_conf_default_shared_media" id="oval:ssg-test_sysctl_net_ipv4_conf_default_shared_media_defined_in_one_file:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_sysctl_net_ipv4_conf_default_shared_media_defined_in_one_file:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sysctl_net_ipv4_conf_default_shared_media_defined_in_one_file:ste:1"/>
-        </ind:variable_test>
-        <unix:sysctl_test id="oval:ssg-test_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_runtime:tst:1" version="1" comment="kernel runtime parameter net.ipv4.icmp_echo_ignore_broadcasts set to the appropriate value" check="all" check_existence="all_exist" state_operator="OR">
-          <unix:object object_ref="oval:ssg-object_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_runtime:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_runtime:ste:1"/>
-        </unix:sysctl_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_static:tst:1" version="1" check="all" check_existence="all_exist" comment="net.ipv4.icmp_echo_ignore_broadcasts static configuration" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_sysctl_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_static_etc_sysctld:tst:1" version="1" check="all" comment="net.ipv4.icmp_echo_ignore_broadcasts static configuration in /etc/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_static_run_sysctld:tst:1" version="1" check="all" comment="net.ipv4.icmp_echo_ignore_broadcasts static configuration in /run/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check that only one file contains net_ipv4_icmp_echo_ignore_broadcasts" id="oval:ssg-test_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_defined_in_one_file:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_defined_in_one_file:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_defined_in_one_file:ste:1"/>
-        </ind:variable_test>
-        <unix:sysctl_test id="oval:ssg-test_sysctl_net_ipv4_icmp_ignore_bogus_error_responses_runtime:tst:1" version="1" comment="kernel runtime parameter net.ipv4.icmp_ignore_bogus_error_responses set to the appropriate value" check="all" check_existence="all_exist" state_operator="OR">
-          <unix:object object_ref="oval:ssg-object_sysctl_net_ipv4_icmp_ignore_bogus_error_responses_runtime:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_sysctl_net_ipv4_icmp_ignore_bogus_error_responses_runtime:ste:1"/>
-        </unix:sysctl_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv4_icmp_ignore_bogus_error_responses_static:tst:1" version="1" check="all" check_existence="all_exist" comment="net.ipv4.icmp_ignore_bogus_error_responses static configuration" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_sysctl_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv4_icmp_ignore_bogus_error_responses_static_etc_sysctld:tst:1" version="1" check="all" comment="net.ipv4.icmp_ignore_bogus_error_responses static configuration in /etc/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv4_icmp_ignore_bogus_error_responses_static_run_sysctld:tst:1" version="1" check="all" comment="net.ipv4.icmp_ignore_bogus_error_responses static configuration in /run/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check that only one file contains net_ipv4_icmp_ignore_bogus_error_responses" id="oval:ssg-test_sysctl_net_ipv4_icmp_ignore_bogus_error_responses_defined_in_one_file:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_sysctl_net_ipv4_icmp_ignore_bogus_error_responses_defined_in_one_file:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sysctl_net_ipv4_icmp_ignore_bogus_error_responses_defined_in_one_file:ste:1"/>
-        </ind:variable_test>
-        <unix:sysctl_test id="oval:ssg-test_sysctl_net_ipv4_ip_forward_runtime:tst:1" version="1" comment="kernel runtime parameter net.ipv4.ip_forward set to 0" check="all" check_existence="all_exist" state_operator="OR">
-          <unix:object object_ref="oval:ssg-object_sysctl_net_ipv4_ip_forward_runtime:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_sysctl_net_ipv4_ip_forward_runtime:ste:1"/>
-        </unix:sysctl_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv4_ip_forward_static:tst:1" version="1" check="all" check_existence="all_exist" comment="net.ipv4.ip_forward static configuration" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_sysctl_sysctl_net_ipv4_ip_forward:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv4_ip_forward:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv4_ip_forward_static_etc_sysctld:tst:1" version="1" check="all" comment="net.ipv4.ip_forward static configuration in /etc/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_ip_forward:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv4_ip_forward:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv4_ip_forward_static_run_sysctld:tst:1" version="1" check="all" comment="net.ipv4.ip_forward static configuration in /run/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_ip_forward:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv4_ip_forward:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check that only one file contains net_ipv4_ip_forward" id="oval:ssg-test_sysctl_net_ipv4_ip_forward_defined_in_one_file:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_sysctl_net_ipv4_ip_forward_defined_in_one_file:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sysctl_net_ipv4_ip_forward_defined_in_one_file:ste:1"/>
-        </ind:variable_test>
-        <unix:sysctl_test id="oval:ssg-test_sysctl_net_ipv4_tcp_invalid_ratelimit_runtime:tst:1" version="1" comment="kernel runtime parameter net.ipv4.tcp_invalid_ratelimit set to the appropriate value" check="all" check_existence="all_exist" state_operator="OR">
-          <unix:object object_ref="oval:ssg-object_sysctl_net_ipv4_tcp_invalid_ratelimit_runtime:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_sysctl_net_ipv4_tcp_invalid_ratelimit_runtime:ste:1"/>
-        </unix:sysctl_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv4_tcp_invalid_ratelimit_static:tst:1" version="1" check="all" check_existence="all_exist" comment="net.ipv4.tcp_invalid_ratelimit static configuration" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_sysctl_sysctl_net_ipv4_tcp_invalid_ratelimit:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv4_tcp_invalid_ratelimit:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv4_tcp_invalid_ratelimit_static_etc_sysctld:tst:1" version="1" check="all" comment="net.ipv4.tcp_invalid_ratelimit static configuration in /etc/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_tcp_invalid_ratelimit:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv4_tcp_invalid_ratelimit:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv4_tcp_invalid_ratelimit_static_run_sysctld:tst:1" version="1" check="all" comment="net.ipv4.tcp_invalid_ratelimit static configuration in /run/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_tcp_invalid_ratelimit:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv4_tcp_invalid_ratelimit:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check that only one file contains net_ipv4_tcp_invalid_ratelimit" id="oval:ssg-test_sysctl_net_ipv4_tcp_invalid_ratelimit_defined_in_one_file:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_sysctl_net_ipv4_tcp_invalid_ratelimit_defined_in_one_file:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sysctl_net_ipv4_tcp_invalid_ratelimit_defined_in_one_file:ste:1"/>
-        </ind:variable_test>
-        <unix:sysctl_test id="oval:ssg-test_sysctl_net_ipv4_tcp_syncookies_runtime:tst:1" version="1" comment="kernel runtime parameter net.ipv4.tcp_syncookies set to the appropriate value" check="all" check_existence="all_exist" state_operator="OR">
-          <unix:object object_ref="oval:ssg-object_sysctl_net_ipv4_tcp_syncookies_runtime:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_sysctl_net_ipv4_tcp_syncookies_runtime:ste:1"/>
-        </unix:sysctl_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv4_tcp_syncookies_static:tst:1" version="1" check="all" check_existence="all_exist" comment="net.ipv4.tcp_syncookies static configuration" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_sysctl_sysctl_net_ipv4_tcp_syncookies:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv4_tcp_syncookies:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv4_tcp_syncookies_static_etc_sysctld:tst:1" version="1" check="all" comment="net.ipv4.tcp_syncookies static configuration in /etc/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_tcp_syncookies:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv4_tcp_syncookies:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv4_tcp_syncookies_static_run_sysctld:tst:1" version="1" check="all" comment="net.ipv4.tcp_syncookies static configuration in /run/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_tcp_syncookies:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv4_tcp_syncookies:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check that only one file contains net_ipv4_tcp_syncookies" id="oval:ssg-test_sysctl_net_ipv4_tcp_syncookies_defined_in_one_file:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_sysctl_net_ipv4_tcp_syncookies_defined_in_one_file:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sysctl_net_ipv4_tcp_syncookies_defined_in_one_file:ste:1"/>
-        </ind:variable_test>
-        <unix:sysctl_test id="oval:ssg-test_sysctl_net_ipv6_conf_all_accept_ra_runtime:tst:1" version="1" comment="kernel runtime parameter net.ipv6.conf.all.accept_ra set to the appropriate value" check="all" check_existence="all_exist" state_operator="OR">
-          <unix:object object_ref="oval:ssg-object_sysctl_net_ipv6_conf_all_accept_ra_runtime:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_sysctl_net_ipv6_conf_all_accept_ra_runtime:ste:1"/>
-        </unix:sysctl_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv6_conf_all_accept_ra_static:tst:1" version="1" check="all" check_existence="all_exist" comment="net.ipv6.conf.all.accept_ra static configuration" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_sysctl_sysctl_net_ipv6_conf_all_accept_ra:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv6_conf_all_accept_ra:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv6_conf_all_accept_ra_static_etc_sysctld:tst:1" version="1" check="all" comment="net.ipv6.conf.all.accept_ra static configuration in /etc/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_etc_sysctld_sysctl_net_ipv6_conf_all_accept_ra:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv6_conf_all_accept_ra:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv6_conf_all_accept_ra_static_run_sysctld:tst:1" version="1" check="all" comment="net.ipv6.conf.all.accept_ra static configuration in /run/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_all_accept_ra:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv6_conf_all_accept_ra:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check that only one file contains net_ipv6_conf_all_accept_ra" id="oval:ssg-test_sysctl_net_ipv6_conf_all_accept_ra_defined_in_one_file:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_sysctl_net_ipv6_conf_all_accept_ra_defined_in_one_file:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sysctl_net_ipv6_conf_all_accept_ra_defined_in_one_file:ste:1"/>
-        </ind:variable_test>
-        <unix:sysctl_test id="oval:ssg-test_sysctl_net_ipv6_conf_all_accept_redirects_runtime:tst:1" version="1" comment="kernel runtime parameter net.ipv6.conf.all.accept_redirects set to the appropriate value" check="all" check_existence="all_exist" state_operator="OR">
-          <unix:object object_ref="oval:ssg-object_sysctl_net_ipv6_conf_all_accept_redirects_runtime:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_sysctl_net_ipv6_conf_all_accept_redirects_runtime:ste:1"/>
-        </unix:sysctl_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv6_conf_all_accept_redirects_static:tst:1" version="1" check="all" check_existence="all_exist" comment="net.ipv6.conf.all.accept_redirects static configuration" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_sysctl_sysctl_net_ipv6_conf_all_accept_redirects:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv6_conf_all_accept_redirects:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv6_conf_all_accept_redirects_static_etc_sysctld:tst:1" version="1" check="all" comment="net.ipv6.conf.all.accept_redirects static configuration in /etc/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_etc_sysctld_sysctl_net_ipv6_conf_all_accept_redirects:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv6_conf_all_accept_redirects:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv6_conf_all_accept_redirects_static_run_sysctld:tst:1" version="1" check="all" comment="net.ipv6.conf.all.accept_redirects static configuration in /run/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_all_accept_redirects:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv6_conf_all_accept_redirects:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check that only one file contains net_ipv6_conf_all_accept_redirects" id="oval:ssg-test_sysctl_net_ipv6_conf_all_accept_redirects_defined_in_one_file:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_sysctl_net_ipv6_conf_all_accept_redirects_defined_in_one_file:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sysctl_net_ipv6_conf_all_accept_redirects_defined_in_one_file:ste:1"/>
-        </ind:variable_test>
-        <unix:sysctl_test id="oval:ssg-test_sysctl_net_ipv6_conf_all_accept_source_route_runtime:tst:1" version="1" comment="kernel runtime parameter net.ipv6.conf.all.accept_source_route set to the appropriate value" check="all" check_existence="all_exist" state_operator="OR">
-          <unix:object object_ref="oval:ssg-object_sysctl_net_ipv6_conf_all_accept_source_route_runtime:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_sysctl_net_ipv6_conf_all_accept_source_route_runtime:ste:1"/>
-        </unix:sysctl_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv6_conf_all_accept_source_route_static:tst:1" version="1" check="all" check_existence="all_exist" comment="net.ipv6.conf.all.accept_source_route static configuration" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_sysctl_sysctl_net_ipv6_conf_all_accept_source_route:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv6_conf_all_accept_source_route:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv6_conf_all_accept_source_route_static_etc_sysctld:tst:1" version="1" check="all" comment="net.ipv6.conf.all.accept_source_route static configuration in /etc/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_etc_sysctld_sysctl_net_ipv6_conf_all_accept_source_route:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv6_conf_all_accept_source_route:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv6_conf_all_accept_source_route_static_run_sysctld:tst:1" version="1" check="all" comment="net.ipv6.conf.all.accept_source_route static configuration in /run/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_all_accept_source_route:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv6_conf_all_accept_source_route:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check that only one file contains net_ipv6_conf_all_accept_source_route" id="oval:ssg-test_sysctl_net_ipv6_conf_all_accept_source_route_defined_in_one_file:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_sysctl_net_ipv6_conf_all_accept_source_route_defined_in_one_file:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sysctl_net_ipv6_conf_all_accept_source_route_defined_in_one_file:ste:1"/>
-        </ind:variable_test>
-        <unix:sysctl_test id="oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_runtime:tst:1" version="1" comment="kernel runtime parameter net.ipv6.conf.all.disable_ipv6 set to 1" check="all" check_existence="all_exist" state_operator="OR">
-          <unix:object object_ref="oval:ssg-object_sysctl_net_ipv6_conf_all_disable_ipv6_runtime:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_sysctl_net_ipv6_conf_all_disable_ipv6_runtime:ste:1"/>
-        </unix:sysctl_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static:tst:1" version="1" check="all" check_existence="all_exist" comment="net.ipv6.conf.all.disable_ipv6 static configuration" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_sysctl_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_etc_sysctld:tst:1" version="1" check="all" comment="net.ipv6.conf.all.disable_ipv6 static configuration in /etc/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_etc_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_static_run_sysctld:tst:1" version="1" check="all" comment="net.ipv6.conf.all.disable_ipv6 static configuration in /run/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check that only one file contains net_ipv6_conf_all_disable_ipv6" id="oval:ssg-test_sysctl_net_ipv6_conf_all_disable_ipv6_defined_in_one_file:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_sysctl_net_ipv6_conf_all_disable_ipv6_defined_in_one_file:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sysctl_net_ipv6_conf_all_disable_ipv6_defined_in_one_file:ste:1"/>
-        </ind:variable_test>
-        <unix:sysctl_test id="oval:ssg-test_sysctl_net_ipv6_conf_default_accept_ra_runtime:tst:1" version="1" comment="kernel runtime parameter net.ipv6.conf.default.accept_ra set to the appropriate value" check="all" check_existence="all_exist" state_operator="OR">
-          <unix:object object_ref="oval:ssg-object_sysctl_net_ipv6_conf_default_accept_ra_runtime:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_sysctl_net_ipv6_conf_default_accept_ra_runtime:ste:1"/>
-        </unix:sysctl_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv6_conf_default_accept_ra_static:tst:1" version="1" check="all" check_existence="all_exist" comment="net.ipv6.conf.default.accept_ra static configuration" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_sysctl_sysctl_net_ipv6_conf_default_accept_ra:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv6_conf_default_accept_ra:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv6_conf_default_accept_ra_static_etc_sysctld:tst:1" version="1" check="all" comment="net.ipv6.conf.default.accept_ra static configuration in /etc/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_etc_sysctld_sysctl_net_ipv6_conf_default_accept_ra:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv6_conf_default_accept_ra:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv6_conf_default_accept_ra_static_run_sysctld:tst:1" version="1" check="all" comment="net.ipv6.conf.default.accept_ra static configuration in /run/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_default_accept_ra:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv6_conf_default_accept_ra:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check that only one file contains net_ipv6_conf_default_accept_ra" id="oval:ssg-test_sysctl_net_ipv6_conf_default_accept_ra_defined_in_one_file:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_sysctl_net_ipv6_conf_default_accept_ra_defined_in_one_file:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sysctl_net_ipv6_conf_default_accept_ra_defined_in_one_file:ste:1"/>
-        </ind:variable_test>
-        <unix:sysctl_test id="oval:ssg-test_sysctl_net_ipv6_conf_default_accept_redirects_runtime:tst:1" version="1" comment="kernel runtime parameter net.ipv6.conf.default.accept_redirects set to the appropriate value" check="all" check_existence="all_exist" state_operator="OR">
-          <unix:object object_ref="oval:ssg-object_sysctl_net_ipv6_conf_default_accept_redirects_runtime:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_sysctl_net_ipv6_conf_default_accept_redirects_runtime:ste:1"/>
-        </unix:sysctl_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv6_conf_default_accept_redirects_static:tst:1" version="1" check="all" check_existence="all_exist" comment="net.ipv6.conf.default.accept_redirects static configuration" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_sysctl_sysctl_net_ipv6_conf_default_accept_redirects:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv6_conf_default_accept_redirects:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv6_conf_default_accept_redirects_static_etc_sysctld:tst:1" version="1" check="all" comment="net.ipv6.conf.default.accept_redirects static configuration in /etc/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_etc_sysctld_sysctl_net_ipv6_conf_default_accept_redirects:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv6_conf_default_accept_redirects:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv6_conf_default_accept_redirects_static_run_sysctld:tst:1" version="1" check="all" comment="net.ipv6.conf.default.accept_redirects static configuration in /run/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_default_accept_redirects:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv6_conf_default_accept_redirects:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check that only one file contains net_ipv6_conf_default_accept_redirects" id="oval:ssg-test_sysctl_net_ipv6_conf_default_accept_redirects_defined_in_one_file:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_sysctl_net_ipv6_conf_default_accept_redirects_defined_in_one_file:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sysctl_net_ipv6_conf_default_accept_redirects_defined_in_one_file:ste:1"/>
-        </ind:variable_test>
-        <unix:sysctl_test id="oval:ssg-test_sysctl_net_ipv6_conf_default_accept_source_route_runtime:tst:1" version="1" comment="kernel runtime parameter net.ipv6.conf.default.accept_source_route set to the appropriate value" check="all" check_existence="all_exist" state_operator="OR">
-          <unix:object object_ref="oval:ssg-object_sysctl_net_ipv6_conf_default_accept_source_route_runtime:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_sysctl_net_ipv6_conf_default_accept_source_route_runtime:ste:1"/>
-        </unix:sysctl_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv6_conf_default_accept_source_route_static:tst:1" version="1" check="all" check_existence="all_exist" comment="net.ipv6.conf.default.accept_source_route static configuration" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_sysctl_sysctl_net_ipv6_conf_default_accept_source_route:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv6_conf_default_accept_source_route:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv6_conf_default_accept_source_route_static_etc_sysctld:tst:1" version="1" check="all" comment="net.ipv6.conf.default.accept_source_route static configuration in /etc/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_etc_sysctld_sysctl_net_ipv6_conf_default_accept_source_route:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv6_conf_default_accept_source_route:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv6_conf_default_accept_source_route_static_run_sysctld:tst:1" version="1" check="all" comment="net.ipv6.conf.default.accept_source_route static configuration in /run/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_default_accept_source_route:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv6_conf_default_accept_source_route:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check that only one file contains net_ipv6_conf_default_accept_source_route" id="oval:ssg-test_sysctl_net_ipv6_conf_default_accept_source_route_defined_in_one_file:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_sysctl_net_ipv6_conf_default_accept_source_route_defined_in_one_file:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sysctl_net_ipv6_conf_default_accept_source_route_defined_in_one_file:ste:1"/>
-        </ind:variable_test>
-        <unix:sysctl_test id="oval:ssg-test_sysctl_net_ipv6_conf_default_disable_ipv6_runtime:tst:1" version="1" comment="kernel runtime parameter net.ipv6.conf.default.disable_ipv6 set to 1" check="all" check_existence="all_exist" state_operator="OR">
-          <unix:object object_ref="oval:ssg-object_sysctl_net_ipv6_conf_default_disable_ipv6_runtime:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_sysctl_net_ipv6_conf_default_disable_ipv6_runtime:ste:1"/>
-        </unix:sysctl_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv6_conf_default_disable_ipv6_static:tst:1" version="1" check="all" check_existence="all_exist" comment="net.ipv6.conf.default.disable_ipv6 static configuration" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_sysctl_sysctl_net_ipv6_conf_default_disable_ipv6:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv6_conf_default_disable_ipv6:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv6_conf_default_disable_ipv6_static_etc_sysctld:tst:1" version="1" check="all" comment="net.ipv6.conf.default.disable_ipv6 static configuration in /etc/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_etc_sysctld_sysctl_net_ipv6_conf_default_disable_ipv6:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv6_conf_default_disable_ipv6:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_net_ipv6_conf_default_disable_ipv6_static_run_sysctld:tst:1" version="1" check="all" comment="net.ipv6.conf.default.disable_ipv6 static configuration in /run/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_default_disable_ipv6:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_net_ipv6_conf_default_disable_ipv6:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check that only one file contains net_ipv6_conf_default_disable_ipv6" id="oval:ssg-test_sysctl_net_ipv6_conf_default_disable_ipv6_defined_in_one_file:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_sysctl_net_ipv6_conf_default_disable_ipv6_defined_in_one_file:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sysctl_net_ipv6_conf_default_disable_ipv6_defined_in_one_file:ste:1"/>
-        </ind:variable_test>
-        <unix:sysctl_test id="oval:ssg-test_sysctl_user_max_user_namespaces_runtime:tst:1" version="1" comment="kernel runtime parameter user.max_user_namespaces set to 0" check="all" check_existence="all_exist" state_operator="OR">
-          <unix:object object_ref="oval:ssg-object_sysctl_user_max_user_namespaces_runtime:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_sysctl_user_max_user_namespaces_runtime:ste:1"/>
-        </unix:sysctl_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_user_max_user_namespaces_static:tst:1" version="1" check="all" check_existence="all_exist" comment="user.max_user_namespaces static configuration" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_sysctl_sysctl_user_max_user_namespaces:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_user_max_user_namespaces:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_user_max_user_namespaces_static_etc_sysctld:tst:1" version="1" check="all" comment="user.max_user_namespaces static configuration in /etc/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_etc_sysctld_sysctl_user_max_user_namespaces:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_user_max_user_namespaces:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_sysctl_user_max_user_namespaces_static_run_sysctld:tst:1" version="1" check="all" comment="user.max_user_namespaces static configuration in /run/sysctl.d/*.conf" state_operator="OR">
-          <ind:object object_ref="oval:ssg-object_static_run_sysctld_sysctl_user_max_user_namespaces:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_static_sysctld_sysctl_user_max_user_namespaces:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test check="all" check_existence="all_exist" comment="Check that only one file contains user_max_user_namespaces" id="oval:ssg-test_sysctl_user_max_user_namespaces_defined_in_one_file:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_sysctl_user_max_user_namespaces_defined_in_one_file:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sysctl_user_max_user_namespaces_defined_in_one_file:ste:1"/>
-        </ind:variable_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_zipl_audit_argument_audit_1_argument_in_boot_loader_entries_conf:tst:1" comment="Check if argument audit=1 is present in the line starting with 'options ' in /boot/loader/entries/.*.conf" check="all" check_existence="all_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_zipl_audit_argument_audit_1_argument_in_boot_loader_entries_conf:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_zipl_audit_argument_audit_1_argument_in_boot_loader_entries_conf:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_zipl_audit_argument_audit_1_argument_in_etc_kernel_cmdline:tst:1" comment="Check if argument audit=1 is present in /etc/kernel/cmdline" check="all" check_existence="all_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_zipl_audit_argument_audit_1_argument_in_etc_kernel_cmdline:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_zipl_audit_argument_audit_1_argument_in_etc_kernel_cmdline:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_zipl_audit_backlog_limit_argument_audit_backlog_limit_8192_argument_in_boot_loader_entries_conf:tst:1" comment="Check if argument audit_backlog_limit=8192 is present in the line starting with 'options ' in /boot/loader/entries/.*.conf" check="all" check_existence="all_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_zipl_audit_backlog_limit_argument_audit_backlog_limit_8192_argument_in_boot_loader_entries_conf:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_zipl_audit_backlog_limit_argument_audit_backlog_limit_8192_argument_in_boot_loader_entries_conf:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_zipl_audit_backlog_limit_argument_audit_backlog_limit_8192_argument_in_etc_kernel_cmdline:tst:1" comment="Check if argument audit_backlog_limit=8192 is present in /etc/kernel/cmdline" check="all" check_existence="all_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_zipl_audit_backlog_limit_argument_audit_backlog_limit_8192_argument_in_etc_kernel_cmdline:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_zipl_audit_backlog_limit_argument_audit_backlog_limit_8192_argument_in_etc_kernel_cmdline:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_zipl_page_poison_argument_page_poison_1_argument_in_boot_loader_entries_conf:tst:1" comment="Check if argument page_poison=1 is present in the line starting with 'options ' in /boot/loader/entries/.*.conf" check="all" check_existence="all_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_zipl_page_poison_argument_page_poison_1_argument_in_boot_loader_entries_conf:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_zipl_page_poison_argument_page_poison_1_argument_in_boot_loader_entries_conf:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_zipl_page_poison_argument_page_poison_1_argument_in_etc_kernel_cmdline:tst:1" comment="Check if argument page_poison=1 is present in /etc/kernel/cmdline" check="all" check_existence="all_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_zipl_page_poison_argument_page_poison_1_argument_in_etc_kernel_cmdline:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_zipl_page_poison_argument_page_poison_1_argument_in_etc_kernel_cmdline:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_zipl_slub_debug_argument_slub_debug_P_argument_in_boot_loader_entries_conf:tst:1" comment="Check if argument slub_debug=P is present in the line starting with 'options ' in /boot/loader/entries/.*.conf" check="all" check_existence="all_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_zipl_slub_debug_argument_slub_debug_P_argument_in_boot_loader_entries_conf:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_zipl_slub_debug_argument_slub_debug_P_argument_in_boot_loader_entries_conf:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_zipl_slub_debug_argument_slub_debug_P_argument_in_etc_kernel_cmdline:tst:1" comment="Check if argument slub_debug=P is present in /etc/kernel/cmdline" check="all" check_existence="all_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_zipl_slub_debug_argument_slub_debug_P_argument_in_etc_kernel_cmdline:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_zipl_slub_debug_argument_slub_debug_P_argument_in_etc_kernel_cmdline:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_zipl_vsyscall_argument_vsyscall_none_argument_in_boot_loader_entries_conf:tst:1" comment="Check if argument vsyscall=none is present in the line starting with 'options ' in /boot/loader/entries/.*.conf" check="all" check_existence="all_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_zipl_vsyscall_argument_vsyscall_none_argument_in_boot_loader_entries_conf:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_zipl_vsyscall_argument_vsyscall_none_argument_in_boot_loader_entries_conf:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_zipl_vsyscall_argument_vsyscall_none_argument_in_etc_kernel_cmdline:tst:1" comment="Check if argument vsyscall=none is present in /etc/kernel/cmdline" check="all" check_existence="all_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_zipl_vsyscall_argument_vsyscall_none_argument_in_etc_kernel_cmdline:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_zipl_vsyscall_argument_vsyscall_none_argument_in_etc_kernel_cmdline:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="check the configuration of /etc/pam.d/system-auth" id="oval:ssg-test_accounts_password_pam_faillock:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_accounts_password_pam_faillock:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="check the configuration of /etc/pam.d/system-auth" id="oval:ssg-test_password_pam_pwquality:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_password_pam_pwquality:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl" id="oval:ssg-test_audit_rules_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules" id="oval:ssg-test_audit_rules_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_audit_rules_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit setdomainname" id="oval:ssg-test_32bit_ardm_setdomainname_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_ardm_setdomainname_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit setdomainname" id="oval:ssg-test_64bit_ardm_setdomainname_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_ardm_setdomainname_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit setdomainname" id="oval:ssg-test_32bit_ardm_setdomainname_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_ardm_setdomainname_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit setdomainname" id="oval:ssg-test_64bit_ardm_setdomainname_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_ardm_setdomainname_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 32-bit sethostname" id="oval:ssg-test_32bit_ardm_sethostname_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_ardm_sethostname_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit augenrules 64-bit sethostname" id="oval:ssg-test_64bit_ardm_sethostname_augenrules:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_ardm_sethostname_augenrules:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 32-bit sethostname" id="oval:ssg-test_32bit_ardm_sethostname_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_32bit_ardm_sethostname_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="audit auditctl 64-bit sethostname" id="oval:ssg-test_64bit_ardm_sethostname_auditctl:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_64bit_ardm_sethostname_auditctl:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_auditd_conf_log_file_not_set:tst:1" check="all" check_existence="none_exist" comment="log_file not set" version="1">
-          <ind:object object_ref="oval:ssg-object_auditd_conf_log_file:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_auditd_conf_log_group_not_root:tst:1" check="all" check_existence="none_exist" comment="log_group = root" version="1">
-          <ind:object object_ref="oval:ssg-object_auditd_conf_log_group_root:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_auditd_conf_log_group_is_set:tst:1" check="all" check_existence="all_exist" comment="log_group is set" version="1">
-          <ind:object object_ref="oval:ssg-object_auditd_conf_log_group_is_set:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_bootloader_disable_recovery_set_to_true:tst:1" comment="Check for GRUB_DISABLE_RECOVERY=true in /etc/default/grub" check="all" check_existence="all_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_bootloader_disable_recovery_argument:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_bootloader_disable_recovery_argument:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="Ensure more than one chronyd NTP server is set" id="oval:ssg-test_chronyd_multiple_servers:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_chronyd_multiple_servers:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_grub2_default_exists:tst:1" comment="check for GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub" check="all" check_existence="all_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_grub2_default_exists:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_grub2_entries_reference_kernelopts:tst:1" comment="check kernel command line parameters for referenced boot entries reference the $kernelopts variable." check="all" check_existence="all_exist" version="1">
-          <ind:object object_ref="oval:ssg-object_grub2_entries_reference_kernelopts:obj:1"/>
-        </ind:textfilecontent54_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="alinux-release is version 2" id="oval:ssg-test_alinux2:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_alinux2:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_alinux2:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="alinux-release is version 3" id="oval:ssg-test_alinux3:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_alinux3:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_alinux3:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="centos-release is version 7" id="oval:ssg-test_centos7:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_centos7:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_centos7:ste:1"/>
-        </linux:rpminfo_test>
-        <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check os-release ID" id="oval:ssg-test_centos8_name:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_name_centos8:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_name_centos8:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="Check os-release VERSION_ID" id="oval:ssg-test_centos8_version:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_version_centos8:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_version_centos8:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check os-release ID" id="oval:ssg-test_centos9_name:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_name_centos9:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_name_centos9:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="Check os-release VERSION_ID" id="oval:ssg-test_centos9_version:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_version_centos9:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_version_centos9:ste:1"/>
-        </ind:textfilecontent54_test>
-        <unix:file_test check="all" check_existence="all_exist" comment="/etc/debian_version exists" id="oval:ssg-test_debian:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-obj_debian:obj:1"/>
-        </unix:file_test>
-        <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check Debian version" id="oval:ssg-test_debian_10:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_debian_10:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check Debian version" id="oval:ssg-test_debian_11:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_debian_11:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check Debian version" id="oval:ssg-test_debian_9:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_debian_9:obj:1"/>
-        </ind:textfilecontent54_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="fedora-release RPM packages are installed" id="oval:ssg-test_fedora_release_rpm:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-object_fedora_release_rpm:obj:1"/>
-        </linux:rpminfo_test>
-        <ind:textfilecontent54_test check="all" comment="CPE vendor is 'fedoraproject' and 'product' is fedora" id="oval:ssg-test_fedora_vendor_product:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_fedora_vendor_product:obj:1"/>
-        </ind:textfilecontent54_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="oraclelinux-release is version 7" id="oval:ssg-test_ol7_system:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_ol7_system:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_ol7_system:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="oraclelinux-release is version 8" id="oval:ssg-test_ol8_system:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_ol8_system:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_ol8_system:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="oraclelinux-release is version 9" id="oval:ssg-test_ol9_system:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_ol9_system:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_ol9_system:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="openSUSE is installed" id="oval:ssg-test_opensuse_installed:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_opensuse_installed:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_opensuse_installed:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="openSUSE Leap 15 is installed" id="oval:ssg-test_opensuse_leap15_installed:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_opensuse_leap15_installed:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_opensuse_leap15_installed:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="openSUSE Leap 42 is installed" id="oval:ssg-test_opensuse_leap42_installed:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_opensuse_leap42_installed:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_opensuse_leap42_installed:ste:1"/>
-        </linux:rpminfo_test>
-        <ind:family_test id="oval:ssg-test_unix_family:tst:1" check="all" check_existence="at_least_one_exists" comment="Test installed OS is part of the unix family" version="1">
-          <ind:object object_ref="oval:ssg-object_unix_family:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_unix_family:ste:1"/>
-        </ind:family_test>
-        <ind:textfilecontent54_test check="all" comment="os-release is rhcos" id="oval:ssg-test_rhcos:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_rhcos:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_rhcos:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="rhcoreos is version 4" id="oval:ssg-test_rhcos4:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_rhcos4:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_rhcos4:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:family_test check="all" check_existence="at_least_one_exists" comment="installed OS part of unix family" id="oval:ssg-test_rhel7_unix_family:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_rhel7_unix_family:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_rhel7_unix_family:ste:1"/>
-        </ind:family_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release-client is version 7" id="oval:ssg-test_rhel7_client:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhel7_client:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhel7_client:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release-workstation is version 7" id="oval:ssg-test_rhel7_workstation:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhel7_workstation:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhel7_workstation:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release-server is version 7" id="oval:ssg-test_rhel7_server:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhel7_server:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhel7_server:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release-computenode is version 7" id="oval:ssg-test_rhel7_computenode:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhel7_computenode:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhel7_computenode:ste:1"/>
-        </linux:rpminfo_test>
-        <ind:textfilecontent54_test check="all" comment="RHEVH base RHEL is version 7" id="oval:ssg-test_rhevh_rhel7_version:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_rhevh_rhel7_version:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_rhevh_rhel7_version:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:family_test check="all" check_existence="at_least_one_exists" comment="installed OS part of unix family" id="oval:ssg-test_rhel8_unix_family:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_rhel8_unix_family:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_rhel8_unix_family:ste:1"/>
-        </ind:family_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release is version 8" id="oval:ssg-test_rhel8:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhel8:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhel8:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release is version 8.0" id="oval:ssg-test_rhel8_0:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhel8_0:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhel8_0:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release is version 8.1" id="oval:ssg-test_rhel8_1:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhel8_1:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhel8_1:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release is version 8.2" id="oval:ssg-test_rhel8_2:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhel8_2:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhel8_2:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release is version 8.3" id="oval:ssg-test_rhel8_3:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhel8_3:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhel8_3:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release is version 8.4" id="oval:ssg-test_rhel8_4:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhel8_4:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhel8_4:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release is version 8.5" id="oval:ssg-test_rhel8_5:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhel8_5:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhel8_5:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release is version 8.6" id="oval:ssg-test_rhel8_6:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhel8_6:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhel8_6:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release is version 8.7" id="oval:ssg-test_rhel8_7:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhel8_7:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhel8_7:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release is version 8.8" id="oval:ssg-test_rhel8_8:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhel8_8:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhel8_8:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release is version 8.9" id="oval:ssg-test_rhel8_9:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhel8_9:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhel8_9:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release is version 8.10" id="oval:ssg-test_rhel8_10:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhel8_10:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhel8_10:ste:1"/>
-        </linux:rpminfo_test>
-        <ind:textfilecontent54_test check="all" comment="RHEVH base RHEL is version 8" id="oval:ssg-test_rhevh_rhel8_version:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_rhevh_rhel8_version:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_rhevh_rhel8_version:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:family_test check="all" check_existence="at_least_one_exists" comment="installed OS part of unix family" id="oval:ssg-test_rhel9_unix_family:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_rhel9_unix_family:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_rhel9_unix_family:ste:1"/>
-        </ind:family_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release is version 9" id="oval:ssg-test_rhel9:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhel9:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhel9:ste:1"/>
-        </linux:rpminfo_test>
-        <ind:textfilecontent54_test check="all" comment="RHEVH base RHEL is version 9" id="oval:ssg-test_rhevh_rhel9_version:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_rhevh_rhel9_version:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_rhevh_rhel9_version:ste:1"/>
-        </ind:textfilecontent54_test>
-        <linux:rpminfo_test check="all" check_existence="only_one_exists" comment="redhat-release-virtualization-host RPM package is installed" id="oval:ssg-test_rhvh4_version:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhvh4_version:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhvh4_version:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="sl-release is version 7" id="oval:ssg-test_sl7:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_sl7:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_sl7:ste:1"/>
-        </linux:rpminfo_test>
-        <ind:family_test check="all" check_existence="at_least_one_exists" comment="installed OS part of unix family" id="oval:ssg-test_sle12_unix_family:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_sle12_unix_family:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sle12_unix_family:ste:1"/>
-        </ind:family_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="sled-release is version 6" id="oval:ssg-test_sle12_desktop:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_sle12_desktop:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_sle12_desktop:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="sles-release is version 6" id="oval:ssg-test_sle12_server:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_sle12_server:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_sle12_server:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="SLES_SAP-release is version 12" id="oval:ssg-test_sles_12_for_sap:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_sles_12_for_sap:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_sles_12_for_sap:ste:1"/>
-        </linux:rpminfo_test>
-        <ind:family_test check="all" check_existence="at_least_one_exists" comment="installed OS part of unix family" id="oval:ssg-test_sle15_unix_family:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_sle15_unix_family:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sle15_unix_family:ste:1"/>
-        </ind:family_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="sled-release is version 15" id="oval:ssg-test_sle15_desktop:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_sle15_desktop:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_sle15_desktop:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="sles-release is version 15" id="oval:ssg-test_sle15_server:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_sle15_server:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_sle15_server:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="SLES_SAP-release is version 15" id="oval:ssg-test_sles_15_for_sap:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_sles_15_for_sap:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_sles_15_for_sap:ste:1"/>
-        </linux:rpminfo_test>
-        <unix:file_test check="all" check_existence="all_exist" comment="/etc/lsb-release exists" id="oval:ssg-test_lsb:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-obj_lsb:obj:1"/>
-        </unix:file_test>
-        <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check Ubuntu" id="oval:ssg-test_ubuntu:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_ubuntu:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check Ubuntu version" id="oval:ssg-test_ubuntu_xenial:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_ubuntu_xenial:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check Ubuntu version" id="oval:ssg-test_ubuntu_bionic:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_ubuntu_bionic:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check Ubuntu version" id="oval:ssg-test_ubuntu_focal:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_ubuntu_focal:obj:1"/>
-        </ind:textfilecontent54_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="uos-release is version 20" id="oval:ssg-test_uos20:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_uos20:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_uos20:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="rhevm4-appliance is installed" id="oval:ssg-test_rhevm4_version:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhevm4_version:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhevm4_version:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_env_has_audit_installed:tst:1" version="1" comment="system has package audit installed">
-          <linux:object object_ref="oval:ssg-obj_env_has_audit_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg-test_env_has_chrony_installed:tst:1" version="1" comment="package chrony is installed">
-          <linux:object object_ref="oval:ssg-obj_test_env_has_chrony_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_env_has_gdm_installed:tst:1" version="1" comment="system has package gdm installed">
-          <linux:object object_ref="oval:ssg-obj_env_has_gdm_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_env_has_grub2_installed:tst:1" version="1" comment="system has package grub2-common installed">
-          <linux:object object_ref="oval:ssg-obj_env_has_grub2_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <unix:file_test check="all" check_existence="all_exist" comment="Check if /sys/firmware/opal exists" id="oval:ssg-test_system_using_opal:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_system_using_opal:obj:1"/>
-        </unix:file_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_env_has_libuser_installed:tst:1" version="1" comment="system has package libuser installed">
-          <linux:object object_ref="oval:ssg-obj_env_has_libuser_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_env_has_login_defs_installed:tst:1" version="1" comment="system has package shadow-utils installed, which provides the /etc/login.defs file.">
-          <linux:object object_ref="oval:ssg-obj_env_has_login_defs_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_env_has_net-snmp_installed:tst:1" version="1" comment="system has package net-snmp installed">
-          <linux:object object_ref="oval:ssg-obj_env_has_net-snmp_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_env_has_nss-pam-ldapd_installed:tst:1" version="1" comment="system has package nss-pam-ldapd installed">
-          <linux:object object_ref="oval:ssg-obj_env_has_nss-pam-ldapd_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg-test_env_has_ntp_installed:tst:1" version="1" comment="package ntp is installed">
-          <linux:object object_ref="oval:ssg-obj_test_env_has_ntp_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_env_has_ovirt-host_installed:tst:1" version="1" comment="system has package ovirt-host installed">
-          <linux:object object_ref="oval:ssg-obj_env_has_ovirt-host_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_env_has_ovirt-engine_installed:tst:1" version="1" comment="system has package ovirt-engine installed">
-          <linux:object object_ref="oval:ssg-obj_env_has_ovirt-engine_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_env_has_pam_installed:tst:1" version="1" comment="system has package pam installed">
-          <linux:object object_ref="oval:ssg-obj_env_has_pam_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg-test_env_has_polkit_installed:tst:1" version="1" comment="package polkit is installed">
-          <linux:object object_ref="oval:ssg-obj_test_env_has_polkit_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg-test_env_has_postfix_installed:tst:1" version="1" comment="package postfix is installed">
-          <linux:object object_ref="oval:ssg-obj_test_env_has_postfix_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_env_has_sssd-common_installed:tst:1" version="1" comment="system has package sssd-common installed">
-          <linux:object object_ref="oval:ssg-obj_env_has_sssd-common_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_env_has_sudo_installed:tst:1" version="1" comment="system has package sudo installed">
-          <linux:object object_ref="oval:ssg-obj_env_has_sudo_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_env_has_systemd_installed:tst:1" version="1" comment="system has package systemd installed">
-          <linux:object object_ref="oval:ssg-obj_env_has_systemd_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_env_has_tftp_server_installed:tst:1" version="1" comment="system has package tftp-server installed">
-          <linux:object object_ref="oval:ssg-obj_env_has_tftp_server_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_env_has_tmux_installed:tst:1" version="1" comment="system has package tmux installed">
-          <linux:object object_ref="oval:ssg-obj_env_has_tmux_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_env_has_usbguard_installed:tst:1" version="1" comment="system has package usbguard installed">
-          <linux:object object_ref="oval:ssg-obj_env_has_usbguard_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <unix:file_test check="all" check_existence="all_exist" comment="Test if /proc/net/wireless exists" id="oval:ssg-test_proc_net_wireless_exists:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_proc_net_wireless_exists:obj:1"/>
-        </unix:file_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_env_has_yum_installed:tst:1" version="1" comment="system has package yum installed">
-          <linux:object object_ref="oval:ssg-obj_env_has_yum_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_env_has_zipl_installed:tst:1" version="1" comment="system has package zipl installed">
-          <linux:object object_ref="oval:ssg-obj_env_has_zipl_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <unix:file_test check="all" check_existence="all_exist" comment="Check if /.dockerenv exists" id="oval:ssg-test_installed_env_is_a_docker_container:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_installed_env_is_a_docker_container:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="all_exist" comment="Check if /run/.containerenv exists" id="oval:ssg-test_installed_env_is_a_podman_container:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_installed_env_is_a_podman_container:obj:1"/>
-        </unix:file_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="Kerberos server version is lesser than 1.17-18" id="oval:ssg-test_krb5_server_version_1_17_18:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_krb5_server_version_1_17_18:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_krb5_server_version_1_17_18:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="Kerberos workstaton version is lesser than 1.17-18" id="oval:ssg-test_krb5_workstation_version_1_17_18:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_krb5_workstation_version_1_17_18:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_krb5_workstation_version_1_17_18:ste:1"/>
-        </linux:rpminfo_test>
-        <ind:textfilecontent54_test id="oval:ssg-test_no_cd_dvd_drive_in_etc_fstab:tst:1" check_existence="none_exist" check="all" comment="'CD/DVD drive is not listed in /etc/fstab" version="1">
-          <ind:object object_ref="oval:ssg-object_no_cd_dvd_drive_in_etc_fstab:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="proc_sys_kernel is for aarch64 architecture" id="oval:ssg-test_proc_sys_kernel_osrelease_arch_aarch64:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_proc_sys_kernel_osrelease_arch_aarch64:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_proc_sys_kernel_osrelease_arch_aarch64:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="proc_sys_kernel is for ppc64le architecture" id="oval:ssg-test_proc_sys_kernel_osrelease_arch_ppc64le:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_proc_sys_kernel_osrelease_arch_ppc64le:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_proc_sys_kernel_osrelease_arch_ppc64le:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="proc_sys_kernel is for s390x architecture" id="oval:ssg-test_proc_sys_kernel_osrelease_arch_s390x:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_proc_sys_kernel_osrelease_arch_s390x:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_proc_sys_kernel_osrelease_arch_s390x:ste:1"/>
-        </ind:textfilecontent54_test>
-        <unix:file_test id="oval:ssg-test_removable_partition_doesnt_exist:tst:1" check="all" check_existence="none_exist" comment="Check if expected removable partitions truly exist on the system" version="1">
-          <unix:object object_ref="oval:ssg-object_removable_partition_doesnt_exist:obj:1"/>
-        </unix:file_test>
-        <ind:variable_test id="oval:ssg-test_sshd_not_required:tst:1" comment="Verify if Profile set Value sshd_required as not required" check="all" check_existence="at_least_one_exists" version="1">
-          <ind:object object_ref="oval:ssg-object_sshd_not_required:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sshd_not_required:ste:1"/>
-        </ind:variable_test>
-        <ind:variable_test id="oval:ssg-test_sshd_required:tst:1" comment="Verify if Profile set Value sshd_required as required" check="all" check_existence="at_least_one_exists" version="1">
-          <ind:object object_ref="oval:ssg-object_sshd_required:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sshd_required:ste:1"/>
-        </ind:variable_test>
-        <ind:variable_test id="oval:ssg-test_sshd_requirement_unset:tst:1" comment="Verify if Value of sshd_required is the default" check="all" check_existence="at_least_one_exists" version="1">
-          <ind:object object_ref="oval:ssg-object_sshd_requirement_unknown:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sshd_requirement_unset:ste:1"/>
-        </ind:variable_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="OpenSSH is version 7.4 or higher" id="oval:ssg-test_openssh-server_version:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_openssh-server_version:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_openssh-server_version:ste:1"/>
-        </linux:rpminfo_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="SSSD Configuration is set to use Active Directory" id="oval:ssg-test_id_provider_is_set_to_ad:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_id_provider_is_set_to_ad:obj:1"/>
-        </ind:textfilecontent54_test>
-        <unix:file_test check="all" check_existence="at_least_one_exists" comment="Verify if /sys/firmware/efi folder exists" id="oval:ssg-test_efi_dir_existence:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_file_sys_firmware_efi:obj:1"/>
-        </unix:file_test>
-        <unix:uname_test check="all" comment="64 bit architecture" id="oval:ssg-test_system_info_architecture_aarch_64:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_system_info_architecture_aarch_64:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_system_info_architecture_aarch_64:ste:1"/>
-        </unix:uname_test>
-        <unix:uname_test check="all" comment="64 bit architecture" id="oval:ssg-test_system_info_architecture_ppc_64:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_system_info_architecture_ppc_64:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_system_info_architecture_ppc_64:ste:1"/>
-        </unix:uname_test>
-        <unix:uname_test check="all" comment="64 bit architecture" id="oval:ssg-test_system_info_architecture_ppcle_64:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_system_info_architecture_ppcle_64:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_system_info_architecture_ppcle_64:ste:1"/>
-        </unix:uname_test>
-        <unix:uname_test check="all" comment="64 bit architecture" id="oval:ssg-test_system_info_architecture_s390_64:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_system_info_architecture_s390_64:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_system_info_architecture_s390_64:ste:1"/>
-        </unix:uname_test>
-        <unix:uname_test check="all" comment="32 bit architecture" id="oval:ssg-test_system_info_architecture_x86:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_system_info_architecture_x86:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_system_info_architecture_x86:ste:1"/>
-        </unix:uname_test>
-        <unix:uname_test check="all" comment="64 bit architecture" id="oval:ssg-test_system_info_architecture_x86_64:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_system_info_architecture_x86_64:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_system_info_architecture_x86_64:ste:1"/>
-        </unix:uname_test>
-        <unix:file_test check="all" comment="Check /etc/tmux.conf is readable by others" id="oval:ssg-test_tmux_conf_readable_by_others:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_tmux_conf_readable_by_others:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_tmux_conf_readable_by_others:ste:1"/>
-        </unix:file_test>
-        <ind:textfilecontent54_test check_existence="at_least_one_exists" check="all" comment="Check the usbguard rules in either /etc/usbguard/rules.conf or /etc/usbguard/rules.d/ contain at least one non whitespace character and exists" id="oval:ssg-test_usbguard_rules_nonempty:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_usbguard_rules_nonempty:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:variable_test id="oval:ssg-test_existence_of_var_accounts_user_umask_as_number_variable:tst:1" comment="Verify the existence of var_accounts_user_umask_as_number variable" check="all" check_existence="at_least_one_exists" version="1">
-          <ind:object object_ref="oval:ssg-object_var_accounts_user_umask_umask_as_number:obj:1"/>
-        </ind:variable_test>
-        <ind:variable_test id="oval:ssg-test_var_removable_partition_is_cd_dvd_drive:tst:1" check="all" comment="Check if removable partition variable value represents CD/DVD drive" version="1">
-          <ind:object object_ref="oval:ssg-object_var_removable_partition_is_cd_dvd_drive:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_var_removable_partition_is_cd_dvd_drive:ste:1"/>
-        </ind:variable_test>
-        <ind:variable_test id="oval:ssg-test_existence_of_var_umask_for_daemons_as_number_variable:tst:1" comment="Verify the existence of var_umask_for_daemons_as_number variable" check="all" check_existence="at_least_one_exists" version="1">
-          <ind:object object_ref="oval:ssg-object_var_umask_for_daemons_umask_as_number:obj:1"/>
-        </ind:variable_test>
-      </oval-def:tests>
-      <oval-def:objects>
-        <unix:file_object id="oval:ssg-obj_kerberos_disable_no_keytab:obj:1" version="1" comment="Default Kerberos keytab file">
-          <unix:filepath operation="pattern match">^/etc/.+\.keytab$</unix:filepath>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_root_mail_alias:obj:1" version="1">
-          <ind:filepath operation="equals">/etc/aliases</ind:filepath>
-          <ind:pattern operation="pattern match">^(?:[rR][oO][oO][tT]|"[rR][oO][oO][tT]")\s*:\s*(.+)$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_postmaster_mail_alias:obj:1" version="1">
-          <ind:filepath operation="equals">/etc/aliases</ind:filepath>
-          <ind:pattern operation="pattern match">^(?i)postmaster\s*:\s*(.+)$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_chronyd_port_value:obj:1" version="1">
-          <ind:filepath>/etc/chrony.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*port[\s]+(\S+)</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_chronyd_cmdport_value:obj:1" version="1">
-          <ind:filepath>/etc/chrony.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*cmdport[\s]+(\S+)</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_ntp_set_maxpoll:obj:1" version="1">
-          <ind:filepath>/etc/ntp.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^server[\s]+[\S]+.*maxpoll[\s]+(\d+)</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_chrony_set_maxpoll:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/chrony\.(conf|d/.+\.conf)$</ind:filepath>
-          <ind:pattern operation="pattern match">^(?:server|pool|peer)[\s]+[\S]+.*maxpoll[\s]+(\d+)</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_ntp_all_server_has_maxpoll:obj:1" version="1">
-          <ind:filepath>/etc/ntp.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^server[\s]+[\S]+[\s]+(.*)</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_chrony_all_server_has_maxpoll:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/chrony\.(conf|d/.+\.conf)$</ind:filepath>
-          <ind:pattern operation="pattern match">^(?:server|pool|peer)[\s]+[\S]+[\s]+(.*)</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_chrony_no_server_nor_pool:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/chrony\.(conf|d/.+\.conf)$</ind:filepath>
-          <ind:pattern operation="pattern match">^(?:server|pool).*</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_ntp_no_server_nor_pool:obj:1" version="1">
-          <ind:filepath>/etc/ntp.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^server.*</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object comment="Matches server entries in Chrony conf files" id="oval:ssg-object_chronyd_server_directive:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/chrony\.(conf|d/.+\.conf)$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*server.*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object comment="Matches pool entires in Chrony conf files" id="oval:ssg-object_chronyd_no_pool_directive:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/chrony\.(conf|d/.+\.conf)$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]+pool.*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object comment="Ensure at least one NTP server is set" id="oval:ssg-object_chronyd_remote_server:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/chrony\.(conf|d/.+\.conf)$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*(?:server|pool)[\s]+.+$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object comment="Ensure more than one ntpd NTP server is set" id="oval:ssg-obj_ntpd_multiple_servers:obj:1" version="1">
-          <ind:filepath>/etc/ntp.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^([\s]*server[\s]+.+$){2,}$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object comment="Ensure at least one ntpd NTP server is set" id="oval:ssg-obj_ntp_remote_server:obj:1" version="1">
-          <ind:filepath>/etc/ntp.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*server[\s]+.+$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:file_object comment="look for .rhosts in /root" id="oval:ssg-object_no_rsh_trust_files_root:obj:1" version="1">
-          <unix:path operation="equals">/root</unix:path>
-          <unix:filename operation="pattern match">^\.rhosts$</unix:filename>
-        </unix:file_object>
-        <unix:file_object comment="look for .rhosts in /home" id="oval:ssg-object_no_rsh_trust_files_home:obj:1" version="1">
-          <unix:behaviors recurse="directories" recurse_direction="down" max_depth="1" recurse_file_system="all"/>
-          <unix:path operation="equals">/home</unix:path>
-          <unix:filename operation="pattern match">^\.rhosts$</unix:filename>
-        </unix:file_object>
-        <unix:file_object comment="look for /etc/hosts.equiv" id="oval:ssg-object_no_rsh_trust_files_etc:obj:1" version="1">
-          <unix:path operation="equals">/etc</unix:path>
-          <unix:filename operation="pattern match">^hosts\.equiv$</unix:filename>
-        </unix:file_object>
-        <unix:file_object comment="All keys in /etc/ssh with unsafe ownership/permission combination" id="oval:ssg-object_offending_keys:obj:1" version="1">
-          <unix:path>/etc/ssh</unix:path>
-          <unix:filename operation="pattern match">.*_key$</unix:filename>
-          <oval-def:filter action="exclude">oval:ssg-exclude_symlinks__sshd_private_key:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-filter_ssh_key_owner_root:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-filter_ssh_key_owner_ssh_keys:ste:1</oval-def:filter>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_dedicated_group_gid:obj:1" version="1" comment="gid of the dedicated ssh key group">
-          <ind:filepath>/usr/lib/group</ind:filepath>
-          <ind:pattern operation="pattern match">^ssh_keys:\w+:(\w+):.*</ind:pattern>
-          <ind:instance datatype="int" operation="equals">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_ssh_client_rekey_limit_main_config:obj:1" version="1">
-          <ind:filepath>/etc/ssh/ssh_config</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*RekeyLimit.*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_ssh_client_rekey_limit_include_configs:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/ssh/ssh_config\.d/.*\.conf$</ind:filepath>
-          <ind:pattern var_ref="oval:ssg-ssh_client_line_regex:var:1" operation="pattern match"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sshd_allow_only_protocol2:obj:1" version="3">
-          <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*(?i)Protocol[\s]+2[\s]*(?:|(?:#.*))?$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_sshd_disable_compression:obj:1" version="1">
-          <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
-          <ind:pattern operation="pattern match">^[ \t]*(?i)Compression(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_sshd_disable_rhosts_rsa:obj:1" version="2">
-          <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*(?i)RhostsRSAAuthentication(?-i)[\s]+no[\s]*(?:#.*)?$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_sshd_rekey_limit:obj:1" version="1">
-          <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
-          <ind:pattern var_ref="oval:ssg-sshd_line_regex:var:1" operation="pattern match"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sshd_idle_timeout:obj:1" version="2">
-          <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*(?i)ClientAliveInterval[\s]+(\d+)[\s]*(?:#.*)?$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_sshd_clientalivecountmax:obj:1" version="2">
-          <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*(?i)ClientAliveCountMax[\s]+([\d]+)[\s]*(?:#.*)?$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sshd_login_grace_time:obj:1" version="2">
-          <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*(?i)LoginGraceTime[\s]+(\d+)[\s]*(?:#.*)?$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sshd_max_auth_tries:obj:1" version="2">
-          <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*(?i)MaxAuthTries[\s]+(\d+)[\s]*(?:#.*)?$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sshd_max_sessions:obj:1" version="2">
-          <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*(?i)MaxSessions[\s]+(\d+)[\s]*(?:#.*)?$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_sshd_config_maxstartups_first_parameter:obj:1" version="1">
-          <ind:filepath operation="equals">/etc/ssh/sshd_config</ind:filepath>
-          <ind:pattern operation="pattern match" datatype="string">(?i)^\s*MaxStartups\s+(\d+):\d+:\d+\s*$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_sshd_config_maxstartups_second_parameter:obj:1" version="1">
-          <ind:filepath operation="equals">/etc/ssh/sshd_config</ind:filepath>
-          <ind:pattern operation="pattern match" datatype="string">(?i)^\s*MaxStartups\s+\d+:(\d+):\d+\s*$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_sshd_config_maxstartups_third_parameter:obj:1" version="1">
-          <ind:filepath operation="equals">/etc/ssh/sshd_config</ind:filepath>
-          <ind:pattern operation="pattern match" datatype="string">(?i)^\s*MaxStartups\s+\d+:\d+:(\d+)\s*$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_sshd_use_priv_separation:obj:1" version="1">
-          <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
-          <ind:pattern operation="pattern match">^[ \t]*(?i)UsePrivilegeSeparation(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_sssd_enable_smartcards:obj:1" version="1">
-          <ind:filepath>/etc/sssd/sssd.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*\[pam](?:[^\n\[]*\n+)+?[\s]*pam_cert_auth[\s]*=[\s]*(?i)true\s*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_sssd_offline_cred_expiration:obj:1" version="1">
-          <ind:filepath>/etc/sssd/sssd.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*\[pam](?:[^\n\[]*\n+)+?[\s]*offline_credentials_expiration[\s]*=[\s]*1\s*(?:#.*)?$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_sssd_user_value:obj:1" comment="get last user value from each [sssd] section" version="1">
-          <ind:filepath operation="pattern match">^/etc/sssd/(sssd|conf\.d/.*)\.conf$</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*\[sssd\].*(?:\n\s*[^[\s].*)*\n\s*user[ \t]*=[ \t]*(\S*)</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_configure_usbguard_auditbackend:obj:1" version="1">
-          <ind:filepath>/etc/usbguard/usbguard-daemon.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[ \t]*AuditBackend=(.+?)[ \t]*(?:$|#)</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:file_object id="oval:ssg-obj_configure_usbguard_auditbackend_config_file:obj:1" comment="The configuration file /etc/usbguard/usbguard-daemon.conf for configure_usbguard_auditbackend" version="1">
-          <unix:filepath operation="pattern match">^/etc/usbguard/usbguard-daemon.conf</unix:filepath>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_banner_etc_issue:obj:1" version="1">
-          <ind:behaviors singleline="true" multiline="false"/>
-          <ind:filepath operation="pattern match">^/etc/issue(\.d/.*)?$</ind:filepath>
-          <ind:pattern operation="pattern match">^(.*)$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_disallow_bypass_password_sudo:obj:1" version="1">
-          <ind:filepath>/etc/pam.d/sudo</ind:filepath>
-          <ind:pattern operation="pattern match">^.*pam_succeed_if.*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_display_login_attempts:obj:1" version="1">
-          <ind:filepath>/etc/pam.d/postlogin</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*session\s+required\s+pam_lastlog\.so(?:\s+[\w=]+)*\s+showfailed(\s|$)</ind:pattern>
-          <ind:instance datatype="int" operation="equals">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_display_login_attempts_silent:obj:1" version="1">
-          <ind:filepath>/etc/pam.d/postlogin</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*session\s+.*\s+pam_lastlog\.so(?:\s+[\w=]+)*\s+silent(\s|$)</ind:pattern>
-          <ind:instance datatype="int" operation="equals">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_all_pam_faillock_audit_parameter_system_auth:obj:1" comment="Get the pam_faillock.so preauth audit parameter from system-auth file" version="1">
-          <ind:filepath>/etc/pam.d/system-auth</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_pam_faillock_audit_parameter_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_all_pam_faillock_audit_parameter_password_auth:obj:1" comment="Get the pam_faillock.so preauth audit parameter from system-auth file" version="1">
-          <ind:filepath>/etc/pam.d/password-auth</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_pam_faillock_audit_parameter_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object version="1" id="oval:ssg-object_pam_faillock_audit_parameter_faillock_conf:obj:1" comment="Check the expected pam_faillock.so audit parameter in /etc/security/faillock.conf">
-          <ind:filepath>/etc/security/faillock.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*audit</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_disable_ctrlaltdel_burstaction:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/systemd/system.conf(\.d/.*\.conf)?$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*CtrlAltDelBurstAction[\s]*=[\s]*none$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:symlink_object comment="Disable Ctrl-Alt-Del key sequence override exists" id="oval:ssg-object_disable_ctrlaltdel_exists:obj:1" version="1">
-          <unix:filepath>/etc/systemd/system/ctrl-alt-del.target</unix:filepath>
-        </unix:symlink_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_grub2_disable_interactive_boot_grub_cmdline_linux:obj:1" version="1">
-          <ind:filepath>/etc/default/grub</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*GRUB_CMDLINE_LINUX="(?:.*\s)?systemd\.confirm_spawn(?:=(?:1|yes|true|on))?(?:\s.*)?"$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_grub2_disable_interactive_boot_grub_cmdline_linux_default:obj:1" version="1">
-          <ind:filepath>/etc/default/grub</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*GRUB_CMDLINE_LINUX_DEFAULT=".*systemd.confirm_spawn=(?:1|yes|true|on).*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_require_rescue_service:obj:1" version="1">
-          <ind:filepath>/usr/lib/systemd/system/rescue.service</ind:filepath>
-          <ind:pattern operation="pattern match">^ExecStart=\-.*/usr/lib/systemd/systemd-sulogin-shell[ ]+rescue</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_require_rescue_service_runlevel1:obj:1" version="1">
-          <ind:filepath>/usr/lib/systemd/system/runlevel1.target</ind:filepath>
-          <ind:pattern operation="pattern match">^Requires=.*rescue.service</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:file_object comment="look for rescue.service in /etc/systemd/system" id="oval:ssg-object_no_custom_rescue_service:obj:1" version="1">
-          <unix:behaviors recurse="directories" recurse_direction="down" recurse_file_system="all"/>
-          <unix:path operation="equals">/etc/systemd/system</unix:path>
-          <unix:filename operation="pattern match">^rescue.service$</unix:filename>
-        </unix:file_object>
-        <unix:file_object comment="look for runlevel1.target in /etc/systemd/system" id="oval:ssg-object_no_custom_runlevel1_target:obj:1" version="1">
-          <unix:behaviors recurse="directories" recurse_direction="down" recurse_file_system="all"/>
-          <unix:path operation="equals">/etc/systemd/system</unix:path>
-          <unix:filename operation="pattern match">^runlevel1.target$</unix:filename>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_configure_bashrc_exec_tmux:obj:1" version="1">
-          <ind:behaviors singleline="true" multiline="false"/>
-          <ind:filepath operation="pattern match">^/etc/bashrc$|^/etc/profile\.d/.*$</ind:filepath>
-          <ind:pattern operation="pattern match">if \[ "\$PS1" \]; then\n\s+parent=\$\(ps -o ppid= -p \$\$\)\n\s+name=\$\(ps -o comm= -p \$parent\)\n\s+case "\$name" in sshd\|login\) exec tmux ;; esac\nfi</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_configure_tmux_lock_after_time:obj:1" version="2">
-          <ind:filepath>/etc/tmux.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*set\s+-g\s+lock-after-time\s+(\d+)\s*(?:#.*)?$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_configure_tmux_lock_command:obj:1" version="1">
-          <ind:filepath>/etc/tmux.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*set\s+-g\s+lock-command\s+vlock\s*(?:#.*)?$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_no_tmux_in_shells:obj:1" version="1">
-          <ind:filepath>/etc/shells</ind:filepath>
-          <ind:pattern operation="pattern match">tmux\s*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_etc_default_useradd_inactive:obj:1" version="1">
-          <ind:filepath>/etc/default/useradd</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*INACTIVE\s*=\s*(\d+)\s*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_etc_passwd_content:obj:1" version="1">
-          <ind:filepath>/etc/passwd</ind:filepath>
-          <ind:pattern operation="pattern match">^([^:]+):.*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-object_count_of_all_usernames_from_etc_passwd:obj:1" version="1">
-          <ind:var_ref>oval:ssg-variable_count_of_all_usernames_from_etc_passwd:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_last_pass_max_days_from_etc_login_defs:obj:1" version="1">
-          <ind:filepath>/etc/login.defs</ind:filepath>
-          <ind:pattern operation="pattern match">^(?:.*\n)*\s*[^#]*(PASS_MAX_DAYS\s+\d+)\s*\n</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-object_last_pass_max_days_instance_value:obj:1" version="1">
-          <ind:var_ref>oval:ssg-variable_last_pass_max_days_instance_value:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_last_pass_min_days_from_etc_login_defs:obj:1" version="1">
-          <ind:behaviors singleline="true"/>
-          <ind:filepath>/etc/login.defs</ind:filepath>
-          <ind:pattern operation="pattern match">.*\n[^#]*(PASS_MIN_DAYS\s+\d+)\s*\n</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-object_last_pass_min_days_instance_value:obj:1" version="1">
-          <ind:var_ref>oval:ssg-variable_last_pass_min_days_instance_value:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_last_pass_min_len_from_etc_login_defs:obj:1" version="1">
-          <ind:behaviors singleline="true"/>
-          <ind:filepath>/etc/login.defs</ind:filepath>
-          <ind:pattern operation="pattern match">.*\n[^#]*(PASS_MIN_LEN\s+\d+)\s*\n</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-object_last_pass_min_len_instance_value:obj:1" version="1">
-          <ind:var_ref>oval:ssg-variable_last_pass_min_len_instance_value:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_last_pass_warn_age_from_etc_login_defs:obj:1" version="1">
-          <ind:behaviors singleline="true"/>
-          <ind:filepath>/etc/login.defs</ind:filepath>
-          <ind:pattern operation="pattern match">.*\n[^#]*(PASS_WARN_AGE\s+\d+)\s*\n</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-object_last_pass_warn_age_instance_value:obj:1" version="1">
-          <ind:var_ref>oval:ssg-variable_last_pass_warn_age_instance_value:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:password_object id="oval:ssg-object_accounts_password_all_shadowed:obj:1" version="1">
-          <unix:username operation="pattern match">.*</unix:username>
-        </unix:password_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_gid_passwd_group_same_var:obj:1" version="1">
-          <ind:filepath>/etc/group</ind:filepath>
-          <ind:pattern operation="pattern match">^[^:]+:[^:]+:([0-9]+):</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_gid_passwd_group_same:obj:1" version="1">
-          <ind:filepath>/etc/passwd</ind:filepath>
-          <ind:pattern operation="pattern match">^[^:]+:[^:]+:[0-9]+:([0-9]+):</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_no_empty_passwords:obj:1" version="1">
-          <ind:filepath operation="pattern match">/etc/pam.d/(system|password)-auth</ind:filepath>
-          <ind:pattern operation="pattern match">^[^#]*\bnullok\b.*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_no_empty_passwords_etc_shadow:obj:1" version="1">
-          <ind:filepath>/etc/shadow</ind:filepath>
-          <ind:pattern operation="pattern match">^[^:]+::.*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object comment="lines starting with +" id="oval:ssg-object_no_legacy_plus_entries_etc_group:obj:1" version="1">
-          <ind:filepath>/etc/group</ind:filepath>
-          <ind:pattern operation="pattern match">^\+.*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object comment="lines starting with +" id="oval:ssg-object_no_legacy_plus_entries_etc_passwd:obj:1" version="1">
-          <ind:filepath>/etc/passwd</ind:filepath>
-          <ind:pattern operation="pattern match">^\+.*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object comment="lines starting with +" id="oval:ssg-object_no_legacy_plus_entries_etc_shadow:obj:1" version="1">
-          <ind:filepath>/etc/shadow</ind:filepath>
-          <ind:pattern operation="pattern match">^\+.*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:file_object comment="look for .netrc in /home" id="oval:ssg-object_no_netrc_files_home:obj:1" version="1">
-          <unix:behaviors recurse="directories" recurse_direction="down" max_depth="1" recurse_file_system="all"/>
-          <unix:path operation="equals">/home</unix:path>
-          <unix:filename operation="pattern match">^\.netrc$</unix:filename>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_accounts_no_uid_except_root:obj:1" version="1">
-          <ind:filepath>/etc/passwd</ind:filepath>
-          <ind:pattern operation="pattern match">^(?!root:)[^:]*:[^:]*:0</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_accounts_root_gid_zero:obj:1" version="1">
-          <ind:filepath>/etc/passwd</ind:filepath>
-          <ind:pattern operation="pattern match">^root:.+:\d+:(\d+).+</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object comment="/etc/securetty file exists" id="oval:ssg-object_etc_securetty_exists:obj:1" version="1">
-          <ind:filepath>/etc/securetty</ind:filepath>
-          <ind:pattern operation="pattern match">^.*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object comment="no entries /etc/securetty" id="oval:ssg-object_no_direct_root_logins:obj:1" version="1">
-          <ind:filepath>/etc/securetty</ind:filepath>
-          <ind:pattern operation="pattern match">^$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_last_uid_min_from_etc_login_defs:obj:1" version="1">
-          <ind:behaviors singleline="true"/>
-          <ind:filepath>/etc/login.defs</ind:filepath>
-          <ind:pattern operation="pattern match">.*(?:^|\n)\s*(UID_MIN[\s]+[\d]+)\s*(?:$|\n)</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_last_sys_uid_min_from_etc_login_defs:obj:1" version="1">
-          <ind:behaviors singleline="true"/>
-          <ind:filepath>/etc/login.defs</ind:filepath>
-          <ind:pattern operation="pattern match">.*(?:^|\n)\s*(SYS_UID_MIN[\s]+[\d]+)\s*(?:$|\n)</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_last_sys_uid_max_from_etc_login_defs:obj:1" version="1">
-          <ind:behaviors singleline="true"/>
-          <ind:filepath>/etc/login.defs</ind:filepath>
-          <ind:pattern operation="pattern match">.*(?:^|\n)\s*(SYS_UID_MAX[\s]+[\d]+)\s*(?:$|\n)</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_etc_passwd_entries:obj:1" version="1">
-          <ind:filepath>/etc/passwd</ind:filepath>
-          <ind:pattern operation="pattern match">^(?!root).*:x:([\d]+):[\d]+:[^:]*:[^:]*:(?!\/usr\/sbin\/nologin|\/sbin\/nologin|\/bin\/sync|\/sbin\/shutdown|\/sbin\/halt|\/bin\/false|\/usr\/bin\/false).*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object comment="serial ports /etc/securetty" id="oval:ssg-object_serial_ports_etc_securetty:obj:1" version="1">
-          <ind:filepath>/etc/securetty</ind:filepath>
-          <ind:pattern operation="pattern match">^ttyS[0-9]+$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object comment="virtual consoles /etc/securetty" id="oval:ssg-object_virtual_consoles_etc_securetty:obj:1" version="1">
-          <ind:filepath>/etc/securetty</ind:filepath>
-          <ind:pattern operation="pattern match">^vc/[0-9]+$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_accounts_logon_fail_delay:obj:1" comment="FAIL_DELAY value from /etc/login.defs" version="1">
-          <ind:filepath>/etc/login.defs</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*(?i)FAIL_DELAY(?-i)[\s]+([^#\s]*)</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_etc_security_limits_conf_maxlogins:obj:1" version="1">
-          <ind:filepath>/etc/security/limits.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*\*[\s]+(?:(?:hard)|(?:-))[\s]+maxlogins[\s]+(\d+)\s*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_etc_security_limitsd_conf_maxlogins:obj:1" version="1">
-          <ind:path>/etc/security/limits.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*\*[\s]+(?:(?:hard)|(?:-))[\s]+maxlogins[\s]+(\d+)\s*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_etc_security_limitsd_conf_maxlogins_exists:obj:1" version="1">
-          <ind:path>/etc/security/limits.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*\*[\s]+(?:(?:hard)|(?:-))[\s]+maxlogins</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:file_object id="oval:ssg-obj_tmp_inst:obj:1" version="1">
-          <unix:path>/tmp/tmp-inst</unix:path>
-          <unix:filename xsi:nil="true"/>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_tmp_in_namespace_conf:obj:1" version="1">
-          <ind:filepath>/etc/security/namespace.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*/tmp\s+/tmp/tmp-inst/\s+level\s+root,adm$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:file_object id="oval:ssg-obj_var_tmp_tmp_inst:obj:1" version="1">
-          <unix:path>/var/tmp/tmp-inst</unix:path>
-          <unix:filename xsi:nil="true"/>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_var_tmp_in_namespace_conf:obj:1" version="1">
-          <ind:filepath>/etc/security/namespace.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*/var/tmp\s+/var/tmp/tmp-inst/\s+level\s+root,adm$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_etc_profile_tmout:obj:1" version="3">
-          <ind:filepath>/etc/profile</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*declare[\s]+-xr[\s]+TMOUT=([\w$]+).*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_etc_profiled_tmout:obj:1" version="3">
-          <ind:path>/etc/profile.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.sh$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*declare[\s]+-xr[\s]+TMOUT=([\w$]+).*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:password_object id="oval:ssg-object_file_permissions_home_dirs_objects:obj:1" version="1">
-          <unix:username datatype="string" operation="not equal">nobody</unix:username>
-          <oval-def:filter action="include">oval:ssg-state_file_permissions_home_dirs_interactive_uids:ste:1</oval-def:filter>
-        </unix:password_object>
-        <unix:file_object id="oval:ssg-object_file_permissions_home_dirs_dirs:obj:1" version="1">
-          <unix:path var_ref="oval:ssg-var_file_permissions_home_dirs_dirs:var:1" var_check="at least one"/>
-          <unix:filename xsi:nil="true"/>
-        </unix:file_object>
-        <ind:environmentvariable58_object id="oval:ssg-object_accounts_root_path_dirs_no_write_pathenv:obj:1" version="1">
-          <ind:pid xsi:nil="true" datatype="int"/>
-          <ind:name>PATH</ind:name>
-        </ind:environmentvariable58_object>
-        <unix:file_object comment="root's path directories with wrong group / other write permissions" id="oval:ssg-object_accounts_root_path_dirs_no_group_other_write:obj:1" version="1">
-          <unix:path var_ref="oval:ssg-var_accounts_root_path_dirs_no_write:var:1" var_check="at least one"/>
-          <unix:filename xsi:nil="true"/>
-          <oval-def:filter action="include">oval:ssg-state_accounts_root_path_dirs_wrong_perms:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_accounts_root_path_dirs_symlink:ste:1</oval-def:filter>
-        </unix:file_object>
-        <ind:environmentvariable58_object id="oval:ssg-object_root_path_no_dot:obj:1" version="1">
-          <ind:pid xsi:nil="true" datatype="int"/>
-          <ind:name>PATH</ind:name>
-        </ind:environmentvariable58_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_umask_from_etc_bashrc:obj:1" comment="Umask value from /etc/bashrc" version="1">
-          <ind:filepath>/etc/bashrc</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*umask[\s]+([^#\s]*)</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-obj_accounts_umask_etc_bashrc:obj:1" version="1">
-          <ind:var_ref>oval:ssg-var_etc_bashrc_umask_as_number:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_umask_from_etc_csh_cshrc:obj:1" comment="Umask value from /etc/csh.cshrc" version="1">
-          <ind:filepath>/etc/csh.cshrc</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*(?i)UMASK(?-i)[\s]+([^#\s]*)</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-obj_accounts_umask_etc_csh_cshrc:obj:1" version="1">
-          <ind:var_ref>oval:ssg-var_etc_csh_cshrc_umask_as_number:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_umask_from_etc_login_defs:obj:1" comment="Umask value from /etc/login.defs" version="1">
-          <ind:filepath>/etc/login.defs</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*UMASK[\s]+([^#\s]*)</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-obj_accounts_umask_etc_login_defs:obj:1" version="1">
-          <ind:var_ref>oval:ssg-var_etc_login_defs_umask_as_number:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_umask_from_etc_profile:obj:1" comment="Umask value from /etc/profile" version="1">
-          <ind:filepath>/etc/profile</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*umask[\s]+([^#\s]*)</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-obj_accounts_umask_etc_profile:obj:1" version="1">
-          <ind:var_ref>oval:ssg-var_etc_profile_umask_as_number:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_enable_syscall_audit_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+task,never[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_enable_syscall_audit_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+task,never[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_ari_locked_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^\-e\s+2\s*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_ari_locked_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^\-e\s+2\s*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_armm_selinux_watch_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^\-w[\s]+/etc/selinux/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_armm_selinux_watch_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^\-w[\s]+/etc/selinux/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arnm_etc_issue_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^\-w[\s]+/etc/issue[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arnm_etc_issue_net_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^\-w[\s]+/etc/issue\.net[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arnm_etc_hosts_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^\-w[\s]+/etc/hosts[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arnm_etc_sysconfig_network_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^\-w[\s]+/etc/sysconfig/network[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arnm_etc_issue_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^\-w[\s]+/etc/issue[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arnm_etc_issue_net_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^\-w[\s]+/etc/issue\.net[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arnm_etc_hosts_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^\-w[\s]+/etc/hosts[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arnm_etc_sysconfig_network_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^\-w[\s]+/etc/sysconfig/network[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arse_utmp_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^\-w\s+/var/run/utmp\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arse_btmp_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^\-w\s+/var/log/btmp\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arse_wtmp_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^\-w\s+/var/log/wtmp\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arse_utmp_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^\-w\s+/var/run/utmp\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arse_btmp_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^\-w\s+/var/log/btmp\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arse_wtmp_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^\-w\s+/var/log/wtmp\s+\-p\s+wa\s+(-k[\s]+|-F[\s]+key=)[-\w]+\s*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_sysadmin_actions_sudoers_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^\-w[\s]+/etc/sudoers[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_sysadmin_actions_sudoers_d_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^\-w[\s]+/etc/sudoers\.d/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_sysadmin_actions_sudoers_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^\-w[\s]+/etc/sudoers[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_sysadmin_actions_sudoers_d_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^\-w[\s]+/etc/sudoers\.d/[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)[-\w]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_usergroup_modification_etc_group_augen:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^\-w[\s]+/etc/group[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s+]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_usergroup_modification_etc_passwd_augen:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^\-w[\s]+/etc/passwd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_usergroup_modification_etc_gshadow_augen:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^\-w[\s]+/etc/gshadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_usergroup_modification_etc_shadow_augen:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^\-w[\s]+/etc/shadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_usergroup_modification_etc_security_opasswd_augen:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^\-w[\s]+/etc/security/opasswd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_usergroup_modification_etc_group_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^\-w[\s]+/etc/group[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_usergroup_modification_etc_passwd_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^\-w[\s]+/etc/passwd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_usergroup_modification_etc_gshadow_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^\-w[\s]+/etc/gshadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_usergroup_modification_etc_shadow_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^\-w[\s]+/etc/shadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_usergroup_modification_etc_security_opasswd_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^\-w[\s]+/etc/security/opasswd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_directory_acccess_var_log_audit_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_access_var_log_audit_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_directory_acccess_var_log_audit_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_access_var_log_audit_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:file_object comment="audit log files" id="oval:ssg-object_audit_log_directory:obj:1" version="1">
-          <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local"/>
-          <unix:path operation="equals" var_ref="oval:ssg-audit_log_dir:var:1"/>
-          <unix:filename xsi:nil="true"/>
-          <oval-def:filter action="include">oval:ssg-state_not_mode_0700:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/var/log/audit files" id="oval:ssg-object_var_log_audit_directory:obj:1" version="1">
-          <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local"/>
-          <unix:path operation="equals">/var/log/audit</unix:path>
-          <unix:filename xsi:nil="true"/>
-          <oval-def:filter action="include">oval:ssg-state_not_mode_0700:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/var/log/audit files" id="oval:ssg-object_var_log_audit_directory-non_root:obj:1" version="1">
-          <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local"/>
-          <unix:path operation="equals">/var/log/audit</unix:path>
-          <unix:filename xsi:nil="true"/>
-          <oval-def:filter action="include">oval:ssg-state_not_mode_0750:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="audit log files" id="oval:ssg-object_audit_log_directory-non_root:obj:1" version="1">
-          <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local"/>
-          <unix:path operation="equals" var_ref="oval:ssg-audit_log_dir:var:1"/>
-          <unix:filename xsi:nil="true"/>
-          <oval-def:filter action="include">oval:ssg-state_not_mode_0750:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/var/log/audit directories" id="oval:ssg-object_ownership_var_log_audit_directories:obj:1" version="1">
-          <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all"/>
-          <unix:path operation="equals">/var/log/audit</unix:path>
-          <unix:filename xsi:nil="true"/>
-          <oval-def:filter action="include">oval:ssg-state_owner_not_root_root_var_log_audit:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/var/log/audit files" id="oval:ssg-object_ownership_var_log_audit_files:obj:1" version="1">
-          <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all"/>
-          <unix:path operation="equals">/var/log/audit</unix:path>
-          <unix:filename operation="pattern match">^.*$</unix:filename>
-          <oval-def:filter action="include">oval:ssg-state_owner_not_root_root_var_log_audit:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/var/log/audit directories" id="oval:ssg-object_ownership_var_log_audit_directories-non_root:obj:1" version="1">
-          <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all"/>
-          <unix:path operation="equals">/var/log/audit</unix:path>
-          <unix:filename xsi:nil="true"/>
-          <oval-def:filter action="include">oval:ssg-state_owner_not_root_var_log_audit-non_root:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/var/log/audit files" id="oval:ssg-object_ownership_var_log_audit_files-non_root:obj:1" version="1">
-          <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="all"/>
-          <unix:path operation="equals">/var/log/audit</unix:path>
-          <unix:filename operation="pattern match">^.*$</unix:filename>
-          <oval-def:filter action="include">oval:ssg-state_owner_not_root_var_log_audit-non_root:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/var/log/audit files" id="oval:ssg-object_audit_log_files:obj:1" version="1">
-          <unix:filepath operation="pattern match" var_ref="oval:ssg-audit_log_file_path:var:1"/>
-          <oval-def:filter action="include">oval:ssg-state_not_mode_0600:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/var/log/audit files" id="oval:ssg-object_var_log_audit_files:obj:1" version="1">
-          <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local"/>
-          <unix:path operation="equals">/var/log/audit</unix:path>
-          <unix:filename operation="pattern match">^.*$</unix:filename>
-          <oval-def:filter action="include">oval:ssg-state_not_mode_0600:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="audit log files" id="oval:ssg-object_audit_log_files-non_root:obj:1" version="1">
-          <unix:filepath operation="pattern match" var_ref="oval:ssg-audit_log_file_path:var:1"/>
-          <oval-def:filter action="include">oval:ssg-state_not_mode_0640:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/var/log/audit files" id="oval:ssg-object_var_log_audit_files-non_root:obj:1" version="1">
-          <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local"/>
-          <unix:path operation="equals">/var/log/audit</unix:path>
-          <unix:filename operation="pattern match">^.*$</unix:filename>
-          <oval-def:filter action="include">oval:ssg-state_not_mode_0640:ste:1</oval-def:filter>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_ardm_umount_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+umount[\s]+|([\s]+|[,])umount([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_ardm_umount_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+umount[\s]+|([\s]+|[,])umount([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_ardm_delete_module_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_ardm_delete_module_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_ardm_delete_module_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_ardm_delete_module_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+delete_module[\s]+|([\s]+|[,])delete_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_ardm_finit_module_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_ardm_finit_module_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_ardm_finit_module_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_ardm_finit_module_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+finit_module[\s]+|([\s]+|[,])finit_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_ardm_init_module_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_ardm_init_module_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_ardm_init_module_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_ardm_init_module_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+init_module[\s]+|([\s]+|[,])init_module([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:file_object id="oval:ssg-object_system_privileged_commands:obj:1" comment="system files with setuid or setgid permission set" version="1">
-          <unix:behaviors recurse="directories" recurse_direction="down" recurse_file_system="local" max_depth="-1"/>
-          <unix:path operation="equals">/</unix:path>
-          <unix:filename operation="pattern match">[a-z]+</unix:filename>
-          <oval-def:filter action="include">oval:ssg-state_setuid_or_setgid_set:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_dev_proc_sys_dirs:ste:1</oval-def:filter>
-        </unix:file_object>
-        <ind:variable_object id="oval:ssg-object_count_of_suid_sgid_binaries_on_system:obj:1" version="1">
-          <ind:var_ref>oval:ssg-variable_count_of_suid_sgid_binaries_on_system:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arpc_suid_sgid_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a always,exit (?:-F path=([\S]+) )+-F auid&gt;=1000 -F auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-          <oval-def:filter action="exclude">oval:ssg-state_proper_audit_rule_but_for_unprivileged_command:ste:1</oval-def:filter>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arpc_suid_sgid_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a always,exit (?:-F path=([\S]+) )+-F auid&gt;=1000 -F auid!=(?:4294967295|unset)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-          <oval-def:filter action="exclude">oval:ssg-state_proper_audit_rule_but_for_unprivileged_command:ste:1</oval-def:filter>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_art_adjtimex_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+adjtimex[\s]+|([\s]+|[,])adjtimex([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_art_adjtimex_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64.*(-S[\s]+adjtimex[\s]+|([\s]+|[,])adjtimex([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_art_adjtimex_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+adjtimex[\s]+|([\s]+|[,])adjtimex([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_art_adjtimex_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64.*(-S[\s]+adjtimex[\s]+|([\s]+|[,])adjtimex([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_art_clock_settime_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+(-S[\s]+clock_settime[\s]+|([\s]+|[,])clock_settime([\s]+|[,]))-F[\s]+a0=(?:0x)?0[\s]+(?:-F[\s]+key=|-k[\s]+)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_art_clock_settime_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+(-S[\s]+clock_settime[\s]+|([\s]+|[,])clock_settime([\s]+|[,]))-F[\s]+a0=(?:0x)?0[\s]+(?:-F[\s]+key=|-k[\s]+)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_art_clock_settime_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32[\s]+(-S[\s]+clock_settime[\s]+|([\s]+|[,])clock_settime([\s]+|[,]))-F[\s]+a0=(?:0x)?0[\s]+(?:-F[\s]+key=|-k[\s]+)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_art_clock_settime_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64[\s]+(-S[\s]+clock_settime[\s]+|([\s]+|[,])clock_settime([\s]+|[,]))-F[\s]+a0=(?:0x)?0[\s]+(?:-F[\s]+key=|-k[\s]+)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_art_settimeofday_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+settimeofday[\s]+|([\s]+|[,])settimeofday([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_art_settimeofday_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64.*(-S[\s]+settimeofday[\s]+|([\s]+|[,])settimeofday([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_art_settimeofday_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+settimeofday[\s]+|([\s]+|[,])settimeofday([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_art_settimeofday_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b64.*(-S[\s]+settimeofday[\s]+|([\s]+|[,])settimeofday([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_art_stime_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+stime[\s]+|([\s]+|[,])stime([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_art_stime_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+arch=b32.*(-S[\s]+stime[\s]+|([\s]+|[,])stime([\s]+|[,])).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_artw_etc_localtime_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-w[\s]+\/etc\/localtime[\s]+-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_artw_etc_localtime_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-w[\s]+\/etc\/localtime[\s]+-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_auditd_audispd_configure_remote_server:obj:1" version="1">
-          <ind:filepath>/etc/audit/audisp-remote.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[ ]*remote_server[ ]+=[ ]+(\S+)[ ]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_auditd_audispd_disk_full_action:obj:1" version="1">
-          <ind:filepath>/etc/audit/audisp-remote.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[ ]*disk_full_action[ ]+=[ ]+(\S+)[ ]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_auditd_audispd_encrypt_sent_records:obj:1" version="1">
-          <ind:filepath>/etc/audit/audisp-remote.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[ ]*enable_krb5[ ]+=[ ]+yes[ ]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_auditd_audispd_network_failure_action:obj:1" version="1">
-          <ind:filepath>/etc/audit/audisp-remote.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[ ]*network_failure_action[ ]+=[ ]+(\S+)[ ]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_auditd_audispd_syslog_plugin_activated:obj:1" version="1">
-          <ind:filepath>/etc/audit/plugins.d/syslog.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[ ]*active[ ]+=[ ]+yes[ ]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_auditd_data_disk_error_action:obj:1" version="3">
-          <ind:filepath>/etc/audit/auditd.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[ ]*disk_error_action[ ]+=[ ]+(\S+)[ ]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_auditd_data_disk_error_action_stig:obj:1" version="2">
-          <ind:filepath>/etc/audit/auditd.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[ ]*disk_error_action[ ]+=[ ]+(\S+)[ ]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_auditd_data_disk_full_action:obj:1" version="3">
-          <ind:filepath>/etc/audit/auditd.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[ ]*disk_full_action[ ]+=[ ]+(\S+)[ ]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_auditd_data_disk_full_action_stig:obj:1" version="2">
-          <ind:filepath>/etc/audit/auditd.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[ ]*disk_full_action[ ]+=[ ]+(\S+)[ ]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_auditd_data_retention_action_mail_acct:obj:1" version="2">
-          <ind:filepath>/etc/audit/auditd.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[ ]*action_mail_acct[ ]+=[ ]+(\S+)[ ]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_auditd_data_retention_admin_space_left_action:obj:1" version="2">
-          <ind:filepath>/etc/audit/auditd.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[ ]*admin_space_left_action[ ]+=[ ]+(\S+)[ ]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_auditd_data_retention_flush:obj:1" version="1">
-          <ind:filepath>/etc/audit/auditd.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[ ]*flush[ ]+=[ ]+(\S+)[ ]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_auditd_data_retention_max_log_file:obj:1" version="2">
-          <ind:filepath>/etc/audit/auditd.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[ ]*max_log_file[ ]+=[ ]+(\d+)[ ]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_auditd_data_retention_max_log_file_action:obj:1" version="2">
-          <ind:filepath>/etc/audit/auditd.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[ ]*max_log_file_action[ ]+=[ ]+(\S+)[ ]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_auditd_data_retention_max_log_file_action_stig:obj:1" version="2">
-          <ind:filepath>/etc/audit/auditd.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[ ]*max_log_file_action[ ]+=[ ]+(\S+)[ ]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_auditd_data_retention_num_logs:obj:1" version="2">
-          <ind:filepath>/etc/audit/auditd.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[ ]*num_logs[ ]+=[ ]+(\d+)[ ]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_auditd_data_retention_space_left:obj:1" version="2">
-          <ind:filepath>/etc/audit/auditd.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*space_left[\s]+=[\s]+(\d+)[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_auditd_data_retention_space_left_action:obj:1" version="2">
-          <ind:filepath>/etc/audit/auditd.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[ ]*space_left_action[ ]+=[ ]+(\S+)[ ]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_auditd_overflow_action:obj:1" version="1">
-          <ind:filepath>/etc/audit/auditd.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[ \t]*(?i)overflow_action(?-i)[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#)</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_etc_10-base-config_old:obj:1" version="1">
-          <ind:filepath>/etc/audit/rules.d/10-base-config.rules</ind:filepath>
-          <ind:pattern operation="pattern match">(?:.*\n)*</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_doc_10-base-config:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/usr/share/doc/audit(?:-\d.\d.\d)?/rules/10-base-config.rules</ind:filepath>
-          <ind:pattern operation="pattern match">(?:.*\n)*</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_etc_11-loginuid_old:obj:1" version="1">
-          <ind:filepath>/etc/audit/rules.d/11-loginuid.rules</ind:filepath>
-          <ind:pattern operation="pattern match">(?:.*\n)*</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_doc_11-loginuid:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/usr/share/doc/audit(?:-\d.\d.\d)?/rules/11-loginuid.rules</ind:filepath>
-          <ind:pattern operation="pattern match">(?:.*\n)*</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_etc_30-ospp-v42_old:obj:1" version="1">
-          <ind:filepath>/etc/audit/rules.d/30-ospp-v42.rules</ind:filepath>
-          <ind:pattern operation="pattern match">(?:.*\n)*</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_doc_30-ospp-v42:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/usr/share/doc/audit(?:-\d.\d.\d)?/rules/30-ospp-v42.rules</ind:filepath>
-          <ind:pattern operation="pattern match">(?:.*\n)*</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_etc_43-module-load_old:obj:1" version="1">
-          <ind:filepath>/etc/audit/rules.d/43-module-load.rules</ind:filepath>
-          <ind:pattern operation="pattern match">(?:.*\n)*</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_doc_43-module-load:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/usr/share/doc/audit(?:-\d.\d.\d)?/rules/43-module-load.rules</ind:filepath>
-          <ind:pattern operation="pattern match">(?:.*\n)*</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:password_object id="oval:ssg-object_uefi_user_accounts:obj:1" version="1">
-          <unix:username datatype="string" operation="pattern match">.*</unix:username>
-        </unix:password_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_bootloader_uefi_unique_superuser:obj:1" version="1">
-          <ind:filepath>/boot/grub2/grub.cfg</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*set[\s]+superusers="(?i)\b(?!(?:root|admin|administrator)\b)(\w+)"$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_grub2_uefi_password_usercfg:obj:1" version="1">
-          <ind:filepath>/boot/grub2/user.cfg</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512.*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_zipl_bls_entries_only:obj:1" version="1">
-          <ind:filepath operation="equals">/etc/zipl.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*image\s*=.*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:file_object id="oval:ssg-object_zipl_boot_bootmap_file:obj:1" comment="current bootmap state" version="1">
-          <unix:filepath>/boot/bootmap</unix:filepath>
-        </unix:file_object>
-        <unix:file_object id="oval:ssg-zipl_conf_file:obj:1" comment="/etc/zipl.conf state" version="1">
-          <unix:filepath datatype="string">/etc/zipl.conf</unix:filepath>
-        </unix:file_object>
-        <unix:file_object id="oval:ssg-boot_entry_files:obj:1" comment="/boot/loader/entries/*.conf states" version="1">
-          <unix:filepath datatype="string" operation="pattern match">^/boot/loader/entries/.*\.conf$</unix:filepath>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_zipl_systemd_debug-shell_argument_in_boot_loader_entries_conf:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/boot/loader/entries/.*.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^options (.*)$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_zipl_systemd_debug-shell_argument_in_etc_kernel_cmdline:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/kernel/cmdline</ind:filepath>
-          <ind:pattern operation="pattern match">^(.*)$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_rsyslog_encrypt_offload_actionsendstreamdriverauthmode_action_send_stream_driver_auth_mode:obj:1" comment="Check if  $ActionSendStreamDriverAuthMode x509/name is set in /etc/rsyslog.conf" version="1">
-          <ind:filepath>/etc/rsyslog.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^\$ActionSendStreamDriverAuthMode x509/name$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_rsyslog_encrypt_offload_actionsendstreamdriverauthmode_action_send_stream_driver_auth_mode_dir:obj:1" comment="Check if $ActionSendStreamDriverAuthMode x509/name is set in /etc/rsyslog.d" version="1">
-          <ind:path>/etc/rsyslog.d</ind:path>
-          <ind:filename operation="pattern match">^.*conf$</ind:filename>
-          <ind:pattern operation="pattern match">^\$ActionSendStreamDriverAuthMode x509/name$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_rsyslog_encrypt_offload_actionsendstreamdrivermode_action_send_stream_driver_mode_rsyslog:obj:1" comment="Check if  $ActionSendStreamDriverMode 1 is set in /etc/rsyslog.conf" version="1">
-          <ind:filepath>/etc/rsyslog.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^\$ActionSendStreamDriverMode 1$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_rsyslog_encrypt_offload_actionsendstreamdrivermode_action_send_stream_driver_mode_rsyslog_dir:obj:1" comment="Check if $ActionSendStreamDriverMode 1 is set in /etc/rsyslog.d" version="1">
-          <ind:path>/etc/rsyslog.d</ind:path>
-          <ind:filename operation="pattern match">^.*conf$</ind:filename>
-          <ind:pattern operation="pattern match">^\$ActionSendStreamDriverMode 1$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_rsyslog_encrypt_offload_defaultnetstreamdriver_default_netstream_rsyslog:obj:1" comment="Check if  $DefaultNetstreamDriver gtls is set in /etc/rsyslog.conf" version="1">
-          <ind:filepath>/etc/rsyslog.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^\$DefaultNetstreamDriver gtls$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_rsyslog_encrypt_offload_defaultnetstreamdriver_default_netstream_rsyslog_dir:obj:1" comment="Check if $DefaultNetstreamDriver gtls is set in /etc/rsyslog.d" version="1">
-          <ind:path>/etc/rsyslog.d</ind:path>
-          <ind:filename operation="pattern match">^.*conf$</ind:filename>
-          <ind:pattern operation="pattern match">^\$DefaultNetstreamDriver gtls$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_rfg_rsyslog_include_config_value:obj:1" comment="rsyslog's $IncludeConfig directive and include() object values" version="1">
-          <ind:filepath>/etc/rsyslog.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^(?:include\([\n\s]*file="([^\s;]+)".*|\$IncludeConfig[\s]+([^\s;]+))$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-object_var_rfg_include_config_regex:obj:1" comment="Make variable object from regex variable" version="1">
-          <ind:var_ref>oval:ssg-var_rfg_include_config_regex:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-object_var_rfg_syslog_config:obj:1" comment="Make variable object for use" version="1">
-          <ind:var_ref>oval:ssg-var_rfg_syslog_config:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-object_var_rfg_all_log_files:obj:1" comment="Filter out empty string" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_var_rfg_include_config_regex:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_var_rfg_syslog_config:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:variable_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_rfg_log_files_paths:obj:1" comment="All rsyslog configuration files" version="1">
-          <ind:filepath operation="pattern match" var_ref="oval:ssg-var_rfg_all_log_files:var:1" var_check="at least one"/>
-          <ind:pattern operation="pattern match">^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*\.*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-          <oval-def:filter action="exclude">oval:ssg-state_groupownership_ignore_include_paths:ste:1</oval-def:filter>
-        </ind:textfilecontent54_object>
-        <unix:file_object id="oval:ssg-object_rsyslog_files_groupownership:obj:1" comment="Various system log files" version="1">
-          <unix:filepath datatype="string" var_ref="oval:ssg-var_rfg_log_files_paths:var:1" var_check="at least one"/>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_rfo_rsyslog_include_config_value:obj:1" comment="rsyslog's $IncludeConfig directive and include() object values" version="1">
-          <ind:filepath>/etc/rsyslog.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^(?:include\([\n\s]*file="([^\s;]+)".*|\$IncludeConfig[\s]+([^\s;]+))$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-object_var_rfo_include_config_regex:obj:1" comment="Make variable object from regex variable" version="1">
-          <ind:var_ref>oval:ssg-var_rfo_include_config_regex:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-object_var_rfo_syslog_config:obj:1" comment="Make variable object for use" version="1">
-          <ind:var_ref>oval:ssg-var_rfo_syslog_config:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-object_var_rfo_all_log_files:obj:1" comment="Filter out empty string" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_var_rfo_include_config_regex:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_var_rfo_syslog_config:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:variable_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_rfo_log_files_paths:obj:1" comment="All rsyslog configuration files" version="1">
-          <ind:filepath operation="pattern match" var_ref="oval:ssg-var_rfo_all_log_files:var:1" var_check="at least one"/>
-          <ind:pattern operation="pattern match">^[^(#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*\.*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-          <oval-def:filter action="exclude">oval:ssg-state_owner_ignore_include_paths:ste:1</oval-def:filter>
-        </ind:textfilecontent54_object>
-        <unix:file_object id="oval:ssg-object_rsyslog_files_ownership:obj:1" comment="Various system log files" version="1">
-          <unix:filepath datatype="string" var_ref="oval:ssg-var_rfo_log_files_paths:var:1" var_check="at least one"/>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_rfp_rsyslog_include_config_value:obj:1" comment="rsyslog's $IncludeConfig directive and include() object values" version="1">
-          <ind:filepath>/etc/rsyslog.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^(?:include\([\n\s]*file="([^\s;]+)".*|\$IncludeConfig[\s]+([^\s;]+))$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-object_var_rfp_include_config_regex:obj:1" comment="Make variable object from regex variable" version="1">
-          <ind:var_ref>oval:ssg-var_rfp_include_config_regex:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-object_var_rfp_syslog_config:obj:1" comment="Make variable object for use" version="1">
-          <ind:var_ref>oval:ssg-var_rfp_syslog_config:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-object_var_rfp_all_log_files:obj:1" comment="Filter out empty string" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_var_rfp_include_config_regex:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_var_rfp_syslog_config:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:variable_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_rfp_log_files_paths:obj:1" comment="All rsyslog configuration files" version="1">
-          <ind:filepath operation="pattern match" var_ref="oval:ssg-var_rfp_all_log_files:var:1" var_check="at least one"/>
-          <ind:pattern operation="pattern match">^[^(\s|#|\$)]+[\s]+.*[\s]+-?(/+[^:;\s]+);*\.*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-          <oval-def:filter action="exclude">oval:ssg-state_permissions_ignore_include_paths:ste:1</oval-def:filter>
-        </ind:textfilecontent54_object>
-        <unix:file_object id="oval:ssg-object_rsyslog_files_permissions:obj:1" comment="Various system log files" version="1">
-          <unix:filepath datatype="string" var_ref="oval:ssg-var_rfp_log_files_paths:var:1" var_check="at least one"/>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_logrotate_conf_daily_setting:obj:1" version="2">
-          <ind:filepath>/etc/logrotate.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*daily[\s#]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_logrotate_conf_no_other_keyword:obj:1" version="2">
-          <ind:filepath>/etc/logrotate.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*(weekly|monthly|yearly)[\s#]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_cron_daily_logrotate_existence:obj:1" version="1">
-          <ind:filepath>/etc/cron.daily/logrotate</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*/usr/sbin/logrotate[\s\S]*/etc/logrotate.conf$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_remote_loghost_rsyslog_conf:obj:1" version="1">
-          <ind:filepath>/etc/rsyslog.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^\*\.\*[\s]+(?:@|\:omrelp\:)</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_remote_loghost_rsyslog_d:obj:1" version="1">
-          <ind:path>/etc/rsyslog.d</ind:path>
-          <ind:filename operation="pattern match">^.+\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^\*\.\*[\s]+(?:@|\:omrelp\:)</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_network_nmcli_permissions:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/polkit-1/localauthority/20-org.d/.*$</ind:filepath>
-          <ind:pattern operation="pattern match">^\[.*\]\n\s*Identity=default\n\s*Action=org\.freedesktop\.NetworkManager\.\*\n\s*ResultAny=no\n\s*ResultInactive=no\n\s*(ResultActive=auth_admin)\n*\s*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_kernel_module_ipv6_option_disabled:obj:1" version="1" comment="ipv6 disabled any modprobe conf file">
-          <ind:path>/etc/modprobe.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^\s*options\s+ipv6\s+.*disable=1.*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:interface_object id="oval:ssg-object_active_wifi_interfaces:obj:1" version="1">
-          <unix:name operation="pattern match">^wl.*$</unix:name>
-        </unix:interface_object>
-        <unix:file_object comment="only local directories" id="oval:ssg-object_only_local_directories:obj:1" version="1">
-          <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local"/>
-          <unix:path operation="equals">/</unix:path>
-          <unix:filename xsi:nil="true"/>
-          <oval-def:filter action="include">oval:ssg-state_world_writable_and_not_sticky:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="system.mapfiles" id="oval:ssg-object_file_permissions_systemmap_files:obj:1" version="1">
-          <unix:path>/boot</unix:path>
-          <unix:filename operation="pattern match">^System\.map.*$</unix:filename>
-        </unix:file_object>
-        <unix:file_object comment="world writable" id="oval:ssg-object_file_permissions_unauthorized_world_write:obj:1" version="1">
-          <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local"/>
-          <unix:path operation="equals">/</unix:path>
-          <unix:filename operation="pattern match">^.*$</unix:filename>
-          <oval-def:filter action="include">oval:ssg-state_file_permissions_unauthorized_world_write:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_permissions_unauthorized_world_write_exclude_special_selinux_files:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_permissions_unauthorized_world_write_exclude_proc:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_permissions_unauthorized_world_write_exclude_sys:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="binary directories" id="oval:ssg-object_file_ownership_binary_directories:obj:1" version="1">
-          <unix:path operation="pattern match">^\/(|s)bin|^\/usr\/(|local\/)(|s)bin|^\/usr\/libexec</unix:path>
-          <unix:filename xsi:nil="true"/>
-          <oval-def:filter action="include">oval:ssg-state_owner_binaries_not_root:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="binary files" id="oval:ssg-object_file_ownership_binary_files:obj:1" version="1">
-          <unix:path operation="pattern match">^\/(|s)bin|^\/usr\/(|local\/)(|s)bin|^\/usr\/libexec</unix:path>
-          <unix:filename operation="pattern match">^.*$</unix:filename>
-          <oval-def:filter action="include">oval:ssg-state_owner_binaries_not_root:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="binary files" id="oval:ssg-object_file_permissions_binary_files:obj:1" version="1">
-          <unix:path operation="pattern match">^\/(|s)bin|^\/usr\/(|local\/)(|s)bin|^\/usr\/libexec</unix:path>
-          <unix:filename operation="pattern match">^.*$</unix:filename>
-          <oval-def:filter action="include">oval:ssg-state_perms_binary_files_nogroupwrite_noworldwrite:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_perms_binary_files_symlink:ste:1</oval-def:filter>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_grub2_nousb_argument:obj:1" version="1">
-          <ind:filepath>/etc/default/grub</ind:filepath>
-          <ind:pattern operation="pattern match">^[ \t]*GRUB_CMDLINE_LINUX=([^#]*).*$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <linux:partition_object id="oval:ssg-object_non_root_partitions:obj:1" version="1">
-          <linux:mount_point operation="pattern match">^/\w.*$</linux:mount_point>
-          <oval-def:filter action="include">oval:ssg-state_local_nodev:ste:1</oval-def:filter>
-        </linux:partition_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_coredump_disable_backtraces:obj:1" version="1">
-          <ind:filepath>/etc/systemd/coredump.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*\[Coredump\].*(?:\n\s*[^[\s].*)*\n^[ \t]*(?i)ProcessSizeMax(?-i)[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#)</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_coredump_disable_storage:obj:1" version="1">
-          <ind:filepath>/etc/systemd/coredump.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*\[Coredump\].*(?:\n\s*[^[\s].*)*\n^[ \t]*(?i)Storage(?-i)[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#)</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_core_dumps_limitsconf:obj:1" version="1">
-          <ind:filepath>/etc/security/limits.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*\*[\s]+(?:hard|-)[\s]+core[\s]+([\d]+)</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_core_dumps_limits_d:obj:1" version="1">
-          <ind:path>/etc/security/limits.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*\*[\s]+(?:hard|-)[\s]+core[\s]+([\d]+)</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_core_dumps_limits_d_exists:obj:1" version="1">
-          <ind:path>/etc/security/limits.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*\*[\s]+(?:hard|-)[\s]+core</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_selinux_default_grub:obj:1" comment="check value selinux|enforcing=0 in /etc/default/grub, fail if found" version="1">
-          <ind:filepath>/etc/default/grub</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*GRUB_CMDLINE_LINUX.*(selinux|enforcing)=0.*$</ind:pattern>
-          <ind:instance datatype="int" operation="equals">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_selinux_grub2_cfg:obj:1" comment="check value selinux|enforcing=0 in /etc/grub2.cfg, fail if found" version="1">
-          <ind:filepath>/etc/grub2.cfg</ind:filepath>
-          <ind:pattern operation="pattern match">^.*(selinux|enforcing)=0.*$</ind:pattern>
-          <ind:instance datatype="int" operation="equals">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_selinux_grub_dir:obj:1" comment="check value selinux|enforcing=0 in /etc/grub.d, fail if found" version="1">
-          <ind:path>/etc/grub.d</ind:path>
-          <ind:filename operation="pattern match">^.*$</ind:filename>
-          <ind:pattern operation="pattern match">^.*(selinux|enforcing)=0.*$</ind:pattern>
-          <ind:instance datatype="int" operation="equals">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <linux:selinuxsecuritycontext_object comment="find unconfined_service_t in /proc" id="oval:ssg-object_selinux_confinement_of_daemons:obj:1" version="1">
-          <linux:behaviors max_depth="1" recurse_direction="down"/>
-          <linux:path>/proc</linux:path>
-          <linux:filename operation="pattern match">^.*$</linux:filename>
-          <oval-def:filter action="include">oval:ssg-state_selinux_confinement_of_daemons:ste:1</oval-def:filter>
-        </linux:selinuxsecuritycontext_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_selinux_policy:obj:1" version="1">
-          <ind:filepath>/etc/selinux/config</ind:filepath>
-          <ind:pattern operation="pattern match">^SELINUXTYPE=([\w]*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_etc_selinux_config:obj:1" version="1">
-          <ind:filepath>/etc/selinux/config</ind:filepath>
-          <ind:pattern operation="pattern match">^SELINUX=(.*)$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_proc_cpuinfo_64_bit:obj:1" version="1">
-          <ind:filepath>/proc/cpuinfo</ind:filepath>
-          <ind:pattern operation="pattern match">^flags\s+:\s+(.*)$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_proc_sys_kernel_osrelease_64_bit:obj:1" version="1">
-          <ind:filepath>/proc/sys/kernel/osrelease</ind:filepath>
-          <ind:pattern operation="pattern match">^.*\.(.*)$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_gnome_gdm_disable_xdmcp:obj:1" version="1">
-          <ind:filepath>/etc/gdm/custom.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*\[xdmcp\].*(?:\n\s*[^[\s].*)*\n^\s*Enable[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#)</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:file_object id="oval:ssg-obj_gnome_gdm_disable_xdmcp_config_file:obj:1" comment="The configuration file /etc/gdm/custom.conf for gnome_gdm_disable_xdmcp" version="1">
-          <unix:filepath operation="pattern match">^/etc/gdm/custom.conf</unix:filepath>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_prelinking_disabled:obj:1" version="2">
-          <ind:filepath>/etc/sysconfig/prelink</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*PRELINKING=no[\s]*</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_configure_bind_crypto_policy:obj:1" version="1">
-          <ind:filepath>/etc/named.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*include\s+"/etc/crypto-policies/back-ends/bind.config"\s*;\s*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:file_object id="oval:ssg-crypto_policies_current_file:obj:1" comment="crypto-policies current state" version="1">
-          <unix:filepath>/etc/crypto-policies/state/current</unix:filepath>
-        </unix:file_object>
-        <unix:file_object id="oval:ssg-crypto_policies_config_file:obj:1" comment="crypto-policies config state" version="1">
-          <unix:filepath datatype="string">/etc/crypto-policies/config</unix:filepath>
-        </unix:file_object>
-        <ind:variable_object comment="Crypto policy current file timestamp" id="oval:ssg-object_crypto_policies_config_file_modified_time:obj:1" version="1">
-          <ind:var_ref>oval:ssg-variable_crypto_policies_config_file_timestamp:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_configure_crypto_policy:obj:1" version="1">
-          <ind:filepath>/etc/crypto-policies/config</ind:filepath>
-          <ind:pattern operation="pattern match">^(?!#)(\S+)$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_configure_crypto_policy_current:obj:1" version="1">
-          <ind:filepath>/etc/crypto-policies/state/current</ind:filepath>
-          <ind:pattern operation="pattern match">^(?!#)(\S+)$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:file_object id="oval:ssg-object_crypto_policy_nss_config:obj:1" version="1">
-          <unix:filepath>/etc/crypto-policies/back-ends/nss.config</unix:filepath>
-        </unix:file_object>
-        <ind:variable_object id="oval:ssg-object_symlink_kerberos_crypto_policy_configuration:obj:1" version="1">
-          <ind:var_ref>oval:ssg-var_symlink_kerberos_crypto_policy_configuration:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:symlink_object comment="kerberos crypto-policy configuration softlink" id="oval:ssg-object_kerberos_crypto_policy_configuration:obj:1" version="1">
-          <unix:filepath>/etc/krb5.conf.d/crypto-policies</unix:filepath>
-        </unix:symlink_object>
-        <unix:symlink_object comment="kerberos crypto-policy backend softlink" id="oval:ssg-object_kerberos_crypto_policy_backend:obj:1" version="1">
-          <unix:filepath>/etc/crypto-policies/back-ends/krb5.config</unix:filepath>
-        </unix:symlink_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_configure_libreswan_crypto_policy:obj:1" version="1">
-          <ind:filepath>/etc/ipsec.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*include\s+/etc/crypto-policies/back-ends/libreswan.config\s*(?:#.*)?$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_configure_openssl_crypto_policy:obj:1" version="1">
-          <ind:filepath>/etc/pki/tls/openssl.cnf</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*\[\s*crypto_policy\s*\]\s*\n*\s*\.include\s*(?:=\s*)?/etc/crypto-policies/back-ends/opensslcnf.config\s*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_configure_ssh_crypto_policy:obj:1" version="1">
-          <ind:filepath>/etc/sysconfig/sshd</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*(?i)CRYPTO_POLICY\s*=.*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_harden_openssl_crypto_policy:obj:1" version="1">
-          <ind:filepath>/etc/crypto-policies/back-ends/opensslcnf.config</ind:filepath>
-          <ind:pattern operation="pattern match">^(?:.*\n)*\s*Ciphersuites\s*=\s*(.+?)[ \t]*(?:$|#)</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_harden_ssh_client_crypto_policy_Match:obj:1" version="1">
-          <ind:filepath>/etc/ssh/ssh_config.d/02-ospp.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[ \t]*Match[\s]+(.+?)[ \t]*(?:$|#)</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_harden_ssh_client_crypto_policy_RekeyLimit:obj:1" version="1">
-          <ind:filepath>/etc/ssh/ssh_config.d/02-ospp.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^Match final all(?:.*
-)*?\s*RekeyLimit[\s]+(.+?)[ \t]*(?:$|#)</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_harden_ssh_client_crypto_policy_GSSAPIAuthentication:obj:1" version="1">
-          <ind:filepath>/etc/ssh/ssh_config.d/02-ospp.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^Match final all(?:.*
-)*?\s*GSSAPIAuthentication[\s]+(.+?)[ \t]*(?:$|#)</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_harden_ssh_client_crypto_policy_Ciphers:obj:1" version="1">
-          <ind:filepath>/etc/ssh/ssh_config.d/02-ospp.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^Match final all(?:.*
-)*?\s*Ciphers[\s]+(.+?)[ \t]*(?:$|#)</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_harden_ssh_client_crypto_policy_PubkeyAcceptedKeyTypes:obj:1" version="1">
-          <ind:filepath>/etc/ssh/ssh_config.d/02-ospp.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^Match final all(?:.*
-)*?\s*PubkeyAcceptedKeyTypes[\s]+(.+?)[ \t]*(?:$|#)</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_harden_ssh_client_crypto_policy_MACs:obj:1" version="1">
-          <ind:filepath>/etc/ssh/ssh_config.d/02-ospp.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^Match final all(?:.*
-)*?\s*MACs[\s]+(.+?)[ \t]*(?:$|#)</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_harden_ssh_client_crypto_policy_KexAlgorithms:obj:1" version="1">
-          <ind:filepath>/etc/ssh/ssh_config.d/02-ospp.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^Match final all(?:.*
-)*?\s*KexAlgorithms[\s]+(.+?)[ \t]*(?:$|#)</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_harden_sshd_crypto_policy:obj:1" version="1">
-          <ind:filepath>/etc/crypto-policies/back-ends/opensshserver.config</ind:filepath>
-          <ind:pattern operation="pattern match">^(?:.*\n)*\s*CRYPTO_POLICY=(.+?)[ \t]*(?:$|#)</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <linux:rpminfo_object id="oval:ssg-obj_linuxshield_install_antivirus:obj:1" version="1">
-          <linux:name>McAfeeVSEForLinux</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_mcafee_runtime_installed:obj:1" version="1">
-          <linux:name>MFErt</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_mcafee_management_agent:obj:1" version="1">
-          <linux:name>MFEcma</linux:name>
-        </linux:rpminfo_object>
-        <unix:file_object id="oval:ssg-object_mcafee_accm_exists:obj:1" version="1">
-          <unix:path>/opt/McAfee/accm/bin</unix:path>
-          <unix:filename>accm</unix:filename>
-        </unix:file_object>
-        <unix:file_object id="oval:ssg-object_mcafee_auditengine_exists:obj:1" version="1">
-          <unix:path>/opt/McAfee/auditengine/bin</unix:path>
-          <unix:filename>auditmanager</unix:filename>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_enable_dracut_fips_module:obj:1" version="1">
-          <ind:filepath>/etc/dracut.conf.d/40-fips.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*add_dracutmodules\+="\s*(\w*)\s*"\s*(?:#.*)?$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-obj_system_crypto_policy_value:obj:1" version="1">
-          <ind:var_ref>oval:ssg-var_system_crypto_policy:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:file_object version="1" id="oval:ssg-object_etc_system_fips:obj:1">
-          <unix:filepath>/etc/system-fips</unix:filepath>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_grub2_enable_fips_mode:obj:1" version="1">
-          <ind:filepath>/etc/default/grub</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*GRUB_CMDLINE_LINUX="(.*)"$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_grub2_enable_fips_mode_default:obj:1" version="1">
-          <ind:filepath>/etc/default/grub</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*GRUB_CMDLINE_LINUX_DEFAULT="(.*)"$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_processor_aes_instruction:obj:1" version="1">
-          <ind:filepath>/proc/cpuinfo</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*flags[\s]*:[\s]*.*aes.*$</ind:pattern>
-          <ind:instance datatype="int" operation="equals">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <linux:rpminfo_object id="oval:ssg-obj_package_dracut-fips-aesni_installed:obj:1" version="1">
-          <linux:name>dracut-fips-aesni</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_package_dracut-fips_installed:obj:1" version="1">
-          <linux:name>dracut-fips</linux:name>
-        </linux:rpminfo_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_proc_sys_crypto_fips_enabled:obj:1" version="1">
-          <ind:filepath>/proc/sys/crypto/fips_enabled</ind:filepath>
-          <ind:pattern operation="pattern match">^1$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_aide_build_database_dirpath:obj:1" version="1">
-          <ind:filepath>/etc/aide.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^@@define[\s]DBDIR[\s]+(/.*)$</ind:pattern>
-          <ind:instance operation="equals" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_aide_build_new_database_filename:obj:1" version="1">
-          <ind:filepath>/etc/aide.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^database_out=file:@@{DBDIR}/([a-z.]+)$</ind:pattern>
-          <ind:instance operation="equals" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_aide_operational_database_filename:obj:1" version="1">
-          <ind:filepath>/etc/aide.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^database=file:@@{DBDIR}/([a-z.]+)$</ind:pattern>
-          <ind:instance operation="equals" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:file_object id="oval:ssg-object_aide_build_new_database_absolute_path:obj:1" version="1">
-          <unix:filepath var_ref="oval:ssg-variable_aide_build_new_database_absolute_path:var:1" var_check="at least one"/>
-        </unix:file_object>
-        <unix:file_object id="oval:ssg-object_aide_operational_database_absolute_path:obj:1" version="1">
-          <unix:filepath var_ref="oval:ssg-variable_aide_operational_database_absolute_path:var:1" var_check="at least one"/>
-        </unix:file_object>
-        <linux:rpmverifyfile_object id="oval:ssg-object_files_fail_user_ownership:obj:1" version="1" comment="rpm verify of all files">
-          <linux:behaviors nomd5="true" noghostfiles="true"/>
-          <linux:name operation="pattern match">.*</linux:name>
-          <linux:epoch operation="pattern match">.*</linux:epoch>
-          <linux:version operation="pattern match">.*</linux:version>
-          <linux:release operation="pattern match">.*</linux:release>
-          <linux:arch operation="pattern match">.*</linux:arch>
-          <linux:filepath operation="pattern match">.*</linux:filepath>
-          <oval-def:filter action="include">oval:ssg-state_files_fail_user_ownership:ste:1</oval-def:filter>
-        </linux:rpmverifyfile_object>
-        <linux:rpmverifyfile_object id="oval:ssg-object_files_fail_group_ownership:obj:1" version="1" comment="rpm verify of all files">
-          <linux:behaviors nomd5="true" noghostfiles="true"/>
-          <linux:name operation="pattern match">.*</linux:name>
-          <linux:epoch operation="pattern match">.*</linux:epoch>
-          <linux:version operation="pattern match">.*</linux:version>
-          <linux:release operation="pattern match">.*</linux:release>
-          <linux:arch operation="pattern match">.*</linux:arch>
-          <linux:filepath operation="pattern match">.*</linux:filepath>
-          <oval-def:filter action="include">oval:ssg-state_files_fail_group_ownership:ste:1</oval-def:filter>
-        </linux:rpmverifyfile_object>
-        <linux:rpmverifyfile_object id="oval:ssg-object_files_fail_mode:obj:1" version="1" comment="rpm verify of all files">
-          <linux:behaviors nomd5="true" noghostfiles="true"/>
-          <linux:name operation="pattern match">.*</linux:name>
-          <linux:epoch operation="pattern match">.*</linux:epoch>
-          <linux:version operation="pattern match">.*</linux:version>
-          <linux:release operation="pattern match">.*</linux:release>
-          <linux:arch operation="pattern match">.*</linux:arch>
-          <linux:filepath operation="pattern match">.*</linux:filepath>
-          <oval-def:filter action="include">oval:ssg-state_files_fail_mode:ste:1</oval-def:filter>
-        </linux:rpmverifyfile_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_no_authenticate_etc_sudoers:obj:1" version="1">
-          <ind:filepath>/etc/sudoers</ind:filepath>
-          <ind:pattern operation="pattern match">^(?!#).*[\s]+\!authenticate.*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_no_authenticate_etc_sudoers_d:obj:1" version="1">
-          <ind:path>/etc/sudoers.d</ind:path>
-          <ind:filename operation="pattern match">^.*$</ind:filename>
-          <ind:pattern operation="pattern match">^(?!#).*[\s]+\!authenticate.*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_nopasswd_etc_sudoers:obj:1" version="1">
-          <ind:filepath>/etc/sudoers</ind:filepath>
-          <ind:pattern operation="pattern match">^(?!#).*[\s]+NOPASSWD[\s]*\:.*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_nopasswd_etc_sudoers_d:obj:1" version="1">
-          <ind:path>/etc/sudoers.d</ind:path>
-          <ind:filename operation="pattern match">^.*$</ind:filename>
-          <ind:pattern operation="pattern match">^(?!#).*[\s]+NOPASSWD[\s]*\:.*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_vdsm_nopasswd_etc_sudoers:obj:1" version="1">
-          <ind:filepath>/etc/sudoers</ind:filepath>
-          <ind:pattern operation="pattern match">^(?!(#|vdsm.*)).*[\s]+NOPASSWD[\s]*\:.*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_vdsm_nopasswd_etc_sudoers_d:obj:1" version="1">
-          <ind:path>/etc/sudoers.d</ind:path>
-          <ind:filename operation="pattern match">^.*$</ind:filename>
-          <ind:pattern operation="pattern match">^(?!(#|vdsm.*)).*[\s]+NOPASSWD[\s]*\:.*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sudoers_explicit_command_args:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/sudoers(\.d/.*)?$</ind:filepath>
-          <ind:pattern operation="pattern match">^(?:\s*[^#=]+)=(?:\s*(?:\([^\)]+\))?\s*(?!\s*\()[^,\s]+(?:[ \t]+[^,\s]+)+[ \t]*,)*(\s*(?:\([^\)]+\))?\s*(?!\s*\()[^,\s]+[ \t]*(?:,|$))</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sudoers_no_command_negation:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/sudoers(\.d/.*)?$</ind:filepath>
-          <ind:pattern operation="pattern match">^(?:\s*[^#=]+)=(?:\s*(?:\([^\)]+\))?\s*(?!\s*\()[^,!\n][^,\n]+,)*\s*(?:\([^\)]+\))?\s*(?!\s*\()(!\S+).*</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-root_or_ALL_in_runas_spec:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/sudoers(\.d/.*)?$</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*((?!root\b)[\w]+)\s*(\w+)\s*=\s*(.*,)?\s*\([\w\s]*\b(root|ALL)\b[\w\s]*\)</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_no_runas_spec:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/sudoers(\.d/.*)?$</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*((?!root\b)[\w]+)\s*(\w+)\s*=\s*(.*,)?\s*[^\(\s]</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <linux:rpminfo_object id="oval:ssg-object_package_gpg-pubkey:obj:1" version="1">
-          <linux:name>gpg-pubkey</linux:name>
-        </linux:rpminfo_object>
-        <ind:textfilecontent54_object id="oval:ssg-audit_access_failed_object_whole_file_contents_tc_audit_rules_d_30_ospp_v42_3_access_failed_rules:obj:1" version="1">
-          <ind:behaviors singleline="true" multiline="false"/>
-          <ind:filepath>/etc/audit/rules.d/30-ospp-v42-3-access-failed.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^.*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-audit_access_success_object_whole_file_contents_tc_audit_rules_d_30_ospp_v42_3_access_success_rules:obj:1" version="1">
-          <ind:behaviors singleline="true" multiline="false"/>
-          <ind:filepath>/etc/audit/rules.d/30-ospp-v42-3-access-success.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^.*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-audit_basic_configuration_object_whole_file_contents_tc_audit_rules_d_10_base_config_rules:obj:1" version="1">
-          <ind:behaviors singleline="true" multiline="false"/>
-          <ind:filepath>/etc/audit/rules.d/10-base-config.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^.*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-audit_create_failed_object_whole_file_contents_tc_audit_rules_d_30_ospp_v42_1_create_failed_rules:obj:1" version="1">
-          <ind:behaviors singleline="true" multiline="false"/>
-          <ind:filepath>/etc/audit/rules.d/30-ospp-v42-1-create-failed.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^.*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-audit_create_success_object_whole_file_contents_tc_audit_rules_d_30_ospp_v42_1_create_success_rules:obj:1" version="1">
-          <ind:behaviors singleline="true" multiline="false"/>
-          <ind:filepath>/etc/audit/rules.d/30-ospp-v42-1-create-success.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^.*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-audit_delete_failed_object_whole_file_contents_tc_audit_rules_d_30_ospp_v42_4_delete_failed_rules:obj:1" version="1">
-          <ind:behaviors singleline="true" multiline="false"/>
-          <ind:filepath>/etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^.*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-audit_delete_success_object_whole_file_contents_tc_audit_rules_d_30_ospp_v42_4_delete_success_rules:obj:1" version="1">
-          <ind:behaviors singleline="true" multiline="false"/>
-          <ind:filepath>/etc/audit/rules.d/30-ospp-v42-4-delete-success.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^.*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-audit_immutable_login_uids_object_whole_file_contents_tc_audit_rules_d_11_loginuid_rules:obj:1" version="1">
-          <ind:behaviors singleline="true" multiline="false"/>
-          <ind:filepath>/etc/audit/rules.d/11-loginuid.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^.*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-audit_modify_failed_object_whole_file_contents_tc_audit_rules_d_30_ospp_v42_2_modify_failed_rules:obj:1" version="1">
-          <ind:behaviors singleline="true" multiline="false"/>
-          <ind:filepath>/etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^.*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-audit_modify_success_object_whole_file_contents_tc_audit_rules_d_30_ospp_v42_2_modify_success_rules:obj:1" version="1">
-          <ind:behaviors singleline="true" multiline="false"/>
-          <ind:filepath>/etc/audit/rules.d/30-ospp-v42-2-modify-success.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^.*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-audit_module_load_object_whole_file_contents_tc_audit_rules_d_43_module_load_rules:obj:1" version="1">
-          <ind:behaviors singleline="true" multiline="false"/>
-          <ind:filepath>/etc/audit/rules.d/43-module-load.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^.*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-audit_ospp_general_object_whole_file_contents_tc_audit_rules_d_30_ospp_v42_rules:obj:1" version="1">
-          <ind:behaviors singleline="true" multiline="false"/>
-          <ind:filepath>/etc/audit/rules.d/30-ospp-v42.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^.*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-audit_owner_change_failed_object_whole_file_contents_tc_audit_rules_d_30_ospp_v42_6_owner_change_failed_rules:obj:1" version="1">
-          <ind:behaviors singleline="true" multiline="false"/>
-          <ind:filepath>/etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^.*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-audit_owner_change_success_object_whole_file_contents_tc_audit_rules_d_30_ospp_v42_6_owner_change_success_rules:obj:1" version="1">
-          <ind:behaviors singleline="true" multiline="false"/>
-          <ind:filepath>/etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^.*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-audit_perm_change_failed_object_whole_file_contents_tc_audit_rules_d_30_ospp_v42_5_perm_change_failed_rules:obj:1" version="1">
-          <ind:behaviors singleline="true" multiline="false"/>
-          <ind:filepath>/etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^.*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-audit_perm_change_success_object_whole_file_contents_tc_audit_rules_d_30_ospp_v42_5_perm_change_success_rules:obj:1" version="1">
-          <ind:behaviors singleline="true" multiline="false"/>
-          <ind:filepath>/etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^.*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_privileged_commands_init_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/init[\s]+-F[\s]+auid&gt;=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_privileged_commands_init_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/init[\s]+-F[\s]+auid&gt;=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_privileged_commands_poweroff_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/poweroff[\s]+-F[\s]+auid&gt;=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_privileged_commands_poweroff_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/poweroff[\s]+-F[\s]+auid&gt;=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_privileged_commands_reboot_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/reboot[\s]+-F[\s]+auid&gt;=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_privileged_commands_reboot_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/reboot[\s]+-F[\s]+auid&gt;=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_privileged_commands_shutdown_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/shutdown[\s]+-F[\s]+auid&gt;=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_privileged_commands_shutdown_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/shutdown[\s]+-F[\s]+auid&gt;=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_ardm_chmod_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_ardm_chmod_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_ardm_chmod_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_ardm_chmod_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_ardm_chown_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_ardm_chown_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_ardm_chown_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_ardm_chown_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_ardm_fchmod_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_ardm_fchmod_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_ardm_fchmod_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_ardm_fchmod_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_ardm_fchmodat_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_ardm_fchmodat_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_ardm_fchmodat_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_ardm_fchmodat_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_ardm_fchown_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_ardm_fchown_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_ardm_fchown_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_ardm_fchown_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_ardm_fchownat_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_ardm_fchownat_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_ardm_fchownat_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_ardm_fchownat_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_ardm_fremovexattr_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_ardm_fremovexattr_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_ardm_fremovexattr_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_ardm_fremovexattr_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_ardm_fsetxattr_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_ardm_fsetxattr_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_ardm_fsetxattr_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_ardm_fsetxattr_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_ardm_lchown_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_ardm_lchown_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_ardm_lchown_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_ardm_lchown_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_ardm_lremovexattr_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_ardm_lremovexattr_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_ardm_lremovexattr_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_ardm_lremovexattr_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_ardm_lsetxattr_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_ardm_lsetxattr_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_ardm_lsetxattr_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_ardm_lsetxattr_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_ardm_removexattr_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_ardm_removexattr_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_ardm_removexattr_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_ardm_removexattr_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_ardm_setxattr_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_ardm_setxattr_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_ardm_setxattr_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_ardm_setxattr_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_ardm_umount2_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+umount2[\s]+|([\s]+|[,])umount2([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_ardm_umount2_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+umount2[\s]+|([\s]+|[,])umount2([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_ardm_umount2_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+umount2[\s]+|([\s]+|[,])umount2([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_ardm_umount2_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+umount2[\s]+|([\s]+|[,])umount2([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_tc_group_open_32bit_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_32bit_open_write_tc_group_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_tc_group_open_64bit_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_64bit_open_write_tc_group_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_tc_group_open_32bit_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_32bit_open_write_tc_group_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_tc_group_open_64bit_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_64bit_open_write_tc_group_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_tc_group_open_by_handle_at_32bit_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_32bit_open_by_handle_at_write_tc_group_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_tc_group_open_by_handle_at_64bit_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_64bit_open_by_handle_at_write_tc_group_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_tc_group_open_by_handle_at_32bit_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_32bit_open_by_handle_at_write_tc_group_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_tc_group_open_by_handle_at_64bit_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_64bit_open_by_handle_at_write_tc_group_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_tc_group_openat_32bit_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_32bit_openat_write_tc_group_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_tc_group_openat_64bit_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_64bit_openat_write_tc_group_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_tc_group_openat_32bit_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_32bit_openat_write_tc_group_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_tc_group_openat_64bit_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_64bit_openat_write_tc_group_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_tc_gshadow_open_32bit_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_32bit_open_write_tc_gshadow_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_tc_gshadow_open_64bit_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_64bit_open_write_tc_gshadow_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_tc_gshadow_open_32bit_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_32bit_open_write_tc_gshadow_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_tc_gshadow_open_64bit_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_64bit_open_write_tc_gshadow_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_tc_gshadow_open_by_handle_at_32bit_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_32bit_open_by_handle_at_write_tc_gshadow_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_tc_gshadow_open_by_handle_at_64bit_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_64bit_open_by_handle_at_write_tc_gshadow_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_tc_gshadow_open_by_handle_at_32bit_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_32bit_open_by_handle_at_write_tc_gshadow_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_tc_gshadow_open_by_handle_at_64bit_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_64bit_open_by_handle_at_write_tc_gshadow_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_tc_gshadow_openat_32bit_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_32bit_openat_write_tc_gshadow_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_tc_gshadow_openat_64bit_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_64bit_openat_write_tc_gshadow_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_tc_gshadow_openat_32bit_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_32bit_openat_write_tc_gshadow_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_tc_gshadow_openat_64bit_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_64bit_openat_write_tc_gshadow_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_tc_passwd_open_32bit_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_32bit_open_write_tc_passwd_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_tc_passwd_open_64bit_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_64bit_open_write_tc_passwd_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_tc_passwd_open_32bit_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_32bit_open_write_tc_passwd_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_tc_passwd_open_64bit_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_64bit_open_write_tc_passwd_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_tc_passwd_open_by_handle_at_32bit_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_32bit_open_by_handle_at_write_tc_passwd_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_tc_passwd_open_by_handle_at_64bit_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_64bit_open_by_handle_at_write_tc_passwd_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_tc_passwd_open_by_handle_at_32bit_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_32bit_open_by_handle_at_write_tc_passwd_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_tc_passwd_open_by_handle_at_64bit_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_64bit_open_by_handle_at_write_tc_passwd_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_tc_passwd_openat_32bit_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_32bit_openat_write_tc_passwd_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_tc_passwd_openat_64bit_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_64bit_openat_write_tc_passwd_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_tc_passwd_openat_32bit_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_32bit_openat_write_tc_passwd_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_tc_passwd_openat_64bit_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_64bit_openat_write_tc_passwd_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_tc_shadow_open_32bit_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_32bit_open_write_tc_shadow_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_tc_shadow_open_64bit_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_64bit_open_write_tc_shadow_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_tc_shadow_open_32bit_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_32bit_open_write_tc_shadow_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_tc_shadow_open_64bit_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_64bit_open_write_tc_shadow_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_tc_shadow_open_by_handle_at_32bit_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_32bit_open_by_handle_at_write_tc_shadow_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_tc_shadow_open_by_handle_at_64bit_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_64bit_open_by_handle_at_write_tc_shadow_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_tc_shadow_open_by_handle_at_32bit_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_32bit_open_by_handle_at_write_tc_shadow_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_tc_shadow_open_by_handle_at_64bit_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_64bit_open_by_handle_at_write_tc_shadow_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_tc_shadow_openat_32bit_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_32bit_openat_write_tc_shadow_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_tc_shadow_openat_64bit_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_64bit_openat_write_tc_shadow_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_tc_shadow_openat_32bit_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_32bit_openat_write_tc_shadow_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_tc_shadow_openat_64bit_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_64bit_openat_write_tc_shadow_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_execution_chcon_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chcon[\s]+-F[\s]+auid&gt;=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_execution_chcon_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chcon[\s]+-F[\s]+auid&gt;=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_execution_restorecon_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/restorecon[\s]+-F[\s]+auid&gt;=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_execution_restorecon_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/restorecon[\s]+-F[\s]+auid&gt;=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_execution_semanage_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/semanage[\s]+-F[\s]+auid&gt;=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_execution_semanage_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/semanage[\s]+-F[\s]+auid&gt;=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_execution_setfiles_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/setfiles[\s]+-F[\s]+auid&gt;=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_execution_setfiles_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/setfiles[\s]+-F[\s]+auid&gt;=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_execution_setsebool_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/setsebool[\s]+-F[\s]+auid&gt;=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_execution_setsebool_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/setsebool[\s]+-F[\s]+auid&gt;=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_execution_seunshare_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/seunshare[\s]+-F[\s]+auid&gt;=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_execution_seunshare_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/seunshare[\s]+-F[\s]+auid&gt;=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_ardm_rename_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_ardm_rename_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_ardm_rename_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_ardm_rename_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_ardm_renameat_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_ardm_renameat_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_ardm_renameat_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_ardm_renameat_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_ardm_rmdir_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rmdir[\s]+|([\s]+|[,])rmdir([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_ardm_rmdir_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rmdir[\s]+|([\s]+|[,])rmdir([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_ardm_rmdir_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rmdir[\s]+|([\s]+|[,])rmdir([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_ardm_rmdir_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rmdir[\s]+|([\s]+|[,])rmdir([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_ardm_unlink_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_ardm_unlink_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_ardm_unlink_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_ardm_unlink_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_ardm_unlinkat_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_ardm_unlinkat_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_ardm_unlinkat_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_ardm_unlinkat_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arle_faillock_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^\-w[\s]+\/var\/run\/faillock[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arle_faillock_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^\-w[\s]+\/var\/run\/faillock[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arle_lastlog_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^\-w[\s]+\/var\/log\/lastlog[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arle_lastlog_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^\-w[\s]+\/var\/log\/lastlog[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arle_tallylog_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^\-w[\s]+\/var\/log\/tallylog[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arle_tallylog_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^\-w[\s]+\/var\/log\/tallylog[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_ardm_mount_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+mount[\s]+|([\s]+|[,])mount([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_ardm_mount_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+mount[\s]+|([\s]+|[,])mount([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_ardm_mount_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+mount[\s]+|([\s]+|[,])mount([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_ardm_mount_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+mount[\s]+|([\s]+|[,])mount([\s]+|[,])))(?:.*-F\s+auid&gt;=1000[\s]+)(?:.*-F\s+auid!=(?:4294967295|unset)[\s]+).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_privileged_commands_at_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/at[\s]+-F[\s]+auid&gt;=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_privileged_commands_at_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/at[\s]+-F[\s]+auid&gt;=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_privileged_commands_chage_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chage[\s]+-F[\s]+auid&gt;=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_privileged_commands_chage_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chage[\s]+-F[\s]+auid&gt;=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_privileged_commands_chsh_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chsh[\s]+-F[\s]+auid&gt;=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_privileged_commands_chsh_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/chsh[\s]+-F[\s]+auid&gt;=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_privileged_commands_crontab_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/crontab[\s]+-F[\s]+auid&gt;=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_privileged_commands_crontab_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/crontab[\s]+-F[\s]+auid&gt;=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_privileged_commands_gpasswd_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/gpasswd[\s]+-F[\s]+auid&gt;=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_privileged_commands_gpasswd_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/gpasswd[\s]+-F[\s]+auid&gt;=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_privileged_commands_mount_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/mount[\s]+-F[\s]+auid&gt;=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_privileged_commands_mount_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/mount[\s]+-F[\s]+auid&gt;=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_privileged_commands_newgidmap_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/newgidmap[\s]+-F[\s]+auid&gt;=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_privileged_commands_newgidmap_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/newgidmap[\s]+-F[\s]+auid&gt;=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_privileged_commands_newgrp_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/newgrp[\s]+-F[\s]+auid&gt;=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_privileged_commands_newgrp_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/newgrp[\s]+-F[\s]+auid&gt;=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_privileged_commands_newuidmap_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/newuidmap[\s]+-F[\s]+auid&gt;=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_privileged_commands_newuidmap_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/newuidmap[\s]+-F[\s]+auid&gt;=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_privileged_commands_pam_timestamp_check_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/pam_timestamp_check[\s]+-F[\s]+auid&gt;=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_privileged_commands_pam_timestamp_check_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/pam_timestamp_check[\s]+-F[\s]+auid&gt;=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_privileged_commands_passwd_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/passwd[\s]+-F[\s]+auid&gt;=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_privileged_commands_passwd_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/passwd[\s]+-F[\s]+auid&gt;=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_privileged_commands_postdrop_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/postdrop[\s]+-F[\s]+auid&gt;=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_privileged_commands_postdrop_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/postdrop[\s]+-F[\s]+auid&gt;=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_privileged_commands_postqueue_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/postqueue[\s]+-F[\s]+auid&gt;=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_privileged_commands_postqueue_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/postqueue[\s]+-F[\s]+auid&gt;=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_privileged_commands_pt_chown_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/libexec\/pt_chown[\s]+-F[\s]+auid&gt;=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_privileged_commands_pt_chown_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/libexec\/pt_chown[\s]+-F[\s]+auid&gt;=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_privileged_commands_ssh_keysign_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/libexec\/openssh\/ssh-keysign[\s]+-F[\s]+auid&gt;=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_privileged_commands_ssh_keysign_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/libexec\/openssh\/ssh-keysign[\s]+-F[\s]+auid&gt;=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_privileged_commands_su_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/su[\s]+-F[\s]+auid&gt;=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_privileged_commands_su_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/su[\s]+-F[\s]+auid&gt;=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_privileged_commands_sudo_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/sudo[\s]+-F[\s]+auid&gt;=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_privileged_commands_sudo_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/sudo[\s]+-F[\s]+auid&gt;=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_privileged_commands_sudoedit_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/sudoedit[\s]+-F[\s]+auid&gt;=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_privileged_commands_sudoedit_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/sudoedit[\s]+-F[\s]+auid&gt;=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_privileged_commands_umount_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/umount[\s]+-F[\s]+auid&gt;=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_privileged_commands_umount_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/bin\/umount[\s]+-F[\s]+auid&gt;=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_privileged_commands_unix_chkpwd_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/unix_chkpwd[\s]+-F[\s]+auid&gt;=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_privileged_commands_unix_chkpwd_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/unix_chkpwd[\s]+-F[\s]+auid&gt;=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_privileged_commands_userhelper_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/userhelper[\s]+-F[\s]+auid&gt;=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_privileged_commands_userhelper_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/userhelper[\s]+-F[\s]+auid&gt;=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_privileged_commands_usernetctl_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/usernetctl[\s]+-F[\s]+auid&gt;=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_privileged_commands_usernetctl_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+-F[\s]+path=\/usr\/sbin\/usernetctl[\s]+-F[\s]+auid&gt;=1000[\s]+-F[\s]+auid!=(?:4294967295|unset|-1)[\s]+(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eacces_chmod_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eacces_chmod_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eperm_chmod_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eperm_chmod_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eacces_chmod_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eacces_chmod_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eperm_chmod_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eperm_chmod_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eacces_chmod_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eacces_chmod_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eperm_chmod_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eperm_chmod_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eacces_chmod_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eacces_chmod_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eperm_chmod_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eperm_chmod_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eacces_chown_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eacces_chown_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eperm_chown_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eperm_chown_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eacces_chown_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eacces_chown_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eperm_chown_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eperm_chown_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eacces_chown_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eacces_chown_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eperm_chown_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eperm_chown_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eacces_chown_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eacces_chown_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eperm_chown_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eperm_chown_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eacces_creat_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eacces_creat_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eperm_creat_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eperm_creat_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eacces_creat_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eacces_creat_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eperm_creat_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eperm_creat_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eacces_creat_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eacces_creat_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eperm_creat_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eperm_creat_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eacces_creat_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eacces_creat_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eperm_creat_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eperm_creat_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eacces_fchmod_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eacces_fchmod_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eperm_fchmod_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eperm_fchmod_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eacces_fchmod_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eacces_fchmod_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eperm_fchmod_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eperm_fchmod_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eacces_fchmod_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eacces_fchmod_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eperm_fchmod_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eperm_fchmod_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eacces_fchmod_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eacces_fchmod_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eperm_fchmod_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eperm_fchmod_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eacces_fchmodat_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eacces_fchmodat_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eperm_fchmodat_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eperm_fchmodat_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eacces_fchmodat_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eacces_fchmodat_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eperm_fchmodat_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eperm_fchmodat_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eacces_fchmodat_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eacces_fchmodat_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eperm_fchmodat_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eperm_fchmodat_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eacces_fchmodat_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eacces_fchmodat_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eperm_fchmodat_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eperm_fchmodat_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eacces_fchown_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eacces_fchown_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eperm_fchown_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eperm_fchown_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eacces_fchown_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eacces_fchown_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eperm_fchown_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eperm_fchown_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eacces_fchown_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eacces_fchown_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eperm_fchown_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eperm_fchown_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eacces_fchown_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eacces_fchown_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eperm_fchown_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eperm_fchown_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eacces_fchownat_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eacces_fchownat_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eperm_fchownat_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eperm_fchownat_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eacces_fchownat_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eacces_fchownat_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eperm_fchownat_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eperm_fchownat_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eacces_fchownat_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eacces_fchownat_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eperm_fchownat_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eperm_fchownat_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eacces_fchownat_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eacces_fchownat_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eperm_fchownat_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eperm_fchownat_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eacces_fremovexattr_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eacces_fremovexattr_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eperm_fremovexattr_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eperm_fremovexattr_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eacces_fremovexattr_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eacces_fremovexattr_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eperm_fremovexattr_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eperm_fremovexattr_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eacces_fremovexattr_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eacces_fremovexattr_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eperm_fremovexattr_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eperm_fremovexattr_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eacces_fremovexattr_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eacces_fremovexattr_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eperm_fremovexattr_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eperm_fremovexattr_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eacces_fsetxattr_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eacces_fsetxattr_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eperm_fsetxattr_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eperm_fsetxattr_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eacces_fsetxattr_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eacces_fsetxattr_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eperm_fsetxattr_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eperm_fsetxattr_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eacces_fsetxattr_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eacces_fsetxattr_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eperm_fsetxattr_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eperm_fsetxattr_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eacces_fsetxattr_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eacces_fsetxattr_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eperm_fsetxattr_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eperm_fsetxattr_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eacces_ftruncate_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eacces_ftruncate_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eperm_ftruncate_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eperm_ftruncate_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eacces_ftruncate_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eacces_ftruncate_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eperm_ftruncate_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eperm_ftruncate_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eacces_ftruncate_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eacces_ftruncate_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eperm_ftruncate_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eperm_ftruncate_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eacces_ftruncate_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eacces_ftruncate_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eperm_ftruncate_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eperm_ftruncate_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eacces_lchown_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eacces_lchown_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eperm_lchown_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eperm_lchown_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eacces_lchown_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eacces_lchown_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eperm_lchown_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eperm_lchown_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eacces_lchown_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eacces_lchown_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eperm_lchown_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eperm_lchown_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eacces_lchown_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eacces_lchown_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eperm_lchown_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eperm_lchown_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eacces_lremovexattr_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eacces_lremovexattr_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eperm_lremovexattr_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eperm_lremovexattr_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eacces_lremovexattr_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eacces_lremovexattr_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eperm_lremovexattr_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eperm_lremovexattr_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eacces_lremovexattr_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eacces_lremovexattr_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eperm_lremovexattr_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eperm_lremovexattr_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eacces_lremovexattr_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eacces_lremovexattr_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eperm_lremovexattr_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eperm_lremovexattr_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eacces_lsetxattr_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eacces_lsetxattr_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eperm_lsetxattr_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eperm_lsetxattr_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eacces_lsetxattr_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eacces_lsetxattr_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eperm_lsetxattr_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eperm_lsetxattr_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eacces_lsetxattr_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eacces_lsetxattr_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eperm_lsetxattr_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eperm_lsetxattr_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eacces_lsetxattr_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eacces_lsetxattr_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eperm_lsetxattr_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eperm_lsetxattr_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eacces_open_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eacces_open_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eperm_open_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eperm_open_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eacces_open_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eacces_open_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eperm_open_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eperm_open_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eacces_open_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eacces_open_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eperm_open_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eperm_open_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eacces_open_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eacces_open_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eperm_open_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eperm_open_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eacces_open_by_handle_at_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eacces_open_by_handle_at_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eperm_open_by_handle_at_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eperm_open_by_handle_at_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eacces_open_by_handle_at_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eacces_open_by_handle_at_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eperm_open_by_handle_at_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eperm_open_by_handle_at_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eacces_open_by_handle_at_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eacces_open_by_handle_at_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eperm_open_by_handle_at_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eperm_open_by_handle_at_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eacces_open_by_handle_at_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eacces_open_by_handle_at_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eperm_open_by_handle_at_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eperm_open_by_handle_at_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_by_handle_at_o_creat_32bit_a20100_eacces_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_by_handle_at_o_creat_32bit_a20100_eacces_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_by_handle_at_o_creat_32bit_a20100_eperm_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_by_handle_at_o_creat_32bit_a20100_eperm_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_by_handle_at_o_creat_64bit_a20100_eacces_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_by_handle_at_o_creat_64bit_a20100_eacces_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_by_handle_at_o_creat_64bit_a20100_eperm_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_by_handle_at_o_creat_64bit_a20100_eperm_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_by_handle_at_o_creat_32bit_a20100_eacces_auditctl:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_by_handle_at_o_creat_32bit_a20100_eacces_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_by_handle_at_o_creat_32bit_a20100_eperm_auditctl:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_by_handle_at_o_creat_32bit_a20100_eperm_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_by_handle_at_o_creat_64bit_a20100_eacces_auditctl:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_by_handle_at_o_creat_64bit_a20100_eacces_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_by_handle_at_o_creat_64bit_a20100_eperm_auditctl:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_by_handle_at_o_creat_64bit_a20100_eperm_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_by_handle_at_o_trunc_32bit_a201003_eacces_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_by_handle_at_o_trunc_32bit_a201003_eacces_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_by_handle_at_o_trunc_32bit_a201003_eperm_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_by_handle_at_o_trunc_32bit_a201003_eperm_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_by_handle_at_o_trunc_64bit_a201003_eacces_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_by_handle_at_o_trunc_64bit_a201003_eacces_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_by_handle_at_o_trunc_64bit_a201003_eperm_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_by_handle_at_o_trunc_64bit_a201003_eperm_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_by_handle_at_o_trunc_32bit_a201003_eacces_auditctl:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_by_handle_at_o_trunc_32bit_a201003_eacces_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_by_handle_at_o_trunc_32bit_a201003_eperm_auditctl:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_by_handle_at_o_trunc_32bit_a201003_eperm_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_by_handle_at_o_trunc_64bit_a201003_eacces_auditctl:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_by_handle_at_o_trunc_64bit_a201003_eacces_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_by_handle_at_o_trunc_64bit_a201003_eperm_auditctl:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_by_handle_at_o_trunc_64bit_a201003_eperm_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_by_handle_at_order_32bit_a20100_eacces_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_by_handle_at_order_32bit_a20100_eacces_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_by_handle_at_order_32bit_a201003_eacces_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_by_handle_at_order_32bit_a201003_eacces_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_by_handle_at_order_nofilter_32bit_eacces_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_by_handle_at_order_32bit_eacces_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_by_handle_at_order_32bit_eacces_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_arufm_rule_order_32bit_open_by_handle_at_eacces_augenrules_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_by_handle_at_order_32bit_a20100_eperm_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_by_handle_at_order_32bit_a20100_eperm_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_by_handle_at_order_32bit_a201003_eperm_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_by_handle_at_order_32bit_a201003_eperm_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_by_handle_at_order_nofilter_32bit_eperm_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_by_handle_at_order_32bit_eperm_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_by_handle_at_order_32bit_eperm_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_arufm_rule_order_32bit_open_by_handle_at_eperm_augenrules_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_by_handle_at_order_64bit_a20100_eacces_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_by_handle_at_order_64bit_a20100_eacces_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_by_handle_at_order_64bit_a201003_eacces_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_by_handle_at_order_64bit_a201003_eacces_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_by_handle_at_order_nofilter_64bit_eacces_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_by_handle_at_order_64bit_eacces_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_by_handle_at_order_64bit_eacces_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_arufm_rule_order_64bit_open_by_handle_at_eacces_augenrules_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_by_handle_at_order_64bit_a20100_eperm_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_by_handle_at_order_64bit_a20100_eperm_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_by_handle_at_order_64bit_a201003_eperm_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_by_handle_at_order_64bit_a201003_eperm_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_by_handle_at_order_nofilter_64bit_eperm_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_by_handle_at_order_64bit_eperm_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_by_handle_at_order_64bit_eperm_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_arufm_rule_order_64bit_open_by_handle_at_eperm_augenrules_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_by_handle_at_order_32bit_a20100_eacces_auditctl:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_by_handle_at_order_32bit_a20100_eacces_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_by_handle_at_order_32bit_a201003_eacces_auditctl:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_by_handle_at_order_32bit_a201003_eacces_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_by_handle_at_order_nofilter_32bit_eacces_auditctl:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_by_handle_at_order_32bit_eacces_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_by_handle_at_order_32bit_eacces_auditctl:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_arufm_rule_order_32bit_open_by_handle_at_auditctl_eacces_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_by_handle_at_order_32bit_a20100_eperm_auditctl:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_by_handle_at_order_32bit_a20100_eperm_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_by_handle_at_order_32bit_a201003_eperm_auditctl:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_by_handle_at_order_32bit_a201003_eperm_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_by_handle_at_order_nofilter_32bit_eperm_auditctl:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_by_handle_at_order_32bit_eperm_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_by_handle_at_order_32bit_eperm_auditctl:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_arufm_rule_order_32bit_open_by_handle_at_auditctl_eperm_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_by_handle_at_order_64bit_a20100_eacces_auditctl:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_by_handle_at_order_64bit_a20100_eacces_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_by_handle_at_order_64bit_a201003_eacces_auditctl:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_by_handle_at_order_64bit_a201003_eacces_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_by_handle_at_order_nofilter_64bit_eacces_auditctl:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_by_handle_at_order_64bit_eacces_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_by_handle_at_order_64bit_eacces_auditctl:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_arufm_open_by_handle_at_order_64bit_auditctl_eacces_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_by_handle_at_order_64bit_a20100_eperm_auditctl:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_by_handle_at_order_64bit_a20100_eperm_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_by_handle_at_order_64bit_a201003_eperm_auditctl:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_by_handle_at_order_64bit_a201003_eperm_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_by_handle_at_order_nofilter_64bit_eperm_auditctl:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_by_handle_at_order_64bit_eperm_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_by_handle_at_order_64bit_eperm_auditctl:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_arufm_rule_order_64bit_open_by_handle_at_auditctl_eperm_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_o_creat_32bit_a20100_eacces_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_o_creat_32bit_a20100_eacces_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_o_creat_32bit_a20100_eperm_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_o_creat_32bit_a20100_eperm_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_o_creat_64bit_a20100_eacces_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_o_creat_64bit_a20100_eacces_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_o_creat_64bit_a20100_eperm_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_o_creat_64bit_a20100_eperm_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_o_creat_32bit_a20100_eacces_auditctl:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_o_creat_32bit_a20100_eacces_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_o_creat_32bit_a20100_eperm_auditctl:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_o_creat_32bit_a20100_eperm_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_o_creat_64bit_a20100_eacces_auditctl:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_o_creat_64bit_a20100_eacces_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_o_creat_64bit_a20100_eperm_auditctl:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_o_creat_64bit_a20100_eperm_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_o_trunc_32bit_a201003_eacces_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_o_trunc_32bit_a201003_eacces_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_o_trunc_32bit_a201003_eperm_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_o_trunc_32bit_a201003_eperm_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_o_trunc_64bit_a201003_eacces_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_o_trunc_64bit_a201003_eacces_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_o_trunc_64bit_a201003_eperm_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_o_trunc_64bit_a201003_eperm_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_o_trunc_32bit_a201003_eacces_auditctl:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_o_trunc_32bit_a201003_eacces_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_o_trunc_32bit_a201003_eperm_auditctl:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_o_trunc_32bit_a201003_eperm_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_o_trunc_64bit_a201003_eacces_auditctl:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_o_trunc_64bit_a201003_eacces_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_o_trunc_64bit_a201003_eperm_auditctl:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_o_trunc_64bit_a201003_eperm_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_order_32bit_a20100_eacces_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_order_32bit_a20100_eacces_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_order_32bit_a201003_eacces_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_order_32bit_a201003_eacces_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_order_nofilter_32bit_eacces_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_order_32bit_eacces_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_order_32bit_eacces_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_arufm_rule_order_32bit_open_eacces_augenrules_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_order_32bit_a20100_eperm_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_order_32bit_a20100_eperm_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_order_32bit_a201003_eperm_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_order_32bit_a201003_eperm_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_order_nofilter_32bit_eperm_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_order_32bit_eperm_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_order_32bit_eperm_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_arufm_rule_order_32bit_open_eperm_augenrules_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_order_64bit_a20100_eacces_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_order_64bit_a20100_eacces_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_order_64bit_a201003_eacces_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_order_64bit_a201003_eacces_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_order_nofilter_64bit_eacces_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_order_64bit_eacces_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_order_64bit_eacces_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_arufm_rule_order_64bit_open_eacces_augenrules_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_order_64bit_a20100_eperm_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_order_64bit_a20100_eperm_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_order_64bit_a201003_eperm_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_order_64bit_a201003_eperm_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_order_nofilter_64bit_eperm_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_order_64bit_eperm_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_order_64bit_eperm_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_arufm_rule_order_64bit_open_eperm_augenrules_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_order_32bit_a20100_eacces_auditctl:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_order_32bit_a20100_eacces_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_order_32bit_a201003_eacces_auditctl:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_order_32bit_a201003_eacces_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_order_nofilter_32bit_eacces_auditctl:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_order_32bit_eacces_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_order_32bit_eacces_auditctl:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_arufm_rule_order_32bit_open_auditctl_eacces_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_order_32bit_a20100_eperm_auditctl:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_order_32bit_a20100_eperm_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_order_32bit_a201003_eperm_auditctl:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_order_32bit_a201003_eperm_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_order_nofilter_32bit_eperm_auditctl:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_order_32bit_eperm_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_order_32bit_eperm_auditctl:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_arufm_rule_order_32bit_open_auditctl_eperm_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_order_64bit_a20100_eacces_auditctl:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_order_64bit_a20100_eacces_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_order_64bit_a201003_eacces_auditctl:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_order_64bit_a201003_eacces_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_order_nofilter_64bit_eacces_auditctl:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_order_64bit_eacces_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_order_64bit_eacces_auditctl:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_arufm_open_order_64bit_auditctl_eacces_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_order_64bit_a20100_eperm_auditctl:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_order_64bit_a20100_eperm_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_order_64bit_a201003_eperm_auditctl:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_order_64bit_a201003_eperm_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_order_nofilter_64bit_eperm_auditctl:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_open_order_64bit_eperm_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_open_order_64bit_eperm_auditctl:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_arufm_rule_order_64bit_open_auditctl_eperm_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eacces_openat_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eacces_openat_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eperm_openat_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eperm_openat_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eacces_openat_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eacces_openat_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eperm_openat_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eperm_openat_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eacces_openat_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eacces_openat_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eperm_openat_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eperm_openat_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eacces_openat_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eacces_openat_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eperm_openat_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eperm_openat_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_openat_o_creat_32bit_a20100_eacces_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_openat_o_creat_32bit_a20100_eacces_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_openat_o_creat_32bit_a20100_eperm_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_openat_o_creat_32bit_a20100_eperm_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_openat_o_creat_64bit_a20100_eacces_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_openat_o_creat_64bit_a20100_eacces_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_openat_o_creat_64bit_a20100_eperm_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_openat_o_creat_64bit_a20100_eperm_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_openat_o_creat_32bit_a20100_eacces_auditctl:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_openat_o_creat_32bit_a20100_eacces_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_openat_o_creat_32bit_a20100_eperm_auditctl:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_openat_o_creat_32bit_a20100_eperm_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_openat_o_creat_64bit_a20100_eacces_auditctl:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_openat_o_creat_64bit_a20100_eacces_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_openat_o_creat_64bit_a20100_eperm_auditctl:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_openat_o_creat_64bit_a20100_eperm_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_openat_o_trunc_32bit_a201003_eacces_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_openat_o_trunc_32bit_a201003_eacces_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_openat_o_trunc_32bit_a201003_eperm_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_openat_o_trunc_32bit_a201003_eperm_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_openat_o_trunc_64bit_a201003_eacces_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_openat_o_trunc_64bit_a201003_eacces_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_openat_o_trunc_64bit_a201003_eperm_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_openat_o_trunc_64bit_a201003_eperm_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_openat_o_trunc_32bit_a201003_eacces_auditctl:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_openat_o_trunc_32bit_a201003_eacces_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_openat_o_trunc_32bit_a201003_eperm_auditctl:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_openat_o_trunc_32bit_a201003_eperm_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_openat_o_trunc_64bit_a201003_eacces_auditctl:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_openat_o_trunc_64bit_a201003_eacces_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_openat_o_trunc_64bit_a201003_eperm_auditctl:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_openat_o_trunc_64bit_a201003_eperm_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_openat_order_32bit_a20100_eacces_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_openat_order_32bit_a20100_eacces_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_openat_order_32bit_a201003_eacces_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_openat_order_32bit_a201003_eacces_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_openat_order_nofilter_32bit_eacces_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_openat_order_32bit_eacces_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_openat_order_32bit_eacces_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_arufm_rule_order_32bit_openat_eacces_augenrules_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_openat_order_32bit_a20100_eperm_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_openat_order_32bit_a20100_eperm_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_openat_order_32bit_a201003_eperm_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_openat_order_32bit_a201003_eperm_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_openat_order_nofilter_32bit_eperm_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_openat_order_32bit_eperm_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_openat_order_32bit_eperm_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_arufm_rule_order_32bit_openat_eperm_augenrules_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_openat_order_64bit_a20100_eacces_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_openat_order_64bit_a20100_eacces_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_openat_order_64bit_a201003_eacces_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_openat_order_64bit_a201003_eacces_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_openat_order_nofilter_64bit_eacces_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_openat_order_64bit_eacces_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_openat_order_64bit_eacces_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_arufm_rule_order_64bit_openat_eacces_augenrules_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_openat_order_64bit_a20100_eperm_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_openat_order_64bit_a20100_eperm_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_openat_order_64bit_a201003_eperm_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_openat_order_64bit_a201003_eperm_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_openat_order_nofilter_64bit_eperm_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_openat_order_64bit_eperm_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_openat_order_64bit_eperm_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_arufm_rule_order_64bit_openat_eperm_augenrules_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_openat_order_32bit_a20100_eacces_auditctl:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_openat_order_32bit_a20100_eacces_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_openat_order_32bit_a201003_eacces_auditctl:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_openat_order_32bit_a201003_eacces_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_openat_order_nofilter_32bit_eacces_auditctl:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_openat_order_32bit_eacces_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_openat_order_32bit_eacces_auditctl:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_arufm_rule_order_32bit_openat_auditctl_eacces_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_openat_order_32bit_a20100_eperm_auditctl:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_openat_order_32bit_a20100_eperm_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_openat_order_32bit_a201003_eperm_auditctl:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_openat_order_32bit_a201003_eperm_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_openat_order_nofilter_32bit_eperm_auditctl:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_openat_order_32bit_eperm_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_openat_order_32bit_eperm_auditctl:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_arufm_rule_order_32bit_openat_auditctl_eperm_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_openat_order_64bit_a20100_eacces_auditctl:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_openat_order_64bit_a20100_eacces_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_openat_order_64bit_a201003_eacces_auditctl:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_openat_order_64bit_a201003_eacces_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_openat_order_nofilter_64bit_eacces_auditctl:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_openat_order_64bit_eacces_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_openat_order_64bit_eacces_auditctl:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_arufm_openat_order_64bit_auditctl_eacces_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_openat_order_64bit_a20100_eperm_auditctl:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_openat_order_64bit_a20100_eperm_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_openat_order_64bit_a201003_eperm_auditctl:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_openat_order_64bit_a201003_eperm_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_openat_order_nofilter_64bit_eperm_auditctl:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_audit_rule_openat_order_64bit_eperm_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_arufm_openat_order_64bit_eperm_auditctl:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_arufm_rule_order_64bit_openat_auditctl_eperm_regex:var:1"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eacces_removexattr_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eacces_removexattr_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eperm_removexattr_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eperm_removexattr_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eacces_removexattr_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eacces_removexattr_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eperm_removexattr_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eperm_removexattr_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eacces_removexattr_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eacces_removexattr_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eperm_removexattr_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eperm_removexattr_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eacces_removexattr_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eacces_removexattr_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eperm_removexattr_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eperm_removexattr_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eacces_rename_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eacces_rename_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eperm_rename_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eperm_rename_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eacces_rename_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eacces_rename_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eperm_rename_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eperm_rename_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eacces_rename_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eacces_rename_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eperm_rename_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eperm_rename_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eacces_rename_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eacces_rename_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eperm_rename_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eperm_rename_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eacces_renameat_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eacces_renameat_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eperm_renameat_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eperm_renameat_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eacces_renameat_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eacces_renameat_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eperm_renameat_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eperm_renameat_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eacces_renameat_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eacces_renameat_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eperm_renameat_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eperm_renameat_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eacces_renameat_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eacces_renameat_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eperm_renameat_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eperm_renameat_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eacces_setxattr_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eacces_setxattr_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eperm_setxattr_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eperm_setxattr_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eacces_setxattr_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eacces_setxattr_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eperm_setxattr_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eperm_setxattr_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eacces_setxattr_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eacces_setxattr_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eperm_setxattr_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eperm_setxattr_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eacces_setxattr_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eacces_setxattr_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eperm_setxattr_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eperm_setxattr_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eacces_truncate_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eacces_truncate_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eperm_truncate_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eperm_truncate_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eacces_truncate_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eacces_truncate_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eperm_truncate_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eperm_truncate_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eacces_truncate_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eacces_truncate_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eperm_truncate_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eperm_truncate_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eacces_truncate_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eacces_truncate_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eperm_truncate_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eperm_truncate_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eacces_unlink_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eacces_unlink_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eperm_unlink_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eperm_unlink_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eacces_unlink_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eacces_unlink_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eperm_unlink_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eperm_unlink_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eacces_unlink_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eacces_unlink_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eperm_unlink_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eperm_unlink_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eacces_unlink_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eacces_unlink_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eperm_unlink_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eperm_unlink_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eacces_unlinkat_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eacces_unlinkat_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eperm_unlinkat_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eperm_unlinkat_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eacces_unlinkat_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eacces_unlinkat_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eperm_unlinkat_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eperm_unlinkat_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eacces_unlinkat_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eacces_unlinkat_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_arufm_eperm_unlinkat_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_32bit_arufm_eperm_unlinkat_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eacces_unlinkat_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eacces_unlinkat_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_arufm_eperm_unlinkat_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match" var_ref="oval:ssg-var_64bit_arufm_eperm_unlinkat_regex:var:1"/>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_usergroup_modification_group_augen:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^\-w[\s]+\/etc\/group[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_usergroup_modification_group_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^\-w[\s]+\/etc\/group[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_usergroup_modification_gshadow_augen:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^\-w[\s]+\/etc\/gshadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_usergroup_modification_gshadow_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^\-w[\s]+\/etc\/gshadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_usergroup_modification_opasswd_augen:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^\-w[\s]+\/etc\/security\/opasswd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_usergroup_modification_opasswd_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^\-w[\s]+\/etc\/security\/opasswd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_usergroup_modification_passwd_augen:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^\-w[\s]+\/etc\/passwd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_usergroup_modification_passwd_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^\-w[\s]+\/etc\/passwd[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_usergroup_modification_shadow_augen:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^\-w[\s]+\/etc\/shadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_usergroup_modification_shadow_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^\-w[\s]+\/etc\/shadow[\s]+\-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b[\s]+(-k[\s]+|-F[\s]+key=)\w+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_auditd_freq:obj:1" version="1">
-          <ind:filepath>/etc/audit/auditd.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[ \t]*(?i)freq(?-i)[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#)</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_auditd_local_events:obj:1" version="1">
-          <ind:filepath>/etc/audit/auditd.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[ \t]*(?i)local_events(?-i)[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#)</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_auditd_log_format:obj:1" version="1">
-          <ind:filepath>/etc/audit/auditd.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[ \t]*(?i)log_format(?-i)[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#)</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_auditd_name_format:obj:1" version="1">
-          <ind:filepath>/etc/audit/auditd.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[ \t]*(?i)name_format(?-i)[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#)</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_auditd_write_logs:obj:1" version="1">
-          <ind:filepath>/etc/audit/auditd.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[ \t]*(?i)write_logs(?-i)[ \t]*=[ \t]*(.+?)[ \t]*(?:$|#)</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_auditd_write_logs_default_not_overriden:obj:1" version="1">
-          <ind:filepath>/etc/audit/auditd.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[ \t]*(?i)write_logs(?-i)[ \t]*=[ \t]*</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:file_object id="oval:ssg-object_coreos_audit_backlog_limit_kernel_argument_file_boot_loader_entries_ostree_2_conf_absent:obj:1" version="1">
-          <unix:filepath operation="pattern match">^/boot/loader/entries/ostree-2-.*.conf</unix:filepath>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_coreos_audit_backlog_limit_kernel_argument_audit_backlog_limit_8192_argument_in_boot_loader_entries_ostree_1_conf:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/boot/loader/entries/ostree-1-.*.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^options (.*)$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_coreos_audit_backlog_limit_kernel_argument_audit_backlog_limit_8192_argument_in_boot_loader_entries_ostree_2_conf:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/boot/loader/entries/ostree-2-.*.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^options (.*)$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_coreos_audit_backlog_limit_kernel_argument_audit_backlog_limit_8192_argument_in_proc_cmdline:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/proc/cmdline</ind:filepath>
-          <ind:pattern operation="pattern match">^BOOT_IMAGE(.*)$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:file_object id="oval:ssg-object_coreos_audit_option_file_boot_loader_entries_ostree_2_conf_absent:obj:1" version="1">
-          <unix:filepath operation="pattern match">^/boot/loader/entries/ostree-2-.*.conf</unix:filepath>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_coreos_audit_option_audit_1_argument_in_boot_loader_entries_ostree_1_conf:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/boot/loader/entries/ostree-1-.*.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^options (.*)$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_coreos_audit_option_audit_1_argument_in_boot_loader_entries_ostree_2_conf:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/boot/loader/entries/ostree-2-.*.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^options (.*)$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_coreos_audit_option_audit_1_argument_in_proc_cmdline:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/proc/cmdline</ind:filepath>
-          <ind:pattern operation="pattern match">^BOOT_IMAGE(.*)$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:file_object id="oval:ssg-object_coreos_disable_interactive_boot_file_boot_loader_entries_ostree_2_conf_absent:obj:1" version="1">
-          <unix:filepath operation="pattern match">^/boot/loader/entries/ostree-2-.*.conf</unix:filepath>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_coreos_disable_interactive_boot_systemd_confirm_spawn_1_yes_true_on_argument_in_boot_loader_entries_ostree_1_conf:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/boot/loader/entries/ostree-1-.*.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^options (.*)$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_coreos_disable_interactive_boot_systemd_confirm_spawn_1_yes_true_on_argument_in_boot_loader_entries_ostree_2_conf:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/boot/loader/entries/ostree-2-.*.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^options (.*)$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_coreos_disable_interactive_boot_systemd_confirm_spawn_1_yes_true_on_argument_in_proc_cmdline:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/proc/cmdline</ind:filepath>
-          <ind:pattern operation="pattern match">^BOOT_IMAGE(.*)$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:file_object id="oval:ssg-object_coreos_enable_selinux_kernel_argument_file_boot_loader_entries_ostree_2_conf_absent:obj:1" version="1">
-          <unix:filepath operation="pattern match">^/boot/loader/entries/ostree-2-.*.conf</unix:filepath>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_coreos_enable_selinux_kernel_argument_selinux_0_argument_in_boot_loader_entries_ostree_1_conf:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/boot/loader/entries/ostree-1-.*.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^options (.*)$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_coreos_enable_selinux_kernel_argument_selinux_0_argument_in_boot_loader_entries_ostree_2_conf:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/boot/loader/entries/ostree-2-.*.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^options (.*)$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_coreos_enable_selinux_kernel_argument_selinux_0_argument_in_proc_cmdline:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/proc/cmdline</ind:filepath>
-          <ind:pattern operation="pattern match">^BOOT_IMAGE(.*)$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:file_object id="oval:ssg-object_coreos_nousb_kernel_argument_file_boot_loader_entries_ostree_2_conf_absent:obj:1" version="1">
-          <unix:filepath operation="pattern match">^/boot/loader/entries/ostree-2-.*.conf</unix:filepath>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_coreos_nousb_kernel_argument_nousb_argument_in_boot_loader_entries_ostree_1_conf:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/boot/loader/entries/ostree-1-.*.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^options (.*)$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_coreos_nousb_kernel_argument_nousb_argument_in_boot_loader_entries_ostree_2_conf:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/boot/loader/entries/ostree-2-.*.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^options (.*)$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_coreos_nousb_kernel_argument_nousb_argument_in_proc_cmdline:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/proc/cmdline</ind:filepath>
-          <ind:pattern operation="pattern match">^BOOT_IMAGE(.*)$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:file_object id="oval:ssg-object_coreos_page_poison_kernel_argument_file_boot_loader_entries_ostree_2_conf_absent:obj:1" version="1">
-          <unix:filepath operation="pattern match">^/boot/loader/entries/ostree-2-.*.conf</unix:filepath>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_coreos_page_poison_kernel_argument_page_poison_1_argument_in_boot_loader_entries_ostree_1_conf:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/boot/loader/entries/ostree-1-.*.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^options (.*)$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_coreos_page_poison_kernel_argument_page_poison_1_argument_in_boot_loader_entries_ostree_2_conf:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/boot/loader/entries/ostree-2-.*.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^options (.*)$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_coreos_page_poison_kernel_argument_page_poison_1_argument_in_proc_cmdline:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/proc/cmdline</ind:filepath>
-          <ind:pattern operation="pattern match">^BOOT_IMAGE(.*)$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:file_object id="oval:ssg-object_coreos_pti_kernel_argument_file_boot_loader_entries_ostree_2_conf_absent:obj:1" version="1">
-          <unix:filepath operation="pattern match">^/boot/loader/entries/ostree-2-.*.conf</unix:filepath>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_coreos_pti_kernel_argument_pti_on_argument_in_boot_loader_entries_ostree_1_conf:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/boot/loader/entries/ostree-1-.*.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^options (.*)$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_coreos_pti_kernel_argument_pti_on_argument_in_boot_loader_entries_ostree_2_conf:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/boot/loader/entries/ostree-2-.*.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^options (.*)$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_coreos_pti_kernel_argument_pti_on_argument_in_proc_cmdline:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/proc/cmdline</ind:filepath>
-          <ind:pattern operation="pattern match">^BOOT_IMAGE(.*)$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:file_object id="oval:ssg-object_coreos_slub_debug_kernel_argument_file_boot_loader_entries_ostree_2_conf_absent:obj:1" version="1">
-          <unix:filepath operation="pattern match">^/boot/loader/entries/ostree-2-.*.conf</unix:filepath>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_coreos_slub_debug_kernel_argument_slub_debug_P_argument_in_boot_loader_entries_ostree_1_conf:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/boot/loader/entries/ostree-1-.*.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^options (.*)$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_coreos_slub_debug_kernel_argument_slub_debug_P_argument_in_boot_loader_entries_ostree_2_conf:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/boot/loader/entries/ostree-2-.*.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^options (.*)$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_coreos_slub_debug_kernel_argument_slub_debug_P_argument_in_proc_cmdline:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/proc/cmdline</ind:filepath>
-          <ind:pattern operation="pattern match">^BOOT_IMAGE(.*)$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:file_object id="oval:ssg-object_coreos_vsyscall_kernel_argument_file_boot_loader_entries_ostree_2_conf_absent:obj:1" version="1">
-          <unix:filepath operation="pattern match">^/boot/loader/entries/ostree-2-.*.conf</unix:filepath>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_coreos_vsyscall_kernel_argument_vsyscall_none_argument_in_boot_loader_entries_ostree_1_conf:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/boot/loader/entries/ostree-1-.*.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^options (.*)$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_coreos_vsyscall_kernel_argument_vsyscall_none_argument_in_boot_loader_entries_ostree_2_conf:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/boot/loader/entries/ostree-2-.*.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^options (.*)$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_coreos_vsyscall_kernel_argument_vsyscall_none_argument_in_proc_cmdline:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/proc/cmdline</ind:filepath>
-          <ind:pattern operation="pattern match">^BOOT_IMAGE(.*)$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:file_object comment="/bin/" id="oval:ssg-object_file_ownerdir_ownership_binary_dirs_0:obj:1" version="1">
-          <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local"/>
-          <unix:path>/bin</unix:path>
-          <unix:filename xsi:nil="true"/>
-          <oval-def:filter action="exclude">oval:ssg-symlink_file_ownerdir_ownership_binary_dirs_uid_0:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_ownerdir_ownership_binary_dirs_uid_0_0:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/sbin/" id="oval:ssg-object_file_ownerdir_ownership_binary_dirs_1:obj:1" version="1">
-          <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local"/>
-          <unix:path>/sbin</unix:path>
-          <unix:filename xsi:nil="true"/>
-          <oval-def:filter action="exclude">oval:ssg-symlink_file_ownerdir_ownership_binary_dirs_uid_0:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_ownerdir_ownership_binary_dirs_uid_0_1:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/usr/bin/" id="oval:ssg-object_file_ownerdir_ownership_binary_dirs_2:obj:1" version="1">
-          <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local"/>
-          <unix:path>/usr/bin</unix:path>
-          <unix:filename xsi:nil="true"/>
-          <oval-def:filter action="exclude">oval:ssg-symlink_file_ownerdir_ownership_binary_dirs_uid_0:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_ownerdir_ownership_binary_dirs_uid_0_2:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/usr/sbin/" id="oval:ssg-object_file_ownerdir_ownership_binary_dirs_3:obj:1" version="1">
-          <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local"/>
-          <unix:path>/usr/sbin</unix:path>
-          <unix:filename xsi:nil="true"/>
-          <oval-def:filter action="exclude">oval:ssg-symlink_file_ownerdir_ownership_binary_dirs_uid_0:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_ownerdir_ownership_binary_dirs_uid_0_3:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/usr/local/bin/" id="oval:ssg-object_file_ownerdir_ownership_binary_dirs_4:obj:1" version="1">
-          <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local"/>
-          <unix:path>/usr/local/bin</unix:path>
-          <unix:filename xsi:nil="true"/>
-          <oval-def:filter action="exclude">oval:ssg-symlink_file_ownerdir_ownership_binary_dirs_uid_0:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_ownerdir_ownership_binary_dirs_uid_0_4:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/usr/local/sbin/" id="oval:ssg-object_file_ownerdir_ownership_binary_dirs_5:obj:1" version="1">
-          <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local"/>
-          <unix:path>/usr/local/sbin</unix:path>
-          <unix:filename xsi:nil="true"/>
-          <oval-def:filter action="exclude">oval:ssg-symlink_file_ownerdir_ownership_binary_dirs_uid_0:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_ownerdir_ownership_binary_dirs_uid_0_5:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/lib/" id="oval:ssg-object_file_ownerdir_ownership_library_dirs_0:obj:1" version="1">
-          <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local"/>
-          <unix:path>/lib</unix:path>
-          <unix:filename xsi:nil="true"/>
-          <oval-def:filter action="exclude">oval:ssg-symlink_file_ownerdir_ownership_library_dirs_uid_0:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_ownerdir_ownership_library_dirs_uid_0_0:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/lib64/" id="oval:ssg-object_file_ownerdir_ownership_library_dirs_1:obj:1" version="1">
-          <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local"/>
-          <unix:path>/lib64</unix:path>
-          <unix:filename xsi:nil="true"/>
-          <oval-def:filter action="exclude">oval:ssg-symlink_file_ownerdir_ownership_library_dirs_uid_0:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_ownerdir_ownership_library_dirs_uid_0_1:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/usr/lib/" id="oval:ssg-object_file_ownerdir_ownership_library_dirs_2:obj:1" version="1">
-          <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local"/>
-          <unix:path>/usr/lib</unix:path>
-          <unix:filename xsi:nil="true"/>
-          <oval-def:filter action="exclude">oval:ssg-symlink_file_ownerdir_ownership_library_dirs_uid_0:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_ownerdir_ownership_library_dirs_uid_0_2:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/usr/lib64/" id="oval:ssg-object_file_ownerdir_ownership_library_dirs_3:obj:1" version="1">
-          <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local"/>
-          <unix:path>/usr/lib64</unix:path>
-          <unix:filename xsi:nil="true"/>
-          <oval-def:filter action="exclude">oval:ssg-symlink_file_ownerdir_ownership_library_dirs_uid_0:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_ownerdir_ownership_library_dirs_uid_0_3:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/bin/" id="oval:ssg-object_file_permissionsdir_permissions_binary_dirs_0:obj:1" version="1">
-          <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local"/>
-          <unix:path>/bin</unix:path>
-          <unix:filename xsi:nil="true"/>
-          <oval-def:filter action="exclude">oval:ssg-exclude_symlinks_dir_permissions_binary_dirs:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_permissionsdir_permissions_binary_dirs_0_mode_0755or_stricter_:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/sbin/" id="oval:ssg-object_file_permissionsdir_permissions_binary_dirs_1:obj:1" version="1">
-          <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local"/>
-          <unix:path>/sbin</unix:path>
-          <unix:filename xsi:nil="true"/>
-          <oval-def:filter action="exclude">oval:ssg-exclude_symlinks_dir_permissions_binary_dirs:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_permissionsdir_permissions_binary_dirs_1_mode_0755or_stricter_:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/usr/bin/" id="oval:ssg-object_file_permissionsdir_permissions_binary_dirs_2:obj:1" version="1">
-          <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local"/>
-          <unix:path>/usr/bin</unix:path>
-          <unix:filename xsi:nil="true"/>
-          <oval-def:filter action="exclude">oval:ssg-exclude_symlinks_dir_permissions_binary_dirs:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_permissionsdir_permissions_binary_dirs_2_mode_0755or_stricter_:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/usr/sbin/" id="oval:ssg-object_file_permissionsdir_permissions_binary_dirs_3:obj:1" version="1">
-          <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local"/>
-          <unix:path>/usr/sbin</unix:path>
-          <unix:filename xsi:nil="true"/>
-          <oval-def:filter action="exclude">oval:ssg-exclude_symlinks_dir_permissions_binary_dirs:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_permissionsdir_permissions_binary_dirs_3_mode_0755or_stricter_:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/usr/local/bin/" id="oval:ssg-object_file_permissionsdir_permissions_binary_dirs_4:obj:1" version="1">
-          <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local"/>
-          <unix:path>/usr/local/bin</unix:path>
-          <unix:filename xsi:nil="true"/>
-          <oval-def:filter action="exclude">oval:ssg-exclude_symlinks_dir_permissions_binary_dirs:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_permissionsdir_permissions_binary_dirs_4_mode_0755or_stricter_:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/usr/local/sbin/" id="oval:ssg-object_file_permissionsdir_permissions_binary_dirs_5:obj:1" version="1">
-          <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local"/>
-          <unix:path>/usr/local/sbin</unix:path>
-          <unix:filename xsi:nil="true"/>
-          <oval-def:filter action="exclude">oval:ssg-exclude_symlinks_dir_permissions_binary_dirs:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_permissionsdir_permissions_binary_dirs_5_mode_0755or_stricter_:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/lib/" id="oval:ssg-object_file_permissionsdir_permissions_library_dirs_0:obj:1" version="1">
-          <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local"/>
-          <unix:path>/lib</unix:path>
-          <unix:filename xsi:nil="true"/>
-          <oval-def:filter action="exclude">oval:ssg-exclude_symlinks_dir_permissions_library_dirs:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_permissionsdir_permissions_library_dirs_0_mode_7755or_stricter_:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/lib64/" id="oval:ssg-object_file_permissionsdir_permissions_library_dirs_1:obj:1" version="1">
-          <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local"/>
-          <unix:path>/lib64</unix:path>
-          <unix:filename xsi:nil="true"/>
-          <oval-def:filter action="exclude">oval:ssg-exclude_symlinks_dir_permissions_library_dirs:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_permissionsdir_permissions_library_dirs_1_mode_7755or_stricter_:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/usr/lib/" id="oval:ssg-object_file_permissionsdir_permissions_library_dirs_2:obj:1" version="1">
-          <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local"/>
-          <unix:path>/usr/lib</unix:path>
-          <unix:filename xsi:nil="true"/>
-          <oval-def:filter action="exclude">oval:ssg-exclude_symlinks_dir_permissions_library_dirs:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_permissionsdir_permissions_library_dirs_2_mode_7755or_stricter_:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/usr/lib64/" id="oval:ssg-object_file_permissionsdir_permissions_library_dirs_3:obj:1" version="1">
-          <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local"/>
-          <unix:path>/usr/lib64</unix:path>
-          <unix:filename xsi:nil="true"/>
-          <oval-def:filter action="exclude">oval:ssg-exclude_symlinks_dir_permissions_library_dirs:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_permissionsdir_permissions_library_dirs_3_mode_7755or_stricter_:ste:1</oval-def:filter>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_disable_host_auth:obj:1" version="1">
-          <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
-          <ind:pattern operation="pattern match">^[ \t]*(?i)HostbasedAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:file_object comment="/etc/group-" id="oval:ssg-object_file_groupowner_backup_etc_group_0:obj:1" version="1">
-          <unix:filepath>/etc/group-</unix:filepath>
-          <oval-def:filter action="exclude">oval:ssg-symlink_file_groupowner_backup_etc_group_uid_0:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_groupowner_backup_etc_group_gid_0_0:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/etc/gshadow-" id="oval:ssg-object_file_groupowner_backup_etc_gshadow_0:obj:1" version="1">
-          <unix:filepath>/etc/gshadow-</unix:filepath>
-          <oval-def:filter action="exclude">oval:ssg-symlink_file_groupowner_backup_etc_gshadow_uid_0:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_groupowner_backup_etc_gshadow_gid_0_0:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/etc/passwd-" id="oval:ssg-object_file_groupowner_backup_etc_passwd_0:obj:1" version="1">
-          <unix:filepath>/etc/passwd-</unix:filepath>
-          <oval-def:filter action="exclude">oval:ssg-symlink_file_groupowner_backup_etc_passwd_uid_0:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_groupowner_backup_etc_passwd_gid_0_0:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/etc/shadow-" id="oval:ssg-object_file_groupowner_backup_etc_shadow_0:obj:1" version="1">
-          <unix:filepath>/etc/shadow-</unix:filepath>
-          <oval-def:filter action="exclude">oval:ssg-symlink_file_groupowner_backup_etc_shadow_uid_0:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_groupowner_backup_etc_shadow_gid_0_0:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/etc/group" id="oval:ssg-object_file_groupowner_etc_group_0:obj:1" version="1">
-          <unix:filepath>/etc/group</unix:filepath>
-          <oval-def:filter action="exclude">oval:ssg-symlink_file_groupowner_etc_group_uid_0:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_groupowner_etc_group_gid_0_0:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/etc/gshadow" id="oval:ssg-object_file_groupowner_etc_gshadow_0:obj:1" version="1">
-          <unix:filepath>/etc/gshadow</unix:filepath>
-          <oval-def:filter action="exclude">oval:ssg-symlink_file_groupowner_etc_gshadow_uid_0:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_groupowner_etc_gshadow_gid_0_0:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/etc/issue" id="oval:ssg-object_file_groupowner_etc_issue_0:obj:1" version="1">
-          <unix:filepath>/etc/issue</unix:filepath>
-          <oval-def:filter action="exclude">oval:ssg-symlink_file_groupowner_etc_issue_uid_0:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_groupowner_etc_issue_gid_0_0:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/etc/passwd" id="oval:ssg-object_file_groupowner_etc_passwd_0:obj:1" version="1">
-          <unix:filepath>/etc/passwd</unix:filepath>
-          <oval-def:filter action="exclude">oval:ssg-symlink_file_groupowner_etc_passwd_uid_0:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_groupowner_etc_passwd_gid_0_0:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/etc/shadow" id="oval:ssg-object_file_groupowner_etc_shadow_0:obj:1" version="1">
-          <unix:filepath>/etc/shadow</unix:filepath>
-          <oval-def:filter action="exclude">oval:ssg-symlink_file_groupowner_etc_shadow_uid_0:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_groupowner_etc_shadow_gid_0_0:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/etc/ssh/sshd_config" id="oval:ssg-object_file_groupowner_sshd_config_0:obj:1" version="1">
-          <unix:filepath>/etc/ssh/sshd_config</unix:filepath>
-          <oval-def:filter action="exclude">oval:ssg-symlink_file_groupowner_sshd_config_uid_0:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_groupowner_sshd_config_gid_0_0:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/var/log/" id="oval:ssg-object_file_groupowner_var_log_0:obj:1" version="1">
-          <unix:path>/var/log</unix:path>
-          <unix:filename xsi:nil="true"/>
-          <oval-def:filter action="exclude">oval:ssg-symlink_file_groupowner_var_log_uid_0:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_groupowner_var_log_gid_0_0:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/var/log/messages" id="oval:ssg-object_file_groupowner_var_log_messages_0:obj:1" version="1">
-          <unix:filepath>/var/log/messages</unix:filepath>
-          <oval-def:filter action="exclude">oval:ssg-symlink_file_groupowner_var_log_messages_uid_0:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_groupowner_var_log_messages_gid_0_0:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/var/log/syslog" id="oval:ssg-object_file_groupowner_var_log_syslog_0:obj:1" version="1">
-          <unix:filepath>/var/log/syslog</unix:filepath>
-          <oval-def:filter action="exclude">oval:ssg-symlink_file_groupowner_var_log_syslog_uid_4:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_groupowner_var_log_syslog_gid_4_0:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/etc/audit/" id="oval:ssg-object_file_groupownership_audit_configuration_0:obj:1" version="1">
-          <unix:path>/etc/audit</unix:path>
-          <unix:filename operation="pattern match">^audit(\.rules|d\.conf)$</unix:filename>
-          <oval-def:filter action="exclude">oval:ssg-symlink_file_groupownership_audit_configuration_uid_0:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_groupownership_audit_configuration_gid_0_0:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/etc/audit/rules.d/" id="oval:ssg-object_file_groupownership_audit_configuration_1:obj:1" version="1">
-          <unix:path>/etc/audit/rules.d</unix:path>
-          <unix:filename operation="pattern match">^.*\.rules$</unix:filename>
-          <oval-def:filter action="exclude">oval:ssg-symlink_file_groupownership_audit_configuration_uid_0:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_groupownership_audit_configuration_gid_0_1:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/etc/group-" id="oval:ssg-object_file_owner_backup_etc_group_0:obj:1" version="1">
-          <unix:filepath>/etc/group-</unix:filepath>
-          <oval-def:filter action="exclude">oval:ssg-symlink_file_owner_backup_etc_group_uid_0:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_owner_backup_etc_group_uid_0_0:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/etc/gshadow-" id="oval:ssg-object_file_owner_backup_etc_gshadow_0:obj:1" version="1">
-          <unix:filepath>/etc/gshadow-</unix:filepath>
-          <oval-def:filter action="exclude">oval:ssg-symlink_file_owner_backup_etc_gshadow_uid_0:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_owner_backup_etc_gshadow_uid_0_0:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/etc/passwd-" id="oval:ssg-object_file_owner_backup_etc_passwd_0:obj:1" version="1">
-          <unix:filepath>/etc/passwd-</unix:filepath>
-          <oval-def:filter action="exclude">oval:ssg-symlink_file_owner_backup_etc_passwd_uid_0:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_owner_backup_etc_passwd_uid_0_0:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/etc/shadow-" id="oval:ssg-object_file_owner_backup_etc_shadow_0:obj:1" version="1">
-          <unix:filepath>/etc/shadow-</unix:filepath>
-          <oval-def:filter action="exclude">oval:ssg-symlink_file_owner_backup_etc_shadow_uid_0:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_owner_backup_etc_shadow_uid_0_0:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/etc/group" id="oval:ssg-object_file_owner_etc_group_0:obj:1" version="1">
-          <unix:filepath>/etc/group</unix:filepath>
-          <oval-def:filter action="exclude">oval:ssg-symlink_file_owner_etc_group_uid_0:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_owner_etc_group_uid_0_0:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/etc/gshadow" id="oval:ssg-object_file_owner_etc_gshadow_0:obj:1" version="1">
-          <unix:filepath>/etc/gshadow</unix:filepath>
-          <oval-def:filter action="exclude">oval:ssg-symlink_file_owner_etc_gshadow_uid_0:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_owner_etc_gshadow_uid_0_0:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/etc/issue" id="oval:ssg-object_file_owner_etc_issue_0:obj:1" version="1">
-          <unix:filepath>/etc/issue</unix:filepath>
-          <oval-def:filter action="exclude">oval:ssg-symlink_file_owner_etc_issue_uid_0:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_owner_etc_issue_uid_0_0:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/etc/passwd" id="oval:ssg-object_file_owner_etc_passwd_0:obj:1" version="1">
-          <unix:filepath>/etc/passwd</unix:filepath>
-          <oval-def:filter action="exclude">oval:ssg-symlink_file_owner_etc_passwd_uid_0:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_owner_etc_passwd_uid_0_0:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/etc/shadow" id="oval:ssg-object_file_owner_etc_shadow_0:obj:1" version="1">
-          <unix:filepath>/etc/shadow</unix:filepath>
-          <oval-def:filter action="exclude">oval:ssg-symlink_file_owner_etc_shadow_uid_0:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_owner_etc_shadow_uid_0_0:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/etc/ssh/sshd_config" id="oval:ssg-object_file_owner_sshd_config_0:obj:1" version="1">
-          <unix:filepath>/etc/ssh/sshd_config</unix:filepath>
-          <oval-def:filter action="exclude">oval:ssg-symlink_file_owner_sshd_config_uid_0:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_owner_sshd_config_uid_0_0:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/var/log/" id="oval:ssg-object_file_owner_var_log_0:obj:1" version="1">
-          <unix:path>/var/log</unix:path>
-          <unix:filename xsi:nil="true"/>
-          <oval-def:filter action="exclude">oval:ssg-symlink_file_owner_var_log_uid_0:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_owner_var_log_uid_0_0:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/var/log/messages" id="oval:ssg-object_file_owner_var_log_messages_0:obj:1" version="1">
-          <unix:filepath>/var/log/messages</unix:filepath>
-          <oval-def:filter action="exclude">oval:ssg-symlink_file_owner_var_log_messages_uid_0:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_owner_var_log_messages_uid_0_0:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/var/log/syslog" id="oval:ssg-object_file_owner_var_log_syslog_0:obj:1" version="1">
-          <unix:filepath>/var/log/syslog</unix:filepath>
-          <oval-def:filter action="exclude">oval:ssg-symlink_file_owner_var_log_syslog_uid_104:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_owner_var_log_syslog_uid_104_0:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/etc/audit/" id="oval:ssg-object_file_ownership_audit_configuration_0:obj:1" version="1">
-          <unix:path>/etc/audit</unix:path>
-          <unix:filename operation="pattern match">^audit(\.rules|d\.conf)$</unix:filename>
-          <oval-def:filter action="exclude">oval:ssg-symlink_file_ownership_audit_configuration_uid_0:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_ownership_audit_configuration_uid_0_0:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/etc/audit/rules.d/" id="oval:ssg-object_file_ownership_audit_configuration_1:obj:1" version="1">
-          <unix:path>/etc/audit/rules.d</unix:path>
-          <unix:filename operation="pattern match">^.*\.rules$</unix:filename>
-          <oval-def:filter action="exclude">oval:ssg-symlink_file_ownership_audit_configuration_uid_0:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_ownership_audit_configuration_uid_0_1:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/lib/" id="oval:ssg-object_file_ownership_library_dirs_0:obj:1" version="1">
-          <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local"/>
-          <unix:path>/lib</unix:path>
-          <unix:filename operation="pattern match">^.*$</unix:filename>
-          <oval-def:filter action="exclude">oval:ssg-symlink_file_ownership_library_dirs_uid_0:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_ownership_library_dirs_uid_0_0:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/lib64/" id="oval:ssg-object_file_ownership_library_dirs_1:obj:1" version="1">
-          <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local"/>
-          <unix:path>/lib64</unix:path>
-          <unix:filename operation="pattern match">^.*$</unix:filename>
-          <oval-def:filter action="exclude">oval:ssg-symlink_file_ownership_library_dirs_uid_0:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_ownership_library_dirs_uid_0_1:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/usr/lib/" id="oval:ssg-object_file_ownership_library_dirs_2:obj:1" version="1">
-          <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local"/>
-          <unix:path>/usr/lib</unix:path>
-          <unix:filename operation="pattern match">^.*$</unix:filename>
-          <oval-def:filter action="exclude">oval:ssg-symlink_file_ownership_library_dirs_uid_0:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_ownership_library_dirs_uid_0_2:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/usr/lib64/" id="oval:ssg-object_file_ownership_library_dirs_3:obj:1" version="1">
-          <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local"/>
-          <unix:path>/usr/lib64</unix:path>
-          <unix:filename operation="pattern match">^.*$</unix:filename>
-          <oval-def:filter action="exclude">oval:ssg-symlink_file_ownership_library_dirs_uid_0:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_ownership_library_dirs_uid_0_3:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/etc/group-" id="oval:ssg-object_file_permissions_backup_etc_group_0:obj:1" version="1">
-          <unix:filepath>/etc/group-</unix:filepath>
-          <oval-def:filter action="exclude">oval:ssg-exclude_symlinks__backup_etc_group:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_permissions_backup_etc_group_0_mode_0644or_stricter_:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/etc/gshadow-" id="oval:ssg-object_file_permissions_backup_etc_gshadow_0:obj:1" version="1">
-          <unix:filepath>/etc/gshadow-</unix:filepath>
-          <oval-def:filter action="exclude">oval:ssg-exclude_symlinks__backup_etc_gshadow:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_permissions_backup_etc_gshadow_0_mode_0000or_stricter_:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/etc/passwd-" id="oval:ssg-object_file_permissions_backup_etc_passwd_0:obj:1" version="1">
-          <unix:filepath>/etc/passwd-</unix:filepath>
-          <oval-def:filter action="exclude">oval:ssg-exclude_symlinks__backup_etc_passwd:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_permissions_backup_etc_passwd_0_mode_0644or_stricter_:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/etc/shadow-" id="oval:ssg-object_file_permissions_backup_etc_shadow_0:obj:1" version="1">
-          <unix:filepath>/etc/shadow-</unix:filepath>
-          <oval-def:filter action="exclude">oval:ssg-exclude_symlinks__backup_etc_shadow:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_permissions_backup_etc_shadow_0_mode_0000or_stricter_:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/etc/group" id="oval:ssg-object_file_permissions_etc_group_0:obj:1" version="1">
-          <unix:filepath>/etc/group</unix:filepath>
-          <oval-def:filter action="exclude">oval:ssg-exclude_symlinks__etc_group:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_permissions_etc_group_0_mode_0644or_stricter_:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/etc/gshadow" id="oval:ssg-object_file_permissions_etc_gshadow_0:obj:1" version="1">
-          <unix:filepath>/etc/gshadow</unix:filepath>
-          <oval-def:filter action="exclude">oval:ssg-exclude_symlinks__etc_gshadow:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_permissions_etc_gshadow_0_mode_0000or_stricter_:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/etc/issue" id="oval:ssg-object_file_permissions_etc_issue_0:obj:1" version="1">
-          <unix:filepath>/etc/issue</unix:filepath>
-          <oval-def:filter action="exclude">oval:ssg-exclude_symlinks__etc_issue:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_permissions_etc_issue_0_mode_0644or_stricter_:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/etc/passwd" id="oval:ssg-object_file_permissions_etc_passwd_0:obj:1" version="1">
-          <unix:filepath>/etc/passwd</unix:filepath>
-          <oval-def:filter action="exclude">oval:ssg-exclude_symlinks__etc_passwd:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_permissions_etc_passwd_0_mode_0644or_stricter_:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/etc/shadow" id="oval:ssg-object_file_permissions_etc_shadow_0:obj:1" version="1">
-          <unix:filepath>/etc/shadow</unix:filepath>
-          <oval-def:filter action="exclude">oval:ssg-exclude_symlinks__etc_shadow:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_permissions_etc_shadow_0_mode_0000or_stricter_:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/lib/" id="oval:ssg-object_file_permissions_library_dirs_0:obj:1" version="1">
-          <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local"/>
-          <unix:path>/lib</unix:path>
-          <unix:filename operation="pattern match">^.*$</unix:filename>
-          <oval-def:filter action="exclude">oval:ssg-exclude_symlinks__library_dirs:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_permissions_library_dirs_0_mode_7755or_stricter_:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/lib64/" id="oval:ssg-object_file_permissions_library_dirs_1:obj:1" version="1">
-          <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local"/>
-          <unix:path>/lib64</unix:path>
-          <unix:filename operation="pattern match">^.*$</unix:filename>
-          <oval-def:filter action="exclude">oval:ssg-exclude_symlinks__library_dirs:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_permissions_library_dirs_1_mode_7755or_stricter_:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/usr/lib/" id="oval:ssg-object_file_permissions_library_dirs_2:obj:1" version="1">
-          <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local"/>
-          <unix:path>/usr/lib</unix:path>
-          <unix:filename operation="pattern match">^.*$</unix:filename>
-          <oval-def:filter action="exclude">oval:ssg-exclude_symlinks__library_dirs:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_permissions_library_dirs_2_mode_7755or_stricter_:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/usr/lib64/" id="oval:ssg-object_file_permissions_library_dirs_3:obj:1" version="1">
-          <unix:behaviors recurse="directories" recurse_direction="down" max_depth="-1" recurse_file_system="local"/>
-          <unix:path>/usr/lib64</unix:path>
-          <unix:filename operation="pattern match">^.*$</unix:filename>
-          <oval-def:filter action="exclude">oval:ssg-exclude_symlinks__library_dirs:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_permissions_library_dirs_3_mode_7755or_stricter_:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/etc/ssh/sshd_config" id="oval:ssg-object_file_permissions_sshd_config_0:obj:1" version="1">
-          <unix:filepath>/etc/ssh/sshd_config</unix:filepath>
-          <oval-def:filter action="exclude">oval:ssg-exclude_symlinks__sshd_config:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_permissions_sshd_config_0_mode_0600or_stricter_:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/etc/ssh/" id="oval:ssg-object_file_permissions_sshd_pub_key_0:obj:1" version="1">
-          <unix:path>/etc/ssh</unix:path>
-          <unix:filename operation="pattern match">^.*.pub$</unix:filename>
-          <oval-def:filter action="exclude">oval:ssg-exclude_symlinks__sshd_pub_key:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_permissions_sshd_pub_key_0_mode_0644or_stricter_:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/var/log/" id="oval:ssg-object_file_permissions_var_log_0:obj:1" version="1">
-          <unix:path>/var/log</unix:path>
-          <unix:filename xsi:nil="true"/>
-          <oval-def:filter action="exclude">oval:ssg-exclude_symlinks__var_log:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_permissions_var_log_0_mode_0755or_stricter_:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/var/log/messages" id="oval:ssg-object_file_permissions_var_log_messages_0:obj:1" version="1">
-          <unix:filepath>/var/log/messages</unix:filepath>
-          <oval-def:filter action="exclude">oval:ssg-exclude_symlinks__var_log_messages:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_permissions_var_log_messages_0_mode_0640or_stricter_:ste:1</oval-def:filter>
-        </unix:file_object>
-        <unix:file_object comment="/var/log/syslog" id="oval:ssg-object_file_permissions_var_log_syslog_0:obj:1" version="1">
-          <unix:filepath>/var/log/syslog</unix:filepath>
-          <oval-def:filter action="exclude">oval:ssg-exclude_symlinks__var_log_syslog:ste:1</oval-def:filter>
-          <oval-def:filter action="exclude">oval:ssg-state_file_permissions_var_log_syslog_0_mode_0640or_stricter_:ste:1</oval-def:filter>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_grub2_iommu_argument:obj:1" version="1">
-          <ind:filepath>/etc/default/grub</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*GRUB_CMDLINE_LINUX="(.*)"$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_grub2_iommu_argument_default:obj:1" version="1">
-          <ind:filepath>/etc/default/grub</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*GRUB_CMDLINE_LINUX_DEFAULT="(.*)"$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_grub2_ipv6_disable_argument:obj:1" version="1">
-          <ind:filepath>/etc/default/grub</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*GRUB_CMDLINE_LINUX="(.*)"$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_grub2_ipv6_disable_argument_default:obj:1" version="1">
-          <ind:filepath>/etc/default/grub</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*GRUB_CMDLINE_LINUX_DEFAULT="(.*)"$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_grub2_l1tf_argument:obj:1" version="1">
-          <ind:filepath>/etc/default/grub</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*GRUB_CMDLINE_LINUX="(.*)"$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_grub2_l1tf_argument_default:obj:1" version="1">
-          <ind:filepath>/etc/default/grub</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*GRUB_CMDLINE_LINUX_DEFAULT="(.*)"$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_grub2_mce_argument:obj:1" version="1">
-          <ind:filepath>/etc/default/grub</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*GRUB_CMDLINE_LINUX="(.*)"$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_grub2_mce_argument_default:obj:1" version="1">
-          <ind:filepath>/etc/default/grub</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*GRUB_CMDLINE_LINUX_DEFAULT="(.*)"$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_grub2_nosmap_argument_absent:obj:1" version="1">
-          <ind:filepath>/etc/default/grub</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*GRUB_CMDLINE_LINUX="(?!.*\bnosmap\b.*).*"$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_grub2_nosmap_argument_absent_default:obj:1" version="1">
-          <ind:filepath>/etc/default/grub</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*GRUB_CMDLINE_LINUX_DEFAULT="(?!.*\bnosmap\b).*"$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_grub2_nosmep_argument_absent:obj:1" version="1">
-          <ind:filepath>/etc/default/grub</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*GRUB_CMDLINE_LINUX="(?!.*\bnosmep\b.*).*"$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_grub2_nosmep_argument_absent_default:obj:1" version="1">
-          <ind:filepath>/etc/default/grub</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*GRUB_CMDLINE_LINUX_DEFAULT="(?!.*\bnosmep\b).*"$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_grub2_rng_core_default_quality_argument:obj:1" version="1">
-          <ind:filepath>/etc/default/grub</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*GRUB_CMDLINE_LINUX="(.*)"$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_grub2_rng_core_default_quality_argument_default:obj:1" version="1">
-          <ind:filepath>/etc/default/grub</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*GRUB_CMDLINE_LINUX_DEFAULT="(.*)"$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_grub2_slab_nomerge_argument:obj:1" version="1">
-          <ind:filepath>/etc/default/grub</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*GRUB_CMDLINE_LINUX="(.*)"$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_grub2_slab_nomerge_argument_default:obj:1" version="1">
-          <ind:filepath>/etc/default/grub</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*GRUB_CMDLINE_LINUX_DEFAULT="(.*)"$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_grub2_spec_store_bypass_disable_argument:obj:1" version="1">
-          <ind:filepath>/etc/default/grub</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*GRUB_CMDLINE_LINUX="(.*)"$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_grub2_spec_store_bypass_disable_argument_default:obj:1" version="1">
-          <ind:filepath>/etc/default/grub</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*GRUB_CMDLINE_LINUX_DEFAULT="(.*)"$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_grub2_spectre_v2_argument:obj:1" version="1">
-          <ind:filepath>/etc/default/grub</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*GRUB_CMDLINE_LINUX="(.*)"$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_grub2_spectre_v2_argument_default:obj:1" version="1">
-          <ind:filepath>/etc/default/grub</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*GRUB_CMDLINE_LINUX_DEFAULT="(.*)"$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_grub2_systemd_debug_shell_argument_absent:obj:1" version="1">
-          <ind:filepath>/etc/default/grub</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*GRUB_CMDLINE_LINUX="(?!.*\bsystemd.debug-shell\b.*).*"$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_grub2_systemd_debug_shell_argument_absent_default:obj:1" version="1">
-          <ind:filepath>/etc/default/grub</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*GRUB_CMDLINE_LINUX_DEFAULT="(?!.*\bsystemd.debug-shell\b).*"$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_kernel_config_acpi_custom_method:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/boot/config-.*$</ind:filepath>
-          <ind:pattern operation="pattern match">^CONFIG_ACPI_CUSTOM_METHOD="?(.*?)"?$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-object_var_kernel_config_acpi_custom_method_count:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_config_acpi_custom_method_count_kernels_installed:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:file_object comment="Collect the kernel config files" id="oval:ssg-object_kernel_config_acpi_custom_method_files:obj:1" version="1">
-          <unix:path>/boot</unix:path>
-          <unix:filename operation="pattern match">^config-.*$</unix:filename>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_kernel_config_binfmt_misc:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/boot/config-.*$</ind:filepath>
-          <ind:pattern operation="pattern match">^CONFIG_BINFMT_MISC="?(.*?)"?$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-object_var_kernel_config_binfmt_misc_count:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_config_binfmt_misc_count_kernels_installed:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:file_object comment="Collect the kernel config files" id="oval:ssg-object_kernel_config_binfmt_misc_files:obj:1" version="1">
-          <unix:path>/boot</unix:path>
-          <unix:filename operation="pattern match">^config-.*$</unix:filename>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_kernel_config_bug:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/boot/config-.*$</ind:filepath>
-          <ind:pattern operation="pattern match">^CONFIG_BUG="?(.*?)"?$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-object_var_kernel_config_bug_count:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_config_bug_count_kernels_installed:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:file_object comment="Collect the kernel config files" id="oval:ssg-object_kernel_config_bug_files:obj:1" version="1">
-          <unix:path>/boot</unix:path>
-          <unix:filename operation="pattern match">^config-.*$</unix:filename>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_kernel_config_compat_brk:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/boot/config-.*$</ind:filepath>
-          <ind:pattern operation="pattern match">^CONFIG_COMPAT_BRK="?(.*?)"?$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-object_var_kernel_config_compat_brk_count:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_config_compat_brk_count_kernels_installed:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:file_object comment="Collect the kernel config files" id="oval:ssg-object_kernel_config_compat_brk_files:obj:1" version="1">
-          <unix:path>/boot</unix:path>
-          <unix:filename operation="pattern match">^config-.*$</unix:filename>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_kernel_config_compat_vdso:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/boot/config-.*$</ind:filepath>
-          <ind:pattern operation="pattern match">^CONFIG_COMPAT_VDSO="?(.*?)"?$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-object_var_kernel_config_compat_vdso_count:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_config_compat_vdso_count_kernels_installed:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:file_object comment="Collect the kernel config files" id="oval:ssg-object_kernel_config_compat_vdso_files:obj:1" version="1">
-          <unix:path>/boot</unix:path>
-          <unix:filename operation="pattern match">^config-.*$</unix:filename>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_kernel_config_debug_credentials:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/boot/config-.*$</ind:filepath>
-          <ind:pattern operation="pattern match">^CONFIG_DEBUG_CREDENTIALS="?(.*?)"?$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-object_var_kernel_config_debug_credentials_count:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_config_debug_credentials_count_kernels_installed:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:file_object comment="Collect the kernel config files" id="oval:ssg-object_kernel_config_debug_credentials_files:obj:1" version="1">
-          <unix:path>/boot</unix:path>
-          <unix:filename operation="pattern match">^config-.*$</unix:filename>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_kernel_config_debug_fs:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/boot/config-.*$</ind:filepath>
-          <ind:pattern operation="pattern match">^CONFIG_DEBUG_FS="?(.*?)"?$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-object_var_kernel_config_debug_fs_count:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_config_debug_fs_count_kernels_installed:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:file_object comment="Collect the kernel config files" id="oval:ssg-object_kernel_config_debug_fs_files:obj:1" version="1">
-          <unix:path>/boot</unix:path>
-          <unix:filename operation="pattern match">^config-.*$</unix:filename>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_kernel_config_debug_list:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/boot/config-.*$</ind:filepath>
-          <ind:pattern operation="pattern match">^CONFIG_DEBUG_LIST="?(.*?)"?$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-object_var_kernel_config_debug_list_count:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_config_debug_list_count_kernels_installed:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:file_object comment="Collect the kernel config files" id="oval:ssg-object_kernel_config_debug_list_files:obj:1" version="1">
-          <unix:path>/boot</unix:path>
-          <unix:filename operation="pattern match">^config-.*$</unix:filename>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_kernel_config_debug_notifiers:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/boot/config-.*$</ind:filepath>
-          <ind:pattern operation="pattern match">^CONFIG_DEBUG_NOTIFIERS="?(.*?)"?$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-object_var_kernel_config_debug_notifiers_count:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_config_debug_notifiers_count_kernels_installed:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:file_object comment="Collect the kernel config files" id="oval:ssg-object_kernel_config_debug_notifiers_files:obj:1" version="1">
-          <unix:path>/boot</unix:path>
-          <unix:filename operation="pattern match">^config-.*$</unix:filename>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_kernel_config_debug_sg:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/boot/config-.*$</ind:filepath>
-          <ind:pattern operation="pattern match">^CONFIG_DEBUG_SG="?(.*?)"?$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-object_var_kernel_config_debug_sg_count:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_config_debug_sg_count_kernels_installed:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:file_object comment="Collect the kernel config files" id="oval:ssg-object_kernel_config_debug_sg_files:obj:1" version="1">
-          <unix:path>/boot</unix:path>
-          <unix:filename operation="pattern match">^config-.*$</unix:filename>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_kernel_config_default_mmap_min_addr:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/boot/config-.*$</ind:filepath>
-          <ind:pattern operation="pattern match">^CONFIG_DEFAULT_MMAP_MIN_ADDR="?(.*?)"?$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-object_var_kernel_config_default_mmap_min_addr_count:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_config_default_mmap_min_addr_count_kernels_installed:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:file_object comment="Collect the kernel config files" id="oval:ssg-object_kernel_config_default_mmap_min_addr_files:obj:1" version="1">
-          <unix:path>/boot</unix:path>
-          <unix:filename operation="pattern match">^config-.*$</unix:filename>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_kernel_config_devkmem:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/boot/config-.*$</ind:filepath>
-          <ind:pattern operation="pattern match">^CONFIG_DEVKMEM="?(.*?)"?$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-object_var_kernel_config_devkmem_count:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_config_devkmem_count_kernels_installed:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:file_object comment="Collect the kernel config files" id="oval:ssg-object_kernel_config_devkmem_files:obj:1" version="1">
-          <unix:path>/boot</unix:path>
-          <unix:filename operation="pattern match">^config-.*$</unix:filename>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_kernel_config_hibernation:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/boot/config-.*$</ind:filepath>
-          <ind:pattern operation="pattern match">^CONFIG_HIBERNATION="?(.*?)"?$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-object_var_kernel_config_hibernation_count:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_config_hibernation_count_kernels_installed:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:file_object comment="Collect the kernel config files" id="oval:ssg-object_kernel_config_hibernation_files:obj:1" version="1">
-          <unix:path>/boot</unix:path>
-          <unix:filename operation="pattern match">^config-.*$</unix:filename>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_kernel_config_ia32_emulation:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/boot/config-.*$</ind:filepath>
-          <ind:pattern operation="pattern match">^CONFIG_IA32_EMULATION="?(.*?)"?$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-object_var_kernel_config_ia32_emulation_count:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_config_ia32_emulation_count_kernels_installed:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:file_object comment="Collect the kernel config files" id="oval:ssg-object_kernel_config_ia32_emulation_files:obj:1" version="1">
-          <unix:path>/boot</unix:path>
-          <unix:filename operation="pattern match">^config-.*$</unix:filename>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_kernel_config_ipv6:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/boot/config-.*$</ind:filepath>
-          <ind:pattern operation="pattern match">^CONFIG_IPV6="?(.*?)"?$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-object_var_kernel_config_ipv6_count:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_config_ipv6_count_kernels_installed:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:file_object comment="Collect the kernel config files" id="oval:ssg-object_kernel_config_ipv6_files:obj:1" version="1">
-          <unix:path>/boot</unix:path>
-          <unix:filename operation="pattern match">^config-.*$</unix:filename>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_kernel_config_kexec:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/boot/config-.*$</ind:filepath>
-          <ind:pattern operation="pattern match">^CONFIG_KEXEC="?(.*?)"?$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-object_var_kernel_config_kexec_count:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_config_kexec_count_kernels_installed:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:file_object comment="Collect the kernel config files" id="oval:ssg-object_kernel_config_kexec_files:obj:1" version="1">
-          <unix:path>/boot</unix:path>
-          <unix:filename operation="pattern match">^config-.*$</unix:filename>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_kernel_config_legacy_ptys:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/boot/config-.*$</ind:filepath>
-          <ind:pattern operation="pattern match">^CONFIG_LEGACY_PTYS="?(.*?)"?$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-object_var_kernel_config_legacy_ptys_count:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_config_legacy_ptys_count_kernels_installed:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:file_object comment="Collect the kernel config files" id="oval:ssg-object_kernel_config_legacy_ptys_files:obj:1" version="1">
-          <unix:path>/boot</unix:path>
-          <unix:filename operation="pattern match">^config-.*$</unix:filename>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_kernel_config_module_sig:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/boot/config-.*$</ind:filepath>
-          <ind:pattern operation="pattern match">^CONFIG_MODULE_SIG="?(.*?)"?$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-object_var_kernel_config_module_sig_count:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_config_module_sig_count_kernels_installed:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:file_object comment="Collect the kernel config files" id="oval:ssg-object_kernel_config_module_sig_files:obj:1" version="1">
-          <unix:path>/boot</unix:path>
-          <unix:filename operation="pattern match">^config-.*$</unix:filename>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_kernel_config_module_sig_all:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/boot/config-.*$</ind:filepath>
-          <ind:pattern operation="pattern match">^CONFIG_MODULE_SIG_ALL="?(.*?)"?$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-object_var_kernel_config_module_sig_all_count:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_config_module_sig_all_count_kernels_installed:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:file_object comment="Collect the kernel config files" id="oval:ssg-object_kernel_config_module_sig_all_files:obj:1" version="1">
-          <unix:path>/boot</unix:path>
-          <unix:filename operation="pattern match">^config-.*$</unix:filename>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_kernel_config_module_sig_force:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/boot/config-.*$</ind:filepath>
-          <ind:pattern operation="pattern match">^CONFIG_MODULE_SIG_FORCE="?(.*?)"?$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-object_var_kernel_config_module_sig_force_count:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_config_module_sig_force_count_kernels_installed:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:file_object comment="Collect the kernel config files" id="oval:ssg-object_kernel_config_module_sig_force_files:obj:1" version="1">
-          <unix:path>/boot</unix:path>
-          <unix:filename operation="pattern match">^config-.*$</unix:filename>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_kernel_config_module_sig_hash:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/boot/config-.*$</ind:filepath>
-          <ind:pattern operation="pattern match">^CONFIG_MODULE_SIG_HASH="?(.*?)"?$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-object_var_kernel_config_module_sig_hash_count:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_config_module_sig_hash_count_kernels_installed:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:file_object comment="Collect the kernel config files" id="oval:ssg-object_kernel_config_module_sig_hash_files:obj:1" version="1">
-          <unix:path>/boot</unix:path>
-          <unix:filename operation="pattern match">^config-.*$</unix:filename>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_kernel_config_module_sig_key:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/boot/config-.*$</ind:filepath>
-          <ind:pattern operation="pattern match">^CONFIG_MODULE_SIG_KEY="?(.*?)"?$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-object_var_kernel_config_module_sig_key_count:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_config_module_sig_key_count_kernels_installed:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:file_object comment="Collect the kernel config files" id="oval:ssg-object_kernel_config_module_sig_key_files:obj:1" version="1">
-          <unix:path>/boot</unix:path>
-          <unix:filename operation="pattern match">^config-.*$</unix:filename>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_kernel_config_module_sig_sha512:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/boot/config-.*$</ind:filepath>
-          <ind:pattern operation="pattern match">^CONFIG_MODULE_SIG_SHA512="?(.*?)"?$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-object_var_kernel_config_module_sig_sha512_count:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_config_module_sig_sha512_count_kernels_installed:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:file_object comment="Collect the kernel config files" id="oval:ssg-object_kernel_config_module_sig_sha512_files:obj:1" version="1">
-          <unix:path>/boot</unix:path>
-          <unix:filename operation="pattern match">^config-.*$</unix:filename>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_kernel_config_page_poisoning_no_sanity:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/boot/config-.*$</ind:filepath>
-          <ind:pattern operation="pattern match">^CONFIG_PAGE_POISONING_NO_SANITY="?(.*?)"?$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-object_var_kernel_config_page_poisoning_no_sanity_count:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_config_page_poisoning_no_sanity_count_kernels_installed:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:file_object comment="Collect the kernel config files" id="oval:ssg-object_kernel_config_page_poisoning_no_sanity_files:obj:1" version="1">
-          <unix:path>/boot</unix:path>
-          <unix:filename operation="pattern match">^config-.*$</unix:filename>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_kernel_config_page_poisoning_zero:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/boot/config-.*$</ind:filepath>
-          <ind:pattern operation="pattern match">^CONFIG_PAGE_POISONING_ZERO="?(.*?)"?$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-object_var_kernel_config_page_poisoning_zero_count:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_config_page_poisoning_zero_count_kernels_installed:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:file_object comment="Collect the kernel config files" id="oval:ssg-object_kernel_config_page_poisoning_zero_files:obj:1" version="1">
-          <unix:path>/boot</unix:path>
-          <unix:filename operation="pattern match">^config-.*$</unix:filename>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_kernel_config_page_table_isolation:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/boot/config-.*$</ind:filepath>
-          <ind:pattern operation="pattern match">^CONFIG_PAGE_TABLE_ISOLATION="?(.*?)"?$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-object_var_kernel_config_page_table_isolation_count:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_config_page_table_isolation_count_kernels_installed:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:file_object comment="Collect the kernel config files" id="oval:ssg-object_kernel_config_page_table_isolation_files:obj:1" version="1">
-          <unix:path>/boot</unix:path>
-          <unix:filename operation="pattern match">^config-.*$</unix:filename>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_kernel_config_panic_on_oops:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/boot/config-.*$</ind:filepath>
-          <ind:pattern operation="pattern match">^CONFIG_PANIC_ON_OOPS="?(.*?)"?$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-object_var_kernel_config_panic_on_oops_count:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_config_panic_on_oops_count_kernels_installed:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:file_object comment="Collect the kernel config files" id="oval:ssg-object_kernel_config_panic_on_oops_files:obj:1" version="1">
-          <unix:path>/boot</unix:path>
-          <unix:filename operation="pattern match">^config-.*$</unix:filename>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_kernel_config_panic_timeout:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/boot/config-.*$</ind:filepath>
-          <ind:pattern operation="pattern match">^CONFIG_PANIC_TIMEOUT="?(.*?)"?$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-object_var_kernel_config_panic_timeout_count:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_config_panic_timeout_count_kernels_installed:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:file_object comment="Collect the kernel config files" id="oval:ssg-object_kernel_config_panic_timeout_files:obj:1" version="1">
-          <unix:path>/boot</unix:path>
-          <unix:filename operation="pattern match">^config-.*$</unix:filename>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_kernel_config_proc_kcore:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/boot/config-.*$</ind:filepath>
-          <ind:pattern operation="pattern match">^CONFIG_PROC_KCORE="?(.*?)"?$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-object_var_kernel_config_proc_kcore_count:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_config_proc_kcore_count_kernels_installed:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:file_object comment="Collect the kernel config files" id="oval:ssg-object_kernel_config_proc_kcore_files:obj:1" version="1">
-          <unix:path>/boot</unix:path>
-          <unix:filename operation="pattern match">^config-.*$</unix:filename>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_kernel_config_randomize_base:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/boot/config-.*$</ind:filepath>
-          <ind:pattern operation="pattern match">^CONFIG_RANDOMIZE_BASE="?(.*?)"?$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-object_var_kernel_config_randomize_base_count:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_config_randomize_base_count_kernels_installed:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:file_object comment="Collect the kernel config files" id="oval:ssg-object_kernel_config_randomize_base_files:obj:1" version="1">
-          <unix:path>/boot</unix:path>
-          <unix:filename operation="pattern match">^config-.*$</unix:filename>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_kernel_config_randomize_memory:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/boot/config-.*$</ind:filepath>
-          <ind:pattern operation="pattern match">^CONFIG_RANDOMIZE_MEMORY="?(.*?)"?$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-object_var_kernel_config_randomize_memory_count:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_config_randomize_memory_count_kernels_installed:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:file_object comment="Collect the kernel config files" id="oval:ssg-object_kernel_config_randomize_memory_files:obj:1" version="1">
-          <unix:path>/boot</unix:path>
-          <unix:filename operation="pattern match">^config-.*$</unix:filename>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_kernel_config_retpoline:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/boot/config-.*$</ind:filepath>
-          <ind:pattern operation="pattern match">^CONFIG_RETPOLINE="?(.*?)"?$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-object_var_kernel_config_retpoline_count:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_config_retpoline_count_kernels_installed:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:file_object comment="Collect the kernel config files" id="oval:ssg-object_kernel_config_retpoline_files:obj:1" version="1">
-          <unix:path>/boot</unix:path>
-          <unix:filename operation="pattern match">^config-.*$</unix:filename>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_kernel_config_seccomp:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/boot/config-.*$</ind:filepath>
-          <ind:pattern operation="pattern match">^CONFIG_SECCOMP="?(.*?)"?$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-object_var_kernel_config_seccomp_count:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_config_seccomp_count_kernels_installed:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:file_object comment="Collect the kernel config files" id="oval:ssg-object_kernel_config_seccomp_files:obj:1" version="1">
-          <unix:path>/boot</unix:path>
-          <unix:filename operation="pattern match">^config-.*$</unix:filename>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_kernel_config_seccomp_filter:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/boot/config-.*$</ind:filepath>
-          <ind:pattern operation="pattern match">^CONFIG_SECCOMP_FILTER="?(.*?)"?$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-object_var_kernel_config_seccomp_filter_count:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_config_seccomp_filter_count_kernels_installed:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:file_object comment="Collect the kernel config files" id="oval:ssg-object_kernel_config_seccomp_filter_files:obj:1" version="1">
-          <unix:path>/boot</unix:path>
-          <unix:filename operation="pattern match">^config-.*$</unix:filename>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_kernel_config_security:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/boot/config-.*$</ind:filepath>
-          <ind:pattern operation="pattern match">^CONFIG_SECURITY="?(.*?)"?$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-object_var_kernel_config_security_count:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_config_security_count_kernels_installed:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:file_object comment="Collect the kernel config files" id="oval:ssg-object_kernel_config_security_files:obj:1" version="1">
-          <unix:path>/boot</unix:path>
-          <unix:filename operation="pattern match">^config-.*$</unix:filename>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_kernel_config_security_dmesg_restrict:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/boot/config-.*$</ind:filepath>
-          <ind:pattern operation="pattern match">^CONFIG_SECURITY_DMESG_RESTRICT="?(.*?)"?$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-object_var_kernel_config_security_dmesg_restrict_count:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_config_security_dmesg_restrict_count_kernels_installed:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:file_object comment="Collect the kernel config files" id="oval:ssg-object_kernel_config_security_dmesg_restrict_files:obj:1" version="1">
-          <unix:path>/boot</unix:path>
-          <unix:filename operation="pattern match">^config-.*$</unix:filename>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_kernel_config_security_writable_hooks:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/boot/config-.*$</ind:filepath>
-          <ind:pattern operation="pattern match">^CONFIG_SECURITY_WRITABLE_HOOKS="?(.*?)"?$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-object_var_kernel_config_security_writable_hooks_count:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_config_security_writable_hooks_count_kernels_installed:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:file_object comment="Collect the kernel config files" id="oval:ssg-object_kernel_config_security_writable_hooks_files:obj:1" version="1">
-          <unix:path>/boot</unix:path>
-          <unix:filename operation="pattern match">^config-.*$</unix:filename>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_kernel_config_security_yama:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/boot/config-.*$</ind:filepath>
-          <ind:pattern operation="pattern match">^CONFIG_SECURITY_YAMA="?(.*?)"?$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-object_var_kernel_config_security_yama_count:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_config_security_yama_count_kernels_installed:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:file_object comment="Collect the kernel config files" id="oval:ssg-object_kernel_config_security_yama_files:obj:1" version="1">
-          <unix:path>/boot</unix:path>
-          <unix:filename operation="pattern match">^config-.*$</unix:filename>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_kernel_config_slub_debug:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/boot/config-.*$</ind:filepath>
-          <ind:pattern operation="pattern match">^CONFIG_SLUB_DEBUG="?(.*?)"?$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-object_var_kernel_config_slub_debug_count:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_config_slub_debug_count_kernels_installed:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:file_object comment="Collect the kernel config files" id="oval:ssg-object_kernel_config_slub_debug_files:obj:1" version="1">
-          <unix:path>/boot</unix:path>
-          <unix:filename operation="pattern match">^config-.*$</unix:filename>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_kernel_config_syn_cookies:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/boot/config-.*$</ind:filepath>
-          <ind:pattern operation="pattern match">^CONFIG_SYN_COOKIES="?(.*?)"?$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-object_var_kernel_config_syn_cookies_count:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_config_syn_cookies_count_kernels_installed:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:file_object comment="Collect the kernel config files" id="oval:ssg-object_kernel_config_syn_cookies_files:obj:1" version="1">
-          <unix:path>/boot</unix:path>
-          <unix:filename operation="pattern match">^config-.*$</unix:filename>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_kernel_config_unmap_kernel_at_el0:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/boot/config-.*$</ind:filepath>
-          <ind:pattern operation="pattern match">^CONFIG_UNMAP_KERNEL_AT_EL0="?(.*?)"?$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-object_var_kernel_config_unmap_kernel_at_el0_count:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_config_unmap_kernel_at_el0_count_kernels_installed:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:file_object comment="Collect the kernel config files" id="oval:ssg-object_kernel_config_unmap_kernel_at_el0_files:obj:1" version="1">
-          <unix:path>/boot</unix:path>
-          <unix:filename operation="pattern match">^config-.*$</unix:filename>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_kernel_config_x86_vsyscall_emulation:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/boot/config-.*$</ind:filepath>
-          <ind:pattern operation="pattern match">^CONFIG_X86_VSYSCALL_EMULATION="?(.*?)"?$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-object_var_kernel_config_x86_vsyscall_emulation_count:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_config_x86_vsyscall_emulation_count_kernels_installed:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:file_object comment="Collect the kernel config files" id="oval:ssg-object_kernel_config_x86_vsyscall_emulation_files:obj:1" version="1">
-          <unix:path>/boot</unix:path>
-          <unix:filename operation="pattern match">^config-.*$</unix:filename>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_kernmod_atm_disabled:obj:1" version="1" comment="kernel module atm disabled">
-          <ind:path var_ref="oval:ssg-var_kernel_module_atm_paths:var:1" var_check="at least one"/>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^\s*install\s+atm\s+(/bin/false|/bin/true)$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_kernmod_atm_blacklisted:obj:1" version="1" comment="kernel module atm blacklisted">
-          <ind:path var_ref="oval:ssg-var_kernel_module_atm_paths:var:1" var_check="at least one"/>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^blacklist\s+atm$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_kernmod_atm_modprobeconf:obj:1" version="1" comment="Check deprecated /etc/modprobe.conf for disablement of atm">
-          <ind:filepath>/etc/modprobe.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*install\s+atm\s+(/bin/false|/bin/true)$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_kernmod_bluetooth_disabled:obj:1" version="1" comment="kernel module bluetooth disabled">
-          <ind:path var_ref="oval:ssg-var_kernel_module_bluetooth_paths:var:1" var_check="at least one"/>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^\s*install\s+bluetooth\s+(/bin/false|/bin/true)$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_kernmod_bluetooth_blacklisted:obj:1" version="1" comment="kernel module bluetooth blacklisted">
-          <ind:path var_ref="oval:ssg-var_kernel_module_bluetooth_paths:var:1" var_check="at least one"/>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^blacklist\s+bluetooth$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_kernmod_bluetooth_modprobeconf:obj:1" version="1" comment="Check deprecated /etc/modprobe.conf for disablement of bluetooth">
-          <ind:filepath>/etc/modprobe.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*install\s+bluetooth\s+(/bin/false|/bin/true)$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_kernmod_can_disabled:obj:1" version="1" comment="kernel module can disabled">
-          <ind:path var_ref="oval:ssg-var_kernel_module_can_paths:var:1" var_check="at least one"/>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^\s*install\s+can\s+(/bin/false|/bin/true)$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_kernmod_can_blacklisted:obj:1" version="1" comment="kernel module can blacklisted">
-          <ind:path var_ref="oval:ssg-var_kernel_module_can_paths:var:1" var_check="at least one"/>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^blacklist\s+can$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_kernmod_can_modprobeconf:obj:1" version="1" comment="Check deprecated /etc/modprobe.conf for disablement of can">
-          <ind:filepath>/etc/modprobe.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*install\s+can\s+(/bin/false|/bin/true)$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_kernmod_cfg80211_disabled:obj:1" version="1" comment="kernel module cfg80211 disabled">
-          <ind:path var_ref="oval:ssg-var_kernel_module_cfg80211_paths:var:1" var_check="at least one"/>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^\s*install\s+cfg80211\s+(/bin/false|/bin/true)$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_kernmod_cfg80211_blacklisted:obj:1" version="1" comment="kernel module cfg80211 blacklisted">
-          <ind:path var_ref="oval:ssg-var_kernel_module_cfg80211_paths:var:1" var_check="at least one"/>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^blacklist\s+cfg80211$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_kernmod_cfg80211_modprobeconf:obj:1" version="1" comment="Check deprecated /etc/modprobe.conf for disablement of cfg80211">
-          <ind:filepath>/etc/modprobe.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*install\s+cfg80211\s+(/bin/false|/bin/true)$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_kernmod_cramfs_disabled:obj:1" version="1" comment="kernel module cramfs disabled">
-          <ind:path var_ref="oval:ssg-var_kernel_module_cramfs_paths:var:1" var_check="at least one"/>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^\s*install\s+cramfs\s+(/bin/false|/bin/true)$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_kernmod_cramfs_blacklisted:obj:1" version="1" comment="kernel module cramfs blacklisted">
-          <ind:path var_ref="oval:ssg-var_kernel_module_cramfs_paths:var:1" var_check="at least one"/>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^blacklist\s+cramfs$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_kernmod_cramfs_modprobeconf:obj:1" version="1" comment="Check deprecated /etc/modprobe.conf for disablement of cramfs">
-          <ind:filepath>/etc/modprobe.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*install\s+cramfs\s+(/bin/false|/bin/true)$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_kernmod_firewire-core_disabled:obj:1" version="1" comment="kernel module firewire-core disabled">
-          <ind:path var_ref="oval:ssg-var_kernel_module_firewire-core_paths:var:1" var_check="at least one"/>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^\s*install\s+firewire-core\s+(/bin/false|/bin/true)$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_kernmod_firewire-core_blacklisted:obj:1" version="1" comment="kernel module firewire-core blacklisted">
-          <ind:path var_ref="oval:ssg-var_kernel_module_firewire-core_paths:var:1" var_check="at least one"/>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^blacklist\s+firewire-core$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_kernmod_firewire-core_modprobeconf:obj:1" version="1" comment="Check deprecated /etc/modprobe.conf for disablement of firewire-core">
-          <ind:filepath>/etc/modprobe.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*install\s+firewire-core\s+(/bin/false|/bin/true)$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_kernmod_freevxfs_disabled:obj:1" version="1" comment="kernel module freevxfs disabled">
-          <ind:path var_ref="oval:ssg-var_kernel_module_freevxfs_paths:var:1" var_check="at least one"/>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^\s*install\s+freevxfs\s+(/bin/false|/bin/true)$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_kernmod_freevxfs_blacklisted:obj:1" version="1" comment="kernel module freevxfs blacklisted">
-          <ind:path var_ref="oval:ssg-var_kernel_module_freevxfs_paths:var:1" var_check="at least one"/>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^blacklist\s+freevxfs$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_kernmod_freevxfs_modprobeconf:obj:1" version="1" comment="Check deprecated /etc/modprobe.conf for disablement of freevxfs">
-          <ind:filepath>/etc/modprobe.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*install\s+freevxfs\s+(/bin/false|/bin/true)$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_kernmod_hfs_disabled:obj:1" version="1" comment="kernel module hfs disabled">
-          <ind:path var_ref="oval:ssg-var_kernel_module_hfs_paths:var:1" var_check="at least one"/>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^\s*install\s+hfs\s+(/bin/false|/bin/true)$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_kernmod_hfs_blacklisted:obj:1" version="1" comment="kernel module hfs blacklisted">
-          <ind:path var_ref="oval:ssg-var_kernel_module_hfs_paths:var:1" var_check="at least one"/>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^blacklist\s+hfs$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_kernmod_hfs_modprobeconf:obj:1" version="1" comment="Check deprecated /etc/modprobe.conf for disablement of hfs">
-          <ind:filepath>/etc/modprobe.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*install\s+hfs\s+(/bin/false|/bin/true)$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_kernmod_hfsplus_disabled:obj:1" version="1" comment="kernel module hfsplus disabled">
-          <ind:path var_ref="oval:ssg-var_kernel_module_hfsplus_paths:var:1" var_check="at least one"/>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^\s*install\s+hfsplus\s+(/bin/false|/bin/true)$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_kernmod_hfsplus_blacklisted:obj:1" version="1" comment="kernel module hfsplus blacklisted">
-          <ind:path var_ref="oval:ssg-var_kernel_module_hfsplus_paths:var:1" var_check="at least one"/>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^blacklist\s+hfsplus$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_kernmod_hfsplus_modprobeconf:obj:1" version="1" comment="Check deprecated /etc/modprobe.conf for disablement of hfsplus">
-          <ind:filepath>/etc/modprobe.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*install\s+hfsplus\s+(/bin/false|/bin/true)$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_kernmod_iwlmvm_disabled:obj:1" version="1" comment="kernel module iwlmvm disabled">
-          <ind:path var_ref="oval:ssg-var_kernel_module_iwlmvm_paths:var:1" var_check="at least one"/>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^\s*install\s+iwlmvm\s+(/bin/false|/bin/true)$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_kernmod_iwlmvm_blacklisted:obj:1" version="1" comment="kernel module iwlmvm blacklisted">
-          <ind:path var_ref="oval:ssg-var_kernel_module_iwlmvm_paths:var:1" var_check="at least one"/>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^blacklist\s+iwlmvm$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_kernmod_iwlmvm_modprobeconf:obj:1" version="1" comment="Check deprecated /etc/modprobe.conf for disablement of iwlmvm">
-          <ind:filepath>/etc/modprobe.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*install\s+iwlmvm\s+(/bin/false|/bin/true)$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_kernmod_iwlwifi_disabled:obj:1" version="1" comment="kernel module iwlwifi disabled">
-          <ind:path var_ref="oval:ssg-var_kernel_module_iwlwifi_paths:var:1" var_check="at least one"/>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^\s*install\s+iwlwifi\s+(/bin/false|/bin/true)$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_kernmod_iwlwifi_blacklisted:obj:1" version="1" comment="kernel module iwlwifi blacklisted">
-          <ind:path var_ref="oval:ssg-var_kernel_module_iwlwifi_paths:var:1" var_check="at least one"/>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^blacklist\s+iwlwifi$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_kernmod_iwlwifi_modprobeconf:obj:1" version="1" comment="Check deprecated /etc/modprobe.conf for disablement of iwlwifi">
-          <ind:filepath>/etc/modprobe.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*install\s+iwlwifi\s+(/bin/false|/bin/true)$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_kernmod_jffs2_disabled:obj:1" version="1" comment="kernel module jffs2 disabled">
-          <ind:path var_ref="oval:ssg-var_kernel_module_jffs2_paths:var:1" var_check="at least one"/>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^\s*install\s+jffs2\s+(/bin/false|/bin/true)$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_kernmod_jffs2_blacklisted:obj:1" version="1" comment="kernel module jffs2 blacklisted">
-          <ind:path var_ref="oval:ssg-var_kernel_module_jffs2_paths:var:1" var_check="at least one"/>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^blacklist\s+jffs2$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_kernmod_jffs2_modprobeconf:obj:1" version="1" comment="Check deprecated /etc/modprobe.conf for disablement of jffs2">
-          <ind:filepath>/etc/modprobe.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*install\s+jffs2\s+(/bin/false|/bin/true)$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_kernmod_mac80211_disabled:obj:1" version="1" comment="kernel module mac80211 disabled">
-          <ind:path var_ref="oval:ssg-var_kernel_module_mac80211_paths:var:1" var_check="at least one"/>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^\s*install\s+mac80211\s+(/bin/false|/bin/true)$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_kernmod_mac80211_blacklisted:obj:1" version="1" comment="kernel module mac80211 blacklisted">
-          <ind:path var_ref="oval:ssg-var_kernel_module_mac80211_paths:var:1" var_check="at least one"/>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^blacklist\s+mac80211$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_kernmod_mac80211_modprobeconf:obj:1" version="1" comment="Check deprecated /etc/modprobe.conf for disablement of mac80211">
-          <ind:filepath>/etc/modprobe.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*install\s+mac80211\s+(/bin/false|/bin/true)$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_kernmod_rds_disabled:obj:1" version="1" comment="kernel module rds disabled">
-          <ind:path var_ref="oval:ssg-var_kernel_module_rds_paths:var:1" var_check="at least one"/>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^\s*install\s+rds\s+(/bin/false|/bin/true)$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_kernmod_rds_blacklisted:obj:1" version="1" comment="kernel module rds blacklisted">
-          <ind:path var_ref="oval:ssg-var_kernel_module_rds_paths:var:1" var_check="at least one"/>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^blacklist\s+rds$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_kernmod_rds_modprobeconf:obj:1" version="1" comment="Check deprecated /etc/modprobe.conf for disablement of rds">
-          <ind:filepath>/etc/modprobe.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*install\s+rds\s+(/bin/false|/bin/true)$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_kernmod_sctp_disabled:obj:1" version="1" comment="kernel module sctp disabled">
-          <ind:path var_ref="oval:ssg-var_kernel_module_sctp_paths:var:1" var_check="at least one"/>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^\s*install\s+sctp\s+(/bin/false|/bin/true)$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_kernmod_sctp_blacklisted:obj:1" version="1" comment="kernel module sctp blacklisted">
-          <ind:path var_ref="oval:ssg-var_kernel_module_sctp_paths:var:1" var_check="at least one"/>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^blacklist\s+sctp$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_kernmod_sctp_modprobeconf:obj:1" version="1" comment="Check deprecated /etc/modprobe.conf for disablement of sctp">
-          <ind:filepath>/etc/modprobe.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*install\s+sctp\s+(/bin/false|/bin/true)$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_kernmod_squashfs_disabled:obj:1" version="1" comment="kernel module squashfs disabled">
-          <ind:path var_ref="oval:ssg-var_kernel_module_squashfs_paths:var:1" var_check="at least one"/>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^\s*install\s+squashfs\s+(/bin/false|/bin/true)$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_kernmod_squashfs_blacklisted:obj:1" version="1" comment="kernel module squashfs blacklisted">
-          <ind:path var_ref="oval:ssg-var_kernel_module_squashfs_paths:var:1" var_check="at least one"/>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^blacklist\s+squashfs$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_kernmod_squashfs_modprobeconf:obj:1" version="1" comment="Check deprecated /etc/modprobe.conf for disablement of squashfs">
-          <ind:filepath>/etc/modprobe.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*install\s+squashfs\s+(/bin/false|/bin/true)$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_kernmod_tipc_disabled:obj:1" version="1" comment="kernel module tipc disabled">
-          <ind:path var_ref="oval:ssg-var_kernel_module_tipc_paths:var:1" var_check="at least one"/>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^\s*install\s+tipc\s+(/bin/false|/bin/true)$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_kernmod_tipc_blacklisted:obj:1" version="1" comment="kernel module tipc blacklisted">
-          <ind:path var_ref="oval:ssg-var_kernel_module_tipc_paths:var:1" var_check="at least one"/>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^blacklist\s+tipc$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_kernmod_tipc_modprobeconf:obj:1" version="1" comment="Check deprecated /etc/modprobe.conf for disablement of tipc">
-          <ind:filepath>/etc/modprobe.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*install\s+tipc\s+(/bin/false|/bin/true)$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_kernmod_udf_disabled:obj:1" version="1" comment="kernel module udf disabled">
-          <ind:path var_ref="oval:ssg-var_kernel_module_udf_paths:var:1" var_check="at least one"/>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^\s*install\s+udf\s+(/bin/false|/bin/true)$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_kernmod_udf_blacklisted:obj:1" version="1" comment="kernel module udf blacklisted">
-          <ind:path var_ref="oval:ssg-var_kernel_module_udf_paths:var:1" var_check="at least one"/>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^blacklist\s+udf$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_kernmod_udf_modprobeconf:obj:1" version="1" comment="Check deprecated /etc/modprobe.conf for disablement of udf">
-          <ind:filepath>/etc/modprobe.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*install\s+udf\s+(/bin/false|/bin/true)$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_kernmod_usb-storage_disabled:obj:1" version="1" comment="kernel module usb-storage disabled">
-          <ind:path var_ref="oval:ssg-var_kernel_module_usb-storage_paths:var:1" var_check="at least one"/>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^\s*install\s+usb-storage\s+(/bin/false|/bin/true)$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_kernmod_usb-storage_blacklisted:obj:1" version="1" comment="kernel module usb-storage blacklisted">
-          <ind:path var_ref="oval:ssg-var_kernel_module_usb-storage_paths:var:1" var_check="at least one"/>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^blacklist\s+usb-storage$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_kernmod_usb-storage_modprobeconf:obj:1" version="1" comment="Check deprecated /etc/modprobe.conf for disablement of usb-storage">
-          <ind:filepath>/etc/modprobe.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*install\s+usb-storage\s+(/bin/false|/bin/true)$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_kernmod_uvcvideo_disabled:obj:1" version="1" comment="kernel module uvcvideo disabled">
-          <ind:path var_ref="oval:ssg-var_kernel_module_uvcvideo_paths:var:1" var_check="at least one"/>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^\s*install\s+uvcvideo\s+(/bin/false|/bin/true)$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_kernmod_uvcvideo_blacklisted:obj:1" version="1" comment="kernel module uvcvideo blacklisted">
-          <ind:path var_ref="oval:ssg-var_kernel_module_uvcvideo_paths:var:1" var_check="at least one"/>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^blacklist\s+uvcvideo$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_kernmod_uvcvideo_modprobeconf:obj:1" version="1" comment="Check deprecated /etc/modprobe.conf for disablement of uvcvideo">
-          <ind:filepath>/etc/modprobe.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*install\s+uvcvideo\s+(/bin/false|/bin/true)$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_kernmod_vfat_disabled:obj:1" version="1" comment="kernel module vfat disabled">
-          <ind:path var_ref="oval:ssg-var_kernel_module_vfat_paths:var:1" var_check="at least one"/>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^\s*install\s+vfat\s+(/bin/false|/bin/true)$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_kernmod_vfat_blacklisted:obj:1" version="1" comment="kernel module vfat blacklisted">
-          <ind:path var_ref="oval:ssg-var_kernel_module_vfat_paths:var:1" var_check="at least one"/>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^blacklist\s+vfat$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_kernmod_vfat_modprobeconf:obj:1" version="1" comment="Check deprecated /etc/modprobe.conf for disablement of vfat">
-          <ind:filepath>/etc/modprobe.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*install\s+vfat\s+(/bin/false|/bin/true)$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <linux:partition_object version="1" id="oval:ssg-object_boot_partition_nodev_optional_yes:obj:1">
-          <linux:mount_point>/boot</linux:mount_point>
-        </linux:partition_object>
-        <linux:partition_object version="1" id="oval:ssg-object_boot_partition_nosuid_optional_yes:obj:1">
-          <linux:mount_point>/boot</linux:mount_point>
-        </linux:partition_object>
-        <linux:partition_object version="1" id="oval:ssg-object_dev_shm_partition_nodev_optional_no:obj:1">
-          <linux:mount_point>/dev/shm</linux:mount_point>
-        </linux:partition_object>
-        <linux:partition_object version="1" id="oval:ssg-object_dev_shm_partition_noexec_optional_no:obj:1">
-          <linux:mount_point>/dev/shm</linux:mount_point>
-        </linux:partition_object>
-        <linux:partition_object version="1" id="oval:ssg-object_dev_shm_partition_nosuid_optional_no:obj:1">
-          <linux:mount_point>/dev/shm</linux:mount_point>
-        </linux:partition_object>
-        <linux:partition_object version="1" id="oval:ssg-object_home_partition_nodev_optional_yes:obj:1">
-          <linux:mount_point>/home</linux:mount_point>
-        </linux:partition_object>
-        <linux:partition_object version="1" id="oval:ssg-object_home_partition_nosuid_optional_yes:obj:1">
-          <linux:mount_point>/home</linux:mount_point>
-        </linux:partition_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_nodev_etc_fstab_cd_dvd_drive:obj:1" version="1">
-          <ind:filepath>/etc/fstab</ind:filepath>
-          <ind:pattern operation="pattern match" datatype="string" var_ref="oval:ssg-variable_cd_dvd_drive_regex_pattern_nodev:var:1" var_check="at least one"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_nodev_etc_fstab_not_cd_dvd_drive:obj:1" version="1">
-          <ind:filepath>/etc/fstab</ind:filepath>
-          <ind:pattern operation="pattern match" datatype="string" var_ref="oval:ssg-variable_not_cd_dvd_drive_regex_pattern_nodev:var:1" var_check="at least one"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_noexec_etc_fstab_cd_dvd_drive:obj:1" version="1">
-          <ind:filepath>/etc/fstab</ind:filepath>
-          <ind:pattern operation="pattern match" datatype="string" var_ref="oval:ssg-variable_cd_dvd_drive_regex_pattern_noexec:var:1" var_check="at least one"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_noexec_etc_fstab_not_cd_dvd_drive:obj:1" version="1">
-          <ind:filepath>/etc/fstab</ind:filepath>
-          <ind:pattern operation="pattern match" datatype="string" var_ref="oval:ssg-variable_not_cd_dvd_drive_regex_pattern_noexec:var:1" var_check="at least one"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_nosuid_etc_fstab_cd_dvd_drive:obj:1" version="1">
-          <ind:filepath>/etc/fstab</ind:filepath>
-          <ind:pattern operation="pattern match" datatype="string" var_ref="oval:ssg-variable_cd_dvd_drive_regex_pattern_nosuid:var:1" var_check="at least one"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_nosuid_etc_fstab_not_cd_dvd_drive:obj:1" version="1">
-          <ind:filepath>/etc/fstab</ind:filepath>
-          <ind:pattern operation="pattern match" datatype="string" var_ref="oval:ssg-variable_not_cd_dvd_drive_regex_pattern_nosuid:var:1" var_check="at least one"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <linux:partition_object version="1" id="oval:ssg-object_tmp_partition_nodev_optional_yes:obj:1">
-          <linux:mount_point>/tmp</linux:mount_point>
-        </linux:partition_object>
-        <linux:partition_object version="1" id="oval:ssg-object_tmp_partition_noexec_optional_yes:obj:1">
-          <linux:mount_point>/tmp</linux:mount_point>
-        </linux:partition_object>
-        <linux:partition_object version="1" id="oval:ssg-object_tmp_partition_nosuid_optional_yes:obj:1">
-          <linux:mount_point>/tmp</linux:mount_point>
-        </linux:partition_object>
-        <linux:partition_object version="1" id="oval:ssg-object_var_log_audit_partition_nodev_optional_yes:obj:1">
-          <linux:mount_point>/var/log/audit</linux:mount_point>
-        </linux:partition_object>
-        <linux:partition_object version="1" id="oval:ssg-object_var_log_audit_partition_noexec_optional_yes:obj:1">
-          <linux:mount_point>/var/log/audit</linux:mount_point>
-        </linux:partition_object>
-        <linux:partition_object version="1" id="oval:ssg-object_var_log_audit_partition_nosuid_optional_yes:obj:1">
-          <linux:mount_point>/var/log/audit</linux:mount_point>
-        </linux:partition_object>
-        <linux:partition_object version="1" id="oval:ssg-object_var_log_partition_nodev_optional_yes:obj:1">
-          <linux:mount_point>/var/log</linux:mount_point>
-        </linux:partition_object>
-        <linux:partition_object version="1" id="oval:ssg-object_var_log_partition_noexec_optional_yes:obj:1">
-          <linux:mount_point>/var/log</linux:mount_point>
-        </linux:partition_object>
-        <linux:partition_object version="1" id="oval:ssg-object_var_log_partition_nosuid_optional_yes:obj:1">
-          <linux:mount_point>/var/log</linux:mount_point>
-        </linux:partition_object>
-        <linux:partition_object version="1" id="oval:ssg-object_var_partition_nodev_optional_yes:obj:1">
-          <linux:mount_point>/var</linux:mount_point>
-        </linux:partition_object>
-        <linux:partition_object version="1" id="oval:ssg-object_var_partition_nosuid_optional_yes:obj:1">
-          <linux:mount_point>/var</linux:mount_point>
-        </linux:partition_object>
-        <linux:partition_object version="1" id="oval:ssg-object_var_tmp_partition_nodev_optional_yes:obj:1">
-          <linux:mount_point>/var/tmp</linux:mount_point>
-        </linux:partition_object>
-        <linux:partition_object version="1" id="oval:ssg-object_var_tmp_partition_noexec_optional_yes:obj:1">
-          <linux:mount_point>/var/tmp</linux:mount_point>
-        </linux:partition_object>
-        <linux:partition_object version="1" id="oval:ssg-object_var_tmp_partition_nosuid_optional_yes:obj:1">
-          <linux:mount_point>/var/tmp</linux:mount_point>
-        </linux:partition_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_package_GConf2_installed:obj:1" version="1">
-          <linux:name>GConf2</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_package_MFEhiplsm_installed:obj:1" version="1">
-          <linux:name>MFEhiplsm</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_package_aide_installed:obj:1" version="1">
-          <linux:name>aide</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_package_audispd-plugins_installed:obj:1" version="1">
-          <linux:name>audispd-plugins</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_package_audit-audispd-plugins_installed:obj:1" version="1">
-          <linux:name>audit-audispd-plugins</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_package_audit_installed:obj:1" version="1">
-          <linux:name>audit</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_package_avahi_installed:obj:1" version="1">
-          <linux:name>avahi</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_package_bind_removed:obj:1" version="1">
-          <linux:name>bind</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_package_chrony_installed:obj:1" version="1">
-          <linux:name>chrony</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_package_cron_installed:obj:1" version="1">
-          <linux:name>cron</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_package_dconf_installed:obj:1" version="1">
-          <linux:name>dconf</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_package_esc_installed:obj:1" version="1">
-          <linux:name>esc</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_package_fapolicyd_installed:obj:1" version="1">
-          <linux:name>fapolicyd</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_package_firewalld_installed:obj:1" version="1">
-          <linux:name>firewalld</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_package_gdm_installed:obj:1" version="1">
-          <linux:name>gdm</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_package_gnutls-utils_installed:obj:1" version="1">
-          <linux:name>gnutls-utils</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_package_inetutils-telnetd_removed:obj:1" version="1">
-          <linux:name>inetutils-telnetd</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_package_iptables_installed:obj:1" version="1">
-          <linux:name>iptables</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_package_libreswan_installed:obj:1" version="1">
-          <linux:name>libreswan</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_package_libselinux_installed:obj:1" version="1">
-          <linux:name>libselinux</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_package_net-snmp_removed:obj:1" version="1">
-          <linux:name>net-snmp</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_package_nis_removed:obj:1" version="1">
-          <linux:name>nis</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_package_nss-tools_installed:obj:1" version="1">
-          <linux:name>nss-tools</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_package_ntp_installed:obj:1" version="1">
-          <linux:name>ntp</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_package_ntpdate_removed:obj:1" version="1">
-          <linux:name>ntpdate</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_package_openldap-clients_removed:obj:1" version="1">
-          <linux:name>openldap-clients</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_package_openssh-server_installed:obj:1" version="1">
-          <linux:name>openssh-server</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_package_openssh-server_removed:obj:1" version="1">
-          <linux:name>openssh-server</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_package_pam_ldap_removed:obj:1" version="1">
-          <linux:name>pam_ldap</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_package_postfix_installed:obj:1" version="1">
-          <linux:name>postfix</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_package_prelink_removed:obj:1" version="1">
-          <linux:name>prelink</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_package_rsyslog_installed:obj:1" version="1">
-          <linux:name>rsyslog</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_package_samba-common_installed:obj:1" version="1">
-          <linux:name>samba-common</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_package_samba-common_removed:obj:1" version="1">
-          <linux:name>samba-common</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_package_sendmail_removed:obj:1" version="1">
-          <linux:name>sendmail</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_package_setroubleshoot-plugins_removed:obj:1" version="1">
-          <linux:name>setroubleshoot-plugins</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_package_setroubleshoot-server_removed:obj:1" version="1">
-          <linux:name>setroubleshoot-server</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_package_sudo_installed:obj:1" version="1">
-          <linux:name>sudo</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_package_syslog-ng_installed:obj:1" version="1">
-          <linux:name>syslog-ng</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_package_telnetd-ssl_removed:obj:1" version="1">
-          <linux:name>telnetd-ssl</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_package_telnetd_removed:obj:1" version="1">
-          <linux:name>telnetd</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_package_tmux_installed:obj:1" version="1">
-          <linux:name>tmux</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_package_usbguard_installed:obj:1" version="1">
-          <linux:name>usbguard</linux:name>
-        </linux:rpminfo_object>
-        <linux:partition_object id="oval:ssg-object_mounthome_own_partition:obj:1" version="1">
-          <linux:mount_point>/home</linux:mount_point>
-        </linux:partition_object>
-        <linux:partition_object id="oval:ssg-object_mountsrv_own_partition:obj:1" version="1">
-          <linux:mount_point>/srv</linux:mount_point>
-        </linux:partition_object>
-        <linux:partition_object id="oval:ssg-object_mounttmp_own_partition:obj:1" version="1">
-          <linux:mount_point>/tmp</linux:mount_point>
-        </linux:partition_object>
-        <linux:partition_object id="oval:ssg-object_mountvar_own_partition:obj:1" version="1">
-          <linux:mount_point>/var</linux:mount_point>
-        </linux:partition_object>
-        <linux:partition_object id="oval:ssg-object_mountvar_tmp_own_partition:obj:1" version="1">
-          <linux:mount_point>/var/tmp</linux:mount_point>
-        </linux:partition_object>
-        <linux:systemdunitdependency_object id="oval:ssg-object_multi_user_target_for_auditd_enabled:obj:1" comment="list of dependencies of multi-user.target" version="1">
-          <linux:unit>multi-user.target</linux:unit>
-        </linux:systemdunitdependency_object>
-        <linux:systemdunitdependency_object id="oval:ssg-object_multi_user_target_for_auditd_socket_enabled:obj:1" comment="list of dependencies of multi-user.target" version="1">
-          <linux:unit>multi-user.target</linux:unit>
-        </linux:systemdunitdependency_object>
-        <linux:systemdunitproperty_object id="oval:ssg-obj_service_running_auditd:obj:1" comment="Retrieve the ActiveState property of auditd" version="1">
-          <linux:unit operation="pattern match">^auditd\.(socket|service)$</linux:unit>
-          <linux:property>ActiveState</linux:property>
-        </linux:systemdunitproperty_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_service_auditd_package_audit_installed:obj:1" version="1">
-          <linux:name>audit</linux:name>
-        </linux:rpminfo_object>
-        <linux:systemdunitproperty_object id="oval:ssg-obj_service_not_running_autofs:obj:1" comment="Retrieve the ActiveState property of autofs" version="1">
-          <linux:unit operation="pattern match">^autofs\.(service|socket)$</linux:unit>
-          <linux:property>ActiveState</linux:property>
-        </linux:systemdunitproperty_object>
-        <linux:systemdunitproperty_object id="oval:ssg-obj_service_loadstate_is_masked_autofs:obj:1" comment="Retrieve the LoadState property of autofs" version="1">
-          <linux:unit operation="pattern match">^autofs\.(service|socket)$</linux:unit>
-          <linux:property>LoadState</linux:property>
-        </linux:systemdunitproperty_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_service_autofs_package_autofs_removed:obj:1" version="1">
-          <linux:name>autofs</linux:name>
-        </linux:rpminfo_object>
-        <linux:systemdunitproperty_object id="oval:ssg-obj_service_not_running_bluetooth:obj:1" comment="Retrieve the ActiveState property of bluetooth" version="1">
-          <linux:unit operation="pattern match">^bluetooth\.(service|socket)$</linux:unit>
-          <linux:property>ActiveState</linux:property>
-        </linux:systemdunitproperty_object>
-        <linux:systemdunitproperty_object id="oval:ssg-obj_service_loadstate_is_masked_bluetooth:obj:1" comment="Retrieve the LoadState property of bluetooth" version="1">
-          <linux:unit operation="pattern match">^bluetooth\.(service|socket)$</linux:unit>
-          <linux:property>LoadState</linux:property>
-        </linux:systemdunitproperty_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_service_bluetooth_package_bluez_removed:obj:1" version="1">
-          <linux:name>bluez</linux:name>
-        </linux:rpminfo_object>
-        <linux:systemdunitdependency_object id="oval:ssg-object_multi_user_target_for_chronyd_enabled:obj:1" comment="list of dependencies of multi-user.target" version="1">
-          <linux:unit>multi-user.target</linux:unit>
-        </linux:systemdunitdependency_object>
-        <linux:systemdunitdependency_object id="oval:ssg-object_multi_user_target_for_chronyd_socket_enabled:obj:1" comment="list of dependencies of multi-user.target" version="1">
-          <linux:unit>multi-user.target</linux:unit>
-        </linux:systemdunitdependency_object>
-        <linux:systemdunitproperty_object id="oval:ssg-obj_service_running_chronyd:obj:1" comment="Retrieve the ActiveState property of chronyd" version="1">
-          <linux:unit operation="pattern match">^chronyd\.(socket|service)$</linux:unit>
-          <linux:property>ActiveState</linux:property>
-        </linux:systemdunitproperty_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_service_chronyd_package_chrony_installed:obj:1" version="1">
-          <linux:name>chrony</linux:name>
-        </linux:rpminfo_object>
-        <linux:systemdunitdependency_object id="oval:ssg-object_multi_user_target_for_cron_enabled:obj:1" comment="list of dependencies of multi-user.target" version="1">
-          <linux:unit>multi-user.target</linux:unit>
-        </linux:systemdunitdependency_object>
-        <linux:systemdunitdependency_object id="oval:ssg-object_multi_user_target_for_cron_socket_enabled:obj:1" comment="list of dependencies of multi-user.target" version="1">
-          <linux:unit>multi-user.target</linux:unit>
-        </linux:systemdunitdependency_object>
-        <linux:systemdunitproperty_object id="oval:ssg-obj_service_running_cron:obj:1" comment="Retrieve the ActiveState property of cron" version="1">
-          <linux:unit operation="pattern match">^cron\.(socket|service)$</linux:unit>
-          <linux:property>ActiveState</linux:property>
-        </linux:systemdunitproperty_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_service_cron_package_cron_installed:obj:1" version="1">
-          <linux:name>cron</linux:name>
-        </linux:rpminfo_object>
-        <linux:systemdunitproperty_object id="oval:ssg-obj_service_not_running_debug-shell:obj:1" comment="Retrieve the ActiveState property of debug-shell" version="1">
-          <linux:unit operation="pattern match">^debug-shell\.(service|socket)$</linux:unit>
-          <linux:property>ActiveState</linux:property>
-        </linux:systemdunitproperty_object>
-        <linux:systemdunitproperty_object id="oval:ssg-obj_service_loadstate_is_masked_debug-shell:obj:1" comment="Retrieve the LoadState property of debug-shell" version="1">
-          <linux:unit operation="pattern match">^debug-shell\.(service|socket)$</linux:unit>
-          <linux:property>LoadState</linux:property>
-        </linux:systemdunitproperty_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_service_debug-shell_package_systemd_removed:obj:1" version="1">
-          <linux:name>systemd</linux:name>
-        </linux:rpminfo_object>
-        <linux:systemdunitdependency_object id="oval:ssg-object_multi_user_target_for_fapolicyd_enabled:obj:1" comment="list of dependencies of multi-user.target" version="1">
-          <linux:unit>multi-user.target</linux:unit>
-        </linux:systemdunitdependency_object>
-        <linux:systemdunitdependency_object id="oval:ssg-object_multi_user_target_for_fapolicyd_socket_enabled:obj:1" comment="list of dependencies of multi-user.target" version="1">
-          <linux:unit>multi-user.target</linux:unit>
-        </linux:systemdunitdependency_object>
-        <linux:systemdunitproperty_object id="oval:ssg-obj_service_running_fapolicyd:obj:1" comment="Retrieve the ActiveState property of fapolicyd" version="1">
-          <linux:unit operation="pattern match">^fapolicyd\.(socket|service)$</linux:unit>
-          <linux:property>ActiveState</linux:property>
-        </linux:systemdunitproperty_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_service_fapolicyd_package_fapolicyd_installed:obj:1" version="1">
-          <linux:name>fapolicyd</linux:name>
-        </linux:rpminfo_object>
-        <linux:systemdunitdependency_object id="oval:ssg-object_multi_user_target_for_firewalld_enabled:obj:1" comment="list of dependencies of multi-user.target" version="1">
-          <linux:unit>multi-user.target</linux:unit>
-        </linux:systemdunitdependency_object>
-        <linux:systemdunitdependency_object id="oval:ssg-object_multi_user_target_for_firewalld_socket_enabled:obj:1" comment="list of dependencies of multi-user.target" version="1">
-          <linux:unit>multi-user.target</linux:unit>
-        </linux:systemdunitdependency_object>
-        <linux:systemdunitproperty_object id="oval:ssg-obj_service_running_firewalld:obj:1" comment="Retrieve the ActiveState property of firewalld" version="1">
-          <linux:unit operation="pattern match">^firewalld\.(socket|service)$</linux:unit>
-          <linux:property>ActiveState</linux:property>
-        </linux:systemdunitproperty_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_service_firewalld_package_firewalld_installed:obj:1" version="1">
-          <linux:name>firewalld</linux:name>
-        </linux:rpminfo_object>
-        <linux:systemdunitdependency_object id="oval:ssg-object_multi_user_target_for_ip6tables_enabled:obj:1" comment="list of dependencies of multi-user.target" version="1">
-          <linux:unit>multi-user.target</linux:unit>
-        </linux:systemdunitdependency_object>
-        <linux:systemdunitdependency_object id="oval:ssg-object_multi_user_target_for_ip6tables_socket_enabled:obj:1" comment="list of dependencies of multi-user.target" version="1">
-          <linux:unit>multi-user.target</linux:unit>
-        </linux:systemdunitdependency_object>
-        <linux:systemdunitproperty_object id="oval:ssg-obj_service_running_ip6tables:obj:1" comment="Retrieve the ActiveState property of ip6tables" version="1">
-          <linux:unit operation="pattern match">^ip6tables\.(socket|service)$</linux:unit>
-          <linux:property>ActiveState</linux:property>
-        </linux:systemdunitproperty_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_service_ip6tables_package_iptables-ipv6_installed:obj:1" version="1">
-          <linux:name>iptables-ipv6</linux:name>
-        </linux:rpminfo_object>
-        <linux:systemdunitdependency_object id="oval:ssg-object_multi_user_target_for_iptables_enabled:obj:1" comment="list of dependencies of multi-user.target" version="1">
-          <linux:unit>multi-user.target</linux:unit>
-        </linux:systemdunitdependency_object>
-        <linux:systemdunitdependency_object id="oval:ssg-object_multi_user_target_for_iptables_socket_enabled:obj:1" comment="list of dependencies of multi-user.target" version="1">
-          <linux:unit>multi-user.target</linux:unit>
-        </linux:systemdunitdependency_object>
-        <linux:systemdunitproperty_object id="oval:ssg-obj_service_running_iptables:obj:1" comment="Retrieve the ActiveState property of iptables" version="1">
-          <linux:unit operation="pattern match">^iptables\.(socket|service)$</linux:unit>
-          <linux:property>ActiveState</linux:property>
-        </linux:systemdunitproperty_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_service_iptables_package_iptables_installed:obj:1" version="1">
-          <linux:name>iptables</linux:name>
-        </linux:rpminfo_object>
-        <linux:systemdunitproperty_object id="oval:ssg-obj_service_not_running_netfs:obj:1" comment="Retrieve the ActiveState property of netfs" version="1">
-          <linux:unit operation="pattern match">^netfs\.(service|socket)$</linux:unit>
-          <linux:property>ActiveState</linux:property>
-        </linux:systemdunitproperty_object>
-        <linux:systemdunitproperty_object id="oval:ssg-obj_service_loadstate_is_masked_netfs:obj:1" comment="Retrieve the LoadState property of netfs" version="1">
-          <linux:unit operation="pattern match">^netfs\.(service|socket)$</linux:unit>
-          <linux:property>LoadState</linux:property>
-        </linux:systemdunitproperty_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_service_netfs_package_netfs_removed:obj:1" version="1">
-          <linux:name>netfs</linux:name>
-        </linux:rpminfo_object>
-        <linux:systemdunitdependency_object id="oval:ssg-object_multi_user_target_for_ntp_enabled:obj:1" comment="list of dependencies of multi-user.target" version="1">
-          <linux:unit>multi-user.target</linux:unit>
-        </linux:systemdunitdependency_object>
-        <linux:systemdunitdependency_object id="oval:ssg-object_multi_user_target_for_ntp_socket_enabled:obj:1" comment="list of dependencies of multi-user.target" version="1">
-          <linux:unit>multi-user.target</linux:unit>
-        </linux:systemdunitdependency_object>
-        <linux:systemdunitproperty_object id="oval:ssg-obj_service_running_ntp:obj:1" comment="Retrieve the ActiveState property of ntp" version="1">
-          <linux:unit operation="pattern match">^ntp\.(socket|service)$</linux:unit>
-          <linux:property>ActiveState</linux:property>
-        </linux:systemdunitproperty_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_service_ntp_package_ntp_installed:obj:1" version="1">
-          <linux:name>ntp</linux:name>
-        </linux:rpminfo_object>
-        <linux:systemdunitdependency_object id="oval:ssg-object_multi_user_target_for_ntpd_enabled:obj:1" comment="list of dependencies of multi-user.target" version="1">
-          <linux:unit>multi-user.target</linux:unit>
-        </linux:systemdunitdependency_object>
-        <linux:systemdunitdependency_object id="oval:ssg-object_multi_user_target_for_ntpd_socket_enabled:obj:1" comment="list of dependencies of multi-user.target" version="1">
-          <linux:unit>multi-user.target</linux:unit>
-        </linux:systemdunitdependency_object>
-        <linux:systemdunitproperty_object id="oval:ssg-obj_service_running_ntpd:obj:1" comment="Retrieve the ActiveState property of ntpd" version="1">
-          <linux:unit operation="pattern match">^ntpd\.(socket|service)$</linux:unit>
-          <linux:property>ActiveState</linux:property>
-        </linux:systemdunitproperty_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_service_ntpd_package_ntp_installed:obj:1" version="1">
-          <linux:name>ntp</linux:name>
-        </linux:rpminfo_object>
-        <linux:systemdunitdependency_object id="oval:ssg-object_multi_user_target_for_rngd_enabled:obj:1" comment="list of dependencies of multi-user.target" version="1">
-          <linux:unit>multi-user.target</linux:unit>
-        </linux:systemdunitdependency_object>
-        <linux:systemdunitdependency_object id="oval:ssg-object_multi_user_target_for_rngd_socket_enabled:obj:1" comment="list of dependencies of multi-user.target" version="1">
-          <linux:unit>multi-user.target</linux:unit>
-        </linux:systemdunitdependency_object>
-        <linux:systemdunitproperty_object id="oval:ssg-obj_service_running_rngd:obj:1" comment="Retrieve the ActiveState property of rngd" version="1">
-          <linux:unit operation="pattern match">^rngd\.(socket|service)$</linux:unit>
-          <linux:property>ActiveState</linux:property>
-        </linux:systemdunitproperty_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_service_rngd_package_rng-tools_installed:obj:1" version="1">
-          <linux:name>rng-tools</linux:name>
-        </linux:rpminfo_object>
-        <linux:systemdunitdependency_object id="oval:ssg-object_multi_user_target_for_rsyslog_enabled:obj:1" comment="list of dependencies of multi-user.target" version="1">
-          <linux:unit>multi-user.target</linux:unit>
-        </linux:systemdunitdependency_object>
-        <linux:systemdunitdependency_object id="oval:ssg-object_multi_user_target_for_rsyslog_socket_enabled:obj:1" comment="list of dependencies of multi-user.target" version="1">
-          <linux:unit>multi-user.target</linux:unit>
-        </linux:systemdunitdependency_object>
-        <linux:systemdunitproperty_object id="oval:ssg-obj_service_running_rsyslog:obj:1" comment="Retrieve the ActiveState property of rsyslog" version="1">
-          <linux:unit operation="pattern match">^rsyslog\.(socket|service)$</linux:unit>
-          <linux:property>ActiveState</linux:property>
-        </linux:systemdunitproperty_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_service_rsyslog_package_rsyslog_installed:obj:1" version="1">
-          <linux:name>rsyslog</linux:name>
-        </linux:rpminfo_object>
-        <linux:systemdunitproperty_object id="oval:ssg-obj_service_not_running_sshd:obj:1" comment="Retrieve the ActiveState property of sshd" version="1">
-          <linux:unit operation="pattern match">^sshd\.(service|socket)$</linux:unit>
-          <linux:property>ActiveState</linux:property>
-        </linux:systemdunitproperty_object>
-        <linux:systemdunitproperty_object id="oval:ssg-obj_service_loadstate_is_masked_sshd:obj:1" comment="Retrieve the LoadState property of sshd" version="1">
-          <linux:unit operation="pattern match">^sshd\.(service|socket)$</linux:unit>
-          <linux:property>LoadState</linux:property>
-        </linux:systemdunitproperty_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_service_sshd_package_openssh-server_removed:obj:1" version="1">
-          <linux:name>openssh-server</linux:name>
-        </linux:rpminfo_object>
-        <linux:systemdunitproperty_object id="oval:ssg-obj_service_not_running_syslog:obj:1" comment="Retrieve the ActiveState property of syslog" version="1">
-          <linux:unit operation="pattern match">^syslog\.(service|socket)$</linux:unit>
-          <linux:property>ActiveState</linux:property>
-        </linux:systemdunitproperty_object>
-        <linux:systemdunitproperty_object id="oval:ssg-obj_service_loadstate_is_masked_syslog:obj:1" comment="Retrieve the LoadState property of syslog" version="1">
-          <linux:unit operation="pattern match">^syslog\.(service|socket)$</linux:unit>
-          <linux:property>LoadState</linux:property>
-        </linux:systemdunitproperty_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_service_syslog_package_rsyslog_removed:obj:1" version="1">
-          <linux:name>rsyslog</linux:name>
-        </linux:rpminfo_object>
-        <linux:systemdunitdependency_object id="oval:ssg-object_multi_user_target_for_syslog-ng_enabled:obj:1" comment="list of dependencies of multi-user.target" version="1">
-          <linux:unit>multi-user.target</linux:unit>
-        </linux:systemdunitdependency_object>
-        <linux:systemdunitdependency_object id="oval:ssg-object_multi_user_target_for_syslog-ng_socket_enabled:obj:1" comment="list of dependencies of multi-user.target" version="1">
-          <linux:unit>multi-user.target</linux:unit>
-        </linux:systemdunitdependency_object>
-        <linux:systemdunitproperty_object id="oval:ssg-obj_service_running_syslog-ng:obj:1" comment="Retrieve the ActiveState property of syslog-ng" version="1">
-          <linux:unit operation="pattern match">^syslog-ng\.(socket|service)$</linux:unit>
-          <linux:property>ActiveState</linux:property>
-        </linux:systemdunitproperty_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_service_syslog-ng_package_syslog-ng_installed:obj:1" version="1">
-          <linux:name>syslog-ng</linux:name>
-        </linux:rpminfo_object>
-        <linux:systemdunitproperty_object id="oval:ssg-obj_service_not_running_systemd-coredump:obj:1" comment="Retrieve the ActiveState property of systemd-coredump" version="1">
-          <linux:unit operation="pattern match">^systemd-coredump\.(service|socket)$</linux:unit>
-          <linux:property>ActiveState</linux:property>
-        </linux:systemdunitproperty_object>
-        <linux:systemdunitproperty_object id="oval:ssg-obj_service_loadstate_is_masked_systemd-coredump:obj:1" comment="Retrieve the LoadState property of systemd-coredump" version="1">
-          <linux:unit operation="pattern match">^systemd-coredump\.(service|socket)$</linux:unit>
-          <linux:property>LoadState</linux:property>
-        </linux:systemdunitproperty_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_service_systemd-coredump_package_systemd_removed:obj:1" version="1">
-          <linux:name>systemd</linux:name>
-        </linux:rpminfo_object>
-        <linux:systemdunitdependency_object id="oval:ssg-object_multi_user_target_for_systemd-journald_enabled:obj:1" comment="list of dependencies of multi-user.target" version="1">
-          <linux:unit>multi-user.target</linux:unit>
-        </linux:systemdunitdependency_object>
-        <linux:systemdunitdependency_object id="oval:ssg-object_multi_user_target_for_systemd-journald_socket_enabled:obj:1" comment="list of dependencies of multi-user.target" version="1">
-          <linux:unit>multi-user.target</linux:unit>
-        </linux:systemdunitdependency_object>
-        <linux:systemdunitproperty_object id="oval:ssg-obj_service_running_systemd-journald:obj:1" comment="Retrieve the ActiveState property of systemd-journald" version="1">
-          <linux:unit operation="pattern match">^systemd-journald\.(socket|service)$</linux:unit>
-          <linux:property>ActiveState</linux:property>
-        </linux:systemdunitproperty_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_service_systemd-journald_package_systemd_installed:obj:1" version="1">
-          <linux:name>systemd</linux:name>
-        </linux:rpminfo_object>
-        <linux:systemdunitdependency_object id="oval:ssg-object_multi_user_target_for_ufw_enabled:obj:1" comment="list of dependencies of multi-user.target" version="1">
-          <linux:unit>multi-user.target</linux:unit>
-        </linux:systemdunitdependency_object>
-        <linux:systemdunitdependency_object id="oval:ssg-object_multi_user_target_for_ufw_socket_enabled:obj:1" comment="list of dependencies of multi-user.target" version="1">
-          <linux:unit>multi-user.target</linux:unit>
-        </linux:systemdunitdependency_object>
-        <linux:systemdunitproperty_object id="oval:ssg-obj_service_running_ufw:obj:1" comment="Retrieve the ActiveState property of ufw" version="1">
-          <linux:unit operation="pattern match">^ufw\.(socket|service)$</linux:unit>
-          <linux:property>ActiveState</linux:property>
-        </linux:systemdunitproperty_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_service_ufw_package_ufw_installed:obj:1" version="1">
-          <linux:name>ufw</linux:name>
-        </linux:rpminfo_object>
-        <linux:systemdunitdependency_object id="oval:ssg-object_multi_user_target_for_usbguard_enabled:obj:1" comment="list of dependencies of multi-user.target" version="1">
-          <linux:unit>multi-user.target</linux:unit>
-        </linux:systemdunitdependency_object>
-        <linux:systemdunitdependency_object id="oval:ssg-object_multi_user_target_for_usbguard_socket_enabled:obj:1" comment="list of dependencies of multi-user.target" version="1">
-          <linux:unit>multi-user.target</linux:unit>
-        </linux:systemdunitdependency_object>
-        <linux:systemdunitproperty_object id="oval:ssg-obj_service_running_usbguard:obj:1" comment="Retrieve the ActiveState property of usbguard" version="1">
-          <linux:unit operation="pattern match">^usbguard\.(socket|service)$</linux:unit>
-          <linux:property>ActiveState</linux:property>
-        </linux:systemdunitproperty_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_service_usbguard_package_usbguard_installed:obj:1" version="1">
-          <linux:name>usbguard</linux:name>
-        </linux:rpminfo_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_sshd_disable_empty_passwords:obj:1" version="1">
-          <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
-          <ind:pattern operation="pattern match">^[ \t]*(?i)PermitEmptyPasswords(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_sshd_disable_gssapi_auth:obj:1" version="1">
-          <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
-          <ind:pattern operation="pattern match">^[ \t]*(?i)GSSAPIAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_sshd_disable_kerb_auth:obj:1" version="1">
-          <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
-          <ind:pattern operation="pattern match">^[ \t]*(?i)KerberosAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_sshd_disable_pubkey_auth:obj:1" version="1">
-          <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
-          <ind:pattern operation="pattern match">^[ \t]*(?i)PubkeyAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_sshd_disable_rhosts:obj:1" version="1">
-          <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
-          <ind:pattern operation="pattern match">^[ \t]*(?i)IgnoreRhosts(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_sshd_disable_root_login:obj:1" version="1">
-          <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
-          <ind:pattern operation="pattern match">^[ \t]*(?i)PermitRootLogin(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_sshd_disable_root_password_login:obj:1" version="1">
-          <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
-          <ind:pattern operation="pattern match">^[ \t]*(?i)PermitRootLogin(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_sshd_disable_tcp_forwarding:obj:1" version="1">
-          <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
-          <ind:pattern operation="pattern match">^[ \t]*(?i)AllowTcpForwarding(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_sshd_disable_user_known_hosts:obj:1" version="1">
-          <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
-          <ind:pattern operation="pattern match">^[ \t]*(?i)IgnoreUserKnownHosts(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_sshd_disable_x11_forwarding:obj:1" version="1">
-          <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
-          <ind:pattern operation="pattern match">^[ \t]*(?i)X11Forwarding(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_sshd_do_not_permit_user_env:obj:1" version="1">
-          <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
-          <ind:pattern operation="pattern match">^[ \t]*(?i)PermitUserEnvironment(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_sshd_enable_gssapi_auth:obj:1" version="1">
-          <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
-          <ind:pattern operation="pattern match">^[ \t]*(?i)GSSAPIAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_sshd_enable_pam:obj:1" version="1">
-          <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
-          <ind:pattern operation="pattern match">^[ \t]*(?i)UsePAM(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_sshd_enable_pubkey_auth:obj:1" version="1">
-          <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
-          <ind:pattern operation="pattern match">^[ \t]*(?i)PubkeyAuthentication(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_sshd_enable_strictmodes:obj:1" version="1">
-          <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
-          <ind:pattern operation="pattern match">^[ \t]*(?i)StrictModes(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_sshd_enable_warning_banner:obj:1" version="1">
-          <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
-          <ind:pattern operation="pattern match">^[ \t]*(?i)Banner(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_sshd_enable_warning_banner_net:obj:1" version="1">
-          <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
-          <ind:pattern operation="pattern match">^[ \t]*(?i)Banner(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_sshd_enable_x11_forwarding:obj:1" version="1">
-          <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
-          <ind:pattern operation="pattern match">^[ \t]*(?i)X11Forwarding(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_sshd_includes_config_files:obj:1" version="1">
-          <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*Include /etc/ssh/sshd_config\.d/\*\.conf[\s]*$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_sshd_print_last_log:obj:1" version="1">
-          <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
-          <ind:pattern operation="pattern match">^[ \t]*(?i)PrintLastLog(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_sshd_set_keepalive_0:obj:1" version="1">
-          <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
-          <ind:pattern operation="pattern match">^[ \t]*(?i)ClientAliveCountMax(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_sshd_set_loglevel_info:obj:1" version="1">
-          <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
-          <ind:pattern operation="pattern match">^[ \t]*(?i)LogLevel(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_sshd_set_loglevel_verbose:obj:1" version="1">
-          <ind:filepath>/etc/ssh/sshd_config</ind:filepath>
-          <ind:pattern operation="pattern match">^[ \t]*(?i)LogLevel(?-i)[ \t]+(.+?)[ \t]*(?:$|#)</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_noexec_sudoers:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/sudoers(|\.d/.*)$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*Defaults[\s]*\bnoexec.*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_requiretty_sudoers:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/sudoers(|\.d/.*)$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*Defaults[\s]*\brequiretty.*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_use_pty_sudoers:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/sudoers(|\.d/.*)$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*Defaults[\s]*\buse_pty.*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_logfile_sudoers:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/sudoers(|\.d/.*)$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*Defaults[\s]*\blogfile=("(?:\\"|\\\\|[^"\\\n])*"\B|[^"](?:(?:\\,|\\"|\\ |\\\\|[^", \\\n])*)\b).*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:sysctl_object id="oval:ssg-object_sysctl_fs_protected_hardlinks_runtime:obj:1" version="1">
-          <unix:name>fs.protected_hardlinks</unix:name>
-        </unix:sysctl_object>
-        <ind:variable_object id="oval:ssg-object_sysctl_fs_protected_hardlinks_defined_in_one_file:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_sysctl_fs_protected_hardlinks_counter:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_fs_protected_hardlinks_static_set_sysctls:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_sysctl_fs_protected_hardlinks_static_set_sysctls_unfiltered:obj:1</oval-def:object_reference>
-            <oval-def:filter action="exclude">oval:ssg-state_sysctl_fs_protected_hardlinks_filepath_is_symlink:ste:1</oval-def:filter>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-var_object_symlink_sysctl_fs_protected_hardlinks:obj:1" comment="combine the blank string with symlink paths found" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-var_obj_symlink_sysctl_fs_protected_hardlinks:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-var_obj_blank_sysctl_fs_protected_hardlinks:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_blank_sysctl_fs_protected_hardlinks:obj:1" comment="variable object of the blank string" version="1">
-          <ind:var_ref>oval:ssg-local_var_blank_path_sysctl_fs_protected_hardlinks:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_symlink_sysctl_fs_protected_hardlinks:obj:1" comment="variable object of the symlinks found" version="1">
-          <ind:var_ref>oval:ssg-local_var_symlinks_sysctl_fs_protected_hardlinks:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:symlink_object comment="Symlinks referencing files in default dirs" id="oval:ssg-object_sysctl_fs_protected_hardlinks_symlinks:obj:1" version="1">
-          <unix:filepath operation="equals" var_ref="oval:ssg-local_var_conf_files_sysctl_fs_protected_hardlinks:var:1"/>
-          <oval-def:filter action="exclude">oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_fs_protected_hardlinks:ste:1</oval-def:filter>
-        </unix:symlink_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_fs_protected_hardlinks_static_set_sysctls_unfiltered:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctls_sysctl_fs_protected_hardlinks:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_run_usr_sysctls_sysctl_fs_protected_hardlinks:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctls_sysctl_fs_protected_hardlinks:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_sysctl_sysctl_fs_protected_hardlinks:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctld_sysctl_fs_protected_hardlinks:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_usr_sysctls_sysctl_fs_protected_hardlinks:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_run_sysctld_sysctl_fs_protected_hardlinks:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_sysctl_sysctl_fs_protected_hardlinks:obj:1" version="1">
-          <ind:filepath>/etc/sysctl.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*fs.protected_hardlinks[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctld_sysctl_fs_protected_hardlinks:obj:1" version="1">
-          <ind:path>/etc/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*fs.protected_hardlinks[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_sysctld_sysctl_fs_protected_hardlinks:obj:1" version="1">
-          <ind:path>/run/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*fs.protected_hardlinks[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:sysctl_object id="oval:ssg-object_sysctl_fs_protected_symlinks_runtime:obj:1" version="1">
-          <unix:name>fs.protected_symlinks</unix:name>
-        </unix:sysctl_object>
-        <ind:variable_object id="oval:ssg-object_sysctl_fs_protected_symlinks_defined_in_one_file:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_sysctl_fs_protected_symlinks_counter:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_fs_protected_symlinks_static_set_sysctls:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_sysctl_fs_protected_symlinks_static_set_sysctls_unfiltered:obj:1</oval-def:object_reference>
-            <oval-def:filter action="exclude">oval:ssg-state_sysctl_fs_protected_symlinks_filepath_is_symlink:ste:1</oval-def:filter>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-var_object_symlink_sysctl_fs_protected_symlinks:obj:1" comment="combine the blank string with symlink paths found" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-var_obj_symlink_sysctl_fs_protected_symlinks:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-var_obj_blank_sysctl_fs_protected_symlinks:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_blank_sysctl_fs_protected_symlinks:obj:1" comment="variable object of the blank string" version="1">
-          <ind:var_ref>oval:ssg-local_var_blank_path_sysctl_fs_protected_symlinks:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_symlink_sysctl_fs_protected_symlinks:obj:1" comment="variable object of the symlinks found" version="1">
-          <ind:var_ref>oval:ssg-local_var_symlinks_sysctl_fs_protected_symlinks:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:symlink_object comment="Symlinks referencing files in default dirs" id="oval:ssg-object_sysctl_fs_protected_symlinks_symlinks:obj:1" version="1">
-          <unix:filepath operation="equals" var_ref="oval:ssg-local_var_conf_files_sysctl_fs_protected_symlinks:var:1"/>
-          <oval-def:filter action="exclude">oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_fs_protected_symlinks:ste:1</oval-def:filter>
-        </unix:symlink_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_fs_protected_symlinks_static_set_sysctls_unfiltered:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctls_sysctl_fs_protected_symlinks:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_run_usr_sysctls_sysctl_fs_protected_symlinks:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctls_sysctl_fs_protected_symlinks:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_sysctl_sysctl_fs_protected_symlinks:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctld_sysctl_fs_protected_symlinks:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_usr_sysctls_sysctl_fs_protected_symlinks:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_run_sysctld_sysctl_fs_protected_symlinks:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_sysctl_sysctl_fs_protected_symlinks:obj:1" version="1">
-          <ind:filepath>/etc/sysctl.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*fs.protected_symlinks[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctld_sysctl_fs_protected_symlinks:obj:1" version="1">
-          <ind:path>/etc/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*fs.protected_symlinks[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_sysctld_sysctl_fs_protected_symlinks:obj:1" version="1">
-          <ind:path>/run/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*fs.protected_symlinks[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:sysctl_object id="oval:ssg-object_sysctl_fs_suid_dumpable_runtime:obj:1" version="1">
-          <unix:name>fs.suid_dumpable</unix:name>
-        </unix:sysctl_object>
-        <ind:variable_object id="oval:ssg-object_sysctl_fs_suid_dumpable_defined_in_one_file:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_sysctl_fs_suid_dumpable_counter:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_fs_suid_dumpable_static_set_sysctls:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_sysctl_fs_suid_dumpable_static_set_sysctls_unfiltered:obj:1</oval-def:object_reference>
-            <oval-def:filter action="exclude">oval:ssg-state_sysctl_fs_suid_dumpable_filepath_is_symlink:ste:1</oval-def:filter>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-var_object_symlink_sysctl_fs_suid_dumpable:obj:1" comment="combine the blank string with symlink paths found" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-var_obj_symlink_sysctl_fs_suid_dumpable:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-var_obj_blank_sysctl_fs_suid_dumpable:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_blank_sysctl_fs_suid_dumpable:obj:1" comment="variable object of the blank string" version="1">
-          <ind:var_ref>oval:ssg-local_var_blank_path_sysctl_fs_suid_dumpable:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_symlink_sysctl_fs_suid_dumpable:obj:1" comment="variable object of the symlinks found" version="1">
-          <ind:var_ref>oval:ssg-local_var_symlinks_sysctl_fs_suid_dumpable:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:symlink_object comment="Symlinks referencing files in default dirs" id="oval:ssg-object_sysctl_fs_suid_dumpable_symlinks:obj:1" version="1">
-          <unix:filepath operation="equals" var_ref="oval:ssg-local_var_conf_files_sysctl_fs_suid_dumpable:var:1"/>
-          <oval-def:filter action="exclude">oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_fs_suid_dumpable:ste:1</oval-def:filter>
-        </unix:symlink_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_fs_suid_dumpable_static_set_sysctls_unfiltered:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctls_sysctl_fs_suid_dumpable:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_run_usr_sysctls_sysctl_fs_suid_dumpable:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctls_sysctl_fs_suid_dumpable:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_sysctl_sysctl_fs_suid_dumpable:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctld_sysctl_fs_suid_dumpable:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_usr_sysctls_sysctl_fs_suid_dumpable:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_run_sysctld_sysctl_fs_suid_dumpable:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_sysctl_sysctl_fs_suid_dumpable:obj:1" version="1">
-          <ind:filepath>/etc/sysctl.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*fs.suid_dumpable[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctld_sysctl_fs_suid_dumpable:obj:1" version="1">
-          <ind:path>/etc/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*fs.suid_dumpable[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_sysctld_sysctl_fs_suid_dumpable:obj:1" version="1">
-          <ind:path>/run/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*fs.suid_dumpable[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:sysctl_object id="oval:ssg-object_sysctl_kernel_core_pattern_runtime:obj:1" version="1">
-          <unix:name>kernel.core_pattern</unix:name>
-        </unix:sysctl_object>
-        <ind:variable_object id="oval:ssg-object_sysctl_kernel_core_pattern_defined_in_one_file:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_sysctl_kernel_core_pattern_counter:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_kernel_core_pattern_static_set_sysctls:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_sysctl_kernel_core_pattern_static_set_sysctls_unfiltered:obj:1</oval-def:object_reference>
-            <oval-def:filter action="exclude">oval:ssg-state_sysctl_kernel_core_pattern_filepath_is_symlink:ste:1</oval-def:filter>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-var_object_symlink_sysctl_kernel_core_pattern:obj:1" comment="combine the blank string with symlink paths found" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-var_obj_symlink_sysctl_kernel_core_pattern:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-var_obj_blank_sysctl_kernel_core_pattern:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_blank_sysctl_kernel_core_pattern:obj:1" comment="variable object of the blank string" version="1">
-          <ind:var_ref>oval:ssg-local_var_blank_path_sysctl_kernel_core_pattern:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_symlink_sysctl_kernel_core_pattern:obj:1" comment="variable object of the symlinks found" version="1">
-          <ind:var_ref>oval:ssg-local_var_symlinks_sysctl_kernel_core_pattern:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:symlink_object comment="Symlinks referencing files in default dirs" id="oval:ssg-object_sysctl_kernel_core_pattern_symlinks:obj:1" version="1">
-          <unix:filepath operation="equals" var_ref="oval:ssg-local_var_conf_files_sysctl_kernel_core_pattern:var:1"/>
-          <oval-def:filter action="exclude">oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_kernel_core_pattern:ste:1</oval-def:filter>
-        </unix:symlink_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_kernel_core_pattern_static_set_sysctls_unfiltered:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctls_sysctl_kernel_core_pattern:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_run_usr_sysctls_sysctl_kernel_core_pattern:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctls_sysctl_kernel_core_pattern:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_sysctl_sysctl_kernel_core_pattern:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctld_sysctl_kernel_core_pattern:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_usr_sysctls_sysctl_kernel_core_pattern:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_run_sysctld_sysctl_kernel_core_pattern:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_sysctl_sysctl_kernel_core_pattern:obj:1" version="1">
-          <ind:filepath>/etc/sysctl.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*kernel.core_pattern[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctld_sysctl_kernel_core_pattern:obj:1" version="1">
-          <ind:path>/etc/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*kernel.core_pattern[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_sysctld_sysctl_kernel_core_pattern:obj:1" version="1">
-          <ind:path>/run/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*kernel.core_pattern[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:sysctl_object id="oval:ssg-object_sysctl_kernel_core_pattern_empty_string_runtime:obj:1" version="1">
-          <unix:name>kernel.core_pattern</unix:name>
-        </unix:sysctl_object>
-        <ind:variable_object id="oval:ssg-object_sysctl_kernel_core_pattern_empty_string_defined_in_one_file:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_sysctl_kernel_core_pattern_empty_string_counter:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_kernel_core_pattern_empty_string_static_set_sysctls:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_sysctl_kernel_core_pattern_empty_string_static_set_sysctls_unfiltered:obj:1</oval-def:object_reference>
-            <oval-def:filter action="exclude">oval:ssg-state_sysctl_kernel_core_pattern_empty_string_filepath_is_symlink:ste:1</oval-def:filter>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-var_object_symlink_sysctl_kernel_core_pattern_empty_string:obj:1" comment="combine the blank string with symlink paths found" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-var_obj_symlink_sysctl_kernel_core_pattern_empty_string:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-var_obj_blank_sysctl_kernel_core_pattern_empty_string:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_blank_sysctl_kernel_core_pattern_empty_string:obj:1" comment="variable object of the blank string" version="1">
-          <ind:var_ref>oval:ssg-local_var_blank_path_sysctl_kernel_core_pattern_empty_string:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_symlink_sysctl_kernel_core_pattern_empty_string:obj:1" comment="variable object of the symlinks found" version="1">
-          <ind:var_ref>oval:ssg-local_var_symlinks_sysctl_kernel_core_pattern_empty_string:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:symlink_object comment="Symlinks referencing files in default dirs" id="oval:ssg-object_sysctl_kernel_core_pattern_empty_string_symlinks:obj:1" version="1">
-          <unix:filepath operation="equals" var_ref="oval:ssg-local_var_conf_files_sysctl_kernel_core_pattern_empty_string:var:1"/>
-          <oval-def:filter action="exclude">oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_kernel_core_pattern_empty_string:ste:1</oval-def:filter>
-        </unix:symlink_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_kernel_core_pattern_empty_string_static_set_sysctls_unfiltered:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctls_sysctl_kernel_core_pattern_empty_string:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_run_usr_sysctls_sysctl_kernel_core_pattern_empty_string:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctls_sysctl_kernel_core_pattern_empty_string:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_sysctl_sysctl_kernel_core_pattern_empty_string:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctld_sysctl_kernel_core_pattern_empty_string:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_usr_sysctls_sysctl_kernel_core_pattern_empty_string:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_run_sysctld_sysctl_kernel_core_pattern_empty_string:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_sysctl_sysctl_kernel_core_pattern_empty_string:obj:1" version="1">
-          <ind:filepath>/etc/sysctl.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*kernel.core_pattern[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctld_sysctl_kernel_core_pattern_empty_string:obj:1" version="1">
-          <ind:path>/etc/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*kernel.core_pattern[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_sysctld_sysctl_kernel_core_pattern_empty_string:obj:1" version="1">
-          <ind:path>/run/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*kernel.core_pattern[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:sysctl_object id="oval:ssg-object_sysctl_kernel_core_uses_pid_runtime:obj:1" version="1">
-          <unix:name>kernel.core_uses_pid</unix:name>
-        </unix:sysctl_object>
-        <ind:variable_object id="oval:ssg-object_sysctl_kernel_core_uses_pid_defined_in_one_file:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_sysctl_kernel_core_uses_pid_counter:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_kernel_core_uses_pid_static_set_sysctls:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_sysctl_kernel_core_uses_pid_static_set_sysctls_unfiltered:obj:1</oval-def:object_reference>
-            <oval-def:filter action="exclude">oval:ssg-state_sysctl_kernel_core_uses_pid_filepath_is_symlink:ste:1</oval-def:filter>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-var_object_symlink_sysctl_kernel_core_uses_pid:obj:1" comment="combine the blank string with symlink paths found" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-var_obj_symlink_sysctl_kernel_core_uses_pid:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-var_obj_blank_sysctl_kernel_core_uses_pid:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_blank_sysctl_kernel_core_uses_pid:obj:1" comment="variable object of the blank string" version="1">
-          <ind:var_ref>oval:ssg-local_var_blank_path_sysctl_kernel_core_uses_pid:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_symlink_sysctl_kernel_core_uses_pid:obj:1" comment="variable object of the symlinks found" version="1">
-          <ind:var_ref>oval:ssg-local_var_symlinks_sysctl_kernel_core_uses_pid:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:symlink_object comment="Symlinks referencing files in default dirs" id="oval:ssg-object_sysctl_kernel_core_uses_pid_symlinks:obj:1" version="1">
-          <unix:filepath operation="equals" var_ref="oval:ssg-local_var_conf_files_sysctl_kernel_core_uses_pid:var:1"/>
-          <oval-def:filter action="exclude">oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_kernel_core_uses_pid:ste:1</oval-def:filter>
-        </unix:symlink_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_kernel_core_uses_pid_static_set_sysctls_unfiltered:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctls_sysctl_kernel_core_uses_pid:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_run_usr_sysctls_sysctl_kernel_core_uses_pid:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctls_sysctl_kernel_core_uses_pid:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_sysctl_sysctl_kernel_core_uses_pid:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctld_sysctl_kernel_core_uses_pid:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_usr_sysctls_sysctl_kernel_core_uses_pid:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_run_sysctld_sysctl_kernel_core_uses_pid:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_sysctl_sysctl_kernel_core_uses_pid:obj:1" version="1">
-          <ind:filepath>/etc/sysctl.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*kernel.core_uses_pid[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctld_sysctl_kernel_core_uses_pid:obj:1" version="1">
-          <ind:path>/etc/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*kernel.core_uses_pid[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_sysctld_sysctl_kernel_core_uses_pid:obj:1" version="1">
-          <ind:path>/run/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*kernel.core_uses_pid[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:sysctl_object id="oval:ssg-object_sysctl_kernel_dmesg_restrict_runtime:obj:1" version="1">
-          <unix:name>kernel.dmesg_restrict</unix:name>
-        </unix:sysctl_object>
-        <ind:variable_object id="oval:ssg-object_sysctl_kernel_dmesg_restrict_defined_in_one_file:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_sysctl_kernel_dmesg_restrict_counter:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_kernel_dmesg_restrict_static_set_sysctls:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_sysctl_kernel_dmesg_restrict_static_set_sysctls_unfiltered:obj:1</oval-def:object_reference>
-            <oval-def:filter action="exclude">oval:ssg-state_sysctl_kernel_dmesg_restrict_filepath_is_symlink:ste:1</oval-def:filter>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-var_object_symlink_sysctl_kernel_dmesg_restrict:obj:1" comment="combine the blank string with symlink paths found" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-var_obj_symlink_sysctl_kernel_dmesg_restrict:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-var_obj_blank_sysctl_kernel_dmesg_restrict:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_blank_sysctl_kernel_dmesg_restrict:obj:1" comment="variable object of the blank string" version="1">
-          <ind:var_ref>oval:ssg-local_var_blank_path_sysctl_kernel_dmesg_restrict:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_symlink_sysctl_kernel_dmesg_restrict:obj:1" comment="variable object of the symlinks found" version="1">
-          <ind:var_ref>oval:ssg-local_var_symlinks_sysctl_kernel_dmesg_restrict:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:symlink_object comment="Symlinks referencing files in default dirs" id="oval:ssg-object_sysctl_kernel_dmesg_restrict_symlinks:obj:1" version="1">
-          <unix:filepath operation="equals" var_ref="oval:ssg-local_var_conf_files_sysctl_kernel_dmesg_restrict:var:1"/>
-          <oval-def:filter action="exclude">oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_kernel_dmesg_restrict:ste:1</oval-def:filter>
-        </unix:symlink_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_kernel_dmesg_restrict_static_set_sysctls_unfiltered:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctls_sysctl_kernel_dmesg_restrict:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_run_usr_sysctls_sysctl_kernel_dmesg_restrict:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctls_sysctl_kernel_dmesg_restrict:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_sysctl_sysctl_kernel_dmesg_restrict:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctld_sysctl_kernel_dmesg_restrict:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_usr_sysctls_sysctl_kernel_dmesg_restrict:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_run_sysctld_sysctl_kernel_dmesg_restrict:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_sysctl_sysctl_kernel_dmesg_restrict:obj:1" version="1">
-          <ind:filepath>/etc/sysctl.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*kernel.dmesg_restrict[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctld_sysctl_kernel_dmesg_restrict:obj:1" version="1">
-          <ind:path>/etc/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*kernel.dmesg_restrict[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_sysctld_sysctl_kernel_dmesg_restrict:obj:1" version="1">
-          <ind:path>/run/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*kernel.dmesg_restrict[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:sysctl_object id="oval:ssg-object_sysctl_kernel_kexec_load_disabled_runtime:obj:1" version="1">
-          <unix:name>kernel.kexec_load_disabled</unix:name>
-        </unix:sysctl_object>
-        <ind:variable_object id="oval:ssg-object_sysctl_kernel_kexec_load_disabled_defined_in_one_file:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_sysctl_kernel_kexec_load_disabled_counter:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_kernel_kexec_load_disabled_static_set_sysctls:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_sysctl_kernel_kexec_load_disabled_static_set_sysctls_unfiltered:obj:1</oval-def:object_reference>
-            <oval-def:filter action="exclude">oval:ssg-state_sysctl_kernel_kexec_load_disabled_filepath_is_symlink:ste:1</oval-def:filter>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-var_object_symlink_sysctl_kernel_kexec_load_disabled:obj:1" comment="combine the blank string with symlink paths found" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-var_obj_symlink_sysctl_kernel_kexec_load_disabled:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-var_obj_blank_sysctl_kernel_kexec_load_disabled:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_blank_sysctl_kernel_kexec_load_disabled:obj:1" comment="variable object of the blank string" version="1">
-          <ind:var_ref>oval:ssg-local_var_blank_path_sysctl_kernel_kexec_load_disabled:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_symlink_sysctl_kernel_kexec_load_disabled:obj:1" comment="variable object of the symlinks found" version="1">
-          <ind:var_ref>oval:ssg-local_var_symlinks_sysctl_kernel_kexec_load_disabled:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:symlink_object comment="Symlinks referencing files in default dirs" id="oval:ssg-object_sysctl_kernel_kexec_load_disabled_symlinks:obj:1" version="1">
-          <unix:filepath operation="equals" var_ref="oval:ssg-local_var_conf_files_sysctl_kernel_kexec_load_disabled:var:1"/>
-          <oval-def:filter action="exclude">oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_kernel_kexec_load_disabled:ste:1</oval-def:filter>
-        </unix:symlink_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_kernel_kexec_load_disabled_static_set_sysctls_unfiltered:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctls_sysctl_kernel_kexec_load_disabled:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_run_usr_sysctls_sysctl_kernel_kexec_load_disabled:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctls_sysctl_kernel_kexec_load_disabled:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_sysctl_sysctl_kernel_kexec_load_disabled:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctld_sysctl_kernel_kexec_load_disabled:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_usr_sysctls_sysctl_kernel_kexec_load_disabled:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_run_sysctld_sysctl_kernel_kexec_load_disabled:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_sysctl_sysctl_kernel_kexec_load_disabled:obj:1" version="1">
-          <ind:filepath>/etc/sysctl.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*kernel.kexec_load_disabled[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctld_sysctl_kernel_kexec_load_disabled:obj:1" version="1">
-          <ind:path>/etc/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*kernel.kexec_load_disabled[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_sysctld_sysctl_kernel_kexec_load_disabled:obj:1" version="1">
-          <ind:path>/run/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*kernel.kexec_load_disabled[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:sysctl_object id="oval:ssg-object_sysctl_kernel_kptr_restrict_runtime:obj:1" version="1">
-          <unix:name>kernel.kptr_restrict</unix:name>
-        </unix:sysctl_object>
-        <ind:variable_object id="oval:ssg-object_sysctl_kernel_kptr_restrict_defined_in_one_file:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_sysctl_kernel_kptr_restrict_counter:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_kernel_kptr_restrict_static_set_sysctls:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_sysctl_kernel_kptr_restrict_static_set_sysctls_unfiltered:obj:1</oval-def:object_reference>
-            <oval-def:filter action="exclude">oval:ssg-state_sysctl_kernel_kptr_restrict_filepath_is_symlink:ste:1</oval-def:filter>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-var_object_symlink_sysctl_kernel_kptr_restrict:obj:1" comment="combine the blank string with symlink paths found" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-var_obj_symlink_sysctl_kernel_kptr_restrict:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-var_obj_blank_sysctl_kernel_kptr_restrict:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_blank_sysctl_kernel_kptr_restrict:obj:1" comment="variable object of the blank string" version="1">
-          <ind:var_ref>oval:ssg-local_var_blank_path_sysctl_kernel_kptr_restrict:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_symlink_sysctl_kernel_kptr_restrict:obj:1" comment="variable object of the symlinks found" version="1">
-          <ind:var_ref>oval:ssg-local_var_symlinks_sysctl_kernel_kptr_restrict:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:symlink_object comment="Symlinks referencing files in default dirs" id="oval:ssg-object_sysctl_kernel_kptr_restrict_symlinks:obj:1" version="1">
-          <unix:filepath operation="equals" var_ref="oval:ssg-local_var_conf_files_sysctl_kernel_kptr_restrict:var:1"/>
-          <oval-def:filter action="exclude">oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_kernel_kptr_restrict:ste:1</oval-def:filter>
-        </unix:symlink_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_kernel_kptr_restrict_static_set_sysctls_unfiltered:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctls_sysctl_kernel_kptr_restrict:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_run_usr_sysctls_sysctl_kernel_kptr_restrict:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctls_sysctl_kernel_kptr_restrict:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_sysctl_sysctl_kernel_kptr_restrict:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctld_sysctl_kernel_kptr_restrict:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_usr_sysctls_sysctl_kernel_kptr_restrict:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_run_sysctld_sysctl_kernel_kptr_restrict:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_sysctl_sysctl_kernel_kptr_restrict:obj:1" version="1">
-          <ind:filepath>/etc/sysctl.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*kernel.kptr_restrict[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctld_sysctl_kernel_kptr_restrict:obj:1" version="1">
-          <ind:path>/etc/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*kernel.kptr_restrict[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_sysctld_sysctl_kernel_kptr_restrict:obj:1" version="1">
-          <ind:path>/run/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*kernel.kptr_restrict[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:sysctl_object id="oval:ssg-object_sysctl_kernel_panic_on_oops_runtime:obj:1" version="1">
-          <unix:name>kernel.panic_on_oops</unix:name>
-        </unix:sysctl_object>
-        <ind:variable_object id="oval:ssg-object_sysctl_kernel_panic_on_oops_defined_in_one_file:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_sysctl_kernel_panic_on_oops_counter:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_kernel_panic_on_oops_static_set_sysctls:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_sysctl_kernel_panic_on_oops_static_set_sysctls_unfiltered:obj:1</oval-def:object_reference>
-            <oval-def:filter action="exclude">oval:ssg-state_sysctl_kernel_panic_on_oops_filepath_is_symlink:ste:1</oval-def:filter>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-var_object_symlink_sysctl_kernel_panic_on_oops:obj:1" comment="combine the blank string with symlink paths found" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-var_obj_symlink_sysctl_kernel_panic_on_oops:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-var_obj_blank_sysctl_kernel_panic_on_oops:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_blank_sysctl_kernel_panic_on_oops:obj:1" comment="variable object of the blank string" version="1">
-          <ind:var_ref>oval:ssg-local_var_blank_path_sysctl_kernel_panic_on_oops:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_symlink_sysctl_kernel_panic_on_oops:obj:1" comment="variable object of the symlinks found" version="1">
-          <ind:var_ref>oval:ssg-local_var_symlinks_sysctl_kernel_panic_on_oops:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:symlink_object comment="Symlinks referencing files in default dirs" id="oval:ssg-object_sysctl_kernel_panic_on_oops_symlinks:obj:1" version="1">
-          <unix:filepath operation="equals" var_ref="oval:ssg-local_var_conf_files_sysctl_kernel_panic_on_oops:var:1"/>
-          <oval-def:filter action="exclude">oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_kernel_panic_on_oops:ste:1</oval-def:filter>
-        </unix:symlink_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_kernel_panic_on_oops_static_set_sysctls_unfiltered:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctls_sysctl_kernel_panic_on_oops:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_run_usr_sysctls_sysctl_kernel_panic_on_oops:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctls_sysctl_kernel_panic_on_oops:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_sysctl_sysctl_kernel_panic_on_oops:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctld_sysctl_kernel_panic_on_oops:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_usr_sysctls_sysctl_kernel_panic_on_oops:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_run_sysctld_sysctl_kernel_panic_on_oops:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_sysctl_sysctl_kernel_panic_on_oops:obj:1" version="1">
-          <ind:filepath>/etc/sysctl.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*kernel.panic_on_oops[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctld_sysctl_kernel_panic_on_oops:obj:1" version="1">
-          <ind:path>/etc/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*kernel.panic_on_oops[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_sysctld_sysctl_kernel_panic_on_oops:obj:1" version="1">
-          <ind:path>/run/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*kernel.panic_on_oops[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:sysctl_object id="oval:ssg-object_sysctl_kernel_perf_event_paranoid_runtime:obj:1" version="1">
-          <unix:name>kernel.perf_event_paranoid</unix:name>
-        </unix:sysctl_object>
-        <ind:variable_object id="oval:ssg-object_sysctl_kernel_perf_event_paranoid_defined_in_one_file:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_sysctl_kernel_perf_event_paranoid_counter:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_kernel_perf_event_paranoid_static_set_sysctls:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_sysctl_kernel_perf_event_paranoid_static_set_sysctls_unfiltered:obj:1</oval-def:object_reference>
-            <oval-def:filter action="exclude">oval:ssg-state_sysctl_kernel_perf_event_paranoid_filepath_is_symlink:ste:1</oval-def:filter>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-var_object_symlink_sysctl_kernel_perf_event_paranoid:obj:1" comment="combine the blank string with symlink paths found" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-var_obj_symlink_sysctl_kernel_perf_event_paranoid:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-var_obj_blank_sysctl_kernel_perf_event_paranoid:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_blank_sysctl_kernel_perf_event_paranoid:obj:1" comment="variable object of the blank string" version="1">
-          <ind:var_ref>oval:ssg-local_var_blank_path_sysctl_kernel_perf_event_paranoid:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_symlink_sysctl_kernel_perf_event_paranoid:obj:1" comment="variable object of the symlinks found" version="1">
-          <ind:var_ref>oval:ssg-local_var_symlinks_sysctl_kernel_perf_event_paranoid:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:symlink_object comment="Symlinks referencing files in default dirs" id="oval:ssg-object_sysctl_kernel_perf_event_paranoid_symlinks:obj:1" version="1">
-          <unix:filepath operation="equals" var_ref="oval:ssg-local_var_conf_files_sysctl_kernel_perf_event_paranoid:var:1"/>
-          <oval-def:filter action="exclude">oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_kernel_perf_event_paranoid:ste:1</oval-def:filter>
-        </unix:symlink_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_kernel_perf_event_paranoid_static_set_sysctls_unfiltered:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctls_sysctl_kernel_perf_event_paranoid:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_run_usr_sysctls_sysctl_kernel_perf_event_paranoid:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctls_sysctl_kernel_perf_event_paranoid:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_sysctl_sysctl_kernel_perf_event_paranoid:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctld_sysctl_kernel_perf_event_paranoid:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_usr_sysctls_sysctl_kernel_perf_event_paranoid:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_run_sysctld_sysctl_kernel_perf_event_paranoid:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_sysctl_sysctl_kernel_perf_event_paranoid:obj:1" version="1">
-          <ind:filepath>/etc/sysctl.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*kernel.perf_event_paranoid[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctld_sysctl_kernel_perf_event_paranoid:obj:1" version="1">
-          <ind:path>/etc/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*kernel.perf_event_paranoid[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_sysctld_sysctl_kernel_perf_event_paranoid:obj:1" version="1">
-          <ind:path>/run/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*kernel.perf_event_paranoid[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:sysctl_object id="oval:ssg-object_sysctl_kernel_randomize_va_space_runtime:obj:1" version="1">
-          <unix:name>kernel.randomize_va_space</unix:name>
-        </unix:sysctl_object>
-        <ind:variable_object id="oval:ssg-object_sysctl_kernel_randomize_va_space_defined_in_one_file:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_sysctl_kernel_randomize_va_space_counter:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_kernel_randomize_va_space_static_set_sysctls:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_sysctl_kernel_randomize_va_space_static_set_sysctls_unfiltered:obj:1</oval-def:object_reference>
-            <oval-def:filter action="exclude">oval:ssg-state_sysctl_kernel_randomize_va_space_filepath_is_symlink:ste:1</oval-def:filter>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-var_object_symlink_sysctl_kernel_randomize_va_space:obj:1" comment="combine the blank string with symlink paths found" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-var_obj_symlink_sysctl_kernel_randomize_va_space:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-var_obj_blank_sysctl_kernel_randomize_va_space:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_blank_sysctl_kernel_randomize_va_space:obj:1" comment="variable object of the blank string" version="1">
-          <ind:var_ref>oval:ssg-local_var_blank_path_sysctl_kernel_randomize_va_space:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_symlink_sysctl_kernel_randomize_va_space:obj:1" comment="variable object of the symlinks found" version="1">
-          <ind:var_ref>oval:ssg-local_var_symlinks_sysctl_kernel_randomize_va_space:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:symlink_object comment="Symlinks referencing files in default dirs" id="oval:ssg-object_sysctl_kernel_randomize_va_space_symlinks:obj:1" version="1">
-          <unix:filepath operation="equals" var_ref="oval:ssg-local_var_conf_files_sysctl_kernel_randomize_va_space:var:1"/>
-          <oval-def:filter action="exclude">oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_kernel_randomize_va_space:ste:1</oval-def:filter>
-        </unix:symlink_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_kernel_randomize_va_space_static_set_sysctls_unfiltered:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctls_sysctl_kernel_randomize_va_space:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_run_usr_sysctls_sysctl_kernel_randomize_va_space:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctls_sysctl_kernel_randomize_va_space:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_sysctl_sysctl_kernel_randomize_va_space:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctld_sysctl_kernel_randomize_va_space:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_usr_sysctls_sysctl_kernel_randomize_va_space:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_run_sysctld_sysctl_kernel_randomize_va_space:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_sysctl_sysctl_kernel_randomize_va_space:obj:1" version="1">
-          <ind:filepath>/etc/sysctl.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*kernel.randomize_va_space[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctld_sysctl_kernel_randomize_va_space:obj:1" version="1">
-          <ind:path>/etc/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*kernel.randomize_va_space[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_sysctld_sysctl_kernel_randomize_va_space:obj:1" version="1">
-          <ind:path>/run/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*kernel.randomize_va_space[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:sysctl_object id="oval:ssg-object_sysctl_kernel_unprivileged_bpf_disabled_runtime:obj:1" version="1">
-          <unix:name>kernel.unprivileged_bpf_disabled</unix:name>
-        </unix:sysctl_object>
-        <ind:variable_object id="oval:ssg-object_sysctl_kernel_unprivileged_bpf_disabled_defined_in_one_file:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_sysctl_kernel_unprivileged_bpf_disabled_counter:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_kernel_unprivileged_bpf_disabled_static_set_sysctls:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_sysctl_kernel_unprivileged_bpf_disabled_static_set_sysctls_unfiltered:obj:1</oval-def:object_reference>
-            <oval-def:filter action="exclude">oval:ssg-state_sysctl_kernel_unprivileged_bpf_disabled_filepath_is_symlink:ste:1</oval-def:filter>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-var_object_symlink_sysctl_kernel_unprivileged_bpf_disabled:obj:1" comment="combine the blank string with symlink paths found" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-var_obj_symlink_sysctl_kernel_unprivileged_bpf_disabled:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-var_obj_blank_sysctl_kernel_unprivileged_bpf_disabled:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_blank_sysctl_kernel_unprivileged_bpf_disabled:obj:1" comment="variable object of the blank string" version="1">
-          <ind:var_ref>oval:ssg-local_var_blank_path_sysctl_kernel_unprivileged_bpf_disabled:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_symlink_sysctl_kernel_unprivileged_bpf_disabled:obj:1" comment="variable object of the symlinks found" version="1">
-          <ind:var_ref>oval:ssg-local_var_symlinks_sysctl_kernel_unprivileged_bpf_disabled:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:symlink_object comment="Symlinks referencing files in default dirs" id="oval:ssg-object_sysctl_kernel_unprivileged_bpf_disabled_symlinks:obj:1" version="1">
-          <unix:filepath operation="equals" var_ref="oval:ssg-local_var_conf_files_sysctl_kernel_unprivileged_bpf_disabled:var:1"/>
-          <oval-def:filter action="exclude">oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_kernel_unprivileged_bpf_disabled:ste:1</oval-def:filter>
-        </unix:symlink_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_kernel_unprivileged_bpf_disabled_static_set_sysctls_unfiltered:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctls_sysctl_kernel_unprivileged_bpf_disabled:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_run_usr_sysctls_sysctl_kernel_unprivileged_bpf_disabled:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctls_sysctl_kernel_unprivileged_bpf_disabled:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_sysctl_sysctl_kernel_unprivileged_bpf_disabled:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctld_sysctl_kernel_unprivileged_bpf_disabled:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_usr_sysctls_sysctl_kernel_unprivileged_bpf_disabled:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_run_sysctld_sysctl_kernel_unprivileged_bpf_disabled:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_sysctl_sysctl_kernel_unprivileged_bpf_disabled:obj:1" version="1">
-          <ind:filepath>/etc/sysctl.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*kernel.unprivileged_bpf_disabled[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctld_sysctl_kernel_unprivileged_bpf_disabled:obj:1" version="1">
-          <ind:path>/etc/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*kernel.unprivileged_bpf_disabled[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_sysctld_sysctl_kernel_unprivileged_bpf_disabled:obj:1" version="1">
-          <ind:path>/run/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*kernel.unprivileged_bpf_disabled[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:sysctl_object id="oval:ssg-object_sysctl_kernel_yama_ptrace_scope_runtime:obj:1" version="1">
-          <unix:name>kernel.yama.ptrace_scope</unix:name>
-        </unix:sysctl_object>
-        <ind:variable_object id="oval:ssg-object_sysctl_kernel_yama_ptrace_scope_defined_in_one_file:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_sysctl_kernel_yama_ptrace_scope_counter:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_kernel_yama_ptrace_scope_static_set_sysctls:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_sysctl_kernel_yama_ptrace_scope_static_set_sysctls_unfiltered:obj:1</oval-def:object_reference>
-            <oval-def:filter action="exclude">oval:ssg-state_sysctl_kernel_yama_ptrace_scope_filepath_is_symlink:ste:1</oval-def:filter>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-var_object_symlink_sysctl_kernel_yama_ptrace_scope:obj:1" comment="combine the blank string with symlink paths found" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-var_obj_symlink_sysctl_kernel_yama_ptrace_scope:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-var_obj_blank_sysctl_kernel_yama_ptrace_scope:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_blank_sysctl_kernel_yama_ptrace_scope:obj:1" comment="variable object of the blank string" version="1">
-          <ind:var_ref>oval:ssg-local_var_blank_path_sysctl_kernel_yama_ptrace_scope:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_symlink_sysctl_kernel_yama_ptrace_scope:obj:1" comment="variable object of the symlinks found" version="1">
-          <ind:var_ref>oval:ssg-local_var_symlinks_sysctl_kernel_yama_ptrace_scope:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:symlink_object comment="Symlinks referencing files in default dirs" id="oval:ssg-object_sysctl_kernel_yama_ptrace_scope_symlinks:obj:1" version="1">
-          <unix:filepath operation="equals" var_ref="oval:ssg-local_var_conf_files_sysctl_kernel_yama_ptrace_scope:var:1"/>
-          <oval-def:filter action="exclude">oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_kernel_yama_ptrace_scope:ste:1</oval-def:filter>
-        </unix:symlink_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_kernel_yama_ptrace_scope_static_set_sysctls_unfiltered:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctls_sysctl_kernel_yama_ptrace_scope:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_run_usr_sysctls_sysctl_kernel_yama_ptrace_scope:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctls_sysctl_kernel_yama_ptrace_scope:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_sysctl_sysctl_kernel_yama_ptrace_scope:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctld_sysctl_kernel_yama_ptrace_scope:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_usr_sysctls_sysctl_kernel_yama_ptrace_scope:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_run_sysctld_sysctl_kernel_yama_ptrace_scope:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_sysctl_sysctl_kernel_yama_ptrace_scope:obj:1" version="1">
-          <ind:filepath>/etc/sysctl.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*kernel.yama.ptrace_scope[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctld_sysctl_kernel_yama_ptrace_scope:obj:1" version="1">
-          <ind:path>/etc/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*kernel.yama.ptrace_scope[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_sysctld_sysctl_kernel_yama_ptrace_scope:obj:1" version="1">
-          <ind:path>/run/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*kernel.yama.ptrace_scope[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:sysctl_object id="oval:ssg-object_sysctl_net_core_bpf_jit_harden_runtime:obj:1" version="1">
-          <unix:name>net.core.bpf_jit_harden</unix:name>
-        </unix:sysctl_object>
-        <ind:variable_object id="oval:ssg-object_sysctl_net_core_bpf_jit_harden_defined_in_one_file:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_sysctl_net_core_bpf_jit_harden_counter:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_net_core_bpf_jit_harden_static_set_sysctls:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_sysctl_net_core_bpf_jit_harden_static_set_sysctls_unfiltered:obj:1</oval-def:object_reference>
-            <oval-def:filter action="exclude">oval:ssg-state_sysctl_net_core_bpf_jit_harden_filepath_is_symlink:ste:1</oval-def:filter>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-var_object_symlink_sysctl_net_core_bpf_jit_harden:obj:1" comment="combine the blank string with symlink paths found" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-var_obj_symlink_sysctl_net_core_bpf_jit_harden:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-var_obj_blank_sysctl_net_core_bpf_jit_harden:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_blank_sysctl_net_core_bpf_jit_harden:obj:1" comment="variable object of the blank string" version="1">
-          <ind:var_ref>oval:ssg-local_var_blank_path_sysctl_net_core_bpf_jit_harden:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_symlink_sysctl_net_core_bpf_jit_harden:obj:1" comment="variable object of the symlinks found" version="1">
-          <ind:var_ref>oval:ssg-local_var_symlinks_sysctl_net_core_bpf_jit_harden:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:symlink_object comment="Symlinks referencing files in default dirs" id="oval:ssg-object_sysctl_net_core_bpf_jit_harden_symlinks:obj:1" version="1">
-          <unix:filepath operation="equals" var_ref="oval:ssg-local_var_conf_files_sysctl_net_core_bpf_jit_harden:var:1"/>
-          <oval-def:filter action="exclude">oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_net_core_bpf_jit_harden:ste:1</oval-def:filter>
-        </unix:symlink_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_net_core_bpf_jit_harden_static_set_sysctls_unfiltered:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctls_sysctl_net_core_bpf_jit_harden:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_run_usr_sysctls_sysctl_net_core_bpf_jit_harden:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctls_sysctl_net_core_bpf_jit_harden:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_sysctl_sysctl_net_core_bpf_jit_harden:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctld_sysctl_net_core_bpf_jit_harden:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_usr_sysctls_sysctl_net_core_bpf_jit_harden:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_run_sysctld_sysctl_net_core_bpf_jit_harden:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_sysctl_sysctl_net_core_bpf_jit_harden:obj:1" version="1">
-          <ind:filepath>/etc/sysctl.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*net.core.bpf_jit_harden[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctld_sysctl_net_core_bpf_jit_harden:obj:1" version="1">
-          <ind:path>/etc/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*net.core.bpf_jit_harden[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_sysctld_sysctl_net_core_bpf_jit_harden:obj:1" version="1">
-          <ind:path>/run/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*net.core.bpf_jit_harden[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:sysctl_object id="oval:ssg-object_sysctl_net_ipv4_conf_all_accept_local_runtime:obj:1" version="1">
-          <unix:name>net.ipv4.conf.all.accept_local</unix:name>
-        </unix:sysctl_object>
-        <ind:variable_object id="oval:ssg-object_sysctl_net_ipv4_conf_all_accept_local_defined_in_one_file:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_sysctl_net_ipv4_conf_all_accept_local_counter:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_net_ipv4_conf_all_accept_local_static_set_sysctls:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_sysctl_net_ipv4_conf_all_accept_local_static_set_sysctls_unfiltered:obj:1</oval-def:object_reference>
-            <oval-def:filter action="exclude">oval:ssg-state_sysctl_net_ipv4_conf_all_accept_local_filepath_is_symlink:ste:1</oval-def:filter>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-var_object_symlink_sysctl_net_ipv4_conf_all_accept_local:obj:1" comment="combine the blank string with symlink paths found" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-var_obj_symlink_sysctl_net_ipv4_conf_all_accept_local:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-var_obj_blank_sysctl_net_ipv4_conf_all_accept_local:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_blank_sysctl_net_ipv4_conf_all_accept_local:obj:1" comment="variable object of the blank string" version="1">
-          <ind:var_ref>oval:ssg-local_var_blank_path_sysctl_net_ipv4_conf_all_accept_local:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_symlink_sysctl_net_ipv4_conf_all_accept_local:obj:1" comment="variable object of the symlinks found" version="1">
-          <ind:var_ref>oval:ssg-local_var_symlinks_sysctl_net_ipv4_conf_all_accept_local:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:symlink_object comment="Symlinks referencing files in default dirs" id="oval:ssg-object_sysctl_net_ipv4_conf_all_accept_local_symlinks:obj:1" version="1">
-          <unix:filepath operation="equals" var_ref="oval:ssg-local_var_conf_files_sysctl_net_ipv4_conf_all_accept_local:var:1"/>
-          <oval-def:filter action="exclude">oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_net_ipv4_conf_all_accept_local:ste:1</oval-def:filter>
-        </unix:symlink_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_net_ipv4_conf_all_accept_local_static_set_sysctls_unfiltered:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_all_accept_local:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_run_usr_sysctls_sysctl_net_ipv4_conf_all_accept_local:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_all_accept_local:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_all_accept_local:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_all_accept_local:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_usr_sysctls_sysctl_net_ipv4_conf_all_accept_local:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_all_accept_local:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_all_accept_local:obj:1" version="1">
-          <ind:filepath>/etc/sysctl.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.all.accept_local[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_all_accept_local:obj:1" version="1">
-          <ind:path>/etc/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.all.accept_local[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_all_accept_local:obj:1" version="1">
-          <ind:path>/run/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.all.accept_local[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:sysctl_object id="oval:ssg-object_sysctl_net_ipv4_conf_all_accept_redirects_runtime:obj:1" version="1">
-          <unix:name>net.ipv4.conf.all.accept_redirects</unix:name>
-        </unix:sysctl_object>
-        <ind:variable_object id="oval:ssg-object_sysctl_net_ipv4_conf_all_accept_redirects_defined_in_one_file:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_sysctl_net_ipv4_conf_all_accept_redirects_counter:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_net_ipv4_conf_all_accept_redirects_static_set_sysctls:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_sysctl_net_ipv4_conf_all_accept_redirects_static_set_sysctls_unfiltered:obj:1</oval-def:object_reference>
-            <oval-def:filter action="exclude">oval:ssg-state_sysctl_net_ipv4_conf_all_accept_redirects_filepath_is_symlink:ste:1</oval-def:filter>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-var_object_symlink_sysctl_net_ipv4_conf_all_accept_redirects:obj:1" comment="combine the blank string with symlink paths found" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-var_obj_symlink_sysctl_net_ipv4_conf_all_accept_redirects:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-var_obj_blank_sysctl_net_ipv4_conf_all_accept_redirects:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_blank_sysctl_net_ipv4_conf_all_accept_redirects:obj:1" comment="variable object of the blank string" version="1">
-          <ind:var_ref>oval:ssg-local_var_blank_path_sysctl_net_ipv4_conf_all_accept_redirects:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_symlink_sysctl_net_ipv4_conf_all_accept_redirects:obj:1" comment="variable object of the symlinks found" version="1">
-          <ind:var_ref>oval:ssg-local_var_symlinks_sysctl_net_ipv4_conf_all_accept_redirects:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:symlink_object comment="Symlinks referencing files in default dirs" id="oval:ssg-object_sysctl_net_ipv4_conf_all_accept_redirects_symlinks:obj:1" version="1">
-          <unix:filepath operation="equals" var_ref="oval:ssg-local_var_conf_files_sysctl_net_ipv4_conf_all_accept_redirects:var:1"/>
-          <oval-def:filter action="exclude">oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_net_ipv4_conf_all_accept_redirects:ste:1</oval-def:filter>
-        </unix:symlink_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_net_ipv4_conf_all_accept_redirects_static_set_sysctls_unfiltered:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_all_accept_redirects:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_run_usr_sysctls_sysctl_net_ipv4_conf_all_accept_redirects:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_all_accept_redirects:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_all_accept_redirects:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_all_accept_redirects:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_usr_sysctls_sysctl_net_ipv4_conf_all_accept_redirects:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_all_accept_redirects:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_all_accept_redirects:obj:1" version="1">
-          <ind:filepath>/etc/sysctl.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.all.accept_redirects[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_all_accept_redirects:obj:1" version="1">
-          <ind:path>/etc/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.all.accept_redirects[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_all_accept_redirects:obj:1" version="1">
-          <ind:path>/run/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.all.accept_redirects[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:sysctl_object id="oval:ssg-object_sysctl_net_ipv4_conf_all_accept_source_route_runtime:obj:1" version="1">
-          <unix:name>net.ipv4.conf.all.accept_source_route</unix:name>
-        </unix:sysctl_object>
-        <ind:variable_object id="oval:ssg-object_sysctl_net_ipv4_conf_all_accept_source_route_defined_in_one_file:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_sysctl_net_ipv4_conf_all_accept_source_route_counter:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_net_ipv4_conf_all_accept_source_route_static_set_sysctls:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_sysctl_net_ipv4_conf_all_accept_source_route_static_set_sysctls_unfiltered:obj:1</oval-def:object_reference>
-            <oval-def:filter action="exclude">oval:ssg-state_sysctl_net_ipv4_conf_all_accept_source_route_filepath_is_symlink:ste:1</oval-def:filter>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-var_object_symlink_sysctl_net_ipv4_conf_all_accept_source_route:obj:1" comment="combine the blank string with symlink paths found" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-var_obj_symlink_sysctl_net_ipv4_conf_all_accept_source_route:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-var_obj_blank_sysctl_net_ipv4_conf_all_accept_source_route:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_blank_sysctl_net_ipv4_conf_all_accept_source_route:obj:1" comment="variable object of the blank string" version="1">
-          <ind:var_ref>oval:ssg-local_var_blank_path_sysctl_net_ipv4_conf_all_accept_source_route:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_symlink_sysctl_net_ipv4_conf_all_accept_source_route:obj:1" comment="variable object of the symlinks found" version="1">
-          <ind:var_ref>oval:ssg-local_var_symlinks_sysctl_net_ipv4_conf_all_accept_source_route:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:symlink_object comment="Symlinks referencing files in default dirs" id="oval:ssg-object_sysctl_net_ipv4_conf_all_accept_source_route_symlinks:obj:1" version="1">
-          <unix:filepath operation="equals" var_ref="oval:ssg-local_var_conf_files_sysctl_net_ipv4_conf_all_accept_source_route:var:1"/>
-          <oval-def:filter action="exclude">oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_net_ipv4_conf_all_accept_source_route:ste:1</oval-def:filter>
-        </unix:symlink_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_net_ipv4_conf_all_accept_source_route_static_set_sysctls_unfiltered:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_all_accept_source_route:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_run_usr_sysctls_sysctl_net_ipv4_conf_all_accept_source_route:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_all_accept_source_route:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_all_accept_source_route:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_all_accept_source_route:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_usr_sysctls_sysctl_net_ipv4_conf_all_accept_source_route:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_all_accept_source_route:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_all_accept_source_route:obj:1" version="1">
-          <ind:filepath>/etc/sysctl.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.all.accept_source_route[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_all_accept_source_route:obj:1" version="1">
-          <ind:path>/etc/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.all.accept_source_route[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_all_accept_source_route:obj:1" version="1">
-          <ind:path>/run/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.all.accept_source_route[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:sysctl_object id="oval:ssg-object_sysctl_net_ipv4_conf_all_arp_filter_runtime:obj:1" version="1">
-          <unix:name>net.ipv4.conf.all.arp_filter</unix:name>
-        </unix:sysctl_object>
-        <ind:variable_object id="oval:ssg-object_sysctl_net_ipv4_conf_all_arp_filter_defined_in_one_file:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_sysctl_net_ipv4_conf_all_arp_filter_counter:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_net_ipv4_conf_all_arp_filter_static_set_sysctls:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_sysctl_net_ipv4_conf_all_arp_filter_static_set_sysctls_unfiltered:obj:1</oval-def:object_reference>
-            <oval-def:filter action="exclude">oval:ssg-state_sysctl_net_ipv4_conf_all_arp_filter_filepath_is_symlink:ste:1</oval-def:filter>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-var_object_symlink_sysctl_net_ipv4_conf_all_arp_filter:obj:1" comment="combine the blank string with symlink paths found" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-var_obj_symlink_sysctl_net_ipv4_conf_all_arp_filter:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-var_obj_blank_sysctl_net_ipv4_conf_all_arp_filter:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_blank_sysctl_net_ipv4_conf_all_arp_filter:obj:1" comment="variable object of the blank string" version="1">
-          <ind:var_ref>oval:ssg-local_var_blank_path_sysctl_net_ipv4_conf_all_arp_filter:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_symlink_sysctl_net_ipv4_conf_all_arp_filter:obj:1" comment="variable object of the symlinks found" version="1">
-          <ind:var_ref>oval:ssg-local_var_symlinks_sysctl_net_ipv4_conf_all_arp_filter:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:symlink_object comment="Symlinks referencing files in default dirs" id="oval:ssg-object_sysctl_net_ipv4_conf_all_arp_filter_symlinks:obj:1" version="1">
-          <unix:filepath operation="equals" var_ref="oval:ssg-local_var_conf_files_sysctl_net_ipv4_conf_all_arp_filter:var:1"/>
-          <oval-def:filter action="exclude">oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_net_ipv4_conf_all_arp_filter:ste:1</oval-def:filter>
-        </unix:symlink_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_net_ipv4_conf_all_arp_filter_static_set_sysctls_unfiltered:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_all_arp_filter:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_run_usr_sysctls_sysctl_net_ipv4_conf_all_arp_filter:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_all_arp_filter:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_all_arp_filter:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_all_arp_filter:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_usr_sysctls_sysctl_net_ipv4_conf_all_arp_filter:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_all_arp_filter:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_all_arp_filter:obj:1" version="1">
-          <ind:filepath>/etc/sysctl.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.all.arp_filter[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_all_arp_filter:obj:1" version="1">
-          <ind:path>/etc/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.all.arp_filter[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_all_arp_filter:obj:1" version="1">
-          <ind:path>/run/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.all.arp_filter[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:sysctl_object id="oval:ssg-object_sysctl_net_ipv4_conf_all_arp_ignore_runtime:obj:1" version="1">
-          <unix:name>net.ipv4.conf.all.arp_ignore</unix:name>
-        </unix:sysctl_object>
-        <ind:variable_object id="oval:ssg-object_sysctl_net_ipv4_conf_all_arp_ignore_defined_in_one_file:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_sysctl_net_ipv4_conf_all_arp_ignore_counter:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_net_ipv4_conf_all_arp_ignore_static_set_sysctls:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_sysctl_net_ipv4_conf_all_arp_ignore_static_set_sysctls_unfiltered:obj:1</oval-def:object_reference>
-            <oval-def:filter action="exclude">oval:ssg-state_sysctl_net_ipv4_conf_all_arp_ignore_filepath_is_symlink:ste:1</oval-def:filter>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-var_object_symlink_sysctl_net_ipv4_conf_all_arp_ignore:obj:1" comment="combine the blank string with symlink paths found" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-var_obj_symlink_sysctl_net_ipv4_conf_all_arp_ignore:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-var_obj_blank_sysctl_net_ipv4_conf_all_arp_ignore:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_blank_sysctl_net_ipv4_conf_all_arp_ignore:obj:1" comment="variable object of the blank string" version="1">
-          <ind:var_ref>oval:ssg-local_var_blank_path_sysctl_net_ipv4_conf_all_arp_ignore:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_symlink_sysctl_net_ipv4_conf_all_arp_ignore:obj:1" comment="variable object of the symlinks found" version="1">
-          <ind:var_ref>oval:ssg-local_var_symlinks_sysctl_net_ipv4_conf_all_arp_ignore:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:symlink_object comment="Symlinks referencing files in default dirs" id="oval:ssg-object_sysctl_net_ipv4_conf_all_arp_ignore_symlinks:obj:1" version="1">
-          <unix:filepath operation="equals" var_ref="oval:ssg-local_var_conf_files_sysctl_net_ipv4_conf_all_arp_ignore:var:1"/>
-          <oval-def:filter action="exclude">oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_net_ipv4_conf_all_arp_ignore:ste:1</oval-def:filter>
-        </unix:symlink_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_net_ipv4_conf_all_arp_ignore_static_set_sysctls_unfiltered:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_all_arp_ignore:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_run_usr_sysctls_sysctl_net_ipv4_conf_all_arp_ignore:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_all_arp_ignore:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_all_arp_ignore:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_all_arp_ignore:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_usr_sysctls_sysctl_net_ipv4_conf_all_arp_ignore:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_all_arp_ignore:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_all_arp_ignore:obj:1" version="1">
-          <ind:filepath>/etc/sysctl.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.all.arp_ignore[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_all_arp_ignore:obj:1" version="1">
-          <ind:path>/etc/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.all.arp_ignore[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_all_arp_ignore:obj:1" version="1">
-          <ind:path>/run/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.all.arp_ignore[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:sysctl_object id="oval:ssg-object_sysctl_net_ipv4_conf_all_log_martians_runtime:obj:1" version="1">
-          <unix:name>net.ipv4.conf.all.log_martians</unix:name>
-        </unix:sysctl_object>
-        <ind:variable_object id="oval:ssg-object_sysctl_net_ipv4_conf_all_log_martians_defined_in_one_file:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_sysctl_net_ipv4_conf_all_log_martians_counter:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_net_ipv4_conf_all_log_martians_static_set_sysctls:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_sysctl_net_ipv4_conf_all_log_martians_static_set_sysctls_unfiltered:obj:1</oval-def:object_reference>
-            <oval-def:filter action="exclude">oval:ssg-state_sysctl_net_ipv4_conf_all_log_martians_filepath_is_symlink:ste:1</oval-def:filter>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-var_object_symlink_sysctl_net_ipv4_conf_all_log_martians:obj:1" comment="combine the blank string with symlink paths found" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-var_obj_symlink_sysctl_net_ipv4_conf_all_log_martians:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-var_obj_blank_sysctl_net_ipv4_conf_all_log_martians:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_blank_sysctl_net_ipv4_conf_all_log_martians:obj:1" comment="variable object of the blank string" version="1">
-          <ind:var_ref>oval:ssg-local_var_blank_path_sysctl_net_ipv4_conf_all_log_martians:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_symlink_sysctl_net_ipv4_conf_all_log_martians:obj:1" comment="variable object of the symlinks found" version="1">
-          <ind:var_ref>oval:ssg-local_var_symlinks_sysctl_net_ipv4_conf_all_log_martians:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:symlink_object comment="Symlinks referencing files in default dirs" id="oval:ssg-object_sysctl_net_ipv4_conf_all_log_martians_symlinks:obj:1" version="1">
-          <unix:filepath operation="equals" var_ref="oval:ssg-local_var_conf_files_sysctl_net_ipv4_conf_all_log_martians:var:1"/>
-          <oval-def:filter action="exclude">oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_net_ipv4_conf_all_log_martians:ste:1</oval-def:filter>
-        </unix:symlink_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_net_ipv4_conf_all_log_martians_static_set_sysctls_unfiltered:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_all_log_martians:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_run_usr_sysctls_sysctl_net_ipv4_conf_all_log_martians:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_all_log_martians:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_all_log_martians:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_all_log_martians:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_usr_sysctls_sysctl_net_ipv4_conf_all_log_martians:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_all_log_martians:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_all_log_martians:obj:1" version="1">
-          <ind:filepath>/etc/sysctl.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.all.log_martians[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_all_log_martians:obj:1" version="1">
-          <ind:path>/etc/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.all.log_martians[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_all_log_martians:obj:1" version="1">
-          <ind:path>/run/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.all.log_martians[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:sysctl_object id="oval:ssg-object_sysctl_net_ipv4_conf_all_route_localnet_runtime:obj:1" version="1">
-          <unix:name>net.ipv4.conf.all.route_localnet</unix:name>
-        </unix:sysctl_object>
-        <ind:variable_object id="oval:ssg-object_sysctl_net_ipv4_conf_all_route_localnet_defined_in_one_file:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_sysctl_net_ipv4_conf_all_route_localnet_counter:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_net_ipv4_conf_all_route_localnet_static_set_sysctls:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_sysctl_net_ipv4_conf_all_route_localnet_static_set_sysctls_unfiltered:obj:1</oval-def:object_reference>
-            <oval-def:filter action="exclude">oval:ssg-state_sysctl_net_ipv4_conf_all_route_localnet_filepath_is_symlink:ste:1</oval-def:filter>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-var_object_symlink_sysctl_net_ipv4_conf_all_route_localnet:obj:1" comment="combine the blank string with symlink paths found" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-var_obj_symlink_sysctl_net_ipv4_conf_all_route_localnet:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-var_obj_blank_sysctl_net_ipv4_conf_all_route_localnet:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_blank_sysctl_net_ipv4_conf_all_route_localnet:obj:1" comment="variable object of the blank string" version="1">
-          <ind:var_ref>oval:ssg-local_var_blank_path_sysctl_net_ipv4_conf_all_route_localnet:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_symlink_sysctl_net_ipv4_conf_all_route_localnet:obj:1" comment="variable object of the symlinks found" version="1">
-          <ind:var_ref>oval:ssg-local_var_symlinks_sysctl_net_ipv4_conf_all_route_localnet:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:symlink_object comment="Symlinks referencing files in default dirs" id="oval:ssg-object_sysctl_net_ipv4_conf_all_route_localnet_symlinks:obj:1" version="1">
-          <unix:filepath operation="equals" var_ref="oval:ssg-local_var_conf_files_sysctl_net_ipv4_conf_all_route_localnet:var:1"/>
-          <oval-def:filter action="exclude">oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_net_ipv4_conf_all_route_localnet:ste:1</oval-def:filter>
-        </unix:symlink_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_net_ipv4_conf_all_route_localnet_static_set_sysctls_unfiltered:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_all_route_localnet:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_run_usr_sysctls_sysctl_net_ipv4_conf_all_route_localnet:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_all_route_localnet:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_all_route_localnet:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_all_route_localnet:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_usr_sysctls_sysctl_net_ipv4_conf_all_route_localnet:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_all_route_localnet:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_all_route_localnet:obj:1" version="1">
-          <ind:filepath>/etc/sysctl.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.all.route_localnet[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_all_route_localnet:obj:1" version="1">
-          <ind:path>/etc/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.all.route_localnet[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_all_route_localnet:obj:1" version="1">
-          <ind:path>/run/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.all.route_localnet[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:sysctl_object id="oval:ssg-object_sysctl_net_ipv4_conf_all_rp_filter_runtime:obj:1" version="1">
-          <unix:name>net.ipv4.conf.all.rp_filter</unix:name>
-        </unix:sysctl_object>
-        <ind:variable_object id="oval:ssg-object_sysctl_net_ipv4_conf_all_rp_filter_defined_in_one_file:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_sysctl_net_ipv4_conf_all_rp_filter_counter:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_net_ipv4_conf_all_rp_filter_static_set_sysctls:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_sysctl_net_ipv4_conf_all_rp_filter_static_set_sysctls_unfiltered:obj:1</oval-def:object_reference>
-            <oval-def:filter action="exclude">oval:ssg-state_sysctl_net_ipv4_conf_all_rp_filter_filepath_is_symlink:ste:1</oval-def:filter>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-var_object_symlink_sysctl_net_ipv4_conf_all_rp_filter:obj:1" comment="combine the blank string with symlink paths found" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-var_obj_symlink_sysctl_net_ipv4_conf_all_rp_filter:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-var_obj_blank_sysctl_net_ipv4_conf_all_rp_filter:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_blank_sysctl_net_ipv4_conf_all_rp_filter:obj:1" comment="variable object of the blank string" version="1">
-          <ind:var_ref>oval:ssg-local_var_blank_path_sysctl_net_ipv4_conf_all_rp_filter:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_symlink_sysctl_net_ipv4_conf_all_rp_filter:obj:1" comment="variable object of the symlinks found" version="1">
-          <ind:var_ref>oval:ssg-local_var_symlinks_sysctl_net_ipv4_conf_all_rp_filter:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:symlink_object comment="Symlinks referencing files in default dirs" id="oval:ssg-object_sysctl_net_ipv4_conf_all_rp_filter_symlinks:obj:1" version="1">
-          <unix:filepath operation="equals" var_ref="oval:ssg-local_var_conf_files_sysctl_net_ipv4_conf_all_rp_filter:var:1"/>
-          <oval-def:filter action="exclude">oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_net_ipv4_conf_all_rp_filter:ste:1</oval-def:filter>
-        </unix:symlink_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_net_ipv4_conf_all_rp_filter_static_set_sysctls_unfiltered:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_all_rp_filter:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_run_usr_sysctls_sysctl_net_ipv4_conf_all_rp_filter:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_all_rp_filter:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_all_rp_filter:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_all_rp_filter:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_usr_sysctls_sysctl_net_ipv4_conf_all_rp_filter:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_all_rp_filter:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_all_rp_filter:obj:1" version="1">
-          <ind:filepath>/etc/sysctl.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.all.rp_filter[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_all_rp_filter:obj:1" version="1">
-          <ind:path>/etc/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.all.rp_filter[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_all_rp_filter:obj:1" version="1">
-          <ind:path>/run/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.all.rp_filter[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:sysctl_object id="oval:ssg-object_sysctl_net_ipv4_conf_all_secure_redirects_runtime:obj:1" version="1">
-          <unix:name>net.ipv4.conf.all.secure_redirects</unix:name>
-        </unix:sysctl_object>
-        <ind:variable_object id="oval:ssg-object_sysctl_net_ipv4_conf_all_secure_redirects_defined_in_one_file:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_sysctl_net_ipv4_conf_all_secure_redirects_counter:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_net_ipv4_conf_all_secure_redirects_static_set_sysctls:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_sysctl_net_ipv4_conf_all_secure_redirects_static_set_sysctls_unfiltered:obj:1</oval-def:object_reference>
-            <oval-def:filter action="exclude">oval:ssg-state_sysctl_net_ipv4_conf_all_secure_redirects_filepath_is_symlink:ste:1</oval-def:filter>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-var_object_symlink_sysctl_net_ipv4_conf_all_secure_redirects:obj:1" comment="combine the blank string with symlink paths found" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-var_obj_symlink_sysctl_net_ipv4_conf_all_secure_redirects:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-var_obj_blank_sysctl_net_ipv4_conf_all_secure_redirects:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_blank_sysctl_net_ipv4_conf_all_secure_redirects:obj:1" comment="variable object of the blank string" version="1">
-          <ind:var_ref>oval:ssg-local_var_blank_path_sysctl_net_ipv4_conf_all_secure_redirects:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_symlink_sysctl_net_ipv4_conf_all_secure_redirects:obj:1" comment="variable object of the symlinks found" version="1">
-          <ind:var_ref>oval:ssg-local_var_symlinks_sysctl_net_ipv4_conf_all_secure_redirects:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:symlink_object comment="Symlinks referencing files in default dirs" id="oval:ssg-object_sysctl_net_ipv4_conf_all_secure_redirects_symlinks:obj:1" version="1">
-          <unix:filepath operation="equals" var_ref="oval:ssg-local_var_conf_files_sysctl_net_ipv4_conf_all_secure_redirects:var:1"/>
-          <oval-def:filter action="exclude">oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_net_ipv4_conf_all_secure_redirects:ste:1</oval-def:filter>
-        </unix:symlink_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_net_ipv4_conf_all_secure_redirects_static_set_sysctls_unfiltered:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_all_secure_redirects:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_run_usr_sysctls_sysctl_net_ipv4_conf_all_secure_redirects:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_all_secure_redirects:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_all_secure_redirects:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_all_secure_redirects:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_usr_sysctls_sysctl_net_ipv4_conf_all_secure_redirects:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_all_secure_redirects:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_all_secure_redirects:obj:1" version="1">
-          <ind:filepath>/etc/sysctl.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.all.secure_redirects[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_all_secure_redirects:obj:1" version="1">
-          <ind:path>/etc/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.all.secure_redirects[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_all_secure_redirects:obj:1" version="1">
-          <ind:path>/run/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.all.secure_redirects[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:sysctl_object id="oval:ssg-object_sysctl_net_ipv4_conf_all_send_redirects_runtime:obj:1" version="1">
-          <unix:name>net.ipv4.conf.all.send_redirects</unix:name>
-        </unix:sysctl_object>
-        <ind:variable_object id="oval:ssg-object_sysctl_net_ipv4_conf_all_send_redirects_defined_in_one_file:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_sysctl_net_ipv4_conf_all_send_redirects_counter:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_net_ipv4_conf_all_send_redirects_static_set_sysctls:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_sysctl_net_ipv4_conf_all_send_redirects_static_set_sysctls_unfiltered:obj:1</oval-def:object_reference>
-            <oval-def:filter action="exclude">oval:ssg-state_sysctl_net_ipv4_conf_all_send_redirects_filepath_is_symlink:ste:1</oval-def:filter>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-var_object_symlink_sysctl_net_ipv4_conf_all_send_redirects:obj:1" comment="combine the blank string with symlink paths found" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-var_obj_symlink_sysctl_net_ipv4_conf_all_send_redirects:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-var_obj_blank_sysctl_net_ipv4_conf_all_send_redirects:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_blank_sysctl_net_ipv4_conf_all_send_redirects:obj:1" comment="variable object of the blank string" version="1">
-          <ind:var_ref>oval:ssg-local_var_blank_path_sysctl_net_ipv4_conf_all_send_redirects:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_symlink_sysctl_net_ipv4_conf_all_send_redirects:obj:1" comment="variable object of the symlinks found" version="1">
-          <ind:var_ref>oval:ssg-local_var_symlinks_sysctl_net_ipv4_conf_all_send_redirects:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:symlink_object comment="Symlinks referencing files in default dirs" id="oval:ssg-object_sysctl_net_ipv4_conf_all_send_redirects_symlinks:obj:1" version="1">
-          <unix:filepath operation="equals" var_ref="oval:ssg-local_var_conf_files_sysctl_net_ipv4_conf_all_send_redirects:var:1"/>
-          <oval-def:filter action="exclude">oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_net_ipv4_conf_all_send_redirects:ste:1</oval-def:filter>
-        </unix:symlink_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_net_ipv4_conf_all_send_redirects_static_set_sysctls_unfiltered:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_all_send_redirects:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_run_usr_sysctls_sysctl_net_ipv4_conf_all_send_redirects:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_all_send_redirects:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_all_send_redirects:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_all_send_redirects:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_usr_sysctls_sysctl_net_ipv4_conf_all_send_redirects:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_all_send_redirects:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_all_send_redirects:obj:1" version="1">
-          <ind:filepath>/etc/sysctl.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.all.send_redirects[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_all_send_redirects:obj:1" version="1">
-          <ind:path>/etc/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.all.send_redirects[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_all_send_redirects:obj:1" version="1">
-          <ind:path>/run/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.all.send_redirects[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:sysctl_object id="oval:ssg-object_sysctl_net_ipv4_conf_all_shared_media_runtime:obj:1" version="1">
-          <unix:name>net.ipv4.conf.all.shared_media</unix:name>
-        </unix:sysctl_object>
-        <ind:variable_object id="oval:ssg-object_sysctl_net_ipv4_conf_all_shared_media_defined_in_one_file:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_sysctl_net_ipv4_conf_all_shared_media_counter:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_net_ipv4_conf_all_shared_media_static_set_sysctls:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_sysctl_net_ipv4_conf_all_shared_media_static_set_sysctls_unfiltered:obj:1</oval-def:object_reference>
-            <oval-def:filter action="exclude">oval:ssg-state_sysctl_net_ipv4_conf_all_shared_media_filepath_is_symlink:ste:1</oval-def:filter>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-var_object_symlink_sysctl_net_ipv4_conf_all_shared_media:obj:1" comment="combine the blank string with symlink paths found" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-var_obj_symlink_sysctl_net_ipv4_conf_all_shared_media:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-var_obj_blank_sysctl_net_ipv4_conf_all_shared_media:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_blank_sysctl_net_ipv4_conf_all_shared_media:obj:1" comment="variable object of the blank string" version="1">
-          <ind:var_ref>oval:ssg-local_var_blank_path_sysctl_net_ipv4_conf_all_shared_media:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_symlink_sysctl_net_ipv4_conf_all_shared_media:obj:1" comment="variable object of the symlinks found" version="1">
-          <ind:var_ref>oval:ssg-local_var_symlinks_sysctl_net_ipv4_conf_all_shared_media:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:symlink_object comment="Symlinks referencing files in default dirs" id="oval:ssg-object_sysctl_net_ipv4_conf_all_shared_media_symlinks:obj:1" version="1">
-          <unix:filepath operation="equals" var_ref="oval:ssg-local_var_conf_files_sysctl_net_ipv4_conf_all_shared_media:var:1"/>
-          <oval-def:filter action="exclude">oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_net_ipv4_conf_all_shared_media:ste:1</oval-def:filter>
-        </unix:symlink_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_net_ipv4_conf_all_shared_media_static_set_sysctls_unfiltered:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_all_shared_media:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_run_usr_sysctls_sysctl_net_ipv4_conf_all_shared_media:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_all_shared_media:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_all_shared_media:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_all_shared_media:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_usr_sysctls_sysctl_net_ipv4_conf_all_shared_media:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_all_shared_media:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_all_shared_media:obj:1" version="1">
-          <ind:filepath>/etc/sysctl.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.all.shared_media[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_all_shared_media:obj:1" version="1">
-          <ind:path>/etc/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.all.shared_media[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_all_shared_media:obj:1" version="1">
-          <ind:path>/run/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.all.shared_media[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:sysctl_object id="oval:ssg-object_sysctl_net_ipv4_conf_default_accept_redirects_runtime:obj:1" version="1">
-          <unix:name>net.ipv4.conf.default.accept_redirects</unix:name>
-        </unix:sysctl_object>
-        <ind:variable_object id="oval:ssg-object_sysctl_net_ipv4_conf_default_accept_redirects_defined_in_one_file:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_sysctl_net_ipv4_conf_default_accept_redirects_counter:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_net_ipv4_conf_default_accept_redirects_static_set_sysctls:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_sysctl_net_ipv4_conf_default_accept_redirects_static_set_sysctls_unfiltered:obj:1</oval-def:object_reference>
-            <oval-def:filter action="exclude">oval:ssg-state_sysctl_net_ipv4_conf_default_accept_redirects_filepath_is_symlink:ste:1</oval-def:filter>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-var_object_symlink_sysctl_net_ipv4_conf_default_accept_redirects:obj:1" comment="combine the blank string with symlink paths found" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-var_obj_symlink_sysctl_net_ipv4_conf_default_accept_redirects:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-var_obj_blank_sysctl_net_ipv4_conf_default_accept_redirects:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_blank_sysctl_net_ipv4_conf_default_accept_redirects:obj:1" comment="variable object of the blank string" version="1">
-          <ind:var_ref>oval:ssg-local_var_blank_path_sysctl_net_ipv4_conf_default_accept_redirects:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_symlink_sysctl_net_ipv4_conf_default_accept_redirects:obj:1" comment="variable object of the symlinks found" version="1">
-          <ind:var_ref>oval:ssg-local_var_symlinks_sysctl_net_ipv4_conf_default_accept_redirects:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:symlink_object comment="Symlinks referencing files in default dirs" id="oval:ssg-object_sysctl_net_ipv4_conf_default_accept_redirects_symlinks:obj:1" version="1">
-          <unix:filepath operation="equals" var_ref="oval:ssg-local_var_conf_files_sysctl_net_ipv4_conf_default_accept_redirects:var:1"/>
-          <oval-def:filter action="exclude">oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_net_ipv4_conf_default_accept_redirects:ste:1</oval-def:filter>
-        </unix:symlink_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_net_ipv4_conf_default_accept_redirects_static_set_sysctls_unfiltered:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_default_accept_redirects:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_run_usr_sysctls_sysctl_net_ipv4_conf_default_accept_redirects:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_default_accept_redirects:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_default_accept_redirects:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_default_accept_redirects:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_usr_sysctls_sysctl_net_ipv4_conf_default_accept_redirects:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_default_accept_redirects:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_default_accept_redirects:obj:1" version="1">
-          <ind:filepath>/etc/sysctl.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.default.accept_redirects[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_default_accept_redirects:obj:1" version="1">
-          <ind:path>/etc/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.default.accept_redirects[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_default_accept_redirects:obj:1" version="1">
-          <ind:path>/run/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.default.accept_redirects[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:sysctl_object id="oval:ssg-object_sysctl_net_ipv4_conf_default_accept_source_route_runtime:obj:1" version="1">
-          <unix:name>net.ipv4.conf.default.accept_source_route</unix:name>
-        </unix:sysctl_object>
-        <ind:variable_object id="oval:ssg-object_sysctl_net_ipv4_conf_default_accept_source_route_defined_in_one_file:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_sysctl_net_ipv4_conf_default_accept_source_route_counter:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_net_ipv4_conf_default_accept_source_route_static_set_sysctls:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_sysctl_net_ipv4_conf_default_accept_source_route_static_set_sysctls_unfiltered:obj:1</oval-def:object_reference>
-            <oval-def:filter action="exclude">oval:ssg-state_sysctl_net_ipv4_conf_default_accept_source_route_filepath_is_symlink:ste:1</oval-def:filter>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-var_object_symlink_sysctl_net_ipv4_conf_default_accept_source_route:obj:1" comment="combine the blank string with symlink paths found" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-var_obj_symlink_sysctl_net_ipv4_conf_default_accept_source_route:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-var_obj_blank_sysctl_net_ipv4_conf_default_accept_source_route:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_blank_sysctl_net_ipv4_conf_default_accept_source_route:obj:1" comment="variable object of the blank string" version="1">
-          <ind:var_ref>oval:ssg-local_var_blank_path_sysctl_net_ipv4_conf_default_accept_source_route:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_symlink_sysctl_net_ipv4_conf_default_accept_source_route:obj:1" comment="variable object of the symlinks found" version="1">
-          <ind:var_ref>oval:ssg-local_var_symlinks_sysctl_net_ipv4_conf_default_accept_source_route:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:symlink_object comment="Symlinks referencing files in default dirs" id="oval:ssg-object_sysctl_net_ipv4_conf_default_accept_source_route_symlinks:obj:1" version="1">
-          <unix:filepath operation="equals" var_ref="oval:ssg-local_var_conf_files_sysctl_net_ipv4_conf_default_accept_source_route:var:1"/>
-          <oval-def:filter action="exclude">oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_net_ipv4_conf_default_accept_source_route:ste:1</oval-def:filter>
-        </unix:symlink_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_net_ipv4_conf_default_accept_source_route_static_set_sysctls_unfiltered:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_default_accept_source_route:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_run_usr_sysctls_sysctl_net_ipv4_conf_default_accept_source_route:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_default_accept_source_route:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_default_accept_source_route:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_default_accept_source_route:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_usr_sysctls_sysctl_net_ipv4_conf_default_accept_source_route:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_default_accept_source_route:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_default_accept_source_route:obj:1" version="1">
-          <ind:filepath>/etc/sysctl.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.default.accept_source_route[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_default_accept_source_route:obj:1" version="1">
-          <ind:path>/etc/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.default.accept_source_route[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_default_accept_source_route:obj:1" version="1">
-          <ind:path>/run/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.default.accept_source_route[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:sysctl_object id="oval:ssg-object_sysctl_net_ipv4_conf_default_log_martians_runtime:obj:1" version="1">
-          <unix:name>net.ipv4.conf.default.log_martians</unix:name>
-        </unix:sysctl_object>
-        <ind:variable_object id="oval:ssg-object_sysctl_net_ipv4_conf_default_log_martians_defined_in_one_file:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_sysctl_net_ipv4_conf_default_log_martians_counter:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_net_ipv4_conf_default_log_martians_static_set_sysctls:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_sysctl_net_ipv4_conf_default_log_martians_static_set_sysctls_unfiltered:obj:1</oval-def:object_reference>
-            <oval-def:filter action="exclude">oval:ssg-state_sysctl_net_ipv4_conf_default_log_martians_filepath_is_symlink:ste:1</oval-def:filter>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-var_object_symlink_sysctl_net_ipv4_conf_default_log_martians:obj:1" comment="combine the blank string with symlink paths found" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-var_obj_symlink_sysctl_net_ipv4_conf_default_log_martians:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-var_obj_blank_sysctl_net_ipv4_conf_default_log_martians:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_blank_sysctl_net_ipv4_conf_default_log_martians:obj:1" comment="variable object of the blank string" version="1">
-          <ind:var_ref>oval:ssg-local_var_blank_path_sysctl_net_ipv4_conf_default_log_martians:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_symlink_sysctl_net_ipv4_conf_default_log_martians:obj:1" comment="variable object of the symlinks found" version="1">
-          <ind:var_ref>oval:ssg-local_var_symlinks_sysctl_net_ipv4_conf_default_log_martians:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:symlink_object comment="Symlinks referencing files in default dirs" id="oval:ssg-object_sysctl_net_ipv4_conf_default_log_martians_symlinks:obj:1" version="1">
-          <unix:filepath operation="equals" var_ref="oval:ssg-local_var_conf_files_sysctl_net_ipv4_conf_default_log_martians:var:1"/>
-          <oval-def:filter action="exclude">oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_net_ipv4_conf_default_log_martians:ste:1</oval-def:filter>
-        </unix:symlink_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_net_ipv4_conf_default_log_martians_static_set_sysctls_unfiltered:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_default_log_martians:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_run_usr_sysctls_sysctl_net_ipv4_conf_default_log_martians:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_default_log_martians:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_default_log_martians:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_default_log_martians:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_usr_sysctls_sysctl_net_ipv4_conf_default_log_martians:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_default_log_martians:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_default_log_martians:obj:1" version="1">
-          <ind:filepath>/etc/sysctl.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.default.log_martians[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_default_log_martians:obj:1" version="1">
-          <ind:path>/etc/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.default.log_martians[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_default_log_martians:obj:1" version="1">
-          <ind:path>/run/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.default.log_martians[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:sysctl_object id="oval:ssg-object_sysctl_net_ipv4_conf_default_rp_filter_runtime:obj:1" version="1">
-          <unix:name>net.ipv4.conf.default.rp_filter</unix:name>
-        </unix:sysctl_object>
-        <ind:variable_object id="oval:ssg-object_sysctl_net_ipv4_conf_default_rp_filter_defined_in_one_file:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_sysctl_net_ipv4_conf_default_rp_filter_counter:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_net_ipv4_conf_default_rp_filter_static_set_sysctls:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_sysctl_net_ipv4_conf_default_rp_filter_static_set_sysctls_unfiltered:obj:1</oval-def:object_reference>
-            <oval-def:filter action="exclude">oval:ssg-state_sysctl_net_ipv4_conf_default_rp_filter_filepath_is_symlink:ste:1</oval-def:filter>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-var_object_symlink_sysctl_net_ipv4_conf_default_rp_filter:obj:1" comment="combine the blank string with symlink paths found" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-var_obj_symlink_sysctl_net_ipv4_conf_default_rp_filter:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-var_obj_blank_sysctl_net_ipv4_conf_default_rp_filter:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_blank_sysctl_net_ipv4_conf_default_rp_filter:obj:1" comment="variable object of the blank string" version="1">
-          <ind:var_ref>oval:ssg-local_var_blank_path_sysctl_net_ipv4_conf_default_rp_filter:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_symlink_sysctl_net_ipv4_conf_default_rp_filter:obj:1" comment="variable object of the symlinks found" version="1">
-          <ind:var_ref>oval:ssg-local_var_symlinks_sysctl_net_ipv4_conf_default_rp_filter:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:symlink_object comment="Symlinks referencing files in default dirs" id="oval:ssg-object_sysctl_net_ipv4_conf_default_rp_filter_symlinks:obj:1" version="1">
-          <unix:filepath operation="equals" var_ref="oval:ssg-local_var_conf_files_sysctl_net_ipv4_conf_default_rp_filter:var:1"/>
-          <oval-def:filter action="exclude">oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_net_ipv4_conf_default_rp_filter:ste:1</oval-def:filter>
-        </unix:symlink_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_net_ipv4_conf_default_rp_filter_static_set_sysctls_unfiltered:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_default_rp_filter:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_run_usr_sysctls_sysctl_net_ipv4_conf_default_rp_filter:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_default_rp_filter:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_default_rp_filter:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_default_rp_filter:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_usr_sysctls_sysctl_net_ipv4_conf_default_rp_filter:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_default_rp_filter:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_default_rp_filter:obj:1" version="1">
-          <ind:filepath>/etc/sysctl.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.default.rp_filter[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_default_rp_filter:obj:1" version="1">
-          <ind:path>/etc/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.default.rp_filter[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_default_rp_filter:obj:1" version="1">
-          <ind:path>/run/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.default.rp_filter[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:sysctl_object id="oval:ssg-object_sysctl_net_ipv4_conf_default_secure_redirects_runtime:obj:1" version="1">
-          <unix:name>net.ipv4.conf.default.secure_redirects</unix:name>
-        </unix:sysctl_object>
-        <ind:variable_object id="oval:ssg-object_sysctl_net_ipv4_conf_default_secure_redirects_defined_in_one_file:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_sysctl_net_ipv4_conf_default_secure_redirects_counter:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_net_ipv4_conf_default_secure_redirects_static_set_sysctls:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_sysctl_net_ipv4_conf_default_secure_redirects_static_set_sysctls_unfiltered:obj:1</oval-def:object_reference>
-            <oval-def:filter action="exclude">oval:ssg-state_sysctl_net_ipv4_conf_default_secure_redirects_filepath_is_symlink:ste:1</oval-def:filter>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-var_object_symlink_sysctl_net_ipv4_conf_default_secure_redirects:obj:1" comment="combine the blank string with symlink paths found" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-var_obj_symlink_sysctl_net_ipv4_conf_default_secure_redirects:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-var_obj_blank_sysctl_net_ipv4_conf_default_secure_redirects:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_blank_sysctl_net_ipv4_conf_default_secure_redirects:obj:1" comment="variable object of the blank string" version="1">
-          <ind:var_ref>oval:ssg-local_var_blank_path_sysctl_net_ipv4_conf_default_secure_redirects:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_symlink_sysctl_net_ipv4_conf_default_secure_redirects:obj:1" comment="variable object of the symlinks found" version="1">
-          <ind:var_ref>oval:ssg-local_var_symlinks_sysctl_net_ipv4_conf_default_secure_redirects:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:symlink_object comment="Symlinks referencing files in default dirs" id="oval:ssg-object_sysctl_net_ipv4_conf_default_secure_redirects_symlinks:obj:1" version="1">
-          <unix:filepath operation="equals" var_ref="oval:ssg-local_var_conf_files_sysctl_net_ipv4_conf_default_secure_redirects:var:1"/>
-          <oval-def:filter action="exclude">oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_net_ipv4_conf_default_secure_redirects:ste:1</oval-def:filter>
-        </unix:symlink_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_net_ipv4_conf_default_secure_redirects_static_set_sysctls_unfiltered:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_default_secure_redirects:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_run_usr_sysctls_sysctl_net_ipv4_conf_default_secure_redirects:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_default_secure_redirects:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_default_secure_redirects:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_default_secure_redirects:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_usr_sysctls_sysctl_net_ipv4_conf_default_secure_redirects:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_default_secure_redirects:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_default_secure_redirects:obj:1" version="1">
-          <ind:filepath>/etc/sysctl.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.default.secure_redirects[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_default_secure_redirects:obj:1" version="1">
-          <ind:path>/etc/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.default.secure_redirects[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_default_secure_redirects:obj:1" version="1">
-          <ind:path>/run/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.default.secure_redirects[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:sysctl_object id="oval:ssg-object_sysctl_net_ipv4_conf_default_send_redirects_runtime:obj:1" version="1">
-          <unix:name>net.ipv4.conf.default.send_redirects</unix:name>
-        </unix:sysctl_object>
-        <ind:variable_object id="oval:ssg-object_sysctl_net_ipv4_conf_default_send_redirects_defined_in_one_file:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_sysctl_net_ipv4_conf_default_send_redirects_counter:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_net_ipv4_conf_default_send_redirects_static_set_sysctls:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_sysctl_net_ipv4_conf_default_send_redirects_static_set_sysctls_unfiltered:obj:1</oval-def:object_reference>
-            <oval-def:filter action="exclude">oval:ssg-state_sysctl_net_ipv4_conf_default_send_redirects_filepath_is_symlink:ste:1</oval-def:filter>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-var_object_symlink_sysctl_net_ipv4_conf_default_send_redirects:obj:1" comment="combine the blank string with symlink paths found" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-var_obj_symlink_sysctl_net_ipv4_conf_default_send_redirects:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-var_obj_blank_sysctl_net_ipv4_conf_default_send_redirects:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_blank_sysctl_net_ipv4_conf_default_send_redirects:obj:1" comment="variable object of the blank string" version="1">
-          <ind:var_ref>oval:ssg-local_var_blank_path_sysctl_net_ipv4_conf_default_send_redirects:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_symlink_sysctl_net_ipv4_conf_default_send_redirects:obj:1" comment="variable object of the symlinks found" version="1">
-          <ind:var_ref>oval:ssg-local_var_symlinks_sysctl_net_ipv4_conf_default_send_redirects:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:symlink_object comment="Symlinks referencing files in default dirs" id="oval:ssg-object_sysctl_net_ipv4_conf_default_send_redirects_symlinks:obj:1" version="1">
-          <unix:filepath operation="equals" var_ref="oval:ssg-local_var_conf_files_sysctl_net_ipv4_conf_default_send_redirects:var:1"/>
-          <oval-def:filter action="exclude">oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_net_ipv4_conf_default_send_redirects:ste:1</oval-def:filter>
-        </unix:symlink_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_net_ipv4_conf_default_send_redirects_static_set_sysctls_unfiltered:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_default_send_redirects:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_run_usr_sysctls_sysctl_net_ipv4_conf_default_send_redirects:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_default_send_redirects:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_default_send_redirects:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_default_send_redirects:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_usr_sysctls_sysctl_net_ipv4_conf_default_send_redirects:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_default_send_redirects:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_default_send_redirects:obj:1" version="1">
-          <ind:filepath>/etc/sysctl.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.default.send_redirects[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_default_send_redirects:obj:1" version="1">
-          <ind:path>/etc/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.default.send_redirects[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_default_send_redirects:obj:1" version="1">
-          <ind:path>/run/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.default.send_redirects[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:sysctl_object id="oval:ssg-object_sysctl_net_ipv4_conf_default_shared_media_runtime:obj:1" version="1">
-          <unix:name>net.ipv4.conf.default.shared_media</unix:name>
-        </unix:sysctl_object>
-        <ind:variable_object id="oval:ssg-object_sysctl_net_ipv4_conf_default_shared_media_defined_in_one_file:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_sysctl_net_ipv4_conf_default_shared_media_counter:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_net_ipv4_conf_default_shared_media_static_set_sysctls:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_sysctl_net_ipv4_conf_default_shared_media_static_set_sysctls_unfiltered:obj:1</oval-def:object_reference>
-            <oval-def:filter action="exclude">oval:ssg-state_sysctl_net_ipv4_conf_default_shared_media_filepath_is_symlink:ste:1</oval-def:filter>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-var_object_symlink_sysctl_net_ipv4_conf_default_shared_media:obj:1" comment="combine the blank string with symlink paths found" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-var_obj_symlink_sysctl_net_ipv4_conf_default_shared_media:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-var_obj_blank_sysctl_net_ipv4_conf_default_shared_media:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_blank_sysctl_net_ipv4_conf_default_shared_media:obj:1" comment="variable object of the blank string" version="1">
-          <ind:var_ref>oval:ssg-local_var_blank_path_sysctl_net_ipv4_conf_default_shared_media:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_symlink_sysctl_net_ipv4_conf_default_shared_media:obj:1" comment="variable object of the symlinks found" version="1">
-          <ind:var_ref>oval:ssg-local_var_symlinks_sysctl_net_ipv4_conf_default_shared_media:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:symlink_object comment="Symlinks referencing files in default dirs" id="oval:ssg-object_sysctl_net_ipv4_conf_default_shared_media_symlinks:obj:1" version="1">
-          <unix:filepath operation="equals" var_ref="oval:ssg-local_var_conf_files_sysctl_net_ipv4_conf_default_shared_media:var:1"/>
-          <oval-def:filter action="exclude">oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_net_ipv4_conf_default_shared_media:ste:1</oval-def:filter>
-        </unix:symlink_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_net_ipv4_conf_default_shared_media_static_set_sysctls_unfiltered:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_default_shared_media:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_run_usr_sysctls_sysctl_net_ipv4_conf_default_shared_media:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_conf_default_shared_media:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_default_shared_media:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_default_shared_media:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_usr_sysctls_sysctl_net_ipv4_conf_default_shared_media:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_default_shared_media:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_sysctl_sysctl_net_ipv4_conf_default_shared_media:obj:1" version="1">
-          <ind:filepath>/etc/sysctl.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.default.shared_media[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_conf_default_shared_media:obj:1" version="1">
-          <ind:path>/etc/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.default.shared_media[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_conf_default_shared_media:obj:1" version="1">
-          <ind:path>/run/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv4.conf.default.shared_media[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:sysctl_object id="oval:ssg-object_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_runtime:obj:1" version="1">
-          <unix:name>net.ipv4.icmp_echo_ignore_broadcasts</unix:name>
-        </unix:sysctl_object>
-        <ind:variable_object id="oval:ssg-object_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_defined_in_one_file:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_counter:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_static_set_sysctls:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_static_set_sysctls_unfiltered:obj:1</oval-def:object_reference>
-            <oval-def:filter action="exclude">oval:ssg-state_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_filepath_is_symlink:ste:1</oval-def:filter>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-var_object_symlink_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:obj:1" comment="combine the blank string with symlink paths found" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-var_obj_symlink_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-var_obj_blank_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_blank_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:obj:1" comment="variable object of the blank string" version="1">
-          <ind:var_ref>oval:ssg-local_var_blank_path_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_symlink_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:obj:1" comment="variable object of the symlinks found" version="1">
-          <ind:var_ref>oval:ssg-local_var_symlinks_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:symlink_object comment="Symlinks referencing files in default dirs" id="oval:ssg-object_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_symlinks:obj:1" version="1">
-          <unix:filepath operation="equals" var_ref="oval:ssg-local_var_conf_files_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:var:1"/>
-          <oval-def:filter action="exclude">oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:ste:1</oval-def:filter>
-        </unix:symlink_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_static_set_sysctls_unfiltered:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_run_usr_sysctls_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_sysctl_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_usr_sysctls_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_sysctl_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:obj:1" version="1">
-          <ind:filepath>/etc/sysctl.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv4.icmp_echo_ignore_broadcasts[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:obj:1" version="1">
-          <ind:path>/etc/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv4.icmp_echo_ignore_broadcasts[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:obj:1" version="1">
-          <ind:path>/run/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv4.icmp_echo_ignore_broadcasts[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:sysctl_object id="oval:ssg-object_sysctl_net_ipv4_icmp_ignore_bogus_error_responses_runtime:obj:1" version="1">
-          <unix:name>net.ipv4.icmp_ignore_bogus_error_responses</unix:name>
-        </unix:sysctl_object>
-        <ind:variable_object id="oval:ssg-object_sysctl_net_ipv4_icmp_ignore_bogus_error_responses_defined_in_one_file:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_sysctl_net_ipv4_icmp_ignore_bogus_error_responses_counter:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_net_ipv4_icmp_ignore_bogus_error_responses_static_set_sysctls:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_sysctl_net_ipv4_icmp_ignore_bogus_error_responses_static_set_sysctls_unfiltered:obj:1</oval-def:object_reference>
-            <oval-def:filter action="exclude">oval:ssg-state_sysctl_net_ipv4_icmp_ignore_bogus_error_responses_filepath_is_symlink:ste:1</oval-def:filter>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-var_object_symlink_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:obj:1" comment="combine the blank string with symlink paths found" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-var_obj_symlink_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-var_obj_blank_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_blank_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:obj:1" comment="variable object of the blank string" version="1">
-          <ind:var_ref>oval:ssg-local_var_blank_path_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_symlink_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:obj:1" comment="variable object of the symlinks found" version="1">
-          <ind:var_ref>oval:ssg-local_var_symlinks_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:symlink_object comment="Symlinks referencing files in default dirs" id="oval:ssg-object_sysctl_net_ipv4_icmp_ignore_bogus_error_responses_symlinks:obj:1" version="1">
-          <unix:filepath operation="equals" var_ref="oval:ssg-local_var_conf_files_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:var:1"/>
-          <oval-def:filter action="exclude">oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:ste:1</oval-def:filter>
-        </unix:symlink_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_net_ipv4_icmp_ignore_bogus_error_responses_static_set_sysctls_unfiltered:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_run_usr_sysctls_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_sysctl_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_usr_sysctls_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_sysctl_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:obj:1" version="1">
-          <ind:filepath>/etc/sysctl.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv4.icmp_ignore_bogus_error_responses[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:obj:1" version="1">
-          <ind:path>/etc/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv4.icmp_ignore_bogus_error_responses[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:obj:1" version="1">
-          <ind:path>/run/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv4.icmp_ignore_bogus_error_responses[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:sysctl_object id="oval:ssg-object_sysctl_net_ipv4_ip_forward_runtime:obj:1" version="1">
-          <unix:name>net.ipv4.ip_forward</unix:name>
-        </unix:sysctl_object>
-        <ind:variable_object id="oval:ssg-object_sysctl_net_ipv4_ip_forward_defined_in_one_file:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_sysctl_net_ipv4_ip_forward_counter:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_net_ipv4_ip_forward_static_set_sysctls:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_sysctl_net_ipv4_ip_forward_static_set_sysctls_unfiltered:obj:1</oval-def:object_reference>
-            <oval-def:filter action="exclude">oval:ssg-state_sysctl_net_ipv4_ip_forward_filepath_is_symlink:ste:1</oval-def:filter>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-var_object_symlink_sysctl_net_ipv4_ip_forward:obj:1" comment="combine the blank string with symlink paths found" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-var_obj_symlink_sysctl_net_ipv4_ip_forward:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-var_obj_blank_sysctl_net_ipv4_ip_forward:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_blank_sysctl_net_ipv4_ip_forward:obj:1" comment="variable object of the blank string" version="1">
-          <ind:var_ref>oval:ssg-local_var_blank_path_sysctl_net_ipv4_ip_forward:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_symlink_sysctl_net_ipv4_ip_forward:obj:1" comment="variable object of the symlinks found" version="1">
-          <ind:var_ref>oval:ssg-local_var_symlinks_sysctl_net_ipv4_ip_forward:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:symlink_object comment="Symlinks referencing files in default dirs" id="oval:ssg-object_sysctl_net_ipv4_ip_forward_symlinks:obj:1" version="1">
-          <unix:filepath operation="equals" var_ref="oval:ssg-local_var_conf_files_sysctl_net_ipv4_ip_forward:var:1"/>
-          <oval-def:filter action="exclude">oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_net_ipv4_ip_forward:ste:1</oval-def:filter>
-        </unix:symlink_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_net_ipv4_ip_forward_static_set_sysctls_unfiltered:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_ip_forward:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_run_usr_sysctls_sysctl_net_ipv4_ip_forward:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_ip_forward:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_sysctl_sysctl_net_ipv4_ip_forward:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_ip_forward:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_usr_sysctls_sysctl_net_ipv4_ip_forward:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_ip_forward:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_sysctl_sysctl_net_ipv4_ip_forward:obj:1" version="1">
-          <ind:filepath>/etc/sysctl.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv4.ip_forward[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_ip_forward:obj:1" version="1">
-          <ind:path>/etc/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv4.ip_forward[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_ip_forward:obj:1" version="1">
-          <ind:path>/run/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv4.ip_forward[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:sysctl_object id="oval:ssg-object_sysctl_net_ipv4_tcp_invalid_ratelimit_runtime:obj:1" version="1">
-          <unix:name>net.ipv4.tcp_invalid_ratelimit</unix:name>
-        </unix:sysctl_object>
-        <ind:variable_object id="oval:ssg-object_sysctl_net_ipv4_tcp_invalid_ratelimit_defined_in_one_file:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_sysctl_net_ipv4_tcp_invalid_ratelimit_counter:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_net_ipv4_tcp_invalid_ratelimit_static_set_sysctls:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_sysctl_net_ipv4_tcp_invalid_ratelimit_static_set_sysctls_unfiltered:obj:1</oval-def:object_reference>
-            <oval-def:filter action="exclude">oval:ssg-state_sysctl_net_ipv4_tcp_invalid_ratelimit_filepath_is_symlink:ste:1</oval-def:filter>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-var_object_symlink_sysctl_net_ipv4_tcp_invalid_ratelimit:obj:1" comment="combine the blank string with symlink paths found" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-var_obj_symlink_sysctl_net_ipv4_tcp_invalid_ratelimit:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-var_obj_blank_sysctl_net_ipv4_tcp_invalid_ratelimit:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_blank_sysctl_net_ipv4_tcp_invalid_ratelimit:obj:1" comment="variable object of the blank string" version="1">
-          <ind:var_ref>oval:ssg-local_var_blank_path_sysctl_net_ipv4_tcp_invalid_ratelimit:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_symlink_sysctl_net_ipv4_tcp_invalid_ratelimit:obj:1" comment="variable object of the symlinks found" version="1">
-          <ind:var_ref>oval:ssg-local_var_symlinks_sysctl_net_ipv4_tcp_invalid_ratelimit:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:symlink_object comment="Symlinks referencing files in default dirs" id="oval:ssg-object_sysctl_net_ipv4_tcp_invalid_ratelimit_symlinks:obj:1" version="1">
-          <unix:filepath operation="equals" var_ref="oval:ssg-local_var_conf_files_sysctl_net_ipv4_tcp_invalid_ratelimit:var:1"/>
-          <oval-def:filter action="exclude">oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_net_ipv4_tcp_invalid_ratelimit:ste:1</oval-def:filter>
-        </unix:symlink_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_net_ipv4_tcp_invalid_ratelimit_static_set_sysctls_unfiltered:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_tcp_invalid_ratelimit:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_run_usr_sysctls_sysctl_net_ipv4_tcp_invalid_ratelimit:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_tcp_invalid_ratelimit:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_sysctl_sysctl_net_ipv4_tcp_invalid_ratelimit:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_tcp_invalid_ratelimit:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_usr_sysctls_sysctl_net_ipv4_tcp_invalid_ratelimit:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_tcp_invalid_ratelimit:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_sysctl_sysctl_net_ipv4_tcp_invalid_ratelimit:obj:1" version="1">
-          <ind:filepath>/etc/sysctl.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv4.tcp_invalid_ratelimit[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_tcp_invalid_ratelimit:obj:1" version="1">
-          <ind:path>/etc/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv4.tcp_invalid_ratelimit[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_tcp_invalid_ratelimit:obj:1" version="1">
-          <ind:path>/run/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv4.tcp_invalid_ratelimit[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:sysctl_object id="oval:ssg-object_sysctl_net_ipv4_tcp_syncookies_runtime:obj:1" version="1">
-          <unix:name>net.ipv4.tcp_syncookies</unix:name>
-        </unix:sysctl_object>
-        <ind:variable_object id="oval:ssg-object_sysctl_net_ipv4_tcp_syncookies_defined_in_one_file:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_sysctl_net_ipv4_tcp_syncookies_counter:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_net_ipv4_tcp_syncookies_static_set_sysctls:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_sysctl_net_ipv4_tcp_syncookies_static_set_sysctls_unfiltered:obj:1</oval-def:object_reference>
-            <oval-def:filter action="exclude">oval:ssg-state_sysctl_net_ipv4_tcp_syncookies_filepath_is_symlink:ste:1</oval-def:filter>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-var_object_symlink_sysctl_net_ipv4_tcp_syncookies:obj:1" comment="combine the blank string with symlink paths found" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-var_obj_symlink_sysctl_net_ipv4_tcp_syncookies:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-var_obj_blank_sysctl_net_ipv4_tcp_syncookies:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_blank_sysctl_net_ipv4_tcp_syncookies:obj:1" comment="variable object of the blank string" version="1">
-          <ind:var_ref>oval:ssg-local_var_blank_path_sysctl_net_ipv4_tcp_syncookies:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_symlink_sysctl_net_ipv4_tcp_syncookies:obj:1" comment="variable object of the symlinks found" version="1">
-          <ind:var_ref>oval:ssg-local_var_symlinks_sysctl_net_ipv4_tcp_syncookies:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:symlink_object comment="Symlinks referencing files in default dirs" id="oval:ssg-object_sysctl_net_ipv4_tcp_syncookies_symlinks:obj:1" version="1">
-          <unix:filepath operation="equals" var_ref="oval:ssg-local_var_conf_files_sysctl_net_ipv4_tcp_syncookies:var:1"/>
-          <oval-def:filter action="exclude">oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_net_ipv4_tcp_syncookies:ste:1</oval-def:filter>
-        </unix:symlink_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_net_ipv4_tcp_syncookies_static_set_sysctls_unfiltered:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_tcp_syncookies:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_run_usr_sysctls_sysctl_net_ipv4_tcp_syncookies:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctls_sysctl_net_ipv4_tcp_syncookies:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_sysctl_sysctl_net_ipv4_tcp_syncookies:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_tcp_syncookies:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_usr_sysctls_sysctl_net_ipv4_tcp_syncookies:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_tcp_syncookies:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_sysctl_sysctl_net_ipv4_tcp_syncookies:obj:1" version="1">
-          <ind:filepath>/etc/sysctl.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv4.tcp_syncookies[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctld_sysctl_net_ipv4_tcp_syncookies:obj:1" version="1">
-          <ind:path>/etc/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv4.tcp_syncookies[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_sysctld_sysctl_net_ipv4_tcp_syncookies:obj:1" version="1">
-          <ind:path>/run/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv4.tcp_syncookies[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:sysctl_object id="oval:ssg-object_sysctl_net_ipv6_conf_all_accept_ra_runtime:obj:1" version="1">
-          <unix:name>net.ipv6.conf.all.accept_ra</unix:name>
-        </unix:sysctl_object>
-        <ind:variable_object id="oval:ssg-object_sysctl_net_ipv6_conf_all_accept_ra_defined_in_one_file:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_sysctl_net_ipv6_conf_all_accept_ra_counter:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_net_ipv6_conf_all_accept_ra_static_set_sysctls:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_sysctl_net_ipv6_conf_all_accept_ra_static_set_sysctls_unfiltered:obj:1</oval-def:object_reference>
-            <oval-def:filter action="exclude">oval:ssg-state_sysctl_net_ipv6_conf_all_accept_ra_filepath_is_symlink:ste:1</oval-def:filter>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-var_object_symlink_sysctl_net_ipv6_conf_all_accept_ra:obj:1" comment="combine the blank string with symlink paths found" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-var_obj_symlink_sysctl_net_ipv6_conf_all_accept_ra:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-var_obj_blank_sysctl_net_ipv6_conf_all_accept_ra:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_blank_sysctl_net_ipv6_conf_all_accept_ra:obj:1" comment="variable object of the blank string" version="1">
-          <ind:var_ref>oval:ssg-local_var_blank_path_sysctl_net_ipv6_conf_all_accept_ra:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_symlink_sysctl_net_ipv6_conf_all_accept_ra:obj:1" comment="variable object of the symlinks found" version="1">
-          <ind:var_ref>oval:ssg-local_var_symlinks_sysctl_net_ipv6_conf_all_accept_ra:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:symlink_object comment="Symlinks referencing files in default dirs" id="oval:ssg-object_sysctl_net_ipv6_conf_all_accept_ra_symlinks:obj:1" version="1">
-          <unix:filepath operation="equals" var_ref="oval:ssg-local_var_conf_files_sysctl_net_ipv6_conf_all_accept_ra:var:1"/>
-          <oval-def:filter action="exclude">oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_net_ipv6_conf_all_accept_ra:ste:1</oval-def:filter>
-        </unix:symlink_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_net_ipv6_conf_all_accept_ra_static_set_sysctls_unfiltered:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctls_sysctl_net_ipv6_conf_all_accept_ra:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_run_usr_sysctls_sysctl_net_ipv6_conf_all_accept_ra:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctls_sysctl_net_ipv6_conf_all_accept_ra:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_sysctl_sysctl_net_ipv6_conf_all_accept_ra:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctld_sysctl_net_ipv6_conf_all_accept_ra:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_usr_sysctls_sysctl_net_ipv6_conf_all_accept_ra:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_all_accept_ra:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_sysctl_sysctl_net_ipv6_conf_all_accept_ra:obj:1" version="1">
-          <ind:filepath>/etc/sysctl.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv6.conf.all.accept_ra[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctld_sysctl_net_ipv6_conf_all_accept_ra:obj:1" version="1">
-          <ind:path>/etc/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv6.conf.all.accept_ra[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_all_accept_ra:obj:1" version="1">
-          <ind:path>/run/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv6.conf.all.accept_ra[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:sysctl_object id="oval:ssg-object_sysctl_net_ipv6_conf_all_accept_redirects_runtime:obj:1" version="1">
-          <unix:name>net.ipv6.conf.all.accept_redirects</unix:name>
-        </unix:sysctl_object>
-        <ind:variable_object id="oval:ssg-object_sysctl_net_ipv6_conf_all_accept_redirects_defined_in_one_file:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_sysctl_net_ipv6_conf_all_accept_redirects_counter:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_net_ipv6_conf_all_accept_redirects_static_set_sysctls:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_sysctl_net_ipv6_conf_all_accept_redirects_static_set_sysctls_unfiltered:obj:1</oval-def:object_reference>
-            <oval-def:filter action="exclude">oval:ssg-state_sysctl_net_ipv6_conf_all_accept_redirects_filepath_is_symlink:ste:1</oval-def:filter>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-var_object_symlink_sysctl_net_ipv6_conf_all_accept_redirects:obj:1" comment="combine the blank string with symlink paths found" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-var_obj_symlink_sysctl_net_ipv6_conf_all_accept_redirects:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-var_obj_blank_sysctl_net_ipv6_conf_all_accept_redirects:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_blank_sysctl_net_ipv6_conf_all_accept_redirects:obj:1" comment="variable object of the blank string" version="1">
-          <ind:var_ref>oval:ssg-local_var_blank_path_sysctl_net_ipv6_conf_all_accept_redirects:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_symlink_sysctl_net_ipv6_conf_all_accept_redirects:obj:1" comment="variable object of the symlinks found" version="1">
-          <ind:var_ref>oval:ssg-local_var_symlinks_sysctl_net_ipv6_conf_all_accept_redirects:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:symlink_object comment="Symlinks referencing files in default dirs" id="oval:ssg-object_sysctl_net_ipv6_conf_all_accept_redirects_symlinks:obj:1" version="1">
-          <unix:filepath operation="equals" var_ref="oval:ssg-local_var_conf_files_sysctl_net_ipv6_conf_all_accept_redirects:var:1"/>
-          <oval-def:filter action="exclude">oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_net_ipv6_conf_all_accept_redirects:ste:1</oval-def:filter>
-        </unix:symlink_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_net_ipv6_conf_all_accept_redirects_static_set_sysctls_unfiltered:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctls_sysctl_net_ipv6_conf_all_accept_redirects:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_run_usr_sysctls_sysctl_net_ipv6_conf_all_accept_redirects:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctls_sysctl_net_ipv6_conf_all_accept_redirects:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_sysctl_sysctl_net_ipv6_conf_all_accept_redirects:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctld_sysctl_net_ipv6_conf_all_accept_redirects:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_usr_sysctls_sysctl_net_ipv6_conf_all_accept_redirects:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_all_accept_redirects:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_sysctl_sysctl_net_ipv6_conf_all_accept_redirects:obj:1" version="1">
-          <ind:filepath>/etc/sysctl.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv6.conf.all.accept_redirects[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctld_sysctl_net_ipv6_conf_all_accept_redirects:obj:1" version="1">
-          <ind:path>/etc/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv6.conf.all.accept_redirects[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_all_accept_redirects:obj:1" version="1">
-          <ind:path>/run/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv6.conf.all.accept_redirects[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:sysctl_object id="oval:ssg-object_sysctl_net_ipv6_conf_all_accept_source_route_runtime:obj:1" version="1">
-          <unix:name>net.ipv6.conf.all.accept_source_route</unix:name>
-        </unix:sysctl_object>
-        <ind:variable_object id="oval:ssg-object_sysctl_net_ipv6_conf_all_accept_source_route_defined_in_one_file:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_sysctl_net_ipv6_conf_all_accept_source_route_counter:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_net_ipv6_conf_all_accept_source_route_static_set_sysctls:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_sysctl_net_ipv6_conf_all_accept_source_route_static_set_sysctls_unfiltered:obj:1</oval-def:object_reference>
-            <oval-def:filter action="exclude">oval:ssg-state_sysctl_net_ipv6_conf_all_accept_source_route_filepath_is_symlink:ste:1</oval-def:filter>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-var_object_symlink_sysctl_net_ipv6_conf_all_accept_source_route:obj:1" comment="combine the blank string with symlink paths found" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-var_obj_symlink_sysctl_net_ipv6_conf_all_accept_source_route:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-var_obj_blank_sysctl_net_ipv6_conf_all_accept_source_route:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_blank_sysctl_net_ipv6_conf_all_accept_source_route:obj:1" comment="variable object of the blank string" version="1">
-          <ind:var_ref>oval:ssg-local_var_blank_path_sysctl_net_ipv6_conf_all_accept_source_route:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_symlink_sysctl_net_ipv6_conf_all_accept_source_route:obj:1" comment="variable object of the symlinks found" version="1">
-          <ind:var_ref>oval:ssg-local_var_symlinks_sysctl_net_ipv6_conf_all_accept_source_route:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:symlink_object comment="Symlinks referencing files in default dirs" id="oval:ssg-object_sysctl_net_ipv6_conf_all_accept_source_route_symlinks:obj:1" version="1">
-          <unix:filepath operation="equals" var_ref="oval:ssg-local_var_conf_files_sysctl_net_ipv6_conf_all_accept_source_route:var:1"/>
-          <oval-def:filter action="exclude">oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_net_ipv6_conf_all_accept_source_route:ste:1</oval-def:filter>
-        </unix:symlink_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_net_ipv6_conf_all_accept_source_route_static_set_sysctls_unfiltered:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctls_sysctl_net_ipv6_conf_all_accept_source_route:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_run_usr_sysctls_sysctl_net_ipv6_conf_all_accept_source_route:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctls_sysctl_net_ipv6_conf_all_accept_source_route:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_sysctl_sysctl_net_ipv6_conf_all_accept_source_route:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctld_sysctl_net_ipv6_conf_all_accept_source_route:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_usr_sysctls_sysctl_net_ipv6_conf_all_accept_source_route:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_all_accept_source_route:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_sysctl_sysctl_net_ipv6_conf_all_accept_source_route:obj:1" version="1">
-          <ind:filepath>/etc/sysctl.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv6.conf.all.accept_source_route[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctld_sysctl_net_ipv6_conf_all_accept_source_route:obj:1" version="1">
-          <ind:path>/etc/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv6.conf.all.accept_source_route[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_all_accept_source_route:obj:1" version="1">
-          <ind:path>/run/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv6.conf.all.accept_source_route[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:sysctl_object id="oval:ssg-object_sysctl_net_ipv6_conf_all_disable_ipv6_runtime:obj:1" version="1">
-          <unix:name>net.ipv6.conf.all.disable_ipv6</unix:name>
-        </unix:sysctl_object>
-        <ind:variable_object id="oval:ssg-object_sysctl_net_ipv6_conf_all_disable_ipv6_defined_in_one_file:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_sysctl_net_ipv6_conf_all_disable_ipv6_counter:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_net_ipv6_conf_all_disable_ipv6_static_set_sysctls:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_sysctl_net_ipv6_conf_all_disable_ipv6_static_set_sysctls_unfiltered:obj:1</oval-def:object_reference>
-            <oval-def:filter action="exclude">oval:ssg-state_sysctl_net_ipv6_conf_all_disable_ipv6_filepath_is_symlink:ste:1</oval-def:filter>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-var_object_symlink_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1" comment="combine the blank string with symlink paths found" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-var_obj_symlink_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-var_obj_blank_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_blank_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1" comment="variable object of the blank string" version="1">
-          <ind:var_ref>oval:ssg-local_var_blank_path_sysctl_net_ipv6_conf_all_disable_ipv6:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_symlink_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1" comment="variable object of the symlinks found" version="1">
-          <ind:var_ref>oval:ssg-local_var_symlinks_sysctl_net_ipv6_conf_all_disable_ipv6:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:symlink_object comment="Symlinks referencing files in default dirs" id="oval:ssg-object_sysctl_net_ipv6_conf_all_disable_ipv6_symlinks:obj:1" version="1">
-          <unix:filepath operation="equals" var_ref="oval:ssg-local_var_conf_files_sysctl_net_ipv6_conf_all_disable_ipv6:var:1"/>
-          <oval-def:filter action="exclude">oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_net_ipv6_conf_all_disable_ipv6:ste:1</oval-def:filter>
-        </unix:symlink_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_net_ipv6_conf_all_disable_ipv6_static_set_sysctls_unfiltered:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_run_usr_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_sysctl_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_usr_sysctls_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_sysctl_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1" version="1">
-          <ind:filepath>/etc/sysctl.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1" version="1">
-          <ind:path>/etc/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1" version="1">
-          <ind:path>/run/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv6.conf.all.disable_ipv6[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:sysctl_object id="oval:ssg-object_sysctl_net_ipv6_conf_default_accept_ra_runtime:obj:1" version="1">
-          <unix:name>net.ipv6.conf.default.accept_ra</unix:name>
-        </unix:sysctl_object>
-        <ind:variable_object id="oval:ssg-object_sysctl_net_ipv6_conf_default_accept_ra_defined_in_one_file:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_sysctl_net_ipv6_conf_default_accept_ra_counter:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_net_ipv6_conf_default_accept_ra_static_set_sysctls:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_sysctl_net_ipv6_conf_default_accept_ra_static_set_sysctls_unfiltered:obj:1</oval-def:object_reference>
-            <oval-def:filter action="exclude">oval:ssg-state_sysctl_net_ipv6_conf_default_accept_ra_filepath_is_symlink:ste:1</oval-def:filter>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-var_object_symlink_sysctl_net_ipv6_conf_default_accept_ra:obj:1" comment="combine the blank string with symlink paths found" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-var_obj_symlink_sysctl_net_ipv6_conf_default_accept_ra:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-var_obj_blank_sysctl_net_ipv6_conf_default_accept_ra:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_blank_sysctl_net_ipv6_conf_default_accept_ra:obj:1" comment="variable object of the blank string" version="1">
-          <ind:var_ref>oval:ssg-local_var_blank_path_sysctl_net_ipv6_conf_default_accept_ra:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_symlink_sysctl_net_ipv6_conf_default_accept_ra:obj:1" comment="variable object of the symlinks found" version="1">
-          <ind:var_ref>oval:ssg-local_var_symlinks_sysctl_net_ipv6_conf_default_accept_ra:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:symlink_object comment="Symlinks referencing files in default dirs" id="oval:ssg-object_sysctl_net_ipv6_conf_default_accept_ra_symlinks:obj:1" version="1">
-          <unix:filepath operation="equals" var_ref="oval:ssg-local_var_conf_files_sysctl_net_ipv6_conf_default_accept_ra:var:1"/>
-          <oval-def:filter action="exclude">oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_net_ipv6_conf_default_accept_ra:ste:1</oval-def:filter>
-        </unix:symlink_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_net_ipv6_conf_default_accept_ra_static_set_sysctls_unfiltered:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctls_sysctl_net_ipv6_conf_default_accept_ra:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_run_usr_sysctls_sysctl_net_ipv6_conf_default_accept_ra:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctls_sysctl_net_ipv6_conf_default_accept_ra:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_sysctl_sysctl_net_ipv6_conf_default_accept_ra:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctld_sysctl_net_ipv6_conf_default_accept_ra:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_usr_sysctls_sysctl_net_ipv6_conf_default_accept_ra:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_default_accept_ra:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_sysctl_sysctl_net_ipv6_conf_default_accept_ra:obj:1" version="1">
-          <ind:filepath>/etc/sysctl.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv6.conf.default.accept_ra[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctld_sysctl_net_ipv6_conf_default_accept_ra:obj:1" version="1">
-          <ind:path>/etc/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv6.conf.default.accept_ra[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_default_accept_ra:obj:1" version="1">
-          <ind:path>/run/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv6.conf.default.accept_ra[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:sysctl_object id="oval:ssg-object_sysctl_net_ipv6_conf_default_accept_redirects_runtime:obj:1" version="1">
-          <unix:name>net.ipv6.conf.default.accept_redirects</unix:name>
-        </unix:sysctl_object>
-        <ind:variable_object id="oval:ssg-object_sysctl_net_ipv6_conf_default_accept_redirects_defined_in_one_file:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_sysctl_net_ipv6_conf_default_accept_redirects_counter:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_net_ipv6_conf_default_accept_redirects_static_set_sysctls:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_sysctl_net_ipv6_conf_default_accept_redirects_static_set_sysctls_unfiltered:obj:1</oval-def:object_reference>
-            <oval-def:filter action="exclude">oval:ssg-state_sysctl_net_ipv6_conf_default_accept_redirects_filepath_is_symlink:ste:1</oval-def:filter>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-var_object_symlink_sysctl_net_ipv6_conf_default_accept_redirects:obj:1" comment="combine the blank string with symlink paths found" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-var_obj_symlink_sysctl_net_ipv6_conf_default_accept_redirects:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-var_obj_blank_sysctl_net_ipv6_conf_default_accept_redirects:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_blank_sysctl_net_ipv6_conf_default_accept_redirects:obj:1" comment="variable object of the blank string" version="1">
-          <ind:var_ref>oval:ssg-local_var_blank_path_sysctl_net_ipv6_conf_default_accept_redirects:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_symlink_sysctl_net_ipv6_conf_default_accept_redirects:obj:1" comment="variable object of the symlinks found" version="1">
-          <ind:var_ref>oval:ssg-local_var_symlinks_sysctl_net_ipv6_conf_default_accept_redirects:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:symlink_object comment="Symlinks referencing files in default dirs" id="oval:ssg-object_sysctl_net_ipv6_conf_default_accept_redirects_symlinks:obj:1" version="1">
-          <unix:filepath operation="equals" var_ref="oval:ssg-local_var_conf_files_sysctl_net_ipv6_conf_default_accept_redirects:var:1"/>
-          <oval-def:filter action="exclude">oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_net_ipv6_conf_default_accept_redirects:ste:1</oval-def:filter>
-        </unix:symlink_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_net_ipv6_conf_default_accept_redirects_static_set_sysctls_unfiltered:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctls_sysctl_net_ipv6_conf_default_accept_redirects:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_run_usr_sysctls_sysctl_net_ipv6_conf_default_accept_redirects:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctls_sysctl_net_ipv6_conf_default_accept_redirects:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_sysctl_sysctl_net_ipv6_conf_default_accept_redirects:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctld_sysctl_net_ipv6_conf_default_accept_redirects:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_usr_sysctls_sysctl_net_ipv6_conf_default_accept_redirects:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_default_accept_redirects:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_sysctl_sysctl_net_ipv6_conf_default_accept_redirects:obj:1" version="1">
-          <ind:filepath>/etc/sysctl.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv6.conf.default.accept_redirects[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctld_sysctl_net_ipv6_conf_default_accept_redirects:obj:1" version="1">
-          <ind:path>/etc/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv6.conf.default.accept_redirects[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_default_accept_redirects:obj:1" version="1">
-          <ind:path>/run/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv6.conf.default.accept_redirects[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:sysctl_object id="oval:ssg-object_sysctl_net_ipv6_conf_default_accept_source_route_runtime:obj:1" version="1">
-          <unix:name>net.ipv6.conf.default.accept_source_route</unix:name>
-        </unix:sysctl_object>
-        <ind:variable_object id="oval:ssg-object_sysctl_net_ipv6_conf_default_accept_source_route_defined_in_one_file:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_sysctl_net_ipv6_conf_default_accept_source_route_counter:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_net_ipv6_conf_default_accept_source_route_static_set_sysctls:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_sysctl_net_ipv6_conf_default_accept_source_route_static_set_sysctls_unfiltered:obj:1</oval-def:object_reference>
-            <oval-def:filter action="exclude">oval:ssg-state_sysctl_net_ipv6_conf_default_accept_source_route_filepath_is_symlink:ste:1</oval-def:filter>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-var_object_symlink_sysctl_net_ipv6_conf_default_accept_source_route:obj:1" comment="combine the blank string with symlink paths found" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-var_obj_symlink_sysctl_net_ipv6_conf_default_accept_source_route:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-var_obj_blank_sysctl_net_ipv6_conf_default_accept_source_route:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_blank_sysctl_net_ipv6_conf_default_accept_source_route:obj:1" comment="variable object of the blank string" version="1">
-          <ind:var_ref>oval:ssg-local_var_blank_path_sysctl_net_ipv6_conf_default_accept_source_route:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_symlink_sysctl_net_ipv6_conf_default_accept_source_route:obj:1" comment="variable object of the symlinks found" version="1">
-          <ind:var_ref>oval:ssg-local_var_symlinks_sysctl_net_ipv6_conf_default_accept_source_route:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:symlink_object comment="Symlinks referencing files in default dirs" id="oval:ssg-object_sysctl_net_ipv6_conf_default_accept_source_route_symlinks:obj:1" version="1">
-          <unix:filepath operation="equals" var_ref="oval:ssg-local_var_conf_files_sysctl_net_ipv6_conf_default_accept_source_route:var:1"/>
-          <oval-def:filter action="exclude">oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_net_ipv6_conf_default_accept_source_route:ste:1</oval-def:filter>
-        </unix:symlink_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_net_ipv6_conf_default_accept_source_route_static_set_sysctls_unfiltered:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctls_sysctl_net_ipv6_conf_default_accept_source_route:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_run_usr_sysctls_sysctl_net_ipv6_conf_default_accept_source_route:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctls_sysctl_net_ipv6_conf_default_accept_source_route:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_sysctl_sysctl_net_ipv6_conf_default_accept_source_route:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctld_sysctl_net_ipv6_conf_default_accept_source_route:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_usr_sysctls_sysctl_net_ipv6_conf_default_accept_source_route:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_default_accept_source_route:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_sysctl_sysctl_net_ipv6_conf_default_accept_source_route:obj:1" version="1">
-          <ind:filepath>/etc/sysctl.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv6.conf.default.accept_source_route[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctld_sysctl_net_ipv6_conf_default_accept_source_route:obj:1" version="1">
-          <ind:path>/etc/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv6.conf.default.accept_source_route[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_default_accept_source_route:obj:1" version="1">
-          <ind:path>/run/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv6.conf.default.accept_source_route[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:sysctl_object id="oval:ssg-object_sysctl_net_ipv6_conf_default_disable_ipv6_runtime:obj:1" version="1">
-          <unix:name>net.ipv6.conf.default.disable_ipv6</unix:name>
-        </unix:sysctl_object>
-        <ind:variable_object id="oval:ssg-object_sysctl_net_ipv6_conf_default_disable_ipv6_defined_in_one_file:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_sysctl_net_ipv6_conf_default_disable_ipv6_counter:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_net_ipv6_conf_default_disable_ipv6_static_set_sysctls:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_sysctl_net_ipv6_conf_default_disable_ipv6_static_set_sysctls_unfiltered:obj:1</oval-def:object_reference>
-            <oval-def:filter action="exclude">oval:ssg-state_sysctl_net_ipv6_conf_default_disable_ipv6_filepath_is_symlink:ste:1</oval-def:filter>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-var_object_symlink_sysctl_net_ipv6_conf_default_disable_ipv6:obj:1" comment="combine the blank string with symlink paths found" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-var_obj_symlink_sysctl_net_ipv6_conf_default_disable_ipv6:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-var_obj_blank_sysctl_net_ipv6_conf_default_disable_ipv6:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_blank_sysctl_net_ipv6_conf_default_disable_ipv6:obj:1" comment="variable object of the blank string" version="1">
-          <ind:var_ref>oval:ssg-local_var_blank_path_sysctl_net_ipv6_conf_default_disable_ipv6:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_symlink_sysctl_net_ipv6_conf_default_disable_ipv6:obj:1" comment="variable object of the symlinks found" version="1">
-          <ind:var_ref>oval:ssg-local_var_symlinks_sysctl_net_ipv6_conf_default_disable_ipv6:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:symlink_object comment="Symlinks referencing files in default dirs" id="oval:ssg-object_sysctl_net_ipv6_conf_default_disable_ipv6_symlinks:obj:1" version="1">
-          <unix:filepath operation="equals" var_ref="oval:ssg-local_var_conf_files_sysctl_net_ipv6_conf_default_disable_ipv6:var:1"/>
-          <oval-def:filter action="exclude">oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_net_ipv6_conf_default_disable_ipv6:ste:1</oval-def:filter>
-        </unix:symlink_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_net_ipv6_conf_default_disable_ipv6_static_set_sysctls_unfiltered:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctls_sysctl_net_ipv6_conf_default_disable_ipv6:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_run_usr_sysctls_sysctl_net_ipv6_conf_default_disable_ipv6:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctls_sysctl_net_ipv6_conf_default_disable_ipv6:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_sysctl_sysctl_net_ipv6_conf_default_disable_ipv6:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctld_sysctl_net_ipv6_conf_default_disable_ipv6:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_usr_sysctls_sysctl_net_ipv6_conf_default_disable_ipv6:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_default_disable_ipv6:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_sysctl_sysctl_net_ipv6_conf_default_disable_ipv6:obj:1" version="1">
-          <ind:filepath>/etc/sysctl.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv6.conf.default.disable_ipv6[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctld_sysctl_net_ipv6_conf_default_disable_ipv6:obj:1" version="1">
-          <ind:path>/etc/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv6.conf.default.disable_ipv6[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_sysctld_sysctl_net_ipv6_conf_default_disable_ipv6:obj:1" version="1">
-          <ind:path>/run/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*net.ipv6.conf.default.disable_ipv6[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:sysctl_object id="oval:ssg-object_sysctl_user_max_user_namespaces_runtime:obj:1" version="1">
-          <unix:name>user.max_user_namespaces</unix:name>
-        </unix:sysctl_object>
-        <ind:variable_object id="oval:ssg-object_sysctl_user_max_user_namespaces_defined_in_one_file:obj:1" version="1">
-          <ind:var_ref>oval:ssg-local_var_sysctl_user_max_user_namespaces_counter:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_user_max_user_namespaces_static_set_sysctls:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_sysctl_user_max_user_namespaces_static_set_sysctls_unfiltered:obj:1</oval-def:object_reference>
-            <oval-def:filter action="exclude">oval:ssg-state_sysctl_user_max_user_namespaces_filepath_is_symlink:ste:1</oval-def:filter>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-var_object_symlink_sysctl_user_max_user_namespaces:obj:1" comment="combine the blank string with symlink paths found" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-var_obj_symlink_sysctl_user_max_user_namespaces:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-var_obj_blank_sysctl_user_max_user_namespaces:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_blank_sysctl_user_max_user_namespaces:obj:1" comment="variable object of the blank string" version="1">
-          <ind:var_ref>oval:ssg-local_var_blank_path_sysctl_user_max_user_namespaces:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-var_obj_symlink_sysctl_user_max_user_namespaces:obj:1" comment="variable object of the symlinks found" version="1">
-          <ind:var_ref>oval:ssg-local_var_symlinks_sysctl_user_max_user_namespaces:var:1</ind:var_ref>
-        </ind:variable_object>
-        <unix:symlink_object comment="Symlinks referencing files in default dirs" id="oval:ssg-object_sysctl_user_max_user_namespaces_symlinks:obj:1" version="1">
-          <unix:filepath operation="equals" var_ref="oval:ssg-local_var_conf_files_sysctl_user_max_user_namespaces:var:1"/>
-          <oval-def:filter action="exclude">oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_user_max_user_namespaces:ste:1</oval-def:filter>
-        </unix:symlink_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_sysctl_user_max_user_namespaces_static_set_sysctls_unfiltered:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctls_sysctl_user_max_user_namespaces:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_run_usr_sysctls_sysctl_user_max_user_namespaces:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctls_sysctl_user_max_user_namespaces:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_sysctl_sysctl_user_max_user_namespaces:obj:1</oval-def:object_reference>
-            <oval-def:object_reference>oval:ssg-object_static_etc_sysctld_sysctl_user_max_user_namespaces:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_usr_sysctls_sysctl_user_max_user_namespaces:obj:1" version="1">
-          <oval-def:set>
-            <oval-def:object_reference>oval:ssg-object_static_run_sysctld_sysctl_user_max_user_namespaces:obj:1</oval-def:object_reference>
-          </oval-def:set>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_sysctl_sysctl_user_max_user_namespaces:obj:1" version="1">
-          <ind:filepath>/etc/sysctl.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*user.max_user_namespaces[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_etc_sysctld_sysctl_user_max_user_namespaces:obj:1" version="1">
-          <ind:path>/etc/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*user.max_user_namespaces[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_static_run_sysctld_sysctl_user_max_user_namespaces:obj:1" version="1">
-          <ind:path>/run/sysctl.d</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^[\s]*user.max_user_namespaces[\s]*=[\s]*(.*)[\s]*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_zipl_audit_argument_audit_1_argument_in_boot_loader_entries_conf:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/boot/loader/entries/.*.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^options (.*)$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_zipl_audit_argument_audit_1_argument_in_etc_kernel_cmdline:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/kernel/cmdline</ind:filepath>
-          <ind:pattern operation="pattern match">^(.*)$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_zipl_audit_backlog_limit_argument_audit_backlog_limit_8192_argument_in_boot_loader_entries_conf:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/boot/loader/entries/.*.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^options (.*)$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_zipl_audit_backlog_limit_argument_audit_backlog_limit_8192_argument_in_etc_kernel_cmdline:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/kernel/cmdline</ind:filepath>
-          <ind:pattern operation="pattern match">^(.*)$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_zipl_page_poison_argument_page_poison_1_argument_in_boot_loader_entries_conf:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/boot/loader/entries/.*.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^options (.*)$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_zipl_page_poison_argument_page_poison_1_argument_in_etc_kernel_cmdline:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/kernel/cmdline</ind:filepath>
-          <ind:pattern operation="pattern match">^(.*)$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_zipl_slub_debug_argument_slub_debug_P_argument_in_boot_loader_entries_conf:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/boot/loader/entries/.*.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^options (.*)$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_zipl_slub_debug_argument_slub_debug_P_argument_in_etc_kernel_cmdline:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/kernel/cmdline</ind:filepath>
-          <ind:pattern operation="pattern match">^(.*)$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_zipl_vsyscall_argument_vsyscall_none_argument_in_boot_loader_entries_conf:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/boot/loader/entries/.*.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^options (.*)$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_zipl_vsyscall_argument_vsyscall_none_argument_in_etc_kernel_cmdline:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/kernel/cmdline</ind:filepath>
-          <ind:pattern operation="pattern match">^(.*)$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_accounts_password_pam_faillock:obj:1" version="1">
-          <ind:filepath>/etc/pam.d/system-auth</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_faillock\.so.*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_password_pam_pwquality:obj:1" version="1">
-          <ind:filepath var_ref="oval:ssg-var_pam_pwquality_config_path:var:1" var_check="at least one"/>
-          <ind:pattern operation="pattern match">^\s*password\s+(?:(?:required)|(?:requisite))\s+pam_pwquality\.so.*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_auditctl:obj:1" version="1">
-          <ind:filepath>/usr/lib/systemd/system/auditd.service</ind:filepath>
-          <ind:pattern operation="pattern match">^ExecStartPost=\-\/sbin\/auditctl.*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_audit_rules_augenrules:obj:1" version="1">
-          <ind:filepath>/usr/lib/systemd/system/auditd.service</ind:filepath>
-          <ind:pattern operation="pattern match">^(ExecStartPost=\-\/sbin\/augenrules.*$|Requires=augenrules.service)</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_ardm_setdomainname_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_ardm_setdomainname_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_ardm_setdomainname_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_ardm_setdomainname_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setdomainname[\s]+|([\s]+|[,])setdomainname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_ardm_sethostname_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_ardm_sethostname_augenrules:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/audit/rules\.d/.*\.rules$</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_32bit_ardm_sethostname_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_64bit_ardm_sethostname_auditctl:obj:1" version="1">
-          <ind:filepath>/etc/audit/audit.rules</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*-a[\s]+always,exit[\s]+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+sethostname[\s]+|([\s]+|[,])sethostname([\s]+|[,]))).*(-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_auditd_conf_log_file:obj:1" version="1">
-          <ind:filepath operation="equals">/etc/audit/auditd.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^(log_file\s*=\s*.*)$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_auditd_conf_log_group_root:obj:1" comment="log_group = root" version="1">
-          <ind:filepath operation="equals">/etc/audit/auditd.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[ ]*log_group[ ]+=[ ]+root[ ]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_auditd_conf_log_group_is_set:obj:1" comment="log_group is set" version="1">
-          <ind:filepath operation="equals">/etc/audit/auditd.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[ ]*log_group[ ]+=.*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_bootloader_disable_recovery_argument:obj:1" version="1">
-          <ind:filepath>/etc/default/grub</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*GRUB_DISABLE_RECOVERY=(.*)$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object comment="Ensure more than one chronyd NTP server is set" id="oval:ssg-object_chronyd_multiple_servers:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/chrony\.(conf|d/.+\.conf)$</ind:filepath>
-          <ind:pattern operation="pattern match">^([\s]*server[\s]+.+$){2,}$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_grub2_default_exists:obj:1" version="1">
-          <ind:filepath>/etc/default/grub</ind:filepath>
-          <ind:pattern operation="pattern match">^\s*GRUB_CMDLINE_LINUX_DEFAULT=.*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_grub2_entries_reference_kernelopts:obj:1" version="1">
-          <ind:path>/boot/loader/entries/</ind:path>
-          <ind:filename operation="pattern match">^.*\.conf$</ind:filename>
-          <ind:pattern operation="pattern match">^options(?:\s+.*)?\s+\$kernelopts\b.*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <linux:rpminfo_object id="oval:ssg-obj_alinux2:obj:1" version="1">
-          <linux:name>alinux-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_alinux3:obj:1" version="1">
-          <linux:name>alinux-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_centos7:obj:1" version="1">
-          <linux:name>centos-release</linux:name>
-        </linux:rpminfo_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_name_centos8:obj:1" version="1" comment="Check os-release ID">
-          <ind:filepath>/etc/os-release</ind:filepath>
-          <ind:pattern operation="pattern match">^ID="(\w+)"$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_version_centos8:obj:1" version="1" comment="Check os-release VERSION_ID">
-          <ind:filepath>/etc/os-release</ind:filepath>
-          <ind:pattern operation="pattern match">^VERSION_ID="(\d)"$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_name_centos9:obj:1" version="1" comment="Check os-release ID">
-          <ind:filepath>/etc/os-release</ind:filepath>
-          <ind:pattern operation="pattern match">^ID="(\w+)"$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_version_centos9:obj:1" version="1" comment="Check os-release VERSION_ID">
-          <ind:filepath>/etc/os-release</ind:filepath>
-          <ind:pattern operation="pattern match">^VERSION_ID="(\d)"$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:file_object comment="check /etc/debian_version file" id="oval:ssg-obj_debian:obj:1" version="1">
-          <unix:filepath>/etc/debian_version</unix:filepath>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_debian_10:obj:1" version="1" comment="Check Debian version">
-          <ind:filepath>/etc/debian_version</ind:filepath>
-          <ind:pattern operation="pattern match">^10.[0-9]+$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_debian_11:obj:1" version="1" comment="Check Debian version">
-          <ind:filepath>/etc/debian_version</ind:filepath>
-          <ind:pattern operation="pattern match">^11.[0-9]+$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_debian_9:obj:1" version="1" comment="Check Debian version">
-          <ind:filepath>/etc/debian_version</ind:filepath>
-          <ind:pattern operation="pattern match">^9.[0-9]+$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <linux:rpminfo_object id="oval:ssg-object_fedora_release_rpm:obj:1" version="1">
-          <linux:name operation="pattern match">fedora-release.*</linux:name>
-        </linux:rpminfo_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_fedora_vendor_product:obj:1" version="1">
-          <ind:filepath>/etc/system-release-cpe</ind:filepath>
-          <ind:pattern operation="pattern match">^cpe:\/o:fedoraproject:fedora:[\d]+$</ind:pattern>
-          <ind:instance datatype="int" operation="equals">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <linux:rpminfo_object id="oval:ssg-obj_ol7_system:obj:1" version="1">
-          <linux:name>oraclelinux-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_ol8_system:obj:1" version="1">
-          <linux:name>oraclelinux-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_ol9_system:obj:1" version="1">
-          <linux:name>oraclelinux-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_opensuse_installed:obj:1" version="1">
-          <linux:name>openSUSE-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_opensuse_leap15_installed:obj:1" version="1">
-          <linux:name>openSUSE-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_opensuse_leap42_installed:obj:1" version="1">
-          <linux:name>openSUSE-release</linux:name>
-        </linux:rpminfo_object>
-        <ind:family_object id="oval:ssg-object_unix_family:obj:1" version="1"/>
-        <ind:textfilecontent54_object id="oval:ssg-obj_rhcos:obj:1" version="1">
-          <ind:filepath>/etc/os-release</ind:filepath>
-          <ind:pattern operation="pattern match">^ID="(\w+)"$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_rhcos4:obj:1" version="1">
-          <ind:filepath>/etc/os-release</ind:filepath>
-          <ind:pattern operation="pattern match">^VERSION_ID="(\d)\.\d+"$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:family_object id="oval:ssg-obj_rhel7_unix_family:obj:1" version="1"/>
-        <linux:rpminfo_object id="oval:ssg-obj_rhel7_client:obj:1" version="1">
-          <linux:name>redhat-release-client</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_rhel7_workstation:obj:1" version="1">
-          <linux:name>redhat-release-workstation</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_rhel7_server:obj:1" version="1">
-          <linux:name>redhat-release-server</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_rhel7_computenode:obj:1" version="1">
-          <linux:name>redhat-release-computenode</linux:name>
-        </linux:rpminfo_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_rhevh_rhel7_version:obj:1" version="1">
-          <ind:filepath>/etc/redhat-release</ind:filepath>
-          <ind:pattern operation="pattern match">^Red Hat Enterprise Linux release (\d)\.\d+$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:family_object id="oval:ssg-obj_rhel8_unix_family:obj:1" version="1"/>
-        <linux:rpminfo_object id="oval:ssg-obj_rhel8:obj:1" version="1">
-          <linux:name>redhat-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_rhel8_0:obj:1" version="1">
-          <linux:name>redhat-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_rhel8_1:obj:1" version="1">
-          <linux:name>redhat-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_rhel8_2:obj:1" version="1">
-          <linux:name>redhat-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_rhel8_3:obj:1" version="1">
-          <linux:name>redhat-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_rhel8_4:obj:1" version="1">
-          <linux:name>redhat-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_rhel8_5:obj:1" version="1">
-          <linux:name>redhat-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_rhel8_6:obj:1" version="1">
-          <linux:name>redhat-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_rhel8_7:obj:1" version="1">
-          <linux:name>redhat-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_rhel8_8:obj:1" version="1">
-          <linux:name>redhat-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_rhel8_9:obj:1" version="1">
-          <linux:name>redhat-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_rhel8_10:obj:1" version="1">
-          <linux:name>redhat-release</linux:name>
-        </linux:rpminfo_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_rhevh_rhel8_version:obj:1" version="1">
-          <ind:filepath>/etc/redhat-release</ind:filepath>
-          <ind:pattern operation="pattern match">^Red Hat Enterprise Linux release (\d)\.\d+$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:family_object id="oval:ssg-obj_rhel9_unix_family:obj:1" version="1"/>
-        <linux:rpminfo_object id="oval:ssg-obj_rhel9:obj:1" version="1">
-          <linux:name>redhat-release</linux:name>
-        </linux:rpminfo_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_rhevh_rhel9_version:obj:1" version="1">
-          <ind:filepath>/etc/redhat-release</ind:filepath>
-          <ind:pattern operation="pattern match">^Red Hat Enterprise Linux release (\d)\.\d+$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <linux:rpminfo_object id="oval:ssg-obj_rhvh4_version:obj:1" version="1">
-          <linux:name>redhat-release-virtualization-host</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_sl7:obj:1" version="1">
-          <linux:name>sl-release</linux:name>
-        </linux:rpminfo_object>
-        <ind:family_object id="oval:ssg-obj_sle12_unix_family:obj:1" version="1"/>
-        <linux:rpminfo_object id="oval:ssg-obj_sle12_desktop:obj:1" version="1">
-          <linux:name>sled-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_sle12_server:obj:1" version="1">
-          <linux:name>sles-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_sles_12_for_sap:obj:1" version="1">
-          <linux:name>SLES_SAP-release</linux:name>
-        </linux:rpminfo_object>
-        <ind:family_object id="oval:ssg-obj_sle15_unix_family:obj:1" version="1"/>
-        <linux:rpminfo_object id="oval:ssg-obj_sle15_desktop:obj:1" version="1">
-          <linux:name>sled-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_sle15_server:obj:1" version="1">
-          <linux:name>sles-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_sles_15_for_sap:obj:1" version="1">
-          <linux:name>SLES_SAP-release</linux:name>
-        </linux:rpminfo_object>
-        <unix:file_object comment="check /etc/lsb-release file" id="oval:ssg-obj_lsb:obj:1" version="1">
-          <unix:filepath>/etc/lsb-release</unix:filepath>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_ubuntu:obj:1" version="1" comment="Check Ubuntu">
-          <ind:filepath>/etc/lsb-release</ind:filepath>
-          <ind:pattern operation="pattern match">^DISTRIB_ID=Ubuntu$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_ubuntu_xenial:obj:1" version="1" comment="Check Ubuntu version">
-          <ind:filepath>/etc/lsb-release</ind:filepath>
-          <ind:pattern operation="pattern match">^DISTRIB_CODENAME=xenial$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_ubuntu_bionic:obj:1" version="1" comment="Check Ubuntu version">
-          <ind:filepath>/etc/lsb-release</ind:filepath>
-          <ind:pattern operation="pattern match">^DISTRIB_CODENAME=bionic$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_ubuntu_focal:obj:1" version="1" comment="Check Ubuntu version">
-          <ind:filepath>/etc/lsb-release</ind:filepath>
-          <ind:pattern operation="pattern match">^DISTRIB_CODENAME=focal$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <linux:rpminfo_object id="oval:ssg-obj_uos20:obj:1" version="1">
-          <linux:name>uos-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_rhevm4_version:obj:1" version="1">
-          <linux:name>rhvm-appliance</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_env_has_audit_installed:obj:1" version="1">
-          <linux:name>audit</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_env_has_chrony_installed:obj:1" version="1">
-          <linux:name>chrony</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_env_has_gdm_installed:obj:1" version="1">
-          <linux:name>gdm</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_env_has_grub2_installed:obj:1" version="1">
-          <linux:name>grub2-common</linux:name>
-        </linux:rpminfo_object>
-        <unix:file_object id="oval:ssg-object_system_using_opal:obj:1" version="1">
-          <unix:filepath>/sys/firmware/opal</unix:filepath>
-        </unix:file_object>
-        <linux:rpminfo_object id="oval:ssg-obj_env_has_libuser_installed:obj:1" version="1">
-          <linux:name>libuser</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_env_has_login_defs_installed:obj:1" version="1">
-          <linux:name>shadow-utils</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_env_has_net-snmp_installed:obj:1" version="1">
-          <linux:name>net-snmp</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_env_has_nss-pam-ldapd_installed:obj:1" version="1">
-          <linux:name>nss-pam-ldapd</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_env_has_ntp_installed:obj:1" version="1">
-          <linux:name>ntp</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_env_has_ovirt-host_installed:obj:1" version="1">
-          <linux:name>ovirt-host</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_env_has_ovirt-engine_installed:obj:1" version="1">
-          <linux:name>ovirt-engine</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_env_has_pam_installed:obj:1" version="1">
-          <linux:name>pam</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_env_has_polkit_installed:obj:1" version="1">
-          <linux:name>polkit</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_env_has_postfix_installed:obj:1" version="1">
-          <linux:name>postfix</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_env_has_sssd-common_installed:obj:1" version="1">
-          <linux:name>sssd-common</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_env_has_sudo_installed:obj:1" version="1">
-          <linux:name>sudo</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_env_has_systemd_installed:obj:1" version="1">
-          <linux:name>systemd</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_env_has_tftp_server_installed:obj:1" version="1">
-          <linux:name>tftp-server</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_env_has_tmux_installed:obj:1" version="1">
-          <linux:name>tmux</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_env_has_usbguard_installed:obj:1" version="1">
-          <linux:name>usbguard</linux:name>
-        </linux:rpminfo_object>
-        <unix:file_object comment="/proc/net/wireless file" id="oval:ssg-object_proc_net_wireless_exists:obj:1" version="1">
-          <unix:filepath>/proc/net/wireless</unix:filepath>
-        </unix:file_object>
-        <linux:rpminfo_object id="oval:ssg-obj_env_has_yum_installed:obj:1" version="1">
-          <linux:name>yum</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_env_has_zipl_installed:obj:1" version="1">
-          <linux:name>s390utils-base</linux:name>
-        </linux:rpminfo_object>
-        <unix:file_object comment="Check file /.dockerenv" id="oval:ssg-object_installed_env_is_a_docker_container:obj:1" version="1">
-          <unix:filepath datatype="string">/.dockerenv</unix:filepath>
-        </unix:file_object>
-        <unix:file_object comment="Check file /run/.containerenv" id="oval:ssg-object_installed_env_is_a_podman_container:obj:1" version="1">
-          <unix:filepath datatype="string">/run/.containerenv</unix:filepath>
-        </unix:file_object>
-        <linux:rpminfo_object id="oval:ssg-obj_krb5_server_version_1_17_18:obj:1" version="1">
-          <linux:name>krb5-server</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_krb5_workstation_version_1_17_18:obj:1" version="1">
-          <linux:name>krb5-workstation</linux:name>
-        </linux:rpminfo_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_no_cd_dvd_drive_in_etc_fstab:obj:1" version="1">
-          <ind:filepath>/etc/fstab</ind:filepath>
-          <ind:pattern operation="pattern match" datatype="string" var_ref="oval:ssg-variable_cd_dvd_drive_alternative_names:var:1" var_check="at least one"/>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_proc_sys_kernel_osrelease_arch_aarch64:obj:1" version="1">
-          <ind:filepath>/proc/sys/kernel/osrelease</ind:filepath>
-          <ind:pattern operation="pattern match">^.*\.(.*)$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_proc_sys_kernel_osrelease_arch_ppc64le:obj:1" version="1">
-          <ind:filepath>/proc/sys/kernel/osrelease</ind:filepath>
-          <ind:pattern operation="pattern match">^.*\.(.*)$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_proc_sys_kernel_osrelease_arch_s390x:obj:1" version="1">
-          <ind:filepath>/proc/sys/kernel/osrelease</ind:filepath>
-          <ind:pattern operation="pattern match">^.*\.(.*)$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:file_object id="oval:ssg-object_removable_partition_doesnt_exist:obj:1" version="1">
-          <unix:filepath var_ref="oval:ssg-var_removable_partition:var:1" var_check="at least one"/>
-        </unix:file_object>
-        <ind:variable_object id="oval:ssg-object_sshd_not_required:obj:1" version="1">
-          <ind:var_ref>oval:ssg-sshd_required:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-object_sshd_required:obj:1" version="1">
-          <ind:var_ref>oval:ssg-sshd_required:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-object_sshd_requirement_unknown:obj:1" version="1">
-          <ind:var_ref>oval:ssg-sshd_required:var:1</ind:var_ref>
-        </ind:variable_object>
-        <linux:rpminfo_object id="oval:ssg-obj_openssh-server_version:obj:1" version="1">
-          <linux:name>openssh-server</linux:name>
-        </linux:rpminfo_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_id_provider_is_set_to_ad:obj:1" version="1">
-          <ind:filepath>/etc/sssd/sssd.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*\[domain\/[^]]*]([^\n\[\]]*\n+)+?[\s]*id_provider[ \t]*=[ \t]*((?i)ad)[ \t]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:file_object comment="/sys/firmware/efi" id="oval:ssg-object_file_sys_firmware_efi:obj:1" version="1">
-          <unix:path>/sys/firmware/efi</unix:path>
-          <unix:filename xsi:nil="true"/>
-        </unix:file_object>
-        <unix:uname_object comment="64 bit architecture" id="oval:ssg-object_system_info_architecture_aarch_64:obj:1" version="1"/>
-        <unix:uname_object comment="64 bit architecture" id="oval:ssg-object_system_info_architecture_ppc_64:obj:1" version="1"/>
-        <unix:uname_object comment="64 bit architecture" id="oval:ssg-object_system_info_architecture_ppcle_64:obj:1" version="1"/>
-        <unix:uname_object comment="64 bit architecture" id="oval:ssg-object_system_info_architecture_s390_64:obj:1" version="1"/>
-        <unix:uname_object comment="32 bit architecture" id="oval:ssg-object_system_info_architecture_x86:obj:1" version="1"/>
-        <unix:uname_object comment="64 bit architecture" id="oval:ssg-object_system_info_architecture_x86_64:obj:1" version="1"/>
-        <unix:file_object comment="/etc/tmux.conf" id="oval:ssg-object_tmux_conf_readable_by_others:obj:1" version="1">
-          <unix:filepath operation="equals">/etc/tmux.conf</unix:filepath>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_usbguard_rules_nonempty:obj:1" version="1">
-          <ind:filepath operation="pattern match">^/etc/usbguard/(rules|rules\.d/.*)\.conf$</ind:filepath>
-          <ind:pattern operation="pattern match">^.*\S+.*$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:variable_object id="oval:ssg-object_var_accounts_user_umask_umask_as_number:obj:1" version="1">
-          <ind:var_ref>oval:ssg-var_accounts_user_umask_umask_as_number:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-object_var_removable_partition_is_cd_dvd_drive:obj:1" version="1">
-          <ind:var_ref>oval:ssg-var_removable_partition:var:1</ind:var_ref>
-        </ind:variable_object>
-        <ind:variable_object id="oval:ssg-object_var_umask_for_daemons_umask_as_number:obj:1" version="1">
-          <ind:var_ref>oval:ssg-var_umask_for_daemons_umask_as_number:var:1</ind:var_ref>
-        </ind:variable_object>
-      </oval-def:objects>
-      <oval-def:states>
-        <ind:textfilecontent54_state id="oval:ssg-state_root_mail_alias:ste:1" version="1" comment="root email alias">
-          <ind:subexpression operation="equals" var_check="all" var_ref="oval:ssg-var_postfix_root_mail_alias:var:1"/>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_postmaster_mail_alias:ste:1" version="1" comment="postmaster email alias">
-          <ind:subexpression operation="pattern match">(?i)root</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_chronyd_port_value_0:ste:1" version="1">
-          <ind:subexpression>0</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_chronyd_cmdport_value_0:ste:1" version="1">
-          <ind:subexpression>0</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_time_service_set_maxpoll:ste:1" version="1">
-          <ind:subexpression operation="less than or equal" var_ref="oval:ssg-var_time_service_set_maxpoll:var:1" datatype="int"/>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_server_has_maxpoll:ste:1" version="1">
-          <ind:subexpression operation="pattern match" datatype="string">maxpoll \d+</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <unix:file_state id="oval:ssg-exclude_symlinks__sshd_private_key:ste:1" version="1">
-          <unix:type operation="equals">symbolic link</unix:type>
-        </unix:file_state>
-        <unix:file_state comment="All keys in /etc/ssh groupowned by root have the right permissions" id="oval:ssg-filter_ssh_key_owner_root:ste:1" version="1">
-          <unix:path>/etc/ssh</unix:path>
-          <unix:filename operation="pattern match">.*_key$</unix:filename>
-          <unix:group_id datatype="int">0</unix:group_id>
-          <unix:user_id datatype="int">0</unix:user_id>
-          <unix:suid datatype="boolean">false</unix:suid>
-          <unix:sgid datatype="boolean">false</unix:sgid>
-          <unix:sticky datatype="boolean">false</unix:sticky>
-          <unix:uexec datatype="boolean">false</unix:uexec>
-          <unix:gread datatype="boolean">false</unix:gread>
-          <unix:gwrite datatype="boolean">false</unix:gwrite>
-          <unix:gexec datatype="boolean">false</unix:gexec>
-          <unix:oread datatype="boolean">false</unix:oread>
-          <unix:owrite datatype="boolean">false</unix:owrite>
-          <unix:oexec datatype="boolean">false</unix:oexec>
-        </unix:file_state>
-        <unix:file_state comment="All keys in /etc/ssh groupowned by ssh_keys have the right permissions" id="oval:ssg-filter_ssh_key_owner_ssh_keys:ste:1" version="1">
-          <unix:path>/etc/ssh</unix:path>
-          <unix:filename operation="pattern match">.*_key$</unix:filename>
-          <unix:group_id datatype="int" var_ref="oval:ssg-group_gid:var:1"/>
-          <unix:user_id datatype="int">0</unix:user_id>
-          <unix:suid datatype="boolean">false</unix:suid>
-          <unix:sgid datatype="boolean">false</unix:sgid>
-          <unix:sticky datatype="boolean">false</unix:sticky>
-          <unix:uexec datatype="boolean">false</unix:uexec>
-          <unix:gwrite datatype="boolean">false</unix:gwrite>
-          <unix:gexec datatype="boolean">false</unix:gexec>
-          <unix:oread datatype="boolean">false</unix:oread>
-          <unix:owrite datatype="boolean">false</unix:owrite>
-          <unix:oexec datatype="boolean">false</unix:oexec>
-        </unix:file_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_sshd_disable_compression:ste:1" version="1">
-          <ind:subexpression operation="equals" var_ref="oval:ssg-var_sshd_disable_compression:var:1"/>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state comment="upper bound of ClientAliveInterval in seconds" id="oval:ssg-state_timeout_value_upper_bound:ste:1" version="1">
-          <ind:subexpression datatype="int" operation="less than or equal" var_check="all" var_ref="oval:ssg-sshd_idle_timeout_value:var:1"/>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state comment="lower bound of ClientAliveInterval in seconds" id="oval:ssg-state_timeout_value_lower_bound:ste:1" version="1">
-          <ind:subexpression datatype="int" operation="greater than">0</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_sshd_clientalivecountmax:ste:1" version="1">
-          <ind:subexpression datatype="int" operation="less than or equal" var_check="all" var_ref="oval:ssg-var_sshd_set_keepalive:var:1"/>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state comment="upper bound of LoginGraceTime in number of sessions" id="oval:ssg-state_logingracetime_value_upper_bound:ste:1" version="1">
-          <ind:subexpression datatype="int" operation="less than or equal" var_check="all" var_ref="oval:ssg-var_sshd_set_login_grace_time:var:1"/>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state comment="lower bound of LoginGraceTime in number of sessions" id="oval:ssg-state_logingracetime_value_lower_bound:ste:1" version="1">
-          <ind:subexpression datatype="int" operation="greater than">0</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state comment="upper bound of MaxAuthTries" id="oval:ssg-state_maxauthtries_value_upper_bound:ste:1" version="1">
-          <ind:subexpression datatype="int" operation="less than or equal" var_check="all" var_ref="oval:ssg-sshd_max_auth_tries_value:var:1"/>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state comment="lower bound of MaxAuthTries" id="oval:ssg-state_maxauthtries_value_lower_bound:ste:1" version="1">
-          <ind:subexpression datatype="int" operation="greater than">0</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state comment="upper bound of MaxSessions in number of sessions" id="oval:ssg-state_maxsessions_value_upper_bound:ste:1" version="1">
-          <ind:subexpression datatype="int" operation="less than or equal" var_check="all" var_ref="oval:ssg-var_sshd_max_sessions:var:1"/>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state comment="lower bound of MaxSessions in number of sessions" id="oval:ssg-state_maxsessions_value_lower_bound:ste:1" version="1">
-          <ind:subexpression datatype="int" operation="greater than or equal">0</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-ste_sshd_config_start_parameter_valid:ste:1" version="1">
-          <ind:subexpression datatype="int" operation="less than or equal">10</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-ste_sshd_config_rate_parameter_valid:ste:1" version="1">
-          <ind:subexpression datatype="int" operation="greater than or equal">30</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-ste_sshd_config_full_parameter_valid:ste:1" version="1">
-          <ind:subexpression datatype="int" operation="less than or equal">100</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_sshd_use_priv_separation:ste:1" version="1">
-          <ind:subexpression operation="equals" var_ref="oval:ssg-var_sshd_priv_separation:var:1"/>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_sssd_user_value:ste:1" comment="value of user setting" version="1">
-          <ind:subexpression>sssd</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_configure_usbguard_auditbackend:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^LinuxAudit$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_banner_etc_issue:ste:1" version="1">
-          <ind:subexpression datatype="string" var_ref="oval:ssg-login_banner_text:var:1" operation="pattern match"/>
-        </ind:textfilecontent54_state>
-        <unix:symlink_state comment="Disable Ctrl-Alt-Del key sequence override exists" id="oval:ssg-state_disable_ctrlaltdel_exists:ste:1" version="1">
-          <unix:filepath>/etc/systemd/system/ctrl-alt-del.target</unix:filepath>
-          <unix:canonical_path>/dev/null</unix:canonical_path>
-        </unix:symlink_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_configure_tmux_lock_after_time_lower_boundary:ste:1" version="1" comment="the value is greater than zero">
-          <ind:subexpression datatype="int" operation="greater than">0</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_configure_tmux_lock_after_time_upper_boundary:ste:1" version="1" comment="the value is less than or equal to 900">
-          <ind:subexpression datatype="int" operation="less than or equal">900</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_etc_default_useradd_inactive:ste:1" version="1">
-          <ind:subexpression operation="less than or equal" var_ref="oval:ssg-var_account_disable_post_pw_expiration:var:1" datatype="int"/>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_etc_default_useradd_inactive_nonnegative:ste:1" version="1">
-          <ind:subexpression operation="greater than" datatype="int">-1</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:variable_state id="oval:ssg-state_etc_passwd_no_duplicate_user_names:ste:1" version="1">
-          <ind:value var_ref="oval:ssg-variable_count_of_unique_usernames_from_etc_passwd:var:1" datatype="int" operation="equals" var_check="at least one"/>
-        </ind:variable_state>
-        <ind:variable_state id="oval:ssg-state_last_pass_max_days_instance_value:ste:1" version="1">
-          <ind:value operation="less than or equal" var_ref="oval:ssg-var_accounts_maximum_age_login_defs:var:1" datatype="int" var_check="at least one"/>
-        </ind:variable_state>
-        <ind:variable_state id="oval:ssg-state_last_pass_min_days_instance_value:ste:1" version="1">
-          <ind:value operation="greater than or equal" var_ref="oval:ssg-var_accounts_minimum_age_login_defs:var:1" datatype="int" var_check="at least one"/>
-        </ind:variable_state>
-        <ind:variable_state id="oval:ssg-state_last_pass_min_len_instance_value:ste:1" version="1">
-          <ind:value operation="greater than or equal" var_ref="oval:ssg-var_accounts_password_minlen_login_defs:var:1" datatype="int" var_check="at least one"/>
-        </ind:variable_state>
-        <ind:variable_state id="oval:ssg-state_last_pass_warn_age_instance_value:ste:1" version="1">
-          <ind:value operation="greater than or equal" var_ref="oval:ssg-var_accounts_password_warn_age_login_defs:var:1" datatype="int" var_check="at least one"/>
-        </ind:variable_state>
-        <unix:password_state id="oval:ssg-state_accounts_password_all_shadowed:ste:1" version="1">
-          <unix:password operation="pattern match">^[x*]$</unix:password>
-        </unix:password_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_gid_passwd_group_same:ste:1" version="1">
-          <ind:subexpression operation="equals" var_ref="oval:ssg-var_gid_passwd_group_same:var:1" var_check="at least one" datatype="string"/>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_accounts_root_gid_zero:ste:1" version="1" comment="root account's gid is equal to 0">
-          <ind:subexpression operation="equals" datatype="int">0</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_uid_less_than_zero:ste:1" version="1">
-          <ind:subexpression datatype="int" operation="less than">0</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_uid_greater_than_or_equal_uid_min:ste:1" version="1">
-          <ind:subexpression datatype="int" operation="greater than or equal" var_ref="oval:ssg-variable_uid_min_value:var:1"/>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_uid_greater_than_or_equal_sys_uid_min:ste:1" version="1">
-          <ind:subexpression datatype="int" operation="greater than or equal" var_ref="oval:ssg-variable_sys_uid_min_value:var:1"/>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_uid_less_than_sys_uid_min:ste:1" version="1">
-          <ind:subexpression datatype="int" operation="less than" var_ref="oval:ssg-variable_sys_uid_min_value:var:1"/>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_uid_greater_than_or_equal_sys_uid_max:ste:1" version="1">
-          <ind:subexpression datatype="int" operation="greater than or equal" var_ref="oval:ssg-variable_sys_uid_max_value:var:1"/>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_accounts_logon_fail_delay:ste:1" version="1">
-          <ind:subexpression operation="greater than or equal" var_ref="oval:ssg-var_accounts_fail_delay:var:1" datatype="int"/>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_maxlogins:ste:1" version="1">
-          <ind:subexpression operation="less than or equal" var_ref="oval:ssg-var_accounts_max_concurrent_login_sessions:var:1" datatype="int"/>
-        </ind:textfilecontent54_state>
-        <unix:file_state id="oval:ssg-state_tmp_inst:ste:1" version="1">
-          <unix:type>directory</unix:type>
-          <unix:uread datatype="boolean">false</unix:uread>
-          <unix:uwrite datatype="boolean">false</unix:uwrite>
-          <unix:uexec datatype="boolean">false</unix:uexec>
-          <unix:gread datatype="boolean">false</unix:gread>
-          <unix:gwrite datatype="boolean">false</unix:gwrite>
-          <unix:gexec datatype="boolean">false</unix:gexec>
-          <unix:oread datatype="boolean">false</unix:oread>
-          <unix:owrite datatype="boolean">false</unix:owrite>
-          <unix:oexec datatype="boolean">false</unix:oexec>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_var_tmp_tmp_inst:ste:1" version="1">
-          <unix:type>directory</unix:type>
-          <unix:uread datatype="boolean">false</unix:uread>
-          <unix:uwrite datatype="boolean">false</unix:uwrite>
-          <unix:uexec datatype="boolean">false</unix:uexec>
-          <unix:gread datatype="boolean">false</unix:gread>
-          <unix:gwrite datatype="boolean">false</unix:gwrite>
-          <unix:gexec datatype="boolean">false</unix:gexec>
-          <unix:oread datatype="boolean">false</unix:oread>
-          <unix:owrite datatype="boolean">false</unix:owrite>
-          <unix:oexec datatype="boolean">false</unix:oexec>
-        </unix:file_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_etc_profile_tmout:ste:1" version="2">
-          <ind:subexpression datatype="int" operation="less than or equal" var_check="all" var_ref="oval:ssg-var_accounts_tmout:var:1"/>
-        </ind:textfilecontent54_state>
-        <unix:password_state id="oval:ssg-state_file_permissions_home_dirs_interactive_uids:ste:1" version="1">
-          <unix:user_id datatype="int" operation="greater than or equal">1000</unix:user_id>
-        </unix:password_state>
-        <unix:file_state id="oval:ssg-state_file_permissions_home_dirs_dirs:ste:1" version="1" operator="AND">
-          <unix:type operation="equals">directory</unix:type>
-          <unix:suid datatype="boolean">false</unix:suid>
-          <unix:sgid datatype="boolean">false</unix:sgid>
-          <unix:sticky datatype="boolean">false</unix:sticky>
-          <unix:gwrite datatype="boolean">false</unix:gwrite>
-          <unix:oread datatype="boolean">false</unix:oread>
-          <unix:owrite datatype="boolean">false</unix:owrite>
-          <unix:oexec datatype="boolean">false</unix:oexec>
-        </unix:file_state>
-        <unix:file_state comment="group or other has write privilege" id="oval:ssg-state_accounts_root_path_dirs_wrong_perms:ste:1" version="1" operator="OR">
-          <unix:gwrite datatype="boolean">true</unix:gwrite>
-          <unix:owrite datatype="boolean">true</unix:owrite>
-        </unix:file_state>
-        <unix:file_state comment="symbolic link" id="oval:ssg-state_accounts_root_path_dirs_symlink:ste:1" version="1">
-          <unix:type operation="equals">symbolic link</unix:type>
-        </unix:file_state>
-        <ind:environmentvariable58_state comment="starts with colon or period" id="oval:ssg-state_begins_colon_period:ste:1" version="1">
-          <ind:value operation="pattern match">^[:\.]</ind:value>
-        </ind:environmentvariable58_state>
-        <ind:environmentvariable58_state comment="colon twice in a row" id="oval:ssg-state_contains_double_colon:ste:1" version="1">
-          <ind:value operation="pattern match">::</ind:value>
-        </ind:environmentvariable58_state>
-        <ind:environmentvariable58_state comment="period twice in a row" id="oval:ssg-state_contains_double_period:ste:1" version="1">
-          <ind:value operation="pattern match">\.\.</ind:value>
-        </ind:environmentvariable58_state>
-        <ind:environmentvariable58_state comment="ends with colon or period" id="oval:ssg-state_ends_colon_period:ste:1" version="1">
-          <ind:value operation="pattern match">[:\.]$</ind:value>
-        </ind:environmentvariable58_state>
-        <ind:environmentvariable58_state comment="begins with a slash" id="oval:ssg-state_begins_slash:ste:1" version="1">
-          <ind:value operation="pattern match">^[^/]</ind:value>
-        </ind:environmentvariable58_state>
-        <ind:environmentvariable58_state comment="elements begin with a slash" id="oval:ssg-state_contains_relative_path:ste:1" version="1">
-          <ind:value operation="pattern match">[^\\]:[^/]</ind:value>
-        </ind:environmentvariable58_state>
-        <ind:variable_state id="oval:ssg-ste_accounts_umask_etc_bashrc:ste:1" version="1">
-          <ind:value datatype="int" operation="bitwise and" var_ref="oval:ssg-var_accounts_user_umask_umask_as_number:var:1"/>
-        </ind:variable_state>
-        <ind:variable_state id="oval:ssg-ste_accounts_umask_etc_csh_cshrc:ste:1" version="1">
-          <ind:value datatype="int" operation="bitwise and" var_ref="oval:ssg-var_accounts_user_umask_umask_as_number:var:1"/>
-        </ind:variable_state>
-        <ind:variable_state id="oval:ssg-ste_accounts_umask_etc_login_defs:ste:1" version="1">
-          <ind:value datatype="int" operation="bitwise and" var_ref="oval:ssg-var_accounts_user_umask_umask_as_number:var:1"/>
-        </ind:variable_state>
-        <ind:variable_state id="oval:ssg-ste_accounts_umask_etc_profile:ste:1" version="1">
-          <ind:value datatype="int" operation="bitwise and" var_ref="oval:ssg-var_accounts_user_umask_umask_as_number:var:1"/>
-        </ind:variable_state>
-        <unix:file_state id="oval:ssg-state_not_mode_0750:ste:1" version="1" operator="OR">
-          <unix:suid datatype="boolean">true</unix:suid>
-          <unix:sgid datatype="boolean">true</unix:sgid>
-          <unix:sticky datatype="boolean">true</unix:sticky>
-          <unix:gwrite datatype="boolean">true</unix:gwrite>
-          <unix:oread datatype="boolean">true</unix:oread>
-          <unix:owrite datatype="boolean">true</unix:owrite>
-          <unix:oexec datatype="boolean">true</unix:oexec>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_not_mode_0700:ste:1" version="1" operator="OR">
-          <unix:suid datatype="boolean">true</unix:suid>
-          <unix:sgid datatype="boolean">true</unix:sgid>
-          <unix:sticky datatype="boolean">true</unix:sticky>
-          <unix:gread datatype="boolean">true</unix:gread>
-          <unix:gwrite datatype="boolean">true</unix:gwrite>
-          <unix:gexec datatype="boolean">true</unix:gexec>
-          <unix:oread datatype="boolean">true</unix:oread>
-          <unix:owrite datatype="boolean">true</unix:owrite>
-          <unix:oexec datatype="boolean">true</unix:oexec>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_owner_not_root_root_var_log_audit:ste:1" version="1" operator="OR">
-          <unix:group_id datatype="int" operation="not equal">0</unix:group_id>
-          <unix:user_id datatype="int" operation="not equal">0</unix:user_id>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_owner_not_root_var_log_audit-non_root:ste:1" version="1" operator="OR">
-          <unix:group_id datatype="int" operation="not equal">0</unix:group_id>
-          <unix:user_id datatype="int" operation="equals">0</unix:user_id>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_not_mode_0640:ste:1" version="1" operator="OR">
-          <unix:suid datatype="boolean">true</unix:suid>
-          <unix:sgid datatype="boolean">true</unix:sgid>
-          <unix:sticky datatype="boolean">true</unix:sticky>
-          <unix:uexec datatype="boolean">true</unix:uexec>
-          <unix:gwrite datatype="boolean">true</unix:gwrite>
-          <unix:gexec datatype="boolean">true</unix:gexec>
-          <unix:oread datatype="boolean">true</unix:oread>
-          <unix:owrite datatype="boolean">true</unix:owrite>
-          <unix:oexec datatype="boolean">true</unix:oexec>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_not_mode_0600:ste:1" version="1" operator="OR">
-          <unix:suid datatype="boolean">true</unix:suid>
-          <unix:sgid datatype="boolean">true</unix:sgid>
-          <unix:sticky datatype="boolean">true</unix:sticky>
-          <unix:uexec datatype="boolean">true</unix:uexec>
-          <unix:gread datatype="boolean">true</unix:gread>
-          <unix:gwrite datatype="boolean">true</unix:gwrite>
-          <unix:gexec datatype="boolean">true</unix:gexec>
-          <unix:oread datatype="boolean">true</unix:oread>
-          <unix:owrite datatype="boolean">true</unix:owrite>
-          <unix:oexec datatype="boolean">true</unix:oexec>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_setuid_or_setgid_set:ste:1" version="1" operator="OR">
-          <unix:suid datatype="boolean">true</unix:suid>
-          <unix:sgid datatype="boolean">true</unix:sgid>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_dev_proc_sys_dirs:ste:1" version="1">
-          <unix:filepath operation="pattern match">^\/(dev|proc|sys)\/.*$</unix:filepath>
-        </unix:file_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_proper_audit_rule_but_for_unprivileged_command:ste:1" version="1">
-          <ind:subexpression operation="not equal" datatype="string" var_ref="oval:ssg-variable_all_privileged_commands:var:1" var_check="all"/>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_audit_rules_privileged_commands:ste:1" version="1">
-          <ind:subexpression operation="pattern match" datatype="string" var_ref="oval:ssg-variable_all_privileged_commands:var:1" var_check="at least one"/>
-        </ind:textfilecontent54_state>
-        <ind:variable_state id="oval:ssg-state_count_of_privileged_commands_having_audit_definition_augenrules:ste:1" version="1">
-          <ind:value operation="equals" datatype="int" var_ref="oval:ssg-variable_count_of_privileged_commands_having_audit_definition_augenrules:var:1" var_check="at least one"/>
-        </ind:variable_state>
-        <ind:variable_state id="oval:ssg-state_count_of_privileged_commands_having_audit_definition_auditctl:ste:1" version="1">
-          <ind:value operation="equals" datatype="int" var_ref="oval:ssg-variable_count_of_privileged_commands_having_audit_definition_auditctl:var:1" var_check="at least one"/>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_auditd_audispd_configure_remote_server:ste:1" version="1">
-          <ind:subexpression operation="equals" var_ref="oval:ssg-var_audispd_remote_server:var:1"/>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_auditd_audispd_disk_full_action:ste:1" version="1">
-          <ind:subexpression operation="equals" var_ref="oval:ssg-var_audispd_disk_full_action:var:1"/>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_auditd_audispd_network_failure_action:ste:1" version="1">
-          <ind:subexpression operation="equals" var_ref="oval:ssg-var_audispd_network_failure_action:var:1"/>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_auditd_data_disk_error_action:ste:1" version="1">
-          <ind:subexpression operation="pattern match" var_ref="oval:ssg-var_auditd_disk_error_action_regex:var:1"/>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_auditd_data_disk_error_action_stig_syslog:ste:1" version="1">
-          <ind:subexpression operation="case insensitive equals">SYSLOG</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_auditd_data_disk_error_action_stig_single:ste:1" version="1">
-          <ind:subexpression operation="case insensitive equals">SINGLE</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_auditd_data_disk_error_action_stig_halt:ste:1" version="1">
-          <ind:subexpression operation="case insensitive equals">HALT</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_auditd_data_disk_full_action:ste:1" version="1">
-          <ind:subexpression operation="pattern match" var_ref="oval:ssg-var_auditd_disk_full_action_regex:var:1"/>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_auditd_data_disk_full_action_stig_syslog:ste:1" version="1">
-          <ind:subexpression operation="case insensitive equals">SYSLOG</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_auditd_data_disk_full_action_stig_single:ste:1" version="1">
-          <ind:subexpression operation="case insensitive equals">SINGLE</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_auditd_data_disk_full_action_stig_halt:ste:1" version="1">
-          <ind:subexpression operation="case insensitive equals">HALT</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_auditd_data_retention_action_mail_acct:ste:1" version="1">
-          <ind:subexpression operation="equals" var_ref="oval:ssg-var_auditd_action_mail_acct:var:1"/>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_auditd_data_retention_admin_space_left_action:ste:1" version="1">
-          <ind:subexpression operation="case insensitive equals" var_ref="oval:ssg-var_auditd_admin_space_left_action:var:1"/>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_auditd_data_retention_flush:ste:1" version="1">
-          <ind:subexpression operation="case insensitive equals" var_ref="oval:ssg-var_auditd_flush:var:1"/>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_auditd_data_retention_max_log_file:ste:1" version="1">
-          <ind:subexpression operation="greater than or equal" var_ref="oval:ssg-var_auditd_max_log_file:var:1" datatype="int"/>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_auditd_data_retention_max_log_file_action:ste:1" version="1">
-          <ind:subexpression operation="case insensitive equals" var_ref="oval:ssg-var_auditd_max_log_file_action:var:1"/>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_auditd_data_retention_max_log_file_action_stig_syslog:ste:1" version="1">
-          <ind:subexpression operation="case insensitive equals">syslog</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_auditd_data_retention_max_log_file_action_stig_keep_logs:ste:1" version="1">
-          <ind:subexpression operation="case insensitive equals">keep_logs</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_auditd_data_retention_num_logs:ste:1" version="1">
-          <ind:subexpression operation="greater than or equal" var_ref="oval:ssg-var_auditd_num_logs:var:1" datatype="int"/>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_auditd_data_retention_space_left:ste:1" version="1">
-          <ind:subexpression operation="greater than or equal" var_ref="oval:ssg-var_auditd_space_left:var:1" datatype="int"/>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_auditd_data_retention_space_left_action:ste:1" version="2">
-          <ind:subexpression operation="case insensitive equals" var_ref="oval:ssg-var_auditd_space_left_action:var:1"/>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_auditd_overflow_action:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^(?i)(syslog|single|halt)(?-i)$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_doc_10-base-config:ste:1" version="1">
-          <ind:text operation="equals" var_check="all" var_ref="oval:ssg-var_doc_10-base-config:var:1"/>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_doc_11-loginuid:ste:1" version="1">
-          <ind:text operation="equals" var_check="all" var_ref="oval:ssg-var_doc_11-loginuid:var:1"/>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_doc_30-ospp-v42:ste:1" version="1">
-          <ind:text operation="equals" var_check="all" var_ref="oval:ssg-var_doc_30-ospp-v42:var:1"/>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_doc_43-module-load:ste:1" version="1">
-          <ind:text operation="equals" var_check="all" var_ref="oval:ssg-var_doc_43-module-load:var:1"/>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_bootloader_uefi_superuser_differ_from_other_users:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="not equal" var_check="all" var_ref="oval:ssg-var_uefi_user_accounts:var:1"/>
-        </ind:textfilecontent54_state>
-        <unix:file_state id="oval:ssg-state_zipl_bootmap_is_newer_than_zipl_conf:ste:1" version="1">
-          <unix:m_time datatype="int" operation="greater than or equal" var_check="all" var_ref="oval:ssg-variable_zipl_conf_file_age:var:1"/>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_zipl_bootmap_is_newer_than_boot_entries:ste:1" version="1">
-          <unix:m_time datatype="int" operation="greater than or equal" var_check="all" var_ref="oval:ssg-variable_boot_entry_files_age:var:1"/>
-        </unix:file_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_zipl_systemd_debug-shell_argument_in_boot_loader_entries_conf:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">\bsystemd.debug-shell\b</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_zipl_systemd_debug-shell_argument_in_etc_kernel_cmdline:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">\bsystemd.debug-shell\b</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_groupownership_ignore_include_paths:ste:1" comment="ignore" version="1">
-          <ind:text operation="pattern match">(?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+|\/dev\/.*)</ind:text>
-        </ind:textfilecontent54_state>
-        <unix:file_state id="oval:ssg-state_rsyslog_files_groupownership:ste:1" version="1">
-          <unix:type operation="equals">regular</unix:type>
-          <unix:group_id datatype="int">0</unix:group_id>
-        </unix:file_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_owner_ignore_include_paths:ste:1" comment="ignore" version="1">
-          <ind:text operation="pattern match">(?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+|\/dev\/.*)</ind:text>
-        </ind:textfilecontent54_state>
-        <unix:file_state id="oval:ssg-state_rsyslog_files_ownership:ste:1" version="1">
-          <unix:type operation="equals">regular</unix:type>
-          <unix:user_id datatype="int">0</unix:user_id>
-        </unix:file_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_permissions_ignore_include_paths:ste:1" comment="ignore" version="1">
-          <ind:text operation="pattern match">(?:file="[^\s;]+"|\$IncludeConfig[\s]+[^\s;]+|\/dev\/.*)</ind:text>
-        </ind:textfilecontent54_state>
-        <unix:file_state id="oval:ssg-state_rsyslog_files_permissions:ste:1" version="1">
-          <unix:type operation="equals">regular</unix:type>
-          <unix:uexec datatype="boolean">false</unix:uexec>
-          <unix:gread datatype="boolean">false</unix:gread>
-          <unix:gwrite datatype="boolean">false</unix:gwrite>
-          <unix:gexec datatype="boolean">false</unix:gexec>
-          <unix:oread datatype="boolean">false</unix:oread>
-          <unix:owrite datatype="boolean">false</unix:owrite>
-          <unix:oexec datatype="boolean">false</unix:oexec>
-        </unix:file_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_network_nmcli_permissions:ste:1" version="1">
-          <ind:subexpression datatype="string">ResultActive=auth_admin</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <unix:interface_state id="oval:ssg-state_wifi_up:ste:1" version="1">
-          <unix:flag datatype="string" entity_check="at least one" operation="equals">UP</unix:flag>
-        </unix:interface_state>
-        <unix:file_state id="oval:ssg-state_world_writable_and_not_sticky:ste:1" version="1">
-          <unix:sticky datatype="boolean">false</unix:sticky>
-          <unix:owrite datatype="boolean">true</unix:owrite>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_owner_systemmap:ste:1" version="1">
-          <unix:user_id datatype="int" operation="equals">0</unix:user_id>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_permissions_systemmap:ste:1" version="1">
-          <unix:suid datatype="boolean">false</unix:suid>
-          <unix:sgid datatype="boolean">false</unix:sgid>
-          <unix:sticky datatype="boolean">false</unix:sticky>
-          <unix:uexec datatype="boolean">false</unix:uexec>
-          <unix:gread datatype="boolean">false</unix:gread>
-          <unix:gwrite datatype="boolean">false</unix:gwrite>
-          <unix:gexec datatype="boolean">false</unix:gexec>
-          <unix:oread datatype="boolean">false</unix:oread>
-          <unix:owrite datatype="boolean">false</unix:owrite>
-          <unix:oexec datatype="boolean">false</unix:oexec>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_permissions_unauthorized_world_write:ste:1" version="1">
-          <unix:type operation="equals">regular</unix:type>
-          <unix:owrite datatype="boolean">true</unix:owrite>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_permissions_unauthorized_world_write_exclude_special_selinux_files:ste:1" version="1">
-          <unix:filepath operation="pattern match">^/selinux/(?:(?:member)|(?:user)|(?:relabel)|(?:create)|(?:access)|(?:context))$</unix:filepath>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_permissions_unauthorized_world_write_exclude_proc:ste:1" version="1">
-          <unix:filepath operation="pattern match">^/proc/.*$</unix:filepath>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_permissions_unauthorized_world_write_exclude_sys:ste:1" version="1">
-          <unix:filepath operation="pattern match">^/sys/.*$</unix:filepath>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_owner_binaries_not_root:ste:1" version="1" operator="OR">
-          <unix:user_id datatype="int" operation="not equal">0</unix:user_id>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_perms_binary_files_nogroupwrite_noworldwrite:ste:1" version="1" operator="OR">
-          <unix:gwrite datatype="boolean">true</unix:gwrite>
-          <unix:owrite datatype="boolean">true</unix:owrite>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_perms_binary_files_symlink:ste:1" version="1">
-          <unix:type operation="equals">symbolic link</unix:type>
-        </unix:file_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_grub2_nousb_argument:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^.*\bnousb\b.*$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <linux:partition_state id="oval:ssg-state_local_nodev:ste:1" version="1">
-          <linux:device operation="pattern match">^/dev/.*$</linux:device>
-          <linux:mount_options datatype="string" entity_check="all" operation="not equal">nodev</linux:mount_options>
-        </linux:partition_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_coredump_disable_backtraces:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^(?i)0(?-i)$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_coredump_disable_storage:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^(?i)none(?-i)$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_core_dumps_limitsconf:ste:1" version="1">
-          <ind:subexpression operation="equals">0</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_core_dumps_limits_d:ste:1" version="1">
-          <ind:subexpression operation="equals">0</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <linux:selinuxsecuritycontext_state comment="state unconfined_service_t" id="oval:ssg-state_selinux_confinement_of_daemons:ste:1" version="1">
-          <linux:type datatype="string" operation="equals">unconfined_service_t</linux:type>
-        </linux:selinuxsecuritycontext_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_selinux_policy:ste:1" version="1">
-          <ind:subexpression operation="equals" var_check="all" var_ref="oval:ssg-var_selinux_policy_name:var:1"/>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_etc_selinux_config:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="equals" var_check="all" var_ref="oval:ssg-var_selinux_state:var:1"/>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_proc_cpuinfo_64_bit:ste:1" version="1">
-          <ind:subexpression operation="pattern match">\blm\b</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_proc_sys_kernel_osrelease_64_bit:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^(x86_64|aarch64|ppc64le|s390x)$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_gnome_gdm_disable_xdmcp:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^false$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:variable_state id="oval:ssg-state_crypto_current_file_newer_than_config_file:ste:1" version="1">
-          <ind:value datatype="int" operation="less than or equal" var_check="all" var_ref="oval:ssg-variable_crypto_policies_current_file_timestamp:var:1"/>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_configure_crypto_policy:ste:1" version="1">
-          <ind:subexpression operation="equals" var_check="all" var_ref="oval:ssg-var_system_crypto_policy:var:1"/>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_configure_crypto_policy_current:ste:1" version="1">
-          <ind:subexpression operation="equals" var_check="all" var_ref="oval:ssg-var_system_crypto_policy:var:1"/>
-        </ind:textfilecontent54_state>
-        <ind:variable_state id="oval:ssg-state_symlink_kerberos_crypto_policy_backend:ste:1" version="1">
-          <ind:value datatype="string" operation="equals" var_ref="oval:ssg-var_symlink_kerberos_crypto_policy_backend:var:1"/>
-        </ind:variable_state>
-        <ind:variable_state id="oval:ssg-state_location_of_kerberos_crypto_policy_backend:ste:1" version="1">
-          <ind:value datatype="string" operation="equals">/etc/crypto-policies/back-ends/krb5.config</ind:value>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_harden_openssl_crypto_policy:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_harden_ssh_client_crypto_policy_Match:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^final all$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_harden_ssh_client_crypto_policy_RekeyLimit:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^512M 1h$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_harden_ssh_client_crypto_policy_GSSAPIAuthentication:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^no$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_harden_ssh_client_crypto_policy_Ciphers:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^aes256-ctr,aes256-cbc,aes128-ctr,aes128-cbc$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_harden_ssh_client_crypto_policy_PubkeyAcceptedKeyTypes:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^ssh-rsa,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_harden_ssh_client_crypto_policy_MACs:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^hmac-sha2-512,hmac-sha2-256$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_harden_ssh_client_crypto_policy_KexAlgorithms:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha1$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_harden_sshd_crypto_policy:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^'-oCiphers=aes256-ctr,aes128-ctr,aes256-cbc,aes128-cbc -oMACs=hmac-sha2-512,hmac-sha2-256 -oGSSAPIKeyExchange=no -oKexAlgorithms=ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=ssh-rsa,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256 -oPubkeyAcceptedKeyTypes=rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256'$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_enable_dracut_fips_module:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="equals">fips</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:variable_state comment="variable value is set to 'FIPS' or 'FIPS:modifier', where the modifier corresponds to a crypto policy module that further restricts the modified crypto policy." id="oval:ssg-ste_system_crypto_policy_value:ste:1" version="2">
-          <ind:value operation="pattern match" datatype="string">^FIPS(:(OSPP|NO-SHA1|NO-CAMELLIA))?$</ind:value>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_grub2_enable_fips_mode:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^.*fips=1.*$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <linux:rpmverifyfile_state id="oval:ssg-state_files_fail_user_ownership:ste:1" version="1">
-          <linux:ownership_differs>fail</linux:ownership_differs>
-        </linux:rpmverifyfile_state>
-        <linux:rpmverifyfile_state id="oval:ssg-state_files_fail_group_ownership:ste:1" version="1">
-          <linux:group_differs>fail</linux:group_differs>
-        </linux:rpmverifyfile_state>
-        <linux:rpmverifyfile_state id="oval:ssg-state_files_fail_mode:ste:1" version="1">
-          <linux:mode_differs>fail</linux:mode_differs>
-        </linux:rpmverifyfile_state>
-        <linux:rpminfo_state id="oval:ssg-state_package_gpg-pubkey-fd431d51-4ae0493b:ste:1" version="1">
-          <linux:release>4ae0493b</linux:release>
-          <linux:version>fd431d51</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_package_gpg-pubkey--:ste:1" version="1">
-          <linux:release/>
-          <linux:version/>
-        </linux:rpminfo_state>
-        <ind:textfilecontent54_state id="oval:ssg-audit_access_failed_state_whole_file_contents_tc_audit_rules_d_30_ospp_v42_3_access_failed_rules:ste:1" version="1">
-          <ind:text operation="equals">## Unsuccessful file access (any other opens) This has to go last.
--a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-access
--a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-access
--a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-access
--a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-access
-</ind:text>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-audit_access_success_state_whole_file_contents_tc_audit_rules_d_30_ospp_v42_3_access_success_rules:ste:1" version="1">
-          <ind:text operation="equals">## Successful file access (any other opens) This has to go last.
-## These next two are likely to result in a whole lot of events
--a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-access
--a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-access
-</ind:text>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-audit_basic_configuration_state_whole_file_contents_tc_audit_rules_d_10_base_config_rules:ste:1" version="1">
-          <ind:text operation="equals">## First rule - delete all
--D
-
-## Increase the buffers to survive stress events.
-## Make this bigger for busy systems
--b 8192
-
-## This determine how long to wait in burst of events
---backlog_wait_time 60000
-
-## Set failure mode to syslog
--f 1
-
-</ind:text>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-audit_create_failed_state_whole_file_contents_tc_audit_rules_d_30_ospp_v42_1_create_failed_rules:ste:1" version="1">
-          <ind:text operation="equals">## Unsuccessful file creation (open with O_CREAT)
--a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&amp;0100 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-create
--a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&amp;0100 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-create
--a always,exit -F arch=b32 -S open -F a1&amp;0100 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-create
--a always,exit -F arch=b64 -S open -F a1&amp;0100 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-create
--a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-create
--a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-create
--a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&amp;0100 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-create
--a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&amp;0100 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-create
--a always,exit -F arch=b32 -S open -F a1&amp;0100 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-create
--a always,exit -F arch=b64 -S open -F a1&amp;0100 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-create
--a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-create
--a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-create
-</ind:text>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-audit_create_success_state_whole_file_contents_tc_audit_rules_d_30_ospp_v42_1_create_success_rules:ste:1" version="1">
-          <ind:text operation="equals">## Successful file creation (open with O_CREAT)
--a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&amp;0100 -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-create
--a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&amp;0100 -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-create
--a always,exit -F arch=b32 -S open -F a1&amp;0100 -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-create
--a always,exit -F arch=b64 -S open -F a1&amp;0100 -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-create
--a always,exit -F arch=b32 -S creat -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-create
--a always,exit -F arch=b64 -S creat -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-create
-</ind:text>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-audit_delete_failed_state_whole_file_contents_tc_audit_rules_d_30_ospp_v42_4_delete_failed_rules:ste:1" version="1">
-          <ind:text operation="equals">## Unsuccessful file delete
--a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-delete
--a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-delete
--a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-delete
--a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-delete
-</ind:text>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-audit_delete_success_state_whole_file_contents_tc_audit_rules_d_30_ospp_v42_4_delete_success_rules:ste:1" version="1">
-          <ind:text operation="equals">## Successful file delete
--a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-delete
--a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-delete
-</ind:text>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-audit_immutable_login_uids_state_whole_file_contents_tc_audit_rules_d_11_loginuid_rules:ste:1" version="1">
-          <ind:text operation="equals">## Make the loginuid immutable. This prevents tampering with the auid.
---loginuid-immutable
-
-</ind:text>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-audit_modify_failed_state_whole_file_contents_tc_audit_rules_d_30_ospp_v42_2_modify_failed_rules:ste:1" version="1">
-          <ind:text operation="equals">## Unsuccessful file modifications (open for write or truncate)
--a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&amp;01003 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
--a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&amp;01003 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
--a always,exit -F arch=b32 -S open -F a1&amp;01003 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
--a always,exit -F arch=b64 -S open -F a1&amp;01003 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
--a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
--a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
--a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&amp;01003 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
--a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&amp;01003 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
--a always,exit -F arch=b32 -S open -F a1&amp;01003 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
--a always,exit -F arch=b64 -S open -F a1&amp;01003 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
--a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
--a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
-</ind:text>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-audit_modify_success_state_whole_file_contents_tc_audit_rules_d_30_ospp_v42_2_modify_success_rules:ste:1" version="1">
-          <ind:text operation="equals">## Successful file modifications (open for write or truncate)
--a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&amp;01003 -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-modification
--a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&amp;01003 -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-modification
--a always,exit -F arch=b32 -S open -F a1&amp;01003 -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-modification
--a always,exit -F arch=b64 -S open -F a1&amp;01003 -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-modification
--a always,exit -F arch=b32 -S truncate,ftruncate -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-modification
--a always,exit -F arch=b64 -S truncate,ftruncate -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-modification
-</ind:text>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-audit_module_load_state_whole_file_contents_tc_audit_rules_d_43_module_load_rules:ste:1" version="1">
-          <ind:text operation="equals">## These rules watch for kernel module insertion. By monitoring
-## the syscall, we do not need any watches on programs.
--a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load
--a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load
--a always,exit -F arch=b32 -S delete_module -F key=module-unload
--a always,exit -F arch=b64 -S delete_module -F key=module-unload
-</ind:text>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-audit_ospp_general_state_whole_file_contents_tc_audit_rules_d_30_ospp_v42_rules:ste:1" version="1">
-          <ind:text operation="equals">## The purpose of these rules is to meet the requirements for Operating
-## System Protection Profile (OSPP)v4.2. These rules depends on having
-## the following rule files copied to /etc/audit/rules.d:
-##
-## 10-base-config.rules, 11-loginuid.rules,
-## 30-ospp-v42-1-create-failed.rules, 30-ospp-v42-1-create-success.rules,
-## 30-ospp-v42-2-modify-failed.rules, 30-ospp-v42-2-modify-success.rules,
-## 30-ospp-v42-3-access-failed.rules, 30-ospp-v42-3-access-success.rules,
-## 30-ospp-v42-4-delete-failed.rules, 30-ospp-v42-4-delete-success.rules,
-## 30-ospp-v42-5-perm-change-failed.rules,
-## 30-ospp-v42-5-perm-change-success.rules,
-## 30-ospp-v42-6-owner-change-failed.rules,
-## 30-ospp-v42-6-owner-change-success.rules
-##
-## original copies may be found in /usr/share/audit/sample-rules/
-
-
-## User add delete modify. This is covered by pam. However, someone could
-## open a file and directly create or modify a user, so we'll watch passwd and
-## shadow for writes
--a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&amp;03 -F path=/etc/passwd -F auid&gt;=1000 -F auid!=unset -F key=user-modify
--a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&amp;03 -F path=/etc/passwd -F auid&gt;=1000 -F auid!=unset -F key=user-modify
--a always,exit -F arch=b32 -S open -F a1&amp;03 -F path=/etc/passwd -F auid&gt;=1000 -F auid!=unset -F key=user-modify
--a always,exit -F arch=b64 -S open -F a1&amp;03 -F path=/etc/passwd -F auid&gt;=1000 -F auid!=unset -F key=user-modify
--a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&amp;03 -F path=/etc/shadow -F auid&gt;=1000 -F auid!=unset -F key=user-modify
--a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&amp;03 -F path=/etc/shadow -F auid&gt;=1000 -F auid!=unset -F key=user-modify
--a always,exit -F arch=b32 -S open -F a1&amp;03 -F path=/etc/shadow -F auid&gt;=1000 -F auid!=unset -F key=user-modify
--a always,exit -F arch=b64 -S open -F a1&amp;03 -F path=/etc/shadow -F auid&gt;=1000 -F auid!=unset -F key=user-modify
-
-## User enable and disable. This is entirely handled by pam.
-
-## Group add delete modify. This is covered by pam. However, someone could
-## open a file and directly create or modify a user, so we'll watch group and
-## gshadow for writes
--a always,exit -F path=/etc/passwd -F perm=wa -F auid&gt;=1000 -F auid!=unset -F key=user-modify
--a always,exit -F path=/etc/shadow -F perm=wa -F auid&gt;=1000 -F auid!=unset -F key=user-modify
--a always,exit -F path=/etc/group -F perm=wa -F auid&gt;=1000 -F auid!=unset -F key=group-modify
--a always,exit -F path=/etc/gshadow -F perm=wa -F auid&gt;=1000 -F auid!=unset -F key=group-modify
-
-
-## Use of special rights for config changes. This would be use of setuid
-## programs that relate to user accts. This is not all setuid apps because
-## requirements are only for ones that affect system configuration.
--a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid&gt;=1000 -F auid!=unset -F key=special-config-changes
--a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid&gt;=1000 -F auid!=unset -F key=special-config-changes
--a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid&gt;=1000 -F auid!=unset -F key=special-config-changes
--a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid&gt;=1000 -F auid!=unset -F key=special-config-changes
--a always,exit -F path=/usr/bin/mount -F perm=x -F auid&gt;=1000 -F auid!=unset -F key=special-config-changes
--a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid&gt;=1000 -F auid!=unset -F key=special-config-changes
--a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid&gt;=1000 -F auid!=unset -F key=special-config-changes
--a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid&gt;=1000 -F auid!=unset -F key=special-config-changes
--a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid&gt;=1000 -F auid!=unset -F key=special-config-changes
--a always,exit -F path=/usr/bin/umount -F perm=x -F auid&gt;=1000 -F auid!=unset -F key=special-config-changes
--a always,exit -F path=/usr/bin/passwd -F perm=x -F auid&gt;=1000 -F auid!=unset -F key=special-config-changes
--a always,exit -F path=/usr/bin/crontab -F perm=x -F auid&gt;=1000 -F auid!=unset -F key=special-config-changes
--a always,exit -F path=/usr/bin/at -F perm=x -F auid&gt;=1000 -F auid!=unset -F key=special-config-changes
-
-## Privilege escalation via su or sudo. This is entirely handled by pam.
-
-## Watch for configuration changes to privilege escalation.
--a always,exit -F path=/etc/sudoers -F perm=wa -F key=special-config-changes
--a always,exit -F dir=/etc/sudoers.d/ -F perm=wa -F key=special-config-changes
-
-## Audit log access
--a always,exit -F dir=/var/log/audit/ -F perm=r -F auid&gt;=1000 -F auid!=unset -F key=access-audit-trail
-## Attempts to Alter Process and Session Initiation Information
--a always,exit -F path=/var/run/utmp -F perm=wa -F auid&gt;=1000 -F auid!=unset -F key=session
--a always,exit -F path=/var/log/btmp -F perm=wa -F auid&gt;=1000 -F auid!=unset -F key=session
--a always,exit -F path=/var/log/wtmp -F perm=wa -F auid&gt;=1000 -F auid!=unset -F key=session
-
-## Attempts to modify MAC controls
--a always,exit -F dir=/etc/selinux/ -F perm=wa -F auid&gt;=1000 -F auid!=unset -F key=MAC-policy
-
-## Software updates. This is entirely handled by rpm.
-
-## System start and shutdown. This is entirely handled by systemd
-
-## Kernel Module loading. This is handled in 43-module-load.rules
-
-## Application invocation. The requirements list an optional requirement
-## FPT_SRP_EXT.1 Software Restriction Policies. This event is intended to
-## state results from that policy. This would be handled entirely by
-## that daemon.
-
-</ind:text>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-audit_owner_change_failed_state_whole_file_contents_tc_audit_rules_d_30_ospp_v42_6_owner_change_failed_rules:ste:1" version="1">
-          <ind:text operation="equals">## Unsuccessful ownership change
--a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-owner-change
--a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-owner-change
--a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-owner-change
--a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-owner-change
-</ind:text>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-audit_owner_change_success_state_whole_file_contents_tc_audit_rules_d_30_ospp_v42_6_owner_change_success_rules:ste:1" version="1">
-          <ind:text operation="equals">## Successful ownership change
--a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-owner-change
--a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-owner-change
-</ind:text>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-audit_perm_change_failed_state_whole_file_contents_tc_audit_rules_d_30_ospp_v42_5_perm_change_failed_rules:ste:1" version="1">
-          <ind:text operation="equals">## Unsuccessful permission change
--a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-perm-change
--a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-perm-change
--a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-perm-change
--a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-perm-change
-</ind:text>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-audit_perm_change_success_state_whole_file_contents_tc_audit_rules_d_30_ospp_v42_5_perm_change_success_rules:ste:1" version="1">
-          <ind:text operation="equals">## Successful permission change
--a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-perm-change
--a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-perm-change
-</ind:text>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_auditd_freq:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^(?i)50(?-i)$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_auditd_local_events:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^(?i)yes(?-i)$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_auditd_log_format:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^(?i)ENRICHED(?-i)$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_auditd_name_format:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^(?i)hostname(?-i)$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_auditd_write_logs:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^(?i)yes(?-i)$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_coreos_audit_backlog_limit_kernel_argument_audit_backlog_limit_8192_argument_in_boot_loader_entries_ostree_1_conf:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?audit_backlog_limit=8192(?:\s.*)?$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_coreos_audit_backlog_limit_kernel_argument_audit_backlog_limit_8192_argument_in_boot_loader_entries_ostree_2_conf:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?audit_backlog_limit=8192(?:\s.*)?$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_coreos_audit_backlog_limit_kernel_argument_audit_backlog_limit_8192_argument_in_proc_cmdline:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?audit_backlog_limit=8192(?:\s.*)?$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_coreos_audit_option_audit_1_argument_in_boot_loader_entries_ostree_1_conf:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?audit=1(?:\s.*)?$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_coreos_audit_option_audit_1_argument_in_boot_loader_entries_ostree_2_conf:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?audit=1(?:\s.*)?$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_coreos_audit_option_audit_1_argument_in_proc_cmdline:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?audit=1(?:\s.*)?$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_coreos_disable_interactive_boot_systemd_confirm_spawn_1_yes_true_on_argument_in_boot_loader_entries_ostree_1_conf:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?systemd.confirm_spawn=(?:1|yes|true|on)(?:\s.*)?$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_coreos_disable_interactive_boot_systemd_confirm_spawn_1_yes_true_on_argument_in_boot_loader_entries_ostree_2_conf:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?systemd.confirm_spawn=(?:1|yes|true|on)(?:\s.*)?$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_coreos_disable_interactive_boot_systemd_confirm_spawn_1_yes_true_on_argument_in_proc_cmdline:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?systemd.confirm_spawn=(?:1|yes|true|on)(?:\s.*)?$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_coreos_enable_selinux_kernel_argument_selinux_0_argument_in_boot_loader_entries_ostree_1_conf:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?selinux=0(?:\s.*)?$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_coreos_enable_selinux_kernel_argument_selinux_0_argument_in_boot_loader_entries_ostree_2_conf:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?selinux=0(?:\s.*)?$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_coreos_enable_selinux_kernel_argument_selinux_0_argument_in_proc_cmdline:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?selinux=0(?:\s.*)?$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_coreos_nousb_kernel_argument_nousb_argument_in_boot_loader_entries_ostree_1_conf:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?nousb(?:\s.*)?$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_coreos_nousb_kernel_argument_nousb_argument_in_boot_loader_entries_ostree_2_conf:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?nousb(?:\s.*)?$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_coreos_nousb_kernel_argument_nousb_argument_in_proc_cmdline:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?nousb(?:\s.*)?$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_coreos_page_poison_kernel_argument_page_poison_1_argument_in_boot_loader_entries_ostree_1_conf:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?page_poison=1(?:\s.*)?$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_coreos_page_poison_kernel_argument_page_poison_1_argument_in_boot_loader_entries_ostree_2_conf:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?page_poison=1(?:\s.*)?$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_coreos_page_poison_kernel_argument_page_poison_1_argument_in_proc_cmdline:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?page_poison=1(?:\s.*)?$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_coreos_pti_kernel_argument_pti_on_argument_in_boot_loader_entries_ostree_1_conf:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?pti=on(?:\s.*)?$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_coreos_pti_kernel_argument_pti_on_argument_in_boot_loader_entries_ostree_2_conf:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?pti=on(?:\s.*)?$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_coreos_pti_kernel_argument_pti_on_argument_in_proc_cmdline:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?pti=on(?:\s.*)?$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_coreos_slub_debug_kernel_argument_slub_debug_P_argument_in_boot_loader_entries_ostree_1_conf:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?slub_debug=P(?:\s.*)?$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_coreos_slub_debug_kernel_argument_slub_debug_P_argument_in_boot_loader_entries_ostree_2_conf:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?slub_debug=P(?:\s.*)?$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_coreos_slub_debug_kernel_argument_slub_debug_P_argument_in_proc_cmdline:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?slub_debug=P(?:\s.*)?$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_coreos_vsyscall_kernel_argument_vsyscall_none_argument_in_boot_loader_entries_ostree_1_conf:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?vsyscall=none(?:\s.*)?$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_coreos_vsyscall_kernel_argument_vsyscall_none_argument_in_boot_loader_entries_ostree_2_conf:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?vsyscall=none(?:\s.*)?$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_coreos_vsyscall_kernel_argument_vsyscall_none_argument_in_proc_cmdline:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?vsyscall=none(?:\s.*)?$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <unix:file_state id="oval:ssg-state_file_ownerdir_ownership_binary_dirs_uid_0_0:ste:1" version="1">
-          <unix:user_id datatype="int">0</unix:user_id>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_ownerdir_ownership_binary_dirs_uid_0_1:ste:1" version="1">
-          <unix:user_id datatype="int">0</unix:user_id>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_ownerdir_ownership_binary_dirs_uid_0_2:ste:1" version="1">
-          <unix:user_id datatype="int">0</unix:user_id>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_ownerdir_ownership_binary_dirs_uid_0_3:ste:1" version="1">
-          <unix:user_id datatype="int">0</unix:user_id>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_ownerdir_ownership_binary_dirs_uid_0_4:ste:1" version="1">
-          <unix:user_id datatype="int">0</unix:user_id>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_ownerdir_ownership_binary_dirs_uid_0_5:ste:1" version="1">
-          <unix:user_id datatype="int">0</unix:user_id>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-symlink_file_ownerdir_ownership_binary_dirs_uid_0:ste:1" version="1">
-          <unix:type operation="equals">symbolic link</unix:type>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_ownerdir_ownership_library_dirs_uid_0_0:ste:1" version="1">
-          <unix:user_id datatype="int">0</unix:user_id>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_ownerdir_ownership_library_dirs_uid_0_1:ste:1" version="1">
-          <unix:user_id datatype="int">0</unix:user_id>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_ownerdir_ownership_library_dirs_uid_0_2:ste:1" version="1">
-          <unix:user_id datatype="int">0</unix:user_id>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_ownerdir_ownership_library_dirs_uid_0_3:ste:1" version="1">
-          <unix:user_id datatype="int">0</unix:user_id>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-symlink_file_ownerdir_ownership_library_dirs_uid_0:ste:1" version="1">
-          <unix:type operation="equals">symbolic link</unix:type>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_permissionsdir_permissions_binary_dirs_0_mode_0755or_stricter_:ste:1" operator="AND" version="3">
-          <unix:suid datatype="boolean">false</unix:suid>
-          <unix:sgid datatype="boolean">false</unix:sgid>
-          <unix:sticky datatype="boolean">false</unix:sticky>
-          <unix:gwrite datatype="boolean">false</unix:gwrite>
-          <unix:owrite datatype="boolean">false</unix:owrite>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_permissionsdir_permissions_binary_dirs_1_mode_0755or_stricter_:ste:1" operator="AND" version="3">
-          <unix:suid datatype="boolean">false</unix:suid>
-          <unix:sgid datatype="boolean">false</unix:sgid>
-          <unix:sticky datatype="boolean">false</unix:sticky>
-          <unix:gwrite datatype="boolean">false</unix:gwrite>
-          <unix:owrite datatype="boolean">false</unix:owrite>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_permissionsdir_permissions_binary_dirs_2_mode_0755or_stricter_:ste:1" operator="AND" version="3">
-          <unix:suid datatype="boolean">false</unix:suid>
-          <unix:sgid datatype="boolean">false</unix:sgid>
-          <unix:sticky datatype="boolean">false</unix:sticky>
-          <unix:gwrite datatype="boolean">false</unix:gwrite>
-          <unix:owrite datatype="boolean">false</unix:owrite>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_permissionsdir_permissions_binary_dirs_3_mode_0755or_stricter_:ste:1" operator="AND" version="3">
-          <unix:suid datatype="boolean">false</unix:suid>
-          <unix:sgid datatype="boolean">false</unix:sgid>
-          <unix:sticky datatype="boolean">false</unix:sticky>
-          <unix:gwrite datatype="boolean">false</unix:gwrite>
-          <unix:owrite datatype="boolean">false</unix:owrite>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_permissionsdir_permissions_binary_dirs_4_mode_0755or_stricter_:ste:1" operator="AND" version="3">
-          <unix:suid datatype="boolean">false</unix:suid>
-          <unix:sgid datatype="boolean">false</unix:sgid>
-          <unix:sticky datatype="boolean">false</unix:sticky>
-          <unix:gwrite datatype="boolean">false</unix:gwrite>
-          <unix:owrite datatype="boolean">false</unix:owrite>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_permissionsdir_permissions_binary_dirs_5_mode_0755or_stricter_:ste:1" operator="AND" version="3">
-          <unix:suid datatype="boolean">false</unix:suid>
-          <unix:sgid datatype="boolean">false</unix:sgid>
-          <unix:sticky datatype="boolean">false</unix:sticky>
-          <unix:gwrite datatype="boolean">false</unix:gwrite>
-          <unix:owrite datatype="boolean">false</unix:owrite>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-exclude_symlinks_dir_permissions_binary_dirs:ste:1" version="1">
-          <unix:type operation="equals">symbolic link</unix:type>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_permissionsdir_permissions_library_dirs_0_mode_7755or_stricter_:ste:1" operator="AND" version="3">
-          <unix:gwrite datatype="boolean">false</unix:gwrite>
-          <unix:owrite datatype="boolean">false</unix:owrite>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_permissionsdir_permissions_library_dirs_1_mode_7755or_stricter_:ste:1" operator="AND" version="3">
-          <unix:gwrite datatype="boolean">false</unix:gwrite>
-          <unix:owrite datatype="boolean">false</unix:owrite>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_permissionsdir_permissions_library_dirs_2_mode_7755or_stricter_:ste:1" operator="AND" version="3">
-          <unix:gwrite datatype="boolean">false</unix:gwrite>
-          <unix:owrite datatype="boolean">false</unix:owrite>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_permissionsdir_permissions_library_dirs_3_mode_7755or_stricter_:ste:1" operator="AND" version="3">
-          <unix:gwrite datatype="boolean">false</unix:gwrite>
-          <unix:owrite datatype="boolean">false</unix:owrite>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-exclude_symlinks_dir_permissions_library_dirs:ste:1" version="1">
-          <unix:type operation="equals">symbolic link</unix:type>
-        </unix:file_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_disable_host_auth:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^no$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <unix:file_state id="oval:ssg-state_file_groupowner_backup_etc_group_gid_0_0:ste:1" version="1">
-          <unix:group_id datatype="int">0</unix:group_id>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-symlink_file_groupowner_backup_etc_group_uid_0:ste:1" version="1">
-          <unix:type operation="equals">symbolic link</unix:type>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_groupowner_backup_etc_gshadow_gid_0_0:ste:1" version="1">
-          <unix:group_id datatype="int">0</unix:group_id>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-symlink_file_groupowner_backup_etc_gshadow_uid_0:ste:1" version="1">
-          <unix:type operation="equals">symbolic link</unix:type>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_groupowner_backup_etc_passwd_gid_0_0:ste:1" version="1">
-          <unix:group_id datatype="int">0</unix:group_id>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-symlink_file_groupowner_backup_etc_passwd_uid_0:ste:1" version="1">
-          <unix:type operation="equals">symbolic link</unix:type>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_groupowner_backup_etc_shadow_gid_0_0:ste:1" version="1">
-          <unix:group_id datatype="int">0</unix:group_id>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-symlink_file_groupowner_backup_etc_shadow_uid_0:ste:1" version="1">
-          <unix:type operation="equals">symbolic link</unix:type>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_groupowner_etc_group_gid_0_0:ste:1" version="1">
-          <unix:group_id datatype="int">0</unix:group_id>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-symlink_file_groupowner_etc_group_uid_0:ste:1" version="1">
-          <unix:type operation="equals">symbolic link</unix:type>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_groupowner_etc_gshadow_gid_0_0:ste:1" version="1">
-          <unix:group_id datatype="int">0</unix:group_id>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-symlink_file_groupowner_etc_gshadow_uid_0:ste:1" version="1">
-          <unix:type operation="equals">symbolic link</unix:type>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_groupowner_etc_issue_gid_0_0:ste:1" version="1">
-          <unix:group_id datatype="int">0</unix:group_id>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-symlink_file_groupowner_etc_issue_uid_0:ste:1" version="1">
-          <unix:type operation="equals">symbolic link</unix:type>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_groupowner_etc_passwd_gid_0_0:ste:1" version="1">
-          <unix:group_id datatype="int">0</unix:group_id>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-symlink_file_groupowner_etc_passwd_uid_0:ste:1" version="1">
-          <unix:type operation="equals">symbolic link</unix:type>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_groupowner_etc_shadow_gid_0_0:ste:1" version="1">
-          <unix:group_id datatype="int">0</unix:group_id>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-symlink_file_groupowner_etc_shadow_uid_0:ste:1" version="1">
-          <unix:type operation="equals">symbolic link</unix:type>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_groupowner_sshd_config_gid_0_0:ste:1" version="1">
-          <unix:group_id datatype="int">0</unix:group_id>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-symlink_file_groupowner_sshd_config_uid_0:ste:1" version="1">
-          <unix:type operation="equals">symbolic link</unix:type>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_groupowner_var_log_gid_0_0:ste:1" version="1">
-          <unix:group_id datatype="int">0</unix:group_id>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-symlink_file_groupowner_var_log_uid_0:ste:1" version="1">
-          <unix:type operation="equals">symbolic link</unix:type>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_groupowner_var_log_messages_gid_0_0:ste:1" version="1">
-          <unix:group_id datatype="int">0</unix:group_id>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-symlink_file_groupowner_var_log_messages_uid_0:ste:1" version="1">
-          <unix:type operation="equals">symbolic link</unix:type>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_groupowner_var_log_syslog_gid_4_0:ste:1" version="1">
-          <unix:group_id datatype="int">4</unix:group_id>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-symlink_file_groupowner_var_log_syslog_uid_4:ste:1" version="1">
-          <unix:type operation="equals">symbolic link</unix:type>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_groupownership_audit_configuration_gid_0_0:ste:1" version="1">
-          <unix:group_id datatype="int">0</unix:group_id>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_groupownership_audit_configuration_gid_0_1:ste:1" version="1">
-          <unix:group_id datatype="int">0</unix:group_id>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-symlink_file_groupownership_audit_configuration_uid_0:ste:1" version="1">
-          <unix:type operation="equals">symbolic link</unix:type>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_owner_backup_etc_group_uid_0_0:ste:1" version="1">
-          <unix:user_id datatype="int">0</unix:user_id>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-symlink_file_owner_backup_etc_group_uid_0:ste:1" version="1">
-          <unix:type operation="equals">symbolic link</unix:type>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_owner_backup_etc_gshadow_uid_0_0:ste:1" version="1">
-          <unix:user_id datatype="int">0</unix:user_id>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-symlink_file_owner_backup_etc_gshadow_uid_0:ste:1" version="1">
-          <unix:type operation="equals">symbolic link</unix:type>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_owner_backup_etc_passwd_uid_0_0:ste:1" version="1">
-          <unix:user_id datatype="int">0</unix:user_id>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-symlink_file_owner_backup_etc_passwd_uid_0:ste:1" version="1">
-          <unix:type operation="equals">symbolic link</unix:type>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_owner_backup_etc_shadow_uid_0_0:ste:1" version="1">
-          <unix:user_id datatype="int">0</unix:user_id>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-symlink_file_owner_backup_etc_shadow_uid_0:ste:1" version="1">
-          <unix:type operation="equals">symbolic link</unix:type>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_owner_etc_group_uid_0_0:ste:1" version="1">
-          <unix:user_id datatype="int">0</unix:user_id>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-symlink_file_owner_etc_group_uid_0:ste:1" version="1">
-          <unix:type operation="equals">symbolic link</unix:type>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_owner_etc_gshadow_uid_0_0:ste:1" version="1">
-          <unix:user_id datatype="int">0</unix:user_id>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-symlink_file_owner_etc_gshadow_uid_0:ste:1" version="1">
-          <unix:type operation="equals">symbolic link</unix:type>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_owner_etc_issue_uid_0_0:ste:1" version="1">
-          <unix:user_id datatype="int">0</unix:user_id>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-symlink_file_owner_etc_issue_uid_0:ste:1" version="1">
-          <unix:type operation="equals">symbolic link</unix:type>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_owner_etc_passwd_uid_0_0:ste:1" version="1">
-          <unix:user_id datatype="int">0</unix:user_id>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-symlink_file_owner_etc_passwd_uid_0:ste:1" version="1">
-          <unix:type operation="equals">symbolic link</unix:type>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_owner_etc_shadow_uid_0_0:ste:1" version="1">
-          <unix:user_id datatype="int">0</unix:user_id>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-symlink_file_owner_etc_shadow_uid_0:ste:1" version="1">
-          <unix:type operation="equals">symbolic link</unix:type>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_owner_sshd_config_uid_0_0:ste:1" version="1">
-          <unix:user_id datatype="int">0</unix:user_id>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-symlink_file_owner_sshd_config_uid_0:ste:1" version="1">
-          <unix:type operation="equals">symbolic link</unix:type>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_owner_var_log_uid_0_0:ste:1" version="1">
-          <unix:user_id datatype="int">0</unix:user_id>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-symlink_file_owner_var_log_uid_0:ste:1" version="1">
-          <unix:type operation="equals">symbolic link</unix:type>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_owner_var_log_messages_uid_0_0:ste:1" version="1">
-          <unix:user_id datatype="int">0</unix:user_id>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-symlink_file_owner_var_log_messages_uid_0:ste:1" version="1">
-          <unix:type operation="equals">symbolic link</unix:type>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_owner_var_log_syslog_uid_104_0:ste:1" version="1">
-          <unix:user_id datatype="int">104</unix:user_id>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-symlink_file_owner_var_log_syslog_uid_104:ste:1" version="1">
-          <unix:type operation="equals">symbolic link</unix:type>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_ownership_audit_configuration_uid_0_0:ste:1" version="1">
-          <unix:user_id datatype="int">0</unix:user_id>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_ownership_audit_configuration_uid_0_1:ste:1" version="1">
-          <unix:user_id datatype="int">0</unix:user_id>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-symlink_file_ownership_audit_configuration_uid_0:ste:1" version="1">
-          <unix:type operation="equals">symbolic link</unix:type>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_ownership_library_dirs_uid_0_0:ste:1" version="1">
-          <unix:user_id datatype="int">0</unix:user_id>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_ownership_library_dirs_uid_0_1:ste:1" version="1">
-          <unix:user_id datatype="int">0</unix:user_id>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_ownership_library_dirs_uid_0_2:ste:1" version="1">
-          <unix:user_id datatype="int">0</unix:user_id>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_ownership_library_dirs_uid_0_3:ste:1" version="1">
-          <unix:user_id datatype="int">0</unix:user_id>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-symlink_file_ownership_library_dirs_uid_0:ste:1" version="1">
-          <unix:type operation="equals">symbolic link</unix:type>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_permissions_backup_etc_group_0_mode_0644or_stricter_:ste:1" operator="AND" version="3">
-          <unix:suid datatype="boolean">false</unix:suid>
-          <unix:sgid datatype="boolean">false</unix:sgid>
-          <unix:sticky datatype="boolean">false</unix:sticky>
-          <unix:uexec datatype="boolean">false</unix:uexec>
-          <unix:gwrite datatype="boolean">false</unix:gwrite>
-          <unix:gexec datatype="boolean">false</unix:gexec>
-          <unix:owrite datatype="boolean">false</unix:owrite>
-          <unix:oexec datatype="boolean">false</unix:oexec>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-exclude_symlinks__backup_etc_group:ste:1" version="1">
-          <unix:type operation="equals">symbolic link</unix:type>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_permissions_backup_etc_gshadow_0_mode_0000or_stricter_:ste:1" operator="AND" version="3">
-          <unix:suid datatype="boolean">false</unix:suid>
-          <unix:sgid datatype="boolean">false</unix:sgid>
-          <unix:sticky datatype="boolean">false</unix:sticky>
-          <unix:uread datatype="boolean">false</unix:uread>
-          <unix:uwrite datatype="boolean">false</unix:uwrite>
-          <unix:uexec datatype="boolean">false</unix:uexec>
-          <unix:gread datatype="boolean">false</unix:gread>
-          <unix:gwrite datatype="boolean">false</unix:gwrite>
-          <unix:gexec datatype="boolean">false</unix:gexec>
-          <unix:oread datatype="boolean">false</unix:oread>
-          <unix:owrite datatype="boolean">false</unix:owrite>
-          <unix:oexec datatype="boolean">false</unix:oexec>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-exclude_symlinks__backup_etc_gshadow:ste:1" version="1">
-          <unix:type operation="equals">symbolic link</unix:type>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_permissions_backup_etc_passwd_0_mode_0644or_stricter_:ste:1" operator="AND" version="3">
-          <unix:suid datatype="boolean">false</unix:suid>
-          <unix:sgid datatype="boolean">false</unix:sgid>
-          <unix:sticky datatype="boolean">false</unix:sticky>
-          <unix:uexec datatype="boolean">false</unix:uexec>
-          <unix:gwrite datatype="boolean">false</unix:gwrite>
-          <unix:gexec datatype="boolean">false</unix:gexec>
-          <unix:owrite datatype="boolean">false</unix:owrite>
-          <unix:oexec datatype="boolean">false</unix:oexec>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-exclude_symlinks__backup_etc_passwd:ste:1" version="1">
-          <unix:type operation="equals">symbolic link</unix:type>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_permissions_backup_etc_shadow_0_mode_0000or_stricter_:ste:1" operator="AND" version="3">
-          <unix:suid datatype="boolean">false</unix:suid>
-          <unix:sgid datatype="boolean">false</unix:sgid>
-          <unix:sticky datatype="boolean">false</unix:sticky>
-          <unix:uread datatype="boolean">false</unix:uread>
-          <unix:uwrite datatype="boolean">false</unix:uwrite>
-          <unix:uexec datatype="boolean">false</unix:uexec>
-          <unix:gread datatype="boolean">false</unix:gread>
-          <unix:gwrite datatype="boolean">false</unix:gwrite>
-          <unix:gexec datatype="boolean">false</unix:gexec>
-          <unix:oread datatype="boolean">false</unix:oread>
-          <unix:owrite datatype="boolean">false</unix:owrite>
-          <unix:oexec datatype="boolean">false</unix:oexec>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-exclude_symlinks__backup_etc_shadow:ste:1" version="1">
-          <unix:type operation="equals">symbolic link</unix:type>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_permissions_etc_group_0_mode_0644or_stricter_:ste:1" operator="AND" version="3">
-          <unix:suid datatype="boolean">false</unix:suid>
-          <unix:sgid datatype="boolean">false</unix:sgid>
-          <unix:sticky datatype="boolean">false</unix:sticky>
-          <unix:uexec datatype="boolean">false</unix:uexec>
-          <unix:gwrite datatype="boolean">false</unix:gwrite>
-          <unix:gexec datatype="boolean">false</unix:gexec>
-          <unix:owrite datatype="boolean">false</unix:owrite>
-          <unix:oexec datatype="boolean">false</unix:oexec>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-exclude_symlinks__etc_group:ste:1" version="1">
-          <unix:type operation="equals">symbolic link</unix:type>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_permissions_etc_gshadow_0_mode_0000or_stricter_:ste:1" operator="AND" version="3">
-          <unix:suid datatype="boolean">false</unix:suid>
-          <unix:sgid datatype="boolean">false</unix:sgid>
-          <unix:sticky datatype="boolean">false</unix:sticky>
-          <unix:uread datatype="boolean">false</unix:uread>
-          <unix:uwrite datatype="boolean">false</unix:uwrite>
-          <unix:uexec datatype="boolean">false</unix:uexec>
-          <unix:gread datatype="boolean">false</unix:gread>
-          <unix:gwrite datatype="boolean">false</unix:gwrite>
-          <unix:gexec datatype="boolean">false</unix:gexec>
-          <unix:oread datatype="boolean">false</unix:oread>
-          <unix:owrite datatype="boolean">false</unix:owrite>
-          <unix:oexec datatype="boolean">false</unix:oexec>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-exclude_symlinks__etc_gshadow:ste:1" version="1">
-          <unix:type operation="equals">symbolic link</unix:type>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_permissions_etc_issue_0_mode_0644or_stricter_:ste:1" operator="AND" version="3">
-          <unix:suid datatype="boolean">false</unix:suid>
-          <unix:sgid datatype="boolean">false</unix:sgid>
-          <unix:sticky datatype="boolean">false</unix:sticky>
-          <unix:uexec datatype="boolean">false</unix:uexec>
-          <unix:gwrite datatype="boolean">false</unix:gwrite>
-          <unix:gexec datatype="boolean">false</unix:gexec>
-          <unix:owrite datatype="boolean">false</unix:owrite>
-          <unix:oexec datatype="boolean">false</unix:oexec>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-exclude_symlinks__etc_issue:ste:1" version="1">
-          <unix:type operation="equals">symbolic link</unix:type>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_permissions_etc_passwd_0_mode_0644or_stricter_:ste:1" operator="AND" version="3">
-          <unix:suid datatype="boolean">false</unix:suid>
-          <unix:sgid datatype="boolean">false</unix:sgid>
-          <unix:sticky datatype="boolean">false</unix:sticky>
-          <unix:uexec datatype="boolean">false</unix:uexec>
-          <unix:gwrite datatype="boolean">false</unix:gwrite>
-          <unix:gexec datatype="boolean">false</unix:gexec>
-          <unix:owrite datatype="boolean">false</unix:owrite>
-          <unix:oexec datatype="boolean">false</unix:oexec>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-exclude_symlinks__etc_passwd:ste:1" version="1">
-          <unix:type operation="equals">symbolic link</unix:type>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_permissions_etc_shadow_0_mode_0000or_stricter_:ste:1" operator="AND" version="3">
-          <unix:suid datatype="boolean">false</unix:suid>
-          <unix:sgid datatype="boolean">false</unix:sgid>
-          <unix:sticky datatype="boolean">false</unix:sticky>
-          <unix:uread datatype="boolean">false</unix:uread>
-          <unix:uwrite datatype="boolean">false</unix:uwrite>
-          <unix:uexec datatype="boolean">false</unix:uexec>
-          <unix:gread datatype="boolean">false</unix:gread>
-          <unix:gwrite datatype="boolean">false</unix:gwrite>
-          <unix:gexec datatype="boolean">false</unix:gexec>
-          <unix:oread datatype="boolean">false</unix:oread>
-          <unix:owrite datatype="boolean">false</unix:owrite>
-          <unix:oexec datatype="boolean">false</unix:oexec>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-exclude_symlinks__etc_shadow:ste:1" version="1">
-          <unix:type operation="equals">symbolic link</unix:type>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_permissions_library_dirs_0_mode_7755or_stricter_:ste:1" operator="AND" version="3">
-          <unix:gwrite datatype="boolean">false</unix:gwrite>
-          <unix:owrite datatype="boolean">false</unix:owrite>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_permissions_library_dirs_1_mode_7755or_stricter_:ste:1" operator="AND" version="3">
-          <unix:gwrite datatype="boolean">false</unix:gwrite>
-          <unix:owrite datatype="boolean">false</unix:owrite>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_permissions_library_dirs_2_mode_7755or_stricter_:ste:1" operator="AND" version="3">
-          <unix:gwrite datatype="boolean">false</unix:gwrite>
-          <unix:owrite datatype="boolean">false</unix:owrite>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_permissions_library_dirs_3_mode_7755or_stricter_:ste:1" operator="AND" version="3">
-          <unix:gwrite datatype="boolean">false</unix:gwrite>
-          <unix:owrite datatype="boolean">false</unix:owrite>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-exclude_symlinks__library_dirs:ste:1" version="1">
-          <unix:type operation="equals">symbolic link</unix:type>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_permissions_sshd_config_0_mode_0600or_stricter_:ste:1" operator="AND" version="3">
-          <unix:suid datatype="boolean">false</unix:suid>
-          <unix:sgid datatype="boolean">false</unix:sgid>
-          <unix:sticky datatype="boolean">false</unix:sticky>
-          <unix:uexec datatype="boolean">false</unix:uexec>
-          <unix:gread datatype="boolean">false</unix:gread>
-          <unix:gwrite datatype="boolean">false</unix:gwrite>
-          <unix:gexec datatype="boolean">false</unix:gexec>
-          <unix:oread datatype="boolean">false</unix:oread>
-          <unix:owrite datatype="boolean">false</unix:owrite>
-          <unix:oexec datatype="boolean">false</unix:oexec>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-exclude_symlinks__sshd_config:ste:1" version="1">
-          <unix:type operation="equals">symbolic link</unix:type>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_permissions_sshd_pub_key_0_mode_0644or_stricter_:ste:1" operator="AND" version="3">
-          <unix:suid datatype="boolean">false</unix:suid>
-          <unix:sgid datatype="boolean">false</unix:sgid>
-          <unix:sticky datatype="boolean">false</unix:sticky>
-          <unix:uexec datatype="boolean">false</unix:uexec>
-          <unix:gwrite datatype="boolean">false</unix:gwrite>
-          <unix:gexec datatype="boolean">false</unix:gexec>
-          <unix:owrite datatype="boolean">false</unix:owrite>
-          <unix:oexec datatype="boolean">false</unix:oexec>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-exclude_symlinks__sshd_pub_key:ste:1" version="1">
-          <unix:type operation="equals">symbolic link</unix:type>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_permissions_var_log_0_mode_0755or_stricter_:ste:1" operator="AND" version="3">
-          <unix:suid datatype="boolean">false</unix:suid>
-          <unix:sgid datatype="boolean">false</unix:sgid>
-          <unix:sticky datatype="boolean">false</unix:sticky>
-          <unix:gwrite datatype="boolean">false</unix:gwrite>
-          <unix:owrite datatype="boolean">false</unix:owrite>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-exclude_symlinks__var_log:ste:1" version="1">
-          <unix:type operation="equals">symbolic link</unix:type>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_permissions_var_log_messages_0_mode_0640or_stricter_:ste:1" operator="AND" version="3">
-          <unix:suid datatype="boolean">false</unix:suid>
-          <unix:sgid datatype="boolean">false</unix:sgid>
-          <unix:sticky datatype="boolean">false</unix:sticky>
-          <unix:uexec datatype="boolean">false</unix:uexec>
-          <unix:gwrite datatype="boolean">false</unix:gwrite>
-          <unix:gexec datatype="boolean">false</unix:gexec>
-          <unix:oread datatype="boolean">false</unix:oread>
-          <unix:owrite datatype="boolean">false</unix:owrite>
-          <unix:oexec datatype="boolean">false</unix:oexec>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-exclude_symlinks__var_log_messages:ste:1" version="1">
-          <unix:type operation="equals">symbolic link</unix:type>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-state_file_permissions_var_log_syslog_0_mode_0640or_stricter_:ste:1" operator="AND" version="3">
-          <unix:suid datatype="boolean">false</unix:suid>
-          <unix:sgid datatype="boolean">false</unix:sgid>
-          <unix:sticky datatype="boolean">false</unix:sticky>
-          <unix:uexec datatype="boolean">false</unix:uexec>
-          <unix:gwrite datatype="boolean">false</unix:gwrite>
-          <unix:gexec datatype="boolean">false</unix:gexec>
-          <unix:oread datatype="boolean">false</unix:oread>
-          <unix:owrite datatype="boolean">false</unix:owrite>
-          <unix:oexec datatype="boolean">false</unix:oexec>
-        </unix:file_state>
-        <unix:file_state id="oval:ssg-exclude_symlinks__var_log_syslog:ste:1" version="1">
-          <unix:type operation="equals">symbolic link</unix:type>
-        </unix:file_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_grub2_iommu_argument:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?iommu=force(?:\s.*)?$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_grub2_ipv6_disable_argument:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?ipv6\.disable=1(?:\s.*)?$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_grub2_l1tf_argument:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match" var_ref="oval:ssg-local_var_regex_l1tf_var_l1tf_options:var:1"/>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_grub2_mce_argument:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?mce=0(?:\s.*)?$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_grub2_rng_core_default_quality_argument:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match" var_ref="oval:ssg-local_var_regex_rng_core_default_quality_var_rng_core_default_quality:var:1"/>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_grub2_slab_nomerge_argument:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?slab_nomerge=yes(?:\s.*)?$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_grub2_spec_store_bypass_disable_argument:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match" var_ref="oval:ssg-local_var_regex_spec_store_bypass_disable_var_spec_store_bypass_disable_options:var:1"/>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_grub2_spectre_v2_argument:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?spectre_v2=on(?:\s.*)?$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_kernel_config_acpi_custom_method:ste:1" version="1">
-          <ind:subexpression operation="equals" datatype="string">n</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:variable_state id="oval:ssg-state_var_kernel_config_acpi_custom_method:ste:1" version="1">
-          <ind:value operation="equals" datatype="int" var_ref="oval:ssg-local_var_config_acpi_custom_method_count_compliant_configs:var:1"/>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_kernel_config_binfmt_misc:ste:1" version="1">
-          <ind:subexpression operation="equals" datatype="string">n</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:variable_state id="oval:ssg-state_var_kernel_config_binfmt_misc:ste:1" version="1">
-          <ind:value operation="equals" datatype="int" var_ref="oval:ssg-local_var_config_binfmt_misc_count_compliant_configs:var:1"/>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_kernel_config_bug:ste:1" version="1">
-          <ind:subexpression operation="equals" datatype="string">y</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:variable_state id="oval:ssg-state_var_kernel_config_bug:ste:1" version="1">
-          <ind:value operation="equals" datatype="int" var_ref="oval:ssg-local_var_config_bug_count_compliant_configs:var:1"/>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_kernel_config_compat_brk:ste:1" version="1">
-          <ind:subexpression operation="equals" datatype="string">n</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:variable_state id="oval:ssg-state_var_kernel_config_compat_brk:ste:1" version="1">
-          <ind:value operation="equals" datatype="int" var_ref="oval:ssg-local_var_config_compat_brk_count_compliant_configs:var:1"/>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_kernel_config_compat_vdso:ste:1" version="1">
-          <ind:subexpression operation="equals" datatype="string">n</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:variable_state id="oval:ssg-state_var_kernel_config_compat_vdso:ste:1" version="1">
-          <ind:value operation="equals" datatype="int" var_ref="oval:ssg-local_var_config_compat_vdso_count_compliant_configs:var:1"/>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_kernel_config_debug_credentials:ste:1" version="1">
-          <ind:subexpression operation="equals" datatype="string">y</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:variable_state id="oval:ssg-state_var_kernel_config_debug_credentials:ste:1" version="1">
-          <ind:value operation="equals" datatype="int" var_ref="oval:ssg-local_var_config_debug_credentials_count_compliant_configs:var:1"/>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_kernel_config_debug_fs:ste:1" version="1">
-          <ind:subexpression operation="equals" datatype="string">n</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:variable_state id="oval:ssg-state_var_kernel_config_debug_fs:ste:1" version="1">
-          <ind:value operation="equals" datatype="int" var_ref="oval:ssg-local_var_config_debug_fs_count_compliant_configs:var:1"/>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_kernel_config_debug_list:ste:1" version="1">
-          <ind:subexpression operation="equals" datatype="string">y</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:variable_state id="oval:ssg-state_var_kernel_config_debug_list:ste:1" version="1">
-          <ind:value operation="equals" datatype="int" var_ref="oval:ssg-local_var_config_debug_list_count_compliant_configs:var:1"/>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_kernel_config_debug_notifiers:ste:1" version="1">
-          <ind:subexpression operation="equals" datatype="string">y</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:variable_state id="oval:ssg-state_var_kernel_config_debug_notifiers:ste:1" version="1">
-          <ind:value operation="equals" datatype="int" var_ref="oval:ssg-local_var_config_debug_notifiers_count_compliant_configs:var:1"/>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_kernel_config_debug_sg:ste:1" version="1">
-          <ind:subexpression operation="equals" datatype="string">y</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:variable_state id="oval:ssg-state_var_kernel_config_debug_sg:ste:1" version="1">
-          <ind:value operation="equals" datatype="int" var_ref="oval:ssg-local_var_config_debug_sg_count_compliant_configs:var:1"/>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_kernel_config_default_mmap_min_addr:ste:1" version="1">
-          <ind:subexpression operation="equals" datatype="string">65536</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:variable_state id="oval:ssg-state_var_kernel_config_default_mmap_min_addr:ste:1" version="1">
-          <ind:value operation="equals" datatype="int" var_ref="oval:ssg-local_var_config_default_mmap_min_addr_count_compliant_configs:var:1"/>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_kernel_config_devkmem:ste:1" version="1">
-          <ind:subexpression operation="equals" datatype="string">n</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:variable_state id="oval:ssg-state_var_kernel_config_devkmem:ste:1" version="1">
-          <ind:value operation="equals" datatype="int" var_ref="oval:ssg-local_var_config_devkmem_count_compliant_configs:var:1"/>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_kernel_config_hibernation:ste:1" version="1">
-          <ind:subexpression operation="equals" datatype="string">n</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:variable_state id="oval:ssg-state_var_kernel_config_hibernation:ste:1" version="1">
-          <ind:value operation="equals" datatype="int" var_ref="oval:ssg-local_var_config_hibernation_count_compliant_configs:var:1"/>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_kernel_config_ia32_emulation:ste:1" version="1">
-          <ind:subexpression operation="equals" datatype="string">n</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:variable_state id="oval:ssg-state_var_kernel_config_ia32_emulation:ste:1" version="1">
-          <ind:value operation="equals" datatype="int" var_ref="oval:ssg-local_var_config_ia32_emulation_count_compliant_configs:var:1"/>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_kernel_config_ipv6:ste:1" version="1">
-          <ind:subexpression operation="equals" datatype="string">n</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:variable_state id="oval:ssg-state_var_kernel_config_ipv6:ste:1" version="1">
-          <ind:value operation="equals" datatype="int" var_ref="oval:ssg-local_var_config_ipv6_count_compliant_configs:var:1"/>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_kernel_config_kexec:ste:1" version="1">
-          <ind:subexpression operation="equals" datatype="string">n</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:variable_state id="oval:ssg-state_var_kernel_config_kexec:ste:1" version="1">
-          <ind:value operation="equals" datatype="int" var_ref="oval:ssg-local_var_config_kexec_count_compliant_configs:var:1"/>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_kernel_config_legacy_ptys:ste:1" version="1">
-          <ind:subexpression operation="equals" datatype="string">n</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:variable_state id="oval:ssg-state_var_kernel_config_legacy_ptys:ste:1" version="1">
-          <ind:value operation="equals" datatype="int" var_ref="oval:ssg-local_var_config_legacy_ptys_count_compliant_configs:var:1"/>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_kernel_config_module_sig:ste:1" version="1">
-          <ind:subexpression operation="equals" datatype="string">y</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:variable_state id="oval:ssg-state_var_kernel_config_module_sig:ste:1" version="1">
-          <ind:value operation="equals" datatype="int" var_ref="oval:ssg-local_var_config_module_sig_count_compliant_configs:var:1"/>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_kernel_config_module_sig_all:ste:1" version="1">
-          <ind:subexpression operation="equals" datatype="string">y</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:variable_state id="oval:ssg-state_var_kernel_config_module_sig_all:ste:1" version="1">
-          <ind:value operation="equals" datatype="int" var_ref="oval:ssg-local_var_config_module_sig_all_count_compliant_configs:var:1"/>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_kernel_config_module_sig_force:ste:1" version="1">
-          <ind:subexpression operation="equals" datatype="string">y</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:variable_state id="oval:ssg-state_var_kernel_config_module_sig_force:ste:1" version="1">
-          <ind:value operation="equals" datatype="int" var_ref="oval:ssg-local_var_config_module_sig_force_count_compliant_configs:var:1"/>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_kernel_config_module_sig_hash:ste:1" version="1">
-          <ind:subexpression operation="equals" datatype="string" var_ref="oval:ssg-var_kernel_config_module_sig_hash:var:1"/>
-        </ind:textfilecontent54_state>
-        <ind:variable_state id="oval:ssg-state_var_kernel_config_module_sig_hash:ste:1" version="1">
-          <ind:value operation="equals" datatype="int" var_ref="oval:ssg-local_var_config_module_sig_hash_count_compliant_configs:var:1"/>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_kernel_config_module_sig_key:ste:1" version="1">
-          <ind:subexpression operation="equals" datatype="string" var_ref="oval:ssg-var_kernel_config_module_sig_key:var:1"/>
-        </ind:textfilecontent54_state>
-        <ind:variable_state id="oval:ssg-state_var_kernel_config_module_sig_key:ste:1" version="1">
-          <ind:value operation="equals" datatype="int" var_ref="oval:ssg-local_var_config_module_sig_key_count_compliant_configs:var:1"/>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_kernel_config_module_sig_sha512:ste:1" version="1">
-          <ind:subexpression operation="equals" datatype="string">y</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:variable_state id="oval:ssg-state_var_kernel_config_module_sig_sha512:ste:1" version="1">
-          <ind:value operation="equals" datatype="int" var_ref="oval:ssg-local_var_config_module_sig_sha512_count_compliant_configs:var:1"/>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_kernel_config_page_poisoning_no_sanity:ste:1" version="1">
-          <ind:subexpression operation="equals" datatype="string">y</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:variable_state id="oval:ssg-state_var_kernel_config_page_poisoning_no_sanity:ste:1" version="1">
-          <ind:value operation="equals" datatype="int" var_ref="oval:ssg-local_var_config_page_poisoning_no_sanity_count_compliant_configs:var:1"/>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_kernel_config_page_poisoning_zero:ste:1" version="1">
-          <ind:subexpression operation="equals" datatype="string">y</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:variable_state id="oval:ssg-state_var_kernel_config_page_poisoning_zero:ste:1" version="1">
-          <ind:value operation="equals" datatype="int" var_ref="oval:ssg-local_var_config_page_poisoning_zero_count_compliant_configs:var:1"/>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_kernel_config_page_table_isolation:ste:1" version="1">
-          <ind:subexpression operation="equals" datatype="string">y</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:variable_state id="oval:ssg-state_var_kernel_config_page_table_isolation:ste:1" version="1">
-          <ind:value operation="equals" datatype="int" var_ref="oval:ssg-local_var_config_page_table_isolation_count_compliant_configs:var:1"/>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_kernel_config_panic_on_oops:ste:1" version="1">
-          <ind:subexpression operation="equals" datatype="string">y</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:variable_state id="oval:ssg-state_var_kernel_config_panic_on_oops:ste:1" version="1">
-          <ind:value operation="equals" datatype="int" var_ref="oval:ssg-local_var_config_panic_on_oops_count_compliant_configs:var:1"/>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_kernel_config_panic_timeout:ste:1" version="1">
-          <ind:subexpression operation="equals" datatype="string" var_ref="oval:ssg-var_kernel_config_panic_timeout:var:1"/>
-        </ind:textfilecontent54_state>
-        <ind:variable_state id="oval:ssg-state_var_kernel_config_panic_timeout:ste:1" version="1">
-          <ind:value operation="equals" datatype="int" var_ref="oval:ssg-local_var_config_panic_timeout_count_compliant_configs:var:1"/>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_kernel_config_proc_kcore:ste:1" version="1">
-          <ind:subexpression operation="equals" datatype="string">n</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:variable_state id="oval:ssg-state_var_kernel_config_proc_kcore:ste:1" version="1">
-          <ind:value operation="equals" datatype="int" var_ref="oval:ssg-local_var_config_proc_kcore_count_compliant_configs:var:1"/>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_kernel_config_randomize_base:ste:1" version="1">
-          <ind:subexpression operation="equals" datatype="string">y</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:variable_state id="oval:ssg-state_var_kernel_config_randomize_base:ste:1" version="1">
-          <ind:value operation="equals" datatype="int" var_ref="oval:ssg-local_var_config_randomize_base_count_compliant_configs:var:1"/>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_kernel_config_randomize_memory:ste:1" version="1">
-          <ind:subexpression operation="equals" datatype="string">y</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:variable_state id="oval:ssg-state_var_kernel_config_randomize_memory:ste:1" version="1">
-          <ind:value operation="equals" datatype="int" var_ref="oval:ssg-local_var_config_randomize_memory_count_compliant_configs:var:1"/>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_kernel_config_retpoline:ste:1" version="1">
-          <ind:subexpression operation="equals" datatype="string">y</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:variable_state id="oval:ssg-state_var_kernel_config_retpoline:ste:1" version="1">
-          <ind:value operation="equals" datatype="int" var_ref="oval:ssg-local_var_config_retpoline_count_compliant_configs:var:1"/>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_kernel_config_seccomp:ste:1" version="1">
-          <ind:subexpression operation="equals" datatype="string">y</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:variable_state id="oval:ssg-state_var_kernel_config_seccomp:ste:1" version="1">
-          <ind:value operation="equals" datatype="int" var_ref="oval:ssg-local_var_config_seccomp_count_compliant_configs:var:1"/>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_kernel_config_seccomp_filter:ste:1" version="1">
-          <ind:subexpression operation="equals" datatype="string">y</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:variable_state id="oval:ssg-state_var_kernel_config_seccomp_filter:ste:1" version="1">
-          <ind:value operation="equals" datatype="int" var_ref="oval:ssg-local_var_config_seccomp_filter_count_compliant_configs:var:1"/>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_kernel_config_security:ste:1" version="1">
-          <ind:subexpression operation="equals" datatype="string">y</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:variable_state id="oval:ssg-state_var_kernel_config_security:ste:1" version="1">
-          <ind:value operation="equals" datatype="int" var_ref="oval:ssg-local_var_config_security_count_compliant_configs:var:1"/>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_kernel_config_security_dmesg_restrict:ste:1" version="1">
-          <ind:subexpression operation="equals" datatype="string">n</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:variable_state id="oval:ssg-state_var_kernel_config_security_dmesg_restrict:ste:1" version="1">
-          <ind:value operation="equals" datatype="int" var_ref="oval:ssg-local_var_config_security_dmesg_restrict_count_compliant_configs:var:1"/>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_kernel_config_security_writable_hooks:ste:1" version="1">
-          <ind:subexpression operation="equals" datatype="string">y</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:variable_state id="oval:ssg-state_var_kernel_config_security_writable_hooks:ste:1" version="1">
-          <ind:value operation="equals" datatype="int" var_ref="oval:ssg-local_var_config_security_writable_hooks_count_compliant_configs:var:1"/>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_kernel_config_security_yama:ste:1" version="1">
-          <ind:subexpression operation="equals" datatype="string">y</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:variable_state id="oval:ssg-state_var_kernel_config_security_yama:ste:1" version="1">
-          <ind:value operation="equals" datatype="int" var_ref="oval:ssg-local_var_config_security_yama_count_compliant_configs:var:1"/>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_kernel_config_slub_debug:ste:1" version="1">
-          <ind:subexpression operation="equals" datatype="string">y</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:variable_state id="oval:ssg-state_var_kernel_config_slub_debug:ste:1" version="1">
-          <ind:value operation="equals" datatype="int" var_ref="oval:ssg-local_var_config_slub_debug_count_compliant_configs:var:1"/>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_kernel_config_syn_cookies:ste:1" version="1">
-          <ind:subexpression operation="equals" datatype="string">y</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:variable_state id="oval:ssg-state_var_kernel_config_syn_cookies:ste:1" version="1">
-          <ind:value operation="equals" datatype="int" var_ref="oval:ssg-local_var_config_syn_cookies_count_compliant_configs:var:1"/>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_kernel_config_unmap_kernel_at_el0:ste:1" version="1">
-          <ind:subexpression operation="equals" datatype="string">y</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:variable_state id="oval:ssg-state_var_kernel_config_unmap_kernel_at_el0:ste:1" version="1">
-          <ind:value operation="equals" datatype="int" var_ref="oval:ssg-local_var_config_unmap_kernel_at_el0_count_compliant_configs:var:1"/>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_kernel_config_x86_vsyscall_emulation:ste:1" version="1">
-          <ind:subexpression operation="equals" datatype="string">n</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:variable_state id="oval:ssg-state_var_kernel_config_x86_vsyscall_emulation:ste:1" version="1">
-          <ind:value operation="equals" datatype="int" var_ref="oval:ssg-local_var_config_x86_vsyscall_emulation_count_compliant_configs:var:1"/>
-        </ind:variable_state>
-        <linux:partition_state version="1" id="oval:ssg-state_boot_partition_nodev_optional_yes:ste:1">
-          <linux:mount_options datatype="string" entity_check="at least one" operation="equals">nodev</linux:mount_options>
-        </linux:partition_state>
-        <linux:partition_state version="1" id="oval:ssg-state_boot_partition_nosuid_optional_yes:ste:1">
-          <linux:mount_options datatype="string" entity_check="at least one" operation="equals">nosuid</linux:mount_options>
-        </linux:partition_state>
-        <linux:partition_state version="1" id="oval:ssg-state_dev_shm_partition_nodev_optional_no:ste:1">
-          <linux:mount_options datatype="string" entity_check="at least one" operation="equals">nodev</linux:mount_options>
-        </linux:partition_state>
-        <linux:partition_state version="1" id="oval:ssg-state_dev_shm_partition_noexec_optional_no:ste:1">
-          <linux:mount_options datatype="string" entity_check="at least one" operation="equals">noexec</linux:mount_options>
-        </linux:partition_state>
-        <linux:partition_state version="1" id="oval:ssg-state_dev_shm_partition_nosuid_optional_no:ste:1">
-          <linux:mount_options datatype="string" entity_check="at least one" operation="equals">nosuid</linux:mount_options>
-        </linux:partition_state>
-        <linux:partition_state version="1" id="oval:ssg-state_home_partition_nodev_optional_yes:ste:1">
-          <linux:mount_options datatype="string" entity_check="at least one" operation="equals">nodev</linux:mount_options>
-        </linux:partition_state>
-        <linux:partition_state version="1" id="oval:ssg-state_home_partition_nosuid_optional_yes:ste:1">
-          <linux:mount_options datatype="string" entity_check="at least one" operation="equals">nosuid</linux:mount_options>
-        </linux:partition_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_nodev_etc_fstab_cd_dvd_drive:ste:1" version="1">
-          <ind:subexpression operation="pattern match" datatype="string">^.*,?nodev,?.*$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_nodev_etc_fstab_not_cd_dvd_drive:ste:1" version="1">
-          <ind:subexpression operation="pattern match" datatype="string">^.*,?nodev,?.*</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_noexec_etc_fstab_cd_dvd_drive:ste:1" version="1">
-          <ind:subexpression operation="pattern match" datatype="string">^.*,?noexec,?.*$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_noexec_etc_fstab_not_cd_dvd_drive:ste:1" version="1">
-          <ind:subexpression operation="pattern match" datatype="string">^.*,?noexec,?.*</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_nosuid_etc_fstab_cd_dvd_drive:ste:1" version="1">
-          <ind:subexpression operation="pattern match" datatype="string">^.*,?nosuid,?.*$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_nosuid_etc_fstab_not_cd_dvd_drive:ste:1" version="1">
-          <ind:subexpression operation="pattern match" datatype="string">^.*,?nosuid,?.*</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <linux:partition_state version="1" id="oval:ssg-state_tmp_partition_nodev_optional_yes:ste:1">
-          <linux:mount_options datatype="string" entity_check="at least one" operation="equals">nodev</linux:mount_options>
-        </linux:partition_state>
-        <linux:partition_state version="1" id="oval:ssg-state_tmp_partition_noexec_optional_yes:ste:1">
-          <linux:mount_options datatype="string" entity_check="at least one" operation="equals">noexec</linux:mount_options>
-        </linux:partition_state>
-        <linux:partition_state version="1" id="oval:ssg-state_tmp_partition_nosuid_optional_yes:ste:1">
-          <linux:mount_options datatype="string" entity_check="at least one" operation="equals">nosuid</linux:mount_options>
-        </linux:partition_state>
-        <linux:partition_state version="1" id="oval:ssg-state_var_log_audit_partition_nodev_optional_yes:ste:1">
-          <linux:mount_options datatype="string" entity_check="at least one" operation="equals">nodev</linux:mount_options>
-        </linux:partition_state>
-        <linux:partition_state version="1" id="oval:ssg-state_var_log_audit_partition_noexec_optional_yes:ste:1">
-          <linux:mount_options datatype="string" entity_check="at least one" operation="equals">noexec</linux:mount_options>
-        </linux:partition_state>
-        <linux:partition_state version="1" id="oval:ssg-state_var_log_audit_partition_nosuid_optional_yes:ste:1">
-          <linux:mount_options datatype="string" entity_check="at least one" operation="equals">nosuid</linux:mount_options>
-        </linux:partition_state>
-        <linux:partition_state version="1" id="oval:ssg-state_var_log_partition_nodev_optional_yes:ste:1">
-          <linux:mount_options datatype="string" entity_check="at least one" operation="equals">nodev</linux:mount_options>
-        </linux:partition_state>
-        <linux:partition_state version="1" id="oval:ssg-state_var_log_partition_noexec_optional_yes:ste:1">
-          <linux:mount_options datatype="string" entity_check="at least one" operation="equals">noexec</linux:mount_options>
-        </linux:partition_state>
-        <linux:partition_state version="1" id="oval:ssg-state_var_log_partition_nosuid_optional_yes:ste:1">
-          <linux:mount_options datatype="string" entity_check="at least one" operation="equals">nosuid</linux:mount_options>
-        </linux:partition_state>
-        <linux:partition_state version="1" id="oval:ssg-state_var_partition_nodev_optional_yes:ste:1">
-          <linux:mount_options datatype="string" entity_check="at least one" operation="equals">nodev</linux:mount_options>
-        </linux:partition_state>
-        <linux:partition_state version="1" id="oval:ssg-state_var_partition_nosuid_optional_yes:ste:1">
-          <linux:mount_options datatype="string" entity_check="at least one" operation="equals">nosuid</linux:mount_options>
-        </linux:partition_state>
-        <linux:partition_state version="1" id="oval:ssg-state_var_tmp_partition_nodev_optional_yes:ste:1">
-          <linux:mount_options datatype="string" entity_check="at least one" operation="equals">nodev</linux:mount_options>
-        </linux:partition_state>
-        <linux:partition_state version="1" id="oval:ssg-state_var_tmp_partition_noexec_optional_yes:ste:1">
-          <linux:mount_options datatype="string" entity_check="at least one" operation="equals">noexec</linux:mount_options>
-        </linux:partition_state>
-        <linux:partition_state version="1" id="oval:ssg-state_var_tmp_partition_nosuid_optional_yes:ste:1">
-          <linux:mount_options datatype="string" entity_check="at least one" operation="equals">nosuid</linux:mount_options>
-        </linux:partition_state>
-        <linux:systemdunitdependency_state id="oval:ssg-state_systemd_auditd_on:ste:1" comment="auditd listed at least once in the dependencies" version="1">
-          <linux:dependency entity_check="at least one">auditd.service</linux:dependency>
-        </linux:systemdunitdependency_state>
-        <linux:systemdunitdependency_state id="oval:ssg-state_systemd_auditd_socket_on:ste:1" comment="auditd listed at least once in the dependencies" version="1">
-          <linux:dependency entity_check="at least one">auditd.socket</linux:dependency>
-        </linux:systemdunitdependency_state>
-        <linux:systemdunitproperty_state id="oval:ssg-state_service_running_auditd:ste:1" version="1" comment="auditd is running">
-          <linux:value>active</linux:value>
-        </linux:systemdunitproperty_state>
-        <linux:systemdunitproperty_state id="oval:ssg-state_service_not_running_autofs:ste:1" version="1" comment="autofs is not running">
-          <linux:value operation="pattern match">inactive|failed</linux:value>
-        </linux:systemdunitproperty_state>
-        <linux:systemdunitproperty_state id="oval:ssg-state_service_loadstate_is_masked_autofs:ste:1" version="1" comment="LoadState is set to masked">
-          <linux:value>masked</linux:value>
-        </linux:systemdunitproperty_state>
-        <linux:systemdunitproperty_state id="oval:ssg-state_service_not_running_bluetooth:ste:1" version="1" comment="bluetooth is not running">
-          <linux:value operation="pattern match">inactive|failed</linux:value>
-        </linux:systemdunitproperty_state>
-        <linux:systemdunitproperty_state id="oval:ssg-state_service_loadstate_is_masked_bluetooth:ste:1" version="1" comment="LoadState is set to masked">
-          <linux:value>masked</linux:value>
-        </linux:systemdunitproperty_state>
-        <linux:systemdunitdependency_state id="oval:ssg-state_systemd_chronyd_on:ste:1" comment="chronyd listed at least once in the dependencies" version="1">
-          <linux:dependency entity_check="at least one">chronyd.service</linux:dependency>
-        </linux:systemdunitdependency_state>
-        <linux:systemdunitdependency_state id="oval:ssg-state_systemd_chronyd_socket_on:ste:1" comment="chronyd listed at least once in the dependencies" version="1">
-          <linux:dependency entity_check="at least one">chronyd.socket</linux:dependency>
-        </linux:systemdunitdependency_state>
-        <linux:systemdunitproperty_state id="oval:ssg-state_service_running_chronyd:ste:1" version="1" comment="chronyd is running">
-          <linux:value>active</linux:value>
-        </linux:systemdunitproperty_state>
-        <linux:systemdunitdependency_state id="oval:ssg-state_systemd_cron_on:ste:1" comment="cron listed at least once in the dependencies" version="1">
-          <linux:dependency entity_check="at least one">cron.service</linux:dependency>
-        </linux:systemdunitdependency_state>
-        <linux:systemdunitdependency_state id="oval:ssg-state_systemd_cron_socket_on:ste:1" comment="cron listed at least once in the dependencies" version="1">
-          <linux:dependency entity_check="at least one">cron.socket</linux:dependency>
-        </linux:systemdunitdependency_state>
-        <linux:systemdunitproperty_state id="oval:ssg-state_service_running_cron:ste:1" version="1" comment="cron is running">
-          <linux:value>active</linux:value>
-        </linux:systemdunitproperty_state>
-        <linux:systemdunitproperty_state id="oval:ssg-state_service_not_running_debug-shell:ste:1" version="1" comment="debug-shell is not running">
-          <linux:value operation="pattern match">inactive|failed</linux:value>
-        </linux:systemdunitproperty_state>
-        <linux:systemdunitproperty_state id="oval:ssg-state_service_loadstate_is_masked_debug-shell:ste:1" version="1" comment="LoadState is set to masked">
-          <linux:value>masked</linux:value>
-        </linux:systemdunitproperty_state>
-        <linux:systemdunitdependency_state id="oval:ssg-state_systemd_fapolicyd_on:ste:1" comment="fapolicyd listed at least once in the dependencies" version="1">
-          <linux:dependency entity_check="at least one">fapolicyd.service</linux:dependency>
-        </linux:systemdunitdependency_state>
-        <linux:systemdunitdependency_state id="oval:ssg-state_systemd_fapolicyd_socket_on:ste:1" comment="fapolicyd listed at least once in the dependencies" version="1">
-          <linux:dependency entity_check="at least one">fapolicyd.socket</linux:dependency>
-        </linux:systemdunitdependency_state>
-        <linux:systemdunitproperty_state id="oval:ssg-state_service_running_fapolicyd:ste:1" version="1" comment="fapolicyd is running">
-          <linux:value>active</linux:value>
-        </linux:systemdunitproperty_state>
-        <linux:systemdunitdependency_state id="oval:ssg-state_systemd_firewalld_on:ste:1" comment="firewalld listed at least once in the dependencies" version="1">
-          <linux:dependency entity_check="at least one">firewalld.service</linux:dependency>
-        </linux:systemdunitdependency_state>
-        <linux:systemdunitdependency_state id="oval:ssg-state_systemd_firewalld_socket_on:ste:1" comment="firewalld listed at least once in the dependencies" version="1">
-          <linux:dependency entity_check="at least one">firewalld.socket</linux:dependency>
-        </linux:systemdunitdependency_state>
-        <linux:systemdunitproperty_state id="oval:ssg-state_service_running_firewalld:ste:1" version="1" comment="firewalld is running">
-          <linux:value>active</linux:value>
-        </linux:systemdunitproperty_state>
-        <linux:systemdunitdependency_state id="oval:ssg-state_systemd_ip6tables_on:ste:1" comment="ip6tables listed at least once in the dependencies" version="1">
-          <linux:dependency entity_check="at least one">ip6tables.service</linux:dependency>
-        </linux:systemdunitdependency_state>
-        <linux:systemdunitdependency_state id="oval:ssg-state_systemd_ip6tables_socket_on:ste:1" comment="ip6tables listed at least once in the dependencies" version="1">
-          <linux:dependency entity_check="at least one">ip6tables.socket</linux:dependency>
-        </linux:systemdunitdependency_state>
-        <linux:systemdunitproperty_state id="oval:ssg-state_service_running_ip6tables:ste:1" version="1" comment="ip6tables is running">
-          <linux:value>active</linux:value>
-        </linux:systemdunitproperty_state>
-        <linux:systemdunitdependency_state id="oval:ssg-state_systemd_iptables_on:ste:1" comment="iptables listed at least once in the dependencies" version="1">
-          <linux:dependency entity_check="at least one">iptables.service</linux:dependency>
-        </linux:systemdunitdependency_state>
-        <linux:systemdunitdependency_state id="oval:ssg-state_systemd_iptables_socket_on:ste:1" comment="iptables listed at least once in the dependencies" version="1">
-          <linux:dependency entity_check="at least one">iptables.socket</linux:dependency>
-        </linux:systemdunitdependency_state>
-        <linux:systemdunitproperty_state id="oval:ssg-state_service_running_iptables:ste:1" version="1" comment="iptables is running">
-          <linux:value>active</linux:value>
-        </linux:systemdunitproperty_state>
-        <linux:systemdunitproperty_state id="oval:ssg-state_service_not_running_netfs:ste:1" version="1" comment="netfs is not running">
-          <linux:value operation="pattern match">inactive|failed</linux:value>
-        </linux:systemdunitproperty_state>
-        <linux:systemdunitproperty_state id="oval:ssg-state_service_loadstate_is_masked_netfs:ste:1" version="1" comment="LoadState is set to masked">
-          <linux:value>masked</linux:value>
-        </linux:systemdunitproperty_state>
-        <linux:systemdunitdependency_state id="oval:ssg-state_systemd_ntp_on:ste:1" comment="ntp listed at least once in the dependencies" version="1">
-          <linux:dependency entity_check="at least one">ntp.service</linux:dependency>
-        </linux:systemdunitdependency_state>
-        <linux:systemdunitdependency_state id="oval:ssg-state_systemd_ntp_socket_on:ste:1" comment="ntp listed at least once in the dependencies" version="1">
-          <linux:dependency entity_check="at least one">ntp.socket</linux:dependency>
-        </linux:systemdunitdependency_state>
-        <linux:systemdunitproperty_state id="oval:ssg-state_service_running_ntp:ste:1" version="1" comment="ntp is running">
-          <linux:value>active</linux:value>
-        </linux:systemdunitproperty_state>
-        <linux:systemdunitdependency_state id="oval:ssg-state_systemd_ntpd_on:ste:1" comment="ntpd listed at least once in the dependencies" version="1">
-          <linux:dependency entity_check="at least one">ntpd.service</linux:dependency>
-        </linux:systemdunitdependency_state>
-        <linux:systemdunitdependency_state id="oval:ssg-state_systemd_ntpd_socket_on:ste:1" comment="ntpd listed at least once in the dependencies" version="1">
-          <linux:dependency entity_check="at least one">ntpd.socket</linux:dependency>
-        </linux:systemdunitdependency_state>
-        <linux:systemdunitproperty_state id="oval:ssg-state_service_running_ntpd:ste:1" version="1" comment="ntpd is running">
-          <linux:value>active</linux:value>
-        </linux:systemdunitproperty_state>
-        <linux:systemdunitdependency_state id="oval:ssg-state_systemd_rngd_on:ste:1" comment="rngd listed at least once in the dependencies" version="1">
-          <linux:dependency entity_check="at least one">rngd.service</linux:dependency>
-        </linux:systemdunitdependency_state>
-        <linux:systemdunitdependency_state id="oval:ssg-state_systemd_rngd_socket_on:ste:1" comment="rngd listed at least once in the dependencies" version="1">
-          <linux:dependency entity_check="at least one">rngd.socket</linux:dependency>
-        </linux:systemdunitdependency_state>
-        <linux:systemdunitproperty_state id="oval:ssg-state_service_running_rngd:ste:1" version="1" comment="rngd is running">
-          <linux:value>active</linux:value>
-        </linux:systemdunitproperty_state>
-        <linux:systemdunitdependency_state id="oval:ssg-state_systemd_rsyslog_on:ste:1" comment="rsyslog listed at least once in the dependencies" version="1">
-          <linux:dependency entity_check="at least one">rsyslog.service</linux:dependency>
-        </linux:systemdunitdependency_state>
-        <linux:systemdunitdependency_state id="oval:ssg-state_systemd_rsyslog_socket_on:ste:1" comment="rsyslog listed at least once in the dependencies" version="1">
-          <linux:dependency entity_check="at least one">rsyslog.socket</linux:dependency>
-        </linux:systemdunitdependency_state>
-        <linux:systemdunitproperty_state id="oval:ssg-state_service_running_rsyslog:ste:1" version="1" comment="rsyslog is running">
-          <linux:value>active</linux:value>
-        </linux:systemdunitproperty_state>
-        <linux:systemdunitproperty_state id="oval:ssg-state_service_not_running_sshd:ste:1" version="1" comment="sshd is not running">
-          <linux:value operation="pattern match">inactive|failed</linux:value>
-        </linux:systemdunitproperty_state>
-        <linux:systemdunitproperty_state id="oval:ssg-state_service_loadstate_is_masked_sshd:ste:1" version="1" comment="LoadState is set to masked">
-          <linux:value>masked</linux:value>
-        </linux:systemdunitproperty_state>
-        <linux:systemdunitproperty_state id="oval:ssg-state_service_not_running_syslog:ste:1" version="1" comment="syslog is not running">
-          <linux:value operation="pattern match">inactive|failed</linux:value>
-        </linux:systemdunitproperty_state>
-        <linux:systemdunitproperty_state id="oval:ssg-state_service_loadstate_is_masked_syslog:ste:1" version="1" comment="LoadState is set to masked">
-          <linux:value>masked</linux:value>
-        </linux:systemdunitproperty_state>
-        <linux:systemdunitdependency_state id="oval:ssg-state_systemd_syslog-ng_on:ste:1" comment="syslog-ng listed at least once in the dependencies" version="1">
-          <linux:dependency entity_check="at least one">syslog-ng.service</linux:dependency>
-        </linux:systemdunitdependency_state>
-        <linux:systemdunitdependency_state id="oval:ssg-state_systemd_syslog-ng_socket_on:ste:1" comment="syslog-ng listed at least once in the dependencies" version="1">
-          <linux:dependency entity_check="at least one">syslog-ng.socket</linux:dependency>
-        </linux:systemdunitdependency_state>
-        <linux:systemdunitproperty_state id="oval:ssg-state_service_running_syslog-ng:ste:1" version="1" comment="syslog-ng is running">
-          <linux:value>active</linux:value>
-        </linux:systemdunitproperty_state>
-        <linux:systemdunitproperty_state id="oval:ssg-state_service_not_running_systemd-coredump:ste:1" version="1" comment="systemd-coredump is not running">
-          <linux:value operation="pattern match">inactive|failed</linux:value>
-        </linux:systemdunitproperty_state>
-        <linux:systemdunitproperty_state id="oval:ssg-state_service_loadstate_is_masked_systemd-coredump:ste:1" version="1" comment="LoadState is set to masked">
-          <linux:value>masked</linux:value>
-        </linux:systemdunitproperty_state>
-        <linux:systemdunitdependency_state id="oval:ssg-state_systemd_systemd-journald_on:ste:1" comment="systemd-journald listed at least once in the dependencies" version="1">
-          <linux:dependency entity_check="at least one">systemd-journald.service</linux:dependency>
-        </linux:systemdunitdependency_state>
-        <linux:systemdunitdependency_state id="oval:ssg-state_systemd_systemd-journald_socket_on:ste:1" comment="systemd-journald listed at least once in the dependencies" version="1">
-          <linux:dependency entity_check="at least one">systemd-journald.socket</linux:dependency>
-        </linux:systemdunitdependency_state>
-        <linux:systemdunitproperty_state id="oval:ssg-state_service_running_systemd-journald:ste:1" version="1" comment="systemd-journald is running">
-          <linux:value>active</linux:value>
-        </linux:systemdunitproperty_state>
-        <linux:systemdunitdependency_state id="oval:ssg-state_systemd_ufw_on:ste:1" comment="ufw listed at least once in the dependencies" version="1">
-          <linux:dependency entity_check="at least one">ufw.service</linux:dependency>
-        </linux:systemdunitdependency_state>
-        <linux:systemdunitdependency_state id="oval:ssg-state_systemd_ufw_socket_on:ste:1" comment="ufw listed at least once in the dependencies" version="1">
-          <linux:dependency entity_check="at least one">ufw.socket</linux:dependency>
-        </linux:systemdunitdependency_state>
-        <linux:systemdunitproperty_state id="oval:ssg-state_service_running_ufw:ste:1" version="1" comment="ufw is running">
-          <linux:value>active</linux:value>
-        </linux:systemdunitproperty_state>
-        <linux:systemdunitdependency_state id="oval:ssg-state_systemd_usbguard_on:ste:1" comment="usbguard listed at least once in the dependencies" version="1">
-          <linux:dependency entity_check="at least one">usbguard.service</linux:dependency>
-        </linux:systemdunitdependency_state>
-        <linux:systemdunitdependency_state id="oval:ssg-state_systemd_usbguard_socket_on:ste:1" comment="usbguard listed at least once in the dependencies" version="1">
-          <linux:dependency entity_check="at least one">usbguard.socket</linux:dependency>
-        </linux:systemdunitdependency_state>
-        <linux:systemdunitproperty_state id="oval:ssg-state_service_running_usbguard:ste:1" version="1" comment="usbguard is running">
-          <linux:value>active</linux:value>
-        </linux:systemdunitproperty_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_sshd_disable_empty_passwords:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^no$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_sshd_disable_gssapi_auth:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^no$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_sshd_disable_kerb_auth:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^no$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_sshd_disable_pubkey_auth:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^no$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_sshd_disable_rhosts:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^yes$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_sshd_disable_root_login:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^no$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_sshd_disable_root_password_login:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^prohibit-password$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_sshd_disable_tcp_forwarding:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^no$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_sshd_disable_user_known_hosts:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^yes$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_sshd_disable_x11_forwarding:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^no$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_sshd_do_not_permit_user_env:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^no$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_sshd_enable_gssapi_auth:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^yes$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_sshd_enable_pam:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^yes$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_sshd_enable_pubkey_auth:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^yes$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_sshd_enable_strictmodes:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^yes$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_sshd_enable_warning_banner:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^/etc/issue$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_sshd_enable_warning_banner_net:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^/etc/issue.net$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_sshd_enable_x11_forwarding:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^yes$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_sshd_print_last_log:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^yes$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_sshd_set_keepalive_0:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^0$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_sshd_set_loglevel_info:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^INFO$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_sshd_set_loglevel_verbose:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^VERBOSE$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_logfile_sudoers:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="equals" var_ref="oval:ssg-var_sudo_logfile:var:1"/>
-        </ind:textfilecontent54_state>
-        <unix:sysctl_state id="oval:ssg-state_sysctl_fs_protected_hardlinks_runtime:ste:1" version="1">
-          <unix:value datatype="int" operation="equals">1</unix:value>
-        </unix:sysctl_state>
-        <ind:variable_state id="oval:ssg-state_sysctl_fs_protected_hardlinks_defined_in_one_file:ste:1" version="1">
-          <ind:value operation="equals" datatype="int">1</ind:value>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_sysctl_fs_protected_hardlinks_filepath_is_symlink:ste:1" version="1">
-          <ind:filepath operation="equals" var_check="at least one" var_ref="oval:ssg-local_var_sysctl_fs_protected_hardlinks_safe_symlinks:var:1" datatype="string"/>
-        </ind:textfilecontent54_state>
-        <unix:symlink_state comment="State that matches symlinks referencing files not in the default dirs" id="oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_fs_protected_hardlinks:ste:1" version="1">
-          <unix:canonical_path operation="pattern match">^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$</unix:canonical_path>
-        </unix:symlink_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_static_sysctld_sysctl_fs_protected_hardlinks:ste:1" version="1">
-          <ind:subexpression operation="equals" datatype="int">1</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <unix:sysctl_state id="oval:ssg-state_sysctl_fs_protected_symlinks_runtime:ste:1" version="1">
-          <unix:value datatype="int" operation="equals">1</unix:value>
-        </unix:sysctl_state>
-        <ind:variable_state id="oval:ssg-state_sysctl_fs_protected_symlinks_defined_in_one_file:ste:1" version="1">
-          <ind:value operation="equals" datatype="int">1</ind:value>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_sysctl_fs_protected_symlinks_filepath_is_symlink:ste:1" version="1">
-          <ind:filepath operation="equals" var_check="at least one" var_ref="oval:ssg-local_var_sysctl_fs_protected_symlinks_safe_symlinks:var:1" datatype="string"/>
-        </ind:textfilecontent54_state>
-        <unix:symlink_state comment="State that matches symlinks referencing files not in the default dirs" id="oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_fs_protected_symlinks:ste:1" version="1">
-          <unix:canonical_path operation="pattern match">^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$</unix:canonical_path>
-        </unix:symlink_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_static_sysctld_sysctl_fs_protected_symlinks:ste:1" version="1">
-          <ind:subexpression operation="equals" datatype="int">1</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <unix:sysctl_state id="oval:ssg-state_sysctl_fs_suid_dumpable_runtime:ste:1" version="1">
-          <unix:value datatype="int" operation="equals">0</unix:value>
-        </unix:sysctl_state>
-        <ind:variable_state id="oval:ssg-state_sysctl_fs_suid_dumpable_defined_in_one_file:ste:1" version="1">
-          <ind:value operation="equals" datatype="int">1</ind:value>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_sysctl_fs_suid_dumpable_filepath_is_symlink:ste:1" version="1">
-          <ind:filepath operation="equals" var_check="at least one" var_ref="oval:ssg-local_var_sysctl_fs_suid_dumpable_safe_symlinks:var:1" datatype="string"/>
-        </ind:textfilecontent54_state>
-        <unix:symlink_state comment="State that matches symlinks referencing files not in the default dirs" id="oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_fs_suid_dumpable:ste:1" version="1">
-          <unix:canonical_path operation="pattern match">^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$</unix:canonical_path>
-        </unix:symlink_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_static_sysctld_sysctl_fs_suid_dumpable:ste:1" version="1">
-          <ind:subexpression operation="equals" datatype="int">0</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <unix:sysctl_state id="oval:ssg-state_sysctl_kernel_core_pattern_runtime:ste:1" version="1">
-          <unix:value datatype="string" operation="equals">|/bin/false</unix:value>
-        </unix:sysctl_state>
-        <ind:variable_state id="oval:ssg-state_sysctl_kernel_core_pattern_defined_in_one_file:ste:1" version="1">
-          <ind:value operation="equals" datatype="int">1</ind:value>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_sysctl_kernel_core_pattern_filepath_is_symlink:ste:1" version="1">
-          <ind:filepath operation="equals" var_check="at least one" var_ref="oval:ssg-local_var_sysctl_kernel_core_pattern_safe_symlinks:var:1" datatype="string"/>
-        </ind:textfilecontent54_state>
-        <unix:symlink_state comment="State that matches symlinks referencing files not in the default dirs" id="oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_kernel_core_pattern:ste:1" version="1">
-          <unix:canonical_path operation="pattern match">^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$</unix:canonical_path>
-        </unix:symlink_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_static_sysctld_sysctl_kernel_core_pattern:ste:1" version="1">
-          <ind:subexpression operation="equals" datatype="string">|/bin/false</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <unix:sysctl_state id="oval:ssg-state_sysctl_kernel_core_pattern_empty_string_runtime:ste:1" version="1">
-          <unix:value datatype="string" operation="equals">''</unix:value>
-        </unix:sysctl_state>
-        <ind:variable_state id="oval:ssg-state_sysctl_kernel_core_pattern_empty_string_defined_in_one_file:ste:1" version="1">
-          <ind:value operation="equals" datatype="int">1</ind:value>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_sysctl_kernel_core_pattern_empty_string_filepath_is_symlink:ste:1" version="1">
-          <ind:filepath operation="equals" var_check="at least one" var_ref="oval:ssg-local_var_sysctl_kernel_core_pattern_empty_string_safe_symlinks:var:1" datatype="string"/>
-        </ind:textfilecontent54_state>
-        <unix:symlink_state comment="State that matches symlinks referencing files not in the default dirs" id="oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_kernel_core_pattern_empty_string:ste:1" version="1">
-          <unix:canonical_path operation="pattern match">^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$</unix:canonical_path>
-        </unix:symlink_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_static_sysctld_sysctl_kernel_core_pattern_empty_string:ste:1" version="1">
-          <ind:subexpression operation="equals" datatype="string">''</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <unix:sysctl_state id="oval:ssg-state_sysctl_kernel_core_uses_pid_runtime:ste:1" version="1">
-          <unix:value datatype="int" operation="equals">0</unix:value>
-        </unix:sysctl_state>
-        <ind:variable_state id="oval:ssg-state_sysctl_kernel_core_uses_pid_defined_in_one_file:ste:1" version="1">
-          <ind:value operation="equals" datatype="int">1</ind:value>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_sysctl_kernel_core_uses_pid_filepath_is_symlink:ste:1" version="1">
-          <ind:filepath operation="equals" var_check="at least one" var_ref="oval:ssg-local_var_sysctl_kernel_core_uses_pid_safe_symlinks:var:1" datatype="string"/>
-        </ind:textfilecontent54_state>
-        <unix:symlink_state comment="State that matches symlinks referencing files not in the default dirs" id="oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_kernel_core_uses_pid:ste:1" version="1">
-          <unix:canonical_path operation="pattern match">^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$</unix:canonical_path>
-        </unix:symlink_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_static_sysctld_sysctl_kernel_core_uses_pid:ste:1" version="1">
-          <ind:subexpression operation="equals" datatype="int">0</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <unix:sysctl_state id="oval:ssg-state_sysctl_kernel_dmesg_restrict_runtime:ste:1" version="1">
-          <unix:value datatype="int" operation="equals">1</unix:value>
-        </unix:sysctl_state>
-        <ind:variable_state id="oval:ssg-state_sysctl_kernel_dmesg_restrict_defined_in_one_file:ste:1" version="1">
-          <ind:value operation="equals" datatype="int">1</ind:value>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_sysctl_kernel_dmesg_restrict_filepath_is_symlink:ste:1" version="1">
-          <ind:filepath operation="equals" var_check="at least one" var_ref="oval:ssg-local_var_sysctl_kernel_dmesg_restrict_safe_symlinks:var:1" datatype="string"/>
-        </ind:textfilecontent54_state>
-        <unix:symlink_state comment="State that matches symlinks referencing files not in the default dirs" id="oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_kernel_dmesg_restrict:ste:1" version="1">
-          <unix:canonical_path operation="pattern match">^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$</unix:canonical_path>
-        </unix:symlink_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_static_sysctld_sysctl_kernel_dmesg_restrict:ste:1" version="1">
-          <ind:subexpression operation="equals" datatype="int">1</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <unix:sysctl_state id="oval:ssg-state_sysctl_kernel_kexec_load_disabled_runtime:ste:1" version="1">
-          <unix:value datatype="int" operation="equals">1</unix:value>
-        </unix:sysctl_state>
-        <ind:variable_state id="oval:ssg-state_sysctl_kernel_kexec_load_disabled_defined_in_one_file:ste:1" version="1">
-          <ind:value operation="equals" datatype="int">1</ind:value>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_sysctl_kernel_kexec_load_disabled_filepath_is_symlink:ste:1" version="1">
-          <ind:filepath operation="equals" var_check="at least one" var_ref="oval:ssg-local_var_sysctl_kernel_kexec_load_disabled_safe_symlinks:var:1" datatype="string"/>
-        </ind:textfilecontent54_state>
-        <unix:symlink_state comment="State that matches symlinks referencing files not in the default dirs" id="oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_kernel_kexec_load_disabled:ste:1" version="1">
-          <unix:canonical_path operation="pattern match">^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$</unix:canonical_path>
-        </unix:symlink_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_static_sysctld_sysctl_kernel_kexec_load_disabled:ste:1" version="1">
-          <ind:subexpression operation="equals" datatype="int">1</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <unix:sysctl_state id="oval:ssg-state_sysctl_kernel_kptr_restrict_runtime:ste:1" version="1">
-          <unix:value datatype="int" operation="equals" var_ref="oval:ssg-sysctl_kernel_kptr_restrict_value:var:1"/>
-        </unix:sysctl_state>
-        <ind:variable_state id="oval:ssg-state_sysctl_kernel_kptr_restrict_defined_in_one_file:ste:1" version="1">
-          <ind:value operation="equals" datatype="int">1</ind:value>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_sysctl_kernel_kptr_restrict_filepath_is_symlink:ste:1" version="1">
-          <ind:filepath operation="equals" var_check="at least one" var_ref="oval:ssg-local_var_sysctl_kernel_kptr_restrict_safe_symlinks:var:1" datatype="string"/>
-        </ind:textfilecontent54_state>
-        <unix:symlink_state comment="State that matches symlinks referencing files not in the default dirs" id="oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_kernel_kptr_restrict:ste:1" version="1">
-          <unix:canonical_path operation="pattern match">^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$</unix:canonical_path>
-        </unix:symlink_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_static_sysctld_sysctl_kernel_kptr_restrict:ste:1" version="1">
-          <ind:subexpression operation="equals" var_ref="oval:ssg-sysctl_kernel_kptr_restrict_value:var:1" datatype="int"/>
-        </ind:textfilecontent54_state>
-        <unix:sysctl_state id="oval:ssg-state_sysctl_kernel_panic_on_oops_runtime:ste:1" version="1">
-          <unix:value datatype="int" operation="equals">1</unix:value>
-        </unix:sysctl_state>
-        <ind:variable_state id="oval:ssg-state_sysctl_kernel_panic_on_oops_defined_in_one_file:ste:1" version="1">
-          <ind:value operation="equals" datatype="int">1</ind:value>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_sysctl_kernel_panic_on_oops_filepath_is_symlink:ste:1" version="1">
-          <ind:filepath operation="equals" var_check="at least one" var_ref="oval:ssg-local_var_sysctl_kernel_panic_on_oops_safe_symlinks:var:1" datatype="string"/>
-        </ind:textfilecontent54_state>
-        <unix:symlink_state comment="State that matches symlinks referencing files not in the default dirs" id="oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_kernel_panic_on_oops:ste:1" version="1">
-          <unix:canonical_path operation="pattern match">^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$</unix:canonical_path>
-        </unix:symlink_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_static_sysctld_sysctl_kernel_panic_on_oops:ste:1" version="1">
-          <ind:subexpression operation="equals" datatype="int">1</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <unix:sysctl_state id="oval:ssg-state_sysctl_kernel_perf_event_paranoid_runtime:ste:1" version="1">
-          <unix:value datatype="int" operation="equals">2</unix:value>
-        </unix:sysctl_state>
-        <ind:variable_state id="oval:ssg-state_sysctl_kernel_perf_event_paranoid_defined_in_one_file:ste:1" version="1">
-          <ind:value operation="equals" datatype="int">1</ind:value>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_sysctl_kernel_perf_event_paranoid_filepath_is_symlink:ste:1" version="1">
-          <ind:filepath operation="equals" var_check="at least one" var_ref="oval:ssg-local_var_sysctl_kernel_perf_event_paranoid_safe_symlinks:var:1" datatype="string"/>
-        </ind:textfilecontent54_state>
-        <unix:symlink_state comment="State that matches symlinks referencing files not in the default dirs" id="oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_kernel_perf_event_paranoid:ste:1" version="1">
-          <unix:canonical_path operation="pattern match">^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$</unix:canonical_path>
-        </unix:symlink_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_static_sysctld_sysctl_kernel_perf_event_paranoid:ste:1" version="1">
-          <ind:subexpression operation="equals" datatype="int">2</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <unix:sysctl_state id="oval:ssg-state_sysctl_kernel_randomize_va_space_runtime:ste:1" version="1">
-          <unix:value datatype="int" operation="equals">2</unix:value>
-        </unix:sysctl_state>
-        <ind:variable_state id="oval:ssg-state_sysctl_kernel_randomize_va_space_defined_in_one_file:ste:1" version="1">
-          <ind:value operation="equals" datatype="int">1</ind:value>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_sysctl_kernel_randomize_va_space_filepath_is_symlink:ste:1" version="1">
-          <ind:filepath operation="equals" var_check="at least one" var_ref="oval:ssg-local_var_sysctl_kernel_randomize_va_space_safe_symlinks:var:1" datatype="string"/>
-        </ind:textfilecontent54_state>
-        <unix:symlink_state comment="State that matches symlinks referencing files not in the default dirs" id="oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_kernel_randomize_va_space:ste:1" version="1">
-          <unix:canonical_path operation="pattern match">^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$</unix:canonical_path>
-        </unix:symlink_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_static_sysctld_sysctl_kernel_randomize_va_space:ste:1" version="1">
-          <ind:subexpression operation="equals" datatype="int">2</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <unix:sysctl_state id="oval:ssg-state_sysctl_kernel_unprivileged_bpf_disabled_runtime:ste:1" version="1">
-          <unix:value datatype="int" operation="equals">1</unix:value>
-        </unix:sysctl_state>
-        <ind:variable_state id="oval:ssg-state_sysctl_kernel_unprivileged_bpf_disabled_defined_in_one_file:ste:1" version="1">
-          <ind:value operation="equals" datatype="int">1</ind:value>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_sysctl_kernel_unprivileged_bpf_disabled_filepath_is_symlink:ste:1" version="1">
-          <ind:filepath operation="equals" var_check="at least one" var_ref="oval:ssg-local_var_sysctl_kernel_unprivileged_bpf_disabled_safe_symlinks:var:1" datatype="string"/>
-        </ind:textfilecontent54_state>
-        <unix:symlink_state comment="State that matches symlinks referencing files not in the default dirs" id="oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_kernel_unprivileged_bpf_disabled:ste:1" version="1">
-          <unix:canonical_path operation="pattern match">^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$</unix:canonical_path>
-        </unix:symlink_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_static_sysctld_sysctl_kernel_unprivileged_bpf_disabled:ste:1" version="1">
-          <ind:subexpression operation="equals" datatype="int">1</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <unix:sysctl_state id="oval:ssg-state_sysctl_kernel_yama_ptrace_scope_runtime:ste:1" version="1">
-          <unix:value datatype="int" operation="equals">1</unix:value>
-        </unix:sysctl_state>
-        <ind:variable_state id="oval:ssg-state_sysctl_kernel_yama_ptrace_scope_defined_in_one_file:ste:1" version="1">
-          <ind:value operation="equals" datatype="int">1</ind:value>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_sysctl_kernel_yama_ptrace_scope_filepath_is_symlink:ste:1" version="1">
-          <ind:filepath operation="equals" var_check="at least one" var_ref="oval:ssg-local_var_sysctl_kernel_yama_ptrace_scope_safe_symlinks:var:1" datatype="string"/>
-        </ind:textfilecontent54_state>
-        <unix:symlink_state comment="State that matches symlinks referencing files not in the default dirs" id="oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_kernel_yama_ptrace_scope:ste:1" version="1">
-          <unix:canonical_path operation="pattern match">^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$</unix:canonical_path>
-        </unix:symlink_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_static_sysctld_sysctl_kernel_yama_ptrace_scope:ste:1" version="1">
-          <ind:subexpression operation="equals" datatype="int">1</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <unix:sysctl_state id="oval:ssg-state_sysctl_net_core_bpf_jit_harden_runtime:ste:1" version="1">
-          <unix:value datatype="int" operation="equals">2</unix:value>
-        </unix:sysctl_state>
-        <ind:variable_state id="oval:ssg-state_sysctl_net_core_bpf_jit_harden_defined_in_one_file:ste:1" version="1">
-          <ind:value operation="equals" datatype="int">1</ind:value>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_sysctl_net_core_bpf_jit_harden_filepath_is_symlink:ste:1" version="1">
-          <ind:filepath operation="equals" var_check="at least one" var_ref="oval:ssg-local_var_sysctl_net_core_bpf_jit_harden_safe_symlinks:var:1" datatype="string"/>
-        </ind:textfilecontent54_state>
-        <unix:symlink_state comment="State that matches symlinks referencing files not in the default dirs" id="oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_net_core_bpf_jit_harden:ste:1" version="1">
-          <unix:canonical_path operation="pattern match">^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$</unix:canonical_path>
-        </unix:symlink_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_static_sysctld_sysctl_net_core_bpf_jit_harden:ste:1" version="1">
-          <ind:subexpression operation="equals" datatype="int">2</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <unix:sysctl_state id="oval:ssg-state_sysctl_net_ipv4_conf_all_accept_local_runtime:ste:1" version="1">
-          <unix:value datatype="int" operation="equals">0</unix:value>
-        </unix:sysctl_state>
-        <ind:variable_state id="oval:ssg-state_sysctl_net_ipv4_conf_all_accept_local_defined_in_one_file:ste:1" version="1">
-          <ind:value operation="equals" datatype="int">1</ind:value>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_sysctl_net_ipv4_conf_all_accept_local_filepath_is_symlink:ste:1" version="1">
-          <ind:filepath operation="equals" var_check="at least one" var_ref="oval:ssg-local_var_sysctl_net_ipv4_conf_all_accept_local_safe_symlinks:var:1" datatype="string"/>
-        </ind:textfilecontent54_state>
-        <unix:symlink_state comment="State that matches symlinks referencing files not in the default dirs" id="oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_net_ipv4_conf_all_accept_local:ste:1" version="1">
-          <unix:canonical_path operation="pattern match">^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$</unix:canonical_path>
-        </unix:symlink_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_static_sysctld_sysctl_net_ipv4_conf_all_accept_local:ste:1" version="1">
-          <ind:subexpression operation="equals" datatype="int">0</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <unix:sysctl_state id="oval:ssg-state_sysctl_net_ipv4_conf_all_accept_redirects_runtime:ste:1" version="1">
-          <unix:value datatype="int" operation="equals" var_ref="oval:ssg-sysctl_net_ipv4_conf_all_accept_redirects_value:var:1"/>
-        </unix:sysctl_state>
-        <ind:variable_state id="oval:ssg-state_sysctl_net_ipv4_conf_all_accept_redirects_defined_in_one_file:ste:1" version="1">
-          <ind:value operation="equals" datatype="int">1</ind:value>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_sysctl_net_ipv4_conf_all_accept_redirects_filepath_is_symlink:ste:1" version="1">
-          <ind:filepath operation="equals" var_check="at least one" var_ref="oval:ssg-local_var_sysctl_net_ipv4_conf_all_accept_redirects_safe_symlinks:var:1" datatype="string"/>
-        </ind:textfilecontent54_state>
-        <unix:symlink_state comment="State that matches symlinks referencing files not in the default dirs" id="oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_net_ipv4_conf_all_accept_redirects:ste:1" version="1">
-          <unix:canonical_path operation="pattern match">^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$</unix:canonical_path>
-        </unix:symlink_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_static_sysctld_sysctl_net_ipv4_conf_all_accept_redirects:ste:1" version="1">
-          <ind:subexpression operation="equals" var_ref="oval:ssg-sysctl_net_ipv4_conf_all_accept_redirects_value:var:1" datatype="int"/>
-        </ind:textfilecontent54_state>
-        <unix:sysctl_state id="oval:ssg-state_sysctl_net_ipv4_conf_all_accept_source_route_runtime:ste:1" version="1">
-          <unix:value datatype="int" operation="equals" var_ref="oval:ssg-sysctl_net_ipv4_conf_all_accept_source_route_value:var:1"/>
-        </unix:sysctl_state>
-        <ind:variable_state id="oval:ssg-state_sysctl_net_ipv4_conf_all_accept_source_route_defined_in_one_file:ste:1" version="1">
-          <ind:value operation="equals" datatype="int">1</ind:value>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_sysctl_net_ipv4_conf_all_accept_source_route_filepath_is_symlink:ste:1" version="1">
-          <ind:filepath operation="equals" var_check="at least one" var_ref="oval:ssg-local_var_sysctl_net_ipv4_conf_all_accept_source_route_safe_symlinks:var:1" datatype="string"/>
-        </ind:textfilecontent54_state>
-        <unix:symlink_state comment="State that matches symlinks referencing files not in the default dirs" id="oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_net_ipv4_conf_all_accept_source_route:ste:1" version="1">
-          <unix:canonical_path operation="pattern match">^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$</unix:canonical_path>
-        </unix:symlink_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_static_sysctld_sysctl_net_ipv4_conf_all_accept_source_route:ste:1" version="1">
-          <ind:subexpression operation="equals" var_ref="oval:ssg-sysctl_net_ipv4_conf_all_accept_source_route_value:var:1" datatype="int"/>
-        </ind:textfilecontent54_state>
-        <unix:sysctl_state id="oval:ssg-state_sysctl_net_ipv4_conf_all_arp_filter_runtime:ste:1" version="1">
-          <unix:value datatype="int" operation="equals" var_ref="oval:ssg-sysctl_net_ipv4_conf_all_arp_filter_value:var:1"/>
-        </unix:sysctl_state>
-        <ind:variable_state id="oval:ssg-state_sysctl_net_ipv4_conf_all_arp_filter_defined_in_one_file:ste:1" version="1">
-          <ind:value operation="equals" datatype="int">1</ind:value>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_sysctl_net_ipv4_conf_all_arp_filter_filepath_is_symlink:ste:1" version="1">
-          <ind:filepath operation="equals" var_check="at least one" var_ref="oval:ssg-local_var_sysctl_net_ipv4_conf_all_arp_filter_safe_symlinks:var:1" datatype="string"/>
-        </ind:textfilecontent54_state>
-        <unix:symlink_state comment="State that matches symlinks referencing files not in the default dirs" id="oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_net_ipv4_conf_all_arp_filter:ste:1" version="1">
-          <unix:canonical_path operation="pattern match">^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$</unix:canonical_path>
-        </unix:symlink_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_static_sysctld_sysctl_net_ipv4_conf_all_arp_filter:ste:1" version="1">
-          <ind:subexpression operation="equals" var_ref="oval:ssg-sysctl_net_ipv4_conf_all_arp_filter_value:var:1" datatype="int"/>
-        </ind:textfilecontent54_state>
-        <unix:sysctl_state id="oval:ssg-state_sysctl_net_ipv4_conf_all_arp_ignore_runtime:ste:1" version="1">
-          <unix:value datatype="int" operation="equals" var_ref="oval:ssg-sysctl_net_ipv4_conf_all_arp_ignore_value:var:1"/>
-        </unix:sysctl_state>
-        <ind:variable_state id="oval:ssg-state_sysctl_net_ipv4_conf_all_arp_ignore_defined_in_one_file:ste:1" version="1">
-          <ind:value operation="equals" datatype="int">1</ind:value>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_sysctl_net_ipv4_conf_all_arp_ignore_filepath_is_symlink:ste:1" version="1">
-          <ind:filepath operation="equals" var_check="at least one" var_ref="oval:ssg-local_var_sysctl_net_ipv4_conf_all_arp_ignore_safe_symlinks:var:1" datatype="string"/>
-        </ind:textfilecontent54_state>
-        <unix:symlink_state comment="State that matches symlinks referencing files not in the default dirs" id="oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_net_ipv4_conf_all_arp_ignore:ste:1" version="1">
-          <unix:canonical_path operation="pattern match">^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$</unix:canonical_path>
-        </unix:symlink_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_static_sysctld_sysctl_net_ipv4_conf_all_arp_ignore:ste:1" version="1">
-          <ind:subexpression operation="equals" var_ref="oval:ssg-sysctl_net_ipv4_conf_all_arp_ignore_value:var:1" datatype="int"/>
-        </ind:textfilecontent54_state>
-        <unix:sysctl_state id="oval:ssg-state_sysctl_net_ipv4_conf_all_log_martians_runtime:ste:1" version="1">
-          <unix:value datatype="int" operation="equals" var_ref="oval:ssg-sysctl_net_ipv4_conf_all_log_martians_value:var:1"/>
-        </unix:sysctl_state>
-        <ind:variable_state id="oval:ssg-state_sysctl_net_ipv4_conf_all_log_martians_defined_in_one_file:ste:1" version="1">
-          <ind:value operation="equals" datatype="int">1</ind:value>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_sysctl_net_ipv4_conf_all_log_martians_filepath_is_symlink:ste:1" version="1">
-          <ind:filepath operation="equals" var_check="at least one" var_ref="oval:ssg-local_var_sysctl_net_ipv4_conf_all_log_martians_safe_symlinks:var:1" datatype="string"/>
-        </ind:textfilecontent54_state>
-        <unix:symlink_state comment="State that matches symlinks referencing files not in the default dirs" id="oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_net_ipv4_conf_all_log_martians:ste:1" version="1">
-          <unix:canonical_path operation="pattern match">^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$</unix:canonical_path>
-        </unix:symlink_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_static_sysctld_sysctl_net_ipv4_conf_all_log_martians:ste:1" version="1">
-          <ind:subexpression operation="equals" var_ref="oval:ssg-sysctl_net_ipv4_conf_all_log_martians_value:var:1" datatype="int"/>
-        </ind:textfilecontent54_state>
-        <unix:sysctl_state id="oval:ssg-state_sysctl_net_ipv4_conf_all_route_localnet_runtime:ste:1" version="1">
-          <unix:value datatype="int" operation="equals">0</unix:value>
-        </unix:sysctl_state>
-        <ind:variable_state id="oval:ssg-state_sysctl_net_ipv4_conf_all_route_localnet_defined_in_one_file:ste:1" version="1">
-          <ind:value operation="equals" datatype="int">1</ind:value>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_sysctl_net_ipv4_conf_all_route_localnet_filepath_is_symlink:ste:1" version="1">
-          <ind:filepath operation="equals" var_check="at least one" var_ref="oval:ssg-local_var_sysctl_net_ipv4_conf_all_route_localnet_safe_symlinks:var:1" datatype="string"/>
-        </ind:textfilecontent54_state>
-        <unix:symlink_state comment="State that matches symlinks referencing files not in the default dirs" id="oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_net_ipv4_conf_all_route_localnet:ste:1" version="1">
-          <unix:canonical_path operation="pattern match">^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$</unix:canonical_path>
-        </unix:symlink_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_static_sysctld_sysctl_net_ipv4_conf_all_route_localnet:ste:1" version="1">
-          <ind:subexpression operation="equals" datatype="int">0</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <unix:sysctl_state id="oval:ssg-state_sysctl_net_ipv4_conf_all_rp_filter_runtime:ste:1" version="1">
-          <unix:value datatype="int" operation="equals" var_ref="oval:ssg-sysctl_net_ipv4_conf_all_rp_filter_value:var:1"/>
-        </unix:sysctl_state>
-        <ind:variable_state id="oval:ssg-state_sysctl_net_ipv4_conf_all_rp_filter_defined_in_one_file:ste:1" version="1">
-          <ind:value operation="equals" datatype="int">1</ind:value>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_sysctl_net_ipv4_conf_all_rp_filter_filepath_is_symlink:ste:1" version="1">
-          <ind:filepath operation="equals" var_check="at least one" var_ref="oval:ssg-local_var_sysctl_net_ipv4_conf_all_rp_filter_safe_symlinks:var:1" datatype="string"/>
-        </ind:textfilecontent54_state>
-        <unix:symlink_state comment="State that matches symlinks referencing files not in the default dirs" id="oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_net_ipv4_conf_all_rp_filter:ste:1" version="1">
-          <unix:canonical_path operation="pattern match">^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$</unix:canonical_path>
-        </unix:symlink_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_static_sysctld_sysctl_net_ipv4_conf_all_rp_filter:ste:1" version="1">
-          <ind:subexpression operation="equals" var_ref="oval:ssg-sysctl_net_ipv4_conf_all_rp_filter_value:var:1" datatype="int"/>
-        </ind:textfilecontent54_state>
-        <unix:sysctl_state id="oval:ssg-state_sysctl_net_ipv4_conf_all_secure_redirects_runtime:ste:1" version="1">
-          <unix:value datatype="int" operation="equals" var_ref="oval:ssg-sysctl_net_ipv4_conf_all_secure_redirects_value:var:1"/>
-        </unix:sysctl_state>
-        <ind:variable_state id="oval:ssg-state_sysctl_net_ipv4_conf_all_secure_redirects_defined_in_one_file:ste:1" version="1">
-          <ind:value operation="equals" datatype="int">1</ind:value>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_sysctl_net_ipv4_conf_all_secure_redirects_filepath_is_symlink:ste:1" version="1">
-          <ind:filepath operation="equals" var_check="at least one" var_ref="oval:ssg-local_var_sysctl_net_ipv4_conf_all_secure_redirects_safe_symlinks:var:1" datatype="string"/>
-        </ind:textfilecontent54_state>
-        <unix:symlink_state comment="State that matches symlinks referencing files not in the default dirs" id="oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_net_ipv4_conf_all_secure_redirects:ste:1" version="1">
-          <unix:canonical_path operation="pattern match">^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$</unix:canonical_path>
-        </unix:symlink_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_static_sysctld_sysctl_net_ipv4_conf_all_secure_redirects:ste:1" version="1">
-          <ind:subexpression operation="equals" var_ref="oval:ssg-sysctl_net_ipv4_conf_all_secure_redirects_value:var:1" datatype="int"/>
-        </ind:textfilecontent54_state>
-        <unix:sysctl_state id="oval:ssg-state_sysctl_net_ipv4_conf_all_send_redirects_runtime:ste:1" version="1">
-          <unix:value datatype="int" operation="equals">0</unix:value>
-        </unix:sysctl_state>
-        <ind:variable_state id="oval:ssg-state_sysctl_net_ipv4_conf_all_send_redirects_defined_in_one_file:ste:1" version="1">
-          <ind:value operation="equals" datatype="int">1</ind:value>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_sysctl_net_ipv4_conf_all_send_redirects_filepath_is_symlink:ste:1" version="1">
-          <ind:filepath operation="equals" var_check="at least one" var_ref="oval:ssg-local_var_sysctl_net_ipv4_conf_all_send_redirects_safe_symlinks:var:1" datatype="string"/>
-        </ind:textfilecontent54_state>
-        <unix:symlink_state comment="State that matches symlinks referencing files not in the default dirs" id="oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_net_ipv4_conf_all_send_redirects:ste:1" version="1">
-          <unix:canonical_path operation="pattern match">^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$</unix:canonical_path>
-        </unix:symlink_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_static_sysctld_sysctl_net_ipv4_conf_all_send_redirects:ste:1" version="1">
-          <ind:subexpression operation="equals" datatype="int">0</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <unix:sysctl_state id="oval:ssg-state_sysctl_net_ipv4_conf_all_shared_media_runtime:ste:1" version="1">
-          <unix:value datatype="int" operation="equals" var_ref="oval:ssg-sysctl_net_ipv4_conf_all_shared_media_value:var:1"/>
-        </unix:sysctl_state>
-        <ind:variable_state id="oval:ssg-state_sysctl_net_ipv4_conf_all_shared_media_defined_in_one_file:ste:1" version="1">
-          <ind:value operation="equals" datatype="int">1</ind:value>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_sysctl_net_ipv4_conf_all_shared_media_filepath_is_symlink:ste:1" version="1">
-          <ind:filepath operation="equals" var_check="at least one" var_ref="oval:ssg-local_var_sysctl_net_ipv4_conf_all_shared_media_safe_symlinks:var:1" datatype="string"/>
-        </ind:textfilecontent54_state>
-        <unix:symlink_state comment="State that matches symlinks referencing files not in the default dirs" id="oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_net_ipv4_conf_all_shared_media:ste:1" version="1">
-          <unix:canonical_path operation="pattern match">^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$</unix:canonical_path>
-        </unix:symlink_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_static_sysctld_sysctl_net_ipv4_conf_all_shared_media:ste:1" version="1">
-          <ind:subexpression operation="equals" var_ref="oval:ssg-sysctl_net_ipv4_conf_all_shared_media_value:var:1" datatype="int"/>
-        </ind:textfilecontent54_state>
-        <unix:sysctl_state id="oval:ssg-state_sysctl_net_ipv4_conf_default_accept_redirects_runtime:ste:1" version="1">
-          <unix:value datatype="int" operation="equals" var_ref="oval:ssg-sysctl_net_ipv4_conf_default_accept_redirects_value:var:1"/>
-        </unix:sysctl_state>
-        <ind:variable_state id="oval:ssg-state_sysctl_net_ipv4_conf_default_accept_redirects_defined_in_one_file:ste:1" version="1">
-          <ind:value operation="equals" datatype="int">1</ind:value>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_sysctl_net_ipv4_conf_default_accept_redirects_filepath_is_symlink:ste:1" version="1">
-          <ind:filepath operation="equals" var_check="at least one" var_ref="oval:ssg-local_var_sysctl_net_ipv4_conf_default_accept_redirects_safe_symlinks:var:1" datatype="string"/>
-        </ind:textfilecontent54_state>
-        <unix:symlink_state comment="State that matches symlinks referencing files not in the default dirs" id="oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_net_ipv4_conf_default_accept_redirects:ste:1" version="1">
-          <unix:canonical_path operation="pattern match">^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$</unix:canonical_path>
-        </unix:symlink_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_static_sysctld_sysctl_net_ipv4_conf_default_accept_redirects:ste:1" version="1">
-          <ind:subexpression operation="equals" var_ref="oval:ssg-sysctl_net_ipv4_conf_default_accept_redirects_value:var:1" datatype="int"/>
-        </ind:textfilecontent54_state>
-        <unix:sysctl_state id="oval:ssg-state_sysctl_net_ipv4_conf_default_accept_source_route_runtime:ste:1" version="1">
-          <unix:value datatype="int" operation="equals" var_ref="oval:ssg-sysctl_net_ipv4_conf_default_accept_source_route_value:var:1"/>
-        </unix:sysctl_state>
-        <ind:variable_state id="oval:ssg-state_sysctl_net_ipv4_conf_default_accept_source_route_defined_in_one_file:ste:1" version="1">
-          <ind:value operation="equals" datatype="int">1</ind:value>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_sysctl_net_ipv4_conf_default_accept_source_route_filepath_is_symlink:ste:1" version="1">
-          <ind:filepath operation="equals" var_check="at least one" var_ref="oval:ssg-local_var_sysctl_net_ipv4_conf_default_accept_source_route_safe_symlinks:var:1" datatype="string"/>
-        </ind:textfilecontent54_state>
-        <unix:symlink_state comment="State that matches symlinks referencing files not in the default dirs" id="oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_net_ipv4_conf_default_accept_source_route:ste:1" version="1">
-          <unix:canonical_path operation="pattern match">^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$</unix:canonical_path>
-        </unix:symlink_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_static_sysctld_sysctl_net_ipv4_conf_default_accept_source_route:ste:1" version="1">
-          <ind:subexpression operation="equals" var_ref="oval:ssg-sysctl_net_ipv4_conf_default_accept_source_route_value:var:1" datatype="int"/>
-        </ind:textfilecontent54_state>
-        <unix:sysctl_state id="oval:ssg-state_sysctl_net_ipv4_conf_default_log_martians_runtime:ste:1" version="1">
-          <unix:value datatype="int" operation="equals" var_ref="oval:ssg-sysctl_net_ipv4_conf_default_log_martians_value:var:1"/>
-        </unix:sysctl_state>
-        <ind:variable_state id="oval:ssg-state_sysctl_net_ipv4_conf_default_log_martians_defined_in_one_file:ste:1" version="1">
-          <ind:value operation="equals" datatype="int">1</ind:value>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_sysctl_net_ipv4_conf_default_log_martians_filepath_is_symlink:ste:1" version="1">
-          <ind:filepath operation="equals" var_check="at least one" var_ref="oval:ssg-local_var_sysctl_net_ipv4_conf_default_log_martians_safe_symlinks:var:1" datatype="string"/>
-        </ind:textfilecontent54_state>
-        <unix:symlink_state comment="State that matches symlinks referencing files not in the default dirs" id="oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_net_ipv4_conf_default_log_martians:ste:1" version="1">
-          <unix:canonical_path operation="pattern match">^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$</unix:canonical_path>
-        </unix:symlink_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_static_sysctld_sysctl_net_ipv4_conf_default_log_martians:ste:1" version="1">
-          <ind:subexpression operation="equals" var_ref="oval:ssg-sysctl_net_ipv4_conf_default_log_martians_value:var:1" datatype="int"/>
-        </ind:textfilecontent54_state>
-        <unix:sysctl_state id="oval:ssg-state_sysctl_net_ipv4_conf_default_rp_filter_runtime:ste:1" version="1">
-          <unix:value datatype="int" operation="equals" var_ref="oval:ssg-sysctl_net_ipv4_conf_default_rp_filter_value:var:1"/>
-        </unix:sysctl_state>
-        <ind:variable_state id="oval:ssg-state_sysctl_net_ipv4_conf_default_rp_filter_defined_in_one_file:ste:1" version="1">
-          <ind:value operation="equals" datatype="int">1</ind:value>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_sysctl_net_ipv4_conf_default_rp_filter_filepath_is_symlink:ste:1" version="1">
-          <ind:filepath operation="equals" var_check="at least one" var_ref="oval:ssg-local_var_sysctl_net_ipv4_conf_default_rp_filter_safe_symlinks:var:1" datatype="string"/>
-        </ind:textfilecontent54_state>
-        <unix:symlink_state comment="State that matches symlinks referencing files not in the default dirs" id="oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_net_ipv4_conf_default_rp_filter:ste:1" version="1">
-          <unix:canonical_path operation="pattern match">^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$</unix:canonical_path>
-        </unix:symlink_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_static_sysctld_sysctl_net_ipv4_conf_default_rp_filter:ste:1" version="1">
-          <ind:subexpression operation="equals" var_ref="oval:ssg-sysctl_net_ipv4_conf_default_rp_filter_value:var:1" datatype="int"/>
-        </ind:textfilecontent54_state>
-        <unix:sysctl_state id="oval:ssg-state_sysctl_net_ipv4_conf_default_secure_redirects_runtime:ste:1" version="1">
-          <unix:value datatype="int" operation="equals" var_ref="oval:ssg-sysctl_net_ipv4_conf_default_secure_redirects_value:var:1"/>
-        </unix:sysctl_state>
-        <ind:variable_state id="oval:ssg-state_sysctl_net_ipv4_conf_default_secure_redirects_defined_in_one_file:ste:1" version="1">
-          <ind:value operation="equals" datatype="int">1</ind:value>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_sysctl_net_ipv4_conf_default_secure_redirects_filepath_is_symlink:ste:1" version="1">
-          <ind:filepath operation="equals" var_check="at least one" var_ref="oval:ssg-local_var_sysctl_net_ipv4_conf_default_secure_redirects_safe_symlinks:var:1" datatype="string"/>
-        </ind:textfilecontent54_state>
-        <unix:symlink_state comment="State that matches symlinks referencing files not in the default dirs" id="oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_net_ipv4_conf_default_secure_redirects:ste:1" version="1">
-          <unix:canonical_path operation="pattern match">^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$</unix:canonical_path>
-        </unix:symlink_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_static_sysctld_sysctl_net_ipv4_conf_default_secure_redirects:ste:1" version="1">
-          <ind:subexpression operation="equals" var_ref="oval:ssg-sysctl_net_ipv4_conf_default_secure_redirects_value:var:1" datatype="int"/>
-        </ind:textfilecontent54_state>
-        <unix:sysctl_state id="oval:ssg-state_sysctl_net_ipv4_conf_default_send_redirects_runtime:ste:1" version="1">
-          <unix:value datatype="int" operation="equals">0</unix:value>
-        </unix:sysctl_state>
-        <ind:variable_state id="oval:ssg-state_sysctl_net_ipv4_conf_default_send_redirects_defined_in_one_file:ste:1" version="1">
-          <ind:value operation="equals" datatype="int">1</ind:value>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_sysctl_net_ipv4_conf_default_send_redirects_filepath_is_symlink:ste:1" version="1">
-          <ind:filepath operation="equals" var_check="at least one" var_ref="oval:ssg-local_var_sysctl_net_ipv4_conf_default_send_redirects_safe_symlinks:var:1" datatype="string"/>
-        </ind:textfilecontent54_state>
-        <unix:symlink_state comment="State that matches symlinks referencing files not in the default dirs" id="oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_net_ipv4_conf_default_send_redirects:ste:1" version="1">
-          <unix:canonical_path operation="pattern match">^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$</unix:canonical_path>
-        </unix:symlink_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_static_sysctld_sysctl_net_ipv4_conf_default_send_redirects:ste:1" version="1">
-          <ind:subexpression operation="equals" datatype="int">0</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <unix:sysctl_state id="oval:ssg-state_sysctl_net_ipv4_conf_default_shared_media_runtime:ste:1" version="1">
-          <unix:value datatype="int" operation="equals" var_ref="oval:ssg-sysctl_net_ipv4_conf_default_shared_media_value:var:1"/>
-        </unix:sysctl_state>
-        <ind:variable_state id="oval:ssg-state_sysctl_net_ipv4_conf_default_shared_media_defined_in_one_file:ste:1" version="1">
-          <ind:value operation="equals" datatype="int">1</ind:value>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_sysctl_net_ipv4_conf_default_shared_media_filepath_is_symlink:ste:1" version="1">
-          <ind:filepath operation="equals" var_check="at least one" var_ref="oval:ssg-local_var_sysctl_net_ipv4_conf_default_shared_media_safe_symlinks:var:1" datatype="string"/>
-        </ind:textfilecontent54_state>
-        <unix:symlink_state comment="State that matches symlinks referencing files not in the default dirs" id="oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_net_ipv4_conf_default_shared_media:ste:1" version="1">
-          <unix:canonical_path operation="pattern match">^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$</unix:canonical_path>
-        </unix:symlink_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_static_sysctld_sysctl_net_ipv4_conf_default_shared_media:ste:1" version="1">
-          <ind:subexpression operation="equals" var_ref="oval:ssg-sysctl_net_ipv4_conf_default_shared_media_value:var:1" datatype="int"/>
-        </ind:textfilecontent54_state>
-        <unix:sysctl_state id="oval:ssg-state_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_runtime:ste:1" version="1">
-          <unix:value datatype="int" operation="equals" var_ref="oval:ssg-sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:var:1"/>
-        </unix:sysctl_state>
-        <ind:variable_state id="oval:ssg-state_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_defined_in_one_file:ste:1" version="1">
-          <ind:value operation="equals" datatype="int">1</ind:value>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_filepath_is_symlink:ste:1" version="1">
-          <ind:filepath operation="equals" var_check="at least one" var_ref="oval:ssg-local_var_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_safe_symlinks:var:1" datatype="string"/>
-        </ind:textfilecontent54_state>
-        <unix:symlink_state comment="State that matches symlinks referencing files not in the default dirs" id="oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:ste:1" version="1">
-          <unix:canonical_path operation="pattern match">^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$</unix:canonical_path>
-        </unix:symlink_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_static_sysctld_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:ste:1" version="1">
-          <ind:subexpression operation="equals" var_ref="oval:ssg-sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:var:1" datatype="int"/>
-        </ind:textfilecontent54_state>
-        <unix:sysctl_state id="oval:ssg-state_sysctl_net_ipv4_icmp_ignore_bogus_error_responses_runtime:ste:1" version="1">
-          <unix:value datatype="int" operation="equals" var_ref="oval:ssg-sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:var:1"/>
-        </unix:sysctl_state>
-        <ind:variable_state id="oval:ssg-state_sysctl_net_ipv4_icmp_ignore_bogus_error_responses_defined_in_one_file:ste:1" version="1">
-          <ind:value operation="equals" datatype="int">1</ind:value>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_sysctl_net_ipv4_icmp_ignore_bogus_error_responses_filepath_is_symlink:ste:1" version="1">
-          <ind:filepath operation="equals" var_check="at least one" var_ref="oval:ssg-local_var_sysctl_net_ipv4_icmp_ignore_bogus_error_responses_safe_symlinks:var:1" datatype="string"/>
-        </ind:textfilecontent54_state>
-        <unix:symlink_state comment="State that matches symlinks referencing files not in the default dirs" id="oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:ste:1" version="1">
-          <unix:canonical_path operation="pattern match">^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$</unix:canonical_path>
-        </unix:symlink_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_static_sysctld_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:ste:1" version="1">
-          <ind:subexpression operation="equals" var_ref="oval:ssg-sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:var:1" datatype="int"/>
-        </ind:textfilecontent54_state>
-        <unix:sysctl_state id="oval:ssg-state_sysctl_net_ipv4_ip_forward_runtime:ste:1" version="1">
-          <unix:value datatype="int" operation="equals">0</unix:value>
-        </unix:sysctl_state>
-        <ind:variable_state id="oval:ssg-state_sysctl_net_ipv4_ip_forward_defined_in_one_file:ste:1" version="1">
-          <ind:value operation="equals" datatype="int">1</ind:value>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_sysctl_net_ipv4_ip_forward_filepath_is_symlink:ste:1" version="1">
-          <ind:filepath operation="equals" var_check="at least one" var_ref="oval:ssg-local_var_sysctl_net_ipv4_ip_forward_safe_symlinks:var:1" datatype="string"/>
-        </ind:textfilecontent54_state>
-        <unix:symlink_state comment="State that matches symlinks referencing files not in the default dirs" id="oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_net_ipv4_ip_forward:ste:1" version="1">
-          <unix:canonical_path operation="pattern match">^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$</unix:canonical_path>
-        </unix:symlink_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_static_sysctld_sysctl_net_ipv4_ip_forward:ste:1" version="1">
-          <ind:subexpression operation="equals" datatype="int">0</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <unix:sysctl_state id="oval:ssg-state_sysctl_net_ipv4_tcp_invalid_ratelimit_runtime:ste:1" version="1">
-          <unix:value datatype="int" operation="equals" var_ref="oval:ssg-sysctl_net_ipv4_tcp_invalid_ratelimit_value:var:1"/>
-        </unix:sysctl_state>
-        <ind:variable_state id="oval:ssg-state_sysctl_net_ipv4_tcp_invalid_ratelimit_defined_in_one_file:ste:1" version="1">
-          <ind:value operation="equals" datatype="int">1</ind:value>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_sysctl_net_ipv4_tcp_invalid_ratelimit_filepath_is_symlink:ste:1" version="1">
-          <ind:filepath operation="equals" var_check="at least one" var_ref="oval:ssg-local_var_sysctl_net_ipv4_tcp_invalid_ratelimit_safe_symlinks:var:1" datatype="string"/>
-        </ind:textfilecontent54_state>
-        <unix:symlink_state comment="State that matches symlinks referencing files not in the default dirs" id="oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_net_ipv4_tcp_invalid_ratelimit:ste:1" version="1">
-          <unix:canonical_path operation="pattern match">^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$</unix:canonical_path>
-        </unix:symlink_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_static_sysctld_sysctl_net_ipv4_tcp_invalid_ratelimit:ste:1" version="1">
-          <ind:subexpression operation="equals" var_ref="oval:ssg-sysctl_net_ipv4_tcp_invalid_ratelimit_value:var:1" datatype="int"/>
-        </ind:textfilecontent54_state>
-        <unix:sysctl_state id="oval:ssg-state_sysctl_net_ipv4_tcp_syncookies_runtime:ste:1" version="1">
-          <unix:value datatype="int" operation="equals" var_ref="oval:ssg-sysctl_net_ipv4_tcp_syncookies_value:var:1"/>
-        </unix:sysctl_state>
-        <ind:variable_state id="oval:ssg-state_sysctl_net_ipv4_tcp_syncookies_defined_in_one_file:ste:1" version="1">
-          <ind:value operation="equals" datatype="int">1</ind:value>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_sysctl_net_ipv4_tcp_syncookies_filepath_is_symlink:ste:1" version="1">
-          <ind:filepath operation="equals" var_check="at least one" var_ref="oval:ssg-local_var_sysctl_net_ipv4_tcp_syncookies_safe_symlinks:var:1" datatype="string"/>
-        </ind:textfilecontent54_state>
-        <unix:symlink_state comment="State that matches symlinks referencing files not in the default dirs" id="oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_net_ipv4_tcp_syncookies:ste:1" version="1">
-          <unix:canonical_path operation="pattern match">^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$</unix:canonical_path>
-        </unix:symlink_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_static_sysctld_sysctl_net_ipv4_tcp_syncookies:ste:1" version="1">
-          <ind:subexpression operation="equals" var_ref="oval:ssg-sysctl_net_ipv4_tcp_syncookies_value:var:1" datatype="int"/>
-        </ind:textfilecontent54_state>
-        <unix:sysctl_state id="oval:ssg-state_sysctl_net_ipv6_conf_all_accept_ra_runtime:ste:1" version="1">
-          <unix:value datatype="int" operation="equals" var_ref="oval:ssg-sysctl_net_ipv6_conf_all_accept_ra_value:var:1"/>
-        </unix:sysctl_state>
-        <ind:variable_state id="oval:ssg-state_sysctl_net_ipv6_conf_all_accept_ra_defined_in_one_file:ste:1" version="1">
-          <ind:value operation="equals" datatype="int">1</ind:value>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_sysctl_net_ipv6_conf_all_accept_ra_filepath_is_symlink:ste:1" version="1">
-          <ind:filepath operation="equals" var_check="at least one" var_ref="oval:ssg-local_var_sysctl_net_ipv6_conf_all_accept_ra_safe_symlinks:var:1" datatype="string"/>
-        </ind:textfilecontent54_state>
-        <unix:symlink_state comment="State that matches symlinks referencing files not in the default dirs" id="oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_net_ipv6_conf_all_accept_ra:ste:1" version="1">
-          <unix:canonical_path operation="pattern match">^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$</unix:canonical_path>
-        </unix:symlink_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_static_sysctld_sysctl_net_ipv6_conf_all_accept_ra:ste:1" version="1">
-          <ind:subexpression operation="equals" var_ref="oval:ssg-sysctl_net_ipv6_conf_all_accept_ra_value:var:1" datatype="int"/>
-        </ind:textfilecontent54_state>
-        <unix:sysctl_state id="oval:ssg-state_sysctl_net_ipv6_conf_all_accept_redirects_runtime:ste:1" version="1">
-          <unix:value datatype="int" operation="equals" var_ref="oval:ssg-sysctl_net_ipv6_conf_all_accept_redirects_value:var:1"/>
-        </unix:sysctl_state>
-        <ind:variable_state id="oval:ssg-state_sysctl_net_ipv6_conf_all_accept_redirects_defined_in_one_file:ste:1" version="1">
-          <ind:value operation="equals" datatype="int">1</ind:value>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_sysctl_net_ipv6_conf_all_accept_redirects_filepath_is_symlink:ste:1" version="1">
-          <ind:filepath operation="equals" var_check="at least one" var_ref="oval:ssg-local_var_sysctl_net_ipv6_conf_all_accept_redirects_safe_symlinks:var:1" datatype="string"/>
-        </ind:textfilecontent54_state>
-        <unix:symlink_state comment="State that matches symlinks referencing files not in the default dirs" id="oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_net_ipv6_conf_all_accept_redirects:ste:1" version="1">
-          <unix:canonical_path operation="pattern match">^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$</unix:canonical_path>
-        </unix:symlink_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_static_sysctld_sysctl_net_ipv6_conf_all_accept_redirects:ste:1" version="1">
-          <ind:subexpression operation="equals" var_ref="oval:ssg-sysctl_net_ipv6_conf_all_accept_redirects_value:var:1" datatype="int"/>
-        </ind:textfilecontent54_state>
-        <unix:sysctl_state id="oval:ssg-state_sysctl_net_ipv6_conf_all_accept_source_route_runtime:ste:1" version="1">
-          <unix:value datatype="int" operation="equals" var_ref="oval:ssg-sysctl_net_ipv6_conf_all_accept_source_route_value:var:1"/>
-        </unix:sysctl_state>
-        <ind:variable_state id="oval:ssg-state_sysctl_net_ipv6_conf_all_accept_source_route_defined_in_one_file:ste:1" version="1">
-          <ind:value operation="equals" datatype="int">1</ind:value>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_sysctl_net_ipv6_conf_all_accept_source_route_filepath_is_symlink:ste:1" version="1">
-          <ind:filepath operation="equals" var_check="at least one" var_ref="oval:ssg-local_var_sysctl_net_ipv6_conf_all_accept_source_route_safe_symlinks:var:1" datatype="string"/>
-        </ind:textfilecontent54_state>
-        <unix:symlink_state comment="State that matches symlinks referencing files not in the default dirs" id="oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_net_ipv6_conf_all_accept_source_route:ste:1" version="1">
-          <unix:canonical_path operation="pattern match">^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$</unix:canonical_path>
-        </unix:symlink_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_static_sysctld_sysctl_net_ipv6_conf_all_accept_source_route:ste:1" version="1">
-          <ind:subexpression operation="equals" var_ref="oval:ssg-sysctl_net_ipv6_conf_all_accept_source_route_value:var:1" datatype="int"/>
-        </ind:textfilecontent54_state>
-        <unix:sysctl_state id="oval:ssg-state_sysctl_net_ipv6_conf_all_disable_ipv6_runtime:ste:1" version="1">
-          <unix:value datatype="int" operation="equals">1</unix:value>
-        </unix:sysctl_state>
-        <ind:variable_state id="oval:ssg-state_sysctl_net_ipv6_conf_all_disable_ipv6_defined_in_one_file:ste:1" version="1">
-          <ind:value operation="equals" datatype="int">1</ind:value>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_sysctl_net_ipv6_conf_all_disable_ipv6_filepath_is_symlink:ste:1" version="1">
-          <ind:filepath operation="equals" var_check="at least one" var_ref="oval:ssg-local_var_sysctl_net_ipv6_conf_all_disable_ipv6_safe_symlinks:var:1" datatype="string"/>
-        </ind:textfilecontent54_state>
-        <unix:symlink_state comment="State that matches symlinks referencing files not in the default dirs" id="oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_net_ipv6_conf_all_disable_ipv6:ste:1" version="1">
-          <unix:canonical_path operation="pattern match">^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$</unix:canonical_path>
-        </unix:symlink_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_static_sysctld_sysctl_net_ipv6_conf_all_disable_ipv6:ste:1" version="1">
-          <ind:subexpression operation="equals" datatype="int">1</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <unix:sysctl_state id="oval:ssg-state_sysctl_net_ipv6_conf_default_accept_ra_runtime:ste:1" version="1">
-          <unix:value datatype="int" operation="equals" var_ref="oval:ssg-sysctl_net_ipv6_conf_default_accept_ra_value:var:1"/>
-        </unix:sysctl_state>
-        <ind:variable_state id="oval:ssg-state_sysctl_net_ipv6_conf_default_accept_ra_defined_in_one_file:ste:1" version="1">
-          <ind:value operation="equals" datatype="int">1</ind:value>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_sysctl_net_ipv6_conf_default_accept_ra_filepath_is_symlink:ste:1" version="1">
-          <ind:filepath operation="equals" var_check="at least one" var_ref="oval:ssg-local_var_sysctl_net_ipv6_conf_default_accept_ra_safe_symlinks:var:1" datatype="string"/>
-        </ind:textfilecontent54_state>
-        <unix:symlink_state comment="State that matches symlinks referencing files not in the default dirs" id="oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_net_ipv6_conf_default_accept_ra:ste:1" version="1">
-          <unix:canonical_path operation="pattern match">^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$</unix:canonical_path>
-        </unix:symlink_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_static_sysctld_sysctl_net_ipv6_conf_default_accept_ra:ste:1" version="1">
-          <ind:subexpression operation="equals" var_ref="oval:ssg-sysctl_net_ipv6_conf_default_accept_ra_value:var:1" datatype="int"/>
-        </ind:textfilecontent54_state>
-        <unix:sysctl_state id="oval:ssg-state_sysctl_net_ipv6_conf_default_accept_redirects_runtime:ste:1" version="1">
-          <unix:value datatype="int" operation="equals" var_ref="oval:ssg-sysctl_net_ipv6_conf_default_accept_redirects_value:var:1"/>
-        </unix:sysctl_state>
-        <ind:variable_state id="oval:ssg-state_sysctl_net_ipv6_conf_default_accept_redirects_defined_in_one_file:ste:1" version="1">
-          <ind:value operation="equals" datatype="int">1</ind:value>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_sysctl_net_ipv6_conf_default_accept_redirects_filepath_is_symlink:ste:1" version="1">
-          <ind:filepath operation="equals" var_check="at least one" var_ref="oval:ssg-local_var_sysctl_net_ipv6_conf_default_accept_redirects_safe_symlinks:var:1" datatype="string"/>
-        </ind:textfilecontent54_state>
-        <unix:symlink_state comment="State that matches symlinks referencing files not in the default dirs" id="oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_net_ipv6_conf_default_accept_redirects:ste:1" version="1">
-          <unix:canonical_path operation="pattern match">^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$</unix:canonical_path>
-        </unix:symlink_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_static_sysctld_sysctl_net_ipv6_conf_default_accept_redirects:ste:1" version="1">
-          <ind:subexpression operation="equals" var_ref="oval:ssg-sysctl_net_ipv6_conf_default_accept_redirects_value:var:1" datatype="int"/>
-        </ind:textfilecontent54_state>
-        <unix:sysctl_state id="oval:ssg-state_sysctl_net_ipv6_conf_default_accept_source_route_runtime:ste:1" version="1">
-          <unix:value datatype="int" operation="equals" var_ref="oval:ssg-sysctl_net_ipv6_conf_default_accept_source_route_value:var:1"/>
-        </unix:sysctl_state>
-        <ind:variable_state id="oval:ssg-state_sysctl_net_ipv6_conf_default_accept_source_route_defined_in_one_file:ste:1" version="1">
-          <ind:value operation="equals" datatype="int">1</ind:value>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_sysctl_net_ipv6_conf_default_accept_source_route_filepath_is_symlink:ste:1" version="1">
-          <ind:filepath operation="equals" var_check="at least one" var_ref="oval:ssg-local_var_sysctl_net_ipv6_conf_default_accept_source_route_safe_symlinks:var:1" datatype="string"/>
-        </ind:textfilecontent54_state>
-        <unix:symlink_state comment="State that matches symlinks referencing files not in the default dirs" id="oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_net_ipv6_conf_default_accept_source_route:ste:1" version="1">
-          <unix:canonical_path operation="pattern match">^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$</unix:canonical_path>
-        </unix:symlink_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_static_sysctld_sysctl_net_ipv6_conf_default_accept_source_route:ste:1" version="1">
-          <ind:subexpression operation="equals" var_ref="oval:ssg-sysctl_net_ipv6_conf_default_accept_source_route_value:var:1" datatype="int"/>
-        </ind:textfilecontent54_state>
-        <unix:sysctl_state id="oval:ssg-state_sysctl_net_ipv6_conf_default_disable_ipv6_runtime:ste:1" version="1">
-          <unix:value datatype="int" operation="equals">1</unix:value>
-        </unix:sysctl_state>
-        <ind:variable_state id="oval:ssg-state_sysctl_net_ipv6_conf_default_disable_ipv6_defined_in_one_file:ste:1" version="1">
-          <ind:value operation="equals" datatype="int">1</ind:value>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_sysctl_net_ipv6_conf_default_disable_ipv6_filepath_is_symlink:ste:1" version="1">
-          <ind:filepath operation="equals" var_check="at least one" var_ref="oval:ssg-local_var_sysctl_net_ipv6_conf_default_disable_ipv6_safe_symlinks:var:1" datatype="string"/>
-        </ind:textfilecontent54_state>
-        <unix:symlink_state comment="State that matches symlinks referencing files not in the default dirs" id="oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_net_ipv6_conf_default_disable_ipv6:ste:1" version="1">
-          <unix:canonical_path operation="pattern match">^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$</unix:canonical_path>
-        </unix:symlink_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_static_sysctld_sysctl_net_ipv6_conf_default_disable_ipv6:ste:1" version="1">
-          <ind:subexpression operation="equals" datatype="int">1</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <unix:sysctl_state id="oval:ssg-state_sysctl_user_max_user_namespaces_runtime:ste:1" version="1">
-          <unix:value datatype="int" operation="equals">0</unix:value>
-        </unix:sysctl_state>
-        <ind:variable_state id="oval:ssg-state_sysctl_user_max_user_namespaces_defined_in_one_file:ste:1" version="1">
-          <ind:value operation="equals" datatype="int">1</ind:value>
-        </ind:variable_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_sysctl_user_max_user_namespaces_filepath_is_symlink:ste:1" version="1">
-          <ind:filepath operation="equals" var_check="at least one" var_ref="oval:ssg-local_var_sysctl_user_max_user_namespaces_safe_symlinks:var:1" datatype="string"/>
-        </ind:textfilecontent54_state>
-        <unix:symlink_state comment="State that matches symlinks referencing files not in the default dirs" id="oval:ssg-state_symlink_points_outside_usual_dirs_sysctl_user_max_user_namespaces:ste:1" version="1">
-          <unix:canonical_path operation="pattern match">^(?!(\/etc\/sysctl\.conf$|(\/etc|\/run|\/usr\/lib)\/sysctl\.d\/)).*$</unix:canonical_path>
-        </unix:symlink_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_static_sysctld_sysctl_user_max_user_namespaces:ste:1" version="1">
-          <ind:subexpression operation="equals" datatype="int">0</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_zipl_audit_argument_audit_1_argument_in_boot_loader_entries_conf:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?audit=1(?:\s.*)?$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_zipl_audit_argument_audit_1_argument_in_etc_kernel_cmdline:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?audit=1(?:\s.*)?$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_zipl_audit_backlog_limit_argument_audit_backlog_limit_8192_argument_in_boot_loader_entries_conf:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?audit_backlog_limit=8192(?:\s.*)?$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_zipl_audit_backlog_limit_argument_audit_backlog_limit_8192_argument_in_etc_kernel_cmdline:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?audit_backlog_limit=8192(?:\s.*)?$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_zipl_page_poison_argument_page_poison_1_argument_in_boot_loader_entries_conf:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?page_poison=1(?:\s.*)?$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_zipl_page_poison_argument_page_poison_1_argument_in_etc_kernel_cmdline:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?page_poison=1(?:\s.*)?$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_zipl_slub_debug_argument_slub_debug_P_argument_in_boot_loader_entries_conf:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?slub_debug=P(?:\s.*)?$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_zipl_slub_debug_argument_slub_debug_P_argument_in_etc_kernel_cmdline:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?slub_debug=P(?:\s.*)?$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_zipl_vsyscall_argument_vsyscall_none_argument_in_boot_loader_entries_conf:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?vsyscall=none(?:\s.*)?$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_zipl_vsyscall_argument_vsyscall_none_argument_in_etc_kernel_cmdline:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^(?:.*\s)?vsyscall=none(?:\s.*)?$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_bootloader_disable_recovery_argument:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^(true|"true")$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <linux:rpminfo_state id="oval:ssg-state_alinux2:ste:1" version="1">
-          <linux:version operation="pattern match">^2.*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_alinux3:ste:1" version="1">
-          <linux:version operation="pattern match">^3.*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_centos7:ste:1" version="1">
-          <linux:version operation="pattern match">^7.*$</linux:version>
-        </linux:rpminfo_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_name_centos8:ste:1" version="1">
-          <ind:subexpression>centos</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_version_centos8:ste:1" version="1">
-          <ind:subexpression>8</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_name_centos9:ste:1" version="1">
-          <ind:subexpression>centos</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_version_centos9:ste:1" version="1">
-          <ind:subexpression>9</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <linux:rpminfo_state id="oval:ssg-state_ol7_system:ste:1" version="1">
-          <linux:version operation="pattern match">^7.*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_ol8_system:ste:1" version="1">
-          <linux:version operation="pattern match">^8.*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_ol9_system:ste:1" version="1">
-          <linux:version operation="pattern match">^9.*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_opensuse_installed:ste:1" version="1">
-          <linux:name operation="pattern match">openSUSE-release</linux:name>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_opensuse_leap15_installed:ste:1" version="1">
-          <linux:version operation="pattern match">^15.*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_opensuse_leap42_installed:ste:1" version="1">
-          <linux:version operation="pattern match">^42.*$</linux:version>
-        </linux:rpminfo_state>
-        <ind:family_state id="oval:ssg-state_unix_family:ste:1" version="1">
-          <ind:family>unix</ind:family>
-        </ind:family_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_rhcos:ste:1" version="1">
-          <ind:subexpression operation="pattern match">rhcos</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_rhcos4:ste:1" version="1">
-          <ind:subexpression operation="pattern match">4</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:family_state id="oval:ssg-state_rhel7_unix_family:ste:1" version="1">
-          <ind:family>unix</ind:family>
-        </ind:family_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhel7_client:ste:1" version="1">
-          <linux:version operation="pattern match">^7.*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhel7_workstation:ste:1" version="1">
-          <linux:version operation="pattern match">^7.*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhel7_server:ste:1" version="1">
-          <linux:version operation="pattern match">^7.*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhel7_computenode:ste:1" version="1">
-          <linux:version operation="pattern match">^7.*$</linux:version>
-        </linux:rpminfo_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_rhevh_rhel7_version:ste:1" version="1">
-          <ind:subexpression operation="pattern match">7</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:family_state id="oval:ssg-state_rhel8_unix_family:ste:1" version="1">
-          <ind:family>unix</ind:family>
-        </ind:family_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhel8:ste:1" version="1">
-          <linux:version operation="pattern match">^8.*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhel8_0:ste:1" version="1">
-          <linux:version operation="pattern match">^8.0*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhel8_1:ste:1" version="1">
-          <linux:version operation="pattern match">^8.1*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhel8_2:ste:1" version="1">
-          <linux:version operation="pattern match">^8.2*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhel8_3:ste:1" version="1">
-          <linux:version operation="pattern match">^8.3*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhel8_4:ste:1" version="1">
-          <linux:version operation="pattern match">^8.4*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhel8_5:ste:1" version="1">
-          <linux:version operation="pattern match">^8.5*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhel8_6:ste:1" version="1">
-          <linux:version operation="pattern match">^8.6*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhel8_7:ste:1" version="1">
-          <linux:version operation="pattern match">^8.7*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhel8_8:ste:1" version="1">
-          <linux:version operation="pattern match">^8.8*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhel8_9:ste:1" version="1">
-          <linux:version operation="pattern match">^8.9*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhel8_10:ste:1" version="1">
-          <linux:version operation="pattern match">^8.10*$</linux:version>
-        </linux:rpminfo_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_rhevh_rhel8_version:ste:1" version="1">
-          <ind:subexpression operation="pattern match">8</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:family_state id="oval:ssg-state_rhel9_unix_family:ste:1" version="1">
-          <ind:family>unix</ind:family>
-        </ind:family_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhel9:ste:1" version="1">
-          <linux:version operation="pattern match">^9.*$</linux:version>
-        </linux:rpminfo_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_rhevh_rhel9_version:ste:1" version="1">
-          <ind:subexpression operation="pattern match">9</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhvh4_version:ste:1" version="1">
-          <linux:evr datatype="evr_string" operation="greater than or equal">0:4.4</linux:evr>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_sl7:ste:1" version="1">
-          <linux:version operation="pattern match">^7.*$</linux:version>
-        </linux:rpminfo_state>
-        <ind:family_state id="oval:ssg-state_sle12_unix_family:ste:1" version="1">
-          <ind:family>unix</ind:family>
-        </ind:family_state>
-        <linux:rpminfo_state id="oval:ssg-state_sle12_desktop:ste:1" version="1">
-          <linux:version operation="pattern match">^12.*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_sle12_server:ste:1" version="1">
-          <linux:version operation="pattern match">^12.*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_sles_12_for_sap:ste:1" version="1">
-          <linux:version operation="pattern match">^12.*$</linux:version>
-        </linux:rpminfo_state>
-        <ind:family_state id="oval:ssg-state_sle15_unix_family:ste:1" version="1">
-          <ind:family>unix</ind:family>
-        </ind:family_state>
-        <linux:rpminfo_state id="oval:ssg-state_sle15_desktop:ste:1" version="1">
-          <linux:version operation="pattern match">^15.*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_sle15_server:ste:1" version="1">
-          <linux:version operation="pattern match">^15.*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_sles_15_for_sap:ste:1" version="1">
-          <linux:version operation="pattern match">^15.*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_uos20:ste:1" version="1">
-          <linux:version operation="pattern match">^20.*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhevm4_version:ste:1" version="1">
-          <linux:version operation="pattern match">^4.*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_krb5_server_version_1_17_18:ste:1" version="1">
-          <linux:evr datatype="evr_string" operation="less than">0:1.17-18</linux:evr>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_krb5_workstation_version_1_17_18:ste:1" version="1">
-          <linux:evr datatype="evr_string" operation="less than">0:1.17-18</linux:evr>
-        </linux:rpminfo_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_proc_sys_kernel_osrelease_arch_aarch64:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^aarch64$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_proc_sys_kernel_osrelease_arch_ppc64le:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^ppc64le$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_proc_sys_kernel_osrelease_arch_s390x:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^s390x$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:variable_state id="oval:ssg-state_sshd_not_required:ste:1" version="1">
-          <ind:value operation="equals" datatype="int">1</ind:value>
-        </ind:variable_state>
-        <ind:variable_state id="oval:ssg-state_sshd_required:ste:1" version="1">
-          <ind:value operation="equals" datatype="int">2</ind:value>
-        </ind:variable_state>
-        <ind:variable_state id="oval:ssg-state_sshd_requirement_unset:ste:1" version="1">
-          <ind:value operation="equals" datatype="int">0</ind:value>
-        </ind:variable_state>
-        <linux:rpminfo_state id="oval:ssg-state_openssh-server_version:ste:1" version="1">
-          <linux:evr datatype="evr_string" operation="greater than or equal">0:7.4</linux:evr>
-        </linux:rpminfo_state>
-        <unix:uname_state comment="64 bit architecture" id="oval:ssg-state_system_info_architecture_aarch_64:ste:1" version="1">
-          <unix:processor_type operation="equals">aarch64</unix:processor_type>
-        </unix:uname_state>
-        <unix:uname_state comment="64 bit architecture" id="oval:ssg-state_system_info_architecture_ppc_64:ste:1" version="1">
-          <unix:processor_type operation="equals">ppc64</unix:processor_type>
-        </unix:uname_state>
-        <unix:uname_state comment="64 bit architecture" id="oval:ssg-state_system_info_architecture_ppcle_64:ste:1" version="1">
-          <unix:processor_type operation="equals">ppc64le</unix:processor_type>
-        </unix:uname_state>
-        <unix:uname_state comment="64 bit architecture" id="oval:ssg-state_system_info_architecture_s390_64:ste:1" version="1">
-          <unix:processor_type operation="equals">s390x</unix:processor_type>
-        </unix:uname_state>
-        <unix:uname_state comment="32 bit architecture" id="oval:ssg-state_system_info_architecture_x86:ste:1" version="1">
-          <unix:processor_type operation="equals">i686</unix:processor_type>
-        </unix:uname_state>
-        <unix:uname_state comment="64 bit architecture" id="oval:ssg-state_system_info_architecture_x86_64:ste:1" version="1">
-          <unix:processor_type operation="equals">x86_64</unix:processor_type>
-        </unix:uname_state>
-        <unix:file_state id="oval:ssg-state_tmux_conf_readable_by_others:ste:1" version="1" operator="AND">
-          <unix:oread datatype="boolean">true</unix:oread>
-        </unix:file_state>
-        <ind:variable_state id="oval:ssg-state_var_removable_partition_is_cd_dvd_drive:ste:1" version="1">
-          <ind:value operation="equals">/dev/cdrom</ind:value>
-        </ind:variable_state>
-      </oval-def:states>
-      <oval-def:variables>
-        <oval-def:external_variable comment="expected email alias" datatype="string" id="oval:ssg-var_postfix_root_mail_alias:var:1" version="1"/>
-        <oval-def:external_variable comment="maxpoll value" datatype="int" id="oval:ssg-var_time_service_set_maxpoll:var:1" version="1"/>
-        <oval-def:local_variable id="oval:ssg-group_gid:var:1" datatype="int" version="1" comment="Count of all group names (including duplicates if any)">
-          <oval-def:object_component item_field="subexpression" object_ref="oval:ssg-obj_dedicated_group_gid:obj:1"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-ssh_client_line_regex:var:1" datatype="string" comment="The regex of the directive" version="1">
-          <oval-def:concat>
-            <oval-def:literal_component>^[\s]*RekeyLimit[\s]+</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_ssh_client_rekey_limit_size:var:1"/>
-            <oval-def:literal_component>[\s]+</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_ssh_client_rekey_limit_time:var:1"/>
-            <oval-def:literal_component>[\s]*$</oval-def:literal_component>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:external_variable comment="Size component of the rekey limit" datatype="string" id="oval:ssg-var_ssh_client_rekey_limit_size:var:1" version="1"/>
-        <oval-def:external_variable comment="Time component of the rekey limit" datatype="string" id="oval:ssg-var_ssh_client_rekey_limit_time:var:1" version="1"/>
-        <oval-def:external_variable comment="external variable for the desired value of Compression" datatype="string" id="oval:ssg-var_sshd_disable_compression:var:1" version="1"/>
-        <oval-def:local_variable id="oval:ssg-sshd_line_regex:var:1" datatype="string" comment="The regex of the directive" version="1">
-          <oval-def:concat>
-            <oval-def:literal_component>^[\s]*RekeyLimit[\s]+</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_rekey_limit_size:var:1"/>
-            <oval-def:literal_component>[\s]+</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_rekey_limit_time:var:1"/>
-            <oval-def:literal_component>[\s]*$</oval-def:literal_component>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:external_variable comment="Size component of the rekey limit" datatype="string" id="oval:ssg-var_rekey_limit_size:var:1" version="1"/>
-        <oval-def:external_variable comment="Time component of the rekey limit" datatype="string" id="oval:ssg-var_rekey_limit_time:var:1" version="1"/>
-        <oval-def:external_variable comment="timeout value" datatype="int" id="oval:ssg-sshd_idle_timeout_value:var:1" version="1"/>
-        <oval-def:external_variable comment="ClientAliveCountMax value" datatype="int" id="oval:ssg-var_sshd_set_keepalive:var:1" version="1"/>
-        <oval-def:external_variable comment="logingracetime value" datatype="int" id="oval:ssg-var_sshd_set_login_grace_time:var:1" version="1"/>
-        <oval-def:external_variable comment="maxauthtries value" datatype="int" id="oval:ssg-sshd_max_auth_tries_value:var:1" version="1"/>
-        <oval-def:external_variable comment="maxsessions value" datatype="int" id="oval:ssg-var_sshd_max_sessions:var:1" version="1"/>
-        <oval-def:external_variable comment="external variable for the desired value of UsePrivilegeSeparation" datatype="string" id="oval:ssg-var_sshd_priv_separation:var:1" version="1"/>
-        <oval-def:external_variable comment="warning banner text variable" datatype="string" id="oval:ssg-login_banner_text:var:1" version="1"/>
-        <oval-def:constant_variable id="oval:ssg-var_pam_faillock_audit_parameter_regex:var:1" version="1" datatype="string" comment="regex to identify audit parameter in pam files">
-          <oval-def:value>^[\s]*auth[\s]+(?:required|requisite)[\s]+pam_faillock.so[^\n#]preauth[^\n#]*audit</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:external_variable comment="inactive days expiration" datatype="int" id="oval:ssg-var_account_disable_post_pw_expiration:var:1" version="1"/>
-        <oval-def:local_variable id="oval:ssg-variable_count_of_all_usernames_from_etc_passwd:var:1" datatype="int" version="1" comment="Count of all username rows retrieved from /etc/passwd (including duplicates if any)">
-          <oval-def:count>
-            <oval-def:object_component item_field="subexpression" object_ref="oval:ssg-object_etc_passwd_content:obj:1"/>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-variable_count_of_unique_usernames_from_etc_passwd:var:1" datatype="int" version="1" comment="Count of unique username rows retrieved from /etc/passwd">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component item_field="subexpression" object_ref="oval:ssg-object_etc_passwd_content:obj:1"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-variable_last_pass_max_days_instance_value:var:1" datatype="int" comment="The value of last PASS_MAX_DAYS directive in /etc/login.defs" version="1">
-          <oval-def:regex_capture pattern="PASS_MAX_DAYS\s+(\d+)">
-            <oval-def:object_component item_field="subexpression" object_ref="oval:ssg-object_last_pass_max_days_from_etc_login_defs:obj:1"/>
-          </oval-def:regex_capture>
-        </oval-def:local_variable>
-        <oval-def:external_variable comment="Maximum password age" datatype="int" id="oval:ssg-var_accounts_maximum_age_login_defs:var:1" version="1"/>
-        <oval-def:local_variable id="oval:ssg-variable_last_pass_min_days_instance_value:var:1" datatype="int" comment="The value of last PASS_MIN_DAYS directive in /etc/login.defs" version="1">
-          <oval-def:regex_capture pattern="PASS_MIN_DAYS\s+(\d+)">
-            <oval-def:object_component item_field="subexpression" object_ref="oval:ssg-object_last_pass_min_days_from_etc_login_defs:obj:1"/>
-          </oval-def:regex_capture>
-        </oval-def:local_variable>
-        <oval-def:external_variable comment="Minimum password age in days" datatype="int" id="oval:ssg-var_accounts_minimum_age_login_defs:var:1" version="1"/>
-        <oval-def:local_variable id="oval:ssg-variable_last_pass_min_len_instance_value:var:1" datatype="int" comment="The value of last PASS_MIN_LEN directive in /etc/login.defs" version="1">
-          <oval-def:regex_capture pattern="PASS_MIN_LEN\s+(\d+)">
-            <oval-def:object_component item_field="subexpression" object_ref="oval:ssg-object_last_pass_min_len_from_etc_login_defs:obj:1"/>
-          </oval-def:regex_capture>
-        </oval-def:local_variable>
-        <oval-def:external_variable comment="Password minimum length" datatype="int" id="oval:ssg-var_accounts_password_minlen_login_defs:var:1" version="1"/>
-        <oval-def:local_variable id="oval:ssg-variable_last_pass_warn_age_instance_value:var:1" datatype="int" comment="The value of last PASS_WARN_AGE directive in /etc/login.defs" version="1">
-          <oval-def:regex_capture pattern="PASS_WARN_AGE\s+(\d+)">
-            <oval-def:object_component item_field="subexpression" object_ref="oval:ssg-object_last_pass_warn_age_from_etc_login_defs:obj:1"/>
-          </oval-def:regex_capture>
-        </oval-def:local_variable>
-        <oval-def:external_variable comment="password expiration warning age in days" datatype="int" id="oval:ssg-var_accounts_password_warn_age_login_defs:var:1" version="1"/>
-        <oval-def:local_variable id="oval:ssg-var_gid_passwd_group_same:var:1" comment="GIDs from /etc/group" datatype="string" version="1">
-          <oval-def:object_component item_field="subexpression" object_ref="oval:ssg-object_gid_passwd_group_same_var:obj:1"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-variable_uid_min_value:var:1" datatype="int" comment="Value of last UID_MIN from /etc/login.defs" version="1">
-          <oval-def:regex_capture pattern="UID_MIN[\s]+(\d+)">
-            <oval-def:object_component item_field="subexpression" object_ref="oval:ssg-object_last_uid_min_from_etc_login_defs:obj:1"/>
-          </oval-def:regex_capture>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-variable_sys_uid_min_value:var:1" datatype="int" comment="Value of last SYS_UID_MIN from /etc/login.defs" version="1">
-          <oval-def:regex_capture pattern="SYS_UID_MIN[\s]+(\d+)">
-            <oval-def:object_component item_field="subexpression" object_ref="oval:ssg-object_last_sys_uid_min_from_etc_login_defs:obj:1"/>
-          </oval-def:regex_capture>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-variable_sys_uid_max_value:var:1" datatype="int" comment="Value of last SYS_UID_MAX from /etc/login.defs" version="1">
-          <oval-def:regex_capture pattern="SYS_UID_MAX[\s]+(\d+)">
-            <oval-def:object_component item_field="subexpression" object_ref="oval:ssg-object_last_sys_uid_max_from_etc_login_defs:obj:1"/>
-          </oval-def:regex_capture>
-        </oval-def:local_variable>
-        <oval-def:external_variable id="oval:ssg-var_accounts_fail_delay:var:1" datatype="int" version="1" comment="Expected fail_delay"/>
-        <oval-def:external_variable comment="maximum number of concurrent logins per user" datatype="int" id="oval:ssg-var_accounts_max_concurrent_login_sessions:var:1" version="1"/>
-        <oval-def:external_variable comment="external variable for TMOUT" datatype="int" id="oval:ssg-var_accounts_tmout:var:1" version="1"/>
-        <oval-def:local_variable id="oval:ssg-var_file_permissions_home_dirs_dirs:var:1" datatype="string" version="1" comment="Variable including all home dirs from interactive users">
-          <oval-def:object_component item_field="home_dir" object_ref="oval:ssg-object_file_permissions_home_dirs_objects:obj:1"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Split the PATH on the : delimiter" datatype="string" id="oval:ssg-var_accounts_root_path_dirs_no_write:var:1" version="1">
-          <oval-def:split delimiter=":">
-            <oval-def:object_component item_field="value" object_ref="oval:ssg-object_accounts_root_path_dirs_no_write_pathenv:obj:1"/>
-          </oval-def:split>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_first_digit_of_umask_from_etc_bashrc:var:1" comment="First octal digit of umask from /etc/bashrc" datatype="int" version="1">
-          <oval-def:substring substring_start="1" substring_length="1">
-            <oval-def:object_component item_field="subexpression" object_ref="oval:ssg-obj_umask_from_etc_bashrc:obj:1"/>
-          </oval-def:substring>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_second_digit_of_umask_from_etc_bashrc:var:1" comment="Second octal digit of umask from /etc/bashrc" datatype="int" version="1">
-          <oval-def:substring substring_start="2" substring_length="1">
-            <oval-def:object_component item_field="subexpression" object_ref="oval:ssg-obj_umask_from_etc_bashrc:obj:1"/>
-          </oval-def:substring>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_third_digit_of_umask_from_etc_bashrc:var:1" comment="Third octal digit of umask from /etc/bashrc" datatype="int" version="1">
-          <oval-def:substring substring_start="3" substring_length="1">
-            <oval-def:object_component item_field="subexpression" object_ref="oval:ssg-obj_umask_from_etc_bashrc:obj:1"/>
-          </oval-def:substring>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_etc_bashrc_umask_as_number:var:1" comment="/etc/bashrc umask converted from string to a number" datatype="int" version="1">
-          <oval-def:arithmetic arithmetic_operation="add">
-            <oval-def:arithmetic arithmetic_operation="multiply">
-              <oval-def:literal_component datatype="int">64</oval-def:literal_component>
-              <oval-def:variable_component var_ref="oval:ssg-var_first_digit_of_umask_from_etc_bashrc:var:1"/>
-            </oval-def:arithmetic>
-            <oval-def:arithmetic arithmetic_operation="multiply">
-              <oval-def:literal_component datatype="int">8</oval-def:literal_component>
-              <oval-def:variable_component var_ref="oval:ssg-var_second_digit_of_umask_from_etc_bashrc:var:1"/>
-            </oval-def:arithmetic>
-            <oval-def:variable_component var_ref="oval:ssg-var_third_digit_of_umask_from_etc_bashrc:var:1"/>
-          </oval-def:arithmetic>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_first_digit_of_umask_from_etc_csh_cshrc:var:1" comment="First octal digit of umask from /etc/csh.cshrc" datatype="int" version="1">
-          <oval-def:substring substring_start="1" substring_length="1">
-            <oval-def:object_component item_field="subexpression" object_ref="oval:ssg-obj_umask_from_etc_csh_cshrc:obj:1"/>
-          </oval-def:substring>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_second_digit_of_umask_from_etc_csh_cshrc:var:1" comment="Second octal digit of umask from /etc/csh.cshrc" datatype="int" version="1">
-          <oval-def:substring substring_start="2" substring_length="1">
-            <oval-def:object_component item_field="subexpression" object_ref="oval:ssg-obj_umask_from_etc_csh_cshrc:obj:1"/>
-          </oval-def:substring>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_third_digit_of_umask_from_etc_csh_cshrc:var:1" comment="Third octal digit of umask from /etc/csh.cshrc" datatype="int" version="1">
-          <oval-def:substring substring_start="3" substring_length="1">
-            <oval-def:object_component item_field="subexpression" object_ref="oval:ssg-obj_umask_from_etc_csh_cshrc:obj:1"/>
-          </oval-def:substring>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_etc_csh_cshrc_umask_as_number:var:1" comment="/etc/csh.cshrc umask converted from string to a number" datatype="int" version="1">
-          <oval-def:arithmetic arithmetic_operation="add">
-            <oval-def:arithmetic arithmetic_operation="multiply">
-              <oval-def:literal_component datatype="int">64</oval-def:literal_component>
-              <oval-def:variable_component var_ref="oval:ssg-var_first_digit_of_umask_from_etc_csh_cshrc:var:1"/>
-            </oval-def:arithmetic>
-            <oval-def:arithmetic arithmetic_operation="multiply">
-              <oval-def:literal_component datatype="int">8</oval-def:literal_component>
-              <oval-def:variable_component var_ref="oval:ssg-var_second_digit_of_umask_from_etc_csh_cshrc:var:1"/>
-            </oval-def:arithmetic>
-            <oval-def:variable_component var_ref="oval:ssg-var_third_digit_of_umask_from_etc_csh_cshrc:var:1"/>
-          </oval-def:arithmetic>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_first_digit_of_umask_from_etc_login_defs:var:1" comment="First octal digit of umask from /etc/login.defs" datatype="int" version="1">
-          <oval-def:substring substring_start="1" substring_length="1">
-            <oval-def:object_component item_field="subexpression" object_ref="oval:ssg-obj_umask_from_etc_login_defs:obj:1"/>
-          </oval-def:substring>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_second_digit_of_umask_from_etc_login_defs:var:1" comment="Second octal digit of umask from /etc/login.defs" datatype="int" version="1">
-          <oval-def:substring substring_start="2" substring_length="1">
-            <oval-def:object_component item_field="subexpression" object_ref="oval:ssg-obj_umask_from_etc_login_defs:obj:1"/>
-          </oval-def:substring>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_third_digit_of_umask_from_etc_login_defs:var:1" comment="Third octal digit of umask from /etc/login.defs" datatype="int" version="1">
-          <oval-def:substring substring_start="3" substring_length="1">
-            <oval-def:object_component item_field="subexpression" object_ref="oval:ssg-obj_umask_from_etc_login_defs:obj:1"/>
-          </oval-def:substring>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_etc_login_defs_umask_as_number:var:1" comment="/etc/login.defs umask converted from string to a number" datatype="int" version="1">
-          <oval-def:arithmetic arithmetic_operation="add">
-            <oval-def:arithmetic arithmetic_operation="multiply">
-              <oval-def:literal_component datatype="int">64</oval-def:literal_component>
-              <oval-def:variable_component var_ref="oval:ssg-var_first_digit_of_umask_from_etc_login_defs:var:1"/>
-            </oval-def:arithmetic>
-            <oval-def:arithmetic arithmetic_operation="multiply">
-              <oval-def:literal_component datatype="int">8</oval-def:literal_component>
-              <oval-def:variable_component var_ref="oval:ssg-var_second_digit_of_umask_from_etc_login_defs:var:1"/>
-            </oval-def:arithmetic>
-            <oval-def:variable_component var_ref="oval:ssg-var_third_digit_of_umask_from_etc_login_defs:var:1"/>
-          </oval-def:arithmetic>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_first_digit_of_umask_from_etc_profile:var:1" comment="First octal digit of umask from /etc/profile" datatype="int" version="1">
-          <oval-def:substring substring_start="1" substring_length="1">
-            <oval-def:object_component item_field="subexpression" object_ref="oval:ssg-obj_umask_from_etc_profile:obj:1"/>
-          </oval-def:substring>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_second_digit_of_umask_from_etc_profile:var:1" comment="Second octal digit of umask from /etc/profile" datatype="int" version="1">
-          <oval-def:substring substring_start="2" substring_length="1">
-            <oval-def:object_component item_field="subexpression" object_ref="oval:ssg-obj_umask_from_etc_profile:obj:1"/>
-          </oval-def:substring>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_third_digit_of_umask_from_etc_profile:var:1" comment="Third octal digit of umask from /etc/profile" datatype="int" version="1">
-          <oval-def:substring substring_start="3" substring_length="1">
-            <oval-def:object_component item_field="subexpression" object_ref="oval:ssg-obj_umask_from_etc_profile:obj:1"/>
-          </oval-def:substring>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_etc_profile_umask_as_number:var:1" comment="/etc/profile umask converted from string to a number" datatype="int" version="1">
-          <oval-def:arithmetic arithmetic_operation="add">
-            <oval-def:arithmetic arithmetic_operation="multiply">
-              <oval-def:literal_component datatype="int">64</oval-def:literal_component>
-              <oval-def:variable_component var_ref="oval:ssg-var_first_digit_of_umask_from_etc_profile:var:1"/>
-            </oval-def:arithmetic>
-            <oval-def:arithmetic arithmetic_operation="multiply">
-              <oval-def:literal_component datatype="int">8</oval-def:literal_component>
-              <oval-def:variable_component var_ref="oval:ssg-var_second_digit_of_umask_from_etc_profile:var:1"/>
-            </oval-def:arithmetic>
-            <oval-def:variable_component var_ref="oval:ssg-var_third_digit_of_umask_from_etc_profile:var:1"/>
-          </oval-def:arithmetic>
-        </oval-def:local_variable>
-        <oval-def:constant_variable id="oval:ssg-var_audit_rule_access_var_log_audit_regex:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+dir=/var/log/audit/)[\s]+(?:-F[\s]+perm=r)[\s]+(?:-F\s+auid&gt;=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:local_variable id="oval:ssg-audit_log_dir:var:1" datatype="string" version="1" comment="path to audit log directory">
-          <oval-def:regex_capture pattern="^(.*)\/([^\/]+$)">
-            <oval-def:variable_component var_ref="oval:ssg-audit_log_file_path:var:1"/>
-          </oval-def:regex_capture>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-variable_all_privileged_commands:var:1" comment="All privileged commands" datatype="string" version="1">
-          <oval-def:object_component object_ref="oval:ssg-object_system_privileged_commands:obj:1" item_field="filepath"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-variable_count_of_suid_sgid_binaries_on_system:var:1" comment="count of suid / sgid binaries actually present on the system" datatype="int" version="1">
-          <oval-def:count>
-            <oval-def:object_component object_ref="oval:ssg-object_system_privileged_commands:obj:1" item_field="filepath"/>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-variable_count_of_privileged_commands_having_audit_definition_augenrules:var:1" comment="count of suid / sgid binaries having full audit rule definition in some of /etc/audit/rules.d/*.rules files" datatype="int" version="1">
-          <oval-def:count>
-            <oval-def:object_component object_ref="oval:ssg-object_arpc_suid_sgid_augenrules:obj:1" item_field="subexpression"/>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-variable_count_of_privileged_commands_having_audit_definition_auditctl:var:1" comment="count of suid / sgid binaries having full audit rule definition in /etc/audit/audit.rules file" datatype="int" version="1">
-          <oval-def:count>
-            <oval-def:object_component object_ref="oval:ssg-object_arpc_suid_sgid_auditctl:obj:1" item_field="subexpression"/>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:external_variable comment="audispd remote_server setting" datatype="string" id="oval:ssg-var_audispd_remote_server:var:1" version="1"/>
-        <oval-def:external_variable comment="audispd network failure action" datatype="string" id="oval:ssg-var_audispd_disk_full_action:var:1" version="1"/>
-        <oval-def:external_variable comment="audispd network failure action" datatype="string" id="oval:ssg-var_audispd_network_failure_action:var:1" version="1"/>
-        <oval-def:local_variable datatype="string" id="oval:ssg-var_auditd_disk_error_action_regex:var:1" version="1" comment="Build regex to be case insensitive">
-          <oval-def:concat>
-            <oval-def:literal_component>(?i)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_auditd_disk_error_action:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:external_variable comment="audit disk_error_action setting" datatype="string" id="oval:ssg-var_auditd_disk_error_action:var:1" version="1"/>
-        <oval-def:local_variable datatype="string" id="oval:ssg-var_auditd_disk_full_action_regex:var:1" version="1" comment="Build regex to be case insensitive">
-          <oval-def:concat>
-            <oval-def:literal_component>(?i)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_auditd_disk_full_action:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:external_variable comment="audit disk_full_action setting" datatype="string" id="oval:ssg-var_auditd_disk_full_action:var:1" version="1"/>
-        <oval-def:external_variable comment="audit action_mail_acct setting" datatype="string" id="oval:ssg-var_auditd_action_mail_acct:var:1" version="1"/>
-        <oval-def:external_variable comment="audit admin_space_left_action setting" datatype="string" id="oval:ssg-var_auditd_admin_space_left_action:var:1" version="1"/>
-        <oval-def:external_variable comment="audit flush setting" datatype="string" id="oval:ssg-var_auditd_flush:var:1" version="1"/>
-        <oval-def:external_variable comment="audit max_log_file setting" datatype="int" id="oval:ssg-var_auditd_max_log_file:var:1" version="1"/>
-        <oval-def:external_variable comment="audit max_log_file_action setting" datatype="string" id="oval:ssg-var_auditd_max_log_file_action:var:1" version="1"/>
-        <oval-def:external_variable comment="audit num_logs setting" datatype="int" id="oval:ssg-var_auditd_num_logs:var:1" version="1"/>
-        <oval-def:external_variable comment="audit space_left setting" datatype="int" id="oval:ssg-var_auditd_space_left:var:1" version="1"/>
-        <oval-def:external_variable comment="audit space_left_action setting" datatype="string" id="oval:ssg-var_auditd_space_left_action:var:1" version="2"/>
-        <oval-def:local_variable datatype="string" comment="Contents of reference file in /usr/share/doc/10-base-config.rules" id="oval:ssg-var_doc_10-base-config:var:1" version="1">
-          <oval-def:object_component item_field="text" object_ref="oval:ssg-object_doc_10-base-config:obj:1"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable datatype="string" comment="Contents of reference file in /usr/share/doc/11-loginuid.rules" id="oval:ssg-var_doc_11-loginuid:var:1" version="1">
-          <oval-def:object_component item_field="text" object_ref="oval:ssg-object_doc_11-loginuid:obj:1"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable datatype="string" comment="Contents of reference file in /usr/share/doc/30-ospp-v42.rules" id="oval:ssg-var_doc_30-ospp-v42:var:1" version="1">
-          <oval-def:object_component item_field="text" object_ref="oval:ssg-object_doc_30-ospp-v42:obj:1"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable datatype="string" comment="Contents of reference file in /usr/share/doc/43-module-load.rules" id="oval:ssg-var_doc_43-module-load:var:1" version="1">
-          <oval-def:object_component item_field="text" object_ref="oval:ssg-object_doc_43-module-load:obj:1"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_uefi_user_accounts:var:1" datatype="string" version="1" comment="Variable           including all system usernames">
-          <oval-def:object_component item_field="username" object_ref="oval:ssg-object_uefi_user_accounts:obj:1"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-variable_zipl_conf_file_age:var:1" version="1" comment="Age of /etc/zipl.conf" datatype="int">
-          <oval-def:object_component object_ref="oval:ssg-zipl_conf_file:obj:1" item_field="m_time"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-variable_boot_entry_files_age:var:1" version="1" comment="Age of /boot/loader/entries/*.conf files" datatype="int">
-          <oval-def:object_component object_ref="oval:ssg-boot_entry_files:obj:1" item_field="m_time"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_rfg_include_config_regex:var:1" datatype="string" version="1" comment="$IncludeConfig value converted to regex">
-          <oval-def:unique>
-            <oval-def:glob_to_regex>
-              <oval-def:object_component item_field="subexpression" object_ref="oval:ssg-object_rfg_rsyslog_include_config_value:obj:1"/>
-            </oval-def:glob_to_regex>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_rfg_syslog_config:var:1" datatype="string" version="1" comment="Locations of all rsyslog configuration files as collection">
-          <oval-def:literal_component datatype="string">^/etc/rsyslog.conf$</oval-def:literal_component>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_rfg_all_log_files:var:1" datatype="string" version="1" comment="Locations of all rsyslog configuration files as collection">
-          <oval-def:object_component object_ref="oval:ssg-object_var_rfg_all_log_files:obj:1" item_field="value"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_rfg_log_files_paths:var:1" datatype="string" version="1" comment="File paths of all rsyslog configuration files">
-          <oval-def:object_component item_field="subexpression" object_ref="oval:ssg-object_rfg_log_files_paths:obj:1"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_rfo_include_config_regex:var:1" datatype="string" version="1" comment="$IncludeConfig value converted to regex">
-          <oval-def:unique>
-            <oval-def:glob_to_regex>
-              <oval-def:object_component item_field="subexpression" object_ref="oval:ssg-object_rfo_rsyslog_include_config_value:obj:1"/>
-            </oval-def:glob_to_regex>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_rfo_syslog_config:var:1" datatype="string" version="1" comment="Locations of all rsyslog configuration files as collection">
-          <oval-def:literal_component datatype="string">^/etc/rsyslog.conf$</oval-def:literal_component>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_rfo_all_log_files:var:1" datatype="string" version="1" comment="Locations of all rsyslog configuration files as collection">
-          <oval-def:object_component object_ref="oval:ssg-object_var_rfo_all_log_files:obj:1" item_field="value"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_rfo_log_files_paths:var:1" datatype="string" version="1" comment="File paths of all rsyslog configuration files">
-          <oval-def:object_component item_field="subexpression" object_ref="oval:ssg-object_rfo_log_files_paths:obj:1"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_rfp_include_config_regex:var:1" datatype="string" version="1" comment="$IncludeConfig value converted to regex">
-          <oval-def:unique>
-            <oval-def:glob_to_regex>
-              <oval-def:object_component item_field="subexpression" object_ref="oval:ssg-object_rfp_rsyslog_include_config_value:obj:1"/>
-            </oval-def:glob_to_regex>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_rfp_syslog_config:var:1" datatype="string" version="1" comment="Locations of all rsyslog configuration files as collection">
-          <oval-def:literal_component datatype="string">^/etc/rsyslog.conf$</oval-def:literal_component>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_rfp_all_log_files:var:1" datatype="string" version="1" comment="Locations of all rsyslog configuration files as collection">
-          <oval-def:object_component object_ref="oval:ssg-object_var_rfp_all_log_files:obj:1" item_field="value"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_rfp_log_files_paths:var:1" datatype="string" version="1" comment="File paths of all rsyslog configuration files">
-          <oval-def:object_component item_field="subexpression" object_ref="oval:ssg-object_rfp_log_files_paths:obj:1"/>
-        </oval-def:local_variable>
-        <oval-def:external_variable comment="used for remediation only" datatype="string" id="oval:ssg-rsyslog_remote_loghost_address:var:1" version="1"/>
-        <oval-def:external_variable comment="External variable: name of selinux policy in /etc/selinux/config" datatype="string" id="oval:ssg-var_selinux_policy_name:var:1" version="1"/>
-        <oval-def:external_variable comment="external variable for selinux state" datatype="string" id="oval:ssg-var_selinux_state:var:1" version="1"/>
-        <oval-def:local_variable id="oval:ssg-variable_crypto_policies_current_file_timestamp:var:1" version="1" comment="Age of /etc/crypto-policies/state/current" datatype="int">
-          <oval-def:object_component object_ref="oval:ssg-crypto_policies_current_file:obj:1" item_field="m_time"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-variable_crypto_policies_config_file_timestamp:var:1" version="1" comment="Age of /etc/crypto-policies/config" datatype="int">
-          <oval-def:object_component object_ref="oval:ssg-crypto_policies_config_file:obj:1" item_field="m_time"/>
-        </oval-def:local_variable>
-        <oval-def:external_variable comment="defined crypto policy" datatype="string" id="oval:ssg-var_system_crypto_policy:var:1" version="1"/>
-        <oval-def:local_variable id="oval:ssg-var_symlink_kerberos_crypto_policy_configuration:var:1" datatype="string" comment="regex variable for canonical path to targeted kerberos policy" version="1">
-          <oval-def:object_component item_field="canonical_path" object_ref="oval:ssg-object_kerberos_crypto_policy_configuration:obj:1"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_symlink_kerberos_crypto_policy_backend:var:1" datatype="string" comment="regex variable for canonical path to targeted kerberos policy" version="1">
-          <oval-def:object_component item_field="canonical_path" object_ref="oval:ssg-object_kerberos_crypto_policy_backend:obj:1"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-variable_aide_build_new_database_absolute_path:var:1" datatype="string" comment="Absolute path of Aide build database file" version="1">
-          <oval-def:concat>
-            <oval-def:object_component object_ref="oval:ssg-object_aide_build_database_dirpath:obj:1" item_field="subexpression"/>
-            <oval-def:literal_component>/</oval-def:literal_component>
-            <oval-def:object_component object_ref="oval:ssg-object_aide_build_new_database_filename:obj:1" item_field="subexpression"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-variable_aide_operational_database_absolute_path:var:1" datatype="string" comment="Absolute path of Aide build database file" version="1">
-          <oval-def:concat>
-            <oval-def:object_component object_ref="oval:ssg-object_aide_build_database_dirpath:obj:1" item_field="subexpression"/>
-            <oval-def:literal_component>/</oval-def:literal_component>
-            <oval-def:object_component object_ref="oval:ssg-object_aide_operational_database_filename:obj:1" item_field="subexpression"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:constant_variable id="oval:ssg-var_audit_rule_32bit_open_write_tc_group_regex:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&amp;03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid&gt;=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_audit_rule_64bit_open_write_tc_group_regex:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&amp;03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid&gt;=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_audit_rule_32bit_open_by_handle_at_write_tc_group_regex:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&amp;03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid&gt;=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_audit_rule_64bit_open_by_handle_at_write_tc_group_regex:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&amp;03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid&gt;=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_audit_rule_32bit_openat_write_tc_group_regex:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&amp;03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid&gt;=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_audit_rule_64bit_openat_write_tc_group_regex:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&amp;03)[\s]+(?:-F[\s]+path=/etc/group)[\s]+(?:-F\s+auid&gt;=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_audit_rule_32bit_open_write_tc_gshadow_regex:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&amp;03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid&gt;=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_audit_rule_64bit_open_write_tc_gshadow_regex:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&amp;03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid&gt;=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_audit_rule_32bit_open_by_handle_at_write_tc_gshadow_regex:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&amp;03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid&gt;=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_audit_rule_64bit_open_by_handle_at_write_tc_gshadow_regex:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&amp;03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid&gt;=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_audit_rule_32bit_openat_write_tc_gshadow_regex:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&amp;03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid&gt;=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_audit_rule_64bit_openat_write_tc_gshadow_regex:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&amp;03)[\s]+(?:-F[\s]+path=/etc/gshadow)[\s]+(?:-F\s+auid&gt;=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_audit_rule_32bit_open_write_tc_passwd_regex:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&amp;03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid&gt;=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_audit_rule_64bit_open_write_tc_passwd_regex:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&amp;03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid&gt;=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_audit_rule_32bit_open_by_handle_at_write_tc_passwd_regex:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&amp;03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid&gt;=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_audit_rule_64bit_open_by_handle_at_write_tc_passwd_regex:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&amp;03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid&gt;=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_audit_rule_32bit_openat_write_tc_passwd_regex:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&amp;03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid&gt;=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_audit_rule_64bit_openat_write_tc_passwd_regex:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&amp;03)[\s]+(?:-F[\s]+path=/etc/passwd)[\s]+(?:-F\s+auid&gt;=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_audit_rule_32bit_open_write_tc_shadow_regex:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&amp;03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid&gt;=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_audit_rule_64bit_open_write_tc_shadow_regex:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+(?:-F[\s]+a1&amp;03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid&gt;=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_audit_rule_32bit_open_by_handle_at_write_tc_shadow_regex:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&amp;03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid&gt;=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_audit_rule_64bit_open_by_handle_at_write_tc_shadow_regex:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&amp;03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid&gt;=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_audit_rule_32bit_openat_write_tc_shadow_regex:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&amp;03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid&gt;=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_audit_rule_64bit_openat_write_tc_shadow_regex:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+(?:-F[\s]+a2&amp;03)[\s]+(?:-F[\s]+path=/etc/shadow)[\s]+(?:-F\s+auid&gt;=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_32bit_arufm_chmod_head:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:(?!-F[\s]+a\d&amp;).)*</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_64bit_arufm_chmod_head:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chmod[\s]+|([\s]+|[,])chmod([\s]+|[,])))(?:(?!-F[\s]+a\d&amp;).)*</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_arufm_chmod_tail:var:1" version="1" datatype="string" comment="audit rule auid and key">
-          <oval-def:value>[\s]+(?:-F\s+auid&gt;=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:local_variable id="oval:ssg-var_32bit_arufm_eacces_chmod_regex:var:1" version="1" datatype="string" comment="Expression to match 32bit chmod EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_32bit_arufm_chmod_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_chmod_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_32bit_arufm_eperm_chmod_regex:var:1" version="1" datatype="string" comment="Expression to match 32bit chmod EPERM EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_32bit_arufm_chmod_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_chmod_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_64bit_arufm_eacces_chmod_regex:var:1" version="1" datatype="string" comment="Expression to match 64bit chmod EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_64bit_arufm_chmod_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_chmod_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_64bit_arufm_eperm_chmod_regex:var:1" version="1" datatype="string" comment="Expression to match 64bit chmod EPERM syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_64bit_arufm_chmod_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_chmod_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:constant_variable id="oval:ssg-var_32bit_arufm_chown_head:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:(?!-F[\s]+a\d&amp;).)*</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_64bit_arufm_chown_head:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+chown[\s]+|([\s]+|[,])chown([\s]+|[,])))(?:(?!-F[\s]+a\d&amp;).)*</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_arufm_chown_tail:var:1" version="1" datatype="string" comment="audit rule auid and key">
-          <oval-def:value>[\s]+(?:-F\s+auid&gt;=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:local_variable id="oval:ssg-var_32bit_arufm_eacces_chown_regex:var:1" version="1" datatype="string" comment="Expression to match 32bit chown EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_32bit_arufm_chown_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_chown_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_32bit_arufm_eperm_chown_regex:var:1" version="1" datatype="string" comment="Expression to match 32bit chown EPERM EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_32bit_arufm_chown_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_chown_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_64bit_arufm_eacces_chown_regex:var:1" version="1" datatype="string" comment="Expression to match 64bit chown EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_64bit_arufm_chown_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_chown_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_64bit_arufm_eperm_chown_regex:var:1" version="1" datatype="string" comment="Expression to match 64bit chown EPERM syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_64bit_arufm_chown_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_chown_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:constant_variable id="oval:ssg-var_32bit_arufm_creat_head:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&amp;).)*</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_64bit_arufm_creat_head:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+creat[\s]+|([\s]+|[,])creat([\s]+|[,])))(?:(?!-F[\s]+a\d&amp;).)*</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_arufm_creat_tail:var:1" version="1" datatype="string" comment="audit rule auid and key">
-          <oval-def:value>[\s]+(?:-F\s+auid&gt;=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:local_variable id="oval:ssg-var_32bit_arufm_eacces_creat_regex:var:1" version="1" datatype="string" comment="Expression to match 32bit creat EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_32bit_arufm_creat_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_creat_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_32bit_arufm_eperm_creat_regex:var:1" version="1" datatype="string" comment="Expression to match 32bit creat EPERM EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_32bit_arufm_creat_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_creat_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_64bit_arufm_eacces_creat_regex:var:1" version="1" datatype="string" comment="Expression to match 64bit creat EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_64bit_arufm_creat_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_creat_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_64bit_arufm_eperm_creat_regex:var:1" version="1" datatype="string" comment="Expression to match 64bit creat EPERM syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_64bit_arufm_creat_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_creat_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:constant_variable id="oval:ssg-var_32bit_arufm_fchmod_head:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:(?!-F[\s]+a\d&amp;).)*</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_64bit_arufm_fchmod_head:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmod[\s]+|([\s]+|[,])fchmod([\s]+|[,])))(?:(?!-F[\s]+a\d&amp;).)*</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_arufm_fchmod_tail:var:1" version="1" datatype="string" comment="audit rule auid and key">
-          <oval-def:value>[\s]+(?:-F\s+auid&gt;=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:local_variable id="oval:ssg-var_32bit_arufm_eacces_fchmod_regex:var:1" version="1" datatype="string" comment="Expression to match 32bit fchmod EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_32bit_arufm_fchmod_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_fchmod_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_32bit_arufm_eperm_fchmod_regex:var:1" version="1" datatype="string" comment="Expression to match 32bit fchmod EPERM EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_32bit_arufm_fchmod_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_fchmod_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_64bit_arufm_eacces_fchmod_regex:var:1" version="1" datatype="string" comment="Expression to match 64bit fchmod EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_64bit_arufm_fchmod_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_fchmod_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_64bit_arufm_eperm_fchmod_regex:var:1" version="1" datatype="string" comment="Expression to match 64bit fchmod EPERM syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_64bit_arufm_fchmod_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_fchmod_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:constant_variable id="oval:ssg-var_32bit_arufm_fchmodat_head:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:(?!-F[\s]+a\d&amp;).)*</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_64bit_arufm_fchmodat_head:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchmodat[\s]+|([\s]+|[,])fchmodat([\s]+|[,])))(?:(?!-F[\s]+a\d&amp;).)*</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_arufm_fchmodat_tail:var:1" version="1" datatype="string" comment="audit rule auid and key">
-          <oval-def:value>[\s]+(?:-F\s+auid&gt;=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:local_variable id="oval:ssg-var_32bit_arufm_eacces_fchmodat_regex:var:1" version="1" datatype="string" comment="Expression to match 32bit fchmodat EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_32bit_arufm_fchmodat_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_fchmodat_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_32bit_arufm_eperm_fchmodat_regex:var:1" version="1" datatype="string" comment="Expression to match 32bit fchmodat EPERM EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_32bit_arufm_fchmodat_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_fchmodat_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_64bit_arufm_eacces_fchmodat_regex:var:1" version="1" datatype="string" comment="Expression to match 64bit fchmodat EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_64bit_arufm_fchmodat_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_fchmodat_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_64bit_arufm_eperm_fchmodat_regex:var:1" version="1" datatype="string" comment="Expression to match 64bit fchmodat EPERM syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_64bit_arufm_fchmodat_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_fchmodat_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:constant_variable id="oval:ssg-var_32bit_arufm_fchown_head:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:(?!-F[\s]+a\d&amp;).)*</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_64bit_arufm_fchown_head:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchown[\s]+|([\s]+|[,])fchown([\s]+|[,])))(?:(?!-F[\s]+a\d&amp;).)*</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_arufm_fchown_tail:var:1" version="1" datatype="string" comment="audit rule auid and key">
-          <oval-def:value>[\s]+(?:-F\s+auid&gt;=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:local_variable id="oval:ssg-var_32bit_arufm_eacces_fchown_regex:var:1" version="1" datatype="string" comment="Expression to match 32bit fchown EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_32bit_arufm_fchown_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_fchown_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_32bit_arufm_eperm_fchown_regex:var:1" version="1" datatype="string" comment="Expression to match 32bit fchown EPERM EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_32bit_arufm_fchown_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_fchown_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_64bit_arufm_eacces_fchown_regex:var:1" version="1" datatype="string" comment="Expression to match 64bit fchown EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_64bit_arufm_fchown_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_fchown_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_64bit_arufm_eperm_fchown_regex:var:1" version="1" datatype="string" comment="Expression to match 64bit fchown EPERM syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_64bit_arufm_fchown_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_fchown_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:constant_variable id="oval:ssg-var_32bit_arufm_fchownat_head:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&amp;).)*</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_64bit_arufm_fchownat_head:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fchownat[\s]+|([\s]+|[,])fchownat([\s]+|[,])))(?:(?!-F[\s]+a\d&amp;).)*</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_arufm_fchownat_tail:var:1" version="1" datatype="string" comment="audit rule auid and key">
-          <oval-def:value>[\s]+(?:-F\s+auid&gt;=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:local_variable id="oval:ssg-var_32bit_arufm_eacces_fchownat_regex:var:1" version="1" datatype="string" comment="Expression to match 32bit fchownat EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_32bit_arufm_fchownat_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_fchownat_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_32bit_arufm_eperm_fchownat_regex:var:1" version="1" datatype="string" comment="Expression to match 32bit fchownat EPERM EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_32bit_arufm_fchownat_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_fchownat_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_64bit_arufm_eacces_fchownat_regex:var:1" version="1" datatype="string" comment="Expression to match 64bit fchownat EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_64bit_arufm_fchownat_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_fchownat_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_64bit_arufm_eperm_fchownat_regex:var:1" version="1" datatype="string" comment="Expression to match 64bit fchownat EPERM syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_64bit_arufm_fchownat_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_fchownat_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:constant_variable id="oval:ssg-var_32bit_arufm_fremovexattr_head:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&amp;).)*</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_64bit_arufm_fremovexattr_head:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fremovexattr[\s]+|([\s]+|[,])fremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&amp;).)*</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_arufm_fremovexattr_tail:var:1" version="1" datatype="string" comment="audit rule auid and key">
-          <oval-def:value>[\s]+(?:-F\s+auid&gt;=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:local_variable id="oval:ssg-var_32bit_arufm_eacces_fremovexattr_regex:var:1" version="1" datatype="string" comment="Expression to match 32bit fremovexattr EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_32bit_arufm_fremovexattr_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_fremovexattr_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_32bit_arufm_eperm_fremovexattr_regex:var:1" version="1" datatype="string" comment="Expression to match 32bit fremovexattr EPERM EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_32bit_arufm_fremovexattr_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_fremovexattr_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_64bit_arufm_eacces_fremovexattr_regex:var:1" version="1" datatype="string" comment="Expression to match 64bit fremovexattr EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_64bit_arufm_fremovexattr_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_fremovexattr_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_64bit_arufm_eperm_fremovexattr_regex:var:1" version="1" datatype="string" comment="Expression to match 64bit fremovexattr EPERM syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_64bit_arufm_fremovexattr_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_fremovexattr_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:constant_variable id="oval:ssg-var_32bit_arufm_fsetxattr_head:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&amp;).)*</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_64bit_arufm_fsetxattr_head:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+fsetxattr[\s]+|([\s]+|[,])fsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&amp;).)*</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_arufm_fsetxattr_tail:var:1" version="1" datatype="string" comment="audit rule auid and key">
-          <oval-def:value>[\s]+(?:-F\s+auid&gt;=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:local_variable id="oval:ssg-var_32bit_arufm_eacces_fsetxattr_regex:var:1" version="1" datatype="string" comment="Expression to match 32bit fsetxattr EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_32bit_arufm_fsetxattr_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_fsetxattr_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_32bit_arufm_eperm_fsetxattr_regex:var:1" version="1" datatype="string" comment="Expression to match 32bit fsetxattr EPERM EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_32bit_arufm_fsetxattr_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_fsetxattr_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_64bit_arufm_eacces_fsetxattr_regex:var:1" version="1" datatype="string" comment="Expression to match 64bit fsetxattr EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_64bit_arufm_fsetxattr_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_fsetxattr_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_64bit_arufm_eperm_fsetxattr_regex:var:1" version="1" datatype="string" comment="Expression to match 64bit fsetxattr EPERM syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_64bit_arufm_fsetxattr_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_fsetxattr_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:constant_variable id="oval:ssg-var_32bit_arufm_ftruncate_head:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&amp;).)*</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_64bit_arufm_ftruncate_head:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+ftruncate[\s]+|([\s]+|[,])ftruncate([\s]+|[,])))(?:(?!-F[\s]+a\d&amp;).)*</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_arufm_ftruncate_tail:var:1" version="1" datatype="string" comment="audit rule auid and key">
-          <oval-def:value>[\s]+(?:-F\s+auid&gt;=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:local_variable id="oval:ssg-var_32bit_arufm_eacces_ftruncate_regex:var:1" version="1" datatype="string" comment="Expression to match 32bit ftruncate EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_32bit_arufm_ftruncate_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_ftruncate_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_32bit_arufm_eperm_ftruncate_regex:var:1" version="1" datatype="string" comment="Expression to match 32bit ftruncate EPERM EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_32bit_arufm_ftruncate_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_ftruncate_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_64bit_arufm_eacces_ftruncate_regex:var:1" version="1" datatype="string" comment="Expression to match 64bit ftruncate EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_64bit_arufm_ftruncate_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_ftruncate_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_64bit_arufm_eperm_ftruncate_regex:var:1" version="1" datatype="string" comment="Expression to match 64bit ftruncate EPERM syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_64bit_arufm_ftruncate_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_ftruncate_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:constant_variable id="oval:ssg-var_32bit_arufm_lchown_head:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:(?!-F[\s]+a\d&amp;).)*</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_64bit_arufm_lchown_head:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lchown[\s]+|([\s]+|[,])lchown([\s]+|[,])))(?:(?!-F[\s]+a\d&amp;).)*</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_arufm_lchown_tail:var:1" version="1" datatype="string" comment="audit rule auid and key">
-          <oval-def:value>[\s]+(?:-F\s+auid&gt;=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:local_variable id="oval:ssg-var_32bit_arufm_eacces_lchown_regex:var:1" version="1" datatype="string" comment="Expression to match 32bit lchown EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_32bit_arufm_lchown_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_lchown_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_32bit_arufm_eperm_lchown_regex:var:1" version="1" datatype="string" comment="Expression to match 32bit lchown EPERM EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_32bit_arufm_lchown_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_lchown_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_64bit_arufm_eacces_lchown_regex:var:1" version="1" datatype="string" comment="Expression to match 64bit lchown EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_64bit_arufm_lchown_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_lchown_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_64bit_arufm_eperm_lchown_regex:var:1" version="1" datatype="string" comment="Expression to match 64bit lchown EPERM syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_64bit_arufm_lchown_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_lchown_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:constant_variable id="oval:ssg-var_32bit_arufm_lremovexattr_head:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&amp;).)*</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_64bit_arufm_lremovexattr_head:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lremovexattr[\s]+|([\s]+|[,])lremovexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&amp;).)*</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_arufm_lremovexattr_tail:var:1" version="1" datatype="string" comment="audit rule auid and key">
-          <oval-def:value>[\s]+(?:-F\s+auid&gt;=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:local_variable id="oval:ssg-var_32bit_arufm_eacces_lremovexattr_regex:var:1" version="1" datatype="string" comment="Expression to match 32bit lremovexattr EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_32bit_arufm_lremovexattr_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_lremovexattr_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_32bit_arufm_eperm_lremovexattr_regex:var:1" version="1" datatype="string" comment="Expression to match 32bit lremovexattr EPERM EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_32bit_arufm_lremovexattr_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_lremovexattr_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_64bit_arufm_eacces_lremovexattr_regex:var:1" version="1" datatype="string" comment="Expression to match 64bit lremovexattr EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_64bit_arufm_lremovexattr_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_lremovexattr_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_64bit_arufm_eperm_lremovexattr_regex:var:1" version="1" datatype="string" comment="Expression to match 64bit lremovexattr EPERM syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_64bit_arufm_lremovexattr_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_lremovexattr_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:constant_variable id="oval:ssg-var_32bit_arufm_lsetxattr_head:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&amp;).)*</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_64bit_arufm_lsetxattr_head:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+lsetxattr[\s]+|([\s]+|[,])lsetxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&amp;).)*</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_arufm_lsetxattr_tail:var:1" version="1" datatype="string" comment="audit rule auid and key">
-          <oval-def:value>[\s]+(?:-F\s+auid&gt;=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:local_variable id="oval:ssg-var_32bit_arufm_eacces_lsetxattr_regex:var:1" version="1" datatype="string" comment="Expression to match 32bit lsetxattr EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_32bit_arufm_lsetxattr_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_lsetxattr_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_32bit_arufm_eperm_lsetxattr_regex:var:1" version="1" datatype="string" comment="Expression to match 32bit lsetxattr EPERM EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_32bit_arufm_lsetxattr_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_lsetxattr_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_64bit_arufm_eacces_lsetxattr_regex:var:1" version="1" datatype="string" comment="Expression to match 64bit lsetxattr EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_64bit_arufm_lsetxattr_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_lsetxattr_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_64bit_arufm_eperm_lsetxattr_regex:var:1" version="1" datatype="string" comment="Expression to match 64bit lsetxattr EPERM syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_64bit_arufm_lsetxattr_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_lsetxattr_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:constant_variable id="oval:ssg-var_32bit_arufm_open_head:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&amp;).)*</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_64bit_arufm_open_head:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open[\s]+|([\s]+|[,])open([\s]+|[,])))(?:(?!-F[\s]+a\d&amp;).)*</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_arufm_open_tail:var:1" version="1" datatype="string" comment="audit rule auid and key">
-          <oval-def:value>[\s]+(?:-F\s+auid&gt;=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:local_variable id="oval:ssg-var_32bit_arufm_eacces_open_regex:var:1" version="1" datatype="string" comment="Expression to match 32bit open EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_32bit_arufm_open_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_open_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_32bit_arufm_eperm_open_regex:var:1" version="1" datatype="string" comment="Expression to match 32bit open EPERM EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_32bit_arufm_open_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_open_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_64bit_arufm_eacces_open_regex:var:1" version="1" datatype="string" comment="Expression to match 64bit open EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_64bit_arufm_open_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_open_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_64bit_arufm_eperm_open_regex:var:1" version="1" datatype="string" comment="Expression to match 64bit open EPERM syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_64bit_arufm_open_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_open_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:constant_variable id="oval:ssg-var_32bit_arufm_open_by_handle_at_head:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&amp;).)*</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_64bit_arufm_open_by_handle_at_head:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+open_by_handle_at[\s]+|([\s]+|[,])open_by_handle_at([\s]+|[,])))(?:(?!-F[\s]+a\d&amp;).)*</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_arufm_open_by_handle_at_tail:var:1" version="1" datatype="string" comment="audit rule auid and key">
-          <oval-def:value>[\s]+(?:-F\s+auid&gt;=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:local_variable id="oval:ssg-var_32bit_arufm_eacces_open_by_handle_at_regex:var:1" version="1" datatype="string" comment="Expression to match 32bit open_by_handle_at EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_32bit_arufm_open_by_handle_at_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_open_by_handle_at_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_32bit_arufm_eperm_open_by_handle_at_regex:var:1" version="1" datatype="string" comment="Expression to match 32bit open_by_handle_at EPERM EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_32bit_arufm_open_by_handle_at_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_open_by_handle_at_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_64bit_arufm_eacces_open_by_handle_at_regex:var:1" version="1" datatype="string" comment="Expression to match 64bit open_by_handle_at EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_64bit_arufm_open_by_handle_at_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_open_by_handle_at_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_64bit_arufm_eperm_open_by_handle_at_regex:var:1" version="1" datatype="string" comment="Expression to match 64bit open_by_handle_at EPERM syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_64bit_arufm_open_by_handle_at_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_open_by_handle_at_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:constant_variable id="oval:ssg-var_audit_rule_open_by_handle_at_o_creat_32bit_head:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_audit_rule_open_by_handle_at_o_creat_64bit_head:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_audit_rule_open_by_handle_at_o_creat_tail:var:1" version="1" datatype="string" comment="audit rule auid and key">
-          <oval-def:value>[\s]+(?:-F\s+auid&gt;=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_audit_rule_open_by_handle_at_o_creat_separator_regex:var:1" version="1" datatype="string" comment="audit rule auid and key">
-          <oval-def:value>(?:[^.]|\.\s)*</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:local_variable id="oval:ssg-var_audit_rule_open_by_handle_at_o_creat_32bit_a20100_eacces_regex:var:1" version="1" datatype="string" comment="Expression to match 32bit open_by_handle_at O_CREAT EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_by_handle_at_o_creat_32bit_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+a2&amp;0100)[\s]+(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_by_handle_at_o_creat_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_audit_rule_open_by_handle_at_o_creat_32bit_a20100_eperm_regex:var:1" version="1" datatype="string" comment="Expression to match 32bit open_by_handle_at O_CREAT EPERM syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_by_handle_at_o_creat_32bit_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+a2&amp;0100)[\s]+(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_by_handle_at_o_creat_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_audit_rule_open_by_handle_at_o_creat_64bit_a20100_eacces_regex:var:1" version="1" datatype="string" comment="Expression to match 64bit open_by_handle_at O_CREAT EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_by_handle_at_o_creat_64bit_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+a2&amp;0100)[\s]+(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_by_handle_at_o_creat_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_audit_rule_open_by_handle_at_o_creat_64bit_a20100_eperm_regex:var:1" version="1" datatype="string" comment="Expression to match 32bit open_by_handle_at O_CREAT EPERM syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_by_handle_at_o_creat_64bit_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+a2&amp;0100)[\s]+(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_by_handle_at_o_creat_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:constant_variable id="oval:ssg-var_audit_rule_open_by_handle_at_o_trunc_32bit_head:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_audit_rule_open_by_handle_at_o_trunc_64bit_head:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_audit_rule_open_by_handle_at_o_trunc_tail:var:1" version="1" datatype="string" comment="audit rule auid and key">
-          <oval-def:value>[\s]+(?:-F\s+auid&gt;=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_audit_rule_open_by_handle_at_o_trunc_separator_regex:var:1" version="1" datatype="string" comment="audit rule auid and key">
-          <oval-def:value>(?:[^.]|\.\s)*</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:local_variable id="oval:ssg-var_audit_rule_open_by_handle_at_o_trunc_32bit_a201003_eacces_regex:var:1" version="1" datatype="string" comment="Expression to match 32bit open_by_handle_at O_TRUNC EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_by_handle_at_o_trunc_32bit_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+a2&amp;01003)[\s]+(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_by_handle_at_o_trunc_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_audit_rule_open_by_handle_at_o_trunc_32bit_a201003_eperm_regex:var:1" version="1" datatype="string" comment="Expression to match 32bit open_by_handle_at O_TRUNC EPERM EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_by_handle_at_o_trunc_32bit_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+a2&amp;01003)[\s]+(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_by_handle_at_o_trunc_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_audit_rule_open_by_handle_at_o_trunc_64bit_a201003_eacces_regex:var:1" version="1" datatype="string" comment="Expression to match 64bit open_by_handle_at O_TRUNC EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_by_handle_at_o_trunc_64bit_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+a2&amp;01003)[\s]+(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_by_handle_at_o_trunc_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_audit_rule_open_by_handle_at_o_trunc_64bit_a201003_eperm_regex:var:1" version="1" datatype="string" comment="Expression to match 64bit open_by_handle_at O_TRUNC EPERM syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_by_handle_at_o_trunc_64bit_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+a2&amp;01003)[\s]+(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_by_handle_at_o_trunc_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:constant_variable id="oval:ssg-var_audit_rule_open_by_handle_at_order_32bit_head:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_audit_rule_open_by_handle_at_order_64bit_head:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open_by_handle_at)(?:,[\S]+)*)[\s]+</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_audit_rule_open_by_handle_at_order_tail:var:1" version="1" datatype="string" comment="audit rule auid and key">
-          <oval-def:value>[\s]+(?:-F\s+auid&gt;=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:local_variable id="oval:ssg-var_audit_rule_open_by_handle_at_order_32bit_a20100_eacces_regex:var:1" version="1" datatype="string" comment="arches to audit">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_by_handle_at_order_32bit_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+a2&amp;0100)[\s]+(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_by_handle_at_order_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_audit_rule_open_by_handle_at_order_32bit_a201003_eacces_regex:var:1" version="1" datatype="string" comment="arches to audit">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_by_handle_at_order_32bit_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+a2&amp;01003)[\s]+(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_by_handle_at_order_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_audit_rule_open_by_handle_at_order_32bit_eacces_regex:var:1" version="1" datatype="string" comment="arches to audit">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_by_handle_at_order_32bit_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_by_handle_at_order_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_audit_rule_open_by_handle_at_order_32bit_a20100_eperm_regex:var:1" version="1" datatype="string" comment="arches to audit">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_by_handle_at_order_32bit_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+a2&amp;0100)[\s]+(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_by_handle_at_order_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_audit_rule_open_by_handle_at_order_32bit_a201003_eperm_regex:var:1" version="1" datatype="string" comment="arches to audit">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_by_handle_at_order_32bit_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+a2&amp;01003)[\s]+(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_by_handle_at_order_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_audit_rule_open_by_handle_at_order_32bit_eperm_regex:var:1" version="1" datatype="string" comment="arches to audit">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_by_handle_at_order_32bit_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_by_handle_at_order_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_audit_rule_open_by_handle_at_order_64bit_a20100_eacces_regex:var:1" version="1" datatype="string" comment="arches to audit">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_by_handle_at_order_64bit_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+a2&amp;0100)[\s]+(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_by_handle_at_order_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_audit_rule_open_by_handle_at_order_64bit_a201003_eacces_regex:var:1" version="1" datatype="string" comment="arches to audit">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_by_handle_at_order_64bit_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+a2&amp;01003)[\s]+(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_by_handle_at_order_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_audit_rule_open_by_handle_at_order_64bit_eacces_regex:var:1" version="1" datatype="string" comment="arches to audit">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_by_handle_at_order_64bit_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_by_handle_at_order_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_audit_rule_open_by_handle_at_order_64bit_a20100_eperm_regex:var:1" version="1" datatype="string" comment="arches to audit">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_by_handle_at_order_64bit_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+a2&amp;0100)[\s]+(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_by_handle_at_order_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_audit_rule_open_by_handle_at_order_64bit_a201003_eperm_regex:var:1" version="1" datatype="string" comment="arches to audit">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_by_handle_at_order_64bit_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+a2&amp;01003)[\s]+(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_by_handle_at_order_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_audit_rule_open_by_handle_at_order_64bit_eperm_regex:var:1" version="1" datatype="string" comment="arches to audit">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_by_handle_at_order_64bit_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_by_handle_at_order_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_arufm_rule_order_32bit_open_by_handle_at_eacces_augenrules_regex:var:1" version="1" datatype="string" comment="arches to audit">
-          <oval-def:concat>
-            <oval-def:literal_component>^</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_by_handle_at_order_32bit_a20100_eacces_augenrules:obj:1"/>
-            <oval-def:literal_component>$\n(^(?!</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_by_handle_at_order_32bit_a20100_eacces_augenrules:obj:1"/>
-            <oval-def:literal_component>|</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_by_handle_at_order_nofilter_32bit_eacces_augenrules:obj:1"/>
-            <oval-def:literal_component>).*$\n)*^</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_by_handle_at_order_32bit_a201003_eacces_augenrules:obj:1"/>
-            <oval-def:literal_component>$\n(^(?!</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_by_handle_at_order_32bit_a201003_eacces_augenrules:obj:1"/>
-            <oval-def:literal_component>|</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_by_handle_at_order_32bit_a20100_eacces_augenrules:obj:1"/>
-            <oval-def:literal_component>).*$\n)*^</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_by_handle_at_order_nofilter_32bit_eacces_augenrules:obj:1"/>
-            <oval-def:literal_component>$</oval-def:literal_component>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_arufm_rule_order_32bit_open_by_handle_at_eperm_augenrules_regex:var:1" version="1" datatype="string" comment="arches to audit">
-          <oval-def:concat>
-            <oval-def:literal_component>^</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_by_handle_at_order_32bit_a20100_eperm_augenrules:obj:1"/>
-            <oval-def:literal_component>$\n(^(?!</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_by_handle_at_order_32bit_a20100_eperm_augenrules:obj:1"/>
-            <oval-def:literal_component>|</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_by_handle_at_order_nofilter_32bit_eperm_augenrules:obj:1"/>
-            <oval-def:literal_component>).*$\n)*^</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_by_handle_at_order_32bit_a201003_eperm_augenrules:obj:1"/>
-            <oval-def:literal_component>$\n(^(?!</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_by_handle_at_order_32bit_a201003_eperm_augenrules:obj:1"/>
-            <oval-def:literal_component>|</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_by_handle_at_order_32bit_a20100_eperm_augenrules:obj:1"/>
-            <oval-def:literal_component>).*$\n)*^</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_by_handle_at_order_nofilter_32bit_eperm_augenrules:obj:1"/>
-            <oval-def:literal_component>$</oval-def:literal_component>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_arufm_rule_order_64bit_open_by_handle_at_eacces_augenrules_regex:var:1" version="1" datatype="string" comment="arches to audit">
-          <oval-def:concat>
-            <oval-def:literal_component>^</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_by_handle_at_order_64bit_a20100_eacces_augenrules:obj:1"/>
-            <oval-def:literal_component>$\n(^(?!</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_by_handle_at_order_64bit_a20100_eacces_augenrules:obj:1"/>
-            <oval-def:literal_component>|</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_by_handle_at_order_nofilter_64bit_eacces_augenrules:obj:1"/>
-            <oval-def:literal_component>).*$\n)*^</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_by_handle_at_order_64bit_a201003_eacces_augenrules:obj:1"/>
-            <oval-def:literal_component>$\n(^(?!</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_by_handle_at_order_64bit_a201003_eacces_augenrules:obj:1"/>
-            <oval-def:literal_component>|</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_by_handle_at_order_64bit_a20100_eacces_augenrules:obj:1"/>
-            <oval-def:literal_component>).*$\n)*^</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_by_handle_at_order_nofilter_64bit_eacces_augenrules:obj:1"/>
-            <oval-def:literal_component>$</oval-def:literal_component>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_arufm_rule_order_64bit_open_by_handle_at_eperm_augenrules_regex:var:1" version="1" datatype="string" comment="arches to audit">
-          <oval-def:concat>
-            <oval-def:literal_component>^</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_by_handle_at_order_64bit_a20100_eperm_augenrules:obj:1"/>
-            <oval-def:literal_component>$\n(^(?!</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_by_handle_at_order_64bit_a20100_eperm_augenrules:obj:1"/>
-            <oval-def:literal_component>|</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_by_handle_at_order_nofilter_64bit_eperm_augenrules:obj:1"/>
-            <oval-def:literal_component>).*$\n)*^</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_by_handle_at_order_64bit_a201003_eperm_augenrules:obj:1"/>
-            <oval-def:literal_component>$\n(^(?!</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_by_handle_at_order_64bit_a201003_eperm_augenrules:obj:1"/>
-            <oval-def:literal_component>|</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_by_handle_at_order_64bit_a20100_eperm_augenrules:obj:1"/>
-            <oval-def:literal_component>).*$\n)*^</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_by_handle_at_order_nofilter_64bit_eperm_augenrules:obj:1"/>
-            <oval-def:literal_component>$</oval-def:literal_component>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_arufm_rule_order_32bit_open_by_handle_at_auditctl_eacces_regex:var:1" version="1" datatype="string" comment="arches to audit">
-          <oval-def:concat>
-            <oval-def:literal_component>^</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_by_handle_at_order_32bit_a20100_eacces_auditctl:obj:1"/>
-            <oval-def:literal_component>$\n(^(?!</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_by_handle_at_order_32bit_a20100_eacces_auditctl:obj:1"/>
-            <oval-def:literal_component>|</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_by_handle_at_order_nofilter_32bit_eacces_auditctl:obj:1"/>
-            <oval-def:literal_component>).*$\n)*^</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_by_handle_at_order_32bit_a201003_eacces_auditctl:obj:1"/>
-            <oval-def:literal_component>$\n(^(?!</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_by_handle_at_order_32bit_a201003_eacces_auditctl:obj:1"/>
-            <oval-def:literal_component>|</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_by_handle_at_order_32bit_a20100_eacces_auditctl:obj:1"/>
-            <oval-def:literal_component>).*$\n)*^</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_by_handle_at_order_nofilter_32bit_eacces_auditctl:obj:1"/>
-            <oval-def:literal_component>$</oval-def:literal_component>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_arufm_rule_order_32bit_open_by_handle_at_auditctl_eperm_regex:var:1" version="1" datatype="string" comment="arches to audit">
-          <oval-def:concat>
-            <oval-def:literal_component>^</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_by_handle_at_order_32bit_a20100_eperm_auditctl:obj:1"/>
-            <oval-def:literal_component>$\n(^(?!</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_by_handle_at_order_32bit_a20100_eperm_auditctl:obj:1"/>
-            <oval-def:literal_component>|</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_by_handle_at_order_nofilter_32bit_eperm_auditctl:obj:1"/>
-            <oval-def:literal_component>).*$\n)*^</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_by_handle_at_order_32bit_a201003_eperm_auditctl:obj:1"/>
-            <oval-def:literal_component>$\n(^(?!</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_by_handle_at_order_32bit_a201003_eperm_auditctl:obj:1"/>
-            <oval-def:literal_component>|</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_by_handle_at_order_32bit_a20100_eperm_auditctl:obj:1"/>
-            <oval-def:literal_component>).*$\n)*^</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_by_handle_at_order_nofilter_32bit_eperm_auditctl:obj:1"/>
-            <oval-def:literal_component>$</oval-def:literal_component>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_arufm_open_by_handle_at_order_64bit_auditctl_eacces_regex:var:1" version="1" datatype="string" comment="arches to audit">
-          <oval-def:concat>
-            <oval-def:literal_component>^</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_by_handle_at_order_64bit_a20100_eacces_auditctl:obj:1"/>
-            <oval-def:literal_component>$\n(^(?!</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_by_handle_at_order_64bit_a20100_eacces_auditctl:obj:1"/>
-            <oval-def:literal_component>|</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_by_handle_at_order_nofilter_64bit_eacces_auditctl:obj:1"/>
-            <oval-def:literal_component>).*$\n)*^</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_by_handle_at_order_64bit_a201003_eacces_auditctl:obj:1"/>
-            <oval-def:literal_component>$\n(^(?!</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_by_handle_at_order_64bit_a201003_eacces_auditctl:obj:1"/>
-            <oval-def:literal_component>|</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_by_handle_at_order_64bit_a20100_eacces_auditctl:obj:1"/>
-            <oval-def:literal_component>).*$\n)*^</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_by_handle_at_order_nofilter_64bit_eacces_auditctl:obj:1"/>
-            <oval-def:literal_component>$</oval-def:literal_component>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_arufm_rule_order_64bit_open_by_handle_at_auditctl_eperm_regex:var:1" version="1" datatype="string" comment="arches to audit">
-          <oval-def:concat>
-            <oval-def:literal_component>^</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_by_handle_at_order_64bit_a20100_eperm_auditctl:obj:1"/>
-            <oval-def:literal_component>$\n(^(?!</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_by_handle_at_order_64bit_a20100_eperm_auditctl:obj:1"/>
-            <oval-def:literal_component>|</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_by_handle_at_order_nofilter_64bit_eperm_auditctl:obj:1"/>
-            <oval-def:literal_component>).*$\n)*^</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_by_handle_at_order_64bit_a201003_eperm_auditctl:obj:1"/>
-            <oval-def:literal_component>$\n(^(?!</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_by_handle_at_order_64bit_a201003_eperm_auditctl:obj:1"/>
-            <oval-def:literal_component>|</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_by_handle_at_order_64bit_a20100_eperm_auditctl:obj:1"/>
-            <oval-def:literal_component>).*$\n)*^</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_by_handle_at_order_nofilter_64bit_eperm_auditctl:obj:1"/>
-            <oval-def:literal_component>$</oval-def:literal_component>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:constant_variable id="oval:ssg-var_audit_rule_open_o_creat_32bit_head:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_audit_rule_open_o_creat_64bit_head:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_audit_rule_open_o_creat_tail:var:1" version="1" datatype="string" comment="audit rule auid and key">
-          <oval-def:value>[\s]+(?:-F\s+auid&gt;=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_audit_rule_open_o_creat_separator_regex:var:1" version="1" datatype="string" comment="audit rule auid and key">
-          <oval-def:value>(?:[^.]|\.\s)*</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:local_variable id="oval:ssg-var_audit_rule_open_o_creat_32bit_a20100_eacces_regex:var:1" version="1" datatype="string" comment="Expression to match 32bit open O_CREAT EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_o_creat_32bit_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+a1&amp;0100)[\s]+(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_o_creat_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_audit_rule_open_o_creat_32bit_a20100_eperm_regex:var:1" version="1" datatype="string" comment="Expression to match 32bit open O_CREAT EPERM syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_o_creat_32bit_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+a1&amp;0100)[\s]+(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_o_creat_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_audit_rule_open_o_creat_64bit_a20100_eacces_regex:var:1" version="1" datatype="string" comment="Expression to match 64bit open O_CREAT EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_o_creat_64bit_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+a1&amp;0100)[\s]+(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_o_creat_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_audit_rule_open_o_creat_64bit_a20100_eperm_regex:var:1" version="1" datatype="string" comment="Expression to match 32bit open O_CREAT EPERM syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_o_creat_64bit_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+a1&amp;0100)[\s]+(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_o_creat_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:constant_variable id="oval:ssg-var_audit_rule_open_o_trunc_32bit_head:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_audit_rule_open_o_trunc_64bit_head:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_audit_rule_open_o_trunc_tail:var:1" version="1" datatype="string" comment="audit rule auid and key">
-          <oval-def:value>[\s]+(?:-F\s+auid&gt;=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_audit_rule_open_o_trunc_separator_regex:var:1" version="1" datatype="string" comment="audit rule auid and key">
-          <oval-def:value>(?:[^.]|\.\s)*</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:local_variable id="oval:ssg-var_audit_rule_open_o_trunc_32bit_a201003_eacces_regex:var:1" version="1" datatype="string" comment="Expression to match 32bit open O_TRUNC EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_o_trunc_32bit_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+a1&amp;01003)[\s]+(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_o_trunc_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_audit_rule_open_o_trunc_32bit_a201003_eperm_regex:var:1" version="1" datatype="string" comment="Expression to match 32bit open O_TRUNC EPERM EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_o_trunc_32bit_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+a1&amp;01003)[\s]+(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_o_trunc_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_audit_rule_open_o_trunc_64bit_a201003_eacces_regex:var:1" version="1" datatype="string" comment="Expression to match 64bit open O_TRUNC EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_o_trunc_64bit_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+a1&amp;01003)[\s]+(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_o_trunc_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_audit_rule_open_o_trunc_64bit_a201003_eperm_regex:var:1" version="1" datatype="string" comment="Expression to match 64bit open O_TRUNC EPERM syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_o_trunc_64bit_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+a1&amp;01003)[\s]+(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_o_trunc_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:constant_variable id="oval:ssg-var_audit_rule_open_order_32bit_head:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_audit_rule_open_order_64bit_head:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(open)(?:,[\S]+)*)[\s]+</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_audit_rule_open_order_tail:var:1" version="1" datatype="string" comment="audit rule auid and key">
-          <oval-def:value>[\s]+(?:-F\s+auid&gt;=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:local_variable id="oval:ssg-var_audit_rule_open_order_32bit_a20100_eacces_regex:var:1" version="1" datatype="string" comment="arches to audit">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_order_32bit_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+a1&amp;0100)[\s]+(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_order_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_audit_rule_open_order_32bit_a201003_eacces_regex:var:1" version="1" datatype="string" comment="arches to audit">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_order_32bit_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+a1&amp;01003)[\s]+(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_order_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_audit_rule_open_order_32bit_eacces_regex:var:1" version="1" datatype="string" comment="arches to audit">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_order_32bit_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_order_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_audit_rule_open_order_32bit_a20100_eperm_regex:var:1" version="1" datatype="string" comment="arches to audit">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_order_32bit_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+a1&amp;0100)[\s]+(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_order_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_audit_rule_open_order_32bit_a201003_eperm_regex:var:1" version="1" datatype="string" comment="arches to audit">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_order_32bit_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+a1&amp;01003)[\s]+(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_order_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_audit_rule_open_order_32bit_eperm_regex:var:1" version="1" datatype="string" comment="arches to audit">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_order_32bit_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_order_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_audit_rule_open_order_64bit_a20100_eacces_regex:var:1" version="1" datatype="string" comment="arches to audit">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_order_64bit_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+a1&amp;0100)[\s]+(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_order_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_audit_rule_open_order_64bit_a201003_eacces_regex:var:1" version="1" datatype="string" comment="arches to audit">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_order_64bit_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+a1&amp;01003)[\s]+(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_order_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_audit_rule_open_order_64bit_eacces_regex:var:1" version="1" datatype="string" comment="arches to audit">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_order_64bit_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_order_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_audit_rule_open_order_64bit_a20100_eperm_regex:var:1" version="1" datatype="string" comment="arches to audit">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_order_64bit_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+a1&amp;0100)[\s]+(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_order_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_audit_rule_open_order_64bit_a201003_eperm_regex:var:1" version="1" datatype="string" comment="arches to audit">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_order_64bit_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+a1&amp;01003)[\s]+(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_order_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_audit_rule_open_order_64bit_eperm_regex:var:1" version="1" datatype="string" comment="arches to audit">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_order_64bit_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_open_order_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_arufm_rule_order_32bit_open_eacces_augenrules_regex:var:1" version="1" datatype="string" comment="arches to audit">
-          <oval-def:concat>
-            <oval-def:literal_component>^</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_order_32bit_a20100_eacces_augenrules:obj:1"/>
-            <oval-def:literal_component>$\n(^(?!</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_order_32bit_a20100_eacces_augenrules:obj:1"/>
-            <oval-def:literal_component>|</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_order_nofilter_32bit_eacces_augenrules:obj:1"/>
-            <oval-def:literal_component>).*$\n)*^</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_order_32bit_a201003_eacces_augenrules:obj:1"/>
-            <oval-def:literal_component>$\n(^(?!</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_order_32bit_a201003_eacces_augenrules:obj:1"/>
-            <oval-def:literal_component>|</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_order_32bit_a20100_eacces_augenrules:obj:1"/>
-            <oval-def:literal_component>).*$\n)*^</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_order_nofilter_32bit_eacces_augenrules:obj:1"/>
-            <oval-def:literal_component>$</oval-def:literal_component>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_arufm_rule_order_32bit_open_eperm_augenrules_regex:var:1" version="1" datatype="string" comment="arches to audit">
-          <oval-def:concat>
-            <oval-def:literal_component>^</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_order_32bit_a20100_eperm_augenrules:obj:1"/>
-            <oval-def:literal_component>$\n(^(?!</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_order_32bit_a20100_eperm_augenrules:obj:1"/>
-            <oval-def:literal_component>|</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_order_nofilter_32bit_eperm_augenrules:obj:1"/>
-            <oval-def:literal_component>).*$\n)*^</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_order_32bit_a201003_eperm_augenrules:obj:1"/>
-            <oval-def:literal_component>$\n(^(?!</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_order_32bit_a201003_eperm_augenrules:obj:1"/>
-            <oval-def:literal_component>|</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_order_32bit_a20100_eperm_augenrules:obj:1"/>
-            <oval-def:literal_component>).*$\n)*^</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_order_nofilter_32bit_eperm_augenrules:obj:1"/>
-            <oval-def:literal_component>$</oval-def:literal_component>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_arufm_rule_order_64bit_open_eacces_augenrules_regex:var:1" version="1" datatype="string" comment="arches to audit">
-          <oval-def:concat>
-            <oval-def:literal_component>^</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_order_64bit_a20100_eacces_augenrules:obj:1"/>
-            <oval-def:literal_component>$\n(^(?!</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_order_64bit_a20100_eacces_augenrules:obj:1"/>
-            <oval-def:literal_component>|</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_order_nofilter_64bit_eacces_augenrules:obj:1"/>
-            <oval-def:literal_component>).*$\n)*^</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_order_64bit_a201003_eacces_augenrules:obj:1"/>
-            <oval-def:literal_component>$\n(^(?!</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_order_64bit_a201003_eacces_augenrules:obj:1"/>
-            <oval-def:literal_component>|</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_order_64bit_a20100_eacces_augenrules:obj:1"/>
-            <oval-def:literal_component>).*$\n)*^</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_order_nofilter_64bit_eacces_augenrules:obj:1"/>
-            <oval-def:literal_component>$</oval-def:literal_component>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_arufm_rule_order_64bit_open_eperm_augenrules_regex:var:1" version="1" datatype="string" comment="arches to audit">
-          <oval-def:concat>
-            <oval-def:literal_component>^</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_order_64bit_a20100_eperm_augenrules:obj:1"/>
-            <oval-def:literal_component>$\n(^(?!</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_order_64bit_a20100_eperm_augenrules:obj:1"/>
-            <oval-def:literal_component>|</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_order_nofilter_64bit_eperm_augenrules:obj:1"/>
-            <oval-def:literal_component>).*$\n)*^</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_order_64bit_a201003_eperm_augenrules:obj:1"/>
-            <oval-def:literal_component>$\n(^(?!</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_order_64bit_a201003_eperm_augenrules:obj:1"/>
-            <oval-def:literal_component>|</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_order_64bit_a20100_eperm_augenrules:obj:1"/>
-            <oval-def:literal_component>).*$\n)*^</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_order_nofilter_64bit_eperm_augenrules:obj:1"/>
-            <oval-def:literal_component>$</oval-def:literal_component>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_arufm_rule_order_32bit_open_auditctl_eacces_regex:var:1" version="1" datatype="string" comment="arches to audit">
-          <oval-def:concat>
-            <oval-def:literal_component>^</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_order_32bit_a20100_eacces_auditctl:obj:1"/>
-            <oval-def:literal_component>$\n(^(?!</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_order_32bit_a20100_eacces_auditctl:obj:1"/>
-            <oval-def:literal_component>|</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_order_nofilter_32bit_eacces_auditctl:obj:1"/>
-            <oval-def:literal_component>).*$\n)*^</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_order_32bit_a201003_eacces_auditctl:obj:1"/>
-            <oval-def:literal_component>$\n(^(?!</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_order_32bit_a201003_eacces_auditctl:obj:1"/>
-            <oval-def:literal_component>|</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_order_32bit_a20100_eacces_auditctl:obj:1"/>
-            <oval-def:literal_component>).*$\n)*^</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_order_nofilter_32bit_eacces_auditctl:obj:1"/>
-            <oval-def:literal_component>$</oval-def:literal_component>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_arufm_rule_order_32bit_open_auditctl_eperm_regex:var:1" version="1" datatype="string" comment="arches to audit">
-          <oval-def:concat>
-            <oval-def:literal_component>^</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_order_32bit_a20100_eperm_auditctl:obj:1"/>
-            <oval-def:literal_component>$\n(^(?!</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_order_32bit_a20100_eperm_auditctl:obj:1"/>
-            <oval-def:literal_component>|</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_order_nofilter_32bit_eperm_auditctl:obj:1"/>
-            <oval-def:literal_component>).*$\n)*^</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_order_32bit_a201003_eperm_auditctl:obj:1"/>
-            <oval-def:literal_component>$\n(^(?!</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_order_32bit_a201003_eperm_auditctl:obj:1"/>
-            <oval-def:literal_component>|</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_order_32bit_a20100_eperm_auditctl:obj:1"/>
-            <oval-def:literal_component>).*$\n)*^</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_order_nofilter_32bit_eperm_auditctl:obj:1"/>
-            <oval-def:literal_component>$</oval-def:literal_component>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_arufm_open_order_64bit_auditctl_eacces_regex:var:1" version="1" datatype="string" comment="arches to audit">
-          <oval-def:concat>
-            <oval-def:literal_component>^</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_order_64bit_a20100_eacces_auditctl:obj:1"/>
-            <oval-def:literal_component>$\n(^(?!</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_order_64bit_a20100_eacces_auditctl:obj:1"/>
-            <oval-def:literal_component>|</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_order_nofilter_64bit_eacces_auditctl:obj:1"/>
-            <oval-def:literal_component>).*$\n)*^</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_order_64bit_a201003_eacces_auditctl:obj:1"/>
-            <oval-def:literal_component>$\n(^(?!</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_order_64bit_a201003_eacces_auditctl:obj:1"/>
-            <oval-def:literal_component>|</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_order_64bit_a20100_eacces_auditctl:obj:1"/>
-            <oval-def:literal_component>).*$\n)*^</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_order_nofilter_64bit_eacces_auditctl:obj:1"/>
-            <oval-def:literal_component>$</oval-def:literal_component>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_arufm_rule_order_64bit_open_auditctl_eperm_regex:var:1" version="1" datatype="string" comment="arches to audit">
-          <oval-def:concat>
-            <oval-def:literal_component>^</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_order_64bit_a20100_eperm_auditctl:obj:1"/>
-            <oval-def:literal_component>$\n(^(?!</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_order_64bit_a20100_eperm_auditctl:obj:1"/>
-            <oval-def:literal_component>|</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_order_nofilter_64bit_eperm_auditctl:obj:1"/>
-            <oval-def:literal_component>).*$\n)*^</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_order_64bit_a201003_eperm_auditctl:obj:1"/>
-            <oval-def:literal_component>$\n(^(?!</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_order_64bit_a201003_eperm_auditctl:obj:1"/>
-            <oval-def:literal_component>|</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_order_64bit_a20100_eperm_auditctl:obj:1"/>
-            <oval-def:literal_component>).*$\n)*^</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_open_order_nofilter_64bit_eperm_auditctl:obj:1"/>
-            <oval-def:literal_component>$</oval-def:literal_component>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:constant_variable id="oval:ssg-var_32bit_arufm_openat_head:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&amp;).)*</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_64bit_arufm_openat_head:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+openat[\s]+|([\s]+|[,])openat([\s]+|[,])))(?:(?!-F[\s]+a\d&amp;).)*</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_arufm_openat_tail:var:1" version="1" datatype="string" comment="audit rule auid and key">
-          <oval-def:value>[\s]+(?:-F\s+auid&gt;=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:local_variable id="oval:ssg-var_32bit_arufm_eacces_openat_regex:var:1" version="1" datatype="string" comment="Expression to match 32bit openat EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_32bit_arufm_openat_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_openat_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_32bit_arufm_eperm_openat_regex:var:1" version="1" datatype="string" comment="Expression to match 32bit openat EPERM EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_32bit_arufm_openat_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_openat_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_64bit_arufm_eacces_openat_regex:var:1" version="1" datatype="string" comment="Expression to match 64bit openat EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_64bit_arufm_openat_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_openat_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_64bit_arufm_eperm_openat_regex:var:1" version="1" datatype="string" comment="Expression to match 64bit openat EPERM syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_64bit_arufm_openat_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_openat_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:constant_variable id="oval:ssg-var_audit_rule_openat_o_creat_32bit_head:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_audit_rule_openat_o_creat_64bit_head:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_audit_rule_openat_o_creat_tail:var:1" version="1" datatype="string" comment="audit rule auid and key">
-          <oval-def:value>[\s]+(?:-F\s+auid&gt;=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_audit_rule_openat_o_creat_separator_regex:var:1" version="1" datatype="string" comment="audit rule auid and key">
-          <oval-def:value>(?:[^.]|\.\s)*</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:local_variable id="oval:ssg-var_audit_rule_openat_o_creat_32bit_a20100_eacces_regex:var:1" version="1" datatype="string" comment="Expression to match 32bit openat O_CREAT EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_openat_o_creat_32bit_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+a2&amp;0100)[\s]+(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_openat_o_creat_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_audit_rule_openat_o_creat_32bit_a20100_eperm_regex:var:1" version="1" datatype="string" comment="Expression to match 32bit openat O_CREAT EPERM syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_openat_o_creat_32bit_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+a2&amp;0100)[\s]+(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_openat_o_creat_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_audit_rule_openat_o_creat_64bit_a20100_eacces_regex:var:1" version="1" datatype="string" comment="Expression to match 64bit openat O_CREAT EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_openat_o_creat_64bit_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+a2&amp;0100)[\s]+(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_openat_o_creat_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_audit_rule_openat_o_creat_64bit_a20100_eperm_regex:var:1" version="1" datatype="string" comment="Expression to match 32bit openat O_CREAT EPERM syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_openat_o_creat_64bit_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+a2&amp;0100)[\s]+(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_openat_o_creat_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:constant_variable id="oval:ssg-var_audit_rule_openat_o_trunc_32bit_head:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_audit_rule_openat_o_trunc_64bit_head:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_audit_rule_openat_o_trunc_tail:var:1" version="1" datatype="string" comment="audit rule auid and key">
-          <oval-def:value>[\s]+(?:-F\s+auid&gt;=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_audit_rule_openat_o_trunc_separator_regex:var:1" version="1" datatype="string" comment="audit rule auid and key">
-          <oval-def:value>(?:[^.]|\.\s)*</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:local_variable id="oval:ssg-var_audit_rule_openat_o_trunc_32bit_a201003_eacces_regex:var:1" version="1" datatype="string" comment="Expression to match 32bit openat O_TRUNC EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_openat_o_trunc_32bit_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+a2&amp;01003)[\s]+(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_openat_o_trunc_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_audit_rule_openat_o_trunc_32bit_a201003_eperm_regex:var:1" version="1" datatype="string" comment="Expression to match 32bit openat O_TRUNC EPERM EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_openat_o_trunc_32bit_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+a2&amp;01003)[\s]+(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_openat_o_trunc_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_audit_rule_openat_o_trunc_64bit_a201003_eacces_regex:var:1" version="1" datatype="string" comment="Expression to match 64bit openat O_TRUNC EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_openat_o_trunc_64bit_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+a2&amp;01003)[\s]+(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_openat_o_trunc_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_audit_rule_openat_o_trunc_64bit_a201003_eperm_regex:var:1" version="1" datatype="string" comment="Expression to match 64bit openat O_TRUNC EPERM syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_openat_o_trunc_64bit_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+a2&amp;01003)[\s]+(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_openat_o_trunc_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:constant_variable id="oval:ssg-var_audit_rule_openat_order_32bit_head:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_audit_rule_openat_order_64bit_head:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:-S[\s]+(?:[\S]+,)*(openat)(?:,[\S]+)*)[\s]+</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_audit_rule_openat_order_tail:var:1" version="1" datatype="string" comment="audit rule auid and key">
-          <oval-def:value>[\s]+(?:-F\s+auid&gt;=1000[\s]+)(?:-F\s+auid!=(?:unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:local_variable id="oval:ssg-var_audit_rule_openat_order_32bit_a20100_eacces_regex:var:1" version="1" datatype="string" comment="arches to audit">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_openat_order_32bit_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+a2&amp;0100)[\s]+(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_openat_order_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_audit_rule_openat_order_32bit_a201003_eacces_regex:var:1" version="1" datatype="string" comment="arches to audit">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_openat_order_32bit_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+a2&amp;01003)[\s]+(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_openat_order_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_audit_rule_openat_order_32bit_eacces_regex:var:1" version="1" datatype="string" comment="arches to audit">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_openat_order_32bit_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_openat_order_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_audit_rule_openat_order_32bit_a20100_eperm_regex:var:1" version="1" datatype="string" comment="arches to audit">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_openat_order_32bit_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+a2&amp;0100)[\s]+(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_openat_order_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_audit_rule_openat_order_32bit_a201003_eperm_regex:var:1" version="1" datatype="string" comment="arches to audit">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_openat_order_32bit_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+a2&amp;01003)[\s]+(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_openat_order_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_audit_rule_openat_order_32bit_eperm_regex:var:1" version="1" datatype="string" comment="arches to audit">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_openat_order_32bit_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_openat_order_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_audit_rule_openat_order_64bit_a20100_eacces_regex:var:1" version="1" datatype="string" comment="arches to audit">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_openat_order_64bit_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+a2&amp;0100)[\s]+(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_openat_order_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_audit_rule_openat_order_64bit_a201003_eacces_regex:var:1" version="1" datatype="string" comment="arches to audit">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_openat_order_64bit_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+a2&amp;01003)[\s]+(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_openat_order_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_audit_rule_openat_order_64bit_eacces_regex:var:1" version="1" datatype="string" comment="arches to audit">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_openat_order_64bit_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_openat_order_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_audit_rule_openat_order_64bit_a20100_eperm_regex:var:1" version="1" datatype="string" comment="arches to audit">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_openat_order_64bit_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+a2&amp;0100)[\s]+(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_openat_order_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_audit_rule_openat_order_64bit_a201003_eperm_regex:var:1" version="1" datatype="string" comment="arches to audit">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_openat_order_64bit_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+a2&amp;01003)[\s]+(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_openat_order_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_audit_rule_openat_order_64bit_eperm_regex:var:1" version="1" datatype="string" comment="arches to audit">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_openat_order_64bit_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_audit_rule_openat_order_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_arufm_rule_order_32bit_openat_eacces_augenrules_regex:var:1" version="1" datatype="string" comment="arches to audit">
-          <oval-def:concat>
-            <oval-def:literal_component>^</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_openat_order_32bit_a20100_eacces_augenrules:obj:1"/>
-            <oval-def:literal_component>$\n(^(?!</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_openat_order_32bit_a20100_eacces_augenrules:obj:1"/>
-            <oval-def:literal_component>|</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_openat_order_nofilter_32bit_eacces_augenrules:obj:1"/>
-            <oval-def:literal_component>).*$\n)*^</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_openat_order_32bit_a201003_eacces_augenrules:obj:1"/>
-            <oval-def:literal_component>$\n(^(?!</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_openat_order_32bit_a201003_eacces_augenrules:obj:1"/>
-            <oval-def:literal_component>|</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_openat_order_32bit_a20100_eacces_augenrules:obj:1"/>
-            <oval-def:literal_component>).*$\n)*^</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_openat_order_nofilter_32bit_eacces_augenrules:obj:1"/>
-            <oval-def:literal_component>$</oval-def:literal_component>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_arufm_rule_order_32bit_openat_eperm_augenrules_regex:var:1" version="1" datatype="string" comment="arches to audit">
-          <oval-def:concat>
-            <oval-def:literal_component>^</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_openat_order_32bit_a20100_eperm_augenrules:obj:1"/>
-            <oval-def:literal_component>$\n(^(?!</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_openat_order_32bit_a20100_eperm_augenrules:obj:1"/>
-            <oval-def:literal_component>|</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_openat_order_nofilter_32bit_eperm_augenrules:obj:1"/>
-            <oval-def:literal_component>).*$\n)*^</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_openat_order_32bit_a201003_eperm_augenrules:obj:1"/>
-            <oval-def:literal_component>$\n(^(?!</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_openat_order_32bit_a201003_eperm_augenrules:obj:1"/>
-            <oval-def:literal_component>|</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_openat_order_32bit_a20100_eperm_augenrules:obj:1"/>
-            <oval-def:literal_component>).*$\n)*^</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_openat_order_nofilter_32bit_eperm_augenrules:obj:1"/>
-            <oval-def:literal_component>$</oval-def:literal_component>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_arufm_rule_order_64bit_openat_eacces_augenrules_regex:var:1" version="1" datatype="string" comment="arches to audit">
-          <oval-def:concat>
-            <oval-def:literal_component>^</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_openat_order_64bit_a20100_eacces_augenrules:obj:1"/>
-            <oval-def:literal_component>$\n(^(?!</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_openat_order_64bit_a20100_eacces_augenrules:obj:1"/>
-            <oval-def:literal_component>|</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_openat_order_nofilter_64bit_eacces_augenrules:obj:1"/>
-            <oval-def:literal_component>).*$\n)*^</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_openat_order_64bit_a201003_eacces_augenrules:obj:1"/>
-            <oval-def:literal_component>$\n(^(?!</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_openat_order_64bit_a201003_eacces_augenrules:obj:1"/>
-            <oval-def:literal_component>|</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_openat_order_64bit_a20100_eacces_augenrules:obj:1"/>
-            <oval-def:literal_component>).*$\n)*^</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_openat_order_nofilter_64bit_eacces_augenrules:obj:1"/>
-            <oval-def:literal_component>$</oval-def:literal_component>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_arufm_rule_order_64bit_openat_eperm_augenrules_regex:var:1" version="1" datatype="string" comment="arches to audit">
-          <oval-def:concat>
-            <oval-def:literal_component>^</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_openat_order_64bit_a20100_eperm_augenrules:obj:1"/>
-            <oval-def:literal_component>$\n(^(?!</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_openat_order_64bit_a20100_eperm_augenrules:obj:1"/>
-            <oval-def:literal_component>|</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_openat_order_nofilter_64bit_eperm_augenrules:obj:1"/>
-            <oval-def:literal_component>).*$\n)*^</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_openat_order_64bit_a201003_eperm_augenrules:obj:1"/>
-            <oval-def:literal_component>$\n(^(?!</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_openat_order_64bit_a201003_eperm_augenrules:obj:1"/>
-            <oval-def:literal_component>|</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_openat_order_64bit_a20100_eperm_augenrules:obj:1"/>
-            <oval-def:literal_component>).*$\n)*^</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_openat_order_nofilter_64bit_eperm_augenrules:obj:1"/>
-            <oval-def:literal_component>$</oval-def:literal_component>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_arufm_rule_order_32bit_openat_auditctl_eacces_regex:var:1" version="1" datatype="string" comment="arches to audit">
-          <oval-def:concat>
-            <oval-def:literal_component>^</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_openat_order_32bit_a20100_eacces_auditctl:obj:1"/>
-            <oval-def:literal_component>$\n(^(?!</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_openat_order_32bit_a20100_eacces_auditctl:obj:1"/>
-            <oval-def:literal_component>|</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_openat_order_nofilter_32bit_eacces_auditctl:obj:1"/>
-            <oval-def:literal_component>).*$\n)*^</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_openat_order_32bit_a201003_eacces_auditctl:obj:1"/>
-            <oval-def:literal_component>$\n(^(?!</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_openat_order_32bit_a201003_eacces_auditctl:obj:1"/>
-            <oval-def:literal_component>|</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_openat_order_32bit_a20100_eacces_auditctl:obj:1"/>
-            <oval-def:literal_component>).*$\n)*^</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_openat_order_nofilter_32bit_eacces_auditctl:obj:1"/>
-            <oval-def:literal_component>$</oval-def:literal_component>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_arufm_rule_order_32bit_openat_auditctl_eperm_regex:var:1" version="1" datatype="string" comment="arches to audit">
-          <oval-def:concat>
-            <oval-def:literal_component>^</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_openat_order_32bit_a20100_eperm_auditctl:obj:1"/>
-            <oval-def:literal_component>$\n(^(?!</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_openat_order_32bit_a20100_eperm_auditctl:obj:1"/>
-            <oval-def:literal_component>|</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_openat_order_nofilter_32bit_eperm_auditctl:obj:1"/>
-            <oval-def:literal_component>).*$\n)*^</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_openat_order_32bit_a201003_eperm_auditctl:obj:1"/>
-            <oval-def:literal_component>$\n(^(?!</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_openat_order_32bit_a201003_eperm_auditctl:obj:1"/>
-            <oval-def:literal_component>|</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_openat_order_32bit_a20100_eperm_auditctl:obj:1"/>
-            <oval-def:literal_component>).*$\n)*^</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_openat_order_nofilter_32bit_eperm_auditctl:obj:1"/>
-            <oval-def:literal_component>$</oval-def:literal_component>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_arufm_openat_order_64bit_auditctl_eacces_regex:var:1" version="1" datatype="string" comment="arches to audit">
-          <oval-def:concat>
-            <oval-def:literal_component>^</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_openat_order_64bit_a20100_eacces_auditctl:obj:1"/>
-            <oval-def:literal_component>$\n(^(?!</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_openat_order_64bit_a20100_eacces_auditctl:obj:1"/>
-            <oval-def:literal_component>|</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_openat_order_nofilter_64bit_eacces_auditctl:obj:1"/>
-            <oval-def:literal_component>).*$\n)*^</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_openat_order_64bit_a201003_eacces_auditctl:obj:1"/>
-            <oval-def:literal_component>$\n(^(?!</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_openat_order_64bit_a201003_eacces_auditctl:obj:1"/>
-            <oval-def:literal_component>|</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_openat_order_64bit_a20100_eacces_auditctl:obj:1"/>
-            <oval-def:literal_component>).*$\n)*^</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_openat_order_nofilter_64bit_eacces_auditctl:obj:1"/>
-            <oval-def:literal_component>$</oval-def:literal_component>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_arufm_rule_order_64bit_openat_auditctl_eperm_regex:var:1" version="1" datatype="string" comment="arches to audit">
-          <oval-def:concat>
-            <oval-def:literal_component>^</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_openat_order_64bit_a20100_eperm_auditctl:obj:1"/>
-            <oval-def:literal_component>$\n(^(?!</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_openat_order_64bit_a20100_eperm_auditctl:obj:1"/>
-            <oval-def:literal_component>|</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_openat_order_nofilter_64bit_eperm_auditctl:obj:1"/>
-            <oval-def:literal_component>).*$\n)*^</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_openat_order_64bit_a201003_eperm_auditctl:obj:1"/>
-            <oval-def:literal_component>$\n(^(?!</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_openat_order_64bit_a201003_eperm_auditctl:obj:1"/>
-            <oval-def:literal_component>|</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_openat_order_64bit_a20100_eperm_auditctl:obj:1"/>
-            <oval-def:literal_component>).*$\n)*^</oval-def:literal_component>
-            <oval-def:object_component item_field="text" object_ref="oval:ssg-object_arufm_openat_order_nofilter_64bit_eperm_auditctl:obj:1"/>
-            <oval-def:literal_component>$</oval-def:literal_component>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:constant_variable id="oval:ssg-var_32bit_arufm_removexattr_head:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&amp;).)*</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_64bit_arufm_removexattr_head:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+removexattr[\s]+|([\s]+|[,])removexattr([\s]+|[,])))(?:(?!-F[\s]+a\d&amp;).)*</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_arufm_removexattr_tail:var:1" version="1" datatype="string" comment="audit rule auid and key">
-          <oval-def:value>[\s]+(?:-F\s+auid&gt;=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:local_variable id="oval:ssg-var_32bit_arufm_eacces_removexattr_regex:var:1" version="1" datatype="string" comment="Expression to match 32bit removexattr EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_32bit_arufm_removexattr_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_removexattr_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_32bit_arufm_eperm_removexattr_regex:var:1" version="1" datatype="string" comment="Expression to match 32bit removexattr EPERM EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_32bit_arufm_removexattr_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_removexattr_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_64bit_arufm_eacces_removexattr_regex:var:1" version="1" datatype="string" comment="Expression to match 64bit removexattr EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_64bit_arufm_removexattr_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_removexattr_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_64bit_arufm_eperm_removexattr_regex:var:1" version="1" datatype="string" comment="Expression to match 64bit removexattr EPERM syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_64bit_arufm_removexattr_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_removexattr_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:constant_variable id="oval:ssg-var_32bit_arufm_rename_head:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&amp;).)*</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_64bit_arufm_rename_head:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+rename[\s]+|([\s]+|[,])rename([\s]+|[,])))(?:(?!-F[\s]+a\d&amp;).)*</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_arufm_rename_tail:var:1" version="1" datatype="string" comment="audit rule auid and key">
-          <oval-def:value>[\s]+(?:-F\s+auid&gt;=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:local_variable id="oval:ssg-var_32bit_arufm_eacces_rename_regex:var:1" version="1" datatype="string" comment="Expression to match 32bit rename EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_32bit_arufm_rename_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_rename_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_32bit_arufm_eperm_rename_regex:var:1" version="1" datatype="string" comment="Expression to match 32bit rename EPERM EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_32bit_arufm_rename_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_rename_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_64bit_arufm_eacces_rename_regex:var:1" version="1" datatype="string" comment="Expression to match 64bit rename EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_64bit_arufm_rename_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_rename_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_64bit_arufm_eperm_rename_regex:var:1" version="1" datatype="string" comment="Expression to match 64bit rename EPERM syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_64bit_arufm_rename_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_rename_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:constant_variable id="oval:ssg-var_32bit_arufm_renameat_head:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&amp;).)*</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_64bit_arufm_renameat_head:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+renameat[\s]+|([\s]+|[,])renameat([\s]+|[,])))(?:(?!-F[\s]+a\d&amp;).)*</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_arufm_renameat_tail:var:1" version="1" datatype="string" comment="audit rule auid and key">
-          <oval-def:value>[\s]+(?:-F\s+auid&gt;=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:local_variable id="oval:ssg-var_32bit_arufm_eacces_renameat_regex:var:1" version="1" datatype="string" comment="Expression to match 32bit renameat EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_32bit_arufm_renameat_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_renameat_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_32bit_arufm_eperm_renameat_regex:var:1" version="1" datatype="string" comment="Expression to match 32bit renameat EPERM EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_32bit_arufm_renameat_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_renameat_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_64bit_arufm_eacces_renameat_regex:var:1" version="1" datatype="string" comment="Expression to match 64bit renameat EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_64bit_arufm_renameat_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_renameat_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_64bit_arufm_eperm_renameat_regex:var:1" version="1" datatype="string" comment="Expression to match 64bit renameat EPERM syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_64bit_arufm_renameat_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_renameat_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:constant_variable id="oval:ssg-var_32bit_arufm_setxattr_head:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&amp;).)*</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_64bit_arufm_setxattr_head:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+setxattr[\s]+|([\s]+|[,])setxattr([\s]+|[,])))(?:(?!-F[\s]+a\d&amp;).)*</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_arufm_setxattr_tail:var:1" version="1" datatype="string" comment="audit rule auid and key">
-          <oval-def:value>[\s]+(?:-F\s+auid&gt;=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:local_variable id="oval:ssg-var_32bit_arufm_eacces_setxattr_regex:var:1" version="1" datatype="string" comment="Expression to match 32bit setxattr EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_32bit_arufm_setxattr_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_setxattr_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_32bit_arufm_eperm_setxattr_regex:var:1" version="1" datatype="string" comment="Expression to match 32bit setxattr EPERM EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_32bit_arufm_setxattr_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_setxattr_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_64bit_arufm_eacces_setxattr_regex:var:1" version="1" datatype="string" comment="Expression to match 64bit setxattr EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_64bit_arufm_setxattr_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_setxattr_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_64bit_arufm_eperm_setxattr_regex:var:1" version="1" datatype="string" comment="Expression to match 64bit setxattr EPERM syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_64bit_arufm_setxattr_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_setxattr_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:constant_variable id="oval:ssg-var_32bit_arufm_truncate_head:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&amp;).)*</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_64bit_arufm_truncate_head:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+truncate[\s]+|([\s]+|[,])truncate([\s]+|[,])))(?:(?!-F[\s]+a\d&amp;).)*</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_arufm_truncate_tail:var:1" version="1" datatype="string" comment="audit rule auid and key">
-          <oval-def:value>[\s]+(?:-F\s+auid&gt;=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:local_variable id="oval:ssg-var_32bit_arufm_eacces_truncate_regex:var:1" version="1" datatype="string" comment="Expression to match 32bit truncate EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_32bit_arufm_truncate_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_truncate_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_32bit_arufm_eperm_truncate_regex:var:1" version="1" datatype="string" comment="Expression to match 32bit truncate EPERM EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_32bit_arufm_truncate_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_truncate_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_64bit_arufm_eacces_truncate_regex:var:1" version="1" datatype="string" comment="Expression to match 64bit truncate EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_64bit_arufm_truncate_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_truncate_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_64bit_arufm_eperm_truncate_regex:var:1" version="1" datatype="string" comment="Expression to match 64bit truncate EPERM syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_64bit_arufm_truncate_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_truncate_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:constant_variable id="oval:ssg-var_32bit_arufm_unlink_head:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:(?!-F[\s]+a\d&amp;).)*</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_64bit_arufm_unlink_head:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlink[\s]+|([\s]+|[,])unlink([\s]+|[,])))(?:(?!-F[\s]+a\d&amp;).)*</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_arufm_unlink_tail:var:1" version="1" datatype="string" comment="audit rule auid and key">
-          <oval-def:value>[\s]+(?:-F\s+auid&gt;=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:local_variable id="oval:ssg-var_32bit_arufm_eacces_unlink_regex:var:1" version="1" datatype="string" comment="Expression to match 32bit unlink EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_32bit_arufm_unlink_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_unlink_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_32bit_arufm_eperm_unlink_regex:var:1" version="1" datatype="string" comment="Expression to match 32bit unlink EPERM EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_32bit_arufm_unlink_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_unlink_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_64bit_arufm_eacces_unlink_regex:var:1" version="1" datatype="string" comment="Expression to match 64bit unlink EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_64bit_arufm_unlink_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_unlink_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_64bit_arufm_eperm_unlink_regex:var:1" version="1" datatype="string" comment="Expression to match 64bit unlink EPERM syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_64bit_arufm_unlink_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_unlink_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:constant_variable id="oval:ssg-var_32bit_arufm_unlinkat_head:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b32[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&amp;).)*</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_64bit_arufm_unlinkat_head:var:1" version="1" datatype="string" comment="audit rule arch and syscal">
-          <oval-def:value>^[\s]*-a[\s]+always,exit[\s]+(?:-F[\s]+arch=b64[\s]+)(?:.*(-S[\s]+unlinkat[\s]+|([\s]+|[,])unlinkat([\s]+|[,])))(?:(?!-F[\s]+a\d&amp;).)*</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-var_arufm_unlinkat_tail:var:1" version="1" datatype="string" comment="audit rule auid and key">
-          <oval-def:value>[\s]+(?:-F\s+auid&gt;=1000[\s]+)(?:-F\s+auid!=(unset|4294967295)[\s]+)(?:-k[\s]+|-F[\s]+key=)[\S]+[\s]*$</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:local_variable id="oval:ssg-var_32bit_arufm_eacces_unlinkat_regex:var:1" version="1" datatype="string" comment="Expression to match 32bit unlinkat EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_32bit_arufm_unlinkat_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_unlinkat_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_32bit_arufm_eperm_unlinkat_regex:var:1" version="1" datatype="string" comment="Expression to match 32bit unlinkat EPERM EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_32bit_arufm_unlinkat_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_unlinkat_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_64bit_arufm_eacces_unlinkat_regex:var:1" version="1" datatype="string" comment="Expression to match 64bit unlinkat EACCES syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_64bit_arufm_unlinkat_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EACCES)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_unlinkat_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_64bit_arufm_eperm_unlinkat_regex:var:1" version="1" datatype="string" comment="Expression to match 64bit unlinkat EPERM syscall">
-          <oval-def:concat>
-            <oval-def:variable_component var_ref="oval:ssg-var_64bit_arufm_unlinkat_head:var:1"/>
-            <oval-def:literal_component>(?:-F\s+exit=-EPERM)</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_arufm_unlinkat_tail:var:1"/>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-local_var_regex_l1tf_var_l1tf_options:var:1" comment="Regex that matches l1tf with value var_l1tf_options" datatype="string" version="1">
-          <oval-def:concat>
-            <oval-def:literal_component>^(?:.*\s)?l1tf=</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_l1tf_options:var:1"/>
-            <oval-def:literal_component>(?:\s.*)?$</oval-def:literal_component>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:external_variable comment="Variable defining the value the argument should have" datatype="string" id="oval:ssg-var_l1tf_options:var:1" version="1"/>
-        <oval-def:local_variable id="oval:ssg-local_var_regex_rng_core_default_quality_var_rng_core_default_quality:var:1" comment="Regex that matches rng_core.default_quality with value var_rng_core_default_quality" datatype="string" version="1">
-          <oval-def:concat>
-            <oval-def:literal_component>^(?:.*\s)?rng_core.default_quality=</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_rng_core_default_quality:var:1"/>
-            <oval-def:literal_component>(?:\s.*)?$</oval-def:literal_component>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:external_variable comment="Variable defining the value the argument should have" datatype="string" id="oval:ssg-var_rng_core_default_quality:var:1" version="1"/>
-        <oval-def:local_variable id="oval:ssg-local_var_regex_spec_store_bypass_disable_var_spec_store_bypass_disable_options:var:1" comment="Regex that matches spec_store_bypass_disable with value var_spec_store_bypass_disable_options" datatype="string" version="1">
-          <oval-def:concat>
-            <oval-def:literal_component>^(?:.*\s)?spec_store_bypass_disable=</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_spec_store_bypass_disable_options:var:1"/>
-            <oval-def:literal_component>(?:\s.*)?$</oval-def:literal_component>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:external_variable comment="Variable defining the value the argument should have" datatype="string" id="oval:ssg-var_spec_store_bypass_disable_options:var:1" version="1"/>
-        <oval-def:local_variable comment="Count number of kernels installed" datatype="int" id="oval:ssg-local_var_config_acpi_custom_method_count_kernels_installed:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_acpi_custom_method_files:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of configs found" datatype="int" id="oval:ssg-local_var_config_acpi_custom_method_count_compliant_configs:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_acpi_custom_method:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of kernels installed" datatype="int" id="oval:ssg-local_var_config_binfmt_misc_count_kernels_installed:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_binfmt_misc_files:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of configs found" datatype="int" id="oval:ssg-local_var_config_binfmt_misc_count_compliant_configs:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_binfmt_misc:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of kernels installed" datatype="int" id="oval:ssg-local_var_config_bug_count_kernels_installed:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_bug_files:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of configs found" datatype="int" id="oval:ssg-local_var_config_bug_count_compliant_configs:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_bug:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of kernels installed" datatype="int" id="oval:ssg-local_var_config_compat_brk_count_kernels_installed:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_compat_brk_files:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of configs found" datatype="int" id="oval:ssg-local_var_config_compat_brk_count_compliant_configs:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_compat_brk:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of kernels installed" datatype="int" id="oval:ssg-local_var_config_compat_vdso_count_kernels_installed:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_compat_vdso_files:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of configs found" datatype="int" id="oval:ssg-local_var_config_compat_vdso_count_compliant_configs:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_compat_vdso:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of kernels installed" datatype="int" id="oval:ssg-local_var_config_debug_credentials_count_kernels_installed:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_debug_credentials_files:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of configs found" datatype="int" id="oval:ssg-local_var_config_debug_credentials_count_compliant_configs:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_debug_credentials:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of kernels installed" datatype="int" id="oval:ssg-local_var_config_debug_fs_count_kernels_installed:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_debug_fs_files:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of configs found" datatype="int" id="oval:ssg-local_var_config_debug_fs_count_compliant_configs:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_debug_fs:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of kernels installed" datatype="int" id="oval:ssg-local_var_config_debug_list_count_kernels_installed:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_debug_list_files:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of configs found" datatype="int" id="oval:ssg-local_var_config_debug_list_count_compliant_configs:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_debug_list:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of kernels installed" datatype="int" id="oval:ssg-local_var_config_debug_notifiers_count_kernels_installed:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_debug_notifiers_files:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of configs found" datatype="int" id="oval:ssg-local_var_config_debug_notifiers_count_compliant_configs:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_debug_notifiers:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of kernels installed" datatype="int" id="oval:ssg-local_var_config_debug_sg_count_kernels_installed:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_debug_sg_files:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of configs found" datatype="int" id="oval:ssg-local_var_config_debug_sg_count_compliant_configs:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_debug_sg:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of kernels installed" datatype="int" id="oval:ssg-local_var_config_default_mmap_min_addr_count_kernels_installed:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_default_mmap_min_addr_files:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of configs found" datatype="int" id="oval:ssg-local_var_config_default_mmap_min_addr_count_compliant_configs:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_default_mmap_min_addr:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of kernels installed" datatype="int" id="oval:ssg-local_var_config_devkmem_count_kernels_installed:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_devkmem_files:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of configs found" datatype="int" id="oval:ssg-local_var_config_devkmem_count_compliant_configs:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_devkmem:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of kernels installed" datatype="int" id="oval:ssg-local_var_config_hibernation_count_kernels_installed:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_hibernation_files:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of configs found" datatype="int" id="oval:ssg-local_var_config_hibernation_count_compliant_configs:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_hibernation:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of kernels installed" datatype="int" id="oval:ssg-local_var_config_ia32_emulation_count_kernels_installed:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_ia32_emulation_files:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of configs found" datatype="int" id="oval:ssg-local_var_config_ia32_emulation_count_compliant_configs:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_ia32_emulation:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of kernels installed" datatype="int" id="oval:ssg-local_var_config_ipv6_count_kernels_installed:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_ipv6_files:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of configs found" datatype="int" id="oval:ssg-local_var_config_ipv6_count_compliant_configs:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_ipv6:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of kernels installed" datatype="int" id="oval:ssg-local_var_config_kexec_count_kernels_installed:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_kexec_files:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of configs found" datatype="int" id="oval:ssg-local_var_config_kexec_count_compliant_configs:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_kexec:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of kernels installed" datatype="int" id="oval:ssg-local_var_config_legacy_ptys_count_kernels_installed:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_legacy_ptys_files:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of configs found" datatype="int" id="oval:ssg-local_var_config_legacy_ptys_count_compliant_configs:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_legacy_ptys:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of kernels installed" datatype="int" id="oval:ssg-local_var_config_module_sig_count_kernels_installed:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_module_sig_files:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of configs found" datatype="int" id="oval:ssg-local_var_config_module_sig_count_compliant_configs:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_module_sig:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of kernels installed" datatype="int" id="oval:ssg-local_var_config_module_sig_all_count_kernels_installed:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_module_sig_all_files:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of configs found" datatype="int" id="oval:ssg-local_var_config_module_sig_all_count_compliant_configs:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_module_sig_all:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of kernels installed" datatype="int" id="oval:ssg-local_var_config_module_sig_force_count_kernels_installed:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_module_sig_force_files:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of configs found" datatype="int" id="oval:ssg-local_var_config_module_sig_force_count_compliant_configs:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_module_sig_force:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of kernels installed" datatype="int" id="oval:ssg-local_var_config_module_sig_hash_count_kernels_installed:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_module_sig_hash_files:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of configs found" datatype="int" id="oval:ssg-local_var_config_module_sig_hash_count_compliant_configs:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_module_sig_hash:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:external_variable comment="Value for kernel CONFIG_MODULE_SIG_HASH setting" datatype="string" id="oval:ssg-var_kernel_config_module_sig_hash:var:1" version="1"/>
-        <oval-def:local_variable comment="Count number of kernels installed" datatype="int" id="oval:ssg-local_var_config_module_sig_key_count_kernels_installed:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_module_sig_key_files:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of configs found" datatype="int" id="oval:ssg-local_var_config_module_sig_key_count_compliant_configs:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_module_sig_key:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:external_variable comment="Value for kernel CONFIG_MODULE_SIG_KEY setting" datatype="string" id="oval:ssg-var_kernel_config_module_sig_key:var:1" version="1"/>
-        <oval-def:local_variable comment="Count number of kernels installed" datatype="int" id="oval:ssg-local_var_config_module_sig_sha512_count_kernels_installed:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_module_sig_sha512_files:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of configs found" datatype="int" id="oval:ssg-local_var_config_module_sig_sha512_count_compliant_configs:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_module_sig_sha512:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of kernels installed" datatype="int" id="oval:ssg-local_var_config_page_poisoning_no_sanity_count_kernels_installed:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_page_poisoning_no_sanity_files:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of configs found" datatype="int" id="oval:ssg-local_var_config_page_poisoning_no_sanity_count_compliant_configs:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_page_poisoning_no_sanity:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of kernels installed" datatype="int" id="oval:ssg-local_var_config_page_poisoning_zero_count_kernels_installed:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_page_poisoning_zero_files:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of configs found" datatype="int" id="oval:ssg-local_var_config_page_poisoning_zero_count_compliant_configs:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_page_poisoning_zero:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of kernels installed" datatype="int" id="oval:ssg-local_var_config_page_table_isolation_count_kernels_installed:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_page_table_isolation_files:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of configs found" datatype="int" id="oval:ssg-local_var_config_page_table_isolation_count_compliant_configs:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_page_table_isolation:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of kernels installed" datatype="int" id="oval:ssg-local_var_config_panic_on_oops_count_kernels_installed:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_panic_on_oops_files:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of configs found" datatype="int" id="oval:ssg-local_var_config_panic_on_oops_count_compliant_configs:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_panic_on_oops:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of kernels installed" datatype="int" id="oval:ssg-local_var_config_panic_timeout_count_kernels_installed:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_panic_timeout_files:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of configs found" datatype="int" id="oval:ssg-local_var_config_panic_timeout_count_compliant_configs:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_panic_timeout:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:external_variable comment="Value for kernel CONFIG_PANIC_TIMEOUT setting" datatype="string" id="oval:ssg-var_kernel_config_panic_timeout:var:1" version="1"/>
-        <oval-def:local_variable comment="Count number of kernels installed" datatype="int" id="oval:ssg-local_var_config_proc_kcore_count_kernels_installed:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_proc_kcore_files:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of configs found" datatype="int" id="oval:ssg-local_var_config_proc_kcore_count_compliant_configs:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_proc_kcore:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of kernels installed" datatype="int" id="oval:ssg-local_var_config_randomize_base_count_kernels_installed:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_randomize_base_files:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of configs found" datatype="int" id="oval:ssg-local_var_config_randomize_base_count_compliant_configs:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_randomize_base:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of kernels installed" datatype="int" id="oval:ssg-local_var_config_randomize_memory_count_kernels_installed:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_randomize_memory_files:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of configs found" datatype="int" id="oval:ssg-local_var_config_randomize_memory_count_compliant_configs:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_randomize_memory:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of kernels installed" datatype="int" id="oval:ssg-local_var_config_retpoline_count_kernels_installed:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_retpoline_files:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of configs found" datatype="int" id="oval:ssg-local_var_config_retpoline_count_compliant_configs:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_retpoline:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of kernels installed" datatype="int" id="oval:ssg-local_var_config_seccomp_count_kernels_installed:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_seccomp_files:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of configs found" datatype="int" id="oval:ssg-local_var_config_seccomp_count_compliant_configs:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_seccomp:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of kernels installed" datatype="int" id="oval:ssg-local_var_config_seccomp_filter_count_kernels_installed:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_seccomp_filter_files:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of configs found" datatype="int" id="oval:ssg-local_var_config_seccomp_filter_count_compliant_configs:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_seccomp_filter:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of kernels installed" datatype="int" id="oval:ssg-local_var_config_security_count_kernels_installed:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_security_files:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of configs found" datatype="int" id="oval:ssg-local_var_config_security_count_compliant_configs:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_security:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of kernels installed" datatype="int" id="oval:ssg-local_var_config_security_dmesg_restrict_count_kernels_installed:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_security_dmesg_restrict_files:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of configs found" datatype="int" id="oval:ssg-local_var_config_security_dmesg_restrict_count_compliant_configs:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_security_dmesg_restrict:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of kernels installed" datatype="int" id="oval:ssg-local_var_config_security_writable_hooks_count_kernels_installed:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_security_writable_hooks_files:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of configs found" datatype="int" id="oval:ssg-local_var_config_security_writable_hooks_count_compliant_configs:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_security_writable_hooks:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of kernels installed" datatype="int" id="oval:ssg-local_var_config_security_yama_count_kernels_installed:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_security_yama_files:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of configs found" datatype="int" id="oval:ssg-local_var_config_security_yama_count_compliant_configs:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_security_yama:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of kernels installed" datatype="int" id="oval:ssg-local_var_config_slub_debug_count_kernels_installed:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_slub_debug_files:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of configs found" datatype="int" id="oval:ssg-local_var_config_slub_debug_count_compliant_configs:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_slub_debug:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of kernels installed" datatype="int" id="oval:ssg-local_var_config_syn_cookies_count_kernels_installed:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_syn_cookies_files:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of configs found" datatype="int" id="oval:ssg-local_var_config_syn_cookies_count_compliant_configs:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_syn_cookies:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of kernels installed" datatype="int" id="oval:ssg-local_var_config_unmap_kernel_at_el0_count_kernels_installed:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_unmap_kernel_at_el0_files:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of configs found" datatype="int" id="oval:ssg-local_var_config_unmap_kernel_at_el0_count_compliant_configs:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_unmap_kernel_at_el0:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of kernels installed" datatype="int" id="oval:ssg-local_var_config_x86_vsyscall_emulation_count_kernels_installed:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_x86_vsyscall_emulation_files:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count number of configs found" datatype="int" id="oval:ssg-local_var_config_x86_vsyscall_emulation_count_compliant_configs:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_kernel_config_x86_vsyscall_emulation:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:constant_variable datatype="string" comment="Other paths where kernel modules can be configured" id="oval:ssg-var_kernel_module_atm_paths:var:1" version="1">
-          <oval-def:value>/etc/modprobe.d</oval-def:value>
-          <oval-def:value>/etc/modules-load.d</oval-def:value>
-          <oval-def:value>/run/modprobe.d</oval-def:value>
-          <oval-def:value>/run/modules-load.d</oval-def:value>
-          <oval-def:value>/usr/lib/modprobe.d</oval-def:value>
-          <oval-def:value>/usr/lib/modules-load.d</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable datatype="string" comment="Other paths where kernel modules can be configured" id="oval:ssg-var_kernel_module_bluetooth_paths:var:1" version="1">
-          <oval-def:value>/etc/modprobe.d</oval-def:value>
-          <oval-def:value>/etc/modules-load.d</oval-def:value>
-          <oval-def:value>/run/modprobe.d</oval-def:value>
-          <oval-def:value>/run/modules-load.d</oval-def:value>
-          <oval-def:value>/usr/lib/modprobe.d</oval-def:value>
-          <oval-def:value>/usr/lib/modules-load.d</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable datatype="string" comment="Other paths where kernel modules can be configured" id="oval:ssg-var_kernel_module_can_paths:var:1" version="1">
-          <oval-def:value>/etc/modprobe.d</oval-def:value>
-          <oval-def:value>/etc/modules-load.d</oval-def:value>
-          <oval-def:value>/run/modprobe.d</oval-def:value>
-          <oval-def:value>/run/modules-load.d</oval-def:value>
-          <oval-def:value>/usr/lib/modprobe.d</oval-def:value>
-          <oval-def:value>/usr/lib/modules-load.d</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable datatype="string" comment="Other paths where kernel modules can be configured" id="oval:ssg-var_kernel_module_cfg80211_paths:var:1" version="1">
-          <oval-def:value>/etc/modprobe.d</oval-def:value>
-          <oval-def:value>/etc/modules-load.d</oval-def:value>
-          <oval-def:value>/run/modprobe.d</oval-def:value>
-          <oval-def:value>/run/modules-load.d</oval-def:value>
-          <oval-def:value>/usr/lib/modprobe.d</oval-def:value>
-          <oval-def:value>/usr/lib/modules-load.d</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable datatype="string" comment="Other paths where kernel modules can be configured" id="oval:ssg-var_kernel_module_cramfs_paths:var:1" version="1">
-          <oval-def:value>/etc/modprobe.d</oval-def:value>
-          <oval-def:value>/etc/modules-load.d</oval-def:value>
-          <oval-def:value>/run/modprobe.d</oval-def:value>
-          <oval-def:value>/run/modules-load.d</oval-def:value>
-          <oval-def:value>/usr/lib/modprobe.d</oval-def:value>
-          <oval-def:value>/usr/lib/modules-load.d</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable datatype="string" comment="Other paths where kernel modules can be configured" id="oval:ssg-var_kernel_module_firewire-core_paths:var:1" version="1">
-          <oval-def:value>/etc/modprobe.d</oval-def:value>
-          <oval-def:value>/etc/modules-load.d</oval-def:value>
-          <oval-def:value>/run/modprobe.d</oval-def:value>
-          <oval-def:value>/run/modules-load.d</oval-def:value>
-          <oval-def:value>/usr/lib/modprobe.d</oval-def:value>
-          <oval-def:value>/usr/lib/modules-load.d</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable datatype="string" comment="Other paths where kernel modules can be configured" id="oval:ssg-var_kernel_module_freevxfs_paths:var:1" version="1">
-          <oval-def:value>/etc/modprobe.d</oval-def:value>
-          <oval-def:value>/etc/modules-load.d</oval-def:value>
-          <oval-def:value>/run/modprobe.d</oval-def:value>
-          <oval-def:value>/run/modules-load.d</oval-def:value>
-          <oval-def:value>/usr/lib/modprobe.d</oval-def:value>
-          <oval-def:value>/usr/lib/modules-load.d</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable datatype="string" comment="Other paths where kernel modules can be configured" id="oval:ssg-var_kernel_module_hfs_paths:var:1" version="1">
-          <oval-def:value>/etc/modprobe.d</oval-def:value>
-          <oval-def:value>/etc/modules-load.d</oval-def:value>
-          <oval-def:value>/run/modprobe.d</oval-def:value>
-          <oval-def:value>/run/modules-load.d</oval-def:value>
-          <oval-def:value>/usr/lib/modprobe.d</oval-def:value>
-          <oval-def:value>/usr/lib/modules-load.d</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable datatype="string" comment="Other paths where kernel modules can be configured" id="oval:ssg-var_kernel_module_hfsplus_paths:var:1" version="1">
-          <oval-def:value>/etc/modprobe.d</oval-def:value>
-          <oval-def:value>/etc/modules-load.d</oval-def:value>
-          <oval-def:value>/run/modprobe.d</oval-def:value>
-          <oval-def:value>/run/modules-load.d</oval-def:value>
-          <oval-def:value>/usr/lib/modprobe.d</oval-def:value>
-          <oval-def:value>/usr/lib/modules-load.d</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable datatype="string" comment="Other paths where kernel modules can be configured" id="oval:ssg-var_kernel_module_iwlmvm_paths:var:1" version="1">
-          <oval-def:value>/etc/modprobe.d</oval-def:value>
-          <oval-def:value>/etc/modules-load.d</oval-def:value>
-          <oval-def:value>/run/modprobe.d</oval-def:value>
-          <oval-def:value>/run/modules-load.d</oval-def:value>
-          <oval-def:value>/usr/lib/modprobe.d</oval-def:value>
-          <oval-def:value>/usr/lib/modules-load.d</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable datatype="string" comment="Other paths where kernel modules can be configured" id="oval:ssg-var_kernel_module_iwlwifi_paths:var:1" version="1">
-          <oval-def:value>/etc/modprobe.d</oval-def:value>
-          <oval-def:value>/etc/modules-load.d</oval-def:value>
-          <oval-def:value>/run/modprobe.d</oval-def:value>
-          <oval-def:value>/run/modules-load.d</oval-def:value>
-          <oval-def:value>/usr/lib/modprobe.d</oval-def:value>
-          <oval-def:value>/usr/lib/modules-load.d</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable datatype="string" comment="Other paths where kernel modules can be configured" id="oval:ssg-var_kernel_module_jffs2_paths:var:1" version="1">
-          <oval-def:value>/etc/modprobe.d</oval-def:value>
-          <oval-def:value>/etc/modules-load.d</oval-def:value>
-          <oval-def:value>/run/modprobe.d</oval-def:value>
-          <oval-def:value>/run/modules-load.d</oval-def:value>
-          <oval-def:value>/usr/lib/modprobe.d</oval-def:value>
-          <oval-def:value>/usr/lib/modules-load.d</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable datatype="string" comment="Other paths where kernel modules can be configured" id="oval:ssg-var_kernel_module_mac80211_paths:var:1" version="1">
-          <oval-def:value>/etc/modprobe.d</oval-def:value>
-          <oval-def:value>/etc/modules-load.d</oval-def:value>
-          <oval-def:value>/run/modprobe.d</oval-def:value>
-          <oval-def:value>/run/modules-load.d</oval-def:value>
-          <oval-def:value>/usr/lib/modprobe.d</oval-def:value>
-          <oval-def:value>/usr/lib/modules-load.d</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable datatype="string" comment="Other paths where kernel modules can be configured" id="oval:ssg-var_kernel_module_rds_paths:var:1" version="1">
-          <oval-def:value>/etc/modprobe.d</oval-def:value>
-          <oval-def:value>/etc/modules-load.d</oval-def:value>
-          <oval-def:value>/run/modprobe.d</oval-def:value>
-          <oval-def:value>/run/modules-load.d</oval-def:value>
-          <oval-def:value>/usr/lib/modprobe.d</oval-def:value>
-          <oval-def:value>/usr/lib/modules-load.d</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable datatype="string" comment="Other paths where kernel modules can be configured" id="oval:ssg-var_kernel_module_sctp_paths:var:1" version="1">
-          <oval-def:value>/etc/modprobe.d</oval-def:value>
-          <oval-def:value>/etc/modules-load.d</oval-def:value>
-          <oval-def:value>/run/modprobe.d</oval-def:value>
-          <oval-def:value>/run/modules-load.d</oval-def:value>
-          <oval-def:value>/usr/lib/modprobe.d</oval-def:value>
-          <oval-def:value>/usr/lib/modules-load.d</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable datatype="string" comment="Other paths where kernel modules can be configured" id="oval:ssg-var_kernel_module_squashfs_paths:var:1" version="1">
-          <oval-def:value>/etc/modprobe.d</oval-def:value>
-          <oval-def:value>/etc/modules-load.d</oval-def:value>
-          <oval-def:value>/run/modprobe.d</oval-def:value>
-          <oval-def:value>/run/modules-load.d</oval-def:value>
-          <oval-def:value>/usr/lib/modprobe.d</oval-def:value>
-          <oval-def:value>/usr/lib/modules-load.d</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable datatype="string" comment="Other paths where kernel modules can be configured" id="oval:ssg-var_kernel_module_tipc_paths:var:1" version="1">
-          <oval-def:value>/etc/modprobe.d</oval-def:value>
-          <oval-def:value>/etc/modules-load.d</oval-def:value>
-          <oval-def:value>/run/modprobe.d</oval-def:value>
-          <oval-def:value>/run/modules-load.d</oval-def:value>
-          <oval-def:value>/usr/lib/modprobe.d</oval-def:value>
-          <oval-def:value>/usr/lib/modules-load.d</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable datatype="string" comment="Other paths where kernel modules can be configured" id="oval:ssg-var_kernel_module_udf_paths:var:1" version="1">
-          <oval-def:value>/etc/modprobe.d</oval-def:value>
-          <oval-def:value>/etc/modules-load.d</oval-def:value>
-          <oval-def:value>/run/modprobe.d</oval-def:value>
-          <oval-def:value>/run/modules-load.d</oval-def:value>
-          <oval-def:value>/usr/lib/modprobe.d</oval-def:value>
-          <oval-def:value>/usr/lib/modules-load.d</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable datatype="string" comment="Other paths where kernel modules can be configured" id="oval:ssg-var_kernel_module_usb-storage_paths:var:1" version="1">
-          <oval-def:value>/etc/modprobe.d</oval-def:value>
-          <oval-def:value>/etc/modules-load.d</oval-def:value>
-          <oval-def:value>/run/modprobe.d</oval-def:value>
-          <oval-def:value>/run/modules-load.d</oval-def:value>
-          <oval-def:value>/usr/lib/modprobe.d</oval-def:value>
-          <oval-def:value>/usr/lib/modules-load.d</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable datatype="string" comment="Other paths where kernel modules can be configured" id="oval:ssg-var_kernel_module_uvcvideo_paths:var:1" version="1">
-          <oval-def:value>/etc/modprobe.d</oval-def:value>
-          <oval-def:value>/etc/modules-load.d</oval-def:value>
-          <oval-def:value>/run/modprobe.d</oval-def:value>
-          <oval-def:value>/run/modules-load.d</oval-def:value>
-          <oval-def:value>/usr/lib/modprobe.d</oval-def:value>
-          <oval-def:value>/usr/lib/modules-load.d</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable datatype="string" comment="Other paths where kernel modules can be configured" id="oval:ssg-var_kernel_module_vfat_paths:var:1" version="1">
-          <oval-def:value>/etc/modprobe.d</oval-def:value>
-          <oval-def:value>/etc/modules-load.d</oval-def:value>
-          <oval-def:value>/run/modprobe.d</oval-def:value>
-          <oval-def:value>/run/modules-load.d</oval-def:value>
-          <oval-def:value>/usr/lib/modprobe.d</oval-def:value>
-          <oval-def:value>/usr/lib/modules-load.d</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:constant_variable id="oval:ssg-variable_cd_dvd_drive_alternative_names_nodev:var:1" datatype="string" comment="CD/DVD drive alternative names whitelist" version="1">
-          <oval-def:value>/dev/cdrom</oval-def:value>
-          <oval-def:value>/dev/dvd</oval-def:value>
-          <oval-def:value>/dev/scd0</oval-def:value>
-          <oval-def:value>/dev/sr0</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:local_variable id="oval:ssg-variable_cd_dvd_drive_regex_pattern_nodev:var:1" datatype="string" comment="Regular expression pattern for CD / DVD drive alternative names" version="1">
-          <oval-def:concat>
-            <oval-def:literal_component>^[\s]*</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-variable_cd_dvd_drive_alternative_names_nodev:var:1"/>
-            <oval-def:literal_component>[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$</oval-def:literal_component>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-variable_not_cd_dvd_drive_regex_pattern_nodev:var:1" datatype="string" comment="Regular expression pattern for removable block special device other than CD / DVD drive" version="1">
-          <oval-def:concat>
-            <oval-def:literal_component>^[\s]*</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_removable_partition:var:1"/>
-            <oval-def:literal_component>[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$</oval-def:literal_component>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:external_variable comment="removable partition" datatype="string" id="oval:ssg-var_removable_partition:var:1" version="1"/>
-        <oval-def:constant_variable id="oval:ssg-variable_cd_dvd_drive_alternative_names_noexec:var:1" datatype="string" comment="CD/DVD drive alternative names whitelist" version="1">
-          <oval-def:value>/dev/cdrom</oval-def:value>
-          <oval-def:value>/dev/dvd</oval-def:value>
-          <oval-def:value>/dev/scd0</oval-def:value>
-          <oval-def:value>/dev/sr0</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:local_variable id="oval:ssg-variable_cd_dvd_drive_regex_pattern_noexec:var:1" datatype="string" comment="Regular expression pattern for CD / DVD drive alternative names" version="1">
-          <oval-def:concat>
-            <oval-def:literal_component>^[\s]*</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-variable_cd_dvd_drive_alternative_names_noexec:var:1"/>
-            <oval-def:literal_component>[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$</oval-def:literal_component>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-variable_not_cd_dvd_drive_regex_pattern_noexec:var:1" datatype="string" comment="Regular expression pattern for removable block special device other than CD / DVD drive" version="1">
-          <oval-def:concat>
-            <oval-def:literal_component>^[\s]*</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_removable_partition:var:1"/>
-            <oval-def:literal_component>[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$</oval-def:literal_component>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:constant_variable id="oval:ssg-variable_cd_dvd_drive_alternative_names_nosuid:var:1" datatype="string" comment="CD/DVD drive alternative names whitelist" version="1">
-          <oval-def:value>/dev/cdrom</oval-def:value>
-          <oval-def:value>/dev/dvd</oval-def:value>
-          <oval-def:value>/dev/scd0</oval-def:value>
-          <oval-def:value>/dev/sr0</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:local_variable id="oval:ssg-variable_cd_dvd_drive_regex_pattern_nosuid:var:1" datatype="string" comment="Regular expression pattern for CD / DVD drive alternative names" version="1">
-          <oval-def:concat>
-            <oval-def:literal_component>^[\s]*</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-variable_cd_dvd_drive_alternative_names_nosuid:var:1"/>
-            <oval-def:literal_component>[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$</oval-def:literal_component>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-variable_not_cd_dvd_drive_regex_pattern_nosuid:var:1" datatype="string" comment="Regular expression pattern for removable block special device other than CD / DVD drive" version="1">
-          <oval-def:concat>
-            <oval-def:literal_component>^[\s]*</oval-def:literal_component>
-            <oval-def:variable_component var_ref="oval:ssg-var_removable_partition:var:1"/>
-            <oval-def:literal_component>[\s]+[/\w]+[\s]+[\w]+[\s]+([^\s]+)(?:[\s]+[\d]+){2}$</oval-def:literal_component>
-          </oval-def:concat>
-        </oval-def:local_variable>
-        <oval-def:external_variable comment="Variable value for sudo logfile " datatype="string" id="oval:ssg-var_sudo_logfile:var:1" version="1"/>
-        <oval-def:local_variable comment="Count unique sysctls" datatype="int" id="oval:ssg-local_var_sysctl_fs_protected_hardlinks_counter:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_sysctl_fs_protected_hardlinks_static_set_sysctls:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_sysctl_fs_protected_hardlinks_safe_symlinks:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-var_object_symlink_sysctl_fs_protected_hardlinks:obj:1" item_field="value"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Blank string" datatype="string" id="oval:ssg-local_var_blank_path_sysctl_fs_protected_hardlinks:var:1" version="1">
-          <oval-def:literal_component datatype="string"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_symlinks_sysctl_fs_protected_hardlinks:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-object_sysctl_fs_protected_hardlinks_symlinks:obj:1" item_field="filepath"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="List of conf files" datatype="string" id="oval:ssg-local_var_conf_files_sysctl_fs_protected_hardlinks:var:1" version="1">
-          <oval-def:object_component object_ref="oval:ssg-object_sysctl_fs_protected_hardlinks_static_set_sysctls_unfiltered:obj:1" item_field="filepath"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count unique sysctls" datatype="int" id="oval:ssg-local_var_sysctl_fs_protected_symlinks_counter:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_sysctl_fs_protected_symlinks_static_set_sysctls:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_sysctl_fs_protected_symlinks_safe_symlinks:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-var_object_symlink_sysctl_fs_protected_symlinks:obj:1" item_field="value"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Blank string" datatype="string" id="oval:ssg-local_var_blank_path_sysctl_fs_protected_symlinks:var:1" version="1">
-          <oval-def:literal_component datatype="string"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_symlinks_sysctl_fs_protected_symlinks:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-object_sysctl_fs_protected_symlinks_symlinks:obj:1" item_field="filepath"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="List of conf files" datatype="string" id="oval:ssg-local_var_conf_files_sysctl_fs_protected_symlinks:var:1" version="1">
-          <oval-def:object_component object_ref="oval:ssg-object_sysctl_fs_protected_symlinks_static_set_sysctls_unfiltered:obj:1" item_field="filepath"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count unique sysctls" datatype="int" id="oval:ssg-local_var_sysctl_fs_suid_dumpable_counter:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_sysctl_fs_suid_dumpable_static_set_sysctls:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_sysctl_fs_suid_dumpable_safe_symlinks:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-var_object_symlink_sysctl_fs_suid_dumpable:obj:1" item_field="value"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Blank string" datatype="string" id="oval:ssg-local_var_blank_path_sysctl_fs_suid_dumpable:var:1" version="1">
-          <oval-def:literal_component datatype="string"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_symlinks_sysctl_fs_suid_dumpable:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-object_sysctl_fs_suid_dumpable_symlinks:obj:1" item_field="filepath"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="List of conf files" datatype="string" id="oval:ssg-local_var_conf_files_sysctl_fs_suid_dumpable:var:1" version="1">
-          <oval-def:object_component object_ref="oval:ssg-object_sysctl_fs_suid_dumpable_static_set_sysctls_unfiltered:obj:1" item_field="filepath"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count unique sysctls" datatype="int" id="oval:ssg-local_var_sysctl_kernel_core_pattern_counter:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_sysctl_kernel_core_pattern_static_set_sysctls:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_sysctl_kernel_core_pattern_safe_symlinks:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-var_object_symlink_sysctl_kernel_core_pattern:obj:1" item_field="value"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Blank string" datatype="string" id="oval:ssg-local_var_blank_path_sysctl_kernel_core_pattern:var:1" version="1">
-          <oval-def:literal_component datatype="string"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_symlinks_sysctl_kernel_core_pattern:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-object_sysctl_kernel_core_pattern_symlinks:obj:1" item_field="filepath"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="List of conf files" datatype="string" id="oval:ssg-local_var_conf_files_sysctl_kernel_core_pattern:var:1" version="1">
-          <oval-def:object_component object_ref="oval:ssg-object_sysctl_kernel_core_pattern_static_set_sysctls_unfiltered:obj:1" item_field="filepath"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count unique sysctls" datatype="int" id="oval:ssg-local_var_sysctl_kernel_core_pattern_empty_string_counter:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_sysctl_kernel_core_pattern_empty_string_static_set_sysctls:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_sysctl_kernel_core_pattern_empty_string_safe_symlinks:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-var_object_symlink_sysctl_kernel_core_pattern_empty_string:obj:1" item_field="value"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Blank string" datatype="string" id="oval:ssg-local_var_blank_path_sysctl_kernel_core_pattern_empty_string:var:1" version="1">
-          <oval-def:literal_component datatype="string"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_symlinks_sysctl_kernel_core_pattern_empty_string:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-object_sysctl_kernel_core_pattern_empty_string_symlinks:obj:1" item_field="filepath"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="List of conf files" datatype="string" id="oval:ssg-local_var_conf_files_sysctl_kernel_core_pattern_empty_string:var:1" version="1">
-          <oval-def:object_component object_ref="oval:ssg-object_sysctl_kernel_core_pattern_empty_string_static_set_sysctls_unfiltered:obj:1" item_field="filepath"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count unique sysctls" datatype="int" id="oval:ssg-local_var_sysctl_kernel_core_uses_pid_counter:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_sysctl_kernel_core_uses_pid_static_set_sysctls:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_sysctl_kernel_core_uses_pid_safe_symlinks:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-var_object_symlink_sysctl_kernel_core_uses_pid:obj:1" item_field="value"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Blank string" datatype="string" id="oval:ssg-local_var_blank_path_sysctl_kernel_core_uses_pid:var:1" version="1">
-          <oval-def:literal_component datatype="string"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_symlinks_sysctl_kernel_core_uses_pid:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-object_sysctl_kernel_core_uses_pid_symlinks:obj:1" item_field="filepath"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="List of conf files" datatype="string" id="oval:ssg-local_var_conf_files_sysctl_kernel_core_uses_pid:var:1" version="1">
-          <oval-def:object_component object_ref="oval:ssg-object_sysctl_kernel_core_uses_pid_static_set_sysctls_unfiltered:obj:1" item_field="filepath"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count unique sysctls" datatype="int" id="oval:ssg-local_var_sysctl_kernel_dmesg_restrict_counter:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_sysctl_kernel_dmesg_restrict_static_set_sysctls:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_sysctl_kernel_dmesg_restrict_safe_symlinks:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-var_object_symlink_sysctl_kernel_dmesg_restrict:obj:1" item_field="value"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Blank string" datatype="string" id="oval:ssg-local_var_blank_path_sysctl_kernel_dmesg_restrict:var:1" version="1">
-          <oval-def:literal_component datatype="string"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_symlinks_sysctl_kernel_dmesg_restrict:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-object_sysctl_kernel_dmesg_restrict_symlinks:obj:1" item_field="filepath"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="List of conf files" datatype="string" id="oval:ssg-local_var_conf_files_sysctl_kernel_dmesg_restrict:var:1" version="1">
-          <oval-def:object_component object_ref="oval:ssg-object_sysctl_kernel_dmesg_restrict_static_set_sysctls_unfiltered:obj:1" item_field="filepath"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count unique sysctls" datatype="int" id="oval:ssg-local_var_sysctl_kernel_kexec_load_disabled_counter:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_sysctl_kernel_kexec_load_disabled_static_set_sysctls:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_sysctl_kernel_kexec_load_disabled_safe_symlinks:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-var_object_symlink_sysctl_kernel_kexec_load_disabled:obj:1" item_field="value"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Blank string" datatype="string" id="oval:ssg-local_var_blank_path_sysctl_kernel_kexec_load_disabled:var:1" version="1">
-          <oval-def:literal_component datatype="string"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_symlinks_sysctl_kernel_kexec_load_disabled:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-object_sysctl_kernel_kexec_load_disabled_symlinks:obj:1" item_field="filepath"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="List of conf files" datatype="string" id="oval:ssg-local_var_conf_files_sysctl_kernel_kexec_load_disabled:var:1" version="1">
-          <oval-def:object_component object_ref="oval:ssg-object_sysctl_kernel_kexec_load_disabled_static_set_sysctls_unfiltered:obj:1" item_field="filepath"/>
-        </oval-def:local_variable>
-        <oval-def:external_variable id="oval:ssg-sysctl_kernel_kptr_restrict_value:var:1" version="1" comment="External variable for kernel.kptr_restrict" datatype="int"/>
-        <oval-def:local_variable comment="Count unique sysctls" datatype="int" id="oval:ssg-local_var_sysctl_kernel_kptr_restrict_counter:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_sysctl_kernel_kptr_restrict_static_set_sysctls:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_sysctl_kernel_kptr_restrict_safe_symlinks:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-var_object_symlink_sysctl_kernel_kptr_restrict:obj:1" item_field="value"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Blank string" datatype="string" id="oval:ssg-local_var_blank_path_sysctl_kernel_kptr_restrict:var:1" version="1">
-          <oval-def:literal_component datatype="string"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_symlinks_sysctl_kernel_kptr_restrict:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-object_sysctl_kernel_kptr_restrict_symlinks:obj:1" item_field="filepath"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="List of conf files" datatype="string" id="oval:ssg-local_var_conf_files_sysctl_kernel_kptr_restrict:var:1" version="1">
-          <oval-def:object_component object_ref="oval:ssg-object_sysctl_kernel_kptr_restrict_static_set_sysctls_unfiltered:obj:1" item_field="filepath"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count unique sysctls" datatype="int" id="oval:ssg-local_var_sysctl_kernel_panic_on_oops_counter:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_sysctl_kernel_panic_on_oops_static_set_sysctls:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_sysctl_kernel_panic_on_oops_safe_symlinks:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-var_object_symlink_sysctl_kernel_panic_on_oops:obj:1" item_field="value"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Blank string" datatype="string" id="oval:ssg-local_var_blank_path_sysctl_kernel_panic_on_oops:var:1" version="1">
-          <oval-def:literal_component datatype="string"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_symlinks_sysctl_kernel_panic_on_oops:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-object_sysctl_kernel_panic_on_oops_symlinks:obj:1" item_field="filepath"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="List of conf files" datatype="string" id="oval:ssg-local_var_conf_files_sysctl_kernel_panic_on_oops:var:1" version="1">
-          <oval-def:object_component object_ref="oval:ssg-object_sysctl_kernel_panic_on_oops_static_set_sysctls_unfiltered:obj:1" item_field="filepath"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count unique sysctls" datatype="int" id="oval:ssg-local_var_sysctl_kernel_perf_event_paranoid_counter:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_sysctl_kernel_perf_event_paranoid_static_set_sysctls:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_sysctl_kernel_perf_event_paranoid_safe_symlinks:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-var_object_symlink_sysctl_kernel_perf_event_paranoid:obj:1" item_field="value"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Blank string" datatype="string" id="oval:ssg-local_var_blank_path_sysctl_kernel_perf_event_paranoid:var:1" version="1">
-          <oval-def:literal_component datatype="string"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_symlinks_sysctl_kernel_perf_event_paranoid:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-object_sysctl_kernel_perf_event_paranoid_symlinks:obj:1" item_field="filepath"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="List of conf files" datatype="string" id="oval:ssg-local_var_conf_files_sysctl_kernel_perf_event_paranoid:var:1" version="1">
-          <oval-def:object_component object_ref="oval:ssg-object_sysctl_kernel_perf_event_paranoid_static_set_sysctls_unfiltered:obj:1" item_field="filepath"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count unique sysctls" datatype="int" id="oval:ssg-local_var_sysctl_kernel_randomize_va_space_counter:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_sysctl_kernel_randomize_va_space_static_set_sysctls:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_sysctl_kernel_randomize_va_space_safe_symlinks:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-var_object_symlink_sysctl_kernel_randomize_va_space:obj:1" item_field="value"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Blank string" datatype="string" id="oval:ssg-local_var_blank_path_sysctl_kernel_randomize_va_space:var:1" version="1">
-          <oval-def:literal_component datatype="string"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_symlinks_sysctl_kernel_randomize_va_space:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-object_sysctl_kernel_randomize_va_space_symlinks:obj:1" item_field="filepath"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="List of conf files" datatype="string" id="oval:ssg-local_var_conf_files_sysctl_kernel_randomize_va_space:var:1" version="1">
-          <oval-def:object_component object_ref="oval:ssg-object_sysctl_kernel_randomize_va_space_static_set_sysctls_unfiltered:obj:1" item_field="filepath"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count unique sysctls" datatype="int" id="oval:ssg-local_var_sysctl_kernel_unprivileged_bpf_disabled_counter:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_sysctl_kernel_unprivileged_bpf_disabled_static_set_sysctls:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_sysctl_kernel_unprivileged_bpf_disabled_safe_symlinks:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-var_object_symlink_sysctl_kernel_unprivileged_bpf_disabled:obj:1" item_field="value"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Blank string" datatype="string" id="oval:ssg-local_var_blank_path_sysctl_kernel_unprivileged_bpf_disabled:var:1" version="1">
-          <oval-def:literal_component datatype="string"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_symlinks_sysctl_kernel_unprivileged_bpf_disabled:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-object_sysctl_kernel_unprivileged_bpf_disabled_symlinks:obj:1" item_field="filepath"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="List of conf files" datatype="string" id="oval:ssg-local_var_conf_files_sysctl_kernel_unprivileged_bpf_disabled:var:1" version="1">
-          <oval-def:object_component object_ref="oval:ssg-object_sysctl_kernel_unprivileged_bpf_disabled_static_set_sysctls_unfiltered:obj:1" item_field="filepath"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count unique sysctls" datatype="int" id="oval:ssg-local_var_sysctl_kernel_yama_ptrace_scope_counter:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_sysctl_kernel_yama_ptrace_scope_static_set_sysctls:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_sysctl_kernel_yama_ptrace_scope_safe_symlinks:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-var_object_symlink_sysctl_kernel_yama_ptrace_scope:obj:1" item_field="value"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Blank string" datatype="string" id="oval:ssg-local_var_blank_path_sysctl_kernel_yama_ptrace_scope:var:1" version="1">
-          <oval-def:literal_component datatype="string"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_symlinks_sysctl_kernel_yama_ptrace_scope:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-object_sysctl_kernel_yama_ptrace_scope_symlinks:obj:1" item_field="filepath"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="List of conf files" datatype="string" id="oval:ssg-local_var_conf_files_sysctl_kernel_yama_ptrace_scope:var:1" version="1">
-          <oval-def:object_component object_ref="oval:ssg-object_sysctl_kernel_yama_ptrace_scope_static_set_sysctls_unfiltered:obj:1" item_field="filepath"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count unique sysctls" datatype="int" id="oval:ssg-local_var_sysctl_net_core_bpf_jit_harden_counter:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_core_bpf_jit_harden_static_set_sysctls:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_sysctl_net_core_bpf_jit_harden_safe_symlinks:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-var_object_symlink_sysctl_net_core_bpf_jit_harden:obj:1" item_field="value"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Blank string" datatype="string" id="oval:ssg-local_var_blank_path_sysctl_net_core_bpf_jit_harden:var:1" version="1">
-          <oval-def:literal_component datatype="string"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_symlinks_sysctl_net_core_bpf_jit_harden:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_core_bpf_jit_harden_symlinks:obj:1" item_field="filepath"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="List of conf files" datatype="string" id="oval:ssg-local_var_conf_files_sysctl_net_core_bpf_jit_harden:var:1" version="1">
-          <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_core_bpf_jit_harden_static_set_sysctls_unfiltered:obj:1" item_field="filepath"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count unique sysctls" datatype="int" id="oval:ssg-local_var_sysctl_net_ipv4_conf_all_accept_local_counter:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv4_conf_all_accept_local_static_set_sysctls:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_sysctl_net_ipv4_conf_all_accept_local_safe_symlinks:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-var_object_symlink_sysctl_net_ipv4_conf_all_accept_local:obj:1" item_field="value"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Blank string" datatype="string" id="oval:ssg-local_var_blank_path_sysctl_net_ipv4_conf_all_accept_local:var:1" version="1">
-          <oval-def:literal_component datatype="string"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_symlinks_sysctl_net_ipv4_conf_all_accept_local:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv4_conf_all_accept_local_symlinks:obj:1" item_field="filepath"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="List of conf files" datatype="string" id="oval:ssg-local_var_conf_files_sysctl_net_ipv4_conf_all_accept_local:var:1" version="1">
-          <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv4_conf_all_accept_local_static_set_sysctls_unfiltered:obj:1" item_field="filepath"/>
-        </oval-def:local_variable>
-        <oval-def:external_variable id="oval:ssg-sysctl_net_ipv4_conf_all_accept_redirects_value:var:1" version="1" comment="External variable for net.ipv4.conf.all.accept_redirects" datatype="int"/>
-        <oval-def:local_variable comment="Count unique sysctls" datatype="int" id="oval:ssg-local_var_sysctl_net_ipv4_conf_all_accept_redirects_counter:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv4_conf_all_accept_redirects_static_set_sysctls:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_sysctl_net_ipv4_conf_all_accept_redirects_safe_symlinks:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-var_object_symlink_sysctl_net_ipv4_conf_all_accept_redirects:obj:1" item_field="value"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Blank string" datatype="string" id="oval:ssg-local_var_blank_path_sysctl_net_ipv4_conf_all_accept_redirects:var:1" version="1">
-          <oval-def:literal_component datatype="string"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_symlinks_sysctl_net_ipv4_conf_all_accept_redirects:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv4_conf_all_accept_redirects_symlinks:obj:1" item_field="filepath"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="List of conf files" datatype="string" id="oval:ssg-local_var_conf_files_sysctl_net_ipv4_conf_all_accept_redirects:var:1" version="1">
-          <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv4_conf_all_accept_redirects_static_set_sysctls_unfiltered:obj:1" item_field="filepath"/>
-        </oval-def:local_variable>
-        <oval-def:external_variable id="oval:ssg-sysctl_net_ipv4_conf_all_accept_source_route_value:var:1" version="1" comment="External variable for net.ipv4.conf.all.accept_source_route" datatype="int"/>
-        <oval-def:local_variable comment="Count unique sysctls" datatype="int" id="oval:ssg-local_var_sysctl_net_ipv4_conf_all_accept_source_route_counter:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv4_conf_all_accept_source_route_static_set_sysctls:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_sysctl_net_ipv4_conf_all_accept_source_route_safe_symlinks:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-var_object_symlink_sysctl_net_ipv4_conf_all_accept_source_route:obj:1" item_field="value"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Blank string" datatype="string" id="oval:ssg-local_var_blank_path_sysctl_net_ipv4_conf_all_accept_source_route:var:1" version="1">
-          <oval-def:literal_component datatype="string"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_symlinks_sysctl_net_ipv4_conf_all_accept_source_route:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv4_conf_all_accept_source_route_symlinks:obj:1" item_field="filepath"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="List of conf files" datatype="string" id="oval:ssg-local_var_conf_files_sysctl_net_ipv4_conf_all_accept_source_route:var:1" version="1">
-          <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv4_conf_all_accept_source_route_static_set_sysctls_unfiltered:obj:1" item_field="filepath"/>
-        </oval-def:local_variable>
-        <oval-def:external_variable id="oval:ssg-sysctl_net_ipv4_conf_all_arp_filter_value:var:1" version="1" comment="External variable for net.ipv4.conf.all.arp_filter" datatype="int"/>
-        <oval-def:local_variable comment="Count unique sysctls" datatype="int" id="oval:ssg-local_var_sysctl_net_ipv4_conf_all_arp_filter_counter:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv4_conf_all_arp_filter_static_set_sysctls:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_sysctl_net_ipv4_conf_all_arp_filter_safe_symlinks:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-var_object_symlink_sysctl_net_ipv4_conf_all_arp_filter:obj:1" item_field="value"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Blank string" datatype="string" id="oval:ssg-local_var_blank_path_sysctl_net_ipv4_conf_all_arp_filter:var:1" version="1">
-          <oval-def:literal_component datatype="string"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_symlinks_sysctl_net_ipv4_conf_all_arp_filter:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv4_conf_all_arp_filter_symlinks:obj:1" item_field="filepath"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="List of conf files" datatype="string" id="oval:ssg-local_var_conf_files_sysctl_net_ipv4_conf_all_arp_filter:var:1" version="1">
-          <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv4_conf_all_arp_filter_static_set_sysctls_unfiltered:obj:1" item_field="filepath"/>
-        </oval-def:local_variable>
-        <oval-def:external_variable id="oval:ssg-sysctl_net_ipv4_conf_all_arp_ignore_value:var:1" version="1" comment="External variable for net.ipv4.conf.all.arp_ignore" datatype="int"/>
-        <oval-def:local_variable comment="Count unique sysctls" datatype="int" id="oval:ssg-local_var_sysctl_net_ipv4_conf_all_arp_ignore_counter:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv4_conf_all_arp_ignore_static_set_sysctls:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_sysctl_net_ipv4_conf_all_arp_ignore_safe_symlinks:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-var_object_symlink_sysctl_net_ipv4_conf_all_arp_ignore:obj:1" item_field="value"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Blank string" datatype="string" id="oval:ssg-local_var_blank_path_sysctl_net_ipv4_conf_all_arp_ignore:var:1" version="1">
-          <oval-def:literal_component datatype="string"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_symlinks_sysctl_net_ipv4_conf_all_arp_ignore:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv4_conf_all_arp_ignore_symlinks:obj:1" item_field="filepath"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="List of conf files" datatype="string" id="oval:ssg-local_var_conf_files_sysctl_net_ipv4_conf_all_arp_ignore:var:1" version="1">
-          <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv4_conf_all_arp_ignore_static_set_sysctls_unfiltered:obj:1" item_field="filepath"/>
-        </oval-def:local_variable>
-        <oval-def:external_variable id="oval:ssg-sysctl_net_ipv4_conf_all_log_martians_value:var:1" version="1" comment="External variable for net.ipv4.conf.all.log_martians" datatype="int"/>
-        <oval-def:local_variable comment="Count unique sysctls" datatype="int" id="oval:ssg-local_var_sysctl_net_ipv4_conf_all_log_martians_counter:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv4_conf_all_log_martians_static_set_sysctls:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_sysctl_net_ipv4_conf_all_log_martians_safe_symlinks:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-var_object_symlink_sysctl_net_ipv4_conf_all_log_martians:obj:1" item_field="value"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Blank string" datatype="string" id="oval:ssg-local_var_blank_path_sysctl_net_ipv4_conf_all_log_martians:var:1" version="1">
-          <oval-def:literal_component datatype="string"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_symlinks_sysctl_net_ipv4_conf_all_log_martians:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv4_conf_all_log_martians_symlinks:obj:1" item_field="filepath"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="List of conf files" datatype="string" id="oval:ssg-local_var_conf_files_sysctl_net_ipv4_conf_all_log_martians:var:1" version="1">
-          <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv4_conf_all_log_martians_static_set_sysctls_unfiltered:obj:1" item_field="filepath"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count unique sysctls" datatype="int" id="oval:ssg-local_var_sysctl_net_ipv4_conf_all_route_localnet_counter:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv4_conf_all_route_localnet_static_set_sysctls:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_sysctl_net_ipv4_conf_all_route_localnet_safe_symlinks:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-var_object_symlink_sysctl_net_ipv4_conf_all_route_localnet:obj:1" item_field="value"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Blank string" datatype="string" id="oval:ssg-local_var_blank_path_sysctl_net_ipv4_conf_all_route_localnet:var:1" version="1">
-          <oval-def:literal_component datatype="string"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_symlinks_sysctl_net_ipv4_conf_all_route_localnet:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv4_conf_all_route_localnet_symlinks:obj:1" item_field="filepath"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="List of conf files" datatype="string" id="oval:ssg-local_var_conf_files_sysctl_net_ipv4_conf_all_route_localnet:var:1" version="1">
-          <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv4_conf_all_route_localnet_static_set_sysctls_unfiltered:obj:1" item_field="filepath"/>
-        </oval-def:local_variable>
-        <oval-def:external_variable id="oval:ssg-sysctl_net_ipv4_conf_all_rp_filter_value:var:1" version="1" comment="External variable for net.ipv4.conf.all.rp_filter" datatype="int"/>
-        <oval-def:local_variable comment="Count unique sysctls" datatype="int" id="oval:ssg-local_var_sysctl_net_ipv4_conf_all_rp_filter_counter:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv4_conf_all_rp_filter_static_set_sysctls:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_sysctl_net_ipv4_conf_all_rp_filter_safe_symlinks:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-var_object_symlink_sysctl_net_ipv4_conf_all_rp_filter:obj:1" item_field="value"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Blank string" datatype="string" id="oval:ssg-local_var_blank_path_sysctl_net_ipv4_conf_all_rp_filter:var:1" version="1">
-          <oval-def:literal_component datatype="string"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_symlinks_sysctl_net_ipv4_conf_all_rp_filter:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv4_conf_all_rp_filter_symlinks:obj:1" item_field="filepath"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="List of conf files" datatype="string" id="oval:ssg-local_var_conf_files_sysctl_net_ipv4_conf_all_rp_filter:var:1" version="1">
-          <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv4_conf_all_rp_filter_static_set_sysctls_unfiltered:obj:1" item_field="filepath"/>
-        </oval-def:local_variable>
-        <oval-def:external_variable id="oval:ssg-sysctl_net_ipv4_conf_all_secure_redirects_value:var:1" version="1" comment="External variable for net.ipv4.conf.all.secure_redirects" datatype="int"/>
-        <oval-def:local_variable comment="Count unique sysctls" datatype="int" id="oval:ssg-local_var_sysctl_net_ipv4_conf_all_secure_redirects_counter:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv4_conf_all_secure_redirects_static_set_sysctls:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_sysctl_net_ipv4_conf_all_secure_redirects_safe_symlinks:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-var_object_symlink_sysctl_net_ipv4_conf_all_secure_redirects:obj:1" item_field="value"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Blank string" datatype="string" id="oval:ssg-local_var_blank_path_sysctl_net_ipv4_conf_all_secure_redirects:var:1" version="1">
-          <oval-def:literal_component datatype="string"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_symlinks_sysctl_net_ipv4_conf_all_secure_redirects:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv4_conf_all_secure_redirects_symlinks:obj:1" item_field="filepath"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="List of conf files" datatype="string" id="oval:ssg-local_var_conf_files_sysctl_net_ipv4_conf_all_secure_redirects:var:1" version="1">
-          <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv4_conf_all_secure_redirects_static_set_sysctls_unfiltered:obj:1" item_field="filepath"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count unique sysctls" datatype="int" id="oval:ssg-local_var_sysctl_net_ipv4_conf_all_send_redirects_counter:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv4_conf_all_send_redirects_static_set_sysctls:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_sysctl_net_ipv4_conf_all_send_redirects_safe_symlinks:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-var_object_symlink_sysctl_net_ipv4_conf_all_send_redirects:obj:1" item_field="value"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Blank string" datatype="string" id="oval:ssg-local_var_blank_path_sysctl_net_ipv4_conf_all_send_redirects:var:1" version="1">
-          <oval-def:literal_component datatype="string"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_symlinks_sysctl_net_ipv4_conf_all_send_redirects:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv4_conf_all_send_redirects_symlinks:obj:1" item_field="filepath"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="List of conf files" datatype="string" id="oval:ssg-local_var_conf_files_sysctl_net_ipv4_conf_all_send_redirects:var:1" version="1">
-          <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv4_conf_all_send_redirects_static_set_sysctls_unfiltered:obj:1" item_field="filepath"/>
-        </oval-def:local_variable>
-        <oval-def:external_variable id="oval:ssg-sysctl_net_ipv4_conf_all_shared_media_value:var:1" version="1" comment="External variable for net.ipv4.conf.all.shared_media" datatype="int"/>
-        <oval-def:local_variable comment="Count unique sysctls" datatype="int" id="oval:ssg-local_var_sysctl_net_ipv4_conf_all_shared_media_counter:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv4_conf_all_shared_media_static_set_sysctls:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_sysctl_net_ipv4_conf_all_shared_media_safe_symlinks:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-var_object_symlink_sysctl_net_ipv4_conf_all_shared_media:obj:1" item_field="value"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Blank string" datatype="string" id="oval:ssg-local_var_blank_path_sysctl_net_ipv4_conf_all_shared_media:var:1" version="1">
-          <oval-def:literal_component datatype="string"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_symlinks_sysctl_net_ipv4_conf_all_shared_media:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv4_conf_all_shared_media_symlinks:obj:1" item_field="filepath"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="List of conf files" datatype="string" id="oval:ssg-local_var_conf_files_sysctl_net_ipv4_conf_all_shared_media:var:1" version="1">
-          <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv4_conf_all_shared_media_static_set_sysctls_unfiltered:obj:1" item_field="filepath"/>
-        </oval-def:local_variable>
-        <oval-def:external_variable id="oval:ssg-sysctl_net_ipv4_conf_default_accept_redirects_value:var:1" version="1" comment="External variable for net.ipv4.conf.default.accept_redirects" datatype="int"/>
-        <oval-def:local_variable comment="Count unique sysctls" datatype="int" id="oval:ssg-local_var_sysctl_net_ipv4_conf_default_accept_redirects_counter:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv4_conf_default_accept_redirects_static_set_sysctls:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_sysctl_net_ipv4_conf_default_accept_redirects_safe_symlinks:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-var_object_symlink_sysctl_net_ipv4_conf_default_accept_redirects:obj:1" item_field="value"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Blank string" datatype="string" id="oval:ssg-local_var_blank_path_sysctl_net_ipv4_conf_default_accept_redirects:var:1" version="1">
-          <oval-def:literal_component datatype="string"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_symlinks_sysctl_net_ipv4_conf_default_accept_redirects:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv4_conf_default_accept_redirects_symlinks:obj:1" item_field="filepath"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="List of conf files" datatype="string" id="oval:ssg-local_var_conf_files_sysctl_net_ipv4_conf_default_accept_redirects:var:1" version="1">
-          <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv4_conf_default_accept_redirects_static_set_sysctls_unfiltered:obj:1" item_field="filepath"/>
-        </oval-def:local_variable>
-        <oval-def:external_variable id="oval:ssg-sysctl_net_ipv4_conf_default_accept_source_route_value:var:1" version="1" comment="External variable for net.ipv4.conf.default.accept_source_route" datatype="int"/>
-        <oval-def:local_variable comment="Count unique sysctls" datatype="int" id="oval:ssg-local_var_sysctl_net_ipv4_conf_default_accept_source_route_counter:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv4_conf_default_accept_source_route_static_set_sysctls:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_sysctl_net_ipv4_conf_default_accept_source_route_safe_symlinks:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-var_object_symlink_sysctl_net_ipv4_conf_default_accept_source_route:obj:1" item_field="value"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Blank string" datatype="string" id="oval:ssg-local_var_blank_path_sysctl_net_ipv4_conf_default_accept_source_route:var:1" version="1">
-          <oval-def:literal_component datatype="string"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_symlinks_sysctl_net_ipv4_conf_default_accept_source_route:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv4_conf_default_accept_source_route_symlinks:obj:1" item_field="filepath"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="List of conf files" datatype="string" id="oval:ssg-local_var_conf_files_sysctl_net_ipv4_conf_default_accept_source_route:var:1" version="1">
-          <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv4_conf_default_accept_source_route_static_set_sysctls_unfiltered:obj:1" item_field="filepath"/>
-        </oval-def:local_variable>
-        <oval-def:external_variable id="oval:ssg-sysctl_net_ipv4_conf_default_log_martians_value:var:1" version="1" comment="External variable for net.ipv4.conf.default.log_martians" datatype="int"/>
-        <oval-def:local_variable comment="Count unique sysctls" datatype="int" id="oval:ssg-local_var_sysctl_net_ipv4_conf_default_log_martians_counter:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv4_conf_default_log_martians_static_set_sysctls:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_sysctl_net_ipv4_conf_default_log_martians_safe_symlinks:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-var_object_symlink_sysctl_net_ipv4_conf_default_log_martians:obj:1" item_field="value"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Blank string" datatype="string" id="oval:ssg-local_var_blank_path_sysctl_net_ipv4_conf_default_log_martians:var:1" version="1">
-          <oval-def:literal_component datatype="string"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_symlinks_sysctl_net_ipv4_conf_default_log_martians:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv4_conf_default_log_martians_symlinks:obj:1" item_field="filepath"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="List of conf files" datatype="string" id="oval:ssg-local_var_conf_files_sysctl_net_ipv4_conf_default_log_martians:var:1" version="1">
-          <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv4_conf_default_log_martians_static_set_sysctls_unfiltered:obj:1" item_field="filepath"/>
-        </oval-def:local_variable>
-        <oval-def:external_variable id="oval:ssg-sysctl_net_ipv4_conf_default_rp_filter_value:var:1" version="1" comment="External variable for net.ipv4.conf.default.rp_filter" datatype="int"/>
-        <oval-def:local_variable comment="Count unique sysctls" datatype="int" id="oval:ssg-local_var_sysctl_net_ipv4_conf_default_rp_filter_counter:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv4_conf_default_rp_filter_static_set_sysctls:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_sysctl_net_ipv4_conf_default_rp_filter_safe_symlinks:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-var_object_symlink_sysctl_net_ipv4_conf_default_rp_filter:obj:1" item_field="value"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Blank string" datatype="string" id="oval:ssg-local_var_blank_path_sysctl_net_ipv4_conf_default_rp_filter:var:1" version="1">
-          <oval-def:literal_component datatype="string"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_symlinks_sysctl_net_ipv4_conf_default_rp_filter:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv4_conf_default_rp_filter_symlinks:obj:1" item_field="filepath"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="List of conf files" datatype="string" id="oval:ssg-local_var_conf_files_sysctl_net_ipv4_conf_default_rp_filter:var:1" version="1">
-          <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv4_conf_default_rp_filter_static_set_sysctls_unfiltered:obj:1" item_field="filepath"/>
-        </oval-def:local_variable>
-        <oval-def:external_variable id="oval:ssg-sysctl_net_ipv4_conf_default_secure_redirects_value:var:1" version="1" comment="External variable for net.ipv4.conf.default.secure_redirects" datatype="int"/>
-        <oval-def:local_variable comment="Count unique sysctls" datatype="int" id="oval:ssg-local_var_sysctl_net_ipv4_conf_default_secure_redirects_counter:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv4_conf_default_secure_redirects_static_set_sysctls:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_sysctl_net_ipv4_conf_default_secure_redirects_safe_symlinks:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-var_object_symlink_sysctl_net_ipv4_conf_default_secure_redirects:obj:1" item_field="value"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Blank string" datatype="string" id="oval:ssg-local_var_blank_path_sysctl_net_ipv4_conf_default_secure_redirects:var:1" version="1">
-          <oval-def:literal_component datatype="string"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_symlinks_sysctl_net_ipv4_conf_default_secure_redirects:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv4_conf_default_secure_redirects_symlinks:obj:1" item_field="filepath"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="List of conf files" datatype="string" id="oval:ssg-local_var_conf_files_sysctl_net_ipv4_conf_default_secure_redirects:var:1" version="1">
-          <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv4_conf_default_secure_redirects_static_set_sysctls_unfiltered:obj:1" item_field="filepath"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count unique sysctls" datatype="int" id="oval:ssg-local_var_sysctl_net_ipv4_conf_default_send_redirects_counter:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv4_conf_default_send_redirects_static_set_sysctls:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_sysctl_net_ipv4_conf_default_send_redirects_safe_symlinks:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-var_object_symlink_sysctl_net_ipv4_conf_default_send_redirects:obj:1" item_field="value"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Blank string" datatype="string" id="oval:ssg-local_var_blank_path_sysctl_net_ipv4_conf_default_send_redirects:var:1" version="1">
-          <oval-def:literal_component datatype="string"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_symlinks_sysctl_net_ipv4_conf_default_send_redirects:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv4_conf_default_send_redirects_symlinks:obj:1" item_field="filepath"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="List of conf files" datatype="string" id="oval:ssg-local_var_conf_files_sysctl_net_ipv4_conf_default_send_redirects:var:1" version="1">
-          <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv4_conf_default_send_redirects_static_set_sysctls_unfiltered:obj:1" item_field="filepath"/>
-        </oval-def:local_variable>
-        <oval-def:external_variable id="oval:ssg-sysctl_net_ipv4_conf_default_shared_media_value:var:1" version="1" comment="External variable for net.ipv4.conf.default.shared_media" datatype="int"/>
-        <oval-def:local_variable comment="Count unique sysctls" datatype="int" id="oval:ssg-local_var_sysctl_net_ipv4_conf_default_shared_media_counter:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv4_conf_default_shared_media_static_set_sysctls:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_sysctl_net_ipv4_conf_default_shared_media_safe_symlinks:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-var_object_symlink_sysctl_net_ipv4_conf_default_shared_media:obj:1" item_field="value"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Blank string" datatype="string" id="oval:ssg-local_var_blank_path_sysctl_net_ipv4_conf_default_shared_media:var:1" version="1">
-          <oval-def:literal_component datatype="string"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_symlinks_sysctl_net_ipv4_conf_default_shared_media:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv4_conf_default_shared_media_symlinks:obj:1" item_field="filepath"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="List of conf files" datatype="string" id="oval:ssg-local_var_conf_files_sysctl_net_ipv4_conf_default_shared_media:var:1" version="1">
-          <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv4_conf_default_shared_media_static_set_sysctls_unfiltered:obj:1" item_field="filepath"/>
-        </oval-def:local_variable>
-        <oval-def:external_variable id="oval:ssg-sysctl_net_ipv4_icmp_echo_ignore_broadcasts_value:var:1" version="1" comment="External variable for net.ipv4.icmp_echo_ignore_broadcasts" datatype="int"/>
-        <oval-def:local_variable comment="Count unique sysctls" datatype="int" id="oval:ssg-local_var_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_counter:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_static_set_sysctls:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_safe_symlinks:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-var_object_symlink_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:obj:1" item_field="value"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Blank string" datatype="string" id="oval:ssg-local_var_blank_path_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:var:1" version="1">
-          <oval-def:literal_component datatype="string"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_symlinks_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_symlinks:obj:1" item_field="filepath"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="List of conf files" datatype="string" id="oval:ssg-local_var_conf_files_sysctl_net_ipv4_icmp_echo_ignore_broadcasts:var:1" version="1">
-          <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv4_icmp_echo_ignore_broadcasts_static_set_sysctls_unfiltered:obj:1" item_field="filepath"/>
-        </oval-def:local_variable>
-        <oval-def:external_variable id="oval:ssg-sysctl_net_ipv4_icmp_ignore_bogus_error_responses_value:var:1" version="1" comment="External variable for net.ipv4.icmp_ignore_bogus_error_responses" datatype="int"/>
-        <oval-def:local_variable comment="Count unique sysctls" datatype="int" id="oval:ssg-local_var_sysctl_net_ipv4_icmp_ignore_bogus_error_responses_counter:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv4_icmp_ignore_bogus_error_responses_static_set_sysctls:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_sysctl_net_ipv4_icmp_ignore_bogus_error_responses_safe_symlinks:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-var_object_symlink_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:obj:1" item_field="value"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Blank string" datatype="string" id="oval:ssg-local_var_blank_path_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:var:1" version="1">
-          <oval-def:literal_component datatype="string"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_symlinks_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv4_icmp_ignore_bogus_error_responses_symlinks:obj:1" item_field="filepath"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="List of conf files" datatype="string" id="oval:ssg-local_var_conf_files_sysctl_net_ipv4_icmp_ignore_bogus_error_responses:var:1" version="1">
-          <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv4_icmp_ignore_bogus_error_responses_static_set_sysctls_unfiltered:obj:1" item_field="filepath"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count unique sysctls" datatype="int" id="oval:ssg-local_var_sysctl_net_ipv4_ip_forward_counter:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv4_ip_forward_static_set_sysctls:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_sysctl_net_ipv4_ip_forward_safe_symlinks:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-var_object_symlink_sysctl_net_ipv4_ip_forward:obj:1" item_field="value"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Blank string" datatype="string" id="oval:ssg-local_var_blank_path_sysctl_net_ipv4_ip_forward:var:1" version="1">
-          <oval-def:literal_component datatype="string"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_symlinks_sysctl_net_ipv4_ip_forward:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv4_ip_forward_symlinks:obj:1" item_field="filepath"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="List of conf files" datatype="string" id="oval:ssg-local_var_conf_files_sysctl_net_ipv4_ip_forward:var:1" version="1">
-          <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv4_ip_forward_static_set_sysctls_unfiltered:obj:1" item_field="filepath"/>
-        </oval-def:local_variable>
-        <oval-def:external_variable id="oval:ssg-sysctl_net_ipv4_tcp_invalid_ratelimit_value:var:1" version="1" comment="External variable for net.ipv4.tcp_invalid_ratelimit" datatype="int"/>
-        <oval-def:local_variable comment="Count unique sysctls" datatype="int" id="oval:ssg-local_var_sysctl_net_ipv4_tcp_invalid_ratelimit_counter:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv4_tcp_invalid_ratelimit_static_set_sysctls:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_sysctl_net_ipv4_tcp_invalid_ratelimit_safe_symlinks:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-var_object_symlink_sysctl_net_ipv4_tcp_invalid_ratelimit:obj:1" item_field="value"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Blank string" datatype="string" id="oval:ssg-local_var_blank_path_sysctl_net_ipv4_tcp_invalid_ratelimit:var:1" version="1">
-          <oval-def:literal_component datatype="string"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_symlinks_sysctl_net_ipv4_tcp_invalid_ratelimit:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv4_tcp_invalid_ratelimit_symlinks:obj:1" item_field="filepath"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="List of conf files" datatype="string" id="oval:ssg-local_var_conf_files_sysctl_net_ipv4_tcp_invalid_ratelimit:var:1" version="1">
-          <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv4_tcp_invalid_ratelimit_static_set_sysctls_unfiltered:obj:1" item_field="filepath"/>
-        </oval-def:local_variable>
-        <oval-def:external_variable id="oval:ssg-sysctl_net_ipv4_tcp_syncookies_value:var:1" version="1" comment="External variable for net.ipv4.tcp_syncookies" datatype="int"/>
-        <oval-def:local_variable comment="Count unique sysctls" datatype="int" id="oval:ssg-local_var_sysctl_net_ipv4_tcp_syncookies_counter:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv4_tcp_syncookies_static_set_sysctls:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_sysctl_net_ipv4_tcp_syncookies_safe_symlinks:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-var_object_symlink_sysctl_net_ipv4_tcp_syncookies:obj:1" item_field="value"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Blank string" datatype="string" id="oval:ssg-local_var_blank_path_sysctl_net_ipv4_tcp_syncookies:var:1" version="1">
-          <oval-def:literal_component datatype="string"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_symlinks_sysctl_net_ipv4_tcp_syncookies:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv4_tcp_syncookies_symlinks:obj:1" item_field="filepath"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="List of conf files" datatype="string" id="oval:ssg-local_var_conf_files_sysctl_net_ipv4_tcp_syncookies:var:1" version="1">
-          <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv4_tcp_syncookies_static_set_sysctls_unfiltered:obj:1" item_field="filepath"/>
-        </oval-def:local_variable>
-        <oval-def:external_variable id="oval:ssg-sysctl_net_ipv6_conf_all_accept_ra_value:var:1" version="1" comment="External variable for net.ipv6.conf.all.accept_ra" datatype="int"/>
-        <oval-def:local_variable comment="Count unique sysctls" datatype="int" id="oval:ssg-local_var_sysctl_net_ipv6_conf_all_accept_ra_counter:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv6_conf_all_accept_ra_static_set_sysctls:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_sysctl_net_ipv6_conf_all_accept_ra_safe_symlinks:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-var_object_symlink_sysctl_net_ipv6_conf_all_accept_ra:obj:1" item_field="value"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Blank string" datatype="string" id="oval:ssg-local_var_blank_path_sysctl_net_ipv6_conf_all_accept_ra:var:1" version="1">
-          <oval-def:literal_component datatype="string"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_symlinks_sysctl_net_ipv6_conf_all_accept_ra:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv6_conf_all_accept_ra_symlinks:obj:1" item_field="filepath"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="List of conf files" datatype="string" id="oval:ssg-local_var_conf_files_sysctl_net_ipv6_conf_all_accept_ra:var:1" version="1">
-          <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv6_conf_all_accept_ra_static_set_sysctls_unfiltered:obj:1" item_field="filepath"/>
-        </oval-def:local_variable>
-        <oval-def:external_variable id="oval:ssg-sysctl_net_ipv6_conf_all_accept_redirects_value:var:1" version="1" comment="External variable for net.ipv6.conf.all.accept_redirects" datatype="int"/>
-        <oval-def:local_variable comment="Count unique sysctls" datatype="int" id="oval:ssg-local_var_sysctl_net_ipv6_conf_all_accept_redirects_counter:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv6_conf_all_accept_redirects_static_set_sysctls:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_sysctl_net_ipv6_conf_all_accept_redirects_safe_symlinks:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-var_object_symlink_sysctl_net_ipv6_conf_all_accept_redirects:obj:1" item_field="value"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Blank string" datatype="string" id="oval:ssg-local_var_blank_path_sysctl_net_ipv6_conf_all_accept_redirects:var:1" version="1">
-          <oval-def:literal_component datatype="string"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_symlinks_sysctl_net_ipv6_conf_all_accept_redirects:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv6_conf_all_accept_redirects_symlinks:obj:1" item_field="filepath"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="List of conf files" datatype="string" id="oval:ssg-local_var_conf_files_sysctl_net_ipv6_conf_all_accept_redirects:var:1" version="1">
-          <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv6_conf_all_accept_redirects_static_set_sysctls_unfiltered:obj:1" item_field="filepath"/>
-        </oval-def:local_variable>
-        <oval-def:external_variable id="oval:ssg-sysctl_net_ipv6_conf_all_accept_source_route_value:var:1" version="1" comment="External variable for net.ipv6.conf.all.accept_source_route" datatype="int"/>
-        <oval-def:local_variable comment="Count unique sysctls" datatype="int" id="oval:ssg-local_var_sysctl_net_ipv6_conf_all_accept_source_route_counter:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv6_conf_all_accept_source_route_static_set_sysctls:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_sysctl_net_ipv6_conf_all_accept_source_route_safe_symlinks:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-var_object_symlink_sysctl_net_ipv6_conf_all_accept_source_route:obj:1" item_field="value"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Blank string" datatype="string" id="oval:ssg-local_var_blank_path_sysctl_net_ipv6_conf_all_accept_source_route:var:1" version="1">
-          <oval-def:literal_component datatype="string"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_symlinks_sysctl_net_ipv6_conf_all_accept_source_route:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv6_conf_all_accept_source_route_symlinks:obj:1" item_field="filepath"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="List of conf files" datatype="string" id="oval:ssg-local_var_conf_files_sysctl_net_ipv6_conf_all_accept_source_route:var:1" version="1">
-          <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv6_conf_all_accept_source_route_static_set_sysctls_unfiltered:obj:1" item_field="filepath"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count unique sysctls" datatype="int" id="oval:ssg-local_var_sysctl_net_ipv6_conf_all_disable_ipv6_counter:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv6_conf_all_disable_ipv6_static_set_sysctls:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_sysctl_net_ipv6_conf_all_disable_ipv6_safe_symlinks:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-var_object_symlink_sysctl_net_ipv6_conf_all_disable_ipv6:obj:1" item_field="value"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Blank string" datatype="string" id="oval:ssg-local_var_blank_path_sysctl_net_ipv6_conf_all_disable_ipv6:var:1" version="1">
-          <oval-def:literal_component datatype="string"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_symlinks_sysctl_net_ipv6_conf_all_disable_ipv6:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv6_conf_all_disable_ipv6_symlinks:obj:1" item_field="filepath"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="List of conf files" datatype="string" id="oval:ssg-local_var_conf_files_sysctl_net_ipv6_conf_all_disable_ipv6:var:1" version="1">
-          <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv6_conf_all_disable_ipv6_static_set_sysctls_unfiltered:obj:1" item_field="filepath"/>
-        </oval-def:local_variable>
-        <oval-def:external_variable id="oval:ssg-sysctl_net_ipv6_conf_default_accept_ra_value:var:1" version="1" comment="External variable for net.ipv6.conf.default.accept_ra" datatype="int"/>
-        <oval-def:local_variable comment="Count unique sysctls" datatype="int" id="oval:ssg-local_var_sysctl_net_ipv6_conf_default_accept_ra_counter:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv6_conf_default_accept_ra_static_set_sysctls:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_sysctl_net_ipv6_conf_default_accept_ra_safe_symlinks:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-var_object_symlink_sysctl_net_ipv6_conf_default_accept_ra:obj:1" item_field="value"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Blank string" datatype="string" id="oval:ssg-local_var_blank_path_sysctl_net_ipv6_conf_default_accept_ra:var:1" version="1">
-          <oval-def:literal_component datatype="string"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_symlinks_sysctl_net_ipv6_conf_default_accept_ra:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv6_conf_default_accept_ra_symlinks:obj:1" item_field="filepath"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="List of conf files" datatype="string" id="oval:ssg-local_var_conf_files_sysctl_net_ipv6_conf_default_accept_ra:var:1" version="1">
-          <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv6_conf_default_accept_ra_static_set_sysctls_unfiltered:obj:1" item_field="filepath"/>
-        </oval-def:local_variable>
-        <oval-def:external_variable id="oval:ssg-sysctl_net_ipv6_conf_default_accept_redirects_value:var:1" version="1" comment="External variable for net.ipv6.conf.default.accept_redirects" datatype="int"/>
-        <oval-def:local_variable comment="Count unique sysctls" datatype="int" id="oval:ssg-local_var_sysctl_net_ipv6_conf_default_accept_redirects_counter:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv6_conf_default_accept_redirects_static_set_sysctls:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_sysctl_net_ipv6_conf_default_accept_redirects_safe_symlinks:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-var_object_symlink_sysctl_net_ipv6_conf_default_accept_redirects:obj:1" item_field="value"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Blank string" datatype="string" id="oval:ssg-local_var_blank_path_sysctl_net_ipv6_conf_default_accept_redirects:var:1" version="1">
-          <oval-def:literal_component datatype="string"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_symlinks_sysctl_net_ipv6_conf_default_accept_redirects:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv6_conf_default_accept_redirects_symlinks:obj:1" item_field="filepath"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="List of conf files" datatype="string" id="oval:ssg-local_var_conf_files_sysctl_net_ipv6_conf_default_accept_redirects:var:1" version="1">
-          <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv6_conf_default_accept_redirects_static_set_sysctls_unfiltered:obj:1" item_field="filepath"/>
-        </oval-def:local_variable>
-        <oval-def:external_variable id="oval:ssg-sysctl_net_ipv6_conf_default_accept_source_route_value:var:1" version="1" comment="External variable for net.ipv6.conf.default.accept_source_route" datatype="int"/>
-        <oval-def:local_variable comment="Count unique sysctls" datatype="int" id="oval:ssg-local_var_sysctl_net_ipv6_conf_default_accept_source_route_counter:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv6_conf_default_accept_source_route_static_set_sysctls:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_sysctl_net_ipv6_conf_default_accept_source_route_safe_symlinks:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-var_object_symlink_sysctl_net_ipv6_conf_default_accept_source_route:obj:1" item_field="value"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Blank string" datatype="string" id="oval:ssg-local_var_blank_path_sysctl_net_ipv6_conf_default_accept_source_route:var:1" version="1">
-          <oval-def:literal_component datatype="string"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_symlinks_sysctl_net_ipv6_conf_default_accept_source_route:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv6_conf_default_accept_source_route_symlinks:obj:1" item_field="filepath"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="List of conf files" datatype="string" id="oval:ssg-local_var_conf_files_sysctl_net_ipv6_conf_default_accept_source_route:var:1" version="1">
-          <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv6_conf_default_accept_source_route_static_set_sysctls_unfiltered:obj:1" item_field="filepath"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count unique sysctls" datatype="int" id="oval:ssg-local_var_sysctl_net_ipv6_conf_default_disable_ipv6_counter:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv6_conf_default_disable_ipv6_static_set_sysctls:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_sysctl_net_ipv6_conf_default_disable_ipv6_safe_symlinks:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-var_object_symlink_sysctl_net_ipv6_conf_default_disable_ipv6:obj:1" item_field="value"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Blank string" datatype="string" id="oval:ssg-local_var_blank_path_sysctl_net_ipv6_conf_default_disable_ipv6:var:1" version="1">
-          <oval-def:literal_component datatype="string"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_symlinks_sysctl_net_ipv6_conf_default_disable_ipv6:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv6_conf_default_disable_ipv6_symlinks:obj:1" item_field="filepath"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="List of conf files" datatype="string" id="oval:ssg-local_var_conf_files_sysctl_net_ipv6_conf_default_disable_ipv6:var:1" version="1">
-          <oval-def:object_component object_ref="oval:ssg-object_sysctl_net_ipv6_conf_default_disable_ipv6_static_set_sysctls_unfiltered:obj:1" item_field="filepath"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Count unique sysctls" datatype="int" id="oval:ssg-local_var_sysctl_user_max_user_namespaces_counter:var:1" version="1">
-          <oval-def:count>
-            <oval-def:unique>
-              <oval-def:object_component object_ref="oval:ssg-object_sysctl_user_max_user_namespaces_static_set_sysctls:obj:1" item_field="filepath"/>
-            </oval-def:unique>
-          </oval-def:count>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_sysctl_user_max_user_namespaces_safe_symlinks:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-var_object_symlink_sysctl_user_max_user_namespaces:obj:1" item_field="value"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Blank string" datatype="string" id="oval:ssg-local_var_blank_path_sysctl_user_max_user_namespaces:var:1" version="1">
-          <oval-def:literal_component datatype="string"/>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="Unique list of symlink conf files" datatype="string" id="oval:ssg-local_var_symlinks_sysctl_user_max_user_namespaces:var:1" version="1">
-          <oval-def:unique>
-            <oval-def:object_component object_ref="oval:ssg-object_sysctl_user_max_user_namespaces_symlinks:obj:1" item_field="filepath"/>
-          </oval-def:unique>
-        </oval-def:local_variable>
-        <oval-def:local_variable comment="List of conf files" datatype="string" id="oval:ssg-local_var_conf_files_sysctl_user_max_user_namespaces:var:1" version="1">
-          <oval-def:object_component object_ref="oval:ssg-object_sysctl_user_max_user_namespaces_static_set_sysctls_unfiltered:obj:1" item_field="filepath"/>
-        </oval-def:local_variable>
-        <oval-def:constant_variable id="oval:ssg-var_pam_pwquality_config_path:var:1" version="1" datatype="string" comment="correct path for pam_pwquality.so check">
-          <oval-def:value>/etc/pam.d/system-auth</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:local_variable id="oval:ssg-audit_log_file_path:var:1" datatype="string" version="1" comment="path to audit log files">
-          <oval-def:regex_capture pattern="^log_file\s*=\s*(.*)">
-            <oval-def:object_component item_field="subexpression" object_ref="oval:ssg-object_auditd_conf_log_file:obj:1"/>
-          </oval-def:regex_capture>
-        </oval-def:local_variable>
-        <oval-def:constant_variable id="oval:ssg-variable_cd_dvd_drive_alternative_names:var:1" datatype="string" comment="CD/DVD drive alternative names whitelist" version="1">
-          <oval-def:value>/dev/cdrom</oval-def:value>
-          <oval-def:value>/dev/dvd</oval-def:value>
-          <oval-def:value>/dev/scd0</oval-def:value>
-          <oval-def:value>/dev/sr0</oval-def:value>
-        </oval-def:constant_variable>
-        <oval-def:external_variable comment="May be defined by Profiles to explicitly say if sshd is required or not" datatype="int" id="oval:ssg-sshd_required:var:1" version="1"/>
-        <oval-def:external_variable id="oval:ssg-var_accounts_user_umask:var:1" datatype="string" version="1" comment="Value of var_accounts_user_umask (the required umask) as string"/>
-        <oval-def:local_variable id="oval:ssg-var_first_digit_of_umask_from_var_accounts_user_umask:var:1" comment="First octal digit of umask from var_accounts_user_umask" datatype="int" version="1">
-          <oval-def:substring substring_start="1" substring_length="1">
-            <oval-def:variable_component var_ref="oval:ssg-var_accounts_user_umask:var:1"/>
-          </oval-def:substring>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_second_digit_of_umask_from_var_accounts_user_umask:var:1" comment="Second octal digit of umask from var_accounts_user_umask" datatype="int" version="1">
-          <oval-def:substring substring_start="2" substring_length="1">
-            <oval-def:variable_component var_ref="oval:ssg-var_accounts_user_umask:var:1"/>
-          </oval-def:substring>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_third_digit_of_umask_from_var_accounts_user_umask:var:1" comment="Third octal digit of umask from var_accounts_user_umask" datatype="int" version="1">
-          <oval-def:substring substring_start="3" substring_length="1">
-            <oval-def:variable_component var_ref="oval:ssg-var_accounts_user_umask:var:1"/>
-          </oval-def:substring>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_accounts_user_umask_umask_as_number:var:1" comment="var_accounts_user_umask umask converted from string to a number" datatype="int" version="1">
-          <oval-def:arithmetic arithmetic_operation="add">
-            <oval-def:arithmetic arithmetic_operation="multiply">
-              <oval-def:literal_component datatype="int">64</oval-def:literal_component>
-              <oval-def:variable_component var_ref="oval:ssg-var_first_digit_of_umask_from_var_accounts_user_umask:var:1"/>
-            </oval-def:arithmetic>
-            <oval-def:arithmetic arithmetic_operation="multiply">
-              <oval-def:literal_component datatype="int">8</oval-def:literal_component>
-              <oval-def:variable_component var_ref="oval:ssg-var_second_digit_of_umask_from_var_accounts_user_umask:var:1"/>
-            </oval-def:arithmetic>
-            <oval-def:variable_component var_ref="oval:ssg-var_third_digit_of_umask_from_var_accounts_user_umask:var:1"/>
-          </oval-def:arithmetic>
-        </oval-def:local_variable>
-        <oval-def:external_variable id="oval:ssg-var_umask_for_daemons:var:1" datatype="string" version="1" comment="Value of var_umask_for_daemons (the required umask) as string"/>
-        <oval-def:local_variable id="oval:ssg-var_first_digit_of_umask_from_var_umask_for_daemons:var:1" comment="First octal digit of umask from var_umask_for_daemons" datatype="int" version="1">
-          <oval-def:substring substring_start="1" substring_length="1">
-            <oval-def:variable_component var_ref="oval:ssg-var_umask_for_daemons:var:1"/>
-          </oval-def:substring>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_second_digit_of_umask_from_var_umask_for_daemons:var:1" comment="Second octal digit of umask from var_umask_for_daemons" datatype="int" version="1">
-          <oval-def:substring substring_start="2" substring_length="1">
-            <oval-def:variable_component var_ref="oval:ssg-var_umask_for_daemons:var:1"/>
-          </oval-def:substring>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_third_digit_of_umask_from_var_umask_for_daemons:var:1" comment="Third octal digit of umask from var_umask_for_daemons" datatype="int" version="1">
-          <oval-def:substring substring_start="3" substring_length="1">
-            <oval-def:variable_component var_ref="oval:ssg-var_umask_for_daemons:var:1"/>
-          </oval-def:substring>
-        </oval-def:local_variable>
-        <oval-def:local_variable id="oval:ssg-var_umask_for_daemons_umask_as_number:var:1" comment="var_umask_for_daemons umask converted from string to a number" datatype="int" version="1">
-          <oval-def:arithmetic arithmetic_operation="add">
-            <oval-def:arithmetic arithmetic_operation="multiply">
-              <oval-def:literal_component datatype="int">64</oval-def:literal_component>
-              <oval-def:variable_component var_ref="oval:ssg-var_first_digit_of_umask_from_var_umask_for_daemons:var:1"/>
-            </oval-def:arithmetic>
-            <oval-def:arithmetic arithmetic_operation="multiply">
-              <oval-def:literal_component datatype="int">8</oval-def:literal_component>
-              <oval-def:variable_component var_ref="oval:ssg-var_second_digit_of_umask_from_var_umask_for_daemons:var:1"/>
-            </oval-def:arithmetic>
-            <oval-def:variable_component var_ref="oval:ssg-var_third_digit_of_umask_from_var_umask_for_daemons:var:1"/>
-          </oval-def:arithmetic>
-        </oval-def:local_variable>
-      </oval-def:variables>
-    </oval-def:oval_definitions>
-  </ds:component>
-  <ds:component id="scap_org.open-scap_comp_ssg-rhcos4-ocil.xml" timestamp="2022-08-11T18:55:33">
-    <ocil:ocil>
-      <ocil:generator>
-        <ocil:product_name>build_shorthand.py from SCAP Security Guide</ocil:product_name>
-        <ocil:product_version>ssg: 0.1.64</ocil:product_version>
-        <ocil:schema_version>2.0</ocil:schema_version>
-        <ocil:timestamp>2022-08-11T18:55:23</ocil:timestamp>
-      </ocil:generator>
-      <ocil:questionnaires>
-        <ocil:questionnaire id="ocil:ssg-service_cron_enabled_ocil:questionnaire:1">
-          <ocil:title>Enable cron Service</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-service_cron_enabled_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-package_bind_removed_ocil:questionnaire:1">
-          <ocil:title>Uninstall bind Package</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-package_bind_removed_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-fapolicyd_prevent_home_folder_access_ocil:questionnaire:1">
-          <ocil:title>fapolicyd Must be Configured to Limit Access to Users Home Folders</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-fapolicyd_prevent_home_folder_access_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-package_fapolicyd_installed_ocil:questionnaire:1">
-          <ocil:title>Install fapolicyd Package</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-package_fapolicyd_installed_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-service_fapolicyd_enabled_ocil:questionnaire:1">
-          <ocil:title>Enable the File Access Policy Service</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-service_fapolicyd_enabled_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-kerberos_disable_no_keytab_ocil:questionnaire:1">
-          <ocil:title>Disable Kerberos by removing host keytab</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-kerberos_disable_no_keytab_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-package_openldap-clients_removed_ocil:questionnaire:1">
-          <ocil:title>Ensure LDAP client is not installed</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-package_openldap-clients_removed_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-postfix_client_configure_mail_alias_ocil:questionnaire:1">
-          <ocil:title>Configure System to Forward All Mail For The Root Account</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-postfix_client_configure_mail_alias_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-postfix_client_configure_mail_alias_postmaster_ocil:questionnaire:1">
-          <ocil:title>Configure System to Forward All Mail From Postmaster to The Root Account</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-postfix_client_configure_mail_alias_postmaster_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-postfix_client_configure_relayhost_ocil:questionnaire:1">
-          <ocil:title>Configure System to Forward All Mail through a specific host</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-postfix_client_configure_relayhost_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-package_postfix_installed_ocil:questionnaire:1">
-          <ocil:title>The Postfix package is installed</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-package_postfix_installed_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-package_sendmail_removed_ocil:questionnaire:1">
-          <ocil:title>Uninstall Sendmail Package</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-package_sendmail_removed_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-no_all_squash_exports_ocil:questionnaire:1">
-          <ocil:title>Ensure All-Squashing Disabled On All Exports</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-no_all_squash_exports_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-chronyd_client_only_ocil:questionnaire:1">
-          <ocil:title>Disable chrony daemon from acting as server</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-chronyd_client_only_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-chronyd_no_chronyc_network_ocil:questionnaire:1">
-          <ocil:title>Disable network management of chrony daemon</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-chronyd_no_chronyc_network_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-chronyd_or_ntpd_set_maxpoll_ocil:questionnaire:1">
-          <ocil:title>Configure Time Service Maxpoll Interval</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-chronyd_or_ntpd_set_maxpoll_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-chronyd_or_ntpd_specify_remote_server_ocil:questionnaire:1">
-          <ocil:title>Specify a Remote NTP Server</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-chronyd_or_ntpd_specify_remote_server_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-chronyd_server_directive_ocil:questionnaire:1">
-          <ocil:title>Ensure Chrony is only configured with the server directive</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-chronyd_server_directive_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-chronyd_specify_remote_server_ocil:questionnaire:1">
-          <ocil:title>A remote time server for Chrony is configured</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-chronyd_specify_remote_server_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-ntpd_specify_remote_server_ocil:questionnaire:1">
-          <ocil:title>Specify a Remote NTP Server</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-ntpd_specify_remote_server_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-package_chrony_installed_ocil:questionnaire:1">
-          <ocil:title>The Chrony package is installed</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-package_chrony_installed_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-package_ntp_installed_ocil:questionnaire:1">
-          <ocil:title>Install the ntp service</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-package_ntp_installed_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-service_chronyd_enabled_ocil:questionnaire:1">
-          <ocil:title>The Chronyd service is enabled</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-service_chronyd_enabled_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-service_chronyd_or_ntpd_enabled_ocil:questionnaire:1">
-          <ocil:title>Enable the NTP Daemon</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-service_chronyd_or_ntpd_enabled_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-service_ntp_enabled_ocil:questionnaire:1">
-          <ocil:title>Enable the NTP Daemon</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-service_ntp_enabled_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-service_ntpd_enabled_ocil:questionnaire:1">
-          <ocil:title>Enable the NTP Daemon</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-service_ntpd_enabled_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-no_rsh_trust_files_ocil:questionnaire:1">
-          <ocil:title>Remove Rsh Trust Files</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-no_rsh_trust_files_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-service_rngd_enabled_ocil:questionnaire:1">
-          <ocil:title>Enable the Hardware RNG Entropy Gatherer Service</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-service_rngd_enabled_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-package_samba-common_installed_ocil:questionnaire:1">
-          <ocil:title>Install the Samba Common Package</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-package_samba-common_installed_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-package_net-snmp_removed_ocil:questionnaire:1">
-          <ocil:title>Uninstall net-snmp Package</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-package_net-snmp_removed_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-ssh_client_rekey_limit_ocil:questionnaire:1">
-          <ocil:title>Configure session renegotiation for SSH client</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-ssh_client_rekey_limit_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-disable_host_auth_ocil:questionnaire:1">
-          <ocil:title>Disable Host-Based Authentication</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-disable_host_auth_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sshd_allow_only_protocol2_ocil:questionnaire:1">
-          <ocil:title>Allow Only SSH Protocol 2</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sshd_allow_only_protocol2_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sshd_disable_compression_ocil:questionnaire:1">
-          <ocil:title>Disable Compression Or Set Compression to delayed</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sshd_disable_compression_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sshd_disable_empty_passwords_ocil:questionnaire:1">
-          <ocil:title>Disable SSH Access via Empty Passwords</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sshd_disable_empty_passwords_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sshd_disable_gssapi_auth_ocil:questionnaire:1">
-          <ocil:title>Disable GSSAPI Authentication</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sshd_disable_gssapi_auth_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sshd_disable_kerb_auth_ocil:questionnaire:1">
-          <ocil:title>Disable Kerberos Authentication</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sshd_disable_kerb_auth_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sshd_disable_pubkey_auth_ocil:questionnaire:1">
-          <ocil:title>Disable PubkeyAuthentication Authentication</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sshd_disable_rhosts_ocil:questionnaire:1">
-          <ocil:title>Disable SSH Support for .rhosts Files</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sshd_disable_rhosts_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sshd_disable_rhosts_rsa_ocil:questionnaire:1">
-          <ocil:title>Disable SSH Support for Rhosts RSA Authentication</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sshd_disable_rhosts_rsa_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sshd_disable_root_login_ocil:questionnaire:1">
-          <ocil:title>Disable SSH Root Login</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sshd_disable_root_login_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sshd_disable_root_password_login_ocil:questionnaire:1">
-          <ocil:title>Disable SSH root Login with a Password (Insecure)</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sshd_disable_root_password_login_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sshd_disable_tcp_forwarding_ocil:questionnaire:1">
-          <ocil:title>Disable SSH TCP Forwarding</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sshd_disable_tcp_forwarding_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sshd_disable_user_known_hosts_ocil:questionnaire:1">
-          <ocil:title>Disable SSH Support for User Known Hosts</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sshd_disable_user_known_hosts_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sshd_disable_x11_forwarding_ocil:questionnaire:1">
-          <ocil:title>Disable X11 Forwarding</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sshd_disable_x11_forwarding_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sshd_do_not_permit_user_env_ocil:questionnaire:1">
-          <ocil:title>Do Not Allow SSH Environment Options</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sshd_do_not_permit_user_env_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sshd_enable_gssapi_auth_ocil:questionnaire:1">
-          <ocil:title>Enable GSSAPI Authentication</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sshd_enable_gssapi_auth_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sshd_enable_pam_ocil:questionnaire:1">
-          <ocil:title>Enable PAM</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sshd_enable_pam_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sshd_enable_pubkey_auth_ocil:questionnaire:1">
-          <ocil:title>Enable Public Key Authentication</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sshd_enable_pubkey_auth_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sshd_enable_strictmodes_ocil:questionnaire:1">
-          <ocil:title>Enable Use of Strict Mode Checking</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sshd_enable_strictmodes_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sshd_enable_warning_banner_ocil:questionnaire:1">
-          <ocil:title>Enable SSH Warning Banner</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sshd_enable_warning_banner_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sshd_enable_warning_banner_net_ocil:questionnaire:1">
-          <ocil:title>Enable SSH Warning Banner</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sshd_enable_warning_banner_net_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sshd_enable_x11_forwarding_ocil:questionnaire:1">
-          <ocil:title>Enable Encrypted X11 Forwarding</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sshd_enable_x11_forwarding_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sshd_limit_user_access_ocil:questionnaire:1">
-          <ocil:title>Limit Users' SSH Access</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sshd_limit_user_access_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sshd_print_last_log_ocil:questionnaire:1">
-          <ocil:title>Enable SSH Print Last Log</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sshd_print_last_log_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sshd_rekey_limit_ocil:questionnaire:1">
-          <ocil:title>Force frequent session key renegotiation</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sshd_rekey_limit_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sshd_set_idle_timeout_ocil:questionnaire:1">
-          <ocil:title>Set SSH Idle Timeout Interval</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sshd_set_idle_timeout_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sshd_set_keepalive_ocil:questionnaire:1">
-          <ocil:title>Set SSH Client Alive Count Max</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sshd_set_keepalive_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sshd_set_keepalive_0_ocil:questionnaire:1">
-          <ocil:title>Set SSH Client Alive Count Max to zero</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sshd_set_keepalive_0_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sshd_set_login_grace_time_ocil:questionnaire:1">
-          <ocil:title>Ensure SSH LoginGraceTime is configured</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sshd_set_login_grace_time_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sshd_set_loglevel_info_ocil:questionnaire:1">
-          <ocil:title>Set LogLevel to INFO</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sshd_set_loglevel_info_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sshd_set_loglevel_verbose_ocil:questionnaire:1">
-          <ocil:title>Set SSH Daemon LogLevel to VERBOSE</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sshd_set_loglevel_verbose_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sshd_set_max_auth_tries_ocil:questionnaire:1">
-          <ocil:title>Set SSH authentication attempt limit</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sshd_set_max_auth_tries_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sshd_set_max_sessions_ocil:questionnaire:1">
-          <ocil:title>Set SSH MaxSessions limit</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sshd_set_max_sessions_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sshd_set_maxstartups_ocil:questionnaire:1">
-          <ocil:title>Ensure SSH MaxStartups is configured</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sshd_set_maxstartups_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sshd_use_priv_separation_ocil:questionnaire:1">
-          <ocil:title>Enable Use of Privilege Separation</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sshd_use_priv_separation_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-file_groupowner_sshd_config_ocil:questionnaire:1">
-          <ocil:title>Verify Group Who Owns SSH Server config file</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-file_groupowner_sshd_config_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-file_owner_sshd_config_ocil:questionnaire:1">
-          <ocil:title>Verify Owner on SSH Server config file</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-file_owner_sshd_config_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-file_permissions_sshd_config_ocil:questionnaire:1">
-          <ocil:title>Verify Permissions on SSH Server config file</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-file_permissions_sshd_config_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-file_permissions_sshd_private_key_ocil:questionnaire:1">
-          <ocil:title>Verify Permissions on SSH Server Private *_key Key Files</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-file_permissions_sshd_private_key_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-file_permissions_sshd_pub_key_ocil:questionnaire:1">
-          <ocil:title>Verify Permissions on SSH Server Public *.pub Key Files</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-file_permissions_sshd_pub_key_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-package_openssh-server_installed_ocil:questionnaire:1">
-          <ocil:title>Install the OpenSSH Server Package</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-package_openssh-server_installed_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-package_openssh-server_removed_ocil:questionnaire:1">
-          <ocil:title>Remove the OpenSSH Server Package</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-package_openssh-server_removed_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sssd_enable_smartcards_ocil:questionnaire:1">
-          <ocil:title>Enable Smartcards in SSSD</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sssd_enable_smartcards_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sssd_offline_cred_expiration_ocil:questionnaire:1">
-          <ocil:title>Configure SSSD to Expire Offline Credentials</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sssd_offline_cred_expiration_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sssd_run_as_sssd_user_ocil:questionnaire:1">
-          <ocil:title>Configure SSSD to run as user sssd</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sssd_run_as_sssd_user_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-configure_usbguard_auditbackend_ocil:questionnaire:1">
-          <ocil:title>Log USBGuard daemon audit events using Linux Audit</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-configure_usbguard_auditbackend_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-package_usbguard_installed_ocil:questionnaire:1">
-          <ocil:title>Install usbguard Package</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-package_usbguard_installed_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-service_usbguard_enabled_ocil:questionnaire:1">
-          <ocil:title>Enable the USBGuard Service</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-service_usbguard_enabled_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-usbguard_allow_hid_ocil:questionnaire:1">
-          <ocil:title>Authorize Human Interface Devices in USBGuard daemon</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-usbguard_allow_hid_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-usbguard_allow_hid_and_hub_ocil:questionnaire:1">
-          <ocil:title>Authorize Human Interface Devices and USB hubs in USBGuard daemon</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-usbguard_allow_hid_and_hub_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-usbguard_allow_hub_ocil:questionnaire:1">
-          <ocil:title>Authorize USB hubs in USBGuard daemon</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-usbguard_allow_hub_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-banner_etc_issue_ocil:questionnaire:1">
-          <ocil:title>Modify the System Login Banner</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-banner_etc_issue_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-file_groupowner_etc_issue_ocil:questionnaire:1">
-          <ocil:title>Verify Group Ownership of System Login Banner</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-file_groupowner_etc_issue_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-file_owner_etc_issue_ocil:questionnaire:1">
-          <ocil:title>Verify ownership of System Login Banner</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-file_owner_etc_issue_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-file_permissions_etc_issue_ocil:questionnaire:1">
-          <ocil:title>Verify permissions on System Login Banner</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-file_permissions_etc_issue_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-account_passwords_pam_faillock_audit_ocil:questionnaire:1">
-          <ocil:title>Account Lockouts Must Be Logged</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-account_passwords_pam_faillock_audit_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-account_passwords_pam_faillock_dir_ocil:questionnaire:1">
-          <ocil:title>Account Lockouts Must Persist</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-account_passwords_pam_faillock_dir_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-disallow_bypass_password_sudo_ocil:questionnaire:1">
-          <ocil:title>Disallow Configuration to Bypass Password Requirements for Privilege Escalation</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-disallow_bypass_password_sudo_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-display_login_attempts_ocil:questionnaire:1">
-          <ocil:title>Ensure PAM Displays Last Logon/Access Notification</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-display_login_attempts_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-configure_bashrc_exec_tmux_ocil:questionnaire:1">
-          <ocil:title>Support session locking with tmux</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-configure_bashrc_exec_tmux_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-configure_tmux_lock_after_time_ocil:questionnaire:1">
-          <ocil:title>Configure tmux to lock session after inactivity</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-configure_tmux_lock_after_time_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-configure_tmux_lock_command_ocil:questionnaire:1">
-          <ocil:title>Configure the tmux Lock Command</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-configure_tmux_lock_command_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-no_tmux_in_shells_ocil:questionnaire:1">
-          <ocil:title>Prevent user from disabling the screen lock</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-no_tmux_in_shells_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-package_tmux_installed_ocil:questionnaire:1">
-          <ocil:title>Install the tmux Package</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-package_tmux_installed_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-coreos_disable_interactive_boot_ocil:questionnaire:1">
-          <ocil:title>Verify that Interactive Boot is Disabled</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-coreos_disable_interactive_boot_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-disable_ctrlaltdel_burstaction_ocil:questionnaire:1">
-          <ocil:title>Disable Ctrl-Alt-Del Burst Action</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-disable_ctrlaltdel_burstaction_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-disable_ctrlaltdel_reboot_ocil:questionnaire:1">
-          <ocil:title>Disable Ctrl-Alt-Del Reboot Activation</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-disable_ctrlaltdel_reboot_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-grub2_disable_interactive_boot_ocil:questionnaire:1">
-          <ocil:title>Verify that Interactive Boot is Disabled</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-grub2_disable_interactive_boot_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-require_singleuser_auth_ocil:questionnaire:1">
-          <ocil:title>Require Authentication for Single User Mode</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-require_singleuser_auth_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-service_debug-shell_disabled_ocil:questionnaire:1">
-          <ocil:title>Disable debug-shell SystemD Service</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-service_debug-shell_disabled_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-account_disable_post_pw_expiration_ocil:questionnaire:1">
-          <ocil:title>Set Account Expiration Following Inactivity</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-account_disable_post_pw_expiration_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-account_unique_name_ocil:questionnaire:1">
-          <ocil:title>Ensure All Accounts on the System Have Unique Names</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-account_unique_name_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-account_use_centralized_automated_auth_ocil:questionnaire:1">
-          <ocil:title>Use Centralized and Automated Authentication</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-account_use_centralized_automated_auth_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-accounts_maximum_age_login_defs_ocil:questionnaire:1">
-          <ocil:title>Set Password Maximum Age</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-accounts_maximum_age_login_defs_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-accounts_minimum_age_login_defs_ocil:questionnaire:1">
-          <ocil:title>Set Password Minimum Age</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-accounts_minimum_age_login_defs_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-accounts_password_minlen_login_defs_ocil:questionnaire:1">
-          <ocil:title>Set Password Minimum Length in login.defs</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-accounts_password_minlen_login_defs_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-accounts_password_warn_age_login_defs_ocil:questionnaire:1">
-          <ocil:title>Set Password Warning Age</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-accounts_password_warn_age_login_defs_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-accounts_password_all_shadowed_ocil:questionnaire:1">
-          <ocil:title>Verify All Account Password Hashes are Shadowed</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-accounts_password_all_shadowed_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-gid_passwd_group_same_ocil:questionnaire:1">
-          <ocil:title>All GIDs referenced in /etc/passwd must be defined in /etc/group</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-gid_passwd_group_same_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-no_empty_passwords_ocil:questionnaire:1">
-          <ocil:title>Prevent Login to Accounts With Empty Password</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-no_empty_passwords_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-no_empty_passwords_etc_shadow_ocil:questionnaire:1">
-          <ocil:title>Ensure There Are No Accounts With Blank or Null Passwords</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-no_empty_passwords_etc_shadow_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-no_legacy_plus_entries_etc_group_ocil:questionnaire:1">
-          <ocil:title>Ensure there are no legacy + NIS entries in /etc/group</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-no_legacy_plus_entries_etc_group_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-no_legacy_plus_entries_etc_passwd_ocil:questionnaire:1">
-          <ocil:title>Ensure there are no legacy + NIS entries in /etc/passwd</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-no_legacy_plus_entries_etc_passwd_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-no_legacy_plus_entries_etc_shadow_ocil:questionnaire:1">
-          <ocil:title>Ensure there are no legacy + NIS entries in /etc/shadow</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-no_legacy_plus_entries_etc_shadow_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-no_netrc_files_ocil:questionnaire:1">
-          <ocil:title>Verify No netrc Files Exist</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-no_netrc_files_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-accounts_no_uid_except_zero_ocil:questionnaire:1">
-          <ocil:title>Verify Only Root Has UID 0</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-accounts_no_uid_except_zero_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-accounts_root_gid_zero_ocil:questionnaire:1">
-          <ocil:title>Verify Root Has A Primary GID 0</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-accounts_root_gid_zero_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-no_direct_root_logins_ocil:questionnaire:1">
-          <ocil:title>Direct root Logins Not Allowed</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-no_direct_root_logins_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-no_password_auth_for_systemaccounts_ocil:questionnaire:1">
-          <ocil:title>Ensure that System Accounts Are Locked</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-no_password_auth_for_systemaccounts_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-no_shelllogin_for_systemaccounts_ocil:questionnaire:1">
-          <ocil:title>Ensure that System Accounts Do Not Run a Shell Upon Login</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-no_shelllogin_for_systemaccounts_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-restrict_serial_port_logins_ocil:questionnaire:1">
-          <ocil:title>Restrict Serial Port Root Logins</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-restrict_serial_port_logins_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-securetty_root_login_console_only_ocil:questionnaire:1">
-          <ocil:title>Restrict Virtual Console Root Logins</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-securetty_root_login_console_only_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-accounts_root_path_dirs_no_write_ocil:questionnaire:1">
-          <ocil:title>Ensure that Root's Path Does Not Include World or Group-Writable Directories</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-accounts_root_path_dirs_no_write_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-accounts_umask_etc_bashrc_ocil:questionnaire:1">
-          <ocil:title>Ensure the Default Bash Umask is Set Correctly</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-accounts_umask_etc_bashrc_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-accounts_umask_etc_csh_cshrc_ocil:questionnaire:1">
-          <ocil:title>Ensure the Default C Shell Umask is Set Correctly</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-accounts_umask_etc_csh_cshrc_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-accounts_umask_etc_login_defs_ocil:questionnaire:1">
-          <ocil:title>Ensure the Default Umask is Set Correctly in login.defs</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-accounts_umask_etc_login_defs_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-accounts_umask_etc_profile_ocil:questionnaire:1">
-          <ocil:title>Ensure the Default Umask is Set Correctly in /etc/profile</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-accounts_umask_etc_profile_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-accounts_logon_fail_delay_ocil:questionnaire:1">
-          <ocil:title>Ensure the Logon Failure Delay is Set Correctly in login.defs</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-accounts_logon_fail_delay_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-accounts_max_concurrent_login_sessions_ocil:questionnaire:1">
-          <ocil:title>Limit the Number of Concurrent Login Sessions Allowed Per User</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-accounts_max_concurrent_login_sessions_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-accounts_polyinstantiated_tmp_ocil:questionnaire:1">
-          <ocil:title>Configure Polyinstantiation of /tmp Directories</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-accounts_polyinstantiated_tmp_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-accounts_polyinstantiated_var_tmp_ocil:questionnaire:1">
-          <ocil:title>Configure Polyinstantiation of /var/tmp Directories</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-accounts_polyinstantiated_var_tmp_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-accounts_tmout_ocil:questionnaire:1">
-          <ocil:title>Set Interactive Session Timeout</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-accounts_tmout_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-file_permissions_home_dirs_ocil:questionnaire:1">
-          <ocil:title>Ensure that User Home Directories are not Group-Writable or World-Readable</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-file_permissions_home_dirs_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_chmod_ocil:questionnaire:1">
-          <ocil:title>Record Events that Modify the System's Discretionary Access Controls - chmod</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_chmod_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_chown_ocil:questionnaire:1">
-          <ocil:title>Record Events that Modify the System's Discretionary Access Controls - chown</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_fchmod_ocil:questionnaire:1">
-          <ocil:title>Record Events that Modify the System's Discretionary Access Controls - fchmod</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_fchmod_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_fchmodat_ocil:questionnaire:1">
-          <ocil:title>Record Events that Modify the System's Discretionary Access Controls - fchmodat</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_fchmodat_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_fchown_ocil:questionnaire:1">
-          <ocil:title>Record Events that Modify the System's Discretionary Access Controls - fchown</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_fchown_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_fchownat_ocil:questionnaire:1">
-          <ocil:title>Record Events that Modify the System's Discretionary Access Controls - fchownat</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_fchownat_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_fremovexattr_ocil:questionnaire:1">
-          <ocil:title>Record Events that Modify the System's Discretionary Access Controls - fremovexattr</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_fremovexattr_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_fsetxattr_ocil:questionnaire:1">
-          <ocil:title>Record Events that Modify the System's Discretionary Access Controls - fsetxattr</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_fsetxattr_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_lchown_ocil:questionnaire:1">
-          <ocil:title>Record Events that Modify the System's Discretionary Access Controls - lchown</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_lchown_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_lremovexattr_ocil:questionnaire:1">
-          <ocil:title>Record Events that Modify the System's Discretionary Access Controls - lremovexattr</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_lremovexattr_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_lsetxattr_ocil:questionnaire:1">
-          <ocil:title>Record Events that Modify the System's Discretionary Access Controls - lsetxattr</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_removexattr_ocil:questionnaire:1">
-          <ocil:title>Record Events that Modify the System's Discretionary Access Controls - removexattr</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_removexattr_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_setxattr_ocil:questionnaire:1">
-          <ocil:title>Record Events that Modify the System's Discretionary Access Controls - setxattr</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_umount_ocil:questionnaire:1">
-          <ocil:title>Record Events that Modify the System's Discretionary Access Controls - umount</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_umount_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_dac_modification_umount2_ocil:questionnaire:1">
-          <ocil:title>Record Events that Modify the System's Discretionary Access Controls - umount2</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_execution_chcon_ocil:questionnaire:1">
-          <ocil:title>Record Any Attempts to Run chcon</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_execution_chcon_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_execution_restorecon_ocil:questionnaire:1">
-          <ocil:title>Record Any Attempts to Run restorecon</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_execution_restorecon_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_execution_semanage_ocil:questionnaire:1">
-          <ocil:title>Record Any Attempts to Run semanage</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_execution_semanage_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_execution_setfiles_ocil:questionnaire:1">
-          <ocil:title>Record Any Attempts to Run setfiles</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_execution_setfiles_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_execution_setsebool_ocil:questionnaire:1">
-          <ocil:title>Record Any Attempts to Run setsebool</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_execution_setsebool_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_execution_seunshare_ocil:questionnaire:1">
-          <ocil:title>Record Any Attempts to Run seunshare</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_execution_seunshare_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_file_deletion_events_ocil:questionnaire:1">
-          <ocil:title>Ensure auditd Collects File Deletion Events by User</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_file_deletion_events_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_file_deletion_events_rename_ocil:questionnaire:1">
-          <ocil:title>Ensure auditd Collects File Deletion Events by User - rename</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_file_deletion_events_rename_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_file_deletion_events_renameat_ocil:questionnaire:1">
-          <ocil:title>Ensure auditd Collects File Deletion Events by User - renameat</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_file_deletion_events_renameat_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_file_deletion_events_rmdir_ocil:questionnaire:1">
-          <ocil:title>Ensure auditd Collects File Deletion Events by User - rmdir</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_file_deletion_events_rmdir_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_file_deletion_events_unlink_ocil:questionnaire:1">
-          <ocil:title>Ensure auditd Collects File Deletion Events by User - unlink</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_file_deletion_events_unlink_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_file_deletion_events_unlinkat_ocil:questionnaire:1">
-          <ocil:title>Ensure auditd Collects File Deletion Events by User - unlinkat</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_file_deletion_events_unlinkat_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_unsuccessful_file_modification_ocil:questionnaire:1">
-          <ocil:title>Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful)</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_unsuccessful_file_modification_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_unsuccessful_file_modification_chmod_ocil:questionnaire:1">
-          <ocil:title>Record Unsuccessful Permission Changes to Files - chmod</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_unsuccessful_file_modification_chmod_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_unsuccessful_file_modification_chown_ocil:questionnaire:1">
-          <ocil:title>Record Unsuccessful Ownership Changes to Files - chown</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_unsuccessful_file_modification_chown_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_unsuccessful_file_modification_creat_ocil:questionnaire:1">
-          <ocil:title>Record Unsuccessful Access Attempts to Files - creat</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_unsuccessful_file_modification_creat_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_unsuccessful_file_modification_fchmod_ocil:questionnaire:1">
-          <ocil:title>Record Unsuccessful Permission Changes to Files - fchmod</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_unsuccessful_file_modification_fchmod_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_unsuccessful_file_modification_fchmodat_ocil:questionnaire:1">
-          <ocil:title>Record Unsuccessful Permission Changes to Files - fchmodat</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_unsuccessful_file_modification_fchmodat_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_unsuccessful_file_modification_fchown_ocil:questionnaire:1">
-          <ocil:title>Record Unsuccessful Ownership Changes to Files - fchown</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_unsuccessful_file_modification_fchown_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_unsuccessful_file_modification_fchownat_ocil:questionnaire:1">
-          <ocil:title>Record Unsuccessful Ownership Changes to Files - fchownat</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_unsuccessful_file_modification_fchownat_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_unsuccessful_file_modification_fremovexattr_ocil:questionnaire:1">
-          <ocil:title>Record Unsuccessful Permission Changes to Files - fremovexattr</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_unsuccessful_file_modification_fremovexattr_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_unsuccessful_file_modification_fsetxattr_ocil:questionnaire:1">
-          <ocil:title>Record Unsuccessful Permission Changes to Files - fsetxattr</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_unsuccessful_file_modification_fsetxattr_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_unsuccessful_file_modification_ftruncate_ocil:questionnaire:1">
-          <ocil:title>Record Unsuccessful Access Attempts to Files - ftruncate</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_unsuccessful_file_modification_ftruncate_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_unsuccessful_file_modification_lchown_ocil:questionnaire:1">
-          <ocil:title>Record Unsuccessful Ownership Changes to Files - lchown</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_unsuccessful_file_modification_lchown_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_unsuccessful_file_modification_lremovexattr_ocil:questionnaire:1">
-          <ocil:title>Record Unsuccessful Permission Changes to Files - lremovexattr</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_unsuccessful_file_modification_lremovexattr_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_unsuccessful_file_modification_lsetxattr_ocil:questionnaire:1">
-          <ocil:title>Record Unsuccessful Permission Changes to Files - lsetxattr</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_unsuccessful_file_modification_lsetxattr_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_unsuccessful_file_modification_open_ocil:questionnaire:1">
-          <ocil:title>Record Unsuccessful Access Attempts to Files - open</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_unsuccessful_file_modification_open_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_ocil:questionnaire:1">
-          <ocil:title>Record Unsuccessful Access Attempts to Files - open_by_handle_at</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat_ocil:questionnaire:1">
-          <ocil:title>Record Unsuccessful Creation Attempts to Files - open_by_handle_at O_CREAT</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write_ocil:questionnaire:1">
-          <ocil:title>Record Unsuccessful Modification Attempts to Files - open_by_handle_at O_TRUNC_WRITE</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order_ocil:questionnaire:1">
-          <ocil:title>Ensure auditd Unauthorized Access Attempts To open_by_handle_at Are Ordered Correctly</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_unsuccessful_file_modification_open_o_creat_ocil:questionnaire:1">
-          <ocil:title>Record Unsuccessful Creation Attempts to Files - open O_CREAT</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_unsuccessful_file_modification_open_o_creat_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_unsuccessful_file_modification_open_o_trunc_write_ocil:questionnaire:1">
-          <ocil:title>Record Unsuccessful Modification Attempts to Files - open O_TRUNC_WRITE</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_unsuccessful_file_modification_open_o_trunc_write_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_unsuccessful_file_modification_open_rule_order_ocil:questionnaire:1">
-          <ocil:title>Ensure auditd Rules For Unauthorized Attempts To open Are Ordered Correctly</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_unsuccessful_file_modification_open_rule_order_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_unsuccessful_file_modification_openat_ocil:questionnaire:1">
-          <ocil:title>Record Unsuccessful Access Attempts to Files - openat</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_unsuccessful_file_modification_openat_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_unsuccessful_file_modification_openat_o_creat_ocil:questionnaire:1">
-          <ocil:title>Record Unsuccessful Creation Attempts to Files - openat O_CREAT</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_unsuccessful_file_modification_openat_o_creat_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_unsuccessful_file_modification_openat_o_trunc_write_ocil:questionnaire:1">
-          <ocil:title>Record Unsuccessful Modification Attempts to Files - openat O_TRUNC_WRITE</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_unsuccessful_file_modification_openat_o_trunc_write_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_unsuccessful_file_modification_openat_rule_order_ocil:questionnaire:1">
-          <ocil:title>Ensure auditd Rules For Unauthorized Attempts To openat Are Ordered Correctly</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_unsuccessful_file_modification_openat_rule_order_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_unsuccessful_file_modification_removexattr_ocil:questionnaire:1">
-          <ocil:title>Record Unsuccessful Permission Changes to Files - removexattr</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_unsuccessful_file_modification_removexattr_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_unsuccessful_file_modification_rename_ocil:questionnaire:1">
-          <ocil:title>Record Unsuccessful Delete Attempts to Files - rename</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_unsuccessful_file_modification_rename_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_unsuccessful_file_modification_renameat_ocil:questionnaire:1">
-          <ocil:title>Record Unsuccessful Delete Attempts to Files - renameat</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_unsuccessful_file_modification_renameat_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_unsuccessful_file_modification_setxattr_ocil:questionnaire:1">
-          <ocil:title>Record Unsuccessful Permission Changes to Files - setxattr</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_unsuccessful_file_modification_setxattr_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_unsuccessful_file_modification_truncate_ocil:questionnaire:1">
-          <ocil:title>Record Unsuccessful Access Attempts to Files - truncate</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_unsuccessful_file_modification_truncate_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_unsuccessful_file_modification_unlink_ocil:questionnaire:1">
-          <ocil:title>Record Unsuccessful Delete Attempts to Files - unlink</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_unsuccessful_file_modification_unlink_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_unsuccessful_file_modification_unlinkat_ocil:questionnaire:1">
-          <ocil:title>Record Unsuccessful Delete Attempts to Files - unlinkat</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_unsuccessful_file_modification_unlinkat_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_kernel_module_loading_ocil:questionnaire:1">
-          <ocil:title>Ensure auditd Collects Information on Kernel Module Loading and Unloading</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_kernel_module_loading_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_kernel_module_loading_delete_ocil:questionnaire:1">
-          <ocil:title>Ensure auditd Collects Information on Kernel Module Unloading - delete_module</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_kernel_module_loading_delete_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_kernel_module_loading_finit_ocil:questionnaire:1">
-          <ocil:title>Ensure auditd Collects Information on Kernel Module Loading and Unloading - finit_module</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_kernel_module_loading_finit_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_kernel_module_loading_init_ocil:questionnaire:1">
-          <ocil:title>Ensure auditd Collects Information on Kernel Module Loading - init_module</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_kernel_module_loading_init_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_login_events_faillock_ocil:questionnaire:1">
-          <ocil:title>Record Attempts to Alter Logon and Logout Events - faillock</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_login_events_faillock_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_login_events_lastlog_ocil:questionnaire:1">
-          <ocil:title>Record Attempts to Alter Logon and Logout Events - lastlog</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_login_events_lastlog_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_login_events_tallylog_ocil:questionnaire:1">
-          <ocil:title>Record Attempts to Alter Logon and Logout Events - tallylog</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_login_events_tallylog_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_privileged_commands_init_ocil:questionnaire:1">
-          <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - init</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_privileged_commands_init_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_privileged_commands_poweroff_ocil:questionnaire:1">
-          <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - poweroff</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_privileged_commands_poweroff_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_privileged_commands_reboot_ocil:questionnaire:1">
-          <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - reboot</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_privileged_commands_reboot_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_privileged_commands_shutdown_ocil:questionnaire:1">
-          <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - shutdown</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_privileged_commands_shutdown_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_ocil:questionnaire:1">
-          <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_at_ocil:questionnaire:1">
-          <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - at</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_at_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_chage_ocil:questionnaire:1">
-          <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - chage</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_chsh_ocil:questionnaire:1">
-          <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - chsh</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_chsh_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_crontab_ocil:questionnaire:1">
-          <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - crontab</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_crontab_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_gpasswd_ocil:questionnaire:1">
-          <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - gpasswd</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_gpasswd_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_mount_ocil:questionnaire:1">
-          <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - mount</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_mount_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_newgidmap_ocil:questionnaire:1">
-          <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - newgidmap</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_newgidmap_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_newgrp_ocil:questionnaire:1">
-          <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - newgrp</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_newgrp_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_newuidmap_ocil:questionnaire:1">
-          <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - newuidmap</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_newuidmap_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_pam_timestamp_check_ocil:questionnaire:1">
-          <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - pam_timestamp_check</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_pam_timestamp_check_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_passwd_ocil:questionnaire:1">
-          <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - passwd</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_passwd_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_postdrop_ocil:questionnaire:1">
-          <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - postdrop</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_postdrop_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_postqueue_ocil:questionnaire:1">
-          <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - postqueue</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_postqueue_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_pt_chown_ocil:questionnaire:1">
-          <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - pt_chown</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_pt_chown_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_ssh_keysign_ocil:questionnaire:1">
-          <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - ssh-keysign</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_ssh_keysign_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_su_ocil:questionnaire:1">
-          <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - su</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_su_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_sudo_ocil:questionnaire:1">
-          <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - sudo</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_sudo_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_sudoedit_ocil:questionnaire:1">
-          <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - sudoedit</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_sudoedit_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_umount_ocil:questionnaire:1">
-          <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - umount</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_umount_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_unix_chkpwd_ocil:questionnaire:1">
-          <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - unix_chkpwd</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_unix_chkpwd_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_userhelper_ocil:questionnaire:1">
-          <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - userhelper</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_userhelper_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_privileged_commands_usernetctl_ocil:questionnaire:1">
-          <ocil:title>Ensure auditd Collects Information on the Use of Privileged Commands - usernetctl</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_privileged_commands_usernetctl_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_time_adjtimex_ocil:questionnaire:1">
-          <ocil:title>Record attempts to alter time through adjtimex</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_time_adjtimex_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_time_clock_settime_ocil:questionnaire:1">
-          <ocil:title>Record Attempts to Alter Time Through clock_settime</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_time_clock_settime_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_time_settimeofday_ocil:questionnaire:1">
-          <ocil:title>Record attempts to alter time through settimeofday</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_time_settimeofday_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_time_stime_ocil:questionnaire:1">
-          <ocil:title>Record Attempts to Alter Time Through stime</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_time_stime_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_time_watch_localtime_ocil:questionnaire:1">
-          <ocil:title>Record Attempts to Alter the localtime File</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_etc_group_open_ocil:questionnaire:1">
-          <ocil:title>Record Events that Modify User/Group Information via open syscall - /etc/group</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_etc_group_open_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_etc_group_open_by_handle_at_ocil:questionnaire:1">
-          <ocil:title>Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/group</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_etc_group_open_by_handle_at_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_etc_group_openat_ocil:questionnaire:1">
-          <ocil:title>Record Events that Modify User/Group Information via openat syscall - /etc/group</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_etc_group_openat_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_etc_gshadow_open_ocil:questionnaire:1">
-          <ocil:title>Record Events that Modify User/Group Information via open syscall - /etc/gshadow</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_etc_gshadow_open_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_etc_gshadow_open_by_handle_at_ocil:questionnaire:1">
-          <ocil:title>Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/gshadow</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_etc_gshadow_open_by_handle_at_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_etc_gshadow_openat_ocil:questionnaire:1">
-          <ocil:title>Record Events that Modify User/Group Information via openat syscall - /etc/gshadow</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_etc_gshadow_openat_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_etc_passwd_open_ocil:questionnaire:1">
-          <ocil:title>Record Events that Modify User/Group Information via open syscall - /etc/passwd</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_etc_passwd_open_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_etc_passwd_open_by_handle_at_ocil:questionnaire:1">
-          <ocil:title>Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/passwd</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_etc_passwd_open_by_handle_at_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_etc_passwd_openat_ocil:questionnaire:1">
-          <ocil:title>Record Events that Modify User/Group Information via openat syscall - /etc/passwd</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_etc_passwd_openat_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_etc_shadow_open_ocil:questionnaire:1">
-          <ocil:title>Record Events that Modify User/Group Information via open syscall - /etc/shadow</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_etc_shadow_open_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_etc_shadow_open_by_handle_at_ocil:questionnaire:1">
-          <ocil:title>Record Events that Modify User/Group Information via open_by_handle_at syscall - /etc/shadow</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_etc_shadow_open_by_handle_at_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_etc_shadow_openat_ocil:questionnaire:1">
-          <ocil:title>Record Events that Modify User/Group Information via openat syscall - /etc/shadow</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_etc_shadow_openat_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_immutable_ocil:questionnaire:1">
-          <ocil:title>Make the auditd Configuration Immutable</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_immutable_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_mac_modification_ocil:questionnaire:1">
-          <ocil:title>Record Events that Modify the System's Mandatory Access Controls</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_mac_modification_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_media_export_ocil:questionnaire:1">
-          <ocil:title>Ensure auditd Collects Information on Exporting to Media (successful)</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_media_export_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_networkconfig_modification_ocil:questionnaire:1">
-          <ocil:title>Record Events that Modify the System's Network Environment</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_networkconfig_modification_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_sysadmin_actions_ocil:questionnaire:1">
-          <ocil:title>Ensure auditd Collects System Administrator Actions</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_sysadmin_actions_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_usergroup_modification_ocil:questionnaire:1">
-          <ocil:title>Record Events that Modify User/Group Information</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_usergroup_modification_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_usergroup_modification_group_ocil:questionnaire:1">
-          <ocil:title>Record Events that Modify User/Group Information - /etc/group</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_usergroup_modification_group_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_usergroup_modification_gshadow_ocil:questionnaire:1">
-          <ocil:title>Record Events that Modify User/Group Information - /etc/gshadow</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_usergroup_modification_opasswd_ocil:questionnaire:1">
-          <ocil:title>Record Events that Modify User/Group Information - /etc/security/opasswd</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_usergroup_modification_opasswd_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_usergroup_modification_passwd_ocil:questionnaire:1">
-          <ocil:title>Record Events that Modify User/Group Information - /etc/passwd</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_usergroup_modification_passwd_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_usergroup_modification_shadow_ocil:questionnaire:1">
-          <ocil:title>Record Events that Modify User/Group Information - /etc/shadow</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_usergroup_modification_shadow_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-directory_access_var_log_audit_ocil:questionnaire:1">
-          <ocil:title>Record Access Events to Audit Log Directory</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-directory_access_var_log_audit_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-directory_permissions_var_log_audit_ocil:questionnaire:1">
-          <ocil:title>System Audit Logs Must Have Mode 0750 or Less Permissive</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-directory_permissions_var_log_audit_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-file_groupownership_audit_configuration_ocil:questionnaire:1">
-          <ocil:title>Audit Configuration Files Must Be Owned By Group root</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-file_groupownership_audit_configuration_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-file_ownership_audit_configuration_ocil:questionnaire:1">
-          <ocil:title>Audit Configuration Files Must Be Owned By Root</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-file_ownership_audit_configuration_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-file_ownership_var_log_audit_ocil:questionnaire:1">
-          <ocil:title>System Audit Logs Must Be Owned By Root</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-file_ownership_var_log_audit_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-file_permissions_var_log_audit_ocil:questionnaire:1">
-          <ocil:title>System Audit Logs Must Have Mode 0640 or Less Permissive</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-file_permissions_var_log_audit_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-auditd_audispd_configure_remote_server_ocil:questionnaire:1">
-          <ocil:title>Configure audispd Plugin To Send Logs To Remote Server</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-auditd_audispd_configure_remote_server_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-auditd_audispd_disk_full_action_ocil:questionnaire:1">
-          <ocil:title>Configure audispd's Plugin disk_full_action When Disk Is Full</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-auditd_audispd_disk_full_action_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-auditd_audispd_encrypt_sent_records_ocil:questionnaire:1">
-          <ocil:title>Encrypt Audit Records Sent With audispd Plugin</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-auditd_audispd_encrypt_sent_records_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-auditd_audispd_network_failure_action_ocil:questionnaire:1">
-          <ocil:title>Configure audispd's Plugin network_failure_action On Network Failure</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-auditd_audispd_network_failure_action_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-auditd_audispd_syslog_plugin_activated_ocil:questionnaire:1">
-          <ocil:title>Configure auditd to use audispd's syslog plugin</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-auditd_data_disk_error_action_ocil:questionnaire:1">
-          <ocil:title>Configure auditd Disk Error Action on Disk Error</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-auditd_data_disk_error_action_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-auditd_data_disk_error_action_stig_ocil:questionnaire:1">
-          <ocil:title>Configure auditd Disk Error Action on Disk Error</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-auditd_data_disk_error_action_stig_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-auditd_data_disk_full_action_ocil:questionnaire:1">
-          <ocil:title>Configure auditd Disk Full Action when Disk Space Is Full</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-auditd_data_disk_full_action_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-auditd_data_disk_full_action_stig_ocil:questionnaire:1">
-          <ocil:title>Configure auditd Disk Full Action when Disk Space Is Full</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-auditd_data_disk_full_action_stig_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-auditd_data_retention_action_mail_acct_ocil:questionnaire:1">
-          <ocil:title>Configure auditd mail_acct Action on Low Disk Space</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-auditd_data_retention_action_mail_acct_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-auditd_data_retention_admin_space_left_action_ocil:questionnaire:1">
-          <ocil:title>Configure auditd admin_space_left Action on Low Disk Space</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-auditd_data_retention_admin_space_left_action_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-auditd_data_retention_flush_ocil:questionnaire:1">
-          <ocil:title>Configure auditd flush priority</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-auditd_data_retention_flush_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-auditd_data_retention_max_log_file_ocil:questionnaire:1">
-          <ocil:title>Configure auditd Max Log File Size</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-auditd_data_retention_max_log_file_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-auditd_data_retention_max_log_file_action_ocil:questionnaire:1">
-          <ocil:title>Configure auditd max_log_file_action Upon Reaching Maximum Log Size</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-auditd_data_retention_max_log_file_action_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-auditd_data_retention_max_log_file_action_stig_ocil:questionnaire:1">
-          <ocil:title>Configure auditd max_log_file_action Upon Reaching Maximum Log Size</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-auditd_data_retention_max_log_file_action_stig_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-auditd_data_retention_num_logs_ocil:questionnaire:1">
-          <ocil:title>Configure auditd Number of Logs Retained</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-auditd_data_retention_num_logs_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-auditd_data_retention_space_left_ocil:questionnaire:1">
-          <ocil:title>Configure auditd space_left on Low Disk Space</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-auditd_data_retention_space_left_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-auditd_data_retention_space_left_action_ocil:questionnaire:1">
-          <ocil:title>Configure auditd space_left Action on Low Disk Space</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-auditd_data_retention_space_left_action_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-auditd_freq_ocil:questionnaire:1">
-          <ocil:title>Set number of records to cause an explicit flush to audit logs</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-auditd_freq_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-auditd_local_events_ocil:questionnaire:1">
-          <ocil:title>Include Local Events in Audit Logs</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-auditd_local_events_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-auditd_log_format_ocil:questionnaire:1">
-          <ocil:title>Resolve information before writing to audit logs</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-auditd_log_format_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-auditd_name_format_ocil:questionnaire:1">
-          <ocil:title>Set hostname as computer node name in audit logs</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-auditd_name_format_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-auditd_overflow_action_ocil:questionnaire:1">
-          <ocil:title>Appropriate Action Must be Setup When the Internal Audit Event Queue is Full</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-auditd_overflow_action_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-auditd_write_logs_ocil:questionnaire:1">
-          <ocil:title>Write Audit Logs to the Disk</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-auditd_write_logs_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_access_failed_ocil:questionnaire:1">
-          <ocil:title>Configure auditing of unsuccessful file accesses</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_access_failed_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_access_success_ocil:questionnaire:1">
-          <ocil:title>Configure auditing of successful file accesses</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_access_success_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_basic_configuration_ocil:questionnaire:1">
-          <ocil:title>Configure basic parameters of Audit system</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_basic_configuration_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_create_failed_ocil:questionnaire:1">
-          <ocil:title>Configure auditing of unsuccessful file creations</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_create_failed_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_create_success_ocil:questionnaire:1">
-          <ocil:title>Configure auditing of successful file creations</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_create_success_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_delete_failed_ocil:questionnaire:1">
-          <ocil:title>Configure auditing of unsuccessful file deletions</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_delete_failed_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_delete_success_ocil:questionnaire:1">
-          <ocil:title>Configure auditing of successful file deletions</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_delete_success_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_immutable_login_uids_ocil:questionnaire:1">
-          <ocil:title>Configure immutable Audit login UIDs</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_immutable_login_uids_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_modify_failed_ocil:questionnaire:1">
-          <ocil:title>Configure auditing of unsuccessful file modifications</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_modify_failed_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_modify_success_ocil:questionnaire:1">
-          <ocil:title>Configure auditing of successful file modifications</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_modify_success_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_module_load_ocil:questionnaire:1">
-          <ocil:title>Configure auditing of loading and unloading of kernel modules</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_module_load_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_ospp_general_ocil:questionnaire:1">
-          <ocil:title>Perform general configuration of Audit for OSPP</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_ospp_general_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_owner_change_failed_ocil:questionnaire:1">
-          <ocil:title>Configure auditing of unsuccessful ownership changes</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_owner_change_failed_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_owner_change_success_ocil:questionnaire:1">
-          <ocil:title>Configure auditing of successful ownership changes</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_owner_change_success_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_perm_change_failed_ocil:questionnaire:1">
-          <ocil:title>Configure auditing of unsuccessful permission changes</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_perm_change_failed_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_perm_change_success_ocil:questionnaire:1">
-          <ocil:title>Configure auditing of successful permission changes</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_perm_change_success_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-audit_rules_for_ospp_ocil:questionnaire:1">
-          <ocil:title>Configure audit according to OSPP requirements</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-audit_rules_for_ospp_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-coreos_audit_backlog_limit_kernel_argument_ocil:questionnaire:1">
-          <ocil:title>Extend Audit Backlog Limit for the Audit Daemon</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-coreos_audit_backlog_limit_kernel_argument_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-coreos_audit_option_ocil:questionnaire:1">
-          <ocil:title>Enable Auditing for Processes Which Start Prior to the Audit Daemon</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-coreos_audit_option_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-package_audispd-plugins_installed_ocil:questionnaire:1">
-          <ocil:title>Install audispd-plugins Package</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-package_audispd-plugins_installed_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-package_audit-audispd-plugins_installed_ocil:questionnaire:1">
-          <ocil:title>Ensure the default plugins for the audit dispatcher are Installed</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-package_audit-audispd-plugins_installed_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-package_audit_installed_ocil:questionnaire:1">
-          <ocil:title>Ensure the audit Subsystem is Installed</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-package_audit_installed_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-service_auditd_enabled_ocil:questionnaire:1">
-          <ocil:title>Enable auditd Service</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-service_auditd_enabled_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-grub2_uefi_admin_username_ocil:questionnaire:1">
-          <ocil:title>Set the UEFI Boot Loader Admin Username to a Non-Default Value</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-grub2_uefi_admin_username_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-grub2_uefi_password_ocil:questionnaire:1">
-          <ocil:title>Set the UEFI Boot Loader Password</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-grub2_uefi_password_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-coreos_pti_kernel_argument_ocil:questionnaire:1">
-          <ocil:title>Enable Kernel Page-Table Isolation (KPTI)</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-coreos_pti_kernel_argument_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-coreos_vsyscall_kernel_argument_ocil:questionnaire:1">
-          <ocil:title>Disable vsyscalls</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-coreos_vsyscall_kernel_argument_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-grub2_disable_recovery_ocil:questionnaire:1">
-          <ocil:title>Disable Recovery Booting</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-grub2_disable_recovery_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-grub2_enable_iommu_force_ocil:questionnaire:1">
-          <ocil:title>IOMMU configuration directive</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-grub2_enable_iommu_force_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-grub2_l1tf_argument_ocil:questionnaire:1">
-          <ocil:title>Configure L1 Terminal Fault mitigations</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-grub2_l1tf_argument_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-grub2_mce_argument_ocil:questionnaire:1">
-          <ocil:title>Force kernel panic on uncorrected MCEs</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-grub2_mce_argument_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-grub2_nosmap_argument_absent_ocil:questionnaire:1">
-          <ocil:title>Ensure SMAP is not disabled during boot</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-grub2_nosmep_argument_absent_ocil:questionnaire:1">
-          <ocil:title>Ensure SMEP is not disabled during boot</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-grub2_nosmep_argument_absent_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-grub2_rng_core_default_quality_argument_ocil:questionnaire:1">
-          <ocil:title>Configure the confidence in TPM for entropy</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-grub2_rng_core_default_quality_argument_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-grub2_slab_nomerge_argument_ocil:questionnaire:1">
-          <ocil:title>Disable merging of slabs with similar size</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-grub2_slab_nomerge_argument_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-grub2_spec_store_bypass_disable_argument_ocil:questionnaire:1">
-          <ocil:title>Configure Speculative Store Bypass Mitigation</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-grub2_spec_store_bypass_disable_argument_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-grub2_spectre_v2_argument_ocil:questionnaire:1">
-          <ocil:title>Enforce Spectre v2 mitigation</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-grub2_spectre_v2_argument_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-grub2_systemd_debug-shell_argument_absent_ocil:questionnaire:1">
-          <ocil:title>Ensure debug-shell service is not enabled during boot</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-grub2_systemd_debug-shell_argument_absent_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-zipl_audit_argument_ocil:questionnaire:1">
-          <ocil:title>Enable Auditing to Start Prior to the Audit Daemon in zIPL</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-zipl_audit_argument_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-zipl_audit_backlog_limit_argument_ocil:questionnaire:1">
-          <ocil:title>Extend Audit Backlog Limit for the Audit Daemon in zIPL</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-zipl_audit_backlog_limit_argument_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-zipl_bls_entries_only_ocil:questionnaire:1">
-          <ocil:title>Ensure all zIPL boot entries are BLS compliant</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-zipl_bls_entries_only_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-zipl_bootmap_is_up_to_date_ocil:questionnaire:1">
-          <ocil:title>Ensure zIPL bootmap is up to date</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-zipl_bootmap_is_up_to_date_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-zipl_enable_selinux_ocil:questionnaire:1">
-          <ocil:title>Ensure SELinux Not Disabled in zIPL</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-zipl_enable_selinux_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-zipl_page_poison_argument_ocil:questionnaire:1">
-          <ocil:title>Enable page allocator poisoning in zIPL</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-zipl_page_poison_argument_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-zipl_slub_debug_argument_ocil:questionnaire:1">
-          <ocil:title>Enable SLUB/SLAB allocator poisoning in zIPL</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-zipl_slub_debug_argument_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-zipl_systemd_debug-shell_argument_absent_ocil:questionnaire:1">
-          <ocil:title>Ensure debug-shell service is not enabled in zIPL</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-zipl_systemd_debug-shell_argument_absent_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-zipl_vsyscall_argument_ocil:questionnaire:1">
-          <ocil:title>Disable vsyscalls in zIPL</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-zipl_vsyscall_argument_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-kernel_config_acpi_custom_method_ocil:questionnaire:1">
-          <ocil:title>Do not allow ACPI methods to be inserted/replaced at run time</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-kernel_config_acpi_custom_method_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-kernel_config_binfmt_misc_ocil:questionnaire:1">
-          <ocil:title>Disable kernel support for MISC binaries</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-kernel_config_binfmt_misc_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-kernel_config_bug_ocil:questionnaire:1">
-          <ocil:title>Enable support for BUG()</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-kernel_config_bug_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-kernel_config_compat_brk_ocil:questionnaire:1">
-          <ocil:title>Disable compatibility with brk()</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-kernel_config_compat_brk_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-kernel_config_compat_vdso_ocil:questionnaire:1">
-          <ocil:title>Disable the 32-bit vDSO</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-kernel_config_compat_vdso_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-kernel_config_debug_credentials_ocil:questionnaire:1">
-          <ocil:title>Enable checks on credential management</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-kernel_config_debug_credentials_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-kernel_config_debug_fs_ocil:questionnaire:1">
-          <ocil:title>Disable kernel debugfs</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-kernel_config_debug_fs_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-kernel_config_debug_list_ocil:questionnaire:1">
-          <ocil:title>Enable checks on linked list manipulation</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-kernel_config_debug_list_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-kernel_config_debug_notifiers_ocil:questionnaire:1">
-          <ocil:title>Enable checks on notifier call chains</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-kernel_config_debug_notifiers_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-kernel_config_debug_sg_ocil:questionnaire:1">
-          <ocil:title>Enable checks on scatter-gather (SG) table operations</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-kernel_config_debug_sg_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-kernel_config_default_mmap_min_addr_ocil:questionnaire:1">
-          <ocil:title>Configure low address space to protect from user allocation</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-kernel_config_default_mmap_min_addr_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-kernel_config_devkmem_ocil:questionnaire:1">
-          <ocil:title>Disable /dev/kmem virtual device support</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-kernel_config_devkmem_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-kernel_config_hibernation_ocil:questionnaire:1">
-          <ocil:title>Disable hibernation</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-kernel_config_hibernation_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-kernel_config_ia32_emulation_ocil:questionnaire:1">
-          <ocil:title>Disable IA32 emulation</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-kernel_config_ia32_emulation_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-kernel_config_ipv6_ocil:questionnaire:1">
-          <ocil:title>Disable the IPv6 protocol</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-kernel_config_ipv6_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-kernel_config_kexec_ocil:questionnaire:1">
-          <ocil:title>Disable kexec system call</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-kernel_config_kexec_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-kernel_config_legacy_ptys_ocil:questionnaire:1">
-          <ocil:title>Disable legacy (BSD) PTY support</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-kernel_config_legacy_ptys_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-kernel_config_module_sig_ocil:questionnaire:1">
-          <ocil:title>Enable module signature verification</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-kernel_config_module_sig_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-kernel_config_module_sig_all_ocil:questionnaire:1">
-          <ocil:title>Enable automatic signing of all modules</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-kernel_config_module_sig_all_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-kernel_config_module_sig_force_ocil:questionnaire:1">
-          <ocil:title>Require modules to be validly signed</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-kernel_config_module_sig_force_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-kernel_config_module_sig_hash_ocil:questionnaire:1">
-          <ocil:title>Specify the hash to use when signing modules</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-kernel_config_module_sig_hash_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-kernel_config_module_sig_key_ocil:questionnaire:1">
-          <ocil:title>Specify module signing key to use</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-kernel_config_module_sig_key_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-kernel_config_module_sig_sha512_ocil:questionnaire:1">
-          <ocil:title>Sign kernel modules with SHA-512</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-kernel_config_module_sig_sha512_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-kernel_config_page_poisoning_no_sanity_ocil:questionnaire:1">
-          <ocil:title>Enable poison without sanity check</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-kernel_config_page_poisoning_no_sanity_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-kernel_config_page_poisoning_zero_ocil:questionnaire:1">
-          <ocil:title>Use zero for poisoning instead of debugging value</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-kernel_config_page_poisoning_zero_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-kernel_config_page_table_isolation_ocil:questionnaire:1">
-          <ocil:title>Remove the kernel mapping in user mode</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-kernel_config_page_table_isolation_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-kernel_config_panic_on_oops_ocil:questionnaire:1">
-          <ocil:title>Kernel panic oops</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-kernel_config_panic_on_oops_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-kernel_config_panic_timeout_ocil:questionnaire:1">
-          <ocil:title>Kernel panic timeout</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-kernel_config_panic_timeout_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-kernel_config_proc_kcore_ocil:questionnaire:1">
-          <ocil:title>Disable support for /proc/kkcore</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-kernel_config_proc_kcore_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-kernel_config_randomize_base_ocil:questionnaire:1">
-          <ocil:title>Randomize the address of the kernel image (KASLR)</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-kernel_config_randomize_base_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-kernel_config_randomize_memory_ocil:questionnaire:1">
-          <ocil:title>Randomize the kernel memory sections</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-kernel_config_randomize_memory_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-kernel_config_retpoline_ocil:questionnaire:1">
-          <ocil:title>Avoid speculative indirect branches in kernel</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-kernel_config_retpoline_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-kernel_config_seccomp_ocil:questionnaire:1">
-          <ocil:title>Enable seccomp to safely compute untrusted bytecode</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-kernel_config_seccomp_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-kernel_config_seccomp_filter_ocil:questionnaire:1">
-          <ocil:title>Enable use of Berkeley Packet Filter with seccomp</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-kernel_config_seccomp_filter_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-kernel_config_security_ocil:questionnaire:1">
-          <ocil:title>Enable different security models</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-kernel_config_security_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-kernel_config_security_dmesg_restrict_ocil:questionnaire:1">
-          <ocil:title>Restrict unprivileged access to the kernel syslog</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-kernel_config_security_dmesg_restrict_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-kernel_config_security_writable_hooks_ocil:questionnaire:1">
-          <ocil:title>Disable mutable hooks</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-kernel_config_security_writable_hooks_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-kernel_config_security_yama_ocil:questionnaire:1">
-          <ocil:title>Enable Yama support</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-kernel_config_security_yama_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-kernel_config_slub_debug_ocil:questionnaire:1">
-          <ocil:title>Enable SLUB debugging support</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-kernel_config_slub_debug_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-kernel_config_syn_cookies_ocil:questionnaire:1">
-          <ocil:title>Enable TCP/IP syncookie support</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-kernel_config_syn_cookies_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-kernel_config_unmap_kernel_at_el0_ocil:questionnaire:1">
-          <ocil:title>Unmap kernel when running in userspace (aka KAISER)</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-kernel_config_unmap_kernel_at_el0_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-kernel_config_x86_vsyscall_emulation_ocil:questionnaire:1">
-          <ocil:title>Disable x86 vsyscall emulation</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-kernel_config_x86_vsyscall_emulation_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-rsyslog_encrypt_offload_actionsendstreamdriverauthmode_ocil:questionnaire:1">
-          <ocil:title>Ensure Rsyslog Authenticates Off-Loaded Audit Records</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-rsyslog_encrypt_offload_actionsendstreamdriverauthmode_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-rsyslog_encrypt_offload_actionsendstreamdrivermode_ocil:questionnaire:1">
-          <ocil:title>Ensure Rsyslog Encrypts Off-Loaded Audit Records</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-rsyslog_encrypt_offload_actionsendstreamdrivermode_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-rsyslog_encrypt_offload_defaultnetstreamdriver_ocil:questionnaire:1">
-          <ocil:title>Ensure Rsyslog Encrypts Off-Loaded Audit Records</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-rsyslog_encrypt_offload_defaultnetstreamdriver_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-rsyslog_files_groupownership_ocil:questionnaire:1">
-          <ocil:title>Ensure Log Files Are Owned By Appropriate Group</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-rsyslog_files_groupownership_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-rsyslog_files_ownership_ocil:questionnaire:1">
-          <ocil:title>Ensure Log Files Are Owned By Appropriate User</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-rsyslog_files_ownership_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-rsyslog_files_permissions_ocil:questionnaire:1">
-          <ocil:title>Ensure System Log Files Have Correct Permissions</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-rsyslog_files_permissions_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-service_systemd-journald_enabled_ocil:questionnaire:1">
-          <ocil:title>Enable systemd-journald Service</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-service_systemd-journald_enabled_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-ensure_logrotate_activated_ocil:questionnaire:1">
-          <ocil:title>Ensure Logrotate Runs Periodically</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-ensure_logrotate_activated_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-package_syslogng_installed_ocil:questionnaire:1">
-          <ocil:title>Ensure syslog-ng is Installed</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-package_syslogng_installed_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-service_syslogng_enabled_ocil:questionnaire:1">
-          <ocil:title>Enable syslog-ng Service</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-service_syslogng_enabled_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-rsyslog_remote_loghost_ocil:questionnaire:1">
-          <ocil:title>Ensure Logs Sent To Remote Host</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-rsyslog_remote_loghost_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-package_rsyslog_installed_ocil:questionnaire:1">
-          <ocil:title>Ensure rsyslog is Installed</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-package_rsyslog_installed_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-service_rsyslog_enabled_ocil:questionnaire:1">
-          <ocil:title>Enable rsyslog Service</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-service_rsyslog_enabled_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-package_firewalld_installed_ocil:questionnaire:1">
-          <ocil:title>Install firewalld Package</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-package_firewalld_installed_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-service_firewalld_enabled_ocil:questionnaire:1">
-          <ocil:title>Verify firewalld Enabled</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-service_firewalld_enabled_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-package_libreswan_installed_ocil:questionnaire:1">
-          <ocil:title>Install libreswan Package</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-package_libreswan_installed_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-service_ip6tables_enabled_ocil:questionnaire:1">
-          <ocil:title>Verify ip6tables Enabled if Using IPv6</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-service_ip6tables_enabled_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-service_iptables_enabled_ocil:questionnaire:1">
-          <ocil:title>Verify iptables Enabled</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-service_iptables_enabled_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-set_ip6tables_default_rule_ocil:questionnaire:1">
-          <ocil:title>Set Default ip6tables Policy for Incoming Packets</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-set_ip6tables_default_rule_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-set_iptables_default_rule_ocil:questionnaire:1">
-          <ocil:title>Set Default iptables Policy for Incoming Packets</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-set_iptables_default_rule_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-set_iptables_default_rule_forward_ocil:questionnaire:1">
-          <ocil:title>Set Default iptables Policy for Forwarded Packets</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-set_iptables_default_rule_forward_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-package_iptables_installed_ocil:questionnaire:1">
-          <ocil:title>Install iptables Package</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-package_iptables_installed_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_ocil:questionnaire:1">
-          <ocil:title>Configure Accepting Router Advertisements on All IPv6 Interfaces</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv6_conf_all_accept_redirects_ocil:questionnaire:1">
-          <ocil:title>Disable Accepting ICMP Redirects for All IPv6 Interfaces</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv6_conf_all_accept_redirects_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv6_conf_all_accept_source_route_ocil:questionnaire:1">
-          <ocil:title>Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv6 Interfaces</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv6_conf_all_accept_source_route_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv6_conf_default_accept_ra_ocil:questionnaire:1">
-          <ocil:title>Disable Accepting Router Advertisements on all IPv6 Interfaces by Default</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv6_conf_default_accept_ra_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv6_conf_default_accept_redirects_ocil:questionnaire:1">
-          <ocil:title>Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv6 Interfaces</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv6_conf_default_accept_redirects_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv6_conf_default_accept_source_route_ocil:questionnaire:1">
-          <ocil:title>Disable Kernel Parameter for Accepting Source-Routed Packets on IPv6 Interfaces by Default</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv6_conf_default_accept_source_route_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-grub2_ipv6_disable_argument_ocil:questionnaire:1">
-          <ocil:title>Ensure IPv6 is disabled through kernel boot parameter</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-grub2_ipv6_disable_argument_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-kernel_module_ipv6_option_disabled_ocil:questionnaire:1">
-          <ocil:title>Disable IPv6 Networking Support Automatic Loading</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-kernel_module_ipv6_option_disabled_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv6_conf_all_disable_ipv6_ocil:questionnaire:1">
-          <ocil:title>Disable IPv6 Addressing on All IPv6 Interfaces</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv6_conf_all_disable_ipv6_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv6_conf_default_disable_ipv6_ocil:questionnaire:1">
-          <ocil:title>Disable IPv6 Addressing on IPv6 Interfaces by Default</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv6_conf_default_disable_ipv6_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv4_conf_all_accept_local_ocil:questionnaire:1">
-          <ocil:title>Disable Accepting Packets Routed Between Local Interfaces</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv4_conf_all_accept_local_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv4_conf_all_accept_redirects_ocil:questionnaire:1">
-          <ocil:title>Disable Accepting ICMP Redirects for All IPv4 Interfaces</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv4_conf_all_accept_redirects_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv4_conf_all_accept_source_route_ocil:questionnaire:1">
-          <ocil:title>Disable Kernel Parameter for Accepting Source-Routed Packets on all IPv4 Interfaces</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv4_conf_all_accept_source_route_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv4_conf_all_arp_filter_ocil:questionnaire:1">
-          <ocil:title>Configure ARP filtering for All IPv4 Interfaces</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv4_conf_all_arp_filter_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv4_conf_all_arp_ignore_ocil:questionnaire:1">
-          <ocil:title>Configure Response Mode of ARP Requests for All IPv4 Interfaces</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv4_conf_all_arp_ignore_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv4_conf_all_log_martians_ocil:questionnaire:1">
-          <ocil:title>Enable Kernel Parameter to Log Martian Packets on all IPv4 Interfaces</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv4_conf_all_log_martians_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv4_conf_all_route_localnet_ocil:questionnaire:1">
-          <ocil:title>Prevent Routing External Traffic to Local Loopback on All IPv4 Interfaces</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv4_conf_all_route_localnet_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv4_conf_all_rp_filter_ocil:questionnaire:1">
-          <ocil:title>Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv4_conf_all_rp_filter_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv4_conf_all_secure_redirects_ocil:questionnaire:1">
-          <ocil:title>Disable Kernel Parameter for Accepting Secure ICMP Redirects on all IPv4 Interfaces</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv4_conf_all_secure_redirects_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv4_conf_all_shared_media_ocil:questionnaire:1">
-          <ocil:title>Configure Sending and Accepting Shared Media Redirects for All IPv4 Interfaces</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv4_conf_all_shared_media_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv4_conf_default_accept_redirects_ocil:questionnaire:1">
-          <ocil:title>Disable Kernel Parameter for Accepting ICMP Redirects by Default on IPv4 Interfaces</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv4_conf_default_accept_redirects_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv4_conf_default_accept_source_route_ocil:questionnaire:1">
-          <ocil:title>Disable Kernel Parameter for Accepting Source-Routed Packets on IPv4 Interfaces by Default</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv4_conf_default_accept_source_route_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv4_conf_default_log_martians_ocil:questionnaire:1">
-          <ocil:title>Enable Kernel Paremeter to Log Martian Packets on all IPv4 Interfaces by Default</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv4_conf_default_log_martians_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv4_conf_default_rp_filter_ocil:questionnaire:1">
-          <ocil:title>Enable Kernel Parameter to Use Reverse Path Filtering on all IPv4 Interfaces by Default</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv4_conf_default_rp_filter_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv4_conf_default_secure_redirects_ocil:questionnaire:1">
-          <ocil:title>Configure Kernel Parameter for Accepting Secure Redirects By Default</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv4_conf_default_secure_redirects_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv4_conf_default_shared_media_ocil:questionnaire:1">
-          <ocil:title>Configure Sending and Accepting Shared Media Redirects by Default</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv4_conf_default_shared_media_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv4_icmp_echo_ignore_broadcasts_ocil:questionnaire:1">
-          <ocil:title>Enable Kernel Parameter to Ignore ICMP Broadcast Echo Requests on IPv4 Interfaces</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv4_icmp_echo_ignore_broadcasts_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv4_icmp_ignore_bogus_error_responses_ocil:questionnaire:1">
-          <ocil:title>Enable Kernel Parameter to Ignore Bogus ICMP Error Responses on IPv4 Interfaces</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv4_icmp_ignore_bogus_error_responses_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv4_tcp_invalid_ratelimit_ocil:questionnaire:1">
-          <ocil:title>Configure Kernel to Rate Limit Sending of Duplicate TCP Acknowledgments</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv4_tcp_invalid_ratelimit_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv4_tcp_syncookies_ocil:questionnaire:1">
-          <ocil:title>Enable Kernel Parameter to Use TCP Syncookies on Network Interfaces</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv4_tcp_syncookies_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv4_conf_all_send_redirects_ocil:questionnaire:1">
-          <ocil:title>Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv4_conf_all_send_redirects_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv4_conf_default_send_redirects_ocil:questionnaire:1">
-          <ocil:title>Disable Kernel Parameter for Sending ICMP Redirects on all IPv4 Interfaces by Default</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv4_conf_default_send_redirects_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sysctl_net_ipv4_ip_forward_ocil:questionnaire:1">
-          <ocil:title>Disable Kernel Parameter for IP Forwarding on IPv4 Interfaces</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sysctl_net_ipv4_ip_forward_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-service_ufw_enabled_ocil:questionnaire:1">
-          <ocil:title>Verify ufw Enabled</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-service_ufw_enabled_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-kernel_module_atm_disabled_ocil:questionnaire:1">
-          <ocil:title>Disable ATM Support</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-kernel_module_atm_disabled_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-kernel_module_can_disabled_ocil:questionnaire:1">
-          <ocil:title>Disable CAN Support</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-kernel_module_can_disabled_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-kernel_module_firewire-core_disabled_ocil:questionnaire:1">
-          <ocil:title>Disable IEEE 1394 (FireWire) Support</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-kernel_module_firewire-core_disabled_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-kernel_module_rds_disabled_ocil:questionnaire:1">
-          <ocil:title>Disable RDS Support</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-kernel_module_rds_disabled_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-kernel_module_sctp_disabled_ocil:questionnaire:1">
-          <ocil:title>Disable SCTP Support</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-kernel_module_sctp_disabled_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-kernel_module_tipc_disabled_ocil:questionnaire:1">
-          <ocil:title>Disable TIPC Support</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-kernel_module_tipc_disabled_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-kernel_module_bluetooth_disabled_ocil:questionnaire:1">
-          <ocil:title>Disable Bluetooth Kernel Module</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-kernel_module_bluetooth_disabled_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-kernel_module_cfg80211_disabled_ocil:questionnaire:1">
-          <ocil:title>Disable Kernel cfg80211 Module</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-kernel_module_cfg80211_disabled_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-kernel_module_iwlmvm_disabled_ocil:questionnaire:1">
-          <ocil:title>Disable Kernel iwlmvm Module</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-kernel_module_iwlmvm_disabled_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-kernel_module_iwlwifi_disabled_ocil:questionnaire:1">
-          <ocil:title>Disable Kernel iwlwifi Module</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-kernel_module_iwlwifi_disabled_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-kernel_module_mac80211_disabled_ocil:questionnaire:1">
-          <ocil:title>Disable Kernel mac80211 Module</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-kernel_module_mac80211_disabled_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-service_bluetooth_disabled_ocil:questionnaire:1">
-          <ocil:title>Disable Bluetooth Service</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-service_bluetooth_disabled_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-wireless_disable_interfaces_ocil:questionnaire:1">
-          <ocil:title>Deactivate Wireless Network Interfaces</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-wireless_disable_interfaces_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-network_nmcli_permissions_ocil:questionnaire:1">
-          <ocil:title>Prevent non-Privileged Users from Modifying Network Interfaces using nmcli</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-network_nmcli_permissions_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-file_groupowner_backup_etc_group_ocil:questionnaire:1">
-          <ocil:title>Verify Group Who Owns Backup group File</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-file_groupowner_backup_etc_group_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-file_groupowner_backup_etc_gshadow_ocil:questionnaire:1">
-          <ocil:title>Verify Group Who Owns Backup gshadow File</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-file_groupowner_backup_etc_gshadow_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-file_groupowner_backup_etc_passwd_ocil:questionnaire:1">
-          <ocil:title>Verify Group Who Owns Backup passwd File</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-file_groupowner_backup_etc_passwd_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-file_groupowner_backup_etc_shadow_ocil:questionnaire:1">
-          <ocil:title>Verify User Who Owns Backup shadow File</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-file_groupowner_backup_etc_shadow_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-file_groupowner_etc_group_ocil:questionnaire:1">
-          <ocil:title>Verify Group Who Owns group File</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-file_groupowner_etc_group_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-file_groupowner_etc_gshadow_ocil:questionnaire:1">
-          <ocil:title>Verify Group Who Owns gshadow File</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-file_groupowner_etc_gshadow_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-file_groupowner_etc_passwd_ocil:questionnaire:1">
-          <ocil:title>Verify Group Who Owns passwd File</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-file_groupowner_etc_passwd_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-file_groupowner_etc_shadow_ocil:questionnaire:1">
-          <ocil:title>Verify Group Who Owns shadow File</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-file_groupowner_etc_shadow_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-file_owner_backup_etc_group_ocil:questionnaire:1">
-          <ocil:title>Verify User Who Owns Backup group File</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-file_owner_backup_etc_group_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-file_owner_backup_etc_gshadow_ocil:questionnaire:1">
-          <ocil:title>Verify User Who Owns Backup gshadow File</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-file_owner_backup_etc_gshadow_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-file_owner_backup_etc_passwd_ocil:questionnaire:1">
-          <ocil:title>Verify User Who Owns Backup passwd File</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-file_owner_backup_etc_passwd_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-file_owner_backup_etc_shadow_ocil:questionnaire:1">
-          <ocil:title>Verify Group Who Owns Backup shadow File</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-file_owner_backup_etc_shadow_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-file_owner_etc_group_ocil:questionnaire:1">
-          <ocil:title>Verify User Who Owns group File</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-file_owner_etc_group_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-file_owner_etc_gshadow_ocil:questionnaire:1">
-          <ocil:title>Verify User Who Owns gshadow File</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-file_owner_etc_gshadow_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-file_owner_etc_passwd_ocil:questionnaire:1">
-          <ocil:title>Verify User Who Owns passwd File</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-file_owner_etc_passwd_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-file_owner_etc_shadow_ocil:questionnaire:1">
-          <ocil:title>Verify User Who Owns shadow File</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-file_owner_etc_shadow_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-file_permissions_backup_etc_group_ocil:questionnaire:1">
-          <ocil:title>Verify Permissions on Backup group File</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-file_permissions_backup_etc_group_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-file_permissions_backup_etc_gshadow_ocil:questionnaire:1">
-          <ocil:title>Verify Permissions on Backup gshadow File</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-file_permissions_backup_etc_gshadow_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-file_permissions_backup_etc_passwd_ocil:questionnaire:1">
-          <ocil:title>Verify Permissions on Backup passwd File</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-file_permissions_backup_etc_passwd_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-file_permissions_backup_etc_shadow_ocil:questionnaire:1">
-          <ocil:title>Verify Permissions on Backup shadow File</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-file_permissions_backup_etc_shadow_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-file_permissions_etc_group_ocil:questionnaire:1">
-          <ocil:title>Verify Permissions on group File</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-file_permissions_etc_group_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-file_permissions_etc_gshadow_ocil:questionnaire:1">
-          <ocil:title>Verify Permissions on gshadow File</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-file_permissions_etc_gshadow_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-file_permissions_etc_passwd_ocil:questionnaire:1">
-          <ocil:title>Verify Permissions on passwd File</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-file_permissions_etc_passwd_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-file_permissions_etc_shadow_ocil:questionnaire:1">
-          <ocil:title>Verify Permissions on shadow File</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-file_permissions_etc_shadow_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-file_groupowner_var_log_ocil:questionnaire:1">
-          <ocil:title>Verify Group Who Owns /var/log Directory</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-file_groupowner_var_log_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-file_groupowner_var_log_messages_ocil:questionnaire:1">
-          <ocil:title>Verify Group Who Owns /var/log/messages File</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-file_groupowner_var_log_messages_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-file_groupowner_var_log_syslog_ocil:questionnaire:1">
-          <ocil:title>Verify Group Who Owns /var/log/syslog File</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-file_groupowner_var_log_syslog_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-file_owner_var_log_ocil:questionnaire:1">
-          <ocil:title>Verify User Who Owns /var/log Directory</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-file_owner_var_log_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-file_owner_var_log_messages_ocil:questionnaire:1">
-          <ocil:title>Verify User Who Owns /var/log/messages File</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-file_owner_var_log_messages_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-file_owner_var_log_syslog_ocil:questionnaire:1">
-          <ocil:title>Verify User Who Owns /var/log/syslog File</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-file_owner_var_log_syslog_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-file_permissions_var_log_ocil:questionnaire:1">
-          <ocil:title>Verify Permissions on /var/log Directory</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-file_permissions_var_log_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-file_permissions_var_log_messages_ocil:questionnaire:1">
-          <ocil:title>Verify Permissions on /var/log/messages File</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-file_permissions_var_log_messages_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-file_permissions_var_log_syslog_ocil:questionnaire:1">
-          <ocil:title>Verify Permissions on /var/log/syslog File</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-file_permissions_var_log_syslog_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-dir_ownership_binary_dirs_ocil:questionnaire:1">
-          <ocil:title>Verify that System Executable Have Root Ownership</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-dir_ownership_binary_dirs_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-dir_ownership_library_dirs_ocil:questionnaire:1">
-          <ocil:title>Verify that Shared Library Directories Have Root Ownership</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-dir_ownership_library_dirs_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-dir_permissions_binary_dirs_ocil:questionnaire:1">
-          <ocil:title>Verify that System Executable Directories Have Restrictive Permissions</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-dir_permissions_binary_dirs_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-dir_permissions_library_dirs_ocil:questionnaire:1">
-          <ocil:title>Verify that Shared Library Directories Have Restrictive Permissions</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-dir_permissions_library_dirs_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-file_ownership_binary_dirs_ocil:questionnaire:1">
-          <ocil:title>Verify that System Executables Have Root Ownership</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-file_ownership_binary_dirs_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-file_ownership_library_dirs_ocil:questionnaire:1">
-          <ocil:title>Verify that Shared Library Files Have Root Ownership</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-file_ownership_library_dirs_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-file_permissions_binary_dirs_ocil:questionnaire:1">
-          <ocil:title>Verify that System Executables Have Restrictive Permissions</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-file_permissions_binary_dirs_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-file_permissions_library_dirs_ocil:questionnaire:1">
-          <ocil:title>Verify that Shared Library Files Have Restrictive Permissions</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-file_permissions_library_dirs_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-dir_perms_world_writable_sticky_bits_ocil:questionnaire:1">
-          <ocil:title>Verify that All World-Writable Directories Have Sticky Bits Set</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-dir_perms_world_writable_sticky_bits_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-file_permissions_systemmap_ocil:questionnaire:1">
-          <ocil:title>Verify that local System.map file (if exists) is readable only by root</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-file_permissions_systemmap_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-file_permissions_unauthorized_world_writable_ocil:questionnaire:1">
-          <ocil:title>Ensure No World-Writable Files Exist</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-file_permissions_unauthorized_world_writable_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sysctl_fs_protected_hardlinks_ocil:questionnaire:1">
-          <ocil:title>Enable Kernel Parameter to Enforce DAC on Hardlinks</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sysctl_fs_protected_hardlinks_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sysctl_fs_protected_symlinks_ocil:questionnaire:1">
-          <ocil:title>Enable Kernel Parameter to Enforce DAC on Symlinks</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sysctl_fs_protected_symlinks_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-kernel_module_cramfs_disabled_ocil:questionnaire:1">
-          <ocil:title>Disable Mounting of cramfs</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-kernel_module_cramfs_disabled_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-kernel_module_usb-storage_disabled_ocil:questionnaire:1">
-          <ocil:title>Disable Modprobe Loading of USB Storage Driver</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-kernel_module_usb-storage_disabled_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-service_autofs_disabled_ocil:questionnaire:1">
-          <ocil:title>Disable the Automounter</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-service_autofs_disabled_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-mount_option_boot_nodev_ocil:questionnaire:1">
-          <ocil:title>Add nodev Option to /boot</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-mount_option_boot_nodev_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-mount_option_boot_nosuid_ocil:questionnaire:1">
-          <ocil:title>Add nosuid Option to /boot</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-mount_option_boot_nosuid_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-mount_option_dev_shm_nodev_ocil:questionnaire:1">
-          <ocil:title>Add nodev Option to /dev/shm</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-mount_option_dev_shm_nodev_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-mount_option_dev_shm_noexec_ocil:questionnaire:1">
-          <ocil:title>Add noexec Option to /dev/shm</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-mount_option_dev_shm_noexec_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-mount_option_dev_shm_nosuid_ocil:questionnaire:1">
-          <ocil:title>Add nosuid Option to /dev/shm</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-mount_option_dev_shm_nosuid_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-mount_option_home_nodev_ocil:questionnaire:1">
-          <ocil:title>Add nodev Option to /home</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-mount_option_home_nodev_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-mount_option_home_nosuid_ocil:questionnaire:1">
-          <ocil:title>Add nosuid Option to /home</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-mount_option_home_nosuid_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-mount_option_nodev_nonroot_local_partitions_ocil:questionnaire:1">
-          <ocil:title>Add nodev Option to Non-Root Local Partitions</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-mount_option_nodev_nonroot_local_partitions_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-mount_option_nodev_removable_partitions_ocil:questionnaire:1">
-          <ocil:title>Add nodev Option to Removable Media Partitions</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-mount_option_nodev_removable_partitions_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-mount_option_noexec_removable_partitions_ocil:questionnaire:1">
-          <ocil:title>Add noexec Option to Removable Media Partitions</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-mount_option_noexec_removable_partitions_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-mount_option_nosuid_removable_partitions_ocil:questionnaire:1">
-          <ocil:title>Add nosuid Option to Removable Media Partitions</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-mount_option_nosuid_removable_partitions_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-mount_option_tmp_nodev_ocil:questionnaire:1">
-          <ocil:title>Add nodev Option to /tmp</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-mount_option_tmp_nodev_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-mount_option_tmp_noexec_ocil:questionnaire:1">
-          <ocil:title>Add noexec Option to /tmp</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-mount_option_tmp_noexec_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-mount_option_tmp_nosuid_ocil:questionnaire:1">
-          <ocil:title>Add nosuid Option to /tmp</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-mount_option_tmp_nosuid_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-mount_option_var_log_audit_nodev_ocil:questionnaire:1">
-          <ocil:title>Add nodev Option to /var/log/audit</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-mount_option_var_log_audit_nodev_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-mount_option_var_log_audit_noexec_ocil:questionnaire:1">
-          <ocil:title>Add noexec Option to /var/log/audit</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-mount_option_var_log_audit_noexec_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-mount_option_var_log_audit_nosuid_ocil:questionnaire:1">
-          <ocil:title>Add nosuid Option to /var/log/audit</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-mount_option_var_log_audit_nosuid_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-mount_option_var_log_nodev_ocil:questionnaire:1">
-          <ocil:title>Add nodev Option to /var/log</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-mount_option_var_log_nodev_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-mount_option_var_log_noexec_ocil:questionnaire:1">
-          <ocil:title>Add noexec Option to /var/log</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-mount_option_var_log_noexec_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-mount_option_var_log_nosuid_ocil:questionnaire:1">
-          <ocil:title>Add nosuid Option to /var/log</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-mount_option_var_log_nosuid_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-mount_option_var_nodev_ocil:questionnaire:1">
-          <ocil:title>Add nodev Option to /var</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-mount_option_var_nodev_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-mount_option_var_nosuid_ocil:questionnaire:1">
-          <ocil:title>Add nosuid Option to /var</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-mount_option_var_nosuid_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-mount_option_var_tmp_nodev_ocil:questionnaire:1">
-          <ocil:title>Add nodev Option to /var/tmp</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-mount_option_var_tmp_nodev_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-mount_option_var_tmp_noexec_ocil:questionnaire:1">
-          <ocil:title>Add noexec Option to /var/tmp</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-mount_option_var_tmp_noexec_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-mount_option_var_tmp_nosuid_ocil:questionnaire:1">
-          <ocil:title>Add nosuid Option to /var/tmp</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-mount_option_var_tmp_nosuid_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-coredump_disable_backtraces_ocil:questionnaire:1">
-          <ocil:title>Disable core dump backtraces</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-coredump_disable_backtraces_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-coredump_disable_storage_ocil:questionnaire:1">
-          <ocil:title>Disable storing core dump</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-coredump_disable_storage_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-disable_users_coredumps_ocil:questionnaire:1">
-          <ocil:title>Disable Core Dumps for All Users</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-disable_users_coredumps_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-service_systemd-coredump_disabled_ocil:questionnaire:1">
-          <ocil:title>Disable acquiring, saving, and processing core dumps</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-service_systemd-coredump_disabled_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sysctl_fs_suid_dumpable_ocil:questionnaire:1">
-          <ocil:title>Disable Core Dumps for SUID programs</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sysctl_fs_suid_dumpable_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sysctl_kernel_kptr_restrict_ocil:questionnaire:1">
-          <ocil:title>Restrict Exposed Kernel Pointer Addresses Access</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sysctl_kernel_kptr_restrict_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sysctl_kernel_randomize_va_space_ocil:questionnaire:1">
-          <ocil:title>Enable Randomized Layout of Virtual Address Space</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sysctl_kernel_randomize_va_space_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-coreos_page_poison_kernel_argument_ocil:questionnaire:1">
-          <ocil:title>Enable page allocator poisoning</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-coreos_page_poison_kernel_argument_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-coreos_slub_debug_kernel_argument_ocil:questionnaire:1">
-          <ocil:title>Enable SLUB/SLAB allocator poisoning</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-coreos_slub_debug_kernel_argument_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-kernel_module_uvcvideo_disabled_ocil:questionnaire:1">
-          <ocil:title>Disable the uvcvideo module</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-kernel_module_uvcvideo_disabled_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sysctl_kernel_core_pattern_ocil:questionnaire:1">
-          <ocil:title>Disable storing core dumps</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sysctl_kernel_core_pattern_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sysctl_kernel_core_pattern_empty_string_ocil:questionnaire:1">
-          <ocil:title>Disable storing core dumps</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sysctl_kernel_core_pattern_empty_string_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sysctl_kernel_core_uses_pid_ocil:questionnaire:1">
-          <ocil:title>Configure file name of core dumps</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sysctl_kernel_core_uses_pid_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sysctl_kernel_dmesg_restrict_ocil:questionnaire:1">
-          <ocil:title>Restrict Access to Kernel Message Buffer</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sysctl_kernel_dmesg_restrict_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sysctl_kernel_kexec_load_disabled_ocil:questionnaire:1">
-          <ocil:title>Disable Kernel Image Loading</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sysctl_kernel_kexec_load_disabled_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sysctl_kernel_panic_on_oops_ocil:questionnaire:1">
-          <ocil:title>Kernel panic on oops</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sysctl_kernel_panic_on_oops_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sysctl_kernel_perf_event_paranoid_ocil:questionnaire:1">
-          <ocil:title>Disallow kernel profiling by unprivileged users</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sysctl_kernel_perf_event_paranoid_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sysctl_kernel_unprivileged_bpf_disabled_ocil:questionnaire:1">
-          <ocil:title>Disable Access to Network bpf() Syscall From Unprivileged Processes</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sysctl_kernel_unprivileged_bpf_disabled_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sysctl_kernel_yama_ptrace_scope_ocil:questionnaire:1">
-          <ocil:title>Restrict usage of ptrace to descendant processes</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sysctl_kernel_yama_ptrace_scope_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sysctl_net_core_bpf_jit_harden_ocil:questionnaire:1">
-          <ocil:title>Harden the operation of the BPF just-in-time compiler</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sysctl_net_core_bpf_jit_harden_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sysctl_user_max_user_namespaces_ocil:questionnaire:1">
-          <ocil:title>Disable the use of user namespaces</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sysctl_user_max_user_namespaces_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-coreos_enable_selinux_kernel_argument_ocil:questionnaire:1">
-          <ocil:title>Ensure SELinux Not Disabled in the kernel arguments</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-coreos_enable_selinux_kernel_argument_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-grub2_enable_selinux_ocil:questionnaire:1">
-          <ocil:title>Ensure SELinux Not Disabled in /etc/default/grub</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-grub2_enable_selinux_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-package_libselinux_installed_ocil:questionnaire:1">
-          <ocil:title>Install libselinux Package</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-package_libselinux_installed_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-package_setroubleshoot-plugins_removed_ocil:questionnaire:1">
-          <ocil:title>Uninstall setroubleshoot-plugins Package</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-package_setroubleshoot-plugins_removed_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-package_setroubleshoot-server_removed_ocil:questionnaire:1">
-          <ocil:title>Uninstall setroubleshoot-server Package</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-package_setroubleshoot-server_removed_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-selinux_confinement_of_daemons_ocil:questionnaire:1">
-          <ocil:title>Ensure No Daemons are Unconfined by SELinux</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-selinux_confinement_of_daemons_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-selinux_policytype_ocil:questionnaire:1">
-          <ocil:title>Configure SELinux Policy</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-selinux_policytype_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-selinux_state_ocil:questionnaire:1">
-          <ocil:title>Ensure SELinux State is Enforcing</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-selinux_state_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-encrypt_partitions_ocil:questionnaire:1">
-          <ocil:title>Encrypt Partitions</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-encrypt_partitions_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-partition_for_home_ocil:questionnaire:1">
-          <ocil:title>Ensure /home Located On Separate Partition</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-partition_for_home_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-partition_for_srv_ocil:questionnaire:1">
-          <ocil:title>Ensure /srv Located On Separate Partition</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-partition_for_srv_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-partition_for_tmp_ocil:questionnaire:1">
-          <ocil:title>Ensure /tmp Located On Separate Partition</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-partition_for_tmp_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-partition_for_var_ocil:questionnaire:1">
-          <ocil:title>Ensure /var Located On Separate Partition</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-partition_for_var_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-partition_for_var_log_ocil:questionnaire:1">
-          <ocil:title>Ensure /var/log Located On Separate Partition</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-partition_for_var_log_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-partition_for_var_log_audit_ocil:questionnaire:1">
-          <ocil:title>Ensure /var/log/audit Located On Separate Partition</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-partition_for_var_log_audit_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-partition_for_var_tmp_ocil:questionnaire:1">
-          <ocil:title>Ensure /var/tmp Located On Separate Partition</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-partition_for_var_tmp_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-gnome_gdm_disable_xdmcp_ocil:questionnaire:1">
-          <ocil:title>Disable XDMCP in GDM</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-gnome_gdm_disable_xdmcp_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-installed_OS_is_FIPS_certified_ocil:questionnaire:1">
-          <ocil:title>The Installed Operating System Is FIPS 140-2 Certified</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-installed_OS_is_FIPS_certified_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-configure_bind_crypto_policy_ocil:questionnaire:1">
-          <ocil:title>Configure BIND to use System Crypto Policy</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-configure_bind_crypto_policy_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-configure_crypto_policy_ocil:questionnaire:1">
-          <ocil:title>Configure System Cryptography Policy</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-configure_crypto_policy_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-configure_kerberos_crypto_policy_ocil:questionnaire:1">
-          <ocil:title>Configure Kerberos to use System Crypto Policy</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-configure_kerberos_crypto_policy_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-configure_libreswan_crypto_policy_ocil:questionnaire:1">
-          <ocil:title>Configure Libreswan to use System Crypto Policy</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-configure_libreswan_crypto_policy_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-configure_openssl_crypto_policy_ocil:questionnaire:1">
-          <ocil:title>Configure OpenSSL library to use System Crypto Policy</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-configure_openssl_crypto_policy_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-configure_ssh_crypto_policy_ocil:questionnaire:1">
-          <ocil:title>Configure SSH to use System Crypto Policy</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-configure_ssh_crypto_policy_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-harden_openssl_crypto_policy_ocil:questionnaire:1">
-          <ocil:title>Harden OpenSSL Crypto Policy</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-harden_openssl_crypto_policy_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-harden_ssh_client_crypto_policy_ocil:questionnaire:1">
-          <ocil:title>Harden SSH client Crypto Policy</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-harden_ssh_client_crypto_policy_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-harden_sshd_crypto_policy_ocil:questionnaire:1">
-          <ocil:title>Harden SSHD Crypto Policy</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-harden_sshd_crypto_policy_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-package_MFEhiplsm_installed_ocil:questionnaire:1">
-          <ocil:title>Install the Host Intrusion Prevention System (HIPS) Module</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-package_MFEhiplsm_installed_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-configure_user_data_backups_ocil:questionnaire:1">
-          <ocil:title>Configure Backups of User Data</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-configure_user_data_backups_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-enable_dracut_fips_module_ocil:questionnaire:1">
-          <ocil:title>Enable Dracut FIPS Module</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-enable_dracut_fips_module_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-enable_fips_mode_ocil:questionnaire:1">
-          <ocil:title>Enable FIPS Mode</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-enable_fips_mode_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-etc_system_fips_exists_ocil:questionnaire:1">
-          <ocil:title>Ensure '/etc/system-fips' exists</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-etc_system_fips_exists_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-grub2_enable_fips_mode_ocil:questionnaire:1">
-          <ocil:title>Enable FIPS Mode in GRUB2</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-grub2_enable_fips_mode_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-package_dracut-fips-aesni_installed_ocil:questionnaire:1">
-          <ocil:title>Install the dracut-fips-aesni Package</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-package_dracut-fips-aesni_installed_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-package_dracut-fips_installed_ocil:questionnaire:1">
-          <ocil:title>Install the dracut-fips Package</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-package_dracut-fips_installed_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sysctl_crypto_fips_enabled_ocil:questionnaire:1">
-          <ocil:title>Set kernel parameter 'crypto.fips_enabled' to 1</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sysctl_crypto_fips_enabled_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-aide_build_database_ocil:questionnaire:1">
-          <ocil:title>Build and Test AIDE Database</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-aide_build_database_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-package_aide_installed_ocil:questionnaire:1">
-          <ocil:title>Install AIDE</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-package_aide_installed_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-rpm_verify_ownership_ocil:questionnaire:1">
-          <ocil:title>Verify and Correct Ownership with RPM</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-rpm_verify_ownership_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-rpm_verify_permissions_ocil:questionnaire:1">
-          <ocil:title>Verify and Correct File Permissions with RPM</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-rpm_verify_permissions_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-package_sudo_installed_ocil:questionnaire:1">
-          <ocil:title>Install sudo Package</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-package_sudo_installed_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sudo_add_noexec_ocil:questionnaire:1">
-          <ocil:title>Ensure Privileged Escalated Commands Cannot Execute Other Commands - sudo NOEXEC</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sudo_add_noexec_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sudo_add_requiretty_ocil:questionnaire:1">
-          <ocil:title>Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo requiretty</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sudo_add_requiretty_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sudo_add_use_pty_ocil:questionnaire:1">
-          <ocil:title>Ensure Only Users Logged In To Real tty Can Execute Sudo - sudo use_pty</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sudo_add_use_pty_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sudo_custom_logfile_ocil:questionnaire:1">
-          <ocil:title>Ensure Sudo Logfile Exists - sudo logfile</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sudo_custom_logfile_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sudo_remove_no_authenticate_ocil:questionnaire:1">
-          <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo !authenticate</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sudo_remove_no_authenticate_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sudo_remove_nopasswd_ocil:questionnaire:1">
-          <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo NOPASSWD</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sudo_remove_nopasswd_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sudo_require_authentication_ocil:questionnaire:1">
-          <ocil:title>Ensure Users Re-Authenticate for Privilege Escalation - sudo</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sudo_require_authentication_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sudo_vdsm_nopasswd_ocil:questionnaire:1">
-          <ocil:title>Only the VDSM User Can Use sudo NOPASSWD</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sudo_vdsm_nopasswd_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sudoers_explicit_command_args_ocil:questionnaire:1">
-          <ocil:title>Explicit arguments in sudo specifications</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sudoers_explicit_command_args_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sudoers_no_command_negation_ocil:questionnaire:1">
-          <ocil:title>Don't define allowed commands in sudoers by means of exclusion</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sudoers_no_command_negation_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-sudoers_no_root_target_ocil:questionnaire:1">
-          <ocil:title>Don't target root user in the sudoers file</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-sudoers_no_root_target_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-package_gnutls-utils_installed_ocil:questionnaire:1">
-          <ocil:title>Ensure gnutls-utils is installed</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-package_gnutls-utils_installed_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-package_nss-tools_installed_ocil:questionnaire:1">
-          <ocil:title>Ensure nss-tools is installed</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-package_nss-tools_installed_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-ensure_redhat_gpgkey_installed_ocil:questionnaire:1">
-          <ocil:title>Ensure Red Hat GPG Key Installed</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-ensure_redhat_gpgkey_installed_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-        <ocil:questionnaire id="ocil:ssg-prefer_64bit_os_ocil:questionnaire:1">
-          <ocil:title>Prefer to use a 64-bit Operating System when supported</ocil:title>
-          <ocil:actions>
-            <ocil:test_action_ref>ocil:ssg-prefer_64bit_os_action:testaction:1</ocil:test_action_ref>
-          </ocil:actions>
-        </ocil:questionnaire>
-      </ocil:questionnaires>
-      <ocil:test_actions>
-        <ocil:boolean_question_test_action id="ocil:ssg-service_cron_enabled_action:testaction:1" question_ref="ocil:ssg-service_cron_enabled_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-package_bind_removed_action:testaction:1" question_ref="ocil:ssg-package_bind_removed_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-fapolicyd_prevent_home_folder_access_action:testaction:1" question_ref="ocil:ssg-fapolicyd_prevent_home_folder_access_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-package_fapolicyd_installed_action:testaction:1" question_ref="ocil:ssg-package_fapolicyd_installed_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-service_fapolicyd_enabled_action:testaction:1" question_ref="ocil:ssg-service_fapolicyd_enabled_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-kerberos_disable_no_keytab_action:testaction:1" question_ref="ocil:ssg-kerberos_disable_no_keytab_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-package_openldap-clients_removed_action:testaction:1" question_ref="ocil:ssg-package_openldap-clients_removed_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-postfix_client_configure_mail_alias_action:testaction:1" question_ref="ocil:ssg-postfix_client_configure_mail_alias_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-postfix_client_configure_mail_alias_postmaster_action:testaction:1" question_ref="ocil:ssg-postfix_client_configure_mail_alias_postmaster_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-postfix_client_configure_relayhost_action:testaction:1" question_ref="ocil:ssg-postfix_client_configure_relayhost_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-package_postfix_installed_action:testaction:1" question_ref="ocil:ssg-package_postfix_installed_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-package_sendmail_removed_action:testaction:1" question_ref="ocil:ssg-package_sendmail_removed_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-no_all_squash_exports_action:testaction:1" question_ref="ocil:ssg-no_all_squash_exports_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-chronyd_client_only_action:testaction:1" question_ref="ocil:ssg-chronyd_client_only_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-chronyd_no_chronyc_network_action:testaction:1" question_ref="ocil:ssg-chronyd_no_chronyc_network_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-chronyd_or_ntpd_set_maxpoll_action:testaction:1" question_ref="ocil:ssg-chronyd_or_ntpd_set_maxpoll_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-chronyd_or_ntpd_specify_remote_server_action:testaction:1" question_ref="ocil:ssg-chronyd_or_ntpd_specify_remote_server_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-chronyd_server_directive_action:testaction:1" question_ref="ocil:ssg-chronyd_server_directive_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-chronyd_specify_remote_server_action:testaction:1" question_ref="ocil:ssg-chronyd_specify_remote_server_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-ntpd_specify_remote_server_action:testaction:1" question_ref="ocil:ssg-ntpd_specify_remote_server_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-package_chrony_installed_action:testaction:1" question_ref="ocil:ssg-package_chrony_installed_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-package_ntp_installed_action:testaction:1" question_ref="ocil:ssg-package_ntp_installed_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-service_chronyd_enabled_action:testaction:1" question_ref="ocil:ssg-service_chronyd_enabled_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-service_chronyd_or_ntpd_enabled_action:testaction:1" question_ref="ocil:ssg-service_chronyd_or_ntpd_enabled_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-service_ntp_enabled_action:testaction:1" question_ref="ocil:ssg-service_ntp_enabled_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-service_ntpd_enabled_action:testaction:1" question_ref="ocil:ssg-service_ntpd_enabled_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-no_rsh_trust_files_action:testaction:1" question_ref="ocil:ssg-no_rsh_trust_files_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-service_rngd_enabled_action:testaction:1" question_ref="ocil:ssg-service_rngd_enabled_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-package_samba-common_installed_action:testaction:1" question_ref="ocil:ssg-package_samba-common_installed_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-package_net-snmp_removed_action:testaction:1" question_ref="ocil:ssg-package_net-snmp_removed_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-ssh_client_rekey_limit_action:testaction:1" question_ref="ocil:ssg-ssh_client_rekey_limit_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-disable_host_auth_action:testaction:1" question_ref="ocil:ssg-disable_host_auth_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sshd_allow_only_protocol2_action:testaction:1" question_ref="ocil:ssg-sshd_allow_only_protocol2_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sshd_disable_compression_action:testaction:1" question_ref="ocil:ssg-sshd_disable_compression_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sshd_disable_empty_passwords_action:testaction:1" question_ref="ocil:ssg-sshd_disable_empty_passwords_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sshd_disable_gssapi_auth_action:testaction:1" question_ref="ocil:ssg-sshd_disable_gssapi_auth_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sshd_disable_kerb_auth_action:testaction:1" question_ref="ocil:ssg-sshd_disable_kerb_auth_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sshd_disable_pubkey_auth_action:testaction:1" question_ref="ocil:ssg-sshd_disable_pubkey_auth_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sshd_disable_rhosts_action:testaction:1" question_ref="ocil:ssg-sshd_disable_rhosts_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sshd_disable_rhosts_rsa_action:testaction:1" question_ref="ocil:ssg-sshd_disable_rhosts_rsa_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sshd_disable_root_login_action:testaction:1" question_ref="ocil:ssg-sshd_disable_root_login_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sshd_disable_root_password_login_action:testaction:1" question_ref="ocil:ssg-sshd_disable_root_password_login_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sshd_disable_tcp_forwarding_action:testaction:1" question_ref="ocil:ssg-sshd_disable_tcp_forwarding_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sshd_disable_user_known_hosts_action:testaction:1" question_ref="ocil:ssg-sshd_disable_user_known_hosts_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sshd_disable_x11_forwarding_action:testaction:1" question_ref="ocil:ssg-sshd_disable_x11_forwarding_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sshd_do_not_permit_user_env_action:testaction:1" question_ref="ocil:ssg-sshd_do_not_permit_user_env_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sshd_enable_gssapi_auth_action:testaction:1" question_ref="ocil:ssg-sshd_enable_gssapi_auth_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sshd_enable_pam_action:testaction:1" question_ref="ocil:ssg-sshd_enable_pam_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sshd_enable_pubkey_auth_action:testaction:1" question_ref="ocil:ssg-sshd_enable_pubkey_auth_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sshd_enable_strictmodes_action:testaction:1" question_ref="ocil:ssg-sshd_enable_strictmodes_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sshd_enable_warning_banner_action:testaction:1" question_ref="ocil:ssg-sshd_enable_warning_banner_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sshd_enable_warning_banner_net_action:testaction:1" question_ref="ocil:ssg-sshd_enable_warning_banner_net_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sshd_enable_x11_forwarding_action:testaction:1" question_ref="ocil:ssg-sshd_enable_x11_forwarding_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sshd_limit_user_access_action:testaction:1" question_ref="ocil:ssg-sshd_limit_user_access_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sshd_print_last_log_action:testaction:1" question_ref="ocil:ssg-sshd_print_last_log_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sshd_rekey_limit_action:testaction:1" question_ref="ocil:ssg-sshd_rekey_limit_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sshd_set_idle_timeout_action:testaction:1" question_ref="ocil:ssg-sshd_set_idle_timeout_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sshd_set_keepalive_action:testaction:1" question_ref="ocil:ssg-sshd_set_keepalive_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sshd_set_keepalive_0_action:testaction:1" question_ref="ocil:ssg-sshd_set_keepalive_0_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sshd_set_login_grace_time_action:testaction:1" question_ref="ocil:ssg-sshd_set_login_grace_time_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sshd_set_loglevel_info_action:testaction:1" question_ref="ocil:ssg-sshd_set_loglevel_info_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sshd_set_loglevel_verbose_action:testaction:1" question_ref="ocil:ssg-sshd_set_loglevel_verbose_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sshd_set_max_auth_tries_action:testaction:1" question_ref="ocil:ssg-sshd_set_max_auth_tries_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sshd_set_max_sessions_action:testaction:1" question_ref="ocil:ssg-sshd_set_max_sessions_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sshd_set_maxstartups_action:testaction:1" question_ref="ocil:ssg-sshd_set_maxstartups_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sshd_use_priv_separation_action:testaction:1" question_ref="ocil:ssg-sshd_use_priv_separation_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-file_groupowner_sshd_config_action:testaction:1" question_ref="ocil:ssg-file_groupowner_sshd_config_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-file_owner_sshd_config_action:testaction:1" question_ref="ocil:ssg-file_owner_sshd_config_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-file_permissions_sshd_config_action:testaction:1" question_ref="ocil:ssg-file_permissions_sshd_config_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-file_permissions_sshd_private_key_action:testaction:1" question_ref="ocil:ssg-file_permissions_sshd_private_key_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-file_permissions_sshd_pub_key_action:testaction:1" question_ref="ocil:ssg-file_permissions_sshd_pub_key_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-package_openssh-server_installed_action:testaction:1" question_ref="ocil:ssg-package_openssh-server_installed_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-package_openssh-server_removed_action:testaction:1" question_ref="ocil:ssg-package_openssh-server_removed_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sssd_enable_smartcards_action:testaction:1" question_ref="ocil:ssg-sssd_enable_smartcards_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sssd_offline_cred_expiration_action:testaction:1" question_ref="ocil:ssg-sssd_offline_cred_expiration_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sssd_run_as_sssd_user_action:testaction:1" question_ref="ocil:ssg-sssd_run_as_sssd_user_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-configure_usbguard_auditbackend_action:testaction:1" question_ref="ocil:ssg-configure_usbguard_auditbackend_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-package_usbguard_installed_action:testaction:1" question_ref="ocil:ssg-package_usbguard_installed_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-service_usbguard_enabled_action:testaction:1" question_ref="ocil:ssg-service_usbguard_enabled_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-usbguard_allow_hid_action:testaction:1" question_ref="ocil:ssg-usbguard_allow_hid_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-usbguard_allow_hid_and_hub_action:testaction:1" question_ref="ocil:ssg-usbguard_allow_hid_and_hub_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-usbguard_allow_hub_action:testaction:1" question_ref="ocil:ssg-usbguard_allow_hub_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-banner_etc_issue_action:testaction:1" question_ref="ocil:ssg-banner_etc_issue_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-file_groupowner_etc_issue_action:testaction:1" question_ref="ocil:ssg-file_groupowner_etc_issue_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-file_owner_etc_issue_action:testaction:1" question_ref="ocil:ssg-file_owner_etc_issue_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-file_permissions_etc_issue_action:testaction:1" question_ref="ocil:ssg-file_permissions_etc_issue_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-account_passwords_pam_faillock_audit_action:testaction:1" question_ref="ocil:ssg-account_passwords_pam_faillock_audit_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-account_passwords_pam_faillock_dir_action:testaction:1" question_ref="ocil:ssg-account_passwords_pam_faillock_dir_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-disallow_bypass_password_sudo_action:testaction:1" question_ref="ocil:ssg-disallow_bypass_password_sudo_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-display_login_attempts_action:testaction:1" question_ref="ocil:ssg-display_login_attempts_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-configure_bashrc_exec_tmux_action:testaction:1" question_ref="ocil:ssg-configure_bashrc_exec_tmux_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-configure_tmux_lock_after_time_action:testaction:1" question_ref="ocil:ssg-configure_tmux_lock_after_time_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-configure_tmux_lock_command_action:testaction:1" question_ref="ocil:ssg-configure_tmux_lock_command_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-no_tmux_in_shells_action:testaction:1" question_ref="ocil:ssg-no_tmux_in_shells_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-package_tmux_installed_action:testaction:1" question_ref="ocil:ssg-package_tmux_installed_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-coreos_disable_interactive_boot_action:testaction:1" question_ref="ocil:ssg-coreos_disable_interactive_boot_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-disable_ctrlaltdel_burstaction_action:testaction:1" question_ref="ocil:ssg-disable_ctrlaltdel_burstaction_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-disable_ctrlaltdel_reboot_action:testaction:1" question_ref="ocil:ssg-disable_ctrlaltdel_reboot_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-grub2_disable_interactive_boot_action:testaction:1" question_ref="ocil:ssg-grub2_disable_interactive_boot_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-require_singleuser_auth_action:testaction:1" question_ref="ocil:ssg-require_singleuser_auth_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-service_debug-shell_disabled_action:testaction:1" question_ref="ocil:ssg-service_debug-shell_disabled_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-account_disable_post_pw_expiration_action:testaction:1" question_ref="ocil:ssg-account_disable_post_pw_expiration_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-account_unique_name_action:testaction:1" question_ref="ocil:ssg-account_unique_name_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-account_use_centralized_automated_auth_action:testaction:1" question_ref="ocil:ssg-account_use_centralized_automated_auth_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-accounts_maximum_age_login_defs_action:testaction:1" question_ref="ocil:ssg-accounts_maximum_age_login_defs_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-accounts_minimum_age_login_defs_action:testaction:1" question_ref="ocil:ssg-accounts_minimum_age_login_defs_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-accounts_password_minlen_login_defs_action:testaction:1" question_ref="ocil:ssg-accounts_password_minlen_login_defs_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-accounts_password_warn_age_login_defs_action:testaction:1" question_ref="ocil:ssg-accounts_password_warn_age_login_defs_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-accounts_password_all_shadowed_action:testaction:1" question_ref="ocil:ssg-accounts_password_all_shadowed_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-gid_passwd_group_same_action:testaction:1" question_ref="ocil:ssg-gid_passwd_group_same_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-no_empty_passwords_action:testaction:1" question_ref="ocil:ssg-no_empty_passwords_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-no_empty_passwords_etc_shadow_action:testaction:1" question_ref="ocil:ssg-no_empty_passwords_etc_shadow_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-no_legacy_plus_entries_etc_group_action:testaction:1" question_ref="ocil:ssg-no_legacy_plus_entries_etc_group_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-no_legacy_plus_entries_etc_passwd_action:testaction:1" question_ref="ocil:ssg-no_legacy_plus_entries_etc_passwd_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-no_legacy_plus_entries_etc_shadow_action:testaction:1" question_ref="ocil:ssg-no_legacy_plus_entries_etc_shadow_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-no_netrc_files_action:testaction:1" question_ref="ocil:ssg-no_netrc_files_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-accounts_no_uid_except_zero_action:testaction:1" question_ref="ocil:ssg-accounts_no_uid_except_zero_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-accounts_root_gid_zero_action:testaction:1" question_ref="ocil:ssg-accounts_root_gid_zero_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-no_direct_root_logins_action:testaction:1" question_ref="ocil:ssg-no_direct_root_logins_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-no_password_auth_for_systemaccounts_action:testaction:1" question_ref="ocil:ssg-no_password_auth_for_systemaccounts_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-no_shelllogin_for_systemaccounts_action:testaction:1" question_ref="ocil:ssg-no_shelllogin_for_systemaccounts_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-restrict_serial_port_logins_action:testaction:1" question_ref="ocil:ssg-restrict_serial_port_logins_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-securetty_root_login_console_only_action:testaction:1" question_ref="ocil:ssg-securetty_root_login_console_only_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-accounts_root_path_dirs_no_write_action:testaction:1" question_ref="ocil:ssg-accounts_root_path_dirs_no_write_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-accounts_umask_etc_bashrc_action:testaction:1" question_ref="ocil:ssg-accounts_umask_etc_bashrc_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-accounts_umask_etc_csh_cshrc_action:testaction:1" question_ref="ocil:ssg-accounts_umask_etc_csh_cshrc_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-accounts_umask_etc_login_defs_action:testaction:1" question_ref="ocil:ssg-accounts_umask_etc_login_defs_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-accounts_umask_etc_profile_action:testaction:1" question_ref="ocil:ssg-accounts_umask_etc_profile_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-accounts_logon_fail_delay_action:testaction:1" question_ref="ocil:ssg-accounts_logon_fail_delay_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-accounts_max_concurrent_login_sessions_action:testaction:1" question_ref="ocil:ssg-accounts_max_concurrent_login_sessions_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-accounts_polyinstantiated_tmp_action:testaction:1" question_ref="ocil:ssg-accounts_polyinstantiated_tmp_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-accounts_polyinstantiated_var_tmp_action:testaction:1" question_ref="ocil:ssg-accounts_polyinstantiated_var_tmp_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-accounts_tmout_action:testaction:1" question_ref="ocil:ssg-accounts_tmout_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-file_permissions_home_dirs_action:testaction:1" question_ref="ocil:ssg-file_permissions_home_dirs_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_dac_modification_chmod_action:testaction:1" question_ref="ocil:ssg-audit_rules_dac_modification_chmod_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_dac_modification_chown_action:testaction:1" question_ref="ocil:ssg-audit_rules_dac_modification_chown_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_dac_modification_fchmod_action:testaction:1" question_ref="ocil:ssg-audit_rules_dac_modification_fchmod_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_dac_modification_fchmodat_action:testaction:1" question_ref="ocil:ssg-audit_rules_dac_modification_fchmodat_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_dac_modification_fchown_action:testaction:1" question_ref="ocil:ssg-audit_rules_dac_modification_fchown_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_dac_modification_fchownat_action:testaction:1" question_ref="ocil:ssg-audit_rules_dac_modification_fchownat_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_dac_modification_fremovexattr_action:testaction:1" question_ref="ocil:ssg-audit_rules_dac_modification_fremovexattr_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_dac_modification_fsetxattr_action:testaction:1" question_ref="ocil:ssg-audit_rules_dac_modification_fsetxattr_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_dac_modification_lchown_action:testaction:1" question_ref="ocil:ssg-audit_rules_dac_modification_lchown_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_dac_modification_lremovexattr_action:testaction:1" question_ref="ocil:ssg-audit_rules_dac_modification_lremovexattr_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_dac_modification_lsetxattr_action:testaction:1" question_ref="ocil:ssg-audit_rules_dac_modification_lsetxattr_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_dac_modification_removexattr_action:testaction:1" question_ref="ocil:ssg-audit_rules_dac_modification_removexattr_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_dac_modification_setxattr_action:testaction:1" question_ref="ocil:ssg-audit_rules_dac_modification_setxattr_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_dac_modification_umount_action:testaction:1" question_ref="ocil:ssg-audit_rules_dac_modification_umount_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_dac_modification_umount2_action:testaction:1" question_ref="ocil:ssg-audit_rules_dac_modification_umount2_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_execution_chcon_action:testaction:1" question_ref="ocil:ssg-audit_rules_execution_chcon_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_execution_restorecon_action:testaction:1" question_ref="ocil:ssg-audit_rules_execution_restorecon_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_execution_semanage_action:testaction:1" question_ref="ocil:ssg-audit_rules_execution_semanage_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_execution_setfiles_action:testaction:1" question_ref="ocil:ssg-audit_rules_execution_setfiles_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_execution_setsebool_action:testaction:1" question_ref="ocil:ssg-audit_rules_execution_setsebool_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_execution_seunshare_action:testaction:1" question_ref="ocil:ssg-audit_rules_execution_seunshare_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_file_deletion_events_action:testaction:1" question_ref="ocil:ssg-audit_rules_file_deletion_events_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_file_deletion_events_rename_action:testaction:1" question_ref="ocil:ssg-audit_rules_file_deletion_events_rename_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_file_deletion_events_renameat_action:testaction:1" question_ref="ocil:ssg-audit_rules_file_deletion_events_renameat_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_file_deletion_events_rmdir_action:testaction:1" question_ref="ocil:ssg-audit_rules_file_deletion_events_rmdir_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_file_deletion_events_unlink_action:testaction:1" question_ref="ocil:ssg-audit_rules_file_deletion_events_unlink_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_file_deletion_events_unlinkat_action:testaction:1" question_ref="ocil:ssg-audit_rules_file_deletion_events_unlinkat_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_unsuccessful_file_modification_action:testaction:1" question_ref="ocil:ssg-audit_rules_unsuccessful_file_modification_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_unsuccessful_file_modification_chmod_action:testaction:1" question_ref="ocil:ssg-audit_rules_unsuccessful_file_modification_chmod_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_unsuccessful_file_modification_chown_action:testaction:1" question_ref="ocil:ssg-audit_rules_unsuccessful_file_modification_chown_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_unsuccessful_file_modification_creat_action:testaction:1" question_ref="ocil:ssg-audit_rules_unsuccessful_file_modification_creat_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_unsuccessful_file_modification_fchmod_action:testaction:1" question_ref="ocil:ssg-audit_rules_unsuccessful_file_modification_fchmod_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_unsuccessful_file_modification_fchmodat_action:testaction:1" question_ref="ocil:ssg-audit_rules_unsuccessful_file_modification_fchmodat_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_unsuccessful_file_modification_fchown_action:testaction:1" question_ref="ocil:ssg-audit_rules_unsuccessful_file_modification_fchown_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_unsuccessful_file_modification_fchownat_action:testaction:1" question_ref="ocil:ssg-audit_rules_unsuccessful_file_modification_fchownat_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_unsuccessful_file_modification_fremovexattr_action:testaction:1" question_ref="ocil:ssg-audit_rules_unsuccessful_file_modification_fremovexattr_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_unsuccessful_file_modification_fsetxattr_action:testaction:1" question_ref="ocil:ssg-audit_rules_unsuccessful_file_modification_fsetxattr_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_unsuccessful_file_modification_ftruncate_action:testaction:1" question_ref="ocil:ssg-audit_rules_unsuccessful_file_modification_ftruncate_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_unsuccessful_file_modification_lchown_action:testaction:1" question_ref="ocil:ssg-audit_rules_unsuccessful_file_modification_lchown_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_unsuccessful_file_modification_lremovexattr_action:testaction:1" question_ref="ocil:ssg-audit_rules_unsuccessful_file_modification_lremovexattr_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_unsuccessful_file_modification_lsetxattr_action:testaction:1" question_ref="ocil:ssg-audit_rules_unsuccessful_file_modification_lsetxattr_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_unsuccessful_file_modification_open_action:testaction:1" question_ref="ocil:ssg-audit_rules_unsuccessful_file_modification_open_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_action:testaction:1" question_ref="ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat_action:testaction:1" question_ref="ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write_action:testaction:1" question_ref="ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order_action:testaction:1" question_ref="ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_unsuccessful_file_modification_open_o_creat_action:testaction:1" question_ref="ocil:ssg-audit_rules_unsuccessful_file_modification_open_o_creat_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_unsuccessful_file_modification_open_o_trunc_write_action:testaction:1" question_ref="ocil:ssg-audit_rules_unsuccessful_file_modification_open_o_trunc_write_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_unsuccessful_file_modification_open_rule_order_action:testaction:1" question_ref="ocil:ssg-audit_rules_unsuccessful_file_modification_open_rule_order_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_unsuccessful_file_modification_openat_action:testaction:1" question_ref="ocil:ssg-audit_rules_unsuccessful_file_modification_openat_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_unsuccessful_file_modification_openat_o_creat_action:testaction:1" question_ref="ocil:ssg-audit_rules_unsuccessful_file_modification_openat_o_creat_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_unsuccessful_file_modification_openat_o_trunc_write_action:testaction:1" question_ref="ocil:ssg-audit_rules_unsuccessful_file_modification_openat_o_trunc_write_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_unsuccessful_file_modification_openat_rule_order_action:testaction:1" question_ref="ocil:ssg-audit_rules_unsuccessful_file_modification_openat_rule_order_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_unsuccessful_file_modification_removexattr_action:testaction:1" question_ref="ocil:ssg-audit_rules_unsuccessful_file_modification_removexattr_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_unsuccessful_file_modification_rename_action:testaction:1" question_ref="ocil:ssg-audit_rules_unsuccessful_file_modification_rename_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_unsuccessful_file_modification_renameat_action:testaction:1" question_ref="ocil:ssg-audit_rules_unsuccessful_file_modification_renameat_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_unsuccessful_file_modification_setxattr_action:testaction:1" question_ref="ocil:ssg-audit_rules_unsuccessful_file_modification_setxattr_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_unsuccessful_file_modification_truncate_action:testaction:1" question_ref="ocil:ssg-audit_rules_unsuccessful_file_modification_truncate_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_unsuccessful_file_modification_unlink_action:testaction:1" question_ref="ocil:ssg-audit_rules_unsuccessful_file_modification_unlink_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_unsuccessful_file_modification_unlinkat_action:testaction:1" question_ref="ocil:ssg-audit_rules_unsuccessful_file_modification_unlinkat_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_kernel_module_loading_action:testaction:1" question_ref="ocil:ssg-audit_rules_kernel_module_loading_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_kernel_module_loading_delete_action:testaction:1" question_ref="ocil:ssg-audit_rules_kernel_module_loading_delete_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_kernel_module_loading_finit_action:testaction:1" question_ref="ocil:ssg-audit_rules_kernel_module_loading_finit_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_kernel_module_loading_init_action:testaction:1" question_ref="ocil:ssg-audit_rules_kernel_module_loading_init_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_login_events_faillock_action:testaction:1" question_ref="ocil:ssg-audit_rules_login_events_faillock_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_login_events_lastlog_action:testaction:1" question_ref="ocil:ssg-audit_rules_login_events_lastlog_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_login_events_tallylog_action:testaction:1" question_ref="ocil:ssg-audit_rules_login_events_tallylog_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_privileged_commands_init_action:testaction:1" question_ref="ocil:ssg-audit_privileged_commands_init_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_privileged_commands_poweroff_action:testaction:1" question_ref="ocil:ssg-audit_privileged_commands_poweroff_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_privileged_commands_reboot_action:testaction:1" question_ref="ocil:ssg-audit_privileged_commands_reboot_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_privileged_commands_shutdown_action:testaction:1" question_ref="ocil:ssg-audit_privileged_commands_shutdown_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_privileged_commands_action:testaction:1" question_ref="ocil:ssg-audit_rules_privileged_commands_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_privileged_commands_at_action:testaction:1" question_ref="ocil:ssg-audit_rules_privileged_commands_at_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_privileged_commands_chage_action:testaction:1" question_ref="ocil:ssg-audit_rules_privileged_commands_chage_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_privileged_commands_chsh_action:testaction:1" question_ref="ocil:ssg-audit_rules_privileged_commands_chsh_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_privileged_commands_crontab_action:testaction:1" question_ref="ocil:ssg-audit_rules_privileged_commands_crontab_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_privileged_commands_gpasswd_action:testaction:1" question_ref="ocil:ssg-audit_rules_privileged_commands_gpasswd_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_privileged_commands_mount_action:testaction:1" question_ref="ocil:ssg-audit_rules_privileged_commands_mount_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_privileged_commands_newgidmap_action:testaction:1" question_ref="ocil:ssg-audit_rules_privileged_commands_newgidmap_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_privileged_commands_newgrp_action:testaction:1" question_ref="ocil:ssg-audit_rules_privileged_commands_newgrp_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_privileged_commands_newuidmap_action:testaction:1" question_ref="ocil:ssg-audit_rules_privileged_commands_newuidmap_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_privileged_commands_pam_timestamp_check_action:testaction:1" question_ref="ocil:ssg-audit_rules_privileged_commands_pam_timestamp_check_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_privileged_commands_passwd_action:testaction:1" question_ref="ocil:ssg-audit_rules_privileged_commands_passwd_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_privileged_commands_postdrop_action:testaction:1" question_ref="ocil:ssg-audit_rules_privileged_commands_postdrop_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_privileged_commands_postqueue_action:testaction:1" question_ref="ocil:ssg-audit_rules_privileged_commands_postqueue_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_privileged_commands_pt_chown_action:testaction:1" question_ref="ocil:ssg-audit_rules_privileged_commands_pt_chown_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_privileged_commands_ssh_keysign_action:testaction:1" question_ref="ocil:ssg-audit_rules_privileged_commands_ssh_keysign_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_privileged_commands_su_action:testaction:1" question_ref="ocil:ssg-audit_rules_privileged_commands_su_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_privileged_commands_sudo_action:testaction:1" question_ref="ocil:ssg-audit_rules_privileged_commands_sudo_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_privileged_commands_sudoedit_action:testaction:1" question_ref="ocil:ssg-audit_rules_privileged_commands_sudoedit_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_privileged_commands_umount_action:testaction:1" question_ref="ocil:ssg-audit_rules_privileged_commands_umount_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_privileged_commands_unix_chkpwd_action:testaction:1" question_ref="ocil:ssg-audit_rules_privileged_commands_unix_chkpwd_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_privileged_commands_userhelper_action:testaction:1" question_ref="ocil:ssg-audit_rules_privileged_commands_userhelper_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_privileged_commands_usernetctl_action:testaction:1" question_ref="ocil:ssg-audit_rules_privileged_commands_usernetctl_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_time_adjtimex_action:testaction:1" question_ref="ocil:ssg-audit_rules_time_adjtimex_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_time_clock_settime_action:testaction:1" question_ref="ocil:ssg-audit_rules_time_clock_settime_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_time_settimeofday_action:testaction:1" question_ref="ocil:ssg-audit_rules_time_settimeofday_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_time_stime_action:testaction:1" question_ref="ocil:ssg-audit_rules_time_stime_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_time_watch_localtime_action:testaction:1" question_ref="ocil:ssg-audit_rules_time_watch_localtime_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_etc_group_open_action:testaction:1" question_ref="ocil:ssg-audit_rules_etc_group_open_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_etc_group_open_by_handle_at_action:testaction:1" question_ref="ocil:ssg-audit_rules_etc_group_open_by_handle_at_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_etc_group_openat_action:testaction:1" question_ref="ocil:ssg-audit_rules_etc_group_openat_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_etc_gshadow_open_action:testaction:1" question_ref="ocil:ssg-audit_rules_etc_gshadow_open_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_etc_gshadow_open_by_handle_at_action:testaction:1" question_ref="ocil:ssg-audit_rules_etc_gshadow_open_by_handle_at_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_etc_gshadow_openat_action:testaction:1" question_ref="ocil:ssg-audit_rules_etc_gshadow_openat_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_etc_passwd_open_action:testaction:1" question_ref="ocil:ssg-audit_rules_etc_passwd_open_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_etc_passwd_open_by_handle_at_action:testaction:1" question_ref="ocil:ssg-audit_rules_etc_passwd_open_by_handle_at_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_etc_passwd_openat_action:testaction:1" question_ref="ocil:ssg-audit_rules_etc_passwd_openat_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_etc_shadow_open_action:testaction:1" question_ref="ocil:ssg-audit_rules_etc_shadow_open_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_etc_shadow_open_by_handle_at_action:testaction:1" question_ref="ocil:ssg-audit_rules_etc_shadow_open_by_handle_at_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_etc_shadow_openat_action:testaction:1" question_ref="ocil:ssg-audit_rules_etc_shadow_openat_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_immutable_action:testaction:1" question_ref="ocil:ssg-audit_rules_immutable_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_mac_modification_action:testaction:1" question_ref="ocil:ssg-audit_rules_mac_modification_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_media_export_action:testaction:1" question_ref="ocil:ssg-audit_rules_media_export_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_networkconfig_modification_action:testaction:1" question_ref="ocil:ssg-audit_rules_networkconfig_modification_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_sysadmin_actions_action:testaction:1" question_ref="ocil:ssg-audit_rules_sysadmin_actions_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_usergroup_modification_action:testaction:1" question_ref="ocil:ssg-audit_rules_usergroup_modification_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_usergroup_modification_group_action:testaction:1" question_ref="ocil:ssg-audit_rules_usergroup_modification_group_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_usergroup_modification_gshadow_action:testaction:1" question_ref="ocil:ssg-audit_rules_usergroup_modification_gshadow_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_usergroup_modification_opasswd_action:testaction:1" question_ref="ocil:ssg-audit_rules_usergroup_modification_opasswd_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_usergroup_modification_passwd_action:testaction:1" question_ref="ocil:ssg-audit_rules_usergroup_modification_passwd_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_usergroup_modification_shadow_action:testaction:1" question_ref="ocil:ssg-audit_rules_usergroup_modification_shadow_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-directory_access_var_log_audit_action:testaction:1" question_ref="ocil:ssg-directory_access_var_log_audit_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-directory_permissions_var_log_audit_action:testaction:1" question_ref="ocil:ssg-directory_permissions_var_log_audit_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-file_groupownership_audit_configuration_action:testaction:1" question_ref="ocil:ssg-file_groupownership_audit_configuration_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-file_ownership_audit_configuration_action:testaction:1" question_ref="ocil:ssg-file_ownership_audit_configuration_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-file_ownership_var_log_audit_action:testaction:1" question_ref="ocil:ssg-file_ownership_var_log_audit_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-file_permissions_var_log_audit_action:testaction:1" question_ref="ocil:ssg-file_permissions_var_log_audit_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-auditd_audispd_configure_remote_server_action:testaction:1" question_ref="ocil:ssg-auditd_audispd_configure_remote_server_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-auditd_audispd_disk_full_action_action:testaction:1" question_ref="ocil:ssg-auditd_audispd_disk_full_action_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-auditd_audispd_encrypt_sent_records_action:testaction:1" question_ref="ocil:ssg-auditd_audispd_encrypt_sent_records_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-auditd_audispd_network_failure_action_action:testaction:1" question_ref="ocil:ssg-auditd_audispd_network_failure_action_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-auditd_audispd_syslog_plugin_activated_action:testaction:1" question_ref="ocil:ssg-auditd_audispd_syslog_plugin_activated_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-auditd_data_disk_error_action_action:testaction:1" question_ref="ocil:ssg-auditd_data_disk_error_action_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-auditd_data_disk_error_action_stig_action:testaction:1" question_ref="ocil:ssg-auditd_data_disk_error_action_stig_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-auditd_data_disk_full_action_action:testaction:1" question_ref="ocil:ssg-auditd_data_disk_full_action_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-auditd_data_disk_full_action_stig_action:testaction:1" question_ref="ocil:ssg-auditd_data_disk_full_action_stig_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-auditd_data_retention_action_mail_acct_action:testaction:1" question_ref="ocil:ssg-auditd_data_retention_action_mail_acct_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-auditd_data_retention_admin_space_left_action_action:testaction:1" question_ref="ocil:ssg-auditd_data_retention_admin_space_left_action_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-auditd_data_retention_flush_action:testaction:1" question_ref="ocil:ssg-auditd_data_retention_flush_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-auditd_data_retention_max_log_file_action:testaction:1" question_ref="ocil:ssg-auditd_data_retention_max_log_file_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-auditd_data_retention_max_log_file_action_action:testaction:1" question_ref="ocil:ssg-auditd_data_retention_max_log_file_action_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-auditd_data_retention_max_log_file_action_stig_action:testaction:1" question_ref="ocil:ssg-auditd_data_retention_max_log_file_action_stig_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-auditd_data_retention_num_logs_action:testaction:1" question_ref="ocil:ssg-auditd_data_retention_num_logs_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-auditd_data_retention_space_left_action:testaction:1" question_ref="ocil:ssg-auditd_data_retention_space_left_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-auditd_data_retention_space_left_action_action:testaction:1" question_ref="ocil:ssg-auditd_data_retention_space_left_action_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-auditd_freq_action:testaction:1" question_ref="ocil:ssg-auditd_freq_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-auditd_local_events_action:testaction:1" question_ref="ocil:ssg-auditd_local_events_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-auditd_log_format_action:testaction:1" question_ref="ocil:ssg-auditd_log_format_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-auditd_name_format_action:testaction:1" question_ref="ocil:ssg-auditd_name_format_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-auditd_overflow_action_action:testaction:1" question_ref="ocil:ssg-auditd_overflow_action_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-auditd_write_logs_action:testaction:1" question_ref="ocil:ssg-auditd_write_logs_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_access_failed_action:testaction:1" question_ref="ocil:ssg-audit_access_failed_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_access_success_action:testaction:1" question_ref="ocil:ssg-audit_access_success_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_basic_configuration_action:testaction:1" question_ref="ocil:ssg-audit_basic_configuration_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_create_failed_action:testaction:1" question_ref="ocil:ssg-audit_create_failed_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_create_success_action:testaction:1" question_ref="ocil:ssg-audit_create_success_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_delete_failed_action:testaction:1" question_ref="ocil:ssg-audit_delete_failed_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_delete_success_action:testaction:1" question_ref="ocil:ssg-audit_delete_success_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_immutable_login_uids_action:testaction:1" question_ref="ocil:ssg-audit_immutable_login_uids_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_modify_failed_action:testaction:1" question_ref="ocil:ssg-audit_modify_failed_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_modify_success_action:testaction:1" question_ref="ocil:ssg-audit_modify_success_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_module_load_action:testaction:1" question_ref="ocil:ssg-audit_module_load_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_ospp_general_action:testaction:1" question_ref="ocil:ssg-audit_ospp_general_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_owner_change_failed_action:testaction:1" question_ref="ocil:ssg-audit_owner_change_failed_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_owner_change_success_action:testaction:1" question_ref="ocil:ssg-audit_owner_change_success_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_perm_change_failed_action:testaction:1" question_ref="ocil:ssg-audit_perm_change_failed_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_perm_change_success_action:testaction:1" question_ref="ocil:ssg-audit_perm_change_success_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-audit_rules_for_ospp_action:testaction:1" question_ref="ocil:ssg-audit_rules_for_ospp_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-coreos_audit_backlog_limit_kernel_argument_action:testaction:1" question_ref="ocil:ssg-coreos_audit_backlog_limit_kernel_argument_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-coreos_audit_option_action:testaction:1" question_ref="ocil:ssg-coreos_audit_option_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-package_audispd-plugins_installed_action:testaction:1" question_ref="ocil:ssg-package_audispd-plugins_installed_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-package_audit-audispd-plugins_installed_action:testaction:1" question_ref="ocil:ssg-package_audit-audispd-plugins_installed_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-package_audit_installed_action:testaction:1" question_ref="ocil:ssg-package_audit_installed_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-service_auditd_enabled_action:testaction:1" question_ref="ocil:ssg-service_auditd_enabled_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-grub2_uefi_admin_username_action:testaction:1" question_ref="ocil:ssg-grub2_uefi_admin_username_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-grub2_uefi_password_action:testaction:1" question_ref="ocil:ssg-grub2_uefi_password_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-coreos_pti_kernel_argument_action:testaction:1" question_ref="ocil:ssg-coreos_pti_kernel_argument_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-coreos_vsyscall_kernel_argument_action:testaction:1" question_ref="ocil:ssg-coreos_vsyscall_kernel_argument_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-grub2_disable_recovery_action:testaction:1" question_ref="ocil:ssg-grub2_disable_recovery_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-grub2_enable_iommu_force_action:testaction:1" question_ref="ocil:ssg-grub2_enable_iommu_force_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-grub2_l1tf_argument_action:testaction:1" question_ref="ocil:ssg-grub2_l1tf_argument_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-grub2_mce_argument_action:testaction:1" question_ref="ocil:ssg-grub2_mce_argument_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-grub2_nosmap_argument_absent_action:testaction:1" question_ref="ocil:ssg-grub2_nosmap_argument_absent_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-grub2_nosmep_argument_absent_action:testaction:1" question_ref="ocil:ssg-grub2_nosmep_argument_absent_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-grub2_rng_core_default_quality_argument_action:testaction:1" question_ref="ocil:ssg-grub2_rng_core_default_quality_argument_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-grub2_slab_nomerge_argument_action:testaction:1" question_ref="ocil:ssg-grub2_slab_nomerge_argument_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-grub2_spec_store_bypass_disable_argument_action:testaction:1" question_ref="ocil:ssg-grub2_spec_store_bypass_disable_argument_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-grub2_spectre_v2_argument_action:testaction:1" question_ref="ocil:ssg-grub2_spectre_v2_argument_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-grub2_systemd_debug-shell_argument_absent_action:testaction:1" question_ref="ocil:ssg-grub2_systemd_debug-shell_argument_absent_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-zipl_audit_argument_action:testaction:1" question_ref="ocil:ssg-zipl_audit_argument_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-zipl_audit_backlog_limit_argument_action:testaction:1" question_ref="ocil:ssg-zipl_audit_backlog_limit_argument_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-zipl_bls_entries_only_action:testaction:1" question_ref="ocil:ssg-zipl_bls_entries_only_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-zipl_bootmap_is_up_to_date_action:testaction:1" question_ref="ocil:ssg-zipl_bootmap_is_up_to_date_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-zipl_enable_selinux_action:testaction:1" question_ref="ocil:ssg-zipl_enable_selinux_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-zipl_page_poison_argument_action:testaction:1" question_ref="ocil:ssg-zipl_page_poison_argument_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-zipl_slub_debug_argument_action:testaction:1" question_ref="ocil:ssg-zipl_slub_debug_argument_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-zipl_systemd_debug-shell_argument_absent_action:testaction:1" question_ref="ocil:ssg-zipl_systemd_debug-shell_argument_absent_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-zipl_vsyscall_argument_action:testaction:1" question_ref="ocil:ssg-zipl_vsyscall_argument_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-kernel_config_acpi_custom_method_action:testaction:1" question_ref="ocil:ssg-kernel_config_acpi_custom_method_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-kernel_config_binfmt_misc_action:testaction:1" question_ref="ocil:ssg-kernel_config_binfmt_misc_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-kernel_config_bug_action:testaction:1" question_ref="ocil:ssg-kernel_config_bug_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-kernel_config_compat_brk_action:testaction:1" question_ref="ocil:ssg-kernel_config_compat_brk_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-kernel_config_compat_vdso_action:testaction:1" question_ref="ocil:ssg-kernel_config_compat_vdso_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-kernel_config_debug_credentials_action:testaction:1" question_ref="ocil:ssg-kernel_config_debug_credentials_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-kernel_config_debug_fs_action:testaction:1" question_ref="ocil:ssg-kernel_config_debug_fs_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-kernel_config_debug_list_action:testaction:1" question_ref="ocil:ssg-kernel_config_debug_list_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-kernel_config_debug_notifiers_action:testaction:1" question_ref="ocil:ssg-kernel_config_debug_notifiers_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-kernel_config_debug_sg_action:testaction:1" question_ref="ocil:ssg-kernel_config_debug_sg_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-kernel_config_default_mmap_min_addr_action:testaction:1" question_ref="ocil:ssg-kernel_config_default_mmap_min_addr_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-kernel_config_devkmem_action:testaction:1" question_ref="ocil:ssg-kernel_config_devkmem_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-kernel_config_hibernation_action:testaction:1" question_ref="ocil:ssg-kernel_config_hibernation_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-kernel_config_ia32_emulation_action:testaction:1" question_ref="ocil:ssg-kernel_config_ia32_emulation_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-kernel_config_ipv6_action:testaction:1" question_ref="ocil:ssg-kernel_config_ipv6_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-kernel_config_kexec_action:testaction:1" question_ref="ocil:ssg-kernel_config_kexec_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-kernel_config_legacy_ptys_action:testaction:1" question_ref="ocil:ssg-kernel_config_legacy_ptys_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-kernel_config_module_sig_action:testaction:1" question_ref="ocil:ssg-kernel_config_module_sig_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-kernel_config_module_sig_all_action:testaction:1" question_ref="ocil:ssg-kernel_config_module_sig_all_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-kernel_config_module_sig_force_action:testaction:1" question_ref="ocil:ssg-kernel_config_module_sig_force_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-kernel_config_module_sig_hash_action:testaction:1" question_ref="ocil:ssg-kernel_config_module_sig_hash_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-kernel_config_module_sig_key_action:testaction:1" question_ref="ocil:ssg-kernel_config_module_sig_key_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-kernel_config_module_sig_sha512_action:testaction:1" question_ref="ocil:ssg-kernel_config_module_sig_sha512_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-kernel_config_page_poisoning_no_sanity_action:testaction:1" question_ref="ocil:ssg-kernel_config_page_poisoning_no_sanity_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-kernel_config_page_poisoning_zero_action:testaction:1" question_ref="ocil:ssg-kernel_config_page_poisoning_zero_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-kernel_config_page_table_isolation_action:testaction:1" question_ref="ocil:ssg-kernel_config_page_table_isolation_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-kernel_config_panic_on_oops_action:testaction:1" question_ref="ocil:ssg-kernel_config_panic_on_oops_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-kernel_config_panic_timeout_action:testaction:1" question_ref="ocil:ssg-kernel_config_panic_timeout_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-kernel_config_proc_kcore_action:testaction:1" question_ref="ocil:ssg-kernel_config_proc_kcore_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-kernel_config_randomize_base_action:testaction:1" question_ref="ocil:ssg-kernel_config_randomize_base_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-kernel_config_randomize_memory_action:testaction:1" question_ref="ocil:ssg-kernel_config_randomize_memory_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-kernel_config_retpoline_action:testaction:1" question_ref="ocil:ssg-kernel_config_retpoline_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-kernel_config_seccomp_action:testaction:1" question_ref="ocil:ssg-kernel_config_seccomp_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-kernel_config_seccomp_filter_action:testaction:1" question_ref="ocil:ssg-kernel_config_seccomp_filter_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-kernel_config_security_action:testaction:1" question_ref="ocil:ssg-kernel_config_security_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-kernel_config_security_dmesg_restrict_action:testaction:1" question_ref="ocil:ssg-kernel_config_security_dmesg_restrict_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-kernel_config_security_writable_hooks_action:testaction:1" question_ref="ocil:ssg-kernel_config_security_writable_hooks_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-kernel_config_security_yama_action:testaction:1" question_ref="ocil:ssg-kernel_config_security_yama_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-kernel_config_slub_debug_action:testaction:1" question_ref="ocil:ssg-kernel_config_slub_debug_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-kernel_config_syn_cookies_action:testaction:1" question_ref="ocil:ssg-kernel_config_syn_cookies_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-kernel_config_unmap_kernel_at_el0_action:testaction:1" question_ref="ocil:ssg-kernel_config_unmap_kernel_at_el0_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-kernel_config_x86_vsyscall_emulation_action:testaction:1" question_ref="ocil:ssg-kernel_config_x86_vsyscall_emulation_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-rsyslog_encrypt_offload_actionsendstreamdriverauthmode_action:testaction:1" question_ref="ocil:ssg-rsyslog_encrypt_offload_actionsendstreamdriverauthmode_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-rsyslog_encrypt_offload_actionsendstreamdrivermode_action:testaction:1" question_ref="ocil:ssg-rsyslog_encrypt_offload_actionsendstreamdrivermode_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-rsyslog_encrypt_offload_defaultnetstreamdriver_action:testaction:1" question_ref="ocil:ssg-rsyslog_encrypt_offload_defaultnetstreamdriver_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-rsyslog_files_groupownership_action:testaction:1" question_ref="ocil:ssg-rsyslog_files_groupownership_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-rsyslog_files_ownership_action:testaction:1" question_ref="ocil:ssg-rsyslog_files_ownership_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-rsyslog_files_permissions_action:testaction:1" question_ref="ocil:ssg-rsyslog_files_permissions_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-service_systemd-journald_enabled_action:testaction:1" question_ref="ocil:ssg-service_systemd-journald_enabled_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-ensure_logrotate_activated_action:testaction:1" question_ref="ocil:ssg-ensure_logrotate_activated_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-package_syslogng_installed_action:testaction:1" question_ref="ocil:ssg-package_syslogng_installed_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-service_syslogng_enabled_action:testaction:1" question_ref="ocil:ssg-service_syslogng_enabled_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-rsyslog_remote_loghost_action:testaction:1" question_ref="ocil:ssg-rsyslog_remote_loghost_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-package_rsyslog_installed_action:testaction:1" question_ref="ocil:ssg-package_rsyslog_installed_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-service_rsyslog_enabled_action:testaction:1" question_ref="ocil:ssg-service_rsyslog_enabled_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-package_firewalld_installed_action:testaction:1" question_ref="ocil:ssg-package_firewalld_installed_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-service_firewalld_enabled_action:testaction:1" question_ref="ocil:ssg-service_firewalld_enabled_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-package_libreswan_installed_action:testaction:1" question_ref="ocil:ssg-package_libreswan_installed_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-service_ip6tables_enabled_action:testaction:1" question_ref="ocil:ssg-service_ip6tables_enabled_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-service_iptables_enabled_action:testaction:1" question_ref="ocil:ssg-service_iptables_enabled_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-set_ip6tables_default_rule_action:testaction:1" question_ref="ocil:ssg-set_ip6tables_default_rule_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-set_iptables_default_rule_action:testaction:1" question_ref="ocil:ssg-set_iptables_default_rule_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-set_iptables_default_rule_forward_action:testaction:1" question_ref="ocil:ssg-set_iptables_default_rule_forward_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-package_iptables_installed_action:testaction:1" question_ref="ocil:ssg-package_iptables_installed_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_action:testaction:1" question_ref="ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sysctl_net_ipv6_conf_all_accept_redirects_action:testaction:1" question_ref="ocil:ssg-sysctl_net_ipv6_conf_all_accept_redirects_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sysctl_net_ipv6_conf_all_accept_source_route_action:testaction:1" question_ref="ocil:ssg-sysctl_net_ipv6_conf_all_accept_source_route_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sysctl_net_ipv6_conf_default_accept_ra_action:testaction:1" question_ref="ocil:ssg-sysctl_net_ipv6_conf_default_accept_ra_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sysctl_net_ipv6_conf_default_accept_redirects_action:testaction:1" question_ref="ocil:ssg-sysctl_net_ipv6_conf_default_accept_redirects_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sysctl_net_ipv6_conf_default_accept_source_route_action:testaction:1" question_ref="ocil:ssg-sysctl_net_ipv6_conf_default_accept_source_route_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-grub2_ipv6_disable_argument_action:testaction:1" question_ref="ocil:ssg-grub2_ipv6_disable_argument_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-kernel_module_ipv6_option_disabled_action:testaction:1" question_ref="ocil:ssg-kernel_module_ipv6_option_disabled_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sysctl_net_ipv6_conf_all_disable_ipv6_action:testaction:1" question_ref="ocil:ssg-sysctl_net_ipv6_conf_all_disable_ipv6_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sysctl_net_ipv6_conf_default_disable_ipv6_action:testaction:1" question_ref="ocil:ssg-sysctl_net_ipv6_conf_default_disable_ipv6_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sysctl_net_ipv4_conf_all_accept_local_action:testaction:1" question_ref="ocil:ssg-sysctl_net_ipv4_conf_all_accept_local_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sysctl_net_ipv4_conf_all_accept_redirects_action:testaction:1" question_ref="ocil:ssg-sysctl_net_ipv4_conf_all_accept_redirects_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sysctl_net_ipv4_conf_all_accept_source_route_action:testaction:1" question_ref="ocil:ssg-sysctl_net_ipv4_conf_all_accept_source_route_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sysctl_net_ipv4_conf_all_arp_filter_action:testaction:1" question_ref="ocil:ssg-sysctl_net_ipv4_conf_all_arp_filter_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sysctl_net_ipv4_conf_all_arp_ignore_action:testaction:1" question_ref="ocil:ssg-sysctl_net_ipv4_conf_all_arp_ignore_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sysctl_net_ipv4_conf_all_log_martians_action:testaction:1" question_ref="ocil:ssg-sysctl_net_ipv4_conf_all_log_martians_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sysctl_net_ipv4_conf_all_route_localnet_action:testaction:1" question_ref="ocil:ssg-sysctl_net_ipv4_conf_all_route_localnet_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sysctl_net_ipv4_conf_all_rp_filter_action:testaction:1" question_ref="ocil:ssg-sysctl_net_ipv4_conf_all_rp_filter_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sysctl_net_ipv4_conf_all_secure_redirects_action:testaction:1" question_ref="ocil:ssg-sysctl_net_ipv4_conf_all_secure_redirects_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sysctl_net_ipv4_conf_all_shared_media_action:testaction:1" question_ref="ocil:ssg-sysctl_net_ipv4_conf_all_shared_media_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sysctl_net_ipv4_conf_default_accept_redirects_action:testaction:1" question_ref="ocil:ssg-sysctl_net_ipv4_conf_default_accept_redirects_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sysctl_net_ipv4_conf_default_accept_source_route_action:testaction:1" question_ref="ocil:ssg-sysctl_net_ipv4_conf_default_accept_source_route_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sysctl_net_ipv4_conf_default_log_martians_action:testaction:1" question_ref="ocil:ssg-sysctl_net_ipv4_conf_default_log_martians_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sysctl_net_ipv4_conf_default_rp_filter_action:testaction:1" question_ref="ocil:ssg-sysctl_net_ipv4_conf_default_rp_filter_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sysctl_net_ipv4_conf_default_secure_redirects_action:testaction:1" question_ref="ocil:ssg-sysctl_net_ipv4_conf_default_secure_redirects_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sysctl_net_ipv4_conf_default_shared_media_action:testaction:1" question_ref="ocil:ssg-sysctl_net_ipv4_conf_default_shared_media_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sysctl_net_ipv4_icmp_echo_ignore_broadcasts_action:testaction:1" question_ref="ocil:ssg-sysctl_net_ipv4_icmp_echo_ignore_broadcasts_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sysctl_net_ipv4_icmp_ignore_bogus_error_responses_action:testaction:1" question_ref="ocil:ssg-sysctl_net_ipv4_icmp_ignore_bogus_error_responses_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sysctl_net_ipv4_tcp_invalid_ratelimit_action:testaction:1" question_ref="ocil:ssg-sysctl_net_ipv4_tcp_invalid_ratelimit_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sysctl_net_ipv4_tcp_syncookies_action:testaction:1" question_ref="ocil:ssg-sysctl_net_ipv4_tcp_syncookies_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sysctl_net_ipv4_conf_all_send_redirects_action:testaction:1" question_ref="ocil:ssg-sysctl_net_ipv4_conf_all_send_redirects_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sysctl_net_ipv4_conf_default_send_redirects_action:testaction:1" question_ref="ocil:ssg-sysctl_net_ipv4_conf_default_send_redirects_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sysctl_net_ipv4_ip_forward_action:testaction:1" question_ref="ocil:ssg-sysctl_net_ipv4_ip_forward_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-service_ufw_enabled_action:testaction:1" question_ref="ocil:ssg-service_ufw_enabled_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-kernel_module_atm_disabled_action:testaction:1" question_ref="ocil:ssg-kernel_module_atm_disabled_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-kernel_module_can_disabled_action:testaction:1" question_ref="ocil:ssg-kernel_module_can_disabled_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-kernel_module_firewire-core_disabled_action:testaction:1" question_ref="ocil:ssg-kernel_module_firewire-core_disabled_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-kernel_module_rds_disabled_action:testaction:1" question_ref="ocil:ssg-kernel_module_rds_disabled_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-kernel_module_sctp_disabled_action:testaction:1" question_ref="ocil:ssg-kernel_module_sctp_disabled_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-kernel_module_tipc_disabled_action:testaction:1" question_ref="ocil:ssg-kernel_module_tipc_disabled_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-kernel_module_bluetooth_disabled_action:testaction:1" question_ref="ocil:ssg-kernel_module_bluetooth_disabled_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-kernel_module_cfg80211_disabled_action:testaction:1" question_ref="ocil:ssg-kernel_module_cfg80211_disabled_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-kernel_module_iwlmvm_disabled_action:testaction:1" question_ref="ocil:ssg-kernel_module_iwlmvm_disabled_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-kernel_module_iwlwifi_disabled_action:testaction:1" question_ref="ocil:ssg-kernel_module_iwlwifi_disabled_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-kernel_module_mac80211_disabled_action:testaction:1" question_ref="ocil:ssg-kernel_module_mac80211_disabled_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-service_bluetooth_disabled_action:testaction:1" question_ref="ocil:ssg-service_bluetooth_disabled_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-wireless_disable_interfaces_action:testaction:1" question_ref="ocil:ssg-wireless_disable_interfaces_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-network_nmcli_permissions_action:testaction:1" question_ref="ocil:ssg-network_nmcli_permissions_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-file_groupowner_backup_etc_group_action:testaction:1" question_ref="ocil:ssg-file_groupowner_backup_etc_group_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-file_groupowner_backup_etc_gshadow_action:testaction:1" question_ref="ocil:ssg-file_groupowner_backup_etc_gshadow_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-file_groupowner_backup_etc_passwd_action:testaction:1" question_ref="ocil:ssg-file_groupowner_backup_etc_passwd_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-file_groupowner_backup_etc_shadow_action:testaction:1" question_ref="ocil:ssg-file_groupowner_backup_etc_shadow_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-file_groupowner_etc_group_action:testaction:1" question_ref="ocil:ssg-file_groupowner_etc_group_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-file_groupowner_etc_gshadow_action:testaction:1" question_ref="ocil:ssg-file_groupowner_etc_gshadow_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-file_groupowner_etc_passwd_action:testaction:1" question_ref="ocil:ssg-file_groupowner_etc_passwd_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-file_groupowner_etc_shadow_action:testaction:1" question_ref="ocil:ssg-file_groupowner_etc_shadow_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-file_owner_backup_etc_group_action:testaction:1" question_ref="ocil:ssg-file_owner_backup_etc_group_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-file_owner_backup_etc_gshadow_action:testaction:1" question_ref="ocil:ssg-file_owner_backup_etc_gshadow_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-file_owner_backup_etc_passwd_action:testaction:1" question_ref="ocil:ssg-file_owner_backup_etc_passwd_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-file_owner_backup_etc_shadow_action:testaction:1" question_ref="ocil:ssg-file_owner_backup_etc_shadow_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-file_owner_etc_group_action:testaction:1" question_ref="ocil:ssg-file_owner_etc_group_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-file_owner_etc_gshadow_action:testaction:1" question_ref="ocil:ssg-file_owner_etc_gshadow_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-file_owner_etc_passwd_action:testaction:1" question_ref="ocil:ssg-file_owner_etc_passwd_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-file_owner_etc_shadow_action:testaction:1" question_ref="ocil:ssg-file_owner_etc_shadow_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-file_permissions_backup_etc_group_action:testaction:1" question_ref="ocil:ssg-file_permissions_backup_etc_group_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-file_permissions_backup_etc_gshadow_action:testaction:1" question_ref="ocil:ssg-file_permissions_backup_etc_gshadow_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-file_permissions_backup_etc_passwd_action:testaction:1" question_ref="ocil:ssg-file_permissions_backup_etc_passwd_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-file_permissions_backup_etc_shadow_action:testaction:1" question_ref="ocil:ssg-file_permissions_backup_etc_shadow_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-file_permissions_etc_group_action:testaction:1" question_ref="ocil:ssg-file_permissions_etc_group_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-file_permissions_etc_gshadow_action:testaction:1" question_ref="ocil:ssg-file_permissions_etc_gshadow_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-file_permissions_etc_passwd_action:testaction:1" question_ref="ocil:ssg-file_permissions_etc_passwd_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-file_permissions_etc_shadow_action:testaction:1" question_ref="ocil:ssg-file_permissions_etc_shadow_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-file_groupowner_var_log_action:testaction:1" question_ref="ocil:ssg-file_groupowner_var_log_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-file_groupowner_var_log_messages_action:testaction:1" question_ref="ocil:ssg-file_groupowner_var_log_messages_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-file_groupowner_var_log_syslog_action:testaction:1" question_ref="ocil:ssg-file_groupowner_var_log_syslog_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-file_owner_var_log_action:testaction:1" question_ref="ocil:ssg-file_owner_var_log_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-file_owner_var_log_messages_action:testaction:1" question_ref="ocil:ssg-file_owner_var_log_messages_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-file_owner_var_log_syslog_action:testaction:1" question_ref="ocil:ssg-file_owner_var_log_syslog_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-file_permissions_var_log_action:testaction:1" question_ref="ocil:ssg-file_permissions_var_log_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-file_permissions_var_log_messages_action:testaction:1" question_ref="ocil:ssg-file_permissions_var_log_messages_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-file_permissions_var_log_syslog_action:testaction:1" question_ref="ocil:ssg-file_permissions_var_log_syslog_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-dir_ownership_binary_dirs_action:testaction:1" question_ref="ocil:ssg-dir_ownership_binary_dirs_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-dir_ownership_library_dirs_action:testaction:1" question_ref="ocil:ssg-dir_ownership_library_dirs_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-dir_permissions_binary_dirs_action:testaction:1" question_ref="ocil:ssg-dir_permissions_binary_dirs_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-dir_permissions_library_dirs_action:testaction:1" question_ref="ocil:ssg-dir_permissions_library_dirs_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-file_ownership_binary_dirs_action:testaction:1" question_ref="ocil:ssg-file_ownership_binary_dirs_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-file_ownership_library_dirs_action:testaction:1" question_ref="ocil:ssg-file_ownership_library_dirs_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-file_permissions_binary_dirs_action:testaction:1" question_ref="ocil:ssg-file_permissions_binary_dirs_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-file_permissions_library_dirs_action:testaction:1" question_ref="ocil:ssg-file_permissions_library_dirs_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-dir_perms_world_writable_sticky_bits_action:testaction:1" question_ref="ocil:ssg-dir_perms_world_writable_sticky_bits_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-file_permissions_systemmap_action:testaction:1" question_ref="ocil:ssg-file_permissions_systemmap_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-file_permissions_unauthorized_world_writable_action:testaction:1" question_ref="ocil:ssg-file_permissions_unauthorized_world_writable_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sysctl_fs_protected_hardlinks_action:testaction:1" question_ref="ocil:ssg-sysctl_fs_protected_hardlinks_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sysctl_fs_protected_symlinks_action:testaction:1" question_ref="ocil:ssg-sysctl_fs_protected_symlinks_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-kernel_module_cramfs_disabled_action:testaction:1" question_ref="ocil:ssg-kernel_module_cramfs_disabled_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-kernel_module_usb-storage_disabled_action:testaction:1" question_ref="ocil:ssg-kernel_module_usb-storage_disabled_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-service_autofs_disabled_action:testaction:1" question_ref="ocil:ssg-service_autofs_disabled_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-mount_option_boot_nodev_action:testaction:1" question_ref="ocil:ssg-mount_option_boot_nodev_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-mount_option_boot_nosuid_action:testaction:1" question_ref="ocil:ssg-mount_option_boot_nosuid_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-mount_option_dev_shm_nodev_action:testaction:1" question_ref="ocil:ssg-mount_option_dev_shm_nodev_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-mount_option_dev_shm_noexec_action:testaction:1" question_ref="ocil:ssg-mount_option_dev_shm_noexec_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-mount_option_dev_shm_nosuid_action:testaction:1" question_ref="ocil:ssg-mount_option_dev_shm_nosuid_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-mount_option_home_nodev_action:testaction:1" question_ref="ocil:ssg-mount_option_home_nodev_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-mount_option_home_nosuid_action:testaction:1" question_ref="ocil:ssg-mount_option_home_nosuid_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-mount_option_nodev_nonroot_local_partitions_action:testaction:1" question_ref="ocil:ssg-mount_option_nodev_nonroot_local_partitions_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-mount_option_nodev_removable_partitions_action:testaction:1" question_ref="ocil:ssg-mount_option_nodev_removable_partitions_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-mount_option_noexec_removable_partitions_action:testaction:1" question_ref="ocil:ssg-mount_option_noexec_removable_partitions_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-mount_option_nosuid_removable_partitions_action:testaction:1" question_ref="ocil:ssg-mount_option_nosuid_removable_partitions_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-mount_option_tmp_nodev_action:testaction:1" question_ref="ocil:ssg-mount_option_tmp_nodev_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-mount_option_tmp_noexec_action:testaction:1" question_ref="ocil:ssg-mount_option_tmp_noexec_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-mount_option_tmp_nosuid_action:testaction:1" question_ref="ocil:ssg-mount_option_tmp_nosuid_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-mount_option_var_log_audit_nodev_action:testaction:1" question_ref="ocil:ssg-mount_option_var_log_audit_nodev_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-mount_option_var_log_audit_noexec_action:testaction:1" question_ref="ocil:ssg-mount_option_var_log_audit_noexec_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-mount_option_var_log_audit_nosuid_action:testaction:1" question_ref="ocil:ssg-mount_option_var_log_audit_nosuid_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-mount_option_var_log_nodev_action:testaction:1" question_ref="ocil:ssg-mount_option_var_log_nodev_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-mount_option_var_log_noexec_action:testaction:1" question_ref="ocil:ssg-mount_option_var_log_noexec_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-mount_option_var_log_nosuid_action:testaction:1" question_ref="ocil:ssg-mount_option_var_log_nosuid_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-mount_option_var_nodev_action:testaction:1" question_ref="ocil:ssg-mount_option_var_nodev_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-mount_option_var_nosuid_action:testaction:1" question_ref="ocil:ssg-mount_option_var_nosuid_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-mount_option_var_tmp_nodev_action:testaction:1" question_ref="ocil:ssg-mount_option_var_tmp_nodev_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-mount_option_var_tmp_noexec_action:testaction:1" question_ref="ocil:ssg-mount_option_var_tmp_noexec_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-mount_option_var_tmp_nosuid_action:testaction:1" question_ref="ocil:ssg-mount_option_var_tmp_nosuid_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-coredump_disable_backtraces_action:testaction:1" question_ref="ocil:ssg-coredump_disable_backtraces_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-coredump_disable_storage_action:testaction:1" question_ref="ocil:ssg-coredump_disable_storage_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-disable_users_coredumps_action:testaction:1" question_ref="ocil:ssg-disable_users_coredumps_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-service_systemd-coredump_disabled_action:testaction:1" question_ref="ocil:ssg-service_systemd-coredump_disabled_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sysctl_fs_suid_dumpable_action:testaction:1" question_ref="ocil:ssg-sysctl_fs_suid_dumpable_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sysctl_kernel_kptr_restrict_action:testaction:1" question_ref="ocil:ssg-sysctl_kernel_kptr_restrict_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sysctl_kernel_randomize_va_space_action:testaction:1" question_ref="ocil:ssg-sysctl_kernel_randomize_va_space_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-coreos_page_poison_kernel_argument_action:testaction:1" question_ref="ocil:ssg-coreos_page_poison_kernel_argument_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-coreos_slub_debug_kernel_argument_action:testaction:1" question_ref="ocil:ssg-coreos_slub_debug_kernel_argument_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-kernel_module_uvcvideo_disabled_action:testaction:1" question_ref="ocil:ssg-kernel_module_uvcvideo_disabled_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sysctl_kernel_core_pattern_action:testaction:1" question_ref="ocil:ssg-sysctl_kernel_core_pattern_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sysctl_kernel_core_pattern_empty_string_action:testaction:1" question_ref="ocil:ssg-sysctl_kernel_core_pattern_empty_string_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sysctl_kernel_core_uses_pid_action:testaction:1" question_ref="ocil:ssg-sysctl_kernel_core_uses_pid_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sysctl_kernel_dmesg_restrict_action:testaction:1" question_ref="ocil:ssg-sysctl_kernel_dmesg_restrict_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sysctl_kernel_kexec_load_disabled_action:testaction:1" question_ref="ocil:ssg-sysctl_kernel_kexec_load_disabled_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sysctl_kernel_panic_on_oops_action:testaction:1" question_ref="ocil:ssg-sysctl_kernel_panic_on_oops_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sysctl_kernel_perf_event_paranoid_action:testaction:1" question_ref="ocil:ssg-sysctl_kernel_perf_event_paranoid_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sysctl_kernel_unprivileged_bpf_disabled_action:testaction:1" question_ref="ocil:ssg-sysctl_kernel_unprivileged_bpf_disabled_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sysctl_kernel_yama_ptrace_scope_action:testaction:1" question_ref="ocil:ssg-sysctl_kernel_yama_ptrace_scope_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sysctl_net_core_bpf_jit_harden_action:testaction:1" question_ref="ocil:ssg-sysctl_net_core_bpf_jit_harden_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sysctl_user_max_user_namespaces_action:testaction:1" question_ref="ocil:ssg-sysctl_user_max_user_namespaces_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-coreos_enable_selinux_kernel_argument_action:testaction:1" question_ref="ocil:ssg-coreos_enable_selinux_kernel_argument_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-grub2_enable_selinux_action:testaction:1" question_ref="ocil:ssg-grub2_enable_selinux_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-package_libselinux_installed_action:testaction:1" question_ref="ocil:ssg-package_libselinux_installed_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-package_setroubleshoot-plugins_removed_action:testaction:1" question_ref="ocil:ssg-package_setroubleshoot-plugins_removed_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-package_setroubleshoot-server_removed_action:testaction:1" question_ref="ocil:ssg-package_setroubleshoot-server_removed_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-selinux_confinement_of_daemons_action:testaction:1" question_ref="ocil:ssg-selinux_confinement_of_daemons_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-selinux_policytype_action:testaction:1" question_ref="ocil:ssg-selinux_policytype_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-selinux_state_action:testaction:1" question_ref="ocil:ssg-selinux_state_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-encrypt_partitions_action:testaction:1" question_ref="ocil:ssg-encrypt_partitions_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-partition_for_home_action:testaction:1" question_ref="ocil:ssg-partition_for_home_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-partition_for_srv_action:testaction:1" question_ref="ocil:ssg-partition_for_srv_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-partition_for_tmp_action:testaction:1" question_ref="ocil:ssg-partition_for_tmp_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-partition_for_var_action:testaction:1" question_ref="ocil:ssg-partition_for_var_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-partition_for_var_log_action:testaction:1" question_ref="ocil:ssg-partition_for_var_log_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-partition_for_var_log_audit_action:testaction:1" question_ref="ocil:ssg-partition_for_var_log_audit_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-partition_for_var_tmp_action:testaction:1" question_ref="ocil:ssg-partition_for_var_tmp_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-gnome_gdm_disable_xdmcp_action:testaction:1" question_ref="ocil:ssg-gnome_gdm_disable_xdmcp_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-installed_OS_is_FIPS_certified_action:testaction:1" question_ref="ocil:ssg-installed_OS_is_FIPS_certified_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-configure_bind_crypto_policy_action:testaction:1" question_ref="ocil:ssg-configure_bind_crypto_policy_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-configure_crypto_policy_action:testaction:1" question_ref="ocil:ssg-configure_crypto_policy_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-configure_kerberos_crypto_policy_action:testaction:1" question_ref="ocil:ssg-configure_kerberos_crypto_policy_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-configure_libreswan_crypto_policy_action:testaction:1" question_ref="ocil:ssg-configure_libreswan_crypto_policy_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-configure_openssl_crypto_policy_action:testaction:1" question_ref="ocil:ssg-configure_openssl_crypto_policy_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-configure_ssh_crypto_policy_action:testaction:1" question_ref="ocil:ssg-configure_ssh_crypto_policy_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-harden_openssl_crypto_policy_action:testaction:1" question_ref="ocil:ssg-harden_openssl_crypto_policy_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-harden_ssh_client_crypto_policy_action:testaction:1" question_ref="ocil:ssg-harden_ssh_client_crypto_policy_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-harden_sshd_crypto_policy_action:testaction:1" question_ref="ocil:ssg-harden_sshd_crypto_policy_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-package_MFEhiplsm_installed_action:testaction:1" question_ref="ocil:ssg-package_MFEhiplsm_installed_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-configure_user_data_backups_action:testaction:1" question_ref="ocil:ssg-configure_user_data_backups_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-enable_dracut_fips_module_action:testaction:1" question_ref="ocil:ssg-enable_dracut_fips_module_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-enable_fips_mode_action:testaction:1" question_ref="ocil:ssg-enable_fips_mode_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-etc_system_fips_exists_action:testaction:1" question_ref="ocil:ssg-etc_system_fips_exists_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-grub2_enable_fips_mode_action:testaction:1" question_ref="ocil:ssg-grub2_enable_fips_mode_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-package_dracut-fips-aesni_installed_action:testaction:1" question_ref="ocil:ssg-package_dracut-fips-aesni_installed_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-package_dracut-fips_installed_action:testaction:1" question_ref="ocil:ssg-package_dracut-fips_installed_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sysctl_crypto_fips_enabled_action:testaction:1" question_ref="ocil:ssg-sysctl_crypto_fips_enabled_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-aide_build_database_action:testaction:1" question_ref="ocil:ssg-aide_build_database_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-package_aide_installed_action:testaction:1" question_ref="ocil:ssg-package_aide_installed_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-rpm_verify_ownership_action:testaction:1" question_ref="ocil:ssg-rpm_verify_ownership_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-rpm_verify_permissions_action:testaction:1" question_ref="ocil:ssg-rpm_verify_permissions_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-package_sudo_installed_action:testaction:1" question_ref="ocil:ssg-package_sudo_installed_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sudo_add_noexec_action:testaction:1" question_ref="ocil:ssg-sudo_add_noexec_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sudo_add_requiretty_action:testaction:1" question_ref="ocil:ssg-sudo_add_requiretty_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sudo_add_use_pty_action:testaction:1" question_ref="ocil:ssg-sudo_add_use_pty_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sudo_custom_logfile_action:testaction:1" question_ref="ocil:ssg-sudo_custom_logfile_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sudo_remove_no_authenticate_action:testaction:1" question_ref="ocil:ssg-sudo_remove_no_authenticate_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sudo_remove_nopasswd_action:testaction:1" question_ref="ocil:ssg-sudo_remove_nopasswd_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sudo_require_authentication_action:testaction:1" question_ref="ocil:ssg-sudo_require_authentication_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sudo_vdsm_nopasswd_action:testaction:1" question_ref="ocil:ssg-sudo_vdsm_nopasswd_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sudoers_explicit_command_args_action:testaction:1" question_ref="ocil:ssg-sudoers_explicit_command_args_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sudoers_no_command_negation_action:testaction:1" question_ref="ocil:ssg-sudoers_no_command_negation_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-sudoers_no_root_target_action:testaction:1" question_ref="ocil:ssg-sudoers_no_root_target_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-package_gnutls-utils_installed_action:testaction:1" question_ref="ocil:ssg-package_gnutls-utils_installed_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-package_nss-tools_installed_action:testaction:1" question_ref="ocil:ssg-package_nss-tools_installed_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-ensure_redhat_gpgkey_installed_action:testaction:1" question_ref="ocil:ssg-ensure_redhat_gpgkey_installed_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-        <ocil:boolean_question_test_action id="ocil:ssg-prefer_64bit_os_action:testaction:1" question_ref="ocil:ssg-prefer_64bit_os_question:question:1">
-          <ocil:when_true>
-            <ocil:result>PASS</ocil:result>
-          </ocil:when_true>
-          <ocil:when_false>
-            <ocil:result>FAIL</ocil:result>
-          </ocil:when_false>
-        </ocil:boolean_question_test_action>
-      </ocil:test_actions>
-      <ocil:questions>
-        <ocil:boolean_question id="ocil:ssg-service_cron_enabled_question:question:1">
-          <ocil:question_text>
-As a user with administrator privileges, log into a node in the relevant pool:
-
-$ oc debug node/$NODE_NAME
-
-At the sh-4.4# prompt, run:
-
-# chroot /host
-
-
-Run the following command to determine the current status of the
-cron service:
-$ sudo systemctl is-active cron
-If the service is running, it should return the following: active
-      Is it the case that ?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-package_bind_removed_question:question:1">
-          <ocil:question_text>Run the following command to determine if the bind package is installed:
-$ rpm -q bind
-      Is it the case that the package is installed?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-fapolicyd_prevent_home_folder_access_question:question:1">
-          <ocil:question_text>Verify that fapolicyd on Red Hat Enterprise Linux CoreOS 4 prevents ability of non-privileged users to grant other users direct access to the contents of their home directories/folders.
-Run the following command:
-
-grep -r "deny_audit perm=chmod path=/home" /etc/fapolicyd/rules.d
-      Is it the case that fapolicyd allows non-privileged users to grant other users direct access to the contents of their home directories/folders?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-package_fapolicyd_installed_question:question:1">
-          <ocil:question_text>Run the following command to determine if the fapolicyd package is installed: $ rpm -q fapolicyd
-      Is it the case that the package is not installed?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-service_fapolicyd_enabled_question:question:1">
-          <ocil:question_text>
-As a user with administrator privileges, log into a node in the relevant pool:
-
-$ oc debug node/$NODE_NAME
-
-At the sh-4.4# prompt, run:
-
-# chroot /host
-
-
-Run the following command to determine the current status of the
-fapolicyd service:
-$ sudo systemctl is-active fapolicyd
-If the service is running, it should return the following: active
-      Is it the case that the service is not enabled?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kerberos_disable_no_keytab_question:question:1">
-          <ocil:question_text>Run the following command to see if there are some keytabs
-that would potentially allow the use of Kerberos by system daemons.
-$ ls -la /etc/*.keytab
-The expected result is
-ls: cannot access '/etc/*.keytab': No such file or directory
-      Is it the case that a keytab file is present on the system?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-package_openldap-clients_removed_question:question:1">
-          <ocil:question_text>Run the following command to determine if the openldap-clients package is installed:
-$ rpm -q openldap-clients
-      Is it the case that the package is installed?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-postfix_client_configure_mail_alias_question:question:1">
-          <ocil:question_text>Find the list of alias maps used by the Postfix mail server:
-$ sudo postconf alias_maps
-Query the Postfix alias maps for an alias for the root user:
-$ sudo postmap -q root hash:/etc/aliases
-The output should return an alias.
-      Is it the case that the alias is not set?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-postfix_client_configure_mail_alias_postmaster_question:question:1">
-          <ocil:question_text>Find the list of alias maps used by the Postfix mail server:
-$ sudo postconf alias_maps
-Query the Postfix alias maps for an alias for the postmaster user:
-$ sudo postmap -q postmaster hash:/etc/aliases
-The output should return root.
-      Is it the case that the alias is not set or is not root?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-postfix_client_configure_relayhost_question:question:1">
-          <ocil:question_text>Run the following command to ensure postfix routes mail to this system:
-$ grep relayhost /etc/postfix/main.cf
-If properly configured, the output should show only .
-      Is it the case that it is not?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-package_postfix_installed_question:question:1">
-          <ocil:question_text>Run the following command to determine if the postfix package is installed: $ rpm -q postfix
-      Is it the case that the package is not installed?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-package_sendmail_removed_question:question:1">
-          <ocil:question_text>Run the following command to determine if the sendmail package is installed:
-$ rpm -q sendmail
-      Is it the case that the package is installed?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-no_all_squash_exports_question:question:1">
-          <ocil:question_text>To verify all squashing has been disabled, run the following command:
-$ grep all_squash /etc/exports
-      Is it the case that there is output?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-chronyd_client_only_question:question:1">
-          <ocil:question_text>To verify that port has been set properly, perform the following:
-$ grep '\bport\b' /etc/chrony.conf
-The output should return
-port 0
-      Is it the case that port is not set or port is set to a non-zero value?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-chronyd_no_chronyc_network_question:question:1">
-          <ocil:question_text>To verify that cmdport has been set properly, perform the following:
-$ grep '\bcmdport\b' /etc/chrony.conf
-The output should return
-cmdport 0
-      Is it the case that cmdport is not set or cmdport is set to a non-zero value?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-chronyd_or_ntpd_set_maxpoll_question:question:1">
-          <ocil:question_text>Verify Red Hat Enterprise Linux CoreOS 4 is securely comparing internal information system clocks at a regular interval with an NTP server with the following commands:
-
-To verify that maxpoll has been set properly, perform the following:
-$ sudo grep maxpoll /etc/ntp.conf /etc/chrony.conf
-The output should return:
-maxpoll .
-      Is it the case that maxpoll does not exist or maxpoll has not been set to the expected value of &lt;sub idref="var_time_service_set_maxpoll" /&gt;?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-chronyd_or_ntpd_specify_remote_server_question:question:1">
-          <ocil:question_text>To verify that a remote NTP service is configured for time synchronization,
-open the following file:
-
-/etc/chrony.conf in the case the system in question is
-configured to use the chronyd as the NTP daemon (default setting)
-/etc/ntp.conf in the case the system in question is configured
-to use the ntpd as the NTP daemon
-
-In the file, there should be a section similar to the following:
-server ntpserver
-      Is it the case that this is not the case?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-chronyd_server_directive_question:question:1">
-          <ocil:question_text>Run the following command and verify that time sources are only configure with server directive:
-# grep -E "^(server|pool)" /etc/chrony.conf
-A line with the appropriate server should be returned, any line returned starting with pool is a finding.
-      Is it the case that an authoritative remote time server is not configured or configured with pool directive?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-chronyd_specify_remote_server_question:question:1">
-          <ocil:question_text>Run the following command and verify remote server is configured properly:
-# grep -E "^(server|pool)" /etc/chrony.conf
-      Is it the case that a remote time server is not configured?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-ntpd_specify_remote_server_question:question:1">
-          <ocil:question_text>To verify that a remote NTP service is configured for time synchronization,
-open the following file:
-/etc/ntp.conf
-In the file, there should be a section similar to the following:
-server ntpserver
-      Is it the case that this is not the case?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-package_chrony_installed_question:question:1">
-          <ocil:question_text>Run the following command to determine if the chrony package is installed: $ rpm -q chrony
-      Is it the case that the package is not installed?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-package_ntp_installed_question:question:1">
-          <ocil:question_text>Run the following command to determine if the ntp package is installed: $ rpm -q ntp
-      Is it the case that the package is not installed?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-service_chronyd_enabled_question:question:1">
-          <ocil:question_text>
-As a user with administrator privileges, log into a node in the relevant pool:
-
-$ oc debug node/$NODE_NAME
-
-At the sh-4.4# prompt, run:
-
-# chroot /host
-
-
-Run the following command to determine the current status of the
-chronyd service:
-$ sudo systemctl is-active chronyd
-If the service is running, it should return the following: active
-      Is it the case that the chronyd process is not running?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-service_chronyd_or_ntpd_enabled_question:question:1">
-          <ocil:question_text>
-As a user with administrator privileges, log into a node in the relevant pool:
-
-$ oc debug node/$NODE_NAME
-
-At the sh-4.4# prompt, run:
-
-# chroot /host
-
-
-Run the following command to determine the current status of the
-chronyd service:
-$ sudo systemctl is-active chronyd
-If the service is running, it should return the following: active
-
-As a user with administrator privileges, log into a node in the relevant pool:
-
-$ oc debug node/$NODE_NAME
-
-At the sh-4.4# prompt, run:
-
-# chroot /host
-
-
-Run the following command to determine the current status of the
-ntpd service:
-$ sudo systemctl is-active ntpd
-If the service is running, it should return the following: active
-      Is it the case that ?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-service_ntp_enabled_question:question:1">
-          <ocil:question_text>
-As a user with administrator privileges, log into a node in the relevant pool:
-
-$ oc debug node/$NODE_NAME
-
-At the sh-4.4# prompt, run:
-
-# chroot /host
-
-
-Run the following command to determine the current status of the
-ntp service:
-$ sudo systemctl is-active ntp
-If the service is running, it should return the following: active
-      Is it the case that ?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-service_ntpd_enabled_question:question:1">
-          <ocil:question_text>
-As a user with administrator privileges, log into a node in the relevant pool:
-
-$ oc debug node/$NODE_NAME
-
-At the sh-4.4# prompt, run:
-
-# chroot /host
-
-
-Run the following command to determine the current status of the
-ntpd service:
-$ sudo systemctl is-active ntpd
-If the service is running, it should return the following: active
-      Is it the case that ?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-no_rsh_trust_files_question:question:1">
-          <ocil:question_text>The existence of the file /etc/hosts.equiv or a file named
-.rhosts inside a user home directory indicates the presence
-of an Rsh trust relationship.
-      Is it the case that these files exist?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-service_rngd_enabled_question:question:1">
-          <ocil:question_text>
-As a user with administrator privileges, log into a node in the relevant pool:
-
-$ oc debug node/$NODE_NAME
-
-At the sh-4.4# prompt, run:
-
-# chroot /host
-
-
-Run the following command to determine the current status of the
-rngd service:
-$ sudo systemctl is-active rngd
-If the service is running, it should return the following: active
-      Is it the case that the "rngd" service is disabled, masked, or not started.?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-package_samba-common_installed_question:question:1">
-          <ocil:question_text>Run the following command to determine if the samba-common package is installed: $ rpm -q samba-common
-      Is it the case that the package is not installed?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-package_net-snmp_removed_question:question:1">
-          <ocil:question_text>Run the following command to determine if the net-snmp package is installed:
-$ rpm -q net-snmp
-      Is it the case that the package is installed?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-ssh_client_rekey_limit_question:question:1">
-          <ocil:question_text>To check if RekeyLimit is set correctly, run the following command:
-$ sudo grep RekeyLimit /etc/ssh/ssh_config.d/*.conf
-If configured properly, output should be
-/etc/ssh/ssh_config.d/02-rekey-limit.conf:
-RekeyLimit  
-Check also the main configuration file with the following command:
-$ sudo grep RekeyLimit /etc/ssh/ssh_config
-The command should not return any output.
-      Is it the case that it is commented out or is not set?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-disable_host_auth_question:question:1">
-          <ocil:question_text>To determine how the SSH daemon's HostbasedAuthentication option is set, run the following command:
-
-$ sudo grep -i HostbasedAuthentication /etc/ssh/sshd_config
-
-If a line indicating no is returned, then the required value is set.
-
-      Is it the case that the required value is not set?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sshd_allow_only_protocol2_question:question:1">
-          <ocil:question_text>To check which SSH protocol version is allowed, check version of openssh-server with following command:
-
-$ rpm -qi openssh-server | grep Version
-
-Versions equal to or higher than 7.4 only allow Protocol 2.
-If version is lower than 7.4, run the following command to check configuration:
-$ sudo grep Protocol /etc/ssh/sshd_config
-If configured properly, output should be Protocol 2
-      Is it the case that it is commented out or is not set correctly to Protocol 2?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sshd_disable_compression_question:question:1">
-          <ocil:question_text>To check if compression is enabled or set correctly, run the
-following command:
-$ sudo grep Compression /etc/ssh/sshd_config
-If configured properly, output should be no or delayed.
-      Is it the case that it is commented out, or is not set to no or delayed?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sshd_disable_empty_passwords_question:question:1">
-          <ocil:question_text>To determine how the SSH daemon's PermitEmptyPasswords option is set, run the following command:
-
-$ sudo grep -i PermitEmptyPasswords /etc/ssh/sshd_config
-
-If a line indicating no is returned, then the required value is set.
-
-      Is it the case that the required value is not set?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sshd_disable_gssapi_auth_question:question:1">
-          <ocil:question_text>To determine how the SSH daemon's GSSAPIAuthentication option is set, run the following command:
-
-$ sudo grep -i GSSAPIAuthentication /etc/ssh/sshd_config
-
-If a line indicating no is returned, then the required value is set.
-
-      Is it the case that the required value is not set?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sshd_disable_kerb_auth_question:question:1">
-          <ocil:question_text>To determine how the SSH daemon's KerberosAuthentication option is set, run the following command:
-
-$ sudo grep -i KerberosAuthentication /etc/ssh/sshd_config
-
-If a line indicating no is returned, then the required value is set.
-
-      Is it the case that the required value is not set?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sshd_disable_pubkey_auth_question:question:1">
-          <ocil:question_text>To determine how the SSH daemon's PubkeyAuthentication option is set, run the following command:
-
-$ sudo grep -i PubkeyAuthentication /etc/ssh/sshd_config
-
-If a line indicating no is returned, then the required value is set.
-
-      Is it the case that the required value is not set?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sshd_disable_rhosts_question:question:1">
-          <ocil:question_text>To determine how the SSH daemon's IgnoreRhosts option is set, run the following command:
-
-$ sudo grep -i IgnoreRhosts /etc/ssh/sshd_config
-
-If a line indicating yes is returned, then the required value is set.
-
-      Is it the case that the required value is not set?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sshd_disable_rhosts_rsa_question:question:1">
-          <ocil:question_text>To check which SSH protocol version is allowed, check version of
-openssh-server with following command:
-$ rpm -qi openssh-server | grep Version
-Versions equal to or higher than 7.4 have deprecated the RhostsRSAAuthentication option.
-If version is lower than 7.4, run the following command to check configuration:
-To determine how the SSH daemon's RhostsRSAAuthentication option is set, run the following command:
-
-$ sudo grep -i RhostsRSAAuthentication /etc/ssh/sshd_config
-
-If a line indicating no is returned, then the required value is set.
-
-      Is it the case that the required value is not set?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sshd_disable_root_login_question:question:1">
-          <ocil:question_text>To determine how the SSH daemon's PermitRootLogin option is set, run the following command:
-
-$ sudo grep -i PermitRootLogin /etc/ssh/sshd_config
-
-If a line indicating no is returned, then the required value is set.
-
-      Is it the case that the required value is not set?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sshd_disable_root_password_login_question:question:1">
-          <ocil:question_text>To determine how the SSH daemon's PermitRootLogin option is set, run the following command:
-
-$ sudo grep -i PermitRootLogin /etc/ssh/sshd_config
-
-If a line indicating prohibit-password is returned, then the required value is set.
-      Is it the case that it is commented out or not configured properly?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sshd_disable_tcp_forwarding_question:question:1">
-          <ocil:question_text>To determine how the SSH daemon's AllowTcpForwarding option is set, run the following command:
-
-$ sudo grep -i AllowTcpForwarding /etc/ssh/sshd_config
-
-If a line indicating no is returned, then the required value is set.
-      Is it the case that The AllowTcpForwarding option exists and is disabled?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sshd_disable_user_known_hosts_question:question:1">
-          <ocil:question_text>To determine how the SSH daemon's IgnoreUserKnownHosts option is set, run the following command:
-
-$ sudo grep -i IgnoreUserKnownHosts /etc/ssh/sshd_config
-
-If a line indicating yes is returned, then the required value is set.
-
-      Is it the case that the required value is not set?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sshd_disable_x11_forwarding_question:question:1">
-          <ocil:question_text>To determine how the SSH daemon's X11Forwarding option is set, run the following command:
-
-$ sudo grep -i X11Forwarding /etc/ssh/sshd_config
-
-If a line indicating no is returned, then the required value is set.
-
-      Is it the case that the required value is not set?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sshd_do_not_permit_user_env_question:question:1">
-          <ocil:question_text>To determine how the SSH daemon's PermitUserEnvironment option is set, run the following command:
-
-$ sudo grep -i PermitUserEnvironment /etc/ssh/sshd_config
-
-If a line indicating no is returned, then the required value is set.
-
-      Is it the case that the required value is not set?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sshd_enable_gssapi_auth_question:question:1">
-          <ocil:question_text>To determine how the SSH daemon's GSSAPIAuthentication option is set, run the following command:
-
-$ sudo grep -i GSSAPIAuthentication /etc/ssh/sshd_config
-
-If a line indicating yes is returned, then the required value is set.
-
-      Is it the case that the required value is not set?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sshd_enable_pam_question:question:1">
-          <ocil:question_text>To determine how the SSH daemon's UsePAM option is set, run the following command:
-
-$ sudo grep -i UsePAM /etc/ssh/sshd_config
-
-If a line indicating yes is returned, then the required value is set.
-
-      Is it the case that the required value is not set?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sshd_enable_pubkey_auth_question:question:1">
-          <ocil:question_text>To determine how the SSH daemon's PubkeyAuthentication option is set, run the following command:
-
-$ sudo grep -i PubkeyAuthentication /etc/ssh/sshd_config
-
-If a line indicating yes is returned, then the required value is set.
-
-      Is it the case that the required value is not set?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sshd_enable_strictmodes_question:question:1">
-          <ocil:question_text>To determine how the SSH daemon's StrictModes option is set, run the following command:
-
-$ sudo grep -i StrictModes /etc/ssh/sshd_config
-
-If a line indicating yes is returned, then the required value is set.
-
-      Is it the case that the required value is not set?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sshd_enable_warning_banner_question:question:1">
-          <ocil:question_text>To determine how the SSH daemon's Banner option is set, run the following command:
-
-$ sudo grep -i Banner /etc/ssh/sshd_config
-
-If a line indicating /etc/issue is returned, then the required value is set.
-
-      Is it the case that the required value is not set?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sshd_enable_warning_banner_net_question:question:1">
-          <ocil:question_text>To determine how the SSH daemon's Banner option is set, run the following command:
-
-$ sudo grep -i Banner /etc/ssh/sshd_config
-
-If a line indicating /etc/issue.net is returned, then the required value is set.
-
-      Is it the case that the required value is not set?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sshd_enable_x11_forwarding_question:question:1">
-          <ocil:question_text>To determine how the SSH daemon's X11Forwarding option is set, run the following command:
-
-$ sudo grep -i X11Forwarding /etc/ssh/sshd_config
-
-If a line indicating yes is returned, then the required value is set.
-
-      Is it the case that the required value is not set?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sshd_limit_user_access_question:question:1">
-          <ocil:question_text>To ensure sshd limits the users who can log in, run the following:
-$ sudo grep AllowUsers /etc/ssh/sshd_config
-If properly configured, the output should be a list of usernames allowed to log in
-to this system.
-      Is it the case that sshd does not limit the users who can log in?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sshd_print_last_log_question:question:1">
-          <ocil:question_text>To determine how the SSH daemon's PrintLastLog option is set, run the following command:
-
-$ sudo grep -i PrintLastLog /etc/ssh/sshd_config
-
-If a line indicating yes is returned, then the required value is set.
-
-      Is it the case that the required value is not set?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sshd_rekey_limit_question:question:1">
-          <ocil:question_text>To check if RekeyLimit is set correctly, run the
-following command:
-
-$ sudo grep RekeyLimit /etc/ssh/sshd_config
-
-If configured properly, output should be
-RekeyLimit  
-      Is it the case that it is commented out or is not set?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sshd_set_idle_timeout_question:question:1">
-          <ocil:question_text>Run the following command to see what the timeout interval is:
-$ sudo grep ClientAliveInterval /etc/ssh/sshd_config
-If properly configured, the output should be:
-ClientAliveInterval 
-      Is it the case that it is commented out or not configured properly?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sshd_set_keepalive_question:question:1">
-          <ocil:question_text>To ensure ClientAliveInterval is set correctly, run the following command:
-$ sudo grep ClientAliveCountMax /etc/ssh/sshd_config
-If properly configured, the output should be:
-ClientAliveCountMax 
-For SSH earlier than v8.2, a ClientAliveCountMax value of 0 causes an idle timeout precisely when
-the ClientAliveInterval is set.  Starting with v8.2, a value of 0 disables the timeout
-functionality completely.
-If the option is set to a number greater than 0, then the idle session will be disconnected after
-ClientAliveInterval * ClientAliveCountMax seconds.
-      Is it the case that it is commented out or not configured properly?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sshd_set_keepalive_0_question:question:1">
-          <ocil:question_text>To ensure ClientAliveInterval is set correctly, run the following command:
-
-$ sudo grep ClientAliveCountMax /etc/ssh/sshd_config
-
-If properly configured, the output should be:
-ClientAliveCountMax 0
-
-In this case, the SSH idle timeout occurs precisely when
-the ClientAliveInterval is set.
-      Is it the case that it is commented out or not configured properly?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sshd_set_login_grace_time_question:question:1">
-          <ocil:question_text>To ensure LoginGraceTime is set correctly, run the following command:
-$ sudo grep LoginGraceTime /etc/ssh/sshd_config
-If properly configured, the output should be:
-LoginGraceTime 
-If the option is set to a number greater than 0, then the unauthenticated session will be disconnected
-after the configured number seconds.
-      Is it the case that it is commented out or not configured properly?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sshd_set_loglevel_info_question:question:1">
-          <ocil:question_text>To determine how the SSH daemon's LogLevel option is set, run the following command:
-
-$ sudo grep -i LogLevel /etc/ssh/sshd_config
-
-If a line indicating INFO is returned, then the required value is set.
-
-      Is it the case that the required value is not set?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sshd_set_loglevel_verbose_question:question:1">
-          <ocil:question_text>To determine how the SSH daemon's LogLevel option is set, run the following command:
-
-$ sudo grep -i LogLevel /etc/ssh/sshd_config
-
-If a line indicating VERBOSE is returned, then the required value is set.
-
-      Is it the case that the required value is not set?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sshd_set_max_auth_tries_question:question:1">
-          <ocil:question_text>To ensure the MaxAuthTries parameter is set, run the following command:
-$ sudo grep MaxAuthTries /etc/ssh/sshd_config
-If properly configured, output should be:
-MaxAuthTries 
-      Is it the case that it is commented out or not configured properly?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sshd_set_max_sessions_question:question:1">
-          <ocil:question_text>Run the following command to see what the max sessions number is:
-$ sudo grep MaxSessions /etc/ssh/sshd_config
-If properly configured, the output should be:
-MaxSessions 
-      Is it the case that MaxSessions is not configured or not configured correctly?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sshd_set_maxstartups_question:question:1">
-          <ocil:question_text>To check if MaxStartups is configured, run the following command:
-$ sudo grep MaxStartups /etc/ssh/sshd_config
-If configured, this command should output the configuration.
-      Is it the case that maxstartups is not configured?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sshd_use_priv_separation_question:question:1">
-          <ocil:question_text>To check if UsePrivilegeSeparation is enabled or set correctly, run the
-following command:
-$ sudo grep UsePrivilegeSeparation /etc/ssh/sshd_config
-If configured properly, output should be .
-      Is it the case that it is commented out or is not enabled?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-file_groupowner_sshd_config_question:question:1">
-          <ocil:question_text>To check the group ownership of /etc/ssh/sshd_config,
-you'll need to log into a node in the cluster.
-As a user with administrator privileges, log into a node in the relevant pool:
-
-$ oc debug node/$NODE_NAME
-
-At the sh-4.4# prompt, run:
-
-# chroot /host
-
-
-Then,run the command:
-$ ls -lL /etc/ssh/sshd_config
-If properly configured, the output should indicate the following group-owner:
-root
-      Is it the case that /etc/ssh/sshd_config does not have a group owner of root?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-file_owner_sshd_config_question:question:1">
-          <ocil:question_text>To check the ownership of /etc/ssh/sshd_config,
-you'll need to log into a node in the cluster.
-As a user with administrator privileges, log into a node in the relevant pool:
-
-$ oc debug node/$NODE_NAME
-
-At the sh-4.4# prompt, run:
-
-# chroot /host
-
-
-Then,run the command:
-$ ls -lL /etc/ssh/sshd_config
-If properly configured, the output should indicate the following owner:
-root
-      Is it the case that /etc/ssh/sshd_config does not have an owner of root?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-file_permissions_sshd_config_question:question:1">
-          <ocil:question_text>To check the permissions of /etc/ssh/sshd_config,
-you'll need to log into a node in the cluster.
-As a user with administrator privileges, log into a node in the relevant pool:
-
-$ oc debug node/$NODE_NAME
-
-At the sh-4.4# prompt, run:
-
-# chroot /host
-
-
-Then,run the command:
-$ ls -l /etc/ssh/sshd_config
-If properly configured, the output should indicate the following permissions:
--rw-------
-      Is it the case that /etc/ssh/sshd_config does not have unix mode -rw-------?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-file_permissions_sshd_private_key_question:question:1">
-          <ocil:question_text>To check the permissions of /etc/ssh/*_key,
-you'll need to log into a node in the cluster.
-As a user with administrator privileges, log into a node in the relevant pool:
-
-$ oc debug node/$NODE_NAME
-
-At the sh-4.4# prompt, run:
-
-# chroot /host
-
-
-Then,run the command:
-$ ls -l /etc/ssh/*_key
-If properly configured, the output should indicate the following permissions:
--rw-r-----
-      Is it the case that /etc/ssh/*_key does not have unix mode -rw-r-----?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-file_permissions_sshd_pub_key_question:question:1">
-          <ocil:question_text>To check the permissions of /etc/ssh/*.pub,
-you'll need to log into a node in the cluster.
-As a user with administrator privileges, log into a node in the relevant pool:
-
-$ oc debug node/$NODE_NAME
-
-At the sh-4.4# prompt, run:
-
-# chroot /host
-
-
-Then,run the command:
-$ ls -l /etc/ssh/*.pub
-If properly configured, the output should indicate the following permissions:
--rw-r--r--
-      Is it the case that /etc/ssh/*.pub does not have unix mode -rw-r--r--?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-package_openssh-server_installed_question:question:1">
-          <ocil:question_text>Run the following command to determine if the openssh-server package is installed: $ rpm -q openssh-server
-      Is it the case that the package is not installed?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-package_openssh-server_removed_question:question:1">
-          <ocil:question_text>Run the following command to determine if the openssh-server package is installed: $ rpm -q openssh-server
-      Is it the case that the package is installed?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sssd_enable_smartcards_question:question:1">
-          <ocil:question_text>To verify that smart cards are enabled in SSSD, run the following command:
-$ sudo grep pam_cert_auth /etc/sssd/sssd.conf
-If configured properly, output should be
-pam_cert_auth = True
-      Is it the case that smart cards are not enabled in SSSD?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sssd_offline_cred_expiration_question:question:1">
-          <ocil:question_text>
-To verify that SSSD expires offline credentials, run the following command:
-$ sudo grep offline_credentials_expiration /etc/sssd/sssd.conf
-If configured properly, output should be
-offline_credentials_expiration = 1
-      Is it the case that it does not exist or is not configured properly?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sssd_run_as_sssd_user_question:question:1">
-          <ocil:question_text>To verify that SSSD is configured to run as user sssd, run the following command:
-$ sudo grep -r '\buser\b' /etc/sssd
-If configured properly, output should similar to /etc/sssd/conf.d/ospp.conf:user = sssd.
-Sanity of SSSD configuration in general can be checked using $ sudo sssctl config-check
-      Is it the case that it does not exist or is not configured properly?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-configure_usbguard_auditbackend_question:question:1">
-          <ocil:question_text>To verify that Linux Audit logging is enabled for the USBGuard daemon,
-run the following command:
-$ sudo grep AuditBackend /etc/usbguard/usbguard-daemon.conf
-The output should be
-AuditBackend=LinuxAudit
-      Is it the case that AuditBackend is not set to LinuxAudit?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-package_usbguard_installed_question:question:1">
-          <ocil:question_text>Run the following command to determine if the usbguard package is installed: $ rpm -q usbguard
-      Is it the case that the package is not installed?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-service_usbguard_enabled_question:question:1">
-          <ocil:question_text>
-As a user with administrator privileges, log into a node in the relevant pool:
-
-$ oc debug node/$NODE_NAME
-
-At the sh-4.4# prompt, run:
-
-# chroot /host
-
-
-Run the following command to determine the current status of the
-usbguard service:
-$ sudo systemctl is-active usbguard
-If the service is running, it should return the following: active
-      Is it the case that the service is not enabled?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-usbguard_allow_hid_question:question:1">
-          <ocil:question_text>To verify that USB Human Interface Devices will be authorized by the USBGuard daemon,
-run the following command:
-$ sudo grep allow /etc/usbguard/rules.conf
-The output lines should include
-allow with-interface match-all { 03:*:* }
-      Is it the case that USB devices of class 3 are not authorized?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-usbguard_allow_hid_and_hub_question:question:1">
-          <ocil:question_text>To verify that USB Human Interface Devices and hubs will be authorized by the USBGuard daemon,
-run the following command:
-$ sudo grep allow /etc/usbguard/rules.conf
-The output lines should include
-allow with-interface match-all { 03:*:* 09:00:* }
-      Is it the case that USB devices of class 3 and 9:00 are not authorized?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-usbguard_allow_hub_question:question:1">
-          <ocil:question_text>To verify that USB hubs will be authorized by the USBGuard daemon,
-run the following command:
-$ sudo grep allow /etc/usbguard/rules.conf
-One of the output lines should be
-allow with-interface match-all { 09:00:* }
-      Is it the case that USB devices of class 9 are not authorized?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-banner_etc_issue_question:question:1">
-          <ocil:question_text>To check if the system login banner is compliant,
-run the following command:
-$ cat /etc/issue
-      Is it the case that it does not display the required banner?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-file_groupowner_etc_issue_question:question:1">
-          <ocil:question_text>To check the group ownership of /etc/issue,
-you'll need to log into a node in the cluster.
-As a user with administrator privileges, log into a node in the relevant pool:
-
-$ oc debug node/$NODE_NAME
-
-At the sh-4.4# prompt, run:
-
-# chroot /host
-
-
-Then,run the command:
-$ ls -lL /etc/issue
-If properly configured, the output should indicate the following group-owner:
-root
-      Is it the case that /etc/issue does not have a group owner of root?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-file_owner_etc_issue_question:question:1">
-          <ocil:question_text>To check the ownership of /etc/issue,
-you'll need to log into a node in the cluster.
-As a user with administrator privileges, log into a node in the relevant pool:
-
-$ oc debug node/$NODE_NAME
-
-At the sh-4.4# prompt, run:
-
-# chroot /host
-
-
-Then,run the command:
-$ ls -lL /etc/issue
-If properly configured, the output should indicate the following owner:
-root
-      Is it the case that /etc/issue does not have an owner of root?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-file_permissions_etc_issue_question:question:1">
-          <ocil:question_text>To check the permissions of /etc/issue,
-you'll need to log into a node in the cluster.
-As a user with administrator privileges, log into a node in the relevant pool:
-
-$ oc debug node/$NODE_NAME
-
-At the sh-4.4# prompt, run:
-
-# chroot /host
-
-
-Then,run the command:
-$ ls -l /etc/issue
-If properly configured, the output should indicate the following permissions:
--rw-r--r--
-      Is it the case that /etc/issue does not have unix mode -rw-r--r--?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-account_passwords_pam_faillock_audit_question:question:1">
-          <ocil:question_text>Verify the "/etc/security/faillock.conf" file is configured to log user name information when unsuccessful logon attempts occur:
-
-$ sudo grep audit /etc/security/faillock.conf
-
-audit
-      Is it the case that the "audit" option is not set, is missing or commented out?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-account_passwords_pam_faillock_dir_question:question:1">
-          <ocil:question_text>Verify the "/etc/security/faillock.conf" file is configured use a non-default faillock directory to ensure contents persist after reboot:
-
-$ sudo grep 'dir =' /etc/security/faillock.conf
-
-dir = /var/log/faillock
-      Is it the case that the "dir" option is not set to a non-default documented tally log directory, is missing or commented out?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-disallow_bypass_password_sudo_question:question:1">
-          <ocil:question_text>Verify the operating system is not configured to bypass password requirements for privilege
-escalation. Check the configuration of the "/etc/pam.d/sudo" file with the following command:
-$ sudo grep pam_succeed_if /etc/pam.d/sudo
-      Is it the case that system is configured to bypass password requirements for privilege escalation?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-display_login_attempts_question:question:1">
-          <ocil:question_text>Verify users are provided with feedback on when account accesses last occurred with the following command:
-
-$ grep pam_lastlog.so /etc/pam.d/postlogin
-      Is it the case that "pam_lastlog" is missing from "/etc/pam.d/postlogin" file, or the silent option is present?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-configure_bashrc_exec_tmux_question:question:1">
-          <ocil:question_text>To verify that tmux is configured to execute,
-run the following command:
-$ grep -A1 -B3 "case ..name. in sshd|login) exec tmux ;; esac" /etc/bashrc /etc/profile.d/*
-The output should return the following:
-if [ "$PS1" ]; then
-  parent=$(ps -o ppid= -p $$)
-  name=$(ps -o comm= -p $parent)
-  case "$name" in sshd|login) exec tmux ;; esac
-fi
-      Is it the case that exec tmux is not present at the end of bashrc?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-configure_tmux_lock_after_time_question:question:1">
-          <ocil:question_text>To verify that session locking after period of inactivity is configured in tmux,
-run the following command:
-
-$ sudo grep lock-after-time /etc/tmux.conf
-
-The output should return the following:
-
-set -g lock-after-time 900
-
-Then, verify that the /etc/tmux.conf file can be read by other users than root:
-
-$ sudo ls -al /etc/tmux.conf
-      Is it the case that lock-after-time is set to a value greater than 900 or zero?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-configure_tmux_lock_command_question:question:1">
-          <ocil:question_text>To verify that vlock is configured as a locking mechanism in tmux, run the following command:
-
-$ sudo grep lock-command /etc/tmux.conf
-
-The output should return the following:
-
-set -g lock-command vlock
-
-Then, verify that the /etc/tmux.conf file can be read by other users than root:
-
-$ sudo ls -al /etc/tmux.conf
-      Is it the case that lock-command is not set?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-no_tmux_in_shells_question:question:1">
-          <ocil:question_text>To verify that tmux is not listed as allowed shell on the system
-run the following command:
-$ grep 'tmux$' /etc/shells
-The output should be empty.
-      Is it the case that tmux is listed in /etc/shells?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-package_tmux_installed_question:question:1">
-          <ocil:question_text>Run the following command to determine if the tmux package is installed: $ rpm -q tmux
-      Is it the case that the package is not installed?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-coreos_disable_interactive_boot_question:question:1">
-          <ocil:question_text>Inspect /proc/cmdline for any instances of
-systemd.confirm_spawn=(1|yes|true|on) in the kernel boot arguments.
-Presence of a systemd.confirm_spawn=(1|yes|true|on) indicates
-that interactive boot is enabled at boot time.
-      Is it the case that Interactive boot is enabled at boot time?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-disable_ctrlaltdel_burstaction_question:question:1">
-          <ocil:question_text>To ensure the system is configured to ignore the Ctrl-Alt-Del setting,
-enter the following command:
-$ sudo grep -i ctrlaltdelburstaction /etc/systemd/system.conf
-The output should return:
-CtrlAltDelBurstAction=none
-      Is it the case that the system is configured to reboot when Ctrl-Alt-Del is pressed more than 7 times in 2 seconds.?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-disable_ctrlaltdel_reboot_question:question:1">
-          <ocil:question_text>To ensure the system is configured to mask the Ctrl-Alt-Del sequence, Check
-that the ctrl-alt-del.target is masked and not active with the following
-command:
-sudo systemctl status ctrl-alt-del.target
-The output should indicate that the target is masked and not active. It
-might resemble following output:
-ctrl-alt-del.target
-Loaded: masked (/dev/null; bad)
-Active: inactive (dead)
-      Is it the case that the system is configured to reboot when Ctrl-Alt-Del is pressed?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-grub2_disable_interactive_boot_question:question:1">
-          <ocil:question_text>Inspect /etc/default/grub for any instances of
-systemd.confirm_spawn=(1|yes|true|on) in the kernel boot arguments.
-Presence of a systemd.confirm_spawn=(1|yes|true|on) indicates
-that interactive boot is enabled at boot time and verify that
-GRUB_DISABLE_RECOVERY=true to disable recovery boot.
-      Is it the case that Interactive boot is enabled at boot time?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-require_singleuser_auth_question:question:1">
-          <ocil:question_text>To check if authentication is required for single-user mode, run the following command:
-$ grep sulogin /usr/lib/systemd/system/rescue.service
-The output should be similar to the following, and the line must begin with
-ExecStart and /usr/lib/systemd/systemd-sulogin-shell.
-    ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue
-
-
-Then, verify that the rescue service is in the runlevel1.target.
-Run the following command:
-$ sudo grep "^Requires=.*rescue.service" /usr/lib/systemd/system/runlevel1.target
-The output should be the following:
-Requires=sysinit.target rescue.service
-
-Then, check if there is no custom runlevel1 target configured in systemd configuration.
-Run the following command:
-$ sudo grep -r "^runlevel1.target$" /etc/systemd/system
-There should be no output.
-
-Then, check if there is no custom rescue service configured in systemd configuration.
-Run the following command:
-$ sudo grep -r "^rescue.service$" /etc/systemd/system
-There should be no output.
-      Is it the case that the output is different?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-service_debug-shell_disabled_question:question:1">
-          <ocil:question_text>To check that the debug-shell service is disabled in system boot configuration,
-You'll need to log into a node in the cluster.
-As a user with administrator privileges, log into a node in the relevant pool:
-
-$ oc debug node/$NODE_NAME
-
-At the sh-4.4# prompt, run:
-
-# chroot /host
-
-
-Subsequently,run the following command:
-$ sudo systemctl is-enabled debug-shell
-Output should indicate the debug-shell service has either not been installed,
-or has been disabled at all runlevels, as shown in the example below:
-$ sudo systemctl is-enabled debug-shell disabled
-
-Run the following command to verify debug-shell is not active (i.e. not running) through current runtime configuration:
-$ sudo systemctl is-active debug-shell
-
-If the service is not running the command will return the following output:
-inactive
-
-The service will also be masked, to check that the debug-shell is masked, run the following command:
-$ sudo systemctl show debug-shell | grep "LoadState\|UnitFileState"
-
-If the service is masked the command will return the following outputs:
-
-LoadState=masked
-
-UnitFileState=masked
-      Is it the case that the "debug-shell" is loaded and not masked?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-account_disable_post_pw_expiration_question:question:1">
-          <ocil:question_text>To verify the INACTIVE setting, run the following command:
-$ grep "INACTIVE" /etc/default/useradd
-The output should indicate the INACTIVE configuration option is set
-to an appropriate integer as shown in the example below:
-$ grep "INACTIVE" /etc/default/useradd
-INACTIVE=
-      Is it the case that the value of INACTIVE is greater than the expected value or is -1?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-account_unique_name_question:question:1">
-          <ocil:question_text>To verify all accounts have unique names, run the following command:
-$ sudo getent passwd | awk -F: '{ print $1}' | uniq -d
-No output should be returned.
-      Is it the case that a line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-account_use_centralized_automated_auth_question:question:1">
-          <ocil:question_text>Verify that the system is integrated with a centralized authentication mechanism
-such as as Active Directory, Kerberos, Directory Server, etc. that has
-automated account mechanisms in place.
-      Is it the case that the system is not using a centralized authentication mechanism, or it is not automated?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-accounts_maximum_age_login_defs_question:question:1">
-          <ocil:question_text>To check the maximum password age, run the command:
-$ grep PASS_MAX_DAYS /etc/login.defs
-The profile requirement is .
-      Is it the case that PASS_MAX_DAYS is not set equal to or greater than the required value?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-accounts_minimum_age_login_defs_question:question:1">
-          <ocil:question_text>To check the minimum password age, run the command:
-$ grep PASS_MIN_DAYS /etc/login.defs
-      Is it the case that it is not equal to or greater than the required value?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-accounts_password_minlen_login_defs_question:question:1">
-          <ocil:question_text>To check the minimum password length, run the command:
-$ grep PASS_MIN_LEN /etc/login.defs
-The DoD requirement is 15.
-      Is it the case that it is not set to the required value?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-accounts_password_warn_age_login_defs_question:question:1">
-          <ocil:question_text>To check the password warning age, run the command:
-$ grep PASS_WARN_AGE /etc/login.defs
-The DoD requirement is 7.
-      Is it the case that it is not set to the required value?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-accounts_password_all_shadowed_question:question:1">
-          <ocil:question_text>To check that no password hashes are stored in
-/etc/passwd, run the following command:
-awk '!/\S:x|\*/ {print}' /etc/passwd
-If it produces any output, then a password hash is
-stored in /etc/passwd.
-      Is it the case that any stored hashes are found in /etc/passwd?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-gid_passwd_group_same_question:question:1">
-          <ocil:question_text>To ensure all GIDs referenced in /etc/passwd are defined in /etc/group,
-run the following command:
-$ sudo pwck -qr
-There should be no output.
-      Is it the case that GIDs referenced in /etc/passwd are returned as not defined in /etc/group?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-no_empty_passwords_question:question:1">
-          <ocil:question_text>To verify that null passwords cannot be used, run the following command:
-
-$ grep nullok /etc/pam.d/system-auth /etc/pam.d/password-auth
-
-If this produces any output, it may be possible to log into accounts
-with empty passwords. Remove any instances of the nullok option to
-prevent logins with empty passwords.
-      Is it the case that NULL passwords can be used?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-no_empty_passwords_etc_shadow_question:question:1">
-          <ocil:question_text>To verify that null passwords cannot be used, run the following command:
-$ sudo awk -F: '!$2 {print $1}' /etc/shadow
-If this produces any output, it may be possible to log into accounts
-with empty passwords.
-      Is it the case that Blank or NULL passwords can be used?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-no_legacy_plus_entries_etc_group_question:question:1">
-          <ocil:question_text>To check for legacy lines in /etc/group, run the following command:
- grep '^\+' /etc/group
-The command should not return any output.
-      Is it the case that the file contains legacy lines?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-no_legacy_plus_entries_etc_passwd_question:question:1">
-          <ocil:question_text>To check for legacy lines in /etc/passwd, run the following command:
- grep '^\+' /etc/passwd
-The command should not return any output.
-      Is it the case that the file contains legacy lines?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-no_legacy_plus_entries_etc_shadow_question:question:1">
-          <ocil:question_text>To check for legacy lines in /etc/shadow, run the following command:
- grep '^\+' /etc/shadow
-The command should not return any output.
-      Is it the case that the file contains legacy lines?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-no_netrc_files_question:question:1">
-          <ocil:question_text>To check the system for the existence of any .netrc files,
-run the following command:
-$ sudo find /home -xdev -name .netrc
-      Is it the case that any .netrc files exist?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-accounts_no_uid_except_zero_question:question:1">
-          <ocil:question_text>Check the system for duplicate UID "0" assignments with the following command:
-$ awk -F: '($3 == \"0\") {print}' /etc/passwd
-      Is it the case that any account other than root has a UID of 0?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-accounts_root_gid_zero_question:question:1">
-          <ocil:question_text>To verify that root's primary group is zero run the following command:
-
-    grep '^root:' /etc/passwd | cut -d : -f 4
-
-The command should return:
-
-0
-
-      Is it the case that root has a primary gid not equal to zero?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-no_direct_root_logins_question:question:1">
-          <ocil:question_text>To ensure root may not directly login to the system over physical consoles,
-run the following command:
-cat /etc/securetty
-If any output is returned, this is a finding.
-      Is it the case that the /etc/securetty file is not empty?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-no_password_auth_for_systemaccounts_question:question:1">
-          <ocil:question_text>To obtain a listing of all users and the contents of their shadow password
-field, run the command:
-$ sudo awk -F: '$1 !~ /^root$/ &amp;&amp; $2 !~ /^[!*]/ {print $1 ":" $2}' /etc/shadow
-Identify the system accounts from this listing. These will primarily be the accounts
-with UID numbers less than UID_MIN, other than root. Value of the UID_MIN
-directive is set in /etc/login.defs configuration file. In the default
-configuration, UID_MIN is set to 500.
-      Is it the case that it is not?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-no_shelllogin_for_systemaccounts_question:question:1">
-          <ocil:question_text>To obtain a listing of all users, their UIDs, and their shells, run the
-command: $ awk -F: '{print $1 ":" $3 ":" $7}' /etc/passwd Identify
-the system accounts from this listing. These will primarily be the accounts
-with UID numbers less than UID_MIN, other than root. Value of the UID_MIN
-directive is set in /etc/login.defs configuration file. In the default
-configuration UID_MIN is set to 1000.
-      Is it the case that any system account (other than root) has a login shell?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-restrict_serial_port_logins_question:question:1">
-          <ocil:question_text>To check for serial port entries which permit root login,
-run the following command:
-$ sudo grep ^ttyS/[0-9] /etc/securetty
-If any output is returned, then root login over serial ports is permitted.
-      Is it the case that root login over serial ports is permitted?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-securetty_root_login_console_only_question:question:1">
-          <ocil:question_text>To check for virtual console entries which permit root login, run the
-following command:
-$ sudo grep ^vc/[0-9] /etc/securetty
-If any output is returned, then root logins over virtual console devices is permitted.
-      Is it the case that root login over virtual console devices is permitted?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-accounts_root_path_dirs_no_write_question:question:1">
-          <ocil:question_text>To ensure write permissions are disabled for group and other
- for each element in root's path, run the following command:
-# ls -ld DIR
-      Is it the case that group or other write permissions exist?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-accounts_umask_etc_bashrc_question:question:1">
-          <ocil:question_text>Verify the umask setting is configured correctly in the /etc/bashrc file by
-running the following command:
-$ sudo grep "umask" /etc/bashrc
-All output must show the value of umask set as shown below:
-umask 
-      Is it the case that the above command returns no output, or the umask is configured incorrectly?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-accounts_umask_etc_csh_cshrc_question:question:1">
-          <ocil:question_text>Verify the umask setting is configured correctly in the /etc/csh.cshrc file by
-running the following command:
-$ sudo grep "umask" /etc/csh.cshrc
-All output must show the value of umask set as shown in the below:
-umask 
-      Is it the case that the above command returns no output, or the umask is configured incorrectly?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-accounts_umask_etc_login_defs_question:question:1">
-          <ocil:question_text>Verify the UMASK setting is configured correctly in the /etc/login.defs file by
-running the following command:
-$ sudo grep "UMASK" /etc/login.defs
-All output must show the value of UMASK set as shown in the below:
-UMASK 
-      Is it the case that the above command returns no output, or the umask is configured incorrectly?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-accounts_umask_etc_profile_question:question:1">
-          <ocil:question_text>Verify the umask setting is configured correctly in the /etc/profile file by
-running the following command:
-$ sudo grep "umask" /etc/profile
-All output must show the value of umask set as shown in the below:
-umask 
-      Is it the case that the above command returns no output, or the umask is configured incorrectly?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-accounts_logon_fail_delay_question:question:1">
-          <ocil:question_text>Verify the FAIL_DELAY setting is configured correctly in the /etc/login.defs file by
-running the following command:
-$ sudo grep -i "FAIL_DELAY" /etc/login.defs
-All output must show the value of FAIL_DELAY set as shown in the below:
-$ sudo grep -i "FAIL_DELAY" /etc/login.defs
-FAIL_DELAY 
-      Is it the case that the above command returns no output, or FAIL_DELAY is configured less than the expected value?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-accounts_max_concurrent_login_sessions_question:question:1">
-          <ocil:question_text>Run the following command to ensure the maxlogins value is
-configured for all users on the system:
-# grep "maxlogins" /etc/security/limits.conf /etc/security/limits.d/*.conf
-You should receive output similar to the following:
-*\t\thard\tmaxlogins\t
-      Is it the case that maxlogins is not equal to or less than the expected value?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-accounts_polyinstantiated_tmp_question:question:1">
-          <ocil:question_text>Run the following command to ensure that /tmp is configured as a
-polyinstantiated directory:
-$ sudo grep /tmp /etc/security/namespace.conf
-The output should return the following:
-/tmp     /tmp/tmp-inst/            level      root,adm
-      Is it the case that is not configured?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-accounts_polyinstantiated_var_tmp_question:question:1">
-          <ocil:question_text>Run the following command to ensure that /var/tmp is configured as a
-polyinstantiated directory:
-$ sudo grep /var/tmp /etc/security/namespace.conf
-The output should return the following:
-/var/tmp /var/tmp/tmp-inst/    level      root,adm
-      Is it the case that is not configured?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-accounts_tmout_question:question:1">
-          <ocil:question_text>Run the following command to ensure the TMOUT value is configured for all users
-on the system:
-
-$ sudo grep TMOUT /etc/profile /etc/profile.d/*.sh
-
-The output should return the following:
-TMOUT=
-      Is it the case that TMOUT is not set or its value is greater than expected setting?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-file_permissions_home_dirs_question:question:1">
-          <ocil:question_text>To ensure the user home directory is not group-writable or world-readable, run the following:
-# ls -ld /home/USER
-      Is it the case that the user home directory is group-writable or world-readable?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_dac_modification_chmod_question:question:1">
-          <ocil:question_text>To determine if the system is configured to audit calls to the
-chmod system call, run the following command:
-$ sudo grep "chmod" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line.
-
-      Is it the case that no line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_dac_modification_chown_question:question:1">
-          <ocil:question_text>To determine if the system is configured to audit calls to the
-chown system call, run the following command:
-$ sudo grep "chown" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line.
-
-      Is it the case that no line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_dac_modification_fchmod_question:question:1">
-          <ocil:question_text>To determine if the system is configured to audit calls to the
-fchmod system call, run the following command:
-$ sudo grep "fchmod" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line.
-
-      Is it the case that no line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_dac_modification_fchmodat_question:question:1">
-          <ocil:question_text>To determine if the system is configured to audit calls to the
-fchmodat system call, run the following command:
-$ sudo grep "fchmodat" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line.
-
-      Is it the case that no line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_dac_modification_fchown_question:question:1">
-          <ocil:question_text>To determine if the system is configured to audit calls to the
-fchown system call, run the following command:
-$ sudo grep "fchown" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line.
-
-      Is it the case that no line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_dac_modification_fchownat_question:question:1">
-          <ocil:question_text>To determine if the system is configured to audit calls to the
-fchownat system call, run the following command:
-$ sudo grep "fchownat" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line.
-
-      Is it the case that no line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_dac_modification_fremovexattr_question:question:1">
-          <ocil:question_text>To determine if the system is configured to audit calls to the
-fremovexattr system call, run the following command:
-$ sudo grep "fremovexattr" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line.
-
-      Is it the case that no line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_dac_modification_fsetxattr_question:question:1">
-          <ocil:question_text>To determine if the system is configured to audit calls to the
-fsetxattr system call, run the following command:
-$ sudo grep "fsetxattr" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line.
-
-      Is it the case that no line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_dac_modification_lchown_question:question:1">
-          <ocil:question_text>To determine if the system is configured to audit calls to the
-lchown system call, run the following command:
-$ sudo grep "lchown" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line.
-
-      Is it the case that no line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_dac_modification_lremovexattr_question:question:1">
-          <ocil:question_text>To determine if the system is configured to audit calls to the
-lremovexattr system call, run the following command:
-$ sudo grep "lremovexattr" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line.
-
-      Is it the case that no line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_dac_modification_lsetxattr_question:question:1">
-          <ocil:question_text>To determine if the system is configured to audit calls to the
-lsetxattr system call, run the following command:
-$ sudo grep "lsetxattr" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line.
-
-      Is it the case that no line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_dac_modification_removexattr_question:question:1">
-          <ocil:question_text>To determine if the system is configured to audit calls to the
-removexattr system call, run the following command:
-$ sudo grep "removexattr" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line.
-
-      Is it the case that no line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_dac_modification_setxattr_question:question:1">
-          <ocil:question_text>To determine if the system is configured to audit calls to the
-setxattr system call, run the following command:
-$ sudo grep "setxattr" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line.
-
-      Is it the case that no line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_dac_modification_umount_question:question:1">
-          <ocil:question_text>Verify that Red Hat Enterprise Linux CoreOS 4 generates an audit record for all uses of the "umount" and system call.
-To determine if the system is configured to audit calls to the
-"umount" system call, run the following command:
-$ sudo grep "umount" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line like the following.
--a always,exit -F arch=b32 -S umount -F auid&gt;=1000 -F auid!=unset -k privileged-umount
-      Is it the case that the command does not return a line, or the line is commented out?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_dac_modification_umount2_question:question:1">
-          <ocil:question_text>To determine if the system is configured to audit calls to the
-umount2 system call, run the following command:
-$ sudo grep "umount2" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line.
-
-      Is it the case that no line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_execution_chcon_question:question:1">
-          <ocil:question_text>Verify Red Hat Enterprise Linux CoreOS 4 generates an audit record for all uses of the "chcon" command.
-To verify that execution of the command is being audited, run the following command:
-$ sudo grep "path=/usr/bin/chcon" /etc/audit/audit.rules /etc/audit/rules.d/*
-The output should return something similar to:
--a always,exit -F path=/usr/bin/chcon -F auid&gt;=1000 -F auid!=unset -F key=perm_mod
-      Is it the case that the command does not return a line, or the line is commented out?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_execution_restorecon_question:question:1">
-          <ocil:question_text>Verify that an audit event is generated for any successful/unsuccessful use of the restorecon command by performing the following command to check the file system rules in "/etc/audit/audit.rules":
-
-$ sudo grep -w restorecon /etc/audit/audit.rules
-
--a always,exit -F path=/usr/sbin/restorecon -F perm=x -F auid&gt;=1000 -F auid!=unset -k privileged-restorecon
-      Is it the case that the command does not return a line, or the line is commented out?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_execution_semanage_question:question:1">
-          <ocil:question_text>Verify Red Hat Enterprise Linux CoreOS 4 generates an audit record for all uses of the "semanage" command.
-To verify that execution of the command is being audited, run the following command:
-$ sudo grep "path=/usr/sbin/semanage" /etc/audit/audit.rules /etc/audit/rules.d/*
-The output should return something similar to:
--a always,exit -F path=/usr/sbin/semanage -F auid&gt;=1000 -F auid!=unset -F key=perm_mod
-      Is it the case that the command does not return a line, or the line is commented out?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_execution_setfiles_question:question:1">
-          <ocil:question_text>Verify Red Hat Enterprise Linux CoreOS 4 generates an audit record for all uses of the "setfiles" command.
-To verify that execution of the command is being audited, run the following command:
-$ sudo grep "path=/usr/sbin/setfiles" /etc/audit/audit.rules /etc/audit/rules.d/*
-The output should return something similar to:
--a always,exit -F path=/usr/sbin/setfiles -F auid&gt;=1000 -F auid!=unset -F key=privileged-setfiles
-      Is it the case that the command does not return a line, or the line is commented out?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_execution_setsebool_question:question:1">
-          <ocil:question_text>Verify Red Hat Enterprise Linux CoreOS 4 generates an audit record for all uses of the "setsebool" command.
-To verify that execution of the command is being audited, run the following command:
-$ sudo grep "path=/usr/sbin/setsebool" /etc/audit/audit.rules /etc/audit/rules.d/*
-The output should return something similar to:
--a always,exit -F path=/usr/sbin/setsebool -F auid&gt;=1000 -F auid!=unset -F key=privileged
-      Is it the case that the command does not return a line, or the line is commented out?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_execution_seunshare_question:question:1">
-          <ocil:question_text>To verify that execution of the command is being audited, run the following command:
-$ sudo grep "path=/usr/sbin/seunshare" /etc/audit/audit.rules /etc/audit/rules.d/*
-The output should return something similar to:
--a always,exit -F path=/usr/sbin/seunshare -F auid&gt;=1000 -F auid!=unset -F key=privileged
-      Is it the case that ?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_file_deletion_events_question:question:1">
-          <ocil:question_text>To determine if the system is configured to audit calls to the
-rmdir system call, run the following command:
-$ sudo grep "rmdir" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line.
-To determine if the system is configured to audit calls to the
-unlink system call, run the following command:
-$ sudo grep "unlink" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line.
-To determine if the system is configured to audit calls to the
-unlinkat system call, run the following command:
-$ sudo grep "unlinkat" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line.
-To determine if the system is configured to audit calls to the
-rename system call, run the following command:
-$ sudo grep "rename" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line.
-To determine if the system is configured to audit calls to the
-renameat system call, run the following command:
-$ sudo grep "renameat" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line.
-      Is it the case that no line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_file_deletion_events_rename_question:question:1">
-          <ocil:question_text>To determine if the system is configured to audit calls to the
-rename system call, run the following command:
-$ sudo grep "rename" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line.
-
-      Is it the case that no line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_file_deletion_events_renameat_question:question:1">
-          <ocil:question_text>To determine if the system is configured to audit calls to the
-renameat system call, run the following command:
-$ sudo grep "renameat" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line.
-
-      Is it the case that no line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_file_deletion_events_rmdir_question:question:1">
-          <ocil:question_text>To determine if the system is configured to audit calls to the
-rmdir system call, run the following command:
-$ sudo grep "rmdir" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line.
-
-      Is it the case that no line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_file_deletion_events_unlink_question:question:1">
-          <ocil:question_text>To determine if the system is configured to audit calls to the
-unlink system call, run the following command:
-$ sudo grep "unlink" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line.
-
-      Is it the case that no line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_file_deletion_events_unlinkat_question:question:1">
-          <ocil:question_text>To determine if the system is configured to audit calls to the
-unlinkat system call, run the following command:
-$ sudo grep "unlinkat" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line.
-
-      Is it the case that no line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_unsuccessful_file_modification_question:question:1">
-          <ocil:question_text>To verify that the audit system collects unauthorized file accesses, run the following commands:
-$ sudo grep EACCES /etc/audit/audit.rules
-$ sudo grep EPERM /etc/audit/audit.rules
-      Is it the case that 32-bit and 64-bit system calls to creat, open, openat, open_by_handle_at, truncate, and ftruncate are not audited during EACCES and EPERM?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_unsuccessful_file_modification_chmod_question:question:1">
-          <ocil:question_text>To determine if the system is configured to audit unsuccessful calls
-to the chmod system call, run the following command:
-$ sudo grep "chmod" /etc/audit.*
-If the system is configured to audit this activity, it will return a line.
-
-      Is it the case that no line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_unsuccessful_file_modification_chown_question:question:1">
-          <ocil:question_text>To determine if the system is configured to audit unsuccessful calls
-to the chown system call, run the following command:
-$ sudo grep "chown" /etc/audit.*
-If the system is configured to audit this activity, it will return a line.
-
-      Is it the case that no line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_unsuccessful_file_modification_creat_question:question:1">
-          <ocil:question_text>Verify Red Hat Enterprise Linux CoreOS 4 generates an audit record for unsuccessful attempts to use the creat system call.
-
-If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command:
-
-$ sudo grep -r creat /etc/audit/rules.d
-
-If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command:
-
-$ sudo grep creat /etc/audit/audit.rules
-
-The output should be the following:
-
--a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
--a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
--a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
--a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
-      Is it the case that the command does not return a line, or the line is commented out?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_unsuccessful_file_modification_fchmod_question:question:1">
-          <ocil:question_text>To determine if the system is configured to audit unsuccessful calls
-to the fchmod system call, run the following command:
-$ sudo grep "fchmod" /etc/audit.*
-If the system is configured to audit this activity, it will return a line.
-
-      Is it the case that no line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_unsuccessful_file_modification_fchmodat_question:question:1">
-          <ocil:question_text>To determine if the system is configured to audit unsuccessful calls
-to the fchmodat system call, run the following command:
-$ sudo grep "fchmodat" /etc/audit.*
-If the system is configured to audit this activity, it will return a line.
-
-      Is it the case that no line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_unsuccessful_file_modification_fchown_question:question:1">
-          <ocil:question_text>To determine if the system is configured to audit unsuccessful calls
-to the fchown system call, run the following command:
-$ sudo grep "fchown" /etc/audit.*
-If the system is configured to audit this activity, it will return a line.
-
-      Is it the case that no line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_unsuccessful_file_modification_fchownat_question:question:1">
-          <ocil:question_text>To determine if the system is configured to audit unsuccessful calls
-to the fchownat system call, run the following command:
-$ sudo grep "fchownat" /etc/audit.*
-If the system is configured to audit this activity, it will return a line.
-
-      Is it the case that no line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_unsuccessful_file_modification_fremovexattr_question:question:1">
-          <ocil:question_text>To determine if the system is configured to audit unsuccessful calls
-to the fremovexattr system call, run the following command:
-$ sudo grep "fremovexattr" /etc/audit.*
-If the system is configured to audit this activity, it will return a line.
-
-      Is it the case that no line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_unsuccessful_file_modification_fsetxattr_question:question:1">
-          <ocil:question_text>To determine if the system is configured to audit unsuccessful calls
-to the fsetxattr system call, run the following command:
-$ sudo grep "fsetxattr" /etc/audit.*
-If the system is configured to audit this activity, it will return a line.
-
-      Is it the case that no line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_unsuccessful_file_modification_ftruncate_question:question:1">
-          <ocil:question_text>Verify Red Hat Enterprise Linux CoreOS 4 generates an audit record for unsuccessful attempts to use the ftruncate system call.
-
-If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command:
-
-$ sudo grep -r ftruncate /etc/audit/rules.d
-
-If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command:
-
-$ sudo grep ftruncate /etc/audit/audit.rules
-
-The output should be the following:
-
--a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
--a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
--a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
--a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
-      Is it the case that the command does not return a line, or the line is commented out?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_unsuccessful_file_modification_lchown_question:question:1">
-          <ocil:question_text>To determine if the system is configured to audit unsuccessful calls
-to the lchown system call, run the following command:
-$ sudo grep "lchown" /etc/audit.*
-If the system is configured to audit this activity, it will return a line.
-
-      Is it the case that no line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_unsuccessful_file_modification_lremovexattr_question:question:1">
-          <ocil:question_text>To determine if the system is configured to audit unsuccessful calls
-to the lremovexattr system call, run the following command:
-$ sudo grep "lremovexattr" /etc/audit.*
-If the system is configured to audit this activity, it will return a line.
-
-      Is it the case that no line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_unsuccessful_file_modification_lsetxattr_question:question:1">
-          <ocil:question_text>To determine if the system is configured to audit unsuccessful calls
-to the lsetxattr system call, run the following command:
-$ sudo grep "lsetxattr" /etc/audit.*
-If the system is configured to audit this activity, it will return a line.
-
-      Is it the case that no line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_unsuccessful_file_modification_open_question:question:1">
-          <ocil:question_text>Verify Red Hat Enterprise Linux CoreOS 4 generates an audit record for unsuccessful attempts to use the open system call.
-
-If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command:
-
-$ sudo grep -r open /etc/audit/rules.d
-
-If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command:
-
-$ sudo grep open /etc/audit/audit.rules
-
-The output should be the following:
-
--a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
--a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
--a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
--a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
-      Is it the case that the command does not return a line, or the line is commented out?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_question:question:1">
-          <ocil:question_text>Verify Red Hat Enterprise Linux CoreOS 4 generates an audit record for unsuccessful attempts to use the open_by_handle_at system call.
-
-If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command:
-
-$ sudo grep -r open_by_handle_at /etc/audit/rules.d
-
-If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command:
-
-$ sudo grep open_by_handle_at /etc/audit/audit.rules
-
-The output should be the following:
-
--a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
--a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
--a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
--a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
-      Is it the case that the command does not return a line, or the line is commented out?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_o_creat_question:question:1">
-          <ocil:question_text>Verify Red Hat Enterprise Linux CoreOS 4 generates an audit record for unsuccessful attempts to create files using the open_by_handle_at system call with O_CREAT flag.
-
-If the auditd daemon is configured to use the "augenrules" program to read audit rules during daemon startup (the default), run the following command:
-
-$ sudo grep -r open_by_handle_at /etc/audit/rules.d
-
-If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command:
-
-$ sudo grep open_by_handle_at /etc/audit/audit.rules
-
-The output should be the following:
-
--a always,exit -F arch=b32 -S open_by_handle_at -F a2&amp;0100 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b32 -S open_by_handle_at -F a2&amp;0100 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b64 -S open_by_handle_at -F a2&amp;0100 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b64 -S open_by_handle_at -F a2&amp;0100 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-create
-      Is it the case that the command does not return a line, or the line is commented out?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_o_trunc_write_question:question:1">
-          <ocil:question_text>Verify Red Hat Enterprise Linux CoreOS 4 generates an audit record for unsuccessful attempts to modify files using the open_by_handle_at system call with O_TRUNC_WRITE flag.
-
-If the auditd daemon is configured to use the "augenrules" program to read audit rules during daemon startup (the default), run the following command:
-
-$ sudo grep -r open_by_handle_at /etc/audit/rules.d
-
-If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command:
-
-$ sudo grep open_by_handle_at /etc/audit/audit.rules
-
-The output should be the following:
-
--a always,exit -F arch=b32 -S open_by_handle_at -F a2&amp;01003 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b32 -S open_by_handle_at -F a2&amp;01003 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b64 -S open_by_handle_at -F a2&amp;01003 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b64 -S open_by_handle_at -F a2&amp;01003 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-create
-      Is it the case that the command does not return a line, or the line is commented out?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_unsuccessful_file_modification_open_by_handle_at_rule_order_question:question:1">
-          <ocil:question_text>Verify that rules for unsuccessful calls of the open_by_handle_at syscall are in the order shown below.
-
-    If the auditd daemon is configured to use the "augenrules" program to read audit rules during daemon startup (the default), check the order of rules below in a file with suffix ".rules" in the directory "/etc/audit/rules.d".
-    If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, check the order of rules below in "/etc/audit/audit.rules" file.
-
-    -a always,exit -F arch=b32 -S open_by_handle_at -F a2&amp;0100 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-create
-    -a always,exit -F arch=b32 -S open_by_handle_at -F a2&amp;0100 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-create
-    -a always,exit -F arch=b32 -S open_by_handle_at -F a2&amp;01003 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-modification
-    -a always,exit -F arch=b32 -S open_by_handle_at -F a2&amp;01003 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-modification
-    -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-access
-    -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-access
-
-    If the system is 64 bit then also add the following lines:
-
-    -a always,exit -F arch=b64 -S open_by_handle_at -F a2&amp;0100 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-create
-    -a always,exit -F arch=b64 -S open_by_handle_at -F a2&amp;0100 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-create
-    -a always,exit -F arch=b64 -S open_by_handle_at -F a2&amp;01003 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-modification
-    -a always,exit -F arch=b64 -S open_by_handle_at -F a2&amp;01003 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-modification
-    -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-access
-    -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-access
-      Is it the case that the rules are in a different order?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_unsuccessful_file_modification_open_o_creat_question:question:1">
-          <ocil:question_text>Verify Red Hat Enterprise Linux CoreOS 4 generates an audit record for unsuccessful attempts to create files using the open system call with O_CREAT flag.
-
-If the auditd daemon is configured to use the "augenrules" program to read audit rules during daemon startup (the default), run the following command:
-
-$ sudo grep -r open /etc/audit/rules.d
-
-If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command:
-
-$ sudo grep open /etc/audit/audit.rules
-
-The output should be the following:
-
--a always,exit -F arch=b32 -S open -F a1&amp;0100 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b32 -S open -F a1&amp;0100 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b64 -S open -F a1&amp;0100 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b64 -S open -F a1&amp;0100 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-create
-      Is it the case that the command does not return a line, or the line is commented out?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_unsuccessful_file_modification_open_o_trunc_write_question:question:1">
-          <ocil:question_text>Verify Red Hat Enterprise Linux CoreOS 4 generates an audit record for unsuccessful attempts to modify files using the open system call with O_TRUNC_WRITE flag.
-
-If the auditd daemon is configured to use the "augenrules" program to read audit rules during daemon startup (the default), run the following command:
-
-$ sudo grep -r open /etc/audit/rules.d
-
-If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command:
-
-$ sudo grep open /etc/audit/audit.rules
-
-The output should be the following:
-
--a always,exit -F arch=b32 -S open -F a1&amp;01003 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b32 -S open -F a1&amp;01003 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b64 -S open -F a1&amp;01003 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b64 -S open -F a1&amp;01003 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-create
-      Is it the case that the command does not return a line, or the line is commented out?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_unsuccessful_file_modification_open_rule_order_question:question:1">
-          <ocil:question_text>Verify that rules for unsuccessful calls of the open syscall are in the order shown below.
-
-    If the auditd daemon is configured to use the "augenrules" program to read audit rules during daemon startup (the default), check the order of rules below in a file with suffix ".rules" in the directory "/etc/audit/rules.d".
-    If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, check the order of rules below in "/etc/audit/audit.rules" file.
-
-    -a always,exit -F arch=b32 -S open -F a1&amp;0100 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-create
-    -a always,exit -F arch=b32 -S open -F a1&amp;0100 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-create
-    -a always,exit -F arch=b32 -S open -F a1&amp;01003 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-modification
-    -a always,exit -F arch=b32 -S open -F a1&amp;01003 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-modification
-    -a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-access
-    -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-access
-
-    If the system is 64 bit then also add the following lines:
-
-    -a always,exit -F arch=b64 -S open -F a1&amp;0100 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-create
-    -a always,exit -F arch=b64 -S open -F a1&amp;0100 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-create
-    -a always,exit -F arch=b64 -S open -F a1&amp;01003 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-modification
-    -a always,exit -F arch=b64 -S open -F a1&amp;01003 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-modification
-    -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-access
-    -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-access
-      Is it the case that the rules are in a different order?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_unsuccessful_file_modification_openat_question:question:1">
-          <ocil:question_text>Verify Red Hat Enterprise Linux CoreOS 4 generates an audit record for unsuccessful attempts to use the openat system call.
-
-If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command:
-
-$ sudo grep -r openat /etc/audit/rules.d
-
-If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command:
-
-$ sudo grep openat /etc/audit/audit.rules
-
-The output should be the following:
-
--a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
--a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
--a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
--a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
-      Is it the case that the command does not return a line, or the line is commented out?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_unsuccessful_file_modification_openat_o_creat_question:question:1">
-          <ocil:question_text>Verify Red Hat Enterprise Linux CoreOS 4 generates an audit record for unsuccessful attempts to create files using the openat system call with O_CREAT flag.
-
-If the auditd daemon is configured to use the "augenrules" program to read audit rules during daemon startup (the default), run the following command:
-
-$ sudo grep -r openat /etc/audit/rules.d
-
-If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command:
-
-$ sudo grep openat /etc/audit/audit.rules
-
-The output should be the following:
-
--a always,exit -F arch=b32 -S openat -F a2&amp;0100 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b32 -S openat -F a2&amp;0100 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b64 -S openat -F a2&amp;0100 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b64 -S openat -F a2&amp;0100 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-create
-      Is it the case that the command does not return a line, or the line is commented out?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_unsuccessful_file_modification_openat_o_trunc_write_question:question:1">
-          <ocil:question_text>Verify Red Hat Enterprise Linux CoreOS 4 generates an audit record for unsuccessful attempts to modify files using the openat system call with O_TRUNC_WRITE flag.
-
-If the auditd daemon is configured to use the "augenrules" program to read audit rules during daemon startup (the default), run the following command:
-
-$ sudo grep -r openat /etc/audit/rules.d
-
-If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command:
-
-$ sudo grep openat /etc/audit/audit.rules
-
-The output should be the following:
-
--a always,exit -F arch=b32 -S openat -F a2&amp;01003 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b32 -S openat -F a2&amp;01003 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b64 -S openat -F a2&amp;01003 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-create
--a always,exit -F arch=b64 -S openat -F a2&amp;01003 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-create
-      Is it the case that the command does not return a line, or the line is commented out?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_unsuccessful_file_modification_openat_rule_order_question:question:1">
-          <ocil:question_text>Verify that rules for unsuccessful calls of the openat syscall are in the order shown below.
-
-    If the auditd daemon is configured to use the "augenrules" program to read audit rules during daemon startup (the default), check the order of rules below in a file with suffix ".rules" in the directory "/etc/audit/rules.d".
-    If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, check the order of rules below in "/etc/audit/audit.rules" file.
-
-    -a always,exit -F arch=b32 -S openat -F a2&amp;0100 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-create
-    -a always,exit -F arch=b32 -S openat -F a2&amp;0100 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-create
-    -a always,exit -F arch=b32 -S openat -F a2&amp;01003 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-modification
-    -a always,exit -F arch=b32 -S openat -F a2&amp;01003 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-modification
-    -a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-access
-    -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-access
-
-    If the system is 64 bit then also add the following lines:
-
-    -a always,exit -F arch=b64 -S openat -F a2&amp;0100 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-create
-    -a always,exit -F arch=b64 -S openat -F a2&amp;0100 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-create
-    -a always,exit -F arch=b64 -S openat -F a2&amp;01003 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-modification
-    -a always,exit -F arch=b64 -S openat -F a2&amp;01003 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-modification
-    -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-access
-    -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccesful-access
-      Is it the case that the rules are in a different order?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_unsuccessful_file_modification_removexattr_question:question:1">
-          <ocil:question_text>To determine if the system is configured to audit unsuccessful calls
-to the removexattr system call, run the following command:
-$ sudo grep "removexattr" /etc/audit.*
-If the system is configured to audit this activity, it will return a line.
-
-      Is it the case that no line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_unsuccessful_file_modification_rename_question:question:1">
-          <ocil:question_text>Verify Red Hat Enterprise Linux CoreOS 4 generates an audit record for unsuccessful attempts to use the rename system call.
-
-If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command:
-
-$ sudo grep -r rename /etc/audit/rules.d
-
-If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command:
-
-$ sudo grep rename /etc/audit/audit.rules
-
-The output should be the following:
-
--a always,exit -F arch=b32 -S rename -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k unsuccessful-delete
--a always,exit -F arch=b64 -S rename -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k unsuccessful-delete
--a always,exit -F arch=b32 -S rename -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k unsuccessful-delete
--a always,exit -F arch=b64 -S rename -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k unsuccessful-delete
-      Is it the case that the command does not return a line, or the line is commented out?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_unsuccessful_file_modification_renameat_question:question:1">
-          <ocil:question_text>Verify Red Hat Enterprise Linux CoreOS 4 generates an audit record for unsuccessful attempts to use the renameat system call.
-
-If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command:
-
-$ sudo grep -r renameat /etc/audit/rules.d
-
-If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command:
-
-$ sudo grep renameat /etc/audit/audit.rules
-
-The output should be the following:
-
--a always,exit -F arch=b32 -S renameat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k unsuccessful-delete
--a always,exit -F arch=b64 -S renameat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k unsuccessful-delete
--a always,exit -F arch=b32 -S renameat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k unsuccessful-delete
--a always,exit -F arch=b64 -S renameat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k unsuccessful-delete
-      Is it the case that the command does not return a line, or the line is commented out?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_unsuccessful_file_modification_setxattr_question:question:1">
-          <ocil:question_text>To determine if the system is configured to audit unsuccessful calls
-to the setxattr system call, run the following command:
-$ sudo grep "setxattr" /etc/audit.*
-If the system is configured to audit this activity, it will return a line.
-
-      Is it the case that no line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_unsuccessful_file_modification_truncate_question:question:1">
-          <ocil:question_text>Verify Red Hat Enterprise Linux CoreOS 4 generates an audit record for unsuccessful attempts to use the truncate system call.
-
-If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command:
-
-$ sudo grep -r truncate /etc/audit/rules.d
-
-If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command:
-
-$ sudo grep truncate /etc/audit/audit.rules
-
-The output should be the following:
-
--a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
--a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k access
--a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
--a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k access
-      Is it the case that the command does not return a line, or the line is commented out?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_unsuccessful_file_modification_unlink_question:question:1">
-          <ocil:question_text>Verify Red Hat Enterprise Linux CoreOS 4 generates an audit record for unsuccessful attempts to use the unlink system call.
-
-If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command:
-
-$ sudo grep -r unlink /etc/audit/rules.d
-
-If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command:
-
-$ sudo grep unlink /etc/audit/audit.rules
-
-The output should be the following:
-
--a always,exit -F arch=b32 -S unlink -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k unsuccessful-delete
--a always,exit -F arch=b64 -S unlink -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k unsuccessful-delete
--a always,exit -F arch=b32 -S unlink -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k unsuccessful-delete
--a always,exit -F arch=b64 -S unlink -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k unsuccessful-delete
-      Is it the case that the command does not return a line, or the line is commented out?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_unsuccessful_file_modification_unlinkat_question:question:1">
-          <ocil:question_text>Verify Red Hat Enterprise Linux CoreOS 4 generates an audit record for unsuccessful attempts to use the unlinkat system call.
-
-If the auditd daemon is configured to use the "augenrules" program to to read audit rules during daemon startup (the default), run the following command:
-
-$ sudo grep -r unlinkat /etc/audit/rules.d
-
-If the auditd daemon is configured to use the "auditctl" utility to read audit rules during daemon startup, run the following command:
-
-$ sudo grep unlinkat /etc/audit/audit.rules
-
-The output should be the following:
-
--a always,exit -F arch=b32 -S unlinkat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k unsuccessful-delete
--a always,exit -F arch=b64 -S unlinkat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -k unsuccessful-delete
--a always,exit -F arch=b32 -S unlinkat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k unsuccessful-delete
--a always,exit -F arch=b64 -S unlinkat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -k unsuccessful-delete
-      Is it the case that the command does not return a line, or the line is commented out?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_kernel_module_loading_question:question:1">
-          <ocil:question_text>To determine if the system is configured to audit calls to the
-init_module system call, run the following command:
-$ sudo grep "init_module" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line.
-To determine if the system is configured to audit calls to the
-delete_module system call, run the following command:
-$ sudo grep "delete_module" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line.
-      Is it the case that no line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_kernel_module_loading_delete_question:question:1">
-          <ocil:question_text>To determine if the system is configured to audit calls to the
-delete_module system call, run the following command:
-$ sudo grep "delete_module" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line.
-
-      Is it the case that no line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_kernel_module_loading_finit_question:question:1">
-          <ocil:question_text>To determine if the system is configured to audit calls to the
-finit_module system call, run the following command:
-$ sudo grep "finit_module" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line.
-
-      Is it the case that no line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_kernel_module_loading_init_question:question:1">
-          <ocil:question_text>To determine if the system is configured to audit calls to the
-init_module system call, run the following command:
-$ sudo grep "init_module" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line.
-
-      Is it the case that no line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_login_events_faillock_question:question:1">
-          <ocil:question_text>To verify that auditing is configured for system administrator actions, run the following command:
-$ sudo auditctl -l | grep "watch=/var/run/faillock\|-w /var/run/faillock"
-      Is it the case that there is no output?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_login_events_lastlog_question:question:1">
-          <ocil:question_text>To verify that auditing is configured for system administrator actions, run the following command:
-$ sudo auditctl -l | grep "watch=/var/log/lastlog\|-w /var/log/lastlog"
-      Is it the case that there is not output?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_login_events_tallylog_question:question:1">
-          <ocil:question_text>To verify that auditing is configured for system administrator actions, run the following command:
-$ sudo auditctl -l | grep "watch=/var/log/tallylog\|-w /var/log/tallylog"
-      Is it the case that there is not output?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_privileged_commands_init_question:question:1">
-          <ocil:question_text>Verify that an audit event is generated for any successful/unsuccessful use of the init command by performing the following command to check the file system rules in "/etc/audit/audit.rules":
-
-$ sudo grep -w init /etc/audit/audit.rules
-
--a always,exit -F path=/usr/sbin/init -F perm=x -F auid&gt;=1000 -F auid!=unset -k privileged-init
-      Is it the case that the command does not return a line, or the line is commented out?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_privileged_commands_poweroff_question:question:1">
-          <ocil:question_text>Verify that an audit event is generated for any successful/unsuccessful use of the poweroff command by performing the following command to check the file system rules in "/etc/audit/audit.rules":
-
-$ sudo grep -w poweroff /etc/audit/audit.rules
-
--a always,exit -F path=/usr/sbin/poweroff -F perm=x -F auid&gt;=1000 -F auid!=unset -k privileged-poweroff
-      Is it the case that the command does not return a line, or the line is commented out?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_privileged_commands_reboot_question:question:1">
-          <ocil:question_text>Verify that an audit event is generated for any successful/unsuccessful use of the reboot command by performing the following command to check the file system rules in "/etc/audit/audit.rules":
-
-$ sudo grep -w reboot /etc/audit/audit.rules
-
--a always,exit -F path=/usr/sbin/reboot -F perm=x -F auid&gt;=1000 -F auid!=unset -k privileged-reboot
-      Is it the case that the command does not return a line, or the line is commented out?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_privileged_commands_shutdown_question:question:1">
-          <ocil:question_text>Verify that an audit event is generated for any successful/unsuccessful use of the shutdown command by performing the following command to check the file system rules in "/etc/audit/audit.rules":
-
-$ sudo grep -w shutdown /etc/audit/audit.rules
-
--a always,exit -F path=/usr/sbin/shutdown -F perm=x -F auid&gt;=1000 -F auid!=unset -k privileged-shutdown
-      Is it the case that the command does not return a line, or the line is commented out?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_privileged_commands_question:question:1">
-          <ocil:question_text>To verify that auditing of privileged command use is configured, run the
-following command for each local partition PART to find relevant
-setuid / setgid programs:
-$ sudo find PART -xdev -type f -perm -4000 -o -type f -perm -2000 2&gt;/dev/null
-Run the following command to verify entries in the audit rules for all programs
-found with the previous command:
-$ sudo grep path /etc/audit/audit.rules
-All relevant setuid / setgid programs have a line
-in the audit rules.
-      Is it the case that any setuid or setgid programs doesn't have a line in the audit rules?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_privileged_commands_at_question:question:1">
-          <ocil:question_text>To verify that auditing of privileged command use is configured, run the
-following command:
-$ sudo grep '\bat\b' /etc/audit/audit.rules /etc/audit/rules.d/*
-It should return a relevant line in the audit rules.
-      Is it the case that the command does not return a line, or the line is commented out?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_privileged_commands_chage_question:question:1">
-          <ocil:question_text>Verify that an audit event is generated for any successful/unsuccessful use of the chage command by performing the following command to check the file system rules in "/etc/audit/audit.rules":
-
-$ sudo grep -w chage /etc/audit/audit.rules
-
--a always,exit -F path=/usr/bin/chage -F perm=x -F auid&gt;=1000 -F auid!=unset -k privileged-chage
-      Is it the case that the command does not return a line, or the line is commented out?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_privileged_commands_chsh_question:question:1">
-          <ocil:question_text>Verify that an audit event is generated for any successful/unsuccessful use of the chsh command by performing the following command to check the file system rules in "/etc/audit/audit.rules":
-
-$ sudo grep -w chsh /etc/audit/audit.rules
-
--a always,exit -F path=/usr/bin/chsh -F perm=x -F auid&gt;=1000 -F auid!=unset -k privileged-chsh
-      Is it the case that the command does not return a line, or the line is commented out?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_privileged_commands_crontab_question:question:1">
-          <ocil:question_text>Verify that an audit event is generated for any successful/unsuccessful use of the crontab command by performing the following command to check the file system rules in "/etc/audit/audit.rules":
-
-$ sudo grep -w crontab /etc/audit/audit.rules
-
--a always,exit -F path=/usr/bin/crontab -F perm=x -F auid&gt;=1000 -F auid!=unset -k privileged-crontab
-      Is it the case that the command does not return a line, or the line is commented out?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_privileged_commands_gpasswd_question:question:1">
-          <ocil:question_text>Verify that an audit event is generated for any successful/unsuccessful use of the gpasswd command by performing the following command to check the file system rules in "/etc/audit/audit.rules":
-
-$ sudo grep -w gpasswd /etc/audit/audit.rules
-
--a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid&gt;=1000 -F auid!=unset -k privileged-gpasswd
-      Is it the case that the command does not return a line, or the line is commented out?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_privileged_commands_mount_question:question:1">
-          <ocil:question_text>Verify that an audit event is generated for any successful/unsuccessful use of the mount command by performing the following command to check the file system rules in "/etc/audit/audit.rules":
-
-$ sudo grep -w mount /etc/audit/audit.rules
-
--a always,exit -F path=/usr/bin/mount -F perm=x -F auid&gt;=1000 -F auid!=unset -k privileged-mount
-      Is it the case that the command does not return a line, or the line is commented out?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_privileged_commands_newgidmap_question:question:1">
-          <ocil:question_text>To verify that auditing of privileged command use is configured, run the
-following command:
-$ sudo grep newgidmap /etc/audit/audit.rules /etc/audit/rules.d/*
-It should return a relevant line in the audit rules.
-      Is it the case that the command does not return a line, or the line is commented out?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_privileged_commands_newgrp_question:question:1">
-          <ocil:question_text>Verify that an audit event is generated for any successful/unsuccessful use of the newgrp command by performing the following command to check the file system rules in "/etc/audit/audit.rules":
-
-$ sudo grep -w newgrp /etc/audit/audit.rules
-
--a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid&gt;=1000 -F auid!=unset -k privileged-newgrp
-      Is it the case that the command does not return a line, or the line is commented out?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_privileged_commands_newuidmap_question:question:1">
-          <ocil:question_text>To verify that auditing of privileged command use is configured, run the
-following command:
-$ sudo grep newuidmap /etc/audit/audit.rules /etc/audit/rules.d/*
-It should return a relevant line in the audit rules.
-      Is it the case that the command does not return a line, or the line is commented out?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_privileged_commands_pam_timestamp_check_question:question:1">
-          <ocil:question_text>Verify that an audit event is generated for any successful/unsuccessful use of the pam_timestamp_check command by performing the following command to check the file system rules in "/etc/audit/audit.rules":
-
-$ sudo grep -w pam_timestamp_check /etc/audit/audit.rules
-
--a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid&gt;=1000 -F auid!=unset -k privileged-pam_timestamp_check
-      Is it the case that the command does not return a line, or the line is commented out?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_privileged_commands_passwd_question:question:1">
-          <ocil:question_text>Verify that an audit event is generated for any successful/unsuccessful use of the passwd command by performing the following command to check the file system rules in "/etc/audit/audit.rules":
-
-$ sudo grep -w passwd /etc/audit/audit.rules
-
--a always,exit -F path=/usr/bin/passwd -F perm=x -F auid&gt;=1000 -F auid!=unset -k privileged-passwd
-      Is it the case that the command does not return a line, or the line is commented out?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_privileged_commands_postdrop_question:question:1">
-          <ocil:question_text>Verify that an audit event is generated for any successful/unsuccessful use of the postdrop command by performing the following command to check the file system rules in "/etc/audit/audit.rules":
-
-$ sudo grep -w postdrop /etc/audit/audit.rules
-
--a always,exit -F path=/usr/bin/postdrop -F perm=x -F auid&gt;=1000 -F auid!=unset -k privileged-postdrop
-      Is it the case that the command does not return a line, or the line is commented out?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_privileged_commands_postqueue_question:question:1">
-          <ocil:question_text>Verify that an audit event is generated for any successful/unsuccessful use of the postqueue command by performing the following command to check the file system rules in "/etc/audit/audit.rules":
-
-$ sudo grep -w postqueue /etc/audit/audit.rules
-
--a always,exit -F path=/usr/bin/postqueue -F perm=x -F auid&gt;=1000 -F auid!=unset -k privileged-postqueue
-      Is it the case that the command does not return a line, or the line is commented out?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_privileged_commands_pt_chown_question:question:1">
-          <ocil:question_text>Verify that an audit event is generated for any successful/unsuccessful use of the pt_chown command by performing the following command to check the file system rules in "/etc/audit/audit.rules":
-
-$ sudo grep -w pt_chown /etc/audit/audit.rules
-
--a always,exit -F path=/usr/libexec/pt_chown -F perm=x -F auid&gt;=1000 -F auid!=unset -k privileged-pt_chown
-      Is it the case that the command does not return a line, or the line is commented out?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_privileged_commands_ssh_keysign_question:question:1">
-          <ocil:question_text>Verify that an audit event is generated for any successful/unsuccessful use of the ssh-keysign command by performing the following command to check the file system rules in "/etc/audit/audit.rules":
-
-$ sudo grep -w ssh-keysign /etc/audit/audit.rules
-
--a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid&gt;=1000 -F auid!=unset -k privileged-ssh-keysign
-      Is it the case that the command does not return a line, or the line is commented out?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_privileged_commands_su_question:question:1">
-          <ocil:question_text>Verify that an audit event is generated for any successful/unsuccessful use of the su command by performing the following command to check the file system rules in "/etc/audit/audit.rules":
-
-$ sudo grep -w su /etc/audit/audit.rules
-
--a always,exit -F path=/usr/bin/su -F perm=x -F auid&gt;=1000 -F auid!=unset -k privileged-su
-      Is it the case that the command does not return a line, or the line is commented out?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_privileged_commands_sudo_question:question:1">
-          <ocil:question_text>Verify that an audit event is generated for any successful/unsuccessful use of the sudo command by performing the following command to check the file system rules in "/etc/audit/audit.rules":
-
-$ sudo grep -w sudo /etc/audit/audit.rules
-
--a always,exit -F path=/usr/bin/sudo -F perm=x -F auid&gt;=1000 -F auid!=unset -k privileged-sudo
-      Is it the case that the command does not return a line, or the line is commented out?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_privileged_commands_sudoedit_question:question:1">
-          <ocil:question_text>Verify that an audit event is generated for any successful/unsuccessful use of the sudoedit command by performing the following command to check the file system rules in "/etc/audit/audit.rules":
-
-$ sudo grep -w sudoedit /etc/audit/audit.rules
-
--a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid&gt;=1000 -F auid!=unset -k privileged-sudoedit
-      Is it the case that the command does not return a line, or the line is commented out?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_privileged_commands_umount_question:question:1">
-          <ocil:question_text>Verify that an audit event is generated for any successful/unsuccessful use of the umount command by performing the following command to check the file system rules in "/etc/audit/audit.rules":
-
-$ sudo grep -w umount /etc/audit/audit.rules
-
--a always,exit -F path=/usr/bin/umount -F perm=x -F auid&gt;=1000 -F auid!=unset -k privileged-umount
-      Is it the case that the command does not return a line, or the line is commented out?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_privileged_commands_unix_chkpwd_question:question:1">
-          <ocil:question_text>Verify that an audit event is generated for any successful/unsuccessful use of the unix_chkpwd command by performing the following command to check the file system rules in "/etc/audit/audit.rules":
-
-$ sudo grep -w unix_chkpwd /etc/audit/audit.rules
-
--a always,exit -F path=/usr/bin/unix_chkpwd -F perm=x -F auid&gt;=1000 -F auid!=unset -k privileged-unix_chkpwd
-      Is it the case that the command does not return a line, or the line is commented out?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_privileged_commands_userhelper_question:question:1">
-          <ocil:question_text>Verify that an audit event is generated for any successful/unsuccessful use of the userhelper command by performing the following command to check the file system rules in "/etc/audit/audit.rules":
-
-$ sudo grep -w userhelper /etc/audit/audit.rules
-
--a always,exit -F path=/usr/bin/userhelper -F perm=x -F auid&gt;=1000 -F auid!=unset -k privileged-userhelper
-      Is it the case that the command does not return a line, or the line is commented out?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_privileged_commands_usernetctl_question:question:1">
-          <ocil:question_text>To verify that auditing of privileged command use is configured, run the
-following command:
-$ sudo grep usernetctl /etc/audit/audit.rules /etc/audit/rules.d/*
-It should return a relevant line in the audit rules.
-      Is it the case that the command does not return a line, or the line is commented out?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_time_adjtimex_question:question:1">
-          <ocil:question_text>To determine if the system is configured to audit calls to the
-adjtimex system call, run the following command:
-$ sudo grep "adjtimex" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line.
-
-      Is it the case that no line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_time_clock_settime_question:question:1">
-          <ocil:question_text>To determine if the system is configured to audit calls to the
-clock_settime system call, run the following command:
-$ sudo grep "clock_settime" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line.
-
-      Is it the case that no line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_time_settimeofday_question:question:1">
-          <ocil:question_text>To determine if the system is configured to audit calls to the
-settimeofday system call, run the following command:
-$ sudo grep "settimeofday" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line.
-
-      Is it the case that no line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_time_stime_question:question:1">
-          <ocil:question_text>If the system is not configured to audit time changes, this is a finding.
-If the system is 64-bit only, this is not applicable
-ocil: |
-To determine if the system is configured to audit calls to the
-stime system call, run the following command:
-$ sudo grep "stime" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line.
-      Is it the case that no line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_time_watch_localtime_question:question:1">
-          <ocil:question_text>To determine if the system is configured to audit attempts to
-alter time via the /etc/localtime file, run the following
-command:
-$ sudo auditctl -l | grep "watch=/etc/localtime"
-If the system is configured to audit this activity, it will return a line.
-      Is it the case that the system is not configured to audit time changes?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_etc_group_open_question:question:1">
-          <ocil:question_text>To determine if the system is configured to audit calls to the
-open system call, run the following command:
-$ sudo grep "open" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line.
-
-      Is it the case that no line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_etc_group_open_by_handle_at_question:question:1">
-          <ocil:question_text>To determine if the system is configured to audit calls to the
-open_by_handle_at system call, run the following command:
-$ sudo grep "open_by_handle_at" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line.
-
-      Is it the case that no line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_etc_group_openat_question:question:1">
-          <ocil:question_text>To determine if the system is configured to audit calls to the
-openat system call, run the following command:
-$ sudo grep "openat" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line.
-
-      Is it the case that no line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_etc_gshadow_open_question:question:1">
-          <ocil:question_text>To determine if the system is configured to audit calls to the
-open system call, run the following command:
-$ sudo grep "open" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line.
-
-      Is it the case that no line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_etc_gshadow_open_by_handle_at_question:question:1">
-          <ocil:question_text>To determine if the system is configured to audit calls to the
-open_by_handle_at system call, run the following command:
-$ sudo grep "open_by_handle_at" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line.
-
-      Is it the case that no line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_etc_gshadow_openat_question:question:1">
-          <ocil:question_text>To determine if the system is configured to audit calls to the
-openat system call, run the following command:
-$ sudo grep "openat" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line.
-
-      Is it the case that no line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_etc_passwd_open_question:question:1">
-          <ocil:question_text>To determine if the system is configured to audit calls to the
-open system call, run the following command:
-$ sudo grep "open" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line.
-
-      Is it the case that no line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_etc_passwd_open_by_handle_at_question:question:1">
-          <ocil:question_text>To determine if the system is configured to audit calls to the
-open_by_handle_at system call, run the following command:
-$ sudo grep "open_by_handle_at" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line.
-
-      Is it the case that no line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_etc_passwd_openat_question:question:1">
-          <ocil:question_text>To determine if the system is configured to audit calls to the
-openat system call, run the following command:
-$ sudo grep "openat" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line.
-
-      Is it the case that no line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_etc_shadow_open_question:question:1">
-          <ocil:question_text>To determine if the system is configured to audit calls to the
-open system call, run the following command:
-$ sudo grep "open" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line.
-
-      Is it the case that no line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_etc_shadow_open_by_handle_at_question:question:1">
-          <ocil:question_text>To determine if the system is configured to audit calls to the
-open_by_handle_at system call, run the following command:
-$ sudo grep "open_by_handle_at" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line.
-
-      Is it the case that no line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_etc_shadow_openat_question:question:1">
-          <ocil:question_text>To determine if the system is configured to audit calls to the
-openat system call, run the following command:
-$ sudo grep "openat" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line.
-
-      Is it the case that no line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_immutable_question:question:1">
-          <ocil:question_text>Verify the audit system prevents unauthorized changes with the following command:
-
-$ sudo grep "^\s*[^#]" /etc/audit/audit.rules | tail -1
-
--e 2
-      Is it the case that the audit system is not set to be immutable by adding the "-e 2" option to the "/etc/audit/audit.rules"?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_mac_modification_question:question:1">
-          <ocil:question_text>To determine if the system is configured to audit changes to its SELinux
-configuration files, run the following command:
-$ sudo auditctl -l | grep "dir=/etc/selinux"
-If the system is configured to watch for changes to its SELinux
-configuration, a line should be returned (including
-perm=wa indicating permissions that are watched).
-      Is it the case that the system is not configured to audit attempts to change the MAC policy?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_media_export_question:question:1">
-          <ocil:question_text>To determine if the system is configured to audit calls to the
-mount system call, run the following command:
-$ sudo grep "mount" /etc/audit/audit.*
-If the system is configured to audit this activity, it will return a line.
-
-      Is it the case that no line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_networkconfig_modification_question:question:1">
-          <ocil:question_text>To determine if the system is configured to audit changes to its network configuration,
-run the following command:
-auditctl -l | egrep '(/etc/issue|/etc/issue.net|/etc/hosts|/etc/sysconfig/network)'
-If the system is configured to watch for network configuration changes, a line should be returned for
-each file specified (and perm=wa should be indicated for each).
-      Is it the case that the system is not configured to audit changes of the network configuration?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_sysadmin_actions_question:question:1">
-          <ocil:question_text>To verify that auditing is configured for system administrator actions, run the following command:
-$ sudo auditctl -l | grep "watch=/etc/sudoers\|watch=/etc/sudoers.d\|-w /etc/sudoers\|-w /etc/sudoers.d"
-      Is it the case that there is not output?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_usergroup_modification_question:question:1">
-          <ocil:question_text>To determine if the system is configured to audit account changes,
-run the following command:
-auditctl -l | egrep '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)'
-If the system is configured to watch for account changes, lines should be returned for
-each file specified (and with perm=wa for each).
-      Is it the case that the system is not configured to audit account changes?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_usergroup_modification_group_question:question:1">
-          <ocil:question_text>Verify Red Hat Enterprise Linux CoreOS 4 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/group" with the following command:
-
-$ sudo auditctl -l | egrep '(/etc/group)'
-
--w /etc/group -p wa -k identity
-      Is it the case that the command does not return a line, or the line is commented out?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_usergroup_modification_gshadow_question:question:1">
-          <ocil:question_text>Verify Red Hat Enterprise Linux CoreOS 4 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow" with the following command:
-
-$ sudo auditctl -l | egrep '(/etc/gshadow)'
-
--w /etc/gshadow -p wa -k identity
-
-If the command does not return a line, or the line is commented out, this is a finding.
-      Is it the case that the system is not configured to audit account changes?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_usergroup_modification_opasswd_question:question:1">
-          <ocil:question_text>Verify Red Hat Enterprise Linux CoreOS 4 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/security/opasswd" with the following command:
-
-$ sudo auditctl -l | egrep '(/etc/security/opasswd)'
-
--w /etc/security/opasswd -p wa -k identity
-      Is it the case that the command does not return a line, or the line is commented out?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_usergroup_modification_passwd_question:question:1">
-          <ocil:question_text>Verify Red Hat Enterprise Linux CoreOS 4 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd" with the following command:
-
-$  sudo auditctl -l | egrep '(/etc/passwd)'
-
--w /etc/passwd -p wa -k identity
-      Is it the case that the command does not return a line, or the line is commented out?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_usergroup_modification_shadow_question:question:1">
-          <ocil:question_text>Verify Red Hat Enterprise Linux CoreOS 4 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd with the following command:
-
-$  sudo auditctl -l | egrep '(/etc/shadow)'
-
--w /etc/shadow -p wa -k identity
-      Is it the case that command does not return a line, or the line is commented out?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-directory_access_var_log_audit_question:question:1">
-          <ocil:question_text>To determine if the system is configured to audit accesses to
-/var/log/audit directory, run the following command:
-$ sudo grep "dir=/var/log/audit" /etc/audit/audit.rules
-If the system is configured to audit this activity, it will return a line.
-      Is it the case that no line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-directory_permissions_var_log_audit_question:question:1">
-          <ocil:question_text>Verify the audit log directories have a correct mode or less permissive mode.
-
-Find the location of the audit logs:
-
-$ sudo grep "^log_file" /etc/audit/auditd.conf
-
-
-Find the group that owns audit logs:
-
-$ sudo grep "^log_group" /etc/audit/auditd.conf
-
-
-Run the following command to check the mode of the system audit logs:
-
-$ sudo stat -c "%a %n" [audit_log_directory]
-
-Replace "[audit_log_directory]" to the correct audit log directory path, by default this location is "/var/log/audit".
-
-
-If the log_group is "root" or is not set, the correct permissions are 0700, otherwise they are 0750.
-      Is it the case that audit logs have a more permissive mode?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-file_groupownership_audit_configuration_question:question:1">
-          <ocil:question_text>
-To properly set the group owner of /etc/audit/, run the command:
-$ sudo chgrp root /etc/audit/
-
-To properly set the group owner of /etc/audit/rules.d/, run the command:
-$ sudo chgrp root /etc/audit/rules.d/
-      Is it the case that ?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-file_ownership_audit_configuration_question:question:1">
-          <ocil:question_text>
-To properly set the owner of /etc/audit/, run the command:
-$ sudo chown root /etc/audit/ 
-
-To properly set the owner of /etc/audit/rules.d/, run the command:
-$ sudo chown root /etc/audit/rules.d/ 
-      Is it the case that ?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-file_ownership_var_log_audit_question:question:1">
-          <ocil:question_text>
-To properly set the owner of /var/log/audit, run the command:
-$ sudo chown root /var/log/audit 
-
-To properly set the owner of /var/log/audit/*, run the command:
-$ sudo chown root /var/log/audit/* 
-      Is it the case that ?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-file_permissions_var_log_audit_question:question:1">
-          <ocil:question_text>Run the following command to check the mode of the system audit logs:
-$ sudo grep -iw log_file /etc/audit/auditd.conf
-log_file=/var/log/audit/audit.log
-$ sudo stat -c "%n %a" /var/log/audit/*
-$ sudo ls -l /var/log/audit
-Audit logs must be mode 0640 or less permissive.
-      Is it the case that any permissions are more permissive?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-auditd_audispd_configure_remote_server_question:question:1">
-          <ocil:question_text>To verify the audispd plugin off-loads audit records onto a different system or
-media from the system being audited, run the following command:
-$ sudo grep -i remote_server /etc/audit/audisp-remote.conf
-The output should return something similar to
-remote_server = 
-      Is it the case that audispd is not sending logs to a remote system?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-auditd_audispd_disk_full_action_question:question:1">
-          <ocil:question_text>Inspect /etc/audit/audisp-remote.conf and locate the following line to
-determine if the system is configured to either send to syslog, switch to single user mode,
-or halt when the disk is full:
-$ sudo grep -i disk_full_action /etc/audit/audisp-remote.conf
-The output should return something similar to:
-disk_full_action = single
-Acceptable values also include syslog and halt.
-      Is it the case that the system is not configured to switch to single user mode for corrective action?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-auditd_audispd_encrypt_sent_records_question:question:1">
-          <ocil:question_text>To verify the audispd plugin encrypts audit records off-loaded onto a different
-system or media from the system being audited, run the following command:
-
-$ sudo grep -i enable_krb5 /etc/audit/audisp-remote.conf
-The output should return the following:
-enable_krb5 = yes
-      Is it the case that audispd is not encrypting audit records when sent over the network?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-auditd_audispd_network_failure_action_question:question:1">
-          <ocil:question_text>Inspect /etc/audit/audisp-remote.conf and locate the following line to
-determine if the system is configured to perform a correct action according to the policy:
-$ sudo grep -i network_failure_action /etc/audit/audisp-remote.conf
-The output should return:
-network_failure_action = 
-      Is it the case that the system is not configured to switch to single user mode for corrective action?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-auditd_audispd_syslog_plugin_activated_question:question:1">
-          <ocil:question_text>To verify the audispd's syslog plugin is active, run the following command:
-$ sudo grep active /etc/audit/plugins.d/syslog.conf
-If the plugin is active, the output will show yes.
-      Is it the case that it is not activated?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-auditd_data_disk_error_action_question:question:1">
-          <ocil:question_text>Verify Red Hat Enterprise Linux CoreOS 4 takes the appropriate action when an audit processing failure occurs.
-
-Check that Red Hat Enterprise Linux CoreOS 4 takes the appropriate action when an audit processing failure occurs with the following command:
-
-$ sudo grep disk_error_action /etc/audit/auditd.conf
-
-disk_error_action = 
-
-If the value of the "disk_error_action" option is not "SYSLOG", "SINGLE", or "HALT", or the line is commented out, ask the system administrator to indicate how the system takes appropriate action when an audit process failure occurs.
-      Is it the case that there is no evidence of appropriate action?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-auditd_data_disk_error_action_stig_question:question:1">
-          <ocil:question_text>Verify Red Hat Enterprise Linux CoreOS 4 takes the appropriate action when an audit processing failure occurs.
-
-Check that Red Hat Enterprise Linux CoreOS 4 takes the appropriate action when an audit processing failure occurs with the following command:
-
-$ sudo grep disk_error_action /etc/audit/auditd.conf
-
-disk_error_action = HALT
-
-If the value of the "disk_error_action" option is not "SYSLOG", "SINGLE", or "HALT", or the line is commented out, ask the system administrator to indicate how the system takes appropriate action when an audit process failure occurs.
-      Is it the case that there is no evidence of appropriate action?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-auditd_data_disk_full_action_question:question:1">
-          <ocil:question_text>Verify Red Hat Enterprise Linux CoreOS 4 takes the appropriate action when the audit storage volume is full.
-
-Check that Red Hat Enterprise Linux CoreOS 4 takes the appropriate action when the audit storage volume is full with the following command:
-
-$ sudo grep disk_full_action /etc/audit/auditd.conf
-
-disk_full_action = 
-
-If the value of the "disk_full_action" option is not "SYSLOG", "SINGLE", or "HALT", or the line is commented out, ask the system administrator to indicate how the system takes appropriate action when an audit storage volume is full.
-      Is it the case that there is no evidence of appropriate action?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-auditd_data_disk_full_action_stig_question:question:1">
-          <ocil:question_text>Verify Red Hat Enterprise Linux CoreOS 4 takes the appropriate action when the audit storage volume is full.
-
-Check that Red Hat Enterprise Linux CoreOS 4 takes the appropriate action when the audit storage volume is full with the following command:
-
-$ sudo grep disk_full_action /etc/audit/auditd.conf
-
-disk_full_action = HALT
-
-If the value of the "disk_full_action" option is not "SYSLOG", "SINGLE", or "HALT", or the line is commented out, ask the system administrator to indicate how the system takes appropriate action when an audit storage volume is full.
-      Is it the case that there is no evidence of appropriate action?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-auditd_data_retention_action_mail_acct_question:question:1">
-          <ocil:question_text>Verify that the Red Hat Enterprise Linux CoreOS 4 "auditd" service is configured to notify the SA and ISSO in the event of an audit processing failure.
-Inspect /etc/audit/auditd.conf and locate the following line to
-determine if the system is configured to send email to an
-account when it needs to notify an administrator:
-action_mail_acct = 
-      Is it the case that auditd is not configured to send emails per identified actions?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-auditd_data_retention_admin_space_left_action_question:question:1">
-          <ocil:question_text>Inspect /etc/audit/auditd.conf and locate the following line to
-determine if the system is configured to either suspend, switch to single user mode,
-or halt when disk space has run low:
-admin_space_left_action single
-      Is it the case that the system is not configured to switch to single user mode for corrective action?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-auditd_data_retention_flush_question:question:1">
-          <ocil:question_text>Inspect /etc/audit/auditd.conf and locate the following line to
-determine if the system is configured to synchronize audit event data
-with the log files on the disk:
-$ sudo grep flush /etc/audit/auditd.conf
-flush = DATA
-Acceptable values are DATA, and SYNC. The setting is
-case-insensitive.
-      Is it the case that auditd is not configured to synchronously write audit event data to disk?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-auditd_data_retention_max_log_file_question:question:1">
-          <ocil:question_text>Inspect /etc/audit/auditd.conf and locate the following line to
-determine how much data the system will retain in each audit log file:
-$ sudo grep max_log_file /etc/audit/auditd.conf
-max_log_file = 6
-      Is it the case that the system audit data threshold has not been properly configured?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-auditd_data_retention_max_log_file_action_question:question:1">
-          <ocil:question_text>Verify that the SA and ISSO (at a minimum) are notified when the audit storage volume is full.
-
-Check which action Red Hat Enterprise Linux CoreOS 4 takes when the audit storage volume is full with the following command:
-
-$ sudo grep max_log_file_action /etc/audit/auditd.conf
-max_log_file_action = 
-      Is it the case that the value of the "max_log_file_action" option is set to "ignore", "rotate", or "suspend", or the line is commented out?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-auditd_data_retention_max_log_file_action_stig_question:question:1">
-          <ocil:question_text>Verify that the SA and ISSO (at a minimum) are notified when the audit storage volume is full.
-
-Check which action Red Hat Enterprise Linux CoreOS 4 takes when the audit storage volume is full with the following command:
-
-$ sudo grep max_log_file_action /etc/audit/auditd.conf
-max_log_file_action = 
-      Is it the case that the value of the "max_log_file_action" option is set to "ignore", "rotate", or "suspend", or the line is commented out?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-auditd_data_retention_num_logs_question:question:1">
-          <ocil:question_text>Inspect /etc/audit/auditd.conf and locate the following line to
-determine how many logs the system is configured to retain after rotation:
-$ sudo grep num_logs /etc/audit/auditd.conf
-num_logs = 5
-      Is it the case that the system log file retention has not been properly configured?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-auditd_data_retention_space_left_question:question:1">
-          <ocil:question_text>Inspect /etc/audit/auditd.conf and locate the following line to
-determine if the system is configured correctly:
-space_left SIZE_in_MB
-      Is it the case that the system is not configured a specfic size in MB to notify administrators of an issue?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-auditd_data_retention_space_left_action_question:question:1">
-          <ocil:question_text>Inspect /etc/audit/auditd.conf and locate the following line to
-determine if the system is configured to email the administrator when
-disk space is starting to run low:
-$ sudo grep space_left_action /etc/audit/auditd.conf
-space_left_action
-Acceptable values are email, suspend, single, and halt.
-      Is it the case that the system is not configured to send an email to the system administrator when disk space is starting to run low?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-auditd_freq_question:question:1">
-          <ocil:question_text>To verify that Audit Daemon is configured to flush to disk after
-every 50 records, run the following command:
-$ sudo grep freq /etc/audit/auditd.conf
-The output should return the following:
-freq = 50
-      Is it the case that freq isn't set to 50?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-auditd_local_events_question:question:1">
-          <ocil:question_text>To verify that Audit Daemon is configured to include local events, run the
-following command:
-$ sudo grep local_events /etc/audit/auditd.conf
-The output should return the following:
-local_events = yes
-      Is it the case that local_events isn't set to yes?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-auditd_log_format_question:question:1">
-          <ocil:question_text>To verify that Audit Daemon is configured to resolve all uid, gid, syscall,
-architecture, and socket address information before writing the event to disk,
-run the following command:
-$ sudo grep log_format /etc/audit/auditd.conf
-The output should return the following:
-log_format = ENRICHED
-      Is it the case that log_format isn't set to ENRICHED?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-auditd_name_format_question:question:1">
-          <ocil:question_text>To verify that Audit Daemon is configured to record the hostname
-in audit events, run the following command:
-$ sudo grep name_format /etc/audit/auditd.conf
-The output should return the following:
-name_format = hostname
-      Is it the case that name_format isn't set to hostname?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-auditd_overflow_action_question:question:1">
-          <ocil:question_text>Verify the audit system is configured to take an appropriate action when the internal event queue is full:
-$ sudo grep -i overflow_action /etc/audit/auditd.conf
-
-The output should contain overflow_action = syslog
-
-If the value of the "overflow_action" option is not set to syslog,
-single, halt or the line is commented out, ask the System Administrator
-to indicate how the audit logs are off-loaded to a different system or media.
-      Is it the case that auditd overflow action is not set correctly?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-auditd_write_logs_question:question:1">
-          <ocil:question_text>To verify that Audit Daemon is configured to write logs to the disk, run the
-following command:
-$ sudo grep write_logs /etc/audit/auditd.conf
-The output should return the following:
-write_logs = yes
-      Is it the case that write_logs isn't set to yes?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_access_failed_question:question:1">
-          <ocil:question_text>To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command:
-cat /etc/audit/rules.d/30-ospp-v42-3-access-failed.rules
-The output has to be exactly as follows:
-## Unsuccessful file access (any other opens) This has to go last.
--a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-access
--a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-access
--a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-access
--a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-access    
-      Is it the case that the file does not exist or the content differs?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_access_success_question:question:1">
-          <ocil:question_text>To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command:
-cat /etc/audit/rules.d/30-ospp-v42-3-access-success.rules
-The output has to be exactly as follows:
-## Successful file access (any other opens) This has to go last.
-## These next two are likely to result in a whole lot of events
--a always,exit -F arch=b32 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-access
--a always,exit -F arch=b64 -S open,openat,openat2,open_by_handle_at -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-access    
-      Is it the case that the file does not exist or the content differs?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_basic_configuration_question:question:1">
-          <ocil:question_text>To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command:
-cat /etc/audit/rules.d/10-base-config.rules
-The output has to be exactly as follows:
-## First rule - delete all
--D
-
-## Increase the buffers to survive stress events.
-## Make this bigger for busy systems
--b 8192
-
-## This determine how long to wait in burst of events
---backlog_wait_time 60000
-
-## Set failure mode to syslog
--f 1    
-      Is it the case that the file does not exist or the content differs?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_create_failed_question:question:1">
-          <ocil:question_text>To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command:
-cat /etc/audit/rules.d/30-ospp-v42-1-create-failed.rules
-The output has to be exactly as follows:
-## Unsuccessful file creation (open with O_CREAT)
--a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&amp;0100 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-create
--a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&amp;0100 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-create
--a always,exit -F arch=b32 -S open -F a1&amp;0100 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-create
--a always,exit -F arch=b64 -S open -F a1&amp;0100 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-create
--a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-create
--a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-create
--a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&amp;0100 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-create
--a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&amp;0100 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-create
--a always,exit -F arch=b32 -S open -F a1&amp;0100 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-create
--a always,exit -F arch=b64 -S open -F a1&amp;0100 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-create
--a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-create
--a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-create    
-      Is it the case that the file does not exist or the content differs?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_create_success_question:question:1">
-          <ocil:question_text>To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command:
-cat /etc/audit/rules.d/30-ospp-v42-1-create-success.rules
-The output has to be exactly as follows:
-## Successful file creation (open with O_CREAT)
--a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&amp;0100 -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-create
--a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&amp;0100 -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-create
--a always,exit -F arch=b32 -S open -F a1&amp;0100 -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-create
--a always,exit -F arch=b64 -S open -F a1&amp;0100 -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-create
--a always,exit -F arch=b32 -S creat -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-create
--a always,exit -F arch=b64 -S creat -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-create    
-      Is it the case that the file does not exist or the content differs?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_delete_failed_question:question:1">
-          <ocil:question_text>To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command:
-cat /etc/audit/rules.d/30-ospp-v42-4-delete-failed.rules
-The output has to be exactly as follows:
-## Unsuccessful file delete
--a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-delete
--a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-delete
--a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-delete
--a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-delete    
-      Is it the case that the file does not exist or the content differs?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_delete_success_question:question:1">
-          <ocil:question_text>To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command:
-cat /etc/audit/rules.d/30-ospp-v42-4-delete-success.rules
-The output has to be exactly as follows:
-## Successful file delete
--a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-delete
--a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-delete    
-      Is it the case that the file does not exist or the content differs?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_immutable_login_uids_question:question:1">
-          <ocil:question_text>To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command:
-$ sudo cat /etc/audit/rules.d/11-loginuid.rules
-The output has to be exactly as follows:
-## Make the loginuid immutable. This prevents tampering with the auid.
---loginuid-immutable    
-      Is it the case that the file does not exist or the content differs?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_modify_failed_question:question:1">
-          <ocil:question_text>To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command:
-cat /etc/audit/rules.d/30-ospp-v42-2-modify-failed.rules
-The output has to be exactly as follows:
-## Unsuccessful file modifications (open for write or truncate)
--a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&amp;01003 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
--a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&amp;01003 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
--a always,exit -F arch=b32 -S open -F a1&amp;01003 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
--a always,exit -F arch=b64 -S open -F a1&amp;01003 -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
--a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
--a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
--a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&amp;01003 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
--a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&amp;01003 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
--a always,exit -F arch=b32 -S open -F a1&amp;01003 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
--a always,exit -F arch=b64 -S open -F a1&amp;01003 -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
--a always,exit -F arch=b32 -S truncate,ftruncate -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification
--a always,exit -F arch=b64 -S truncate,ftruncate -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-modification    
-      Is it the case that the file does not exist or the content differs?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_modify_success_question:question:1">
-          <ocil:question_text>To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command:
-cat /etc/audit/rules.d/30-ospp-v42-2-modify-success.rules
-The output has to be exactly as follows:
-## Successful file modifications (open for write or truncate)
--a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&amp;01003 -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-modification
--a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&amp;01003 -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-modification
--a always,exit -F arch=b32 -S open -F a1&amp;01003 -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-modification
--a always,exit -F arch=b64 -S open -F a1&amp;01003 -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-modification
--a always,exit -F arch=b32 -S truncate,ftruncate -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-modification
--a always,exit -F arch=b64 -S truncate,ftruncate -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-modification    
-      Is it the case that the file does not exist or the content differs?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_module_load_question:question:1">
-          <ocil:question_text>To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command:
-cat /etc/audit/rules.d/43-module-load.rules
-The output has to be exactly as follows:
-## These rules watch for kernel module insertion. By monitoring
-## the syscall, we do not need any watches on programs.
--a always,exit -F arch=b32 -S init_module,finit_module -F key=module-load
--a always,exit -F arch=b64 -S init_module,finit_module -F key=module-load
--a always,exit -F arch=b32 -S delete_module -F key=module-unload
--a always,exit -F arch=b64 -S delete_module -F key=module-unload    
-      Is it the case that the file does not exist or the content differs?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_ospp_general_question:question:1">
-          <ocil:question_text>To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command:
-cat /etc/audit/rules.d/30-ospp-v42.rules
-The output has to be exactly as follows:
-## The purpose of these rules is to meet the requirements for Operating
-## System Protection Profile (OSPP)v4.2. These rules depends on having
-## the following rule files copied to /etc/audit/rules.d:
-##
-## 10-base-config.rules, 11-loginuid.rules,
-## 30-ospp-v42-1-create-failed.rules, 30-ospp-v42-1-create-success.rules,
-## 30-ospp-v42-2-modify-failed.rules, 30-ospp-v42-2-modify-success.rules,
-## 30-ospp-v42-3-access-failed.rules, 30-ospp-v42-3-access-success.rules,
-## 30-ospp-v42-4-delete-failed.rules, 30-ospp-v42-4-delete-success.rules,
-## 30-ospp-v42-5-perm-change-failed.rules,
-## 30-ospp-v42-5-perm-change-success.rules,
-## 30-ospp-v42-6-owner-change-failed.rules,
-## 30-ospp-v42-6-owner-change-success.rules
-##
-## original copies may be found in /usr/share/audit/sample-rules/
-
-
-## User add delete modify. This is covered by pam. However, someone could
-## open a file and directly create or modify a user, so we'll watch passwd and
-## shadow for writes
--a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&amp;03 -F path=/etc/passwd -F auid&gt;=1000 -F auid!=unset -F key=user-modify
--a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&amp;03 -F path=/etc/passwd -F auid&gt;=1000 -F auid!=unset -F key=user-modify
--a always,exit -F arch=b32 -S open -F a1&amp;03 -F path=/etc/passwd -F auid&gt;=1000 -F auid!=unset -F key=user-modify
--a always,exit -F arch=b64 -S open -F a1&amp;03 -F path=/etc/passwd -F auid&gt;=1000 -F auid!=unset -F key=user-modify
--a always,exit -F arch=b32 -S openat,open_by_handle_at -F a2&amp;03 -F path=/etc/shadow -F auid&gt;=1000 -F auid!=unset -F key=user-modify
--a always,exit -F arch=b64 -S openat,open_by_handle_at -F a2&amp;03 -F path=/etc/shadow -F auid&gt;=1000 -F auid!=unset -F key=user-modify
--a always,exit -F arch=b32 -S open -F a1&amp;03 -F path=/etc/shadow -F auid&gt;=1000 -F auid!=unset -F key=user-modify
--a always,exit -F arch=b64 -S open -F a1&amp;03 -F path=/etc/shadow -F auid&gt;=1000 -F auid!=unset -F key=user-modify
-
-## User enable and disable. This is entirely handled by pam.
-
-## Group add delete modify. This is covered by pam. However, someone could
-## open a file and directly create or modify a user, so we'll watch group and
-## gshadow for writes
--a always,exit -F path=/etc/passwd -F perm=wa -F auid&gt;=1000 -F auid!=unset -F key=user-modify
--a always,exit -F path=/etc/shadow -F perm=wa -F auid&gt;=1000 -F auid!=unset -F key=user-modify
--a always,exit -F path=/etc/group -F perm=wa -F auid&gt;=1000 -F auid!=unset -F key=group-modify
--a always,exit -F path=/etc/gshadow -F perm=wa -F auid&gt;=1000 -F auid!=unset -F key=group-modify
-
-
-## Use of special rights for config changes. This would be use of setuid
-## programs that relate to user accts. This is not all setuid apps because
-## requirements are only for ones that affect system configuration.
--a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid&gt;=1000 -F auid!=unset -F key=special-config-changes
--a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid&gt;=1000 -F auid!=unset -F key=special-config-changes
--a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid&gt;=1000 -F auid!=unset -F key=special-config-changes
--a always,exit -F path=/usr/sbin/seunshare -F perm=x -F auid&gt;=1000 -F auid!=unset -F key=special-config-changes
--a always,exit -F path=/usr/bin/mount -F perm=x -F auid&gt;=1000 -F auid!=unset -F key=special-config-changes
--a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid&gt;=1000 -F auid!=unset -F key=special-config-changes
--a always,exit -F path=/usr/bin/newuidmap -F perm=x -F auid&gt;=1000 -F auid!=unset -F key=special-config-changes
--a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid&gt;=1000 -F auid!=unset -F key=special-config-changes
--a always,exit -F path=/usr/bin/newgidmap -F perm=x -F auid&gt;=1000 -F auid!=unset -F key=special-config-changes
--a always,exit -F path=/usr/bin/umount -F perm=x -F auid&gt;=1000 -F auid!=unset -F key=special-config-changes
--a always,exit -F path=/usr/bin/passwd -F perm=x -F auid&gt;=1000 -F auid!=unset -F key=special-config-changes
--a always,exit -F path=/usr/bin/crontab -F perm=x -F auid&gt;=1000 -F auid!=unset -F key=special-config-changes
--a always,exit -F path=/usr/bin/at -F perm=x -F auid&gt;=1000 -F auid!=unset -F key=special-config-changes
-
-## Privilege escalation via su or sudo. This is entirely handled by pam.
-
-## Watch for configuration changes to privilege escalation.
--a always,exit -F path=/etc/sudoers -F perm=wa -F key=special-config-changes
--a always,exit -F dir=/etc/sudoers.d/ -F perm=wa -F key=special-config-changes
-
-## Audit log access
--a always,exit -F dir=/var/log/audit/ -F perm=r -F auid&gt;=1000 -F auid!=unset -F key=access-audit-trail
-## Attempts to Alter Process and Session Initiation Information
--a always,exit -F path=/var/run/utmp -F perm=wa -F auid&gt;=1000 -F auid!=unset -F key=session
--a always,exit -F path=/var/log/btmp -F perm=wa -F auid&gt;=1000 -F auid!=unset -F key=session
--a always,exit -F path=/var/log/wtmp -F perm=wa -F auid&gt;=1000 -F auid!=unset -F key=session
-
-## Attempts to modify MAC controls
--a always,exit -F dir=/etc/selinux/ -F perm=wa -F auid&gt;=1000 -F auid!=unset -F key=MAC-policy
-
-## Software updates. This is entirely handled by rpm.
-
-## System start and shutdown. This is entirely handled by systemd
-
-## Kernel Module loading. This is handled in 43-module-load.rules
-
-## Application invocation. The requirements list an optional requirement
-## FPT_SRP_EXT.1 Software Restriction Policies. This event is intended to
-## state results from that policy. This would be handled entirely by
-## that daemon.    
-      Is it the case that the file does not exist or the content differs?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_owner_change_failed_question:question:1">
-          <ocil:question_text>To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command:
-cat /etc/audit/rules.d/30-ospp-v42-6-owner-change-failed.rules
-The output has to be exactly as follows:
-## Unsuccessful ownership change
--a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-owner-change
--a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-owner-change
--a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-owner-change
--a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-owner-change    
-      Is it the case that the file does not exist or the content differs?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_owner_change_success_question:question:1">
-          <ocil:question_text>To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command:
-cat /etc/audit/rules.d/30-ospp-v42-6-owner-change-success.rules
-The output has to be exactly as follows:
-## Successful ownership change
--a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-owner-change
--a always,exit -F arch=b64 -S lchown,fchown,chown,fchownat -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-owner-change    
-      Is it the case that the file does not exist or the content differs?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_perm_change_failed_question:question:1">
-          <ocil:question_text>To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command:
-cat /etc/audit/rules.d/30-ospp-v42-5-perm-change-failed.rules
-The output has to be exactly as follows:
-## Unsuccessful permission change
--a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-perm-change
--a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EACCES -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-perm-change
--a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-perm-change
--a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F exit=-EPERM -F auid&gt;=1000 -F auid!=unset -F key=unsuccessful-perm-change    
-      Is it the case that the file does not exist or the content differs?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_perm_change_success_question:question:1">
-          <ocil:question_text>To verify that the Audit is correctly configured according to recommended rules, check the content of the file with the following command:
-cat /etc/audit/rules.d/30-ospp-v42-5-perm-change-success.rules
-The output has to be exactly as follows:
-## Successful permission change
--a always,exit -F arch=b32 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-perm-change
--a always,exit -F arch=b64 -S chmod,fchmod,fchmodat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F success=1 -F auid&gt;=1000 -F auid!=unset -F key=successful-perm-change    
-      Is it the case that the file does not exist or the content differs?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-audit_rules_for_ospp_question:question:1">
-          <ocil:question_text>To verify that audit is configured for OSPP v4.2.1, run the following commands:
-for file in "10-base-config" "11-loginuid" "30-ospp-v42" "43-module-load";do diff /etc/audit/rules.d/$file.rules /usr/share/doc/audit*/rules/$file.rules; done
-
-If the system is configured properly, no lines should be returned.
-      Is it the case that the files are not there or differ?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-coreos_audit_backlog_limit_kernel_argument_question:question:1">
-          <ocil:question_text>Inspect the form of all the BLS (Boot Loader Specification) entries
-('options' line) in /boot/loader/entries/*.conf. If they include
-audit=1, then auditing is enabled at boot time.
-
-To ensure audit_backlog_limit=8192 is configured on the installed kernel, add
-the kernel argument via a MachineConfig object to the appropriate
-pools.
-      Is it the case that audit backlog limit is not configured?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-coreos_audit_option_question:question:1">
-          <ocil:question_text>Inspect the form of BLS (Boot Loader Specification) options lines for the Linux operating system
-in /boot/loader/entries/*.conf. If they include audit=1, then auditing
-is enabled at boot time.
-# grep 'options.*audit=1.*' /boot/loader/entires/*.conf
-
-      Is it the case that auditing is not enabled at boot time?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-package_audispd-plugins_installed_question:question:1">
-          <ocil:question_text>Run the following command to determine if the audispd-plugins package is installed: $ rpm -q audispd-plugins
-      Is it the case that the package is not installed?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-package_audit-audispd-plugins_installed_question:question:1">
-          <ocil:question_text>
-      Is it the case that the package is not installed?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-package_audit_installed_question:question:1">
-          <ocil:question_text>Run the following command to determine if the audit package is installed: $ rpm -q audit
-      Is it the case that the audit package is not installed?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-service_auditd_enabled_question:question:1">
-          <ocil:question_text>
-As a user with administrator privileges, log into a node in the relevant pool:
-
-$ oc debug node/$NODE_NAME
-
-At the sh-4.4# prompt, run:
-
-# chroot /host
-
-
-Run the following command to determine the current status of the
-auditd service:
-$ sudo systemctl is-active auditd
-If the service is running, it should return the following: active
-      Is it the case that the auditd service is not running?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-grub2_uefi_admin_username_question:question:1">
-          <ocil:question_text>To verify the boot loader superuser account has been set, run the following
-command:
-sudo grep -A1 "superusers" /boot/grub2/grub.cfg
-The output should show the following:
-set superusers="superusers-account"
-export superusers
-where superusers-account is the actual account name different from common names like root,
-admin, or administrator and different from any other existing user name.
-      Is it the case that superuser account is not set or is set to an existing name or to a common name?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-grub2_uefi_password_question:question:1">
-          <ocil:question_text>To verify the boot loader superuser password has been set, run the following command:
-$ sudo grep "^[\s]*GRUB2_PASSWORD=grub\.pbkdf2\.sha512.*$" /boot/grub2/user.cfg
-The output should be similar to:
-GRUB2_PASSWORD=grub.pbkdf2.sha512.10000.C4E08AC72FBFF7E837FD267BFAD7AEB3D42DDC
-2C99F2A94DD5E2E75C2DC331B719FE55D9411745F82D1B6CFD9E927D61925F9BBDD1CFAA0080E0
-916F7AB46E0D.1302284FCCC52CD73BA3671C6C12C26FF50BA873293B24EE2A96EE3B57963E6D7
-0C83964B473EC8F93B07FE749AA6710269E904A9B08A6BBACB00A2D242AD828
-      Is it the case that no password is set?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-coreos_pti_kernel_argument_question:question:1">
-          <ocil:question_text>Inspect the form of all the BLS (Boot Loader Specification) entries
-('options' line) in /boot/loader/entries/*.conf. If they include
-pti=on, then Kernel page-table isolation is enabled at boot time.
-
-To ensure pti=on is configured on the installed kernel, add
-the kernel argument via a MachineConfig object to the appropriate
-pools.
-      Is it the case that Kernel page-table isolation is not enabled?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-coreos_vsyscall_kernel_argument_question:question:1">
-          <ocil:question_text>Inspect the form of all the BLS (Boot Loader Specification) entries
-('options' line) in /boot/loader/entries/*.conf. If they include
-vsyscall=none, then virtual syscalls are not enabled at boot time.
-
-To ensure vsyscall=none is configured on the installed kernel, add
-the kernel argument via a MachineConfig object to the appropriate
-pools.
-      Is it the case that vsyscalls are enabled?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-grub2_disable_recovery_question:question:1">
-          <ocil:question_text>Verify that GRUB_DISABLE_RECOVERY is set to true in /etc/default/grub to disable recovery boot.
-Run the following command:
-
-$ sudo grep GRUB_DISABLE_RECOVERY /etc/default/grub
-      Is it the case that GRUB_DISABLE_RECOVERY is not set to true or is missing?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-grub2_enable_iommu_force_question:question:1">
-          <ocil:question_text>Inspect the form of default GRUB 2 command line for the Linux operating system
-in /boot/grub2/grubenv.
-If they include iommu=force, then the parameter
-is configured at boot time.
-$ sudo grep 'kernelopts.*iommu=force.*' GRUBENV_FILE_LOCATION
-Fill in GRUBENV_FILE_LOCATION based on information above.
-      Is it the case that I/OMMU is not activated?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-grub2_l1tf_argument_question:question:1">
-          <ocil:question_text>Inspect the form of default GRUB 2 command line for the Linux operating system
-in /boot/grub2/grubenv.
-If they include l1tf=, then the parameter
-is configured at boot time.
-$ sudo grep 'kernelopts.*l1tf=.*' GRUBENV_FILE_LOCATION
-Fill in GRUBENV_FILE_LOCATION based on information above.
-      Is it the case that l1tf mitigations are not configured appropriately?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-grub2_mce_argument_question:question:1">
-          <ocil:question_text>Inspect the form of default GRUB 2 command line for the Linux operating system
-in /boot/grub2/grubenv.
-If they include mce=0, then the parameter
-is configured at boot time.
-$ sudo grep 'kernelopts.*mce=0.*' GRUBENV_FILE_LOCATION
-Fill in GRUBENV_FILE_LOCATION based on information above.
-      Is it the case that MCE tolerance is not set to zero?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-grub2_nosmap_argument_absent_question:question:1">
-          <ocil:question_text>Make sure that the kernel is not disabling SMAP with the following
-commands.
-grep -q nosmap /boot/config-`uname -r`
-If the command returns a line, it means that SMAP is being disabled.
-      Is it the case that the kernel is configured to disable SMAP?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-grub2_nosmep_argument_absent_question:question:1">
-          <ocil:question_text>Make sure that the kernel is not disabling SMEP with the following
-commands.
-grep -q nosmep /boot/config-`uname -r`
-If the command returns a line, it means that SMEP is being disabled.
-      Is it the case that the kernel is configured to disable SMEP?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-grub2_rng_core_default_quality_argument_question:question:1">
-          <ocil:question_text>Inspect the form of default GRUB 2 command line for the Linux operating system
-in /boot/grub2/grubenv.
-If they include rng_core.default_quality=, then the parameter
-is configured at boot time.
-$ sudo grep 'kernelopts.*rng_core.default_quality=.*' GRUBENV_FILE_LOCATION
-Fill in GRUBENV_FILE_LOCATION based on information above.
-      Is it the case that trust on hardware random number generator is not configured appropriately?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-grub2_slab_nomerge_argument_question:question:1">
-          <ocil:question_text>Inspect the form of default GRUB 2 command line for the Linux operating system
-in /boot/grub2/grubenv.
-If they include slab_nomerge=yes, then the parameter
-is configured at boot time.
-$ sudo grep 'kernelopts.*slab_nomerge=yes.*' GRUBENV_FILE_LOCATION
-Fill in GRUBENV_FILE_LOCATION based on information above.
-      Is it the case that merging of slabs with similar size is enabled?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-grub2_spec_store_bypass_disable_argument_question:question:1">
-          <ocil:question_text>Inspect the form of default GRUB 2 command line for the Linux operating system
-in /boot/grub2/grubenv.
-If they include spec_store_bypass_disable=, then the parameter
-is configured at boot time.
-$ sudo grep 'kernelopts.*spec_store_bypass_disable=.*' GRUBENV_FILE_LOCATION
-Fill in GRUBENV_FILE_LOCATION based on information above.
-      Is it the case that SSB is not configured appropriately?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-grub2_spectre_v2_argument_question:question:1">
-          <ocil:question_text>Inspect the form of default GRUB 2 command line for the Linux operating system
-in /boot/grub2/grubenv.
-If they include spectre_v2=on, then the parameter
-is configured at boot time.
-$ sudo grep 'kernelopts.*spectre_v2=on.*' GRUBENV_FILE_LOCATION
-Fill in GRUBENV_FILE_LOCATION based on information above.
-      Is it the case that spectre_v2 mitigation is not enforced?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-grub2_systemd_debug-shell_argument_absent_question:question:1">
-          <ocil:question_text>Ensure that debug-shell service is not enabled with the following command:
-grep systemd\.debug-shell=1 /boot/grub2/grubenv /etc/default/grub
-If the command returns a line, it means that debug-shell service is being enabled.
-      Is it the case that the comand returns a line?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-zipl_audit_argument_question:question:1">
-          <ocil:question_text>To check that audit is enabled at boot time, check all boot entries with following command:
-sudo grep -L "^options\s+.*\baudit=1\b" /boot/loader/entries/*.conf
-No line should be returned, each line returned is a boot entry that doesn't enable audit.
-      Is it the case that auditing is not enabled at boot time?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-zipl_audit_backlog_limit_argument_question:question:1">
-          <ocil:question_text>To check that all boot entries extend the backlog limit;
-Check that all boot entries extend the log events queue:
-sudo grep -L "^options\s+.*\baudit_backlog_limit=8192\b" /boot/loader/entries/*.conf
-No line should be returned, each line returned is a boot entry that does not extend the log events queue.
-      Is it the case that audit backlog limit is not configured?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-zipl_bls_entries_only_question:question:1">
-          <ocil:question_text>Check that no boot image file is specified in /etc/zipl.conf:
-grep -R "^image\s*=" /etc/zipl.conf
-No line should be returned, if a line is returned non BLS compliant boot entries are configured for zIPL.
-      Is it the case that a non BLS boot entry is configured?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-zipl_bootmap_is_up_to_date_question:question:1">
-          <ocil:question_text>Make sure that /boot/bootmap is newer than /boot/loader/entries/*.conf
-and /etc/zipl.conf:
-find /boot/loader/entries/*.conf /etc/zipl.conf -newer /boot/bootmap
-No line should be returned, if a line is returned /boot/bootmap is outdated and needs to be regenerated.
-      Is it the case that the bootmap is outdated?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-zipl_enable_selinux_question:question:1">
-          <ocil:question_text>To check that SELinux is not disabled at boot time;
-Check that no boot entry disables selinux:
-sudo grep -L "^options\s+.*\bselinux=0\b" /boot/loader/entries/*.conf
-No line should be returned, each line returned is a boot entry that disables SELinux.
-      Is it the case that SELinux is disabled at boot time?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-zipl_page_poison_argument_question:question:1">
-          <ocil:question_text>To check that page poisoning is enabled at boot time, check all boot entries with following command:
-sudo grep -L "^options\s+.*\bpage_poison=1\b" /boot/loader/entries/*.conf
-No line should be returned, each line returned is a boot entry that doesn't enable page poisoning.
-      Is it the case that page allocator poisoning is not enabled?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-zipl_slub_debug_argument_question:question:1">
-          <ocil:question_text>To check that SLUB/SLAB poisoning is enabled, check all boot entries with following command;
-sudo grep -L "^options\s+.*\bslub_debug=P\b" /boot/loader/entries/*.conf
-No line should be returned, each line returned is a boot entry that does not enable poisoning.
-      Is it the case that SLUB/SLAB poisoning is not enabled?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-zipl_systemd_debug-shell_argument_absent_question:question:1">
-          <ocil:question_text>Ensure that debug-shell service is not enabled with the following command:
-sudo grep -L "^options\s+.*\bsystemd.debug-shell=1\b" /boot/loader/entries/*.conf
-No line should be returned, each line returned is a boot entry that enables the debug-shell.
-      Is it the case that the comand returns a line?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-zipl_vsyscall_argument_question:question:1">
-          <ocil:question_text>To check that virtual syscalls are disabled at boot time, check all boot entries with following command:
-sudo grep -L "^options\s+.*\bvsyscall=none\b" /boot/loader/entries/*.conf
-No line should be returned, each line returned is a boot entry that doesn't disable virtual syscalls.
-      Is it the case that vsyscalls are enabled?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kernel_config_acpi_custom_method_question:question:1">
-          <ocil:question_text>To determine the config value the kernel was built with, run the following command:
-    $ grep CONFIG_ACPI_CUSTOM_METHOD /boot/config.*
-    
-    Configs with value 'n' are not explicitly set in the file, so either commented lines or no
-    lines should be returned.
-    
-      Is it the case that the kernel was not built with the required value?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kernel_config_binfmt_misc_question:question:1">
-          <ocil:question_text>To determine the config value the kernel was built with, run the following command:
-    $ grep CONFIG_BINFMT_MISC /boot/config.*
-    
-    Configs with value 'n' are not explicitly set in the file, so either commented lines or no
-    lines should be returned.
-    
-      Is it the case that the kernel was not built with the required value?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kernel_config_bug_question:question:1">
-          <ocil:question_text>To determine the config value the kernel was built with, run the following command:
-    $ grep CONFIG_BUG /boot/config.*
-    
-    For each kernel installed, a line with value "y" should be returned.
-    
-      Is it the case that the kernel was not built with the required value?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kernel_config_compat_brk_question:question:1">
-          <ocil:question_text>To determine the config value the kernel was built with, run the following command:
-    $ grep CONFIG_COMPAT_BRK /boot/config.*
-    
-    Configs with value 'n' are not explicitly set in the file, so either commented lines or no
-    lines should be returned.
-    
-      Is it the case that the kernel was not built with the required value?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kernel_config_compat_vdso_question:question:1">
-          <ocil:question_text>To determine the config value the kernel was built with, run the following command:
-    $ grep CONFIG_COMPAT_VDSO /boot/config.*
-    
-    Configs with value 'n' are not explicitly set in the file, so either commented lines or no
-    lines should be returned.
-    
-      Is it the case that the kernel was not built with the required value?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kernel_config_debug_credentials_question:question:1">
-          <ocil:question_text>To determine the config value the kernel was built with, run the following command:
-    $ grep CONFIG_DEBUG_CREDENTIALS /boot/config.*
-    
-    For each kernel installed, a line with value "y" should be returned.
-    
-      Is it the case that the kernel was not built with the required value?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kernel_config_debug_fs_question:question:1">
-          <ocil:question_text>To determine the config value the kernel was built with, run the following command:
-    $ grep CONFIG_DEBUG_FS /boot/config.*
-    
-    Configs with value 'n' are not explicitly set in the file, so either commented lines or no
-    lines should be returned.
-    
-      Is it the case that the kernel was not built with the required value?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kernel_config_debug_list_question:question:1">
-          <ocil:question_text>To determine the config value the kernel was built with, run the following command:
-    $ grep CONFIG_DEBUG_LIST /boot/config.*
-    
-    For each kernel installed, a line with value "y" should be returned.
-    
-      Is it the case that the kernel was not built with the required value?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kernel_config_debug_notifiers_question:question:1">
-          <ocil:question_text>To determine the config value the kernel was built with, run the following command:
-    $ grep CONFIG_DEBUG_NOTIFIERS /boot/config.*
-    
-    For each kernel installed, a line with value "y" should be returned.
-    
-      Is it the case that the kernel was not built with the required value?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kernel_config_debug_sg_question:question:1">
-          <ocil:question_text>To determine the config value the kernel was built with, run the following command:
-    $ grep CONFIG_DEBUG_SG /boot/config.*
-    
-    For each kernel installed, a line with value "y" should be returned.
-    
-      Is it the case that the kernel was not built with the required value?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kernel_config_default_mmap_min_addr_question:question:1">
-          <ocil:question_text>To determine the config value the kernel was built with, run the following command:
-    $ grep CONFIG_DEFAULT_MMAP_MIN_ADDR /boot/config.*
-    
-    For each kernel installed, a line with value "65536" should be returned.
-    
-      Is it the case that the kernel was not built with the required value?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kernel_config_devkmem_question:question:1">
-          <ocil:question_text>To determine the config value the kernel was built with, run the following command:
-    $ grep CONFIG_DEVKMEM /boot/config.*
-    
-    Configs with value 'n' are not explicitly set in the file, so either commented lines or no
-    lines should be returned.
-    
-      Is it the case that the kernel was not built with the required value?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kernel_config_hibernation_question:question:1">
-          <ocil:question_text>To determine the config value the kernel was built with, run the following command:
-    $ grep CONFIG_HIBERNATION /boot/config.*
-    
-    Configs with value 'n' are not explicitly set in the file, so either commented lines or no
-    lines should be returned.
-    
-      Is it the case that the kernel was not built with the required value?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kernel_config_ia32_emulation_question:question:1">
-          <ocil:question_text>To determine the config value the kernel was built with, run the following command:
-    $ grep CONFIG_IA32_EMULATION /boot/config.*
-    
-    Configs with value 'n' are not explicitly set in the file, so either commented lines or no
-    lines should be returned.
-    
-      Is it the case that the kernel was not built with the required value?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kernel_config_ipv6_question:question:1">
-          <ocil:question_text>To determine the config value the kernel was built with, run the following command:
-    $ grep CONFIG_IPV6 /boot/config.*
-    
-    Configs with value 'n' are not explicitly set in the file, so either commented lines or no
-    lines should be returned.
-    
-      Is it the case that the kernel was not built with the required value?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kernel_config_kexec_question:question:1">
-          <ocil:question_text>To determine the config value the kernel was built with, run the following command:
-    $ grep CONFIG_KEXEC /boot/config.*
-    
-    Configs with value 'n' are not explicitly set in the file, so either commented lines or no
-    lines should be returned.
-    
-      Is it the case that the kernel was not built with the required value?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kernel_config_legacy_ptys_question:question:1">
-          <ocil:question_text>To determine the config value the kernel was built with, run the following command:
-    $ grep CONFIG_LEGACY_PTYS /boot/config.*
-    
-    Configs with value 'n' are not explicitly set in the file, so either commented lines or no
-    lines should be returned.
-    
-      Is it the case that the kernel was not built with the required value?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kernel_config_module_sig_question:question:1">
-          <ocil:question_text>To determine the config value the kernel was built with, run the following command:
-    $ grep CONFIG_MODULE_SIG /boot/config.*
-    
-    For each kernel installed, a line with value "y" should be returned.
-    
-      Is it the case that the kernel was not built with the required value?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kernel_config_module_sig_all_question:question:1">
-          <ocil:question_text>To determine the config value the kernel was built with, run the following command:
-    $ grep CONFIG_MODULE_SIG_ALL /boot/config.*
-    
-    For each kernel installed, a line with value "y" should be returned.
-    
-      Is it the case that the kernel was not built with the required value?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kernel_config_module_sig_force_question:question:1">
-          <ocil:question_text>To determine the config value the kernel was built with, run the following command:
-    $ grep CONFIG_MODULE_SIG_FORCE /boot/config.*
-    
-    For each kernel installed, a line with value "y" should be returned.
-    
-      Is it the case that the kernel was not built with the required value?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kernel_config_module_sig_hash_question:question:1">
-          <ocil:question_text>To determine the config value the kernel was built with, run the following command:
-    $ grep CONFIG_MODULE_SIG_HASH /boot/config.*
-    
-    For each kernel installed, a line with value "" should be returned.
-    
-      Is it the case that the kernel was not built with the required value?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kernel_config_module_sig_key_question:question:1">
-          <ocil:question_text>To determine the config value the kernel was built with, run the following command:
-    $ grep CONFIG_MODULE_SIG_KEY /boot/config.*
-    
-    For each kernel installed, a line with value "" should be returned.
-    
-      Is it the case that the kernel was not built with the required value?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kernel_config_module_sig_sha512_question:question:1">
-          <ocil:question_text>To determine the config value the kernel was built with, run the following command:
-    $ grep CONFIG_MODULE_SIG_SHA512 /boot/config.*
-    
-    For each kernel installed, a line with value "y" should be returned.
-    
-      Is it the case that the kernel was not built with the required value?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kernel_config_page_poisoning_no_sanity_question:question:1">
-          <ocil:question_text>To determine the config value the kernel was built with, run the following command:
-    $ grep CONFIG_PAGE_POISONING_NO_SANITY /boot/config.*
-    
-    For each kernel installed, a line with value "y" should be returned.
-    
-      Is it the case that the kernel was not built with the required value?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kernel_config_page_poisoning_zero_question:question:1">
-          <ocil:question_text>To determine the config value the kernel was built with, run the following command:
-    $ grep CONFIG_PAGE_POISONING_ZERO /boot/config.*
-    
-    For each kernel installed, a line with value "y" should be returned.
-    
-      Is it the case that the kernel was not built with the required value?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kernel_config_page_table_isolation_question:question:1">
-          <ocil:question_text>To determine the config value the kernel was built with, run the following command:
-    $ grep CONFIG_PAGE_TABLE_ISOLATION /boot/config.*
-    
-    For each kernel installed, a line with value "y" should be returned.
-    
-      Is it the case that the kernel was not built with the required value?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kernel_config_panic_on_oops_question:question:1">
-          <ocil:question_text>To determine the config value the kernel was built with, run the following command:
-    $ grep CONFIG_PANIC_ON_OOPS /boot/config.*
-    
-    For each kernel installed, a line with value "y" should be returned.
-    
-      Is it the case that the kernel was not built with the required value?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kernel_config_panic_timeout_question:question:1">
-          <ocil:question_text>To determine the config value the kernel was built with, run the following command:
-    $ grep CONFIG_PANIC_TIMEOUT /boot/config.*
-    
-    For each kernel installed, a line with value "" should be returned.
-    
-      Is it the case that the kernel was not built with the required value?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kernel_config_proc_kcore_question:question:1">
-          <ocil:question_text>To determine the config value the kernel was built with, run the following command:
-    $ grep CONFIG_PROC_KCORE /boot/config.*
-    
-    Configs with value 'n' are not explicitly set in the file, so either commented lines or no
-    lines should be returned.
-    
-      Is it the case that the kernel was not built with the required value?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kernel_config_randomize_base_question:question:1">
-          <ocil:question_text>To determine the config value the kernel was built with, run the following command:
-    $ grep CONFIG_RANDOMIZE_BASE /boot/config.*
-    
-    For each kernel installed, a line with value "y" should be returned.
-    
-      Is it the case that the kernel was not built with the required value?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kernel_config_randomize_memory_question:question:1">
-          <ocil:question_text>To determine the config value the kernel was built with, run the following command:
-    $ grep CONFIG_RANDOMIZE_MEMORY /boot/config.*
-    
-    For each kernel installed, a line with value "y" should be returned.
-    
-      Is it the case that the kernel was not built with the required value?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kernel_config_retpoline_question:question:1">
-          <ocil:question_text>To determine the config value the kernel was built with, run the following command:
-    $ grep CONFIG_RETPOLINE /boot/config.*
-    
-    For each kernel installed, a line with value "y" should be returned.
-    
-      Is it the case that the kernel was not built with the required value?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kernel_config_seccomp_question:question:1">
-          <ocil:question_text>To determine the config value the kernel was built with, run the following command:
-    $ grep CONFIG_SECCOMP /boot/config.*
-    
-    For each kernel installed, a line with value "y" should be returned.
-    
-      Is it the case that the kernel was not built with the required value?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kernel_config_seccomp_filter_question:question:1">
-          <ocil:question_text>To determine the config value the kernel was built with, run the following command:
-    $ grep CONFIG_SECCOMP_FILTER /boot/config.*
-    
-    For each kernel installed, a line with value "y" should be returned.
-    
-      Is it the case that the kernel was not built with the required value?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kernel_config_security_question:question:1">
-          <ocil:question_text>To determine the config value the kernel was built with, run the following command:
-    $ grep CONFIG_SECURITY /boot/config.*
-    
-    For each kernel installed, a line with value "y" should be returned.
-    
-      Is it the case that the kernel was not built with the required value?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kernel_config_security_dmesg_restrict_question:question:1">
-          <ocil:question_text>To determine the config value the kernel was built with, run the following command:
-    $ grep CONFIG_SECURITY_DMESG_RESTRICT /boot/config.*
-    
-    Configs with value 'n' are not explicitly set in the file, so either commented lines or no
-    lines should be returned.
-    
-      Is it the case that the kernel was not built with the required value?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kernel_config_security_writable_hooks_question:question:1">
-          <ocil:question_text>To determine the config value the kernel was built with, run the following command:
-    $ grep CONFIG_SECURITY_WRITABLE_HOOKS /boot/config.*
-    
-    For each kernel installed, a line with value "y" should be returned.
-    
-      Is it the case that the kernel was not built with the required value?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kernel_config_security_yama_question:question:1">
-          <ocil:question_text>To determine the config value the kernel was built with, run the following command:
-    $ grep CONFIG_SECURITY_YAMA /boot/config.*
-    
-    For each kernel installed, a line with value "y" should be returned.
-    
-      Is it the case that the kernel was not built with the required value?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kernel_config_slub_debug_question:question:1">
-          <ocil:question_text>To determine the config value the kernel was built with, run the following command:
-    $ grep CONFIG_SLUB_DEBUG /boot/config.*
-    
-    For each kernel installed, a line with value "y" should be returned.
-    
-      Is it the case that the kernel was not built with the required value?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kernel_config_syn_cookies_question:question:1">
-          <ocil:question_text>To determine the config value the kernel was built with, run the following command:
-    $ grep CONFIG_SYN_COOKIES /boot/config.*
-    
-    For each kernel installed, a line with value "y" should be returned.
-    
-      Is it the case that the kernel was not built with the required value?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kernel_config_unmap_kernel_at_el0_question:question:1">
-          <ocil:question_text>To determine the config value the kernel was built with, run the following command:
-    $ grep CONFIG_UNMAP_KERNEL_AT_EL0 /boot/config.*
-    
-    For each kernel installed, a line with value "y" should be returned.
-    
-      Is it the case that the kernel was not built with the required value?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kernel_config_x86_vsyscall_emulation_question:question:1">
-          <ocil:question_text>To determine the config value the kernel was built with, run the following command:
-    $ grep CONFIG_X86_VSYSCALL_EMULATION /boot/config.*
-    
-    Configs with value 'n' are not explicitly set in the file, so either commented lines or no
-    lines should be returned.
-    
-      Is it the case that the kernel was not built with the required value?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-rsyslog_encrypt_offload_actionsendstreamdriverauthmode_question:question:1">
-          <ocil:question_text>Verify the operating system authenticates the remote logging server for off-loading audit logs with the following command:
-
-$ sudo grep -i '$ActionSendStreamDriverAuthMode' /etc/rsyslog.conf /etc/rsyslog.d/*.conf
-The output should be
-$/etc/rsyslog.conf:$ActionSendStreamDriverAuthMode x509/name
-      Is it the case that $ActionSendStreamDriverAuthMode in /etc/rsyslog.conf is not set to x509/name?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-rsyslog_encrypt_offload_actionsendstreamdrivermode_question:question:1">
-          <ocil:question_text>Verify the operating system encrypts audit records off-loaded onto a different system
-or media from the system being audited with the following commands:
-
-$ sudo grep -i '$ActionSendStreamDriverMode' /etc/rsyslog.conf /etc/rsyslog.d/*.conf
-
-The output should be:
-
-/etc/rsyslog.conf:$ActionSendStreamDriverMode 1
-      Is it the case that rsyslogd ActionSendStreamDriverMode is not set to 1?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-rsyslog_encrypt_offload_defaultnetstreamdriver_question:question:1">
-          <ocil:question_text>Verify the operating system encrypts audit records off-loaded onto a different system
-or media from the system being audited with the following commands:
-
-$ sudo grep -i '$DefaultNetstreamDriver' /etc/rsyslog.conf /etc/rsyslog.d/*.conf
-
-The output should be:
-
-/etc/rsyslog.conf:$DefaultNetstreamDriver gtls
-      Is it the case that rsyslogd DefaultNetstreamDriver not set to gtls?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-rsyslog_files_groupownership_question:question:1">
-          <ocil:question_text>The group-owner of all log files written by rsyslog should be .
-These log files are determined by the second part of each Rule line in
-/etc/rsyslog.conf and typically all appear in /var/log.
-To see the group-owner of a given log file, run the following command:
-$ ls -l LOGFILE
-      Is it the case that the group-owner is not correct?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-rsyslog_files_ownership_question:question:1">
-          <ocil:question_text>The owner of all log files written by rsyslog should be .
-These log files are determined by the second part of each Rule line in
-/etc/rsyslog.conf and typically all appear in /var/log.
-To see the owner of a given log file, run the following command:
-$ ls -l LOGFILE
-      Is it the case that the owner is not correct?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-rsyslog_files_permissions_question:question:1">
-          <ocil:question_text>The file permissions for all log files written by rsyslog should
-be set to 600, or more restrictive. These log files are determined by the
-second part of each Rule line in /etc/rsyslog.conf and typically
-all appear in /var/log. To see the permissions of a given log
-file, run the following command:
-$ ls -l LOGFILE
-The permissions should be 600, or more restrictive.
-      Is it the case that the permissions are not correct?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-service_systemd-journald_enabled_question:question:1">
-          <ocil:question_text>
-As a user with administrator privileges, log into a node in the relevant pool:
-
-$ oc debug node/$NODE_NAME
-
-At the sh-4.4# prompt, run:
-
-# chroot /host
-
-
-Run the following command to determine the current status of the
-systemd-journald service:
-$ sudo systemctl is-active systemd-journald
-If the service is running, it should return the following: active
-      Is it the case that the systemd-journald service is not running?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-ensure_logrotate_activated_question:question:1">
-          <ocil:question_text>To determine the status and frequency of logrotate, run the following command:
-$ sudo grep logrotate /var/log/cron*
-If logrotate is configured properly, output should include references to
-/etc/cron.daily.
-      Is it the case that logrotate is not configured to run daily?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-package_syslogng_installed_question:question:1">
-          <ocil:question_text>Run the following command to determine if the syslog-ng-core package is installed: $ rpm -q syslog-ng-core
-      Is it the case that the package is not installed?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-service_syslogng_enabled_question:question:1">
-          <ocil:question_text>
-As a user with administrator privileges, log into a node in the relevant pool:
-
-$ oc debug node/$NODE_NAME
-
-At the sh-4.4# prompt, run:
-
-# chroot /host
-
-
-Run the following command to determine the current status of the
-syslog-ng service:
-$ sudo systemctl is-active syslog-ng
-If the service is running, it should return the following: active
-      Is it the case that the "syslog-ng" service is disabled, masked, or not started.?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-rsyslog_remote_loghost_question:question:1">
-          <ocil:question_text>To ensure logs are sent to a remote host, examine the file
-/etc/rsyslog.conf.
-If using UDP, a line similar to the following should be present:
- *.* @
-If using TCP, a line similar to the following should be present:
- *.* @@
-If using RELP, a line similar to the following should be present:
- *.* :omrelp:
-      Is it the case that no evidence that the audit logs are being off-loaded to another system or media?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-package_rsyslog_installed_question:question:1">
-          <ocil:question_text>Run the following command to determine if the rsyslog package is installed: $ rpm -q rsyslog
-      Is it the case that the package is not installed?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-service_rsyslog_enabled_question:question:1">
-          <ocil:question_text>
-As a user with administrator privileges, log into a node in the relevant pool:
-
-$ oc debug node/$NODE_NAME
-
-At the sh-4.4# prompt, run:
-
-# chroot /host
-
-
-Run the following command to determine the current status of the
-rsyslog service:
-$ sudo systemctl is-active rsyslog
-If the service is running, it should return the following: active
-      Is it the case that the "rsyslog" service is disabled, masked, or not started.?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-package_firewalld_installed_question:question:1">
-          <ocil:question_text>Run the following command to determine if the firewalld package is installed: $ rpm -q firewalld
-      Is it the case that the package is not installed?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-service_firewalld_enabled_question:question:1">
-          <ocil:question_text>
-As a user with administrator privileges, log into a node in the relevant pool:
-
-$ oc debug node/$NODE_NAME
-
-At the sh-4.4# prompt, run:
-
-# chroot /host
-
-
-Run the following command to determine the current status of the
-firewalld service:
-$ sudo systemctl is-active firewalld
-If the service is running, it should return the following: active
-      Is it the case that the "firewalld" service is disabled, masked, or not started.?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-package_libreswan_installed_question:question:1">
-          <ocil:question_text>Run the following command to determine if the libreswan package is installed: $ rpm -q libreswan
-      Is it the case that the package is not installed?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-service_ip6tables_enabled_question:question:1">
-          <ocil:question_text>If IPv6 is disabled, this is not applicable.
-
-
-As a user with administrator privileges, log into a node in the relevant pool:
-
-$ oc debug node/$NODE_NAME
-
-At the sh-4.4# prompt, run:
-
-# chroot /host
-
-
-Run the following command to determine the current status of the
-ip6tables service:
-$ sudo systemctl is-active ip6tables
-If the service is running, it should return the following: active
-      Is it the case that ?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-service_iptables_enabled_question:question:1">
-          <ocil:question_text>
-As a user with administrator privileges, log into a node in the relevant pool:
-
-$ oc debug node/$NODE_NAME
-
-At the sh-4.4# prompt, run:
-
-# chroot /host
-
-
-Run the following command to determine the current status of the
-iptables service:
-$ sudo systemctl is-active iptables
-If the service is running, it should return the following: active
-      Is it the case that ?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-set_ip6tables_default_rule_question:question:1">
-          <ocil:question_text>If IPv6 is disabled, this is not applicable.
-
-Inspect the file /etc/sysconfig/ip6tables to determine
-the default policy for the INPUT chain. It should be set to DROP:
-$ sudo grep ":INPUT" /etc/sysconfig/ip6tables
-      Is it the case that the default policy for the INPUT chain is not set to DROP?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-set_iptables_default_rule_question:question:1">
-          <ocil:question_text>Inspect the file /etc/sysconfig/iptables to determine
-the default policy for the INPUT chain. It should be set to DROP:
-$ sudo grep ":INPUT" /etc/sysconfig/iptables
-      Is it the case that the default policy for the INPUT chain is not set to DROP?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-set_iptables_default_rule_forward_question:question:1">
-          <ocil:question_text>Run the following command to ensure the default FORWARD policy is DROP:
-grep ":FORWARD" /etc/sysconfig/iptables
-The output should be similar to the following:
-$ sudo grep ":FORWARD" /etc/sysconfig/iptables
-:FORWARD DROP [0:0
-      Is it the case that the default policy for the FORWARD chain is not set to DROP?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-package_iptables_installed_question:question:1">
-          <ocil:question_text>Run the following command to determine if the iptables package is installed: $ rpm -q iptables
-      Is it the case that the package is not installed?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sysctl_net_ipv6_conf_all_accept_ra_question:question:1">
-          <ocil:question_text>The runtime status of the net.ipv6.conf.all.accept_ra kernel parameter can be queried
-by running the following command:
-$ sysctl net.ipv6.conf.all.accept_ra
-0.
-
-      Is it the case that the correct value is not returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sysctl_net_ipv6_conf_all_accept_redirects_question:question:1">
-          <ocil:question_text>The runtime status of the net.ipv6.conf.all.accept_redirects kernel parameter can be queried
-by running the following command:
-$ sysctl net.ipv6.conf.all.accept_redirects
-0.
-
-      Is it the case that the correct value is not returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sysctl_net_ipv6_conf_all_accept_source_route_question:question:1">
-          <ocil:question_text>The runtime status of the net.ipv6.conf.all.accept_source_route kernel parameter can be queried
-by running the following command:
-$ sysctl net.ipv6.conf.all.accept_source_route
-0.
-
-      Is it the case that the correct value is not returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sysctl_net_ipv6_conf_default_accept_ra_question:question:1">
-          <ocil:question_text>The runtime status of the net.ipv6.conf.default.accept_ra kernel parameter can be queried
-by running the following command:
-$ sysctl net.ipv6.conf.default.accept_ra
-0.
-
-      Is it the case that the correct value is not returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sysctl_net_ipv6_conf_default_accept_redirects_question:question:1">
-          <ocil:question_text>The runtime status of the net.ipv6.conf.default.accept_redirects kernel parameter can be queried
-by running the following command:
-$ sysctl net.ipv6.conf.default.accept_redirects
-0.
-
-      Is it the case that the correct value is not returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sysctl_net_ipv6_conf_default_accept_source_route_question:question:1">
-          <ocil:question_text>The runtime status of the net.ipv6.conf.default.accept_source_route kernel parameter can be queried
-by running the following command:
-$ sysctl net.ipv6.conf.default.accept_source_route
-0.
-
-      Is it the case that the correct value is not returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-grub2_ipv6_disable_argument_question:question:1">
-          <ocil:question_text>Inspect the form of default GRUB 2 command line for the Linux operating system
-in /boot/grub2/grubenv.
-If they include ipv6.disable=1, then the parameter
-is configured at boot time.
-$ sudo grep 'kernelopts.*ipv6.disable=1.*' GRUBENV_FILE_LOCATION
-Fill in GRUBENV_FILE_LOCATION based on information above.
-      Is it the case that IPv6 is not disabled?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kernel_module_ipv6_option_disabled_question:question:1">
-          <ocil:question_text>If the system uses IPv6, this is not applicable.
-
-If the system is configured to disable the
-ipv6 kernel module, it will contain a line
-of the form:
-options ipv6 disable=1
-Such lines may be inside any file in /etc/modprobe.d or the
-deprecated/etc/modprobe.conf.  This permits insertion of the IPv6
-kernel module (which other parts of the system expect to be present), but
-otherwise keeps it inactive.  Run the following command to search for such
-lines in all files in /etc/modprobe.d and the deprecated
-/etc/modprobe.conf:
-$ grep -r ipv6 /etc/modprobe.conf /etc/modprobe.d
-      Is it the case that the ipv6 kernel module is not disabled?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sysctl_net_ipv6_conf_all_disable_ipv6_question:question:1">
-          <ocil:question_text>If the system uses IPv6, this is not applicable.
-
-If the system is configured to prevent the usage of the ipv6 on
-network interfaces, it will contain a line of the form:
-net.ipv6.conf.all.disable_ipv6 = 1
-Such lines may be inside any file in the /etc/sysctl.d directory.
-This permits insertion of the IPv6 kernel module (which other parts of the
-system expect to be present), but otherwise keeps all network interfaces
-from using IPv6. Run the following command to search for such lines in all
-files in /etc/sysctl.d:
-$ grep -r ipv6 /etc/sysctl.d
-      Is it the case that the ipv6 support is disabled on all network interfaces?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sysctl_net_ipv6_conf_default_disable_ipv6_question:question:1">
-          <ocil:question_text>If the system uses IPv6, this is not applicable.
-
-If the system is configured to prevent the usage of the ipv6 on
-network interfaces, it will contain a line of the form:
-net.ipv6.conf.default.disable_ipv6 = 1
-Such lines may be inside any file in the /etc/sysctl.d directory.
-This permits insertion of the IPv6 kernel module (which other parts of the
-system expect to be present), but otherwise keeps network interfaces
-from using IPv6. Run the following command to search for such lines in all
-files in /etc/sysctl.d:
-$ grep -r ipv6 /etc/sysctl.d
-      Is it the case that the ipv6 support is disabled by default on network interfaces?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sysctl_net_ipv4_conf_all_accept_local_question:question:1">
-          <ocil:question_text>The runtime status of the net.ipv4.conf.all.accept_local kernel parameter can be queried
-by running the following command:
-$ sysctl net.ipv4.conf.all.accept_local
-0.
-
-      Is it the case that the correct value is not returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sysctl_net_ipv4_conf_all_accept_redirects_question:question:1">
-          <ocil:question_text>The runtime status of the net.ipv4.conf.all.accept_redirects kernel parameter can be queried
-by running the following command:
-$ sysctl net.ipv4.conf.all.accept_redirects
-0.
-
-      Is it the case that the correct value is not returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sysctl_net_ipv4_conf_all_accept_source_route_question:question:1">
-          <ocil:question_text>The runtime status of the net.ipv4.conf.all.accept_source_route kernel parameter can be queried
-by running the following command:
-$ sysctl net.ipv4.conf.all.accept_source_route
-0.
-
-      Is it the case that the correct value is not returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sysctl_net_ipv4_conf_all_arp_filter_question:question:1">
-          <ocil:question_text>The runtime status of the net.ipv4.conf.all.arp_filter kernel parameter can be queried
-by running the following command:
-$ sysctl net.ipv4.conf.all.arp_filter
-.
-
-      Is it the case that the correct value is not returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sysctl_net_ipv4_conf_all_arp_ignore_question:question:1">
-          <ocil:question_text>The runtime status of the net.ipv4.conf.all.arp_ignore kernel parameter can be queried
-by running the following command:
-$ sysctl net.ipv4.conf.all.arp_ignore
-.
-
-      Is it the case that the correct value is not returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sysctl_net_ipv4_conf_all_log_martians_question:question:1">
-          <ocil:question_text>The runtime status of the net.ipv4.conf.all.log_martians kernel parameter can be queried
-by running the following command:
-$ sysctl net.ipv4.conf.all.log_martians
-1.
-
-      Is it the case that the correct value is not returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sysctl_net_ipv4_conf_all_route_localnet_question:question:1">
-          <ocil:question_text>The runtime status of the net.ipv4.conf.all.route_localnet kernel parameter can be queried
-by running the following command:
-$ sysctl net.ipv4.conf.all.route_localnet
-0.
-
-      Is it the case that the correct value is not returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sysctl_net_ipv4_conf_all_rp_filter_question:question:1">
-          <ocil:question_text>The runtime status of the net.ipv4.conf.all.rp_filter parameter can be queried
-by running the following command:
-$ sysctl net.ipv4.conf.all.rp_filter
-The output of the command should indicate either:
-net.ipv4.conf.all.rp_filter = 1
-or:
-net.ipv4.conf.all.rp_filter = 2
-The output of the command should not indicate:
-net.ipv4.conf.all.rp_filter = 0
-
-The preferable way how to assure the runtime compliance is to have
-correct persistent configuration, and rebooting the system.
-
-The persistent sysctl parameter configuration is performed by specifying the appropriate
-assignment in any file located in the /etc/sysctl.d directory.
-Verify that there is not any existing incorrect configuration by executing the following command:
-$ grep -r '^\s*net.ipv4.conf.all.rp_filter\s*=' /etc/sysctl.conf /etc/sysctl.d
-The command should not find any assignments other than:
-net.ipv4.conf.all.rp_filter = 1
-or:
-net.ipv4.conf.all.rp_filter = 2
-
-Conflicting assignments are not allowed.
-      Is it the case that the net.ipv4.conf.all.rp_filter is not set to 1 or 2 or is configured to be 0?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sysctl_net_ipv4_conf_all_secure_redirects_question:question:1">
-          <ocil:question_text>The runtime status of the net.ipv4.conf.all.secure_redirects kernel parameter can be queried
-by running the following command:
-$ sysctl net.ipv4.conf.all.secure_redirects
-0.
-
-      Is it the case that the correct value is not returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sysctl_net_ipv4_conf_all_shared_media_question:question:1">
-          <ocil:question_text>The runtime status of the net.ipv4.conf.all.shared_media kernel parameter can be queried
-by running the following command:
-$ sysctl net.ipv4.conf.all.shared_media
-0.
-
-      Is it the case that the correct value is not returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sysctl_net_ipv4_conf_default_accept_redirects_question:question:1">
-          <ocil:question_text>The runtime status of the net.ipv4.conf.default.accept_redirects kernel parameter can be queried
-by running the following command:
-$ sysctl net.ipv4.conf.default.accept_redirects
-0.
-
-      Is it the case that the correct value is not returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sysctl_net_ipv4_conf_default_accept_source_route_question:question:1">
-          <ocil:question_text>The runtime status of the net.ipv4.conf.default.accept_source_route kernel parameter can be queried
-by running the following command:
-$ sysctl net.ipv4.conf.default.accept_source_route
-0.
-
-      Is it the case that the correct value is not returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sysctl_net_ipv4_conf_default_log_martians_question:question:1">
-          <ocil:question_text>The runtime status of the net.ipv4.conf.default.log_martians kernel parameter can be queried
-by running the following command:
-$ sysctl net.ipv4.conf.default.log_martians
-1.
-
-      Is it the case that the correct value is not returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sysctl_net_ipv4_conf_default_rp_filter_question:question:1">
-          <ocil:question_text>The runtime status of the net.ipv4.conf.default.rp_filter kernel parameter can be queried
-by running the following command:
-$ sysctl net.ipv4.conf.default.rp_filter
-1.
-
-      Is it the case that the correct value is not returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sysctl_net_ipv4_conf_default_secure_redirects_question:question:1">
-          <ocil:question_text>The runtime status of the net.ipv4.conf.default.secure_redirects kernel parameter can be queried
-by running the following command:
-$ sysctl net.ipv4.conf.default.secure_redirects
-0.
-
-      Is it the case that the correct value is not returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sysctl_net_ipv4_conf_default_shared_media_question:question:1">
-          <ocil:question_text>The runtime status of the net.ipv4.conf.default.shared_media kernel parameter can be queried
-by running the following command:
-$ sysctl net.ipv4.conf.default.shared_media
-0.
-
-      Is it the case that the correct value is not returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sysctl_net_ipv4_icmp_echo_ignore_broadcasts_question:question:1">
-          <ocil:question_text>The runtime status of the net.ipv4.icmp_echo_ignore_broadcasts kernel parameter can be queried
-by running the following command:
-$ sysctl net.ipv4.icmp_echo_ignore_broadcasts
-1.
-
-      Is it the case that the correct value is not returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sysctl_net_ipv4_icmp_ignore_bogus_error_responses_question:question:1">
-          <ocil:question_text>The runtime status of the net.ipv4.icmp_ignore_bogus_error_responses kernel parameter can be queried
-by running the following command:
-$ sysctl net.ipv4.icmp_ignore_bogus_error_responses
-1.
-
-      Is it the case that the correct value is not returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sysctl_net_ipv4_tcp_invalid_ratelimit_question:question:1">
-          <ocil:question_text>To verify that the operating system protects against or limits the effects of DoS
-attacks by ensuring implementation of rate-limiting measures
-on impacted network interfaces, run the following command:
-# grep 'net.ipv4.tcp_invalid_ratelimit' /etc/sysctl.conf /etc/sysctl.d/*
-The command should output the following line:
-/etc/sysctl.conf:net.ipv4.tcp_invalid_ratelimit = 
-The file where the line has been found can differ, but it must be either /etc/sysctl.conf
-or a file located under the /etc/sysctl.d/ directory.
-      Is it the case that rate limiting of duplicate TCP acknowledgments is not configured?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sysctl_net_ipv4_tcp_syncookies_question:question:1">
-          <ocil:question_text>The runtime status of the net.ipv4.tcp_syncookies kernel parameter can be queried
-by running the following command:
-$ sysctl net.ipv4.tcp_syncookies
-1.
-
-      Is it the case that the correct value is not returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sysctl_net_ipv4_conf_all_send_redirects_question:question:1">
-          <ocil:question_text>The runtime status of the net.ipv4.conf.all.send_redirects kernel parameter can be queried
-by running the following command:
-$ sysctl net.ipv4.conf.all.send_redirects
-0.
-
-      Is it the case that the correct value is not returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sysctl_net_ipv4_conf_default_send_redirects_question:question:1">
-          <ocil:question_text>The runtime status of the net.ipv4.conf.default.send_redirects kernel parameter can be queried
-by running the following command:
-$ sysctl net.ipv4.conf.default.send_redirects
-0.
-
-      Is it the case that the correct value is not returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sysctl_net_ipv4_ip_forward_question:question:1">
-          <ocil:question_text>The runtime status of the net.ipv4.ip_forward kernel parameter can be queried
-by running the following command:
-$ sysctl net.ipv4.ip_forward
-0.
-The ability to forward packets is only appropriate for routers.
-      Is it the case that the correct value is not returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-service_ufw_enabled_question:question:1">
-          <ocil:question_text>
-As a user with administrator privileges, log into a node in the relevant pool:
-
-$ oc debug node/$NODE_NAME
-
-At the sh-4.4# prompt, run:
-
-# chroot /host
-
-
-Run the following command to determine the current status of the
-ufw service:
-$ sudo systemctl is-active ufw
-If the service is running, it should return the following: active
-      Is it the case that the service is not enabled?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kernel_module_atm_disabled_question:question:1">
-          <ocil:question_text>
-If the system is configured to prevent the loading of the atm kernel module,
-it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf.
-These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event.
-
-Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf:
-$ grep -r atm /etc/modprobe.conf /etc/modprobe.d
-      Is it the case that no line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kernel_module_can_disabled_question:question:1">
-          <ocil:question_text>
-If the system is configured to prevent the loading of the can kernel module,
-it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf.
-These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event.
-
-Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf:
-$ grep -r can /etc/modprobe.conf /etc/modprobe.d
-      Is it the case that no line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kernel_module_firewire-core_disabled_question:question:1">
-          <ocil:question_text>
-If the system is configured to prevent the loading of the firewire-core kernel module,
-it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf.
-These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event.
-
-Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf:
-$ grep -r firewire-core /etc/modprobe.conf /etc/modprobe.d
-      Is it the case that no line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kernel_module_rds_disabled_question:question:1">
-          <ocil:question_text>
-If the system is configured to prevent the loading of the rds kernel module,
-it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf.
-These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event.
-
-Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf:
-$ grep -r rds /etc/modprobe.conf /etc/modprobe.d
-      Is it the case that no line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kernel_module_sctp_disabled_question:question:1">
-          <ocil:question_text>
-If the system is configured to prevent the loading of the sctp kernel module,
-it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf.
-These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event.
-
-Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf:
-$ grep -r sctp /etc/modprobe.conf /etc/modprobe.d
-      Is it the case that no line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kernel_module_tipc_disabled_question:question:1">
-          <ocil:question_text>
-If the system is configured to prevent the loading of the tipc kernel module,
-it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf.
-These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event.
-
-Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf:
-$ grep -r tipc /etc/modprobe.conf /etc/modprobe.d
-      Is it the case that no line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kernel_module_bluetooth_disabled_question:question:1">
-          <ocil:question_text>
-If the system is configured to prevent the loading of the bluetooth kernel module,
-it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf.
-These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event.
-
-Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf:
-$ grep -r bluetooth /etc/modprobe.conf /etc/modprobe.d
-      Is it the case that no line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kernel_module_cfg80211_disabled_question:question:1">
-          <ocil:question_text>
-If the system is configured to prevent the loading of the cfg80211 kernel module,
-it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf.
-These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event.
-
-Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf:
-$ grep -r cfg80211 /etc/modprobe.conf /etc/modprobe.d
-      Is it the case that no line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kernel_module_iwlmvm_disabled_question:question:1">
-          <ocil:question_text>
-If the system is configured to prevent the loading of the iwlmvm kernel module,
-it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf.
-These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event.
-
-Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf:
-$ grep -r iwlmvm /etc/modprobe.conf /etc/modprobe.d
-      Is it the case that no line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kernel_module_iwlwifi_disabled_question:question:1">
-          <ocil:question_text>
-If the system is configured to prevent the loading of the iwlwifi kernel module,
-it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf.
-These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event.
-
-Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf:
-$ grep -r iwlwifi /etc/modprobe.conf /etc/modprobe.d
-      Is it the case that no line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kernel_module_mac80211_disabled_question:question:1">
-          <ocil:question_text>
-If the system is configured to prevent the loading of the mac80211 kernel module,
-it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf.
-These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event.
-
-Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf:
-$ grep -r mac80211 /etc/modprobe.conf /etc/modprobe.d
-      Is it the case that no line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-service_bluetooth_disabled_question:question:1">
-          <ocil:question_text>To check that the bluetooth service is disabled in system boot configuration,
-You'll need to log into a node in the cluster.
-As a user with administrator privileges, log into a node in the relevant pool:
-
-$ oc debug node/$NODE_NAME
-
-At the sh-4.4# prompt, run:
-
-# chroot /host
-
-
-Subsequently,run the following command:
-$ sudo systemctl is-enabled bluetooth
-Output should indicate the bluetooth service has either not been installed,
-or has been disabled at all runlevels, as shown in the example below:
-$ sudo systemctl is-enabled bluetooth disabled
-
-Run the following command to verify bluetooth is not active (i.e. not running) through current runtime configuration:
-$ sudo systemctl is-active bluetooth
-
-If the service is not running the command will return the following output:
-inactive
-
-The service will also be masked, to check that the bluetooth is masked, run the following command:
-$ sudo systemctl show bluetooth | grep "LoadState\|UnitFileState"
-
-If the service is masked the command will return the following outputs:
-
-LoadState=masked
-
-UnitFileState=masked
-      Is it the case that the "bluetooth" is loaded and not masked?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-wireless_disable_interfaces_question:question:1">
-          <ocil:question_text>Verify that there are no wireless interfaces configured on the system
-with the following command:
-
-$ sudo nmcli device
-The output should only contain wireless devices in unavailable state, like in the
-following example:
-wlp0s20f3          wifi      unavailable             -- 
-      Is it the case that wireless interfaces are not active?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-network_nmcli_permissions_question:question:1">
-          <ocil:question_text>Using a non-privileged account, verify that users cannot modify or change
-network settings with the nmcli command with the following command:
-$ nmcli general permissions
-The output should contain the following:
-PERMISSION                                                        VALUE
-org.freedesktop.NetworkManager.enable-disable-network             auth
-org.freedesktop.NetworkManager.enable-disable-wifi                auth
-org.freedesktop.NetworkManager.enable-disable-wwan                auth
-org.freedesktop.NetworkManager.enable-disable-wimax               auth
-org.freedesktop.NetworkManager.sleep-wake                         auth
-org.freedesktop.NetworkManager.network-control                    auth
-org.freedesktop.NetworkManager.wifi.share.protected               auth
-org.freedesktop.NetworkManager.wifi.share.open                    auth
-org.freedesktop.NetworkManager.settings.modify.system             auth
-org.freedesktop.NetworkManager.settings.modify.own                auth
-org.freedesktop.NetworkManager.settings.modify.hostname           auth
-org.freedesktop.NetworkManager.settings.modify.global-dns         auth
-org.freedesktop.NetworkManager.reload                             auth
-org.freedesktop.NetworkManager.checkpoint-rollback                auth
-org.freedesktop.NetworkManager.enable-disable-statistics          auth
-org.freedesktop.NetworkManager.enable-disable-connectivity-check  auth
-org.freedesktop.NetworkManager.wifi.scan                          auth
-
-      Is it the case that non-privileged users can modify or change network settings?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-file_groupowner_backup_etc_group_question:question:1">
-          <ocil:question_text>To check the group ownership of /etc/group-,
-you'll need to log into a node in the cluster.
-As a user with administrator privileges, log into a node in the relevant pool:
-
-$ oc debug node/$NODE_NAME
-
-At the sh-4.4# prompt, run:
-
-# chroot /host
-
-
-Then,run the command:
-$ ls -lL /etc/group-
-If properly configured, the output should indicate the following group-owner:
-root
-      Is it the case that /etc/group- does not have a group owner of root?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-file_groupowner_backup_etc_gshadow_question:question:1">
-          <ocil:question_text>To check the group ownership of /etc/gshadow-,
-you'll need to log into a node in the cluster.
-As a user with administrator privileges, log into a node in the relevant pool:
-
-$ oc debug node/$NODE_NAME
-
-At the sh-4.4# prompt, run:
-
-# chroot /host
-
-
-Then,run the command:
-$ ls -lL /etc/gshadow-
-If properly configured, the output should indicate the following group-owner:
-root
-      Is it the case that /etc/gshadow- does not have a group owner of root?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-file_groupowner_backup_etc_passwd_question:question:1">
-          <ocil:question_text>To check the group ownership of /etc/passwd-,
-you'll need to log into a node in the cluster.
-As a user with administrator privileges, log into a node in the relevant pool:
-
-$ oc debug node/$NODE_NAME
-
-At the sh-4.4# prompt, run:
-
-# chroot /host
-
-
-Then,run the command:
-$ ls -lL /etc/passwd-
-If properly configured, the output should indicate the following group-owner:
-root
-      Is it the case that /etc/passwd- does not have a group owner of root?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-file_groupowner_backup_etc_shadow_question:question:1">
-          <ocil:question_text>To check the group ownership of /etc/shadow-,
-you'll need to log into a node in the cluster.
-As a user with administrator privileges, log into a node in the relevant pool:
-
-$ oc debug node/$NODE_NAME
-
-At the sh-4.4# prompt, run:
-
-# chroot /host
-
-
-Then,run the command:
-$ ls -lL /etc/shadow-
-If properly configured, the output should indicate the following group-owner:
-root
-      Is it the case that /etc/shadow- does not have a group owner of root?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-file_groupowner_etc_group_question:question:1">
-          <ocil:question_text>To check the group ownership of /etc/group,
-you'll need to log into a node in the cluster.
-As a user with administrator privileges, log into a node in the relevant pool:
-
-$ oc debug node/$NODE_NAME
-
-At the sh-4.4# prompt, run:
-
-# chroot /host
-
-
-Then,run the command:
-$ ls -lL /etc/group
-If properly configured, the output should indicate the following group-owner:
-root
-      Is it the case that /etc/group does not have a group owner of root?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-file_groupowner_etc_gshadow_question:question:1">
-          <ocil:question_text>To check the group ownership of /etc/gshadow,
-you'll need to log into a node in the cluster.
-As a user with administrator privileges, log into a node in the relevant pool:
-
-$ oc debug node/$NODE_NAME
-
-At the sh-4.4# prompt, run:
-
-# chroot /host
-
-
-Then,run the command:
-$ ls -lL /etc/gshadow
-If properly configured, the output should indicate the following group-owner:
-root
-      Is it the case that /etc/gshadow does not have a group owner of root?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-file_groupowner_etc_passwd_question:question:1">
-          <ocil:question_text>To check the group ownership of /etc/passwd,
-you'll need to log into a node in the cluster.
-As a user with administrator privileges, log into a node in the relevant pool:
-
-$ oc debug node/$NODE_NAME
-
-At the sh-4.4# prompt, run:
-
-# chroot /host
-
-
-Then,run the command:
-$ ls -lL /etc/passwd
-If properly configured, the output should indicate the following group-owner:
-root
-      Is it the case that /etc/passwd does not have a group owner of root?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-file_groupowner_etc_shadow_question:question:1">
-          <ocil:question_text>To check the group ownership of /etc/shadow,
-you'll need to log into a node in the cluster.
-As a user with administrator privileges, log into a node in the relevant pool:
-
-$ oc debug node/$NODE_NAME
-
-At the sh-4.4# prompt, run:
-
-# chroot /host
-
-
-Then,run the command:
-$ ls -lL /etc/shadow
-If properly configured, the output should indicate the following group-owner:
-root
-      Is it the case that /etc/shadow does not have a group owner of root?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-file_owner_backup_etc_group_question:question:1">
-          <ocil:question_text>To check the ownership of /etc/group-,
-you'll need to log into a node in the cluster.
-As a user with administrator privileges, log into a node in the relevant pool:
-
-$ oc debug node/$NODE_NAME
-
-At the sh-4.4# prompt, run:
-
-# chroot /host
-
-
-Then,run the command:
-$ ls -lL /etc/group-
-If properly configured, the output should indicate the following owner:
-root
-      Is it the case that /etc/group- does not have an owner of root?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-file_owner_backup_etc_gshadow_question:question:1">
-          <ocil:question_text>To check the ownership of /etc/gshadow-,
-you'll need to log into a node in the cluster.
-As a user with administrator privileges, log into a node in the relevant pool:
-
-$ oc debug node/$NODE_NAME
-
-At the sh-4.4# prompt, run:
-
-# chroot /host
-
-
-Then,run the command:
-$ ls -lL /etc/gshadow-
-If properly configured, the output should indicate the following owner:
-root
-      Is it the case that /etc/gshadow- does not have an owner of root?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-file_owner_backup_etc_passwd_question:question:1">
-          <ocil:question_text>To check the ownership of /etc/passwd-,
-you'll need to log into a node in the cluster.
-As a user with administrator privileges, log into a node in the relevant pool:
-
-$ oc debug node/$NODE_NAME
-
-At the sh-4.4# prompt, run:
-
-# chroot /host
-
-
-Then,run the command:
-$ ls -lL /etc/passwd-
-If properly configured, the output should indicate the following owner:
-root
-      Is it the case that /etc/passwd- does not have an owner of root?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-file_owner_backup_etc_shadow_question:question:1">
-          <ocil:question_text>To check the ownership of /etc/shadow-,
-you'll need to log into a node in the cluster.
-As a user with administrator privileges, log into a node in the relevant pool:
-
-$ oc debug node/$NODE_NAME
-
-At the sh-4.4# prompt, run:
-
-# chroot /host
-
-
-Then,run the command:
-$ ls -lL /etc/shadow-
-If properly configured, the output should indicate the following owner:
-root
-      Is it the case that /etc/shadow- does not have an owner of root?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-file_owner_etc_group_question:question:1">
-          <ocil:question_text>To check the ownership of /etc/group,
-you'll need to log into a node in the cluster.
-As a user with administrator privileges, log into a node in the relevant pool:
-
-$ oc debug node/$NODE_NAME
-
-At the sh-4.4# prompt, run:
-
-# chroot /host
-
-
-Then,run the command:
-$ ls -lL /etc/group
-If properly configured, the output should indicate the following owner:
-root
-      Is it the case that /etc/group does not have an owner of root?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-file_owner_etc_gshadow_question:question:1">
-          <ocil:question_text>To check the ownership of /etc/gshadow,
-you'll need to log into a node in the cluster.
-As a user with administrator privileges, log into a node in the relevant pool:
-
-$ oc debug node/$NODE_NAME
-
-At the sh-4.4# prompt, run:
-
-# chroot /host
-
-
-Then,run the command:
-$ ls -lL /etc/gshadow
-If properly configured, the output should indicate the following owner:
-root
-      Is it the case that /etc/gshadow does not have an owner of root?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-file_owner_etc_passwd_question:question:1">
-          <ocil:question_text>To check the ownership of /etc/passwd,
-you'll need to log into a node in the cluster.
-As a user with administrator privileges, log into a node in the relevant pool:
-
-$ oc debug node/$NODE_NAME
-
-At the sh-4.4# prompt, run:
-
-# chroot /host
-
-
-Then,run the command:
-$ ls -lL /etc/passwd
-If properly configured, the output should indicate the following owner:
-root
-      Is it the case that /etc/passwd does not have an owner of root?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-file_owner_etc_shadow_question:question:1">
-          <ocil:question_text>To check the ownership of /etc/shadow,
-you'll need to log into a node in the cluster.
-As a user with administrator privileges, log into a node in the relevant pool:
-
-$ oc debug node/$NODE_NAME
-
-At the sh-4.4# prompt, run:
-
-# chroot /host
-
-
-Then,run the command:
-$ ls -lL /etc/shadow
-If properly configured, the output should indicate the following owner:
-root
-      Is it the case that /etc/shadow does not have an owner of root?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-file_permissions_backup_etc_group_question:question:1">
-          <ocil:question_text>To check the permissions of /etc/group-,
-you'll need to log into a node in the cluster.
-As a user with administrator privileges, log into a node in the relevant pool:
-
-$ oc debug node/$NODE_NAME
-
-At the sh-4.4# prompt, run:
-
-# chroot /host
-
-
-Then,run the command:
-$ ls -l /etc/group-
-If properly configured, the output should indicate the following permissions:
--rw-r--r--
-      Is it the case that /etc/group- does not have unix mode -rw-r--r--?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-file_permissions_backup_etc_gshadow_question:question:1">
-          <ocil:question_text>To check the permissions of /etc/gshadow-,
-you'll need to log into a node in the cluster.
-As a user with administrator privileges, log into a node in the relevant pool:
-
-$ oc debug node/$NODE_NAME
-
-At the sh-4.4# prompt, run:
-
-# chroot /host
-
-
-Then,run the command:
-$ ls -l /etc/gshadow-
-If properly configured, the output should indicate the following permissions:
-----------
-      Is it the case that /etc/gshadow- does not have unix mode ----------?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-file_permissions_backup_etc_passwd_question:question:1">
-          <ocil:question_text>To check the permissions of /etc/passwd-,
-you'll need to log into a node in the cluster.
-As a user with administrator privileges, log into a node in the relevant pool:
-
-$ oc debug node/$NODE_NAME
-
-At the sh-4.4# prompt, run:
-
-# chroot /host
-
-
-Then,run the command:
-$ ls -l /etc/passwd-
-If properly configured, the output should indicate the following permissions:
--rw-r--r--
-      Is it the case that /etc/passwd- does not have unix mode -rw-r--r--?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-file_permissions_backup_etc_shadow_question:question:1">
-          <ocil:question_text>To check the permissions of /etc/shadow-,
-you'll need to log into a node in the cluster.
-As a user with administrator privileges, log into a node in the relevant pool:
-
-$ oc debug node/$NODE_NAME
-
-At the sh-4.4# prompt, run:
-
-# chroot /host
-
-
-Then,run the command:
-$ ls -l /etc/shadow-
-If properly configured, the output should indicate the following permissions:
-----------
-      Is it the case that /etc/shadow- does not have unix mode ----------?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-file_permissions_etc_group_question:question:1">
-          <ocil:question_text>To check the permissions of /etc/group,
-you'll need to log into a node in the cluster.
-As a user with administrator privileges, log into a node in the relevant pool:
-
-$ oc debug node/$NODE_NAME
-
-At the sh-4.4# prompt, run:
-
-# chroot /host
-
-
-Then,run the command:
-$ ls -l /etc/group
-If properly configured, the output should indicate the following permissions:
--rw-r--r--
-      Is it the case that /etc/group does not have unix mode -rw-r--r--?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-file_permissions_etc_gshadow_question:question:1">
-          <ocil:question_text>To check the permissions of /etc/gshadow,
-you'll need to log into a node in the cluster.
-As a user with administrator privileges, log into a node in the relevant pool:
-
-$ oc debug node/$NODE_NAME
-
-At the sh-4.4# prompt, run:
-
-# chroot /host
-
-
-Then,run the command:
-$ ls -l /etc/gshadow
-If properly configured, the output should indicate the following permissions:
-----------
-      Is it the case that /etc/gshadow does not have unix mode ----------?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-file_permissions_etc_passwd_question:question:1">
-          <ocil:question_text>To check the permissions of /etc/passwd,
-you'll need to log into a node in the cluster.
-As a user with administrator privileges, log into a node in the relevant pool:
-
-$ oc debug node/$NODE_NAME
-
-At the sh-4.4# prompt, run:
-
-# chroot /host
-
-
-Then,run the command:
-$ ls -l /etc/passwd
-If properly configured, the output should indicate the following permissions:
--rw-r--r--
-      Is it the case that /etc/passwd does not have unix mode -rw-r--r--?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-file_permissions_etc_shadow_question:question:1">
-          <ocil:question_text>To check the permissions of /etc/shadow,
-you'll need to log into a node in the cluster.
-As a user with administrator privileges, log into a node in the relevant pool:
-
-$ oc debug node/$NODE_NAME
-
-At the sh-4.4# prompt, run:
-
-# chroot /host
-
-
-Then,run the command:
-$ ls -l /etc/shadow
-If properly configured, the output should indicate the following permissions:
-----------
-      Is it the case that /etc/shadow does not have unix mode ----------?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-file_groupowner_var_log_question:question:1">
-          <ocil:question_text>To check the group ownership of /var/log,
-you'll need to log into a node in the cluster.
-As a user with administrator privileges, log into a node in the relevant pool:
-
-$ oc debug node/$NODE_NAME
-
-At the sh-4.4# prompt, run:
-
-# chroot /host
-
-
-Then,run the command:
-$ ls -lL /var/log
-If properly configured, the output should indicate the following group-owner:
-root
-      Is it the case that /var/log does not have a group owner of root?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-file_groupowner_var_log_messages_question:question:1">
-          <ocil:question_text>To check the group ownership of /var/log/messages,
-you'll need to log into a node in the cluster.
-As a user with administrator privileges, log into a node in the relevant pool:
-
-$ oc debug node/$NODE_NAME
-
-At the sh-4.4# prompt, run:
-
-# chroot /host
-
-
-Then,run the command:
-$ ls -lL /var/log/messages
-If properly configured, the output should indicate the following group-owner:
-root
-      Is it the case that /var/log/messages does not have a group owner of root?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-file_groupowner_var_log_syslog_question:question:1">
-          <ocil:question_text>To check the group ownership of /var/log/syslog,
-you'll need to log into a node in the cluster.
-As a user with administrator privileges, log into a node in the relevant pool:
-
-$ oc debug node/$NODE_NAME
-
-At the sh-4.4# prompt, run:
-
-# chroot /host
-
-
-Then,run the command:
-$ ls -lL /var/log/syslog
-If properly configured, the output should indicate the following group-owner:
-adm
-      Is it the case that /var/log/syslog does not have a group owner of adm?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-file_owner_var_log_question:question:1">
-          <ocil:question_text>To check the ownership of /var/log,
-you'll need to log into a node in the cluster.
-As a user with administrator privileges, log into a node in the relevant pool:
-
-$ oc debug node/$NODE_NAME
-
-At the sh-4.4# prompt, run:
-
-# chroot /host
-
-
-Then,run the command:
-$ ls -lL /var/log
-If properly configured, the output should indicate the following owner:
-root
-      Is it the case that /var/log does not have an owner of root?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-file_owner_var_log_messages_question:question:1">
-          <ocil:question_text>To check the ownership of /var/log/messages,
-you'll need to log into a node in the cluster.
-As a user with administrator privileges, log into a node in the relevant pool:
-
-$ oc debug node/$NODE_NAME
-
-At the sh-4.4# prompt, run:
-
-# chroot /host
-
-
-Then,run the command:
-$ ls -lL /var/log/messages
-If properly configured, the output should indicate the following owner:
-root
-      Is it the case that /var/log/messages does not have an owner of root?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-file_owner_var_log_syslog_question:question:1">
-          <ocil:question_text>To check the ownership of /var/log/syslog,
-you'll need to log into a node in the cluster.
-As a user with administrator privileges, log into a node in the relevant pool:
-
-$ oc debug node/$NODE_NAME
-
-At the sh-4.4# prompt, run:
-
-# chroot /host
-
-
-Then,run the command:
-$ ls -lL /var/log/syslog
-If properly configured, the output should indicate the following owner:
-syslog
-      Is it the case that /var/log/syslog does not have an owner of syslog?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-file_permissions_var_log_question:question:1">
-          <ocil:question_text>To check the permissions of /var/log,
-you'll need to log into a node in the cluster.
-As a user with administrator privileges, log into a node in the relevant pool:
-
-$ oc debug node/$NODE_NAME
-
-At the sh-4.4# prompt, run:
-
-# chroot /host
-
-
-Then,run the command:
-$ ls -l /var/log
-If properly configured, the output should indicate the following permissions:
-drwxr-xr-x
-      Is it the case that /var/log does not have unix mode drwxr-xr-x?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-file_permissions_var_log_messages_question:question:1">
-          <ocil:question_text>To check the permissions of /var/log/messages,
-you'll need to log into a node in the cluster.
-As a user with administrator privileges, log into a node in the relevant pool:
-
-$ oc debug node/$NODE_NAME
-
-At the sh-4.4# prompt, run:
-
-# chroot /host
-
-
-Then,run the command:
-$ ls -l /var/log/messages
-If properly configured, the output should indicate the following permissions:
--rw-r-----
-      Is it the case that /var/log/messages does not have unix mode -rw-r-----?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-file_permissions_var_log_syslog_question:question:1">
-          <ocil:question_text>To check the permissions of /var/log/syslog,
-you'll need to log into a node in the cluster.
-As a user with administrator privileges, log into a node in the relevant pool:
-
-$ oc debug node/$NODE_NAME
-
-At the sh-4.4# prompt, run:
-
-# chroot /host
-
-
-Then,run the command:
-$ ls -l /var/log/syslog
-If properly configured, the output should indicate the following permissions:
--rw-r-----
-      Is it the case that /var/log/syslog does not have unix mode -rw-r-----?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-dir_ownership_binary_dirs_question:question:1">
-          <ocil:question_text>System executables are stored in the following directories by default:
-/bin
-/sbin
-/usr/bin
-/usr/local/bin
-/usr/local/sbin
-/usr/sbin
-For each of these directories, run the following command to find files
-not owned by root:
-$ sudo find -L DIR/ ! -user root -type d -exec chown root {} \;
-      Is it the case that any system executables directories are found to not be owned by root?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-dir_ownership_library_dirs_question:question:1">
-          <ocil:question_text>Verify the system-wide shared library directories are owned by "root" with the following command:
-
-$ sudo find /lib /lib64 /usr/lib /usr/lib64 ! -user root -type d -exec stat -c "%n %U" '{}' \;
-      Is it the case that any system-wide shared library directory is not owned by root?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-dir_permissions_binary_dirs_question:question:1">
-          <ocil:question_text>System executables are stored in the following directories by default:
-/bin
-/sbin
-/usr/bin
-/usr/sbin
-/usr/local/bin
-/usr/local/sbin
-To find system executables directories that are group-writable or
-world-writable, run the following command for each directory DIR
-which contains system executables:
-$ sudo find -L DIR -perm /022 -type d
-      Is it the case that any of these files are group-writable or world-writable?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-dir_permissions_library_dirs_question:question:1">
-          <ocil:question_text>Shared libraries are stored in the following directories:
-/lib
-/lib64
-/usr/lib
-/usr/lib64
-
-To find shared libraries that are group-writable or world-writable,
-run the following command for each directory DIR which contains shared libraries:
-$ sudo find -L DIR -perm /022 -type d
-      Is it the case that any of these files are group-writable or world-writable?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-file_ownership_binary_dirs_question:question:1">
-          <ocil:question_text>Verify the system commands contained in the following directories are owned by "root" with the following command:
-
-$ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/libexec /usr/local/bin /usr/local/sbin ! -user root -exec ls -l {} \;
-      Is it the case that any system commands are found to not be owned by root?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-file_ownership_library_dirs_question:question:1">
-          <ocil:question_text>Verify the system-wide shared library files are owned by "root" with the following command:
-
-$ sudo find -L /lib /lib64 /usr/lib /usr/lib64 ! -user root -exec ls -l {} \;
-      Is it the case that any system wide shared library file is not owned by root?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-file_permissions_binary_dirs_question:question:1">
-          <ocil:question_text>Verify the system commands contained in the following directories have mode "755" or less permissive with the following command:
-
-$ sudo find -L /bin /sbin /usr/bin /usr/sbin /usr/libexec /usr/local/bin /usr/local/sbin -perm /022 -exec ls -l {} \;
-      Is it the case that any system commands are found to be group-writable or world-writable?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-file_permissions_library_dirs_question:question:1">
-          <ocil:question_text>Verify the system-wide shared library files contained in the following directories have mode "755" or less permissive with the following command:
-
-$ sudo find -L /lib /lib64 /usr/lib /usr/lib64 -perm /022 -type f -exec ls -l {} \;
-      Is it the case that any system-wide shared library file is found to be group-writable or world-writable?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-dir_perms_world_writable_sticky_bits_question:question:1">
-          <ocil:question_text>To find world-writable directories that lack the sticky bit, run the following command:
-$ sudo find / -type d \( -perm -0002 -a ! -perm -1000 \) -print 2&gt;/dev/null
-      Is it the case that any world-writable directories are missing the sticky bit?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-file_permissions_systemmap_question:question:1">
-          <ocil:question_text>To check the permissions of /boot/Sysem.map-*,
-you'll need to log into a node in the cluster.
-As a user with administrator privileges, log into a node in the relevant pool:
-
-$ oc debug node/$NODE_NAME
-
-At the sh-4.4# prompt, run:
-
-# chroot /host
-
-
-Then,run the command:
-$ ls -l /boot/Sysem.map-*
-If properly configured, the output should indicate the following permissions:
--rw-------
-      Is it the case that ?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-file_permissions_unauthorized_world_writable_question:question:1">
-          <ocil:question_text>To find world-writable files, run the following command:
-$ sudo find / -xdev -type f -perm -002
-      Is it the case that there is output?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sysctl_fs_protected_hardlinks_question:question:1">
-          <ocil:question_text>The runtime status of the fs.protected_hardlinks kernel parameter can be queried
-by running the following command:
-$ sysctl fs.protected_hardlinks
-1.
-
-      Is it the case that the correct value is not returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sysctl_fs_protected_symlinks_question:question:1">
-          <ocil:question_text>The runtime status of the fs.protected_symlinks kernel parameter can be queried
-by running the following command:
-$ sysctl fs.protected_symlinks
-1.
-
-      Is it the case that the correct value is not returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kernel_module_cramfs_disabled_question:question:1">
-          <ocil:question_text>
-If the system is configured to prevent the loading of the cramfs kernel module,
-it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf.
-These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event.
-
-Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf:
-$ grep -r cramfs /etc/modprobe.conf /etc/modprobe.d
-      Is it the case that no line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kernel_module_usb-storage_disabled_question:question:1">
-          <ocil:question_text>
-If the system is configured to prevent the loading of the usb-storage kernel module,
-it will contain lines inside any file in /etc/modprobe.d or the deprecated /etc/modprobe.conf.
-These lines instruct the module loading system to run another program (such as /bin/true) upon a module install event.
-
-Run the following command to search for such lines in all files in /etc/modprobe.d and the deprecated /etc/modprobe.conf:
-$ grep -r usb-storage /etc/modprobe.conf /etc/modprobe.d
-      Is it the case that no line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-service_autofs_disabled_question:question:1">
-          <ocil:question_text>To check that the autofs service is disabled in system boot configuration,
-You'll need to log into a node in the cluster.
-As a user with administrator privileges, log into a node in the relevant pool:
-
-$ oc debug node/$NODE_NAME
-
-At the sh-4.4# prompt, run:
-
-# chroot /host
-
-
-Subsequently,run the following command:
-$ sudo systemctl is-enabled autofs
-Output should indicate the autofs service has either not been installed,
-or has been disabled at all runlevels, as shown in the example below:
-$ sudo systemctl is-enabled autofs disabled
-
-Run the following command to verify autofs is not active (i.e. not running) through current runtime configuration:
-$ sudo systemctl is-active autofs
-
-If the service is not running the command will return the following output:
-inactive
-
-The service will also be masked, to check that the autofs is masked, run the following command:
-$ sudo systemctl show autofs | grep "LoadState\|UnitFileState"
-
-If the service is masked the command will return the following outputs:
-
-LoadState=masked
-
-UnitFileState=masked
-      Is it the case that the "autofs" is loaded and not masked?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-mount_option_boot_nodev_question:question:1">
-          <ocil:question_text>Verify the nodev option is configured for the /boot mount point,
-    You'll need to log into a node in the cluster.
-    As a user with administrator privileges, log into a node in the relevant pool:
-    
-    $ oc debug node/$NODE_NAME
-    
-    At the sh-4.4# prompt, run:
-    
-    # chroot /host
-    
-
-    Subsequently,run the following command:
-    $ sudo mount | grep '\s/boot\s'
-    . . . /boot . . . nodev . . .
-
-      Is it the case that the "/boot" file system does not have the "nodev" option set?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-mount_option_boot_nosuid_question:question:1">
-          <ocil:question_text>Verify the nosuid option is configured for the /boot mount point,
-    You'll need to log into a node in the cluster.
-    As a user with administrator privileges, log into a node in the relevant pool:
-    
-    $ oc debug node/$NODE_NAME
-    
-    At the sh-4.4# prompt, run:
-    
-    # chroot /host
-    
-
-    Subsequently,run the following command:
-    $ sudo mount | grep '\s/boot\s'
-    . . . /boot . . . nosuid . . .
-
-      Is it the case that the "/boot" file system does not have the "nosuid" option set?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-mount_option_dev_shm_nodev_question:question:1">
-          <ocil:question_text>Verify the nodev option is configured for the /dev/shm mount point,
-    You'll need to log into a node in the cluster.
-    As a user with administrator privileges, log into a node in the relevant pool:
-    
-    $ oc debug node/$NODE_NAME
-    
-    At the sh-4.4# prompt, run:
-    
-    # chroot /host
-    
-
-    Subsequently,run the following command:
-    $ sudo mount | grep '\s/dev/shm\s'
-    . . . /dev/shm . . . nodev . . .
-
-      Is it the case that the "/dev/shm" file system does not have the "nodev" option set?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-mount_option_dev_shm_noexec_question:question:1">
-          <ocil:question_text>Verify the noexec option is configured for the /dev/shm mount point,
-    You'll need to log into a node in the cluster.
-    As a user with administrator privileges, log into a node in the relevant pool:
-    
-    $ oc debug node/$NODE_NAME
-    
-    At the sh-4.4# prompt, run:
-    
-    # chroot /host
-    
-
-    Subsequently,run the following command:
-    $ sudo mount | grep '\s/dev/shm\s'
-    . . . /dev/shm . . . noexec . . .
-
-      Is it the case that the "/dev/shm" file system does not have the "noexec" option set?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-mount_option_dev_shm_nosuid_question:question:1">
-          <ocil:question_text>Verify the nosuid option is configured for the /dev/shm mount point,
-    You'll need to log into a node in the cluster.
-    As a user with administrator privileges, log into a node in the relevant pool:
-    
-    $ oc debug node/$NODE_NAME
-    
-    At the sh-4.4# prompt, run:
-    
-    # chroot /host
-    
-
-    Subsequently,run the following command:
-    $ sudo mount | grep '\s/dev/shm\s'
-    . . . /dev/shm . . . nosuid . . .
-
-      Is it the case that the "/dev/shm" file system does not have the "nosuid" option set?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-mount_option_home_nodev_question:question:1">
-          <ocil:question_text>Verify the nodev option is configured for the /home mount point,
-    You'll need to log into a node in the cluster.
-    As a user with administrator privileges, log into a node in the relevant pool:
-    
-    $ oc debug node/$NODE_NAME
-    
-    At the sh-4.4# prompt, run:
-    
-    # chroot /host
-    
-
-    Subsequently,run the following command:
-    $ sudo mount | grep '\s/home\s'
-    . . . /home . . . nodev . . .
-
-      Is it the case that the "/home" file system does not have the "nodev" option set?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-mount_option_home_nosuid_question:question:1">
-          <ocil:question_text>Verify the nosuid option is configured for the /home mount point,
-    You'll need to log into a node in the cluster.
-    As a user with administrator privileges, log into a node in the relevant pool:
-    
-    $ oc debug node/$NODE_NAME
-    
-    At the sh-4.4# prompt, run:
-    
-    # chroot /host
-    
-
-    Subsequently,run the following command:
-    $ sudo mount | grep '\s/home\s'
-    . . . /home . . . nosuid . . .
-
-      Is it the case that the "/home" file system does not have the "nosuid" option set?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-mount_option_nodev_nonroot_local_partitions_question:question:1">
-          <ocil:question_text>To verify the nodev option is configured for non-root local partitions, run the following command:
-$ sudo mount | grep '^/dev\S* on /\S' | grep --invert-match 'nodev'
-The output shows local non-root partitions mounted without the nodev option, and there should be no output at all.
-
-      Is it the case that some mounts appear among output lines?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-mount_option_nodev_removable_partitions_question:question:1">
-          <ocil:question_text>Verify file systems that are used for removable media are mounted with the "nodev" option with the following command:
-
-$ sudo more /etc/fstab
-
-UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid,nodev,noexec 0 0
-      Is it the case that a file system found in "/etc/fstab" refers to removable media and it does not have the "nodev" option set?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-mount_option_noexec_removable_partitions_question:question:1">
-          <ocil:question_text>To verify that binaries cannot be directly executed from removable media, run the following command:
-$ grep -v noexec /etc/fstab
-The resulting output will show partitions which do not have the noexec flag. Verify all partitions
-in the output are not removable media.
-      Is it the case that removable media partitions are present?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-mount_option_nosuid_removable_partitions_question:question:1">
-          <ocil:question_text>Verify file systems that are used for removable media are mounted with the "nosuid" option with the following command:
-
-$ sudo more /etc/fstab
-
-UUID=2bc871e4-e2a3-4f29-9ece-3be60c835222 /mnt/usbflash vfat noauto,owner,ro,nosuid,nodev,noexec 0 0
-      Is it the case that file system found in "/etc/fstab" refers to removable media and it does not have the "nosuid" option set?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-mount_option_tmp_nodev_question:question:1">
-          <ocil:question_text>Verify the nodev option is configured for the /tmp mount point,
-    You'll need to log into a node in the cluster.
-    As a user with administrator privileges, log into a node in the relevant pool:
-    
-    $ oc debug node/$NODE_NAME
-    
-    At the sh-4.4# prompt, run:
-    
-    # chroot /host
-    
-
-    Subsequently,run the following command:
-    $ sudo mount | grep '\s/tmp\s'
-    . . . /tmp . . . nodev . . .
-
-      Is it the case that the "/tmp" file system does not have the "nodev" option set?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-mount_option_tmp_noexec_question:question:1">
-          <ocil:question_text>Verify the noexec option is configured for the /tmp mount point,
-    You'll need to log into a node in the cluster.
-    As a user with administrator privileges, log into a node in the relevant pool:
-    
-    $ oc debug node/$NODE_NAME
-    
-    At the sh-4.4# prompt, run:
-    
-    # chroot /host
-    
-
-    Subsequently,run the following command:
-    $ sudo mount | grep '\s/tmp\s'
-    . . . /tmp . . . noexec . . .
-
-      Is it the case that the "/tmp" file system does not have the "noexec" option set?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-mount_option_tmp_nosuid_question:question:1">
-          <ocil:question_text>Verify the nosuid option is configured for the /tmp mount point,
-    You'll need to log into a node in the cluster.
-    As a user with administrator privileges, log into a node in the relevant pool:
-    
-    $ oc debug node/$NODE_NAME
-    
-    At the sh-4.4# prompt, run:
-    
-    # chroot /host
-    
-
-    Subsequently,run the following command:
-    $ sudo mount | grep '\s/tmp\s'
-    . . . /tmp . . . nosuid . . .
-
-      Is it the case that the "/tmp" file system does not have the "nosuid" option set?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-mount_option_var_log_audit_nodev_question:question:1">
-          <ocil:question_text>Verify the nodev option is configured for the /var/log/audit mount point,
-    You'll need to log into a node in the cluster.
-    As a user with administrator privileges, log into a node in the relevant pool:
-    
-    $ oc debug node/$NODE_NAME
-    
-    At the sh-4.4# prompt, run:
-    
-    # chroot /host
-    
-
-    Subsequently,run the following command:
-    $ sudo mount | grep '\s/var/log/audit\s'
-    . . . /var/log/audit . . . nodev . . .
-
-      Is it the case that the "/var/log/audit" file system does not have the "nodev" option set?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-mount_option_var_log_audit_noexec_question:question:1">
-          <ocil:question_text>Verify the noexec option is configured for the /var/log/audit mount point,
-    You'll need to log into a node in the cluster.
-    As a user with administrator privileges, log into a node in the relevant pool:
-    
-    $ oc debug node/$NODE_NAME
-    
-    At the sh-4.4# prompt, run:
-    
-    # chroot /host
-    
-
-    Subsequently,run the following command:
-    $ sudo mount | grep '\s/var/log/audit\s'
-    . . . /var/log/audit . . . noexec . . .
-
-      Is it the case that the "/var/log/audit" file system does not have the "noexec" option set?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-mount_option_var_log_audit_nosuid_question:question:1">
-          <ocil:question_text>Verify the nosuid option is configured for the /var/log/audit mount point,
-    You'll need to log into a node in the cluster.
-    As a user with administrator privileges, log into a node in the relevant pool:
-    
-    $ oc debug node/$NODE_NAME
-    
-    At the sh-4.4# prompt, run:
-    
-    # chroot /host
-    
-
-    Subsequently,run the following command:
-    $ sudo mount | grep '\s/var/log/audit\s'
-    . . . /var/log/audit . . . nosuid . . .
-
-      Is it the case that the "/var/log/audit" file system does not have the "nosuid" option set?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-mount_option_var_log_nodev_question:question:1">
-          <ocil:question_text>Verify the nodev option is configured for the /var/log mount point,
-    You'll need to log into a node in the cluster.
-    As a user with administrator privileges, log into a node in the relevant pool:
-    
-    $ oc debug node/$NODE_NAME
-    
-    At the sh-4.4# prompt, run:
-    
-    # chroot /host
-    
-
-    Subsequently,run the following command:
-    $ sudo mount | grep '\s/var/log\s'
-    . . . /var/log . . . nodev . . .
-
-      Is it the case that the "/var/log" file system does not have the "nodev" option set?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-mount_option_var_log_noexec_question:question:1">
-          <ocil:question_text>Verify the noexec option is configured for the /var/log mount point,
-    You'll need to log into a node in the cluster.
-    As a user with administrator privileges, log into a node in the relevant pool:
-    
-    $ oc debug node/$NODE_NAME
-    
-    At the sh-4.4# prompt, run:
-    
-    # chroot /host
-    
-
-    Subsequently,run the following command:
-    $ sudo mount | grep '\s/var/log\s'
-    . . . /var/log . . . noexec . . .
-
-      Is it the case that the "/var/log" file system does not have the "noexec" option set?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-mount_option_var_log_nosuid_question:question:1">
-          <ocil:question_text>Verify the nosuid option is configured for the /var/log mount point,
-    You'll need to log into a node in the cluster.
-    As a user with administrator privileges, log into a node in the relevant pool:
-    
-    $ oc debug node/$NODE_NAME
-    
-    At the sh-4.4# prompt, run:
-    
-    # chroot /host
-    
-
-    Subsequently,run the following command:
-    $ sudo mount | grep '\s/var/log\s'
-    . . . /var/log . . . nosuid . . .
-
-      Is it the case that the "/var/log" file system does not have the "nosuid" option set?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-mount_option_var_nodev_question:question:1">
-          <ocil:question_text>Verify the nodev option is configured for the /var mount point,
-    You'll need to log into a node in the cluster.
-    As a user with administrator privileges, log into a node in the relevant pool:
-    
-    $ oc debug node/$NODE_NAME
-    
-    At the sh-4.4# prompt, run:
-    
-    # chroot /host
-    
-
-    Subsequently,run the following command:
-    $ sudo mount | grep '\s/var\s'
-    . . . /var . . . nodev . . .
-
-      Is it the case that the "/var" file system does not have the "nodev" option set?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-mount_option_var_nosuid_question:question:1">
-          <ocil:question_text>Verify the nosuid option is configured for the /var mount point,
-    You'll need to log into a node in the cluster.
-    As a user with administrator privileges, log into a node in the relevant pool:
-    
-    $ oc debug node/$NODE_NAME
-    
-    At the sh-4.4# prompt, run:
-    
-    # chroot /host
-    
-
-    Subsequently,run the following command:
-    $ sudo mount | grep '\s/var\s'
-    . . . /var . . . nosuid . . .
-
-      Is it the case that the "/var" file system does not have the "nosuid" option set?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-mount_option_var_tmp_nodev_question:question:1">
-          <ocil:question_text>Verify the nodev option is configured for the /var/tmp mount point,
-    You'll need to log into a node in the cluster.
-    As a user with administrator privileges, log into a node in the relevant pool:
-    
-    $ oc debug node/$NODE_NAME
-    
-    At the sh-4.4# prompt, run:
-    
-    # chroot /host
-    
-
-    Subsequently,run the following command:
-    $ sudo mount | grep '\s/var/tmp\s'
-    . . . /var/tmp . . . nodev . . .
-
-      Is it the case that the "/var/tmp" file system does not have the "nodev" option set?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-mount_option_var_tmp_noexec_question:question:1">
-          <ocil:question_text>Verify the noexec option is configured for the /var/tmp mount point,
-    You'll need to log into a node in the cluster.
-    As a user with administrator privileges, log into a node in the relevant pool:
-    
-    $ oc debug node/$NODE_NAME
-    
-    At the sh-4.4# prompt, run:
-    
-    # chroot /host
-    
-
-    Subsequently,run the following command:
-    $ sudo mount | grep '\s/var/tmp\s'
-    . . . /var/tmp . . . noexec . . .
-
-      Is it the case that the "/var/tmp" file system does not have the "noexec" option set?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-mount_option_var_tmp_nosuid_question:question:1">
-          <ocil:question_text>Verify the nosuid option is configured for the /var/tmp mount point,
-    You'll need to log into a node in the cluster.
-    As a user with administrator privileges, log into a node in the relevant pool:
-    
-    $ oc debug node/$NODE_NAME
-    
-    At the sh-4.4# prompt, run:
-    
-    # chroot /host
-    
-
-    Subsequently,run the following command:
-    $ sudo mount | grep '\s/var/tmp\s'
-    . . . /var/tmp . . . nosuid . . .
-
-      Is it the case that the "/var/tmp" file system does not have the "nosuid" option set?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-coredump_disable_backtraces_question:question:1">
-          <ocil:question_text>Verify that logging core dump backtraces is disabled, run the
-following command:
-$ grep ProcessSizeMax /etc/systemd/coredump.conf
-      Is it the case that ProcessSizeMax is not set to zero?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-coredump_disable_storage_question:question:1">
-          <ocil:question_text>Verify that storing core dumps are disabled, run the following command:
-$ grep Storage /etc/systemd/coredump.conf
-      Is it the case that Storage is not set to none or is commented out and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement for all domains that have the "core" item assigned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-disable_users_coredumps_question:question:1">
-          <ocil:question_text>Verify that core dumps are disabled for all users, run the following command:
-$ grep core /etc/security/limits.conf
-*     hard   core    0
-      Is it the case that the "core" item is missing, commented out, or the value is anything other than "0" and the need for core dumps is not documented with the Information System Security Officer (ISSO) as an operational requirement for all domains that have the "core"?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-service_systemd-coredump_disabled_question:question:1">
-          <ocil:question_text>To verify that acquiring, saving, and processing core dumps is disabled, run the
-following command:
-$ systemctl status systemd-coredump.socket
-The output should be similar to:
-&#x25CF; systemd-coredump.socket
-   Loaded: masked (Reason: Unit systemd-coredump.socket is masked.)
-   Active: inactive (dead) ...
-
-      Is it the case that unit systemd-coredump.socket is not masked or running?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sysctl_fs_suid_dumpable_question:question:1">
-          <ocil:question_text>The runtime status of the fs.suid_dumpable kernel parameter can be queried
-by running the following command:
-$ sysctl fs.suid_dumpable
-0.
-
-      Is it the case that the correct value is not returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sysctl_kernel_kptr_restrict_question:question:1">
-          <ocil:question_text>The runtime status of the kernel.kptr_restrict kernel parameter can be queried
-by running the following command:
-$ sysctl kernel.kptr_restrict
-The output of the command should indicate either:
-kernel.kptr_restrict = 1
-or:
-kernel.kptr_restrict = 2
-The output of the command should not indicate:
-kernel.kptr_restrict = 0
-
-The preferable way how to assure the runtime compliance is to have
-correct persistent configuration, and rebooting the system.
-
-The persistent kernel parameter configuration is performed by specifying the appropriate
-assignment in any file located in the /etc/sysctl.d directory.
-Verify that there is not any existing incorrect configuration by executing the following command:
-$ grep -r '^\s*kernel.kptr_restrict\s*=' /etc/sysctl.conf /etc/sysctl.d
-The command should not find any assignments other than:
-kernel.kptr_restrict = 1
-or:
-kernel.kptr_restrict = 2
-
-Conflicting assignments are not allowed.
-      Is it the case that the kernel.kptr_restrict is not set to 1 or 2 or is configured to be 0?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sysctl_kernel_randomize_va_space_question:question:1">
-          <ocil:question_text>The runtime status of the kernel.randomize_va_space kernel parameter can be queried
-by running the following command:
-$ sysctl kernel.randomize_va_space
-2.
-
-      Is it the case that the correct value is not returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-coreos_page_poison_kernel_argument_question:question:1">
-          <ocil:question_text>Inspect the form of all the BLS (Boot Loader Specification) entries
-('options' line) in /boot/loader/entries/*.conf. If they include
-page_poison=1, then page poisoning is enabled at boot time.
-
-To ensure page_poison=1 is configured on the installed kernel, add
-the kernel argument via a MachineConfig object to the appropriate
-pools.
-      Is it the case that page allocator poisoning is not enabled?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-coreos_slub_debug_kernel_argument_question:question:1">
-          <ocil:question_text>Inspect the form of all the BLS (Boot Loader Specification) entries
-('options' line) in /boot/loader/entries/*.conf. If they include
-slub_debug=P, then SLUB/SLAB poisoning is enabled at boot time.
-
-To ensure slub_debug=P is configured on the installed kernel, add
-the kernel argument via a MachineConfig object to the appropriate
-pools.
-      Is it the case that SLUB/SLAB poisoning is not enabled?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-kernel_module_uvcvideo_disabled_question:question:1">
-          <ocil:question_text>If the device or Red Hat Enterprise Linux CoreOS 4 does not have a camera installed, this requirement is not applicable.
-
-This requirement is not applicable to mobile devices (smartphones and tablets), where the use of the camera is a local AO decision.
-
-This requirement is not applicable to dedicated VTC suites located in approved VTC locations that are centrally managed.
-
-For an external camera, if there is not a method for the operator to manually disconnect the camera at the end of collaborative computing sessions, this is a finding.
-
-For a built-in camera, the camera must be protected by a camera cover (e.g., laptop camera cover slide) when not in use. If the built-in camera is not protected with a camera cover, or is not physically disabled, this is a finding.
-
-If the camera is not disconnected, covered, or physically disabled, determine if it is being disabled via software with the following commands:
-
-Verify the operating system disables the ability to load the uvcvideo kernel module.
-
-$ sudo grep -r uvcvideo /etc/modprobe.d/* | grep "/bin/true"
-
-install uvcvideo /bin/true
-      Is it the case that the command does not return any output, or the line is commented out, and the collaborative computing device has not been authorized for use?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sysctl_kernel_core_pattern_question:question:1">
-          <ocil:question_text>The runtime status of the kernel.core_pattern kernel parameter can be queried
-by running the following command:
-$ sysctl kernel.core_pattern
-|/bin/false.
-
-      Is it the case that the returned line does not have a value of "|/bin/false", or a line is not
-returned and the need for core dumps is not documented with the Information
-System Security Officer (ISSO) as an operational requirement?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sysctl_kernel_core_pattern_empty_string_question:question:1">
-          <ocil:question_text>The runtime status of the kernel.core_pattern kernel parameter can be queried
-by running the following command:
-$ sysctl kernel.core_pattern
-''.
-
-      Is it the case that the returned line does not have a value of ''.?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sysctl_kernel_core_uses_pid_question:question:1">
-          <ocil:question_text>The runtime status of the kernel.core_uses_pid kernel parameter can be queried
-by running the following command:
-$ sysctl kernel.core_uses_pid
-0.
-      Is it the case that the returned line does not have a value of 0?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sysctl_kernel_dmesg_restrict_question:question:1">
-          <ocil:question_text>The runtime status of the kernel.dmesg_restrict kernel parameter can be queried
-by running the following command:
-$ sysctl kernel.dmesg_restrict
-1.
-
-      Is it the case that the correct value is not returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sysctl_kernel_kexec_load_disabled_question:question:1">
-          <ocil:question_text>The runtime status of the kernel.kexec_load_disabled kernel parameter can be queried
-by running the following command:
-$ sysctl kernel.kexec_load_disabled
-1.
-
-      Is it the case that the correct value is not returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sysctl_kernel_panic_on_oops_question:question:1">
-          <ocil:question_text>The runtime status of the kernel.panic_on_oops kernel parameter can be queried
-by running the following command:
-$ sysctl kernel.panic_on_oops
-1.
-
-      Is it the case that the correct value is not returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sysctl_kernel_perf_event_paranoid_question:question:1">
-          <ocil:question_text>The runtime status of the kernel.perf_event_paranoid kernel parameter can be queried
-by running the following command:
-$ sysctl kernel.perf_event_paranoid
-2.
-
-      Is it the case that the correct value is not returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sysctl_kernel_unprivileged_bpf_disabled_question:question:1">
-          <ocil:question_text>The runtime status of the kernel.unprivileged_bpf_disabled kernel parameter can be queried
-by running the following command:
-$ sysctl kernel.unprivileged_bpf_disabled
-1.
-
-      Is it the case that the correct value is not returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sysctl_kernel_yama_ptrace_scope_question:question:1">
-          <ocil:question_text>The runtime status of the kernel.yama.ptrace_scope kernel parameter can be queried
-by running the following command:
-$ sysctl kernel.yama.ptrace_scope
-1.
-
-      Is it the case that the correct value is not returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sysctl_net_core_bpf_jit_harden_question:question:1">
-          <ocil:question_text>The runtime status of the net.core.bpf_jit_harden kernel parameter can be queried
-by running the following command:
-$ sysctl net.core.bpf_jit_harden
-2.
-
-      Is it the case that the correct value is not returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sysctl_user_max_user_namespaces_question:question:1">
-          <ocil:question_text>Verify that Red Hat Enterprise Linux CoreOS 4 disables the use of user namespaces with the following commands:
-
-Note: User namespaces are used primarily for Linux containers. If containers are in use, this requirement is not applicable.
-
-The runtime status of the user.max_user_namespaces kernel parameter can be queried
-by running the following command:
-$ sysctl user.max_user_namespaces
-0.
-
-      Is it the case that the correct value is not returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-coreos_enable_selinux_kernel_argument_question:question:1">
-          <ocil:question_text>Inspect /proc/cmdline for any instances of selinux=0
-in the kernel boot arguments.  Presence of selinux=0 indicates
-that SELinux is disabled at boot time.
-
-If it would be disabled anywhere, make sure to enable it via a
-MachineConfig object.
-      Is it the case that SELinux is disabled at boot time?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-grub2_enable_selinux_question:question:1">
-          <ocil:question_text>Inspect /etc/default/grub for any instances of selinux=0
-in the kernel boot arguments.  Presence of selinux=0 indicates
-that SELinux is disabled at boot time.
-      Is it the case that SELinux is disabled at boot time?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-package_libselinux_installed_question:question:1">
-          <ocil:question_text>Run the following command to determine if the libselinux package is installed: $ rpm -q libselinux
-      Is it the case that the package is not installed?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-package_setroubleshoot-plugins_removed_question:question:1">
-          <ocil:question_text>Run the following command to determine if the setroubleshoot-plugins package is installed:
-$ rpm -q setroubleshoot-plugins
-      Is it the case that the package is installed?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-package_setroubleshoot-server_removed_question:question:1">
-          <ocil:question_text>Run the following command to determine if the setroubleshoot-server package is installed:
-$ rpm -q setroubleshoot-server
-      Is it the case that the package is installed?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-selinux_confinement_of_daemons_question:question:1">
-          <ocil:question_text>Ensure there are no unconfined daemons running on the system,
-the following command should produce no output:
-$ sudo ps -eZ | grep "unconfined_service_t"
-      Is it the case that There are unconfined daemons running on the system?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-selinux_policytype_question:question:1">
-          <ocil:question_text>Ensure that Red Hat Enterprise Linux CoreOS 4 verifies correct operation of security functions.
-
-Check the file /etc/selinux/config and ensure the following line appears:
-SELINUXTYPE=
-      Is it the case that SELINUXTYPE is set to the wrong value?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-selinux_state_question:question:1">
-          <ocil:question_text>Ensure that Red Hat Enterprise Linux CoreOS 4 verifies correct operation of security functions.
-
-Check if "SELinux" is active and in "" mode with the following command:
-
-$ sudo getenforce
-
-      Is it the case that SELINUX is not set to enforcing?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-encrypt_partitions_question:question:1">
-          <ocil:question_text>Check the system partitions to determine if they are encrypted with the following command:
-blkid
-
-Output will be similar to:
-/dev/sda1: UUID=" ab12c3de-4f56-789a-8f33-3850cc8ce3a2
-" TYPE="crypto_LUKS"
-/dev/sda2: UUID=" bc98d7ef-6g54-321h-1d24-9870de2ge1a2
-" TYPE="crypto_LUKS"
-
-The boot partition and pseudo-file systems, such as /proc, /sys, and tmpfs,
-are not required to use disk encryption and are not a finding.
-      Is it the case that partitions do not have a type of crypto_LUKS?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-partition_for_home_question:question:1">
-          <ocil:question_text>You'll need to log into a node in the cluster.
-As a user with administrator privileges, log into a node in the relevant pool:
-
-$ oc debug node/$NODE_NAME
-
-At the sh-4.4# prompt, run:
-
-# chroot /host
-
-
-Subsequently,Run the following command to determine if /home
-is on its own partition or logical volume:
-$ mount | grep "on /home"
-If /home has its own partition or volume group, a line will be returned.
-
-      Is it the case that no line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-partition_for_srv_question:question:1">
-          <ocil:question_text>You'll need to log into a node in the cluster.
-As a user with administrator privileges, log into a node in the relevant pool:
-
-$ oc debug node/$NODE_NAME
-
-At the sh-4.4# prompt, run:
-
-# chroot /host
-
-
-Subsequently,Run the following command to determine if /srv
-is on its own partition or logical volume:
-$ mount | grep "on /srv"
-If /srv has its own partition or volume group, a line will be returned.
-
-      Is it the case that no line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-partition_for_tmp_question:question:1">
-          <ocil:question_text>You'll need to log into a node in the cluster.
-As a user with administrator privileges, log into a node in the relevant pool:
-
-$ oc debug node/$NODE_NAME
-
-At the sh-4.4# prompt, run:
-
-# chroot /host
-
-
-Subsequently,Run the following command to determine if /tmp
-is on its own partition or logical volume:
-$ mount | grep "on /tmp"
-If /tmp has its own partition or volume group, a line will be returned.
-
-      Is it the case that no line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-partition_for_var_question:question:1">
-          <ocil:question_text>You'll need to log into a node in the cluster.
-As a user with administrator privileges, log into a node in the relevant pool:
-
-$ oc debug node/$NODE_NAME
-
-At the sh-4.4# prompt, run:
-
-# chroot /host
-
-
-Subsequently,Run the following command to determine if /var
-is on its own partition or logical volume:
-$ mount | grep "on /var"
-If /var has its own partition or volume group, a line will be returned.
-
-      Is it the case that no line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-partition_for_var_log_question:question:1">
-          <ocil:question_text>You'll need to log into a node in the cluster.
-As a user with administrator privileges, log into a node in the relevant pool:
-
-$ oc debug node/$NODE_NAME
-
-At the sh-4.4# prompt, run:
-
-# chroot /host
-
-
-Subsequently,Run the following command to determine if /var/log
-is on its own partition or logical volume:
-$ mount | grep "on /var/log"
-If /var/log has its own partition or volume group, a line will be returned.
-
-      Is it the case that no line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-partition_for_var_log_audit_question:question:1">
-          <ocil:question_text>You'll need to log into a node in the cluster.
-As a user with administrator privileges, log into a node in the relevant pool:
-
-$ oc debug node/$NODE_NAME
-
-At the sh-4.4# prompt, run:
-
-# chroot /host
-
-
-Subsequently,Run the following command to determine if /var/log/audit
-is on its own partition or logical volume:
-$ mount | grep "on /var/log/audit"
-If /var/log/audit has its own partition or volume group, a line will be returned.
-
-      Is it the case that no line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-partition_for_var_tmp_question:question:1">
-          <ocil:question_text>You'll need to log into a node in the cluster.
-As a user with administrator privileges, log into a node in the relevant pool:
-
-$ oc debug node/$NODE_NAME
-
-At the sh-4.4# prompt, run:
-
-# chroot /host
-
-
-Subsequently,Run the following command to determine if /var/tmp
-is on its own partition or logical volume:
-$ mount | grep "on /var/tmp"
-If /var/tmp has its own partition or volume group, a line will be returned.
-
-      Is it the case that no line is returned?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-gnome_gdm_disable_xdmcp_question:question:1">
-          <ocil:question_text>To ensure that XDMCP is disabled in /etc/gdm/custom.conf, run the following command:
-grep -Pzo "\[xdmcp\]\nEnable=false" /etc/gdm/custom.conf
-The output should return the following:
-
-[xdmcp]
-Enable=false
-
-      Is it the case that the Enable is not set to false or is missing in the xdmcp section of the /etc/gdm/custom.conf gdm configuration file?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-installed_OS_is_FIPS_certified_question:question:1">
-          <ocil:question_text>To verify that the installed operating system is supported or certified, run
-the following command:
-
-The output should contain something similar to:
-Red Hat Enterprise Linux CoreOS 4
-      Is it the case that the installed operating system is not FIPS 140-2 certified?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-configure_bind_crypto_policy_question:question:1">
-          <ocil:question_text>To verify that BIND uses the system crypto policy, check out that the BIND config file
-/etc/named.conf contains the include "/etc/crypto-policies/back-ends/bind.config";
-directive:
-$ sudo grep 'include "/etc/crypto-policies/back-ends/bind.config";' /etc/named.conf
-Verify that the directive is at the bottom of the options section of the config file.
-      Is it the case that BIND is installed and the BIND config file doesn't contain the
-&lt;pre&gt;include "/etc/crypto-policies/back-ends/bind.config";&lt;/pre&gt; directive?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-configure_crypto_policy_question:question:1">
-          <ocil:question_text>To verify that cryptography policy has been configured correctly, run the
-following command:
-$ update-crypto-policies --show
-The output should return .
-Run the command to check if the policy is correctly applied:
-$ update-crypto-policies --is-applied
-The output should be The configured policy is applied.
-Moreover, check if settings for selected crypto policy are as expected.
-List all libraries for which it holds that their crypto policies do not have symbolic link in /etc/crypto-policies/back-ends.
-$ ls -l /etc/crypto-policies/back-ends/ | grep '^[^l]' | tail -n +2 | awk -F' ' '{print $NF}' | awk -F'.' '{print $1}' | sort
-Subsequently, check if matching libraries have drop in files in the /etc/crypto-policies/local.d directory.
-$ ls /etc/crypto-policies/local.d/ | awk -F'-' '{print $1}' | uniq | sort
-Outputs of two previous commands should match.
-      Is it the case that cryptographic policy is not configured or is configured incorrectly?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-configure_kerberos_crypto_policy_question:question:1">
-          <ocil:question_text>Check that the symlink exists and target the correct Kerberos crypto policy, with the following command:
-file /etc/krb5.conf.d/crypto-policies
-If command ouput shows the following line, Kerberos is configured to use the system-wide crypto policy.
-/etc/krb5.conf.d/crypto-policies: symbolic link to /etc/crypto-policies/back-ends/krb5.config
-      Is it the case that the symlink does not exist or points to a different target?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-configure_libreswan_crypto_policy_question:question:1">
-          <ocil:question_text>To verify that Libreswan uses the system crypto policy, run the following command:
-$ grep include /etc/ipsec.conf
-The output should return something similar to:
-include /etc/crypto-policies/back-ends/libreswan.config
-      Is it the case that Libreswan is installed and &lt;tt&gt;/etc/ipsec.conf&lt;/tt&gt; does not contain &lt;tt&gt;include /etc/crypto-policies/back-ends/libreswan.config&lt;/tt&gt;?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-configure_openssl_crypto_policy_question:question:1">
-          <ocil:question_text>To verify that OpenSSL uses the system crypto policy, check out that the OpenSSL config file
-/etc/pki/tls/openssl.cnf contains the [ crypto_policy ] section with the
-.include /etc/crypto-policies/back-ends/opensslcnf.config directive:
-
-$ sudo grep '\.include\s* /etc/crypto-policies/back-ends/opensslcnf.config$' /etc/pki/tls/openssl.cnf.
-      Is it the case that the OpenSSL config file doesn't contain the whole section,
-or the section doesn't contain the &lt;pre&gt;.include /etc/crypto-policies/back-ends/opensslcnf.config&lt;/pre&gt; directive?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-configure_ssh_crypto_policy_question:question:1">
-          <ocil:question_text>Verify that sshd isn't configured to ignore the system wide cryptographic policy.
-
-Check that the CRYPTO_POLICY variable is not set or is commented out in the
-/etc/sysconfig/sshd.
-
-Run the following command:
-
-$ sudo grep CRYPTO_POLICY /etc/sysconfig/sshd
-      Is it the case that the CRYPTO_POLICY variable is set or is not commented out in the /etc/sysconfig/sshd?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-harden_openssl_crypto_policy_question:question:1">
-          <ocil:question_text>To verify if the OpenSSL uses defined Crypto Policy, run:
-$ grep 'Ciphersuites' /etc/crypto-policies/back-ends/opensslcnf.config | tail -n 1
-and verify that the line matches
-Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
-      Is it the case that Crypto Policy for OpenSSL is not configured according to CC requirements?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-harden_ssh_client_crypto_policy_question:question:1">
-          <ocil:question_text>To verify if the OpenSSH Client uses defined Crypto Policy, run:
-$ cat /etc/ssh/ssh_config.d/02-ospp.conf
-and verify that the line matches
-Match final all
-RekeyLimit 512M 1h
-GSSAPIAuthentication no
-Ciphers aes256-ctr,aes256-cbc,aes128-ctr,aes128-cbc
-PubkeyAcceptedKeyTypes ssh-rsa,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256
-MACs hmac-sha2-512,hmac-sha2-256
-KexAlgorithms ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha1
-      Is it the case that Crypto Policy for OpenSSH Client is not configured according to CC requirements?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-harden_sshd_crypto_policy_question:question:1">
-          <ocil:question_text>To verify if the OpenSSH server uses defined Crypto Policy, run:
-$ grep 'CRYPTO_POLICY' /etc/crypto-policies/back-ends/opensshserver.config | tail -n 1
-and verify that the line matches
-CRYPTO_POLICY='-oCiphers=aes256-ctr,aes128-ctr,aes256-cbc,aes128-cbc -oMACs=hmac-sha2-512,hmac-sha2-256 -oGSSAPIKeyExchange=no -oKexAlgorithms=ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=ssh-rsa,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256 -oPubkeyAcceptedKeyTypes=rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp384,ecdsa-sha2-nistp256'
-      Is it the case that Crypto Policy for OpenSSH Server is not configured according to CC requirements?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-package_MFEhiplsm_installed_question:question:1">
-          <ocil:question_text>To verify that McAfee HIPS is installed, run the following command(s):
-$ rpm -q MFEhiplsm
-      Is it the case that the HBSS HIPS module is not installed?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-configure_user_data_backups_question:question:1">
-          <ocil:question_text>Verify that the system backups user data.
-      Is it the case that it is not?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-enable_dracut_fips_module_question:question:1">
-          <ocil:question_text>To verify that the Dracut FIPS module is enabled, run the following command:
-grep "add_dracutmodules" /etc/dracut.conf.d/40-fips.conf
-The output should look like this:
-add_dracutmodules+=" fips "
-      Is it the case that the Dracut FIPS module is not enabled?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-enable_fips_mode_question:question:1">
-          <ocil:question_text>To verify that FIPS mode is enabled properly, run the following command:
-fips-mode-setup --check
-The output should contain the following:
-FIPS mode is enabled.
-To verify that the cryptographic policy has been configured correctly, run the
-following command:
-$ update-crypto-policies --show
-The output should return .
-      Is it the case that FIPS mode is not enabled?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-etc_system_fips_exists_question:question:1">
-          <ocil:question_text>To verify /etc/system-fips exists, run the following command:
-ls -l /etc/system-fips
-The output should be similar to the following:
--rw-r--r--. 1 root root 36 Nov 26 11:31 /etc/system-fips
-      Is it the case that /etc/system-fips does not exist?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-grub2_enable_fips_mode_question:question:1">
-          <ocil:question_text>To verify that FIPS is enabled properly in grub, run the following command:
-$ grep fips /etc/default/grub
-The output should contain fips=1
-      Is it the case that FIPS is not configured or enabled in grub?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-package_dracut-fips-aesni_installed_question:question:1">
-          <ocil:question_text>Run the following command to determine if the dracut-fips-aesni package is installed: $ rpm -q dracut-fips-aesni
-      Is it the case that the package is not installed?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-package_dracut-fips_installed_question:question:1">
-          <ocil:question_text>Run the following command to determine if the dracut-fips package is installed: $ rpm -q dracut-fips
-      Is it the case that the package is not installed?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sysctl_crypto_fips_enabled_question:question:1">
-          <ocil:question_text>To verify that kernel parameter 'crypto.fips_enabled' is set properly, run the following command:
-sysctl crypto.fips_enabled
-The output should contain the following:
-crypto.fips_enabled = 1
-      Is it the case that crypto.fips_enabled is not 1?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-aide_build_database_question:question:1">
-          <ocil:question_text>To find the location of the AIDE database file, run the following command:
-$ sudo ls -l DBDIR/database_file_name
-      Is it the case that there is no database file?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-package_aide_installed_question:question:1">
-          <ocil:question_text>Run the following command to determine if the aide package is installed: $ rpm -q aide
-      Is it the case that the package is not installed?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-rpm_verify_ownership_question:question:1">
-          <ocil:question_text>The following command will list which files on the system have ownership different from what
-is expected by the RPM database:
-$ rpm -Va | rpm -Va --nofiledigest | awk '{ if (substr($0,6,1)=="U" || substr($0,7,1)=="G") print $NF }'
-      Is it the case that there is output?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-rpm_verify_permissions_question:question:1">
-          <ocil:question_text>The following command will list which files on the system have permissions different from what
-is expected by the RPM database:
-$ rpm -Va | awk '{ if (substr($0,2,1)=="M") print $NF }'
-      Is it the case that there is output?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-package_sudo_installed_question:question:1">
-          <ocil:question_text>Run the following command to determine if the sudo package is installed: $ rpm -q sudo
-      Is it the case that the package is not installed?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sudo_add_noexec_question:question:1">
-          <ocil:question_text>To determine if NOEXEC has been configured for sudo, run the following command:
-$ sudo grep -ri "^[\s]*Defaults.*\bnoexec\b.*" /etc/sudoers /etc/sudoers.d/
-The command should return a matching output.
-      Is it the case that noexec is not enabled in sudo?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sudo_add_requiretty_question:question:1">
-          <ocil:question_text>To determine if requiretty has been configured for sudo, run the following command:
-$ sudo grep -ri "^[\s]*Defaults.*\brequiretty\b.*" /etc/sudoers /etc/sudoers.d/
-The command should return a matching output.
-      Is it the case that requiretty is not enabled in sudo?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sudo_add_use_pty_question:question:1">
-          <ocil:question_text>To determine if use_pty has been configured for sudo, run the following command:
-$ sudo grep -ri "^[\s]*Defaults.*\buse_pty\b.*" /etc/sudoers /etc/sudoers.d/
-The command should return a matching output.
-      Is it the case that use_pty is not enabled in sudo?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sudo_custom_logfile_question:question:1">
-          <ocil:question_text>To determine if logfile has been configured for sudo, run the following command:
-$ sudo grep -ri "^[\s]*Defaults\s*\blogfile\b.*" /etc/sudoers /etc/sudoers.d/
-The command should return a matching output.
-      Is it the case that logfile is not enabled in sudo?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sudo_remove_no_authenticate_question:question:1">
-          <ocil:question_text>To determine if !authenticate has not been configured for sudo, run the following command:
-$ sudo grep -r \!authenticate /etc/sudoers /etc/sudoers.d/
-The command should return no output.
-      Is it the case that !authenticate is specified in the sudo config files?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sudo_remove_nopasswd_question:question:1">
-          <ocil:question_text>To determine if NOPASSWD has been configured for sudo, run the following command:
-$ sudo grep -ri nopasswd /etc/sudoers /etc/sudoers.d/
-The command should return no output.
-      Is it the case that nopasswd is specified in the sudo config files?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sudo_require_authentication_question:question:1">
-          <ocil:question_text>To determine if NOPASSWD or !authenticate have been configured for
-sudo, run the following command:
-$ sudo grep -ri "nopasswd\|\!authenticate" /etc/sudoers /etc/sudoers.d/
-The command should return no output.
-      Is it the case that nopasswd and/or !authenticate is enabled in sudo?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sudo_vdsm_nopasswd_question:question:1">
-          <ocil:question_text>To determine if NOPASSWD has been configured for the vdsm user for sudo,
-run the following command:
-$ sudo grep -ri nopasswd /etc/sudoers.d/
-The command should return output only for the vdsm user.
-      Is it the case that nopasswd is set for any users beyond vdsm?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sudoers_explicit_command_args_question:question:1">
-          <ocil:question_text>To determine if arguments that commands can be executed with are restricted, run the following command:
-$ sudo grep -PR '^(?:\s*[^#=]+)=(?:\s*(?:\([^\)]+\))?\s*(?!\s*\()[^,\s]+(?:[ \t]+[^,\s]+)+[ \t]*,)*(\s*(?:\([^\)]+\))?\s*(?!\s*\()[^,\s]+[ \t]*(?:,|$))' /etc/sudoers /etc/sudoers.d/
-The command should return no output.
-      Is it the case that /etc/sudoers file contains user specifications that allow execution of commands with any arguments?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sudoers_no_command_negation_question:question:1">
-          <ocil:question_text>To determine if negation is used to define commands users are allowed to execute using sudo, run the following command:
-$ sudo grep -PR '^(?:\s*[^#=]+)=(?:\s*(?:\([^\)]+\))?\s*(?!\s*\()[^,!\n][^,\n]+,)*\s*(?:\([^\)]+\))?\s*(?!\s*\()(!\S+).*' /etc/sudoers /etc/sudoers.d/
-The command should return no output.
-      Is it the case that /etc/sudoers file contains rules that define the set of allowed commands using negation?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-sudoers_no_root_target_question:question:1">
-          <ocil:question_text>To determine if the users are allowed to run commands as root, run the following commands:
-$ sudo grep -PR '^\s*((?!root\b)[\w]+)\s*(\w+)\s*=\s*(.*,)?\s*[^\(\s]' /etc/sudoers /etc/sudoers.d/
-and
-$ sudo grep -PR '^\s*((?!root\b)[\w]+)\s*(\w+)\s*=\s*(.*,)?\s*\([\w\s]*\b(root|ALL)\b[\w\s]*\)' /etc/sudoers /etc/sudoers.d/
-Both commands should return no output.
-      Is it the case that /etc/sudoers file contains rules that allow non-root users to run commands as root?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-package_gnutls-utils_installed_question:question:1">
-          <ocil:question_text>Run the following command to determine if the gnutls-utils package is installed: $ rpm -q gnutls-utils
-      Is it the case that the package is not installed?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-package_nss-tools_installed_question:question:1">
-          <ocil:question_text>Run the following command to determine if the nss-tools package is installed: $ rpm -q nss-tools
-      Is it the case that the package is not installed?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-ensure_redhat_gpgkey_installed_question:question:1">
-          <ocil:question_text>To ensure that the GPG key is installed, run:
-$ rpm -q --queryformat "%{SUMMARY}\n" gpg-pubkey
-The command should return the string below:
-gpg(Red Hat, Inc. (release key 2)  &lt;security@redhat.com&gt;
-      Is it the case that the Red Hat GPG Key is not installed?
-      </ocil:question_text>
-        </ocil:boolean_question>
-        <ocil:boolean_question id="ocil:ssg-prefer_64bit_os_question:question:1">
-          <ocil:question_text>To check if the installed Operating System is 64-bit, run the following command:
-$ uname -m
-The output should be one of the following: x86_64, aarch64, ppc64le or s390x.
-If the output is i686 or i386 the operating system is 32-bit.
-Check if the installed CPU supports 64-bit operating systems by running the following command:
-$ lscpu | grep "CPU op-mode"
-If the output contains 64bit, the CPU supports 64-bit operating systems.
-      Is it the case that the installed operating sytem is 32-bit but the CPU supports operation in 64-bit?
-      </ocil:question_text>
-        </ocil:boolean_question>
-      </ocil:questions>
-    </ocil:ocil>
-  </ds:component>
-  <ds:component id="scap_org.open-scap_comp_ssg-rhcos4-cpe-oval.xml" timestamp="2022-08-11T18:55:33">
-    <oval-def:oval_definitions xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd         http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd         http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd         http://oval.mitre.org/XMLSchema/oval-definitions-5#unix unix-definitions-schema.xsd         http://oval.mitre.org/XMLSchema/oval-definitions-5#linux linux-definitions-schema.xsd">
-      <oval-def:generator>
-        <oval:product_name>combine_ovals.py from SCAP Security Guide</oval:product_name>
-        <oval:product_version>ssg: [0, 1, 64], python: 3.10.6</oval:product_version>
-        <oval:schema_version>5.11</oval:schema_version>
-        <oval:timestamp>2022-08-11T18:55:18</oval:timestamp>
-      </oval-def:generator>
-      <oval-def:definitions>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_alinux2:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Alibaba Cloud Linux 2</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:Alibaba Cloud Linux:2" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Alibaba Cloud Linux 2</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="Installed OS is part of the Unix family" definition_ref="oval:ssg-installed_OS_is_part_of_Unix_family:def:1"/>
-            <oval-def:criterion comment="Alibaba Cloud Linux 2 is installed" test_ref="oval:ssg-test_alinux2:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_alinux3:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Alibaba Cloud Linux 3</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:Alibaba Cloud Linux:3" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Alibaba Cloud Linux 3</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="Installed OS is part of the Unix family" definition_ref="oval:ssg-installed_OS_is_part_of_Unix_family:def:1"/>
-            <oval-def:criterion comment="Alibaba Cloud Linux 3 is installed" test_ref="oval:ssg-test_alinux3:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_centos7:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>CentOS 7</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:centos:centos:7" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is
-      CentOS 7</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="Installed OS is part of the Unix family" definition_ref="oval:ssg-installed_OS_is_part_of_Unix_family:def:1"/>
-            <oval-def:criterion comment="CentOS7 is installed" test_ref="oval:ssg-test_centos7:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_centos8:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>CentOS 8</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:centos:centos:8" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is
-      CentOS 8</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="Installed OS is part of the Unix family" definition_ref="oval:ssg-installed_OS_is_part_of_Unix_family:def:1"/>
-            <oval-def:criterion comment="OS is CentOS" test_ref="oval:ssg-test_centos8_name:tst:1"/>
-            <oval-def:criterion comment="OS version is 8" test_ref="oval:ssg-test_centos8_version:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_centos9:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>CentOS Stream 9</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:centos:centos:9" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is
-      CentOS Stream 9</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="Installed OS is part of the Unix family" definition_ref="oval:ssg-installed_OS_is_part_of_Unix_family:def:1"/>
-            <oval-def:criterion comment="OS is CentOS Stream" test_ref="oval:ssg-test_centos9_name:tst:1"/>
-            <oval-def:criterion comment="OS version is 9" test_ref="oval:ssg-test_centos9_version:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_debian:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Debian</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The operating system installed is a Debian System</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria comment="System is Debian" operator="AND">
-            <oval-def:extend_definition comment="Installed OS is part of the Unix family" definition_ref="oval:ssg-installed_OS_is_part_of_Unix_family:def:1"/>
-            <oval-def:criterion comment="Debian is installed" test_ref="oval:ssg-test_debian:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_debian10:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Debian Linux 10</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:debian:debian_linux:10" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Debian 10</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria comment="Debian Linux is version 10" operator="AND">
-            <oval-def:extend_definition comment="Debian is installed" definition_ref="oval:ssg-installed_OS_is_debian:def:1"/>
-            <oval-def:criterion comment="Debian10 is installed" test_ref="oval:ssg-test_debian_10:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_debian11:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Debian Linux 11</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:debian:debian_linux:11" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Debian 11</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria comment="Debian Linux is version 11" operator="AND">
-            <oval-def:extend_definition comment="Debian is installed" definition_ref="oval:ssg-installed_OS_is_debian:def:1"/>
-            <oval-def:criterion comment="Debian11 is installed" test_ref="oval:ssg-test_debian_11:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_debian9:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Debian 9</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:debian:debian_linux:9" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Debian 9</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria comment="current Debian version is Debian Stretch" operator="AND">
-            <oval-def:extend_definition comment="Debian is installed" definition_ref="oval:ssg-installed_OS_is_debian:def:1"/>
-            <oval-def:criterion comment="Debian9 is installed" test_ref="oval:ssg-test_debian_9:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_fedora:def:1" version="3">
-          <oval-def:metadata>
-            <oval-def:title>Installed operating system is Fedora</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:fedoraproject:fedora:33" source="CPE"/>
-            <oval-def:reference ref_id="cpe:/o:fedoraproject:fedora:34" source="CPE"/>
-            <oval-def:reference ref_id="cpe:/o:fedoraproject:fedora:35" source="CPE"/>
-            <oval-def:reference ref_id="cpe:/o:fedoraproject:fedora:36" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Fedora</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="Installed OS is part of the Unix family" definition_ref="oval:ssg-installed_OS_is_part_of_Unix_family:def:1"/>
-            <oval-def:criterion comment="fedora-release RPM packages are installed" test_ref="oval:ssg-test_fedora_release_rpm:tst:1"/>
-            <oval-def:criterion comment="CPE vendor is 'fedoraproject' and product is 'fedora'" test_ref="oval:ssg-test_fedora_vendor_product:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_ol7_family:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Oracle Linux 7</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:oracle:linux:7" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is
-      Oracle Linux 7</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:extend_definition comment="Installed OS is part of the Unix family" definition_ref="oval:ssg-installed_OS_is_part_of_Unix_family:def:1"/>
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="Oracle Linux 7 System is installed" test_ref="oval:ssg-test_ol7_system:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_ol8_family:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Oracle Linux 8</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:oracle:linux:8" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is
-      Oracle Linux 8</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:extend_definition comment="Installed OS is part of the Unix family" definition_ref="oval:ssg-installed_OS_is_part_of_Unix_family:def:1"/>
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="Oracle Linux 8 System is installed" test_ref="oval:ssg-test_ol8_system:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_ol9_family:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Oracle Linux 9</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:oracle:linux:9" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is
-      Oracle Linux 9</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:extend_definition comment="Installed OS is part of the Unix family" definition_ref="oval:ssg-installed_OS_is_part_of_Unix_family:def:1"/>
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="Oracle Linux 9 System is installed" test_ref="oval:ssg-test_ol9_system:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_opensuse:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>openSUSE</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The operating system installed on the system is openSUSE.</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="Installed OS is part of the Unix family" definition_ref="oval:ssg-installed_OS_is_part_of_Unix_family:def:1"/>
-            <oval-def:criterion comment="openSUSE is installed" test_ref="oval:ssg-test_opensuse_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_opensuse_leap15:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>openSUSE Leap 15</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:opensuse:leap:15.0" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is openSUSE Leap 15.</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="openSUSE is installed" definition_ref="oval:ssg-installed_OS_is_opensuse:def:1"/>
-            <oval-def:criterion comment="openSUSE Leap 15 is installed" test_ref="oval:ssg-test_opensuse_leap15_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_opensuse_leap42:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>openSUSE Leap 42</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:opensuse:leap:42.1" source="CPE"/>
-            <oval-def:reference ref_id="cpe:/o:opensuse:leap:42.2" source="CPE"/>
-            <oval-def:reference ref_id="cpe:/o:opensuse:leap:42.3" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is openSUSE Leap 42.</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="openSUSE is installed" definition_ref="oval:ssg-installed_OS_is_opensuse:def:1"/>
-            <oval-def:criterion comment="openSUSE Leap 42 is installed" test_ref="oval:ssg-test_opensuse_leap42_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_part_of_Unix_family:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Installed operating system is part of the Unix family</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The operating system installed on the system is part of the Unix OS family</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Installed operating system is part of the unix family" test_ref="oval:ssg-test_unix_family:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_rhcos4:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Red Hat Enterprise Linux CoreOS</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:redhat:enterprise_linux_coreos:4" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is
-      Red Hat Enterprise Linux CoreOS release 4</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criteria operator="AND">
-              <oval-def:criterion comment="RHCOS is installed" test_ref="oval:ssg-test_rhcos:tst:1"/>
-              <oval-def:criterion comment="RHCOS version 4 is installed" test_ref="oval:ssg-test_rhcos4:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_rhel7:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Red Hat Enterprise Linux 7</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:redhat:enterprise_linux:7" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is
-      Red Hat Enterprise Linux 7</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Installed operating system is part of the unix family" test_ref="oval:ssg-test_rhel7_unix_family:tst:1"/>
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="RHEL 7 Client is installed" test_ref="oval:ssg-test_rhel7_client:tst:1"/>
-              <oval-def:criterion comment="RHEL 7 Workstation is installed" test_ref="oval:ssg-test_rhel7_workstation:tst:1"/>
-              <oval-def:criterion comment="RHEL 7 Server is installed" test_ref="oval:ssg-test_rhel7_server:tst:1"/>
-              <oval-def:criterion comment="RHEL 7 Compute Node is installed" test_ref="oval:ssg-test_rhel7_computenode:tst:1"/>
-              <oval-def:criteria operator="AND" comment="Red Hat Enterprise Virtualization Host is installed">
-                <oval-def:criterion comment="Red Hat Virtualization Host (RHVH)" test_ref="oval:ssg-test_rhvh4_version:tst:1"/>
-                <oval-def:criterion comment="Red Hat Enterprise Virtualization Host is based on RHEL 7" test_ref="oval:ssg-test_rhevh_rhel7_version:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_rhel8:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Red Hat Enterprise Linux 8</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:redhat:enterprise_linux:8" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is
-      Red Hat Enterprise Linux 8</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Installed operating system is part of the unix family" test_ref="oval:ssg-test_rhel8_unix_family:tst:1"/>
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="RHEL 8 is installed" test_ref="oval:ssg-test_rhel8:tst:1"/>
-              <oval-def:criteria operator="AND" comment="Red Hat Enterprise Virtualization Host is installed">
-                <oval-def:criterion comment="Red Hat Virtualization Host (RHVH)" test_ref="oval:ssg-test_rhvh4_version:tst:1"/>
-                <oval-def:criterion comment="Red Hat Enterprise Virtualization Host is based on RHEL 8" test_ref="oval:ssg-test_rhevh_rhel8_version:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_rhel8_0:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Red Hat Enterprise Linux 8.0</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:redhat:enterprise_linux:8.0" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Red Hat Enterprise Linux 8.0</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="RHEL 8.0 is installed" test_ref="oval:ssg-test_rhel8_0:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_rhel8_1:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Red Hat Enterprise Linux 8.1</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:redhat:enterprise_linux:8.1" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Red Hat Enterprise Linux 8.1</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="RHEL 8.1 is installed" test_ref="oval:ssg-test_rhel8_1:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_rhel8_2:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Red Hat Enterprise Linux 8.2</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:redhat:enterprise_linux:8.2" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Red Hat Enterprise Linux 8.2</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="RHEL 8.2 is installed" test_ref="oval:ssg-test_rhel8_2:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_rhel8_3:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Red Hat Enterprise Linux 8.3</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:redhat:enterprise_linux:8.3" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Red Hat Enterprise Linux 8.3</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="RHEL 8.3 is installed" test_ref="oval:ssg-test_rhel8_3:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_rhel8_4:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Red Hat Enterprise Linux 8.4</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:redhat:enterprise_linux:8.4" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Red Hat Enterprise Linux 8.4</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="RHEL 8.4 is installed" test_ref="oval:ssg-test_rhel8_4:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_rhel8_5:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Red Hat Enterprise Linux 8.5</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:redhat:enterprise_linux:8.5" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Red Hat Enterprise Linux 8.5</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="RHEL 8.5 is installed" test_ref="oval:ssg-test_rhel8_5:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_rhel8_6:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Red Hat Enterprise Linux 8.6</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:redhat:enterprise_linux:8.6" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Red Hat Enterprise Linux 8.6</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="RHEL 8.6 is installed" test_ref="oval:ssg-test_rhel8_6:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_rhel8_7:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Red Hat Enterprise Linux 8.7</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:redhat:enterprise_linux:8.7" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Red Hat Enterprise Linux 8.7</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="RHEL 8.7 is installed" test_ref="oval:ssg-test_rhel8_7:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_rhel8_8:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Red Hat Enterprise Linux 8.8</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:redhat:enterprise_linux:8.8" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Red Hat Enterprise Linux 8.8</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="RHEL 8.8 is installed" test_ref="oval:ssg-test_rhel8_8:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_rhel8_9:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Red Hat Enterprise Linux 8.9</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:redhat:enterprise_linux:8.9" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Red Hat Enterprise Linux 8.9</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="RHEL 8.9 is installed" test_ref="oval:ssg-test_rhel8_9:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_rhel8_10:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Red Hat Enterprise Linux 8.10</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:redhat:enterprise_linux:8.10" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Red Hat Enterprise Linux 8.10</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="RHEL 8.10 is installed" test_ref="oval:ssg-test_rhel8_10:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_rhel9:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Red Hat Enterprise Linux 9</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:redhat:enterprise_linux:9" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is
-      Red Hat Enterprise Linux 9</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Installed operating system is part of the unix family" test_ref="oval:ssg-test_rhel9_unix_family:tst:1"/>
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="RHEL 9 is installed" test_ref="oval:ssg-test_rhel9:tst:1"/>
-              <oval-def:criteria operator="AND" comment="Red Hat Enterprise Virtualization Host is installed">
-                <oval-def:criterion comment="Red Hat Virtualization Host (RHVH)" test_ref="oval:ssg-test_rhvh4_version:tst:1"/>
-                <oval-def:criterion comment="Red Hat Enterprise Virtualization Host is based on RHEL 9" test_ref="oval:ssg-test_rhevh_rhel9_version:tst:1"/>
-              </oval-def:criteria>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_rhv4:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Red Hat Virtualization 4</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:redhat:virtualization:4" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is
-      Red Hat Virtualization Host 4.4+ or Red Hat Enterprise Host.</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:extend_definition comment="RHEL8 OS installed" definition_ref="oval:ssg-installed_OS_is_rhel8:def:1"/>
-            <oval-def:criterion comment="Red Hat Virtualization Host (RHVH)" test_ref="oval:ssg-test_rhvh4_version:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_sl7:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Scientific Linux 7</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:scientificlinux:scientificlinux:7" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is
-      Scientific Linux 7</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="Installed OS is part of the Unix family" definition_ref="oval:ssg-installed_OS_is_part_of_Unix_family:def:1"/>
-            <oval-def:criterion comment="Scientific Linux 7 is installed" test_ref="oval:ssg-test_sl7:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_sle12:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>SUSE Linux Enterprise 12</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:suse:linux_enterprise_server:12" source="CPE"/>
-            <oval-def:reference ref_id="cpe:/o:suse:linux_enterprise_desktop:12" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is
-      SUSE Linux Enterprise 12.</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Installed operating system is part of the unix family" test_ref="oval:ssg-test_sle12_unix_family:tst:1"/>
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="SLE 12 Desktop is installed" test_ref="oval:ssg-test_sle12_desktop:tst:1"/>
-              <oval-def:criterion comment="SLE 12 Server is installed" test_ref="oval:ssg-test_sle12_server:tst:1"/>
-              <oval-def:criterion comment="SLES 12 for SAP Applications is installed" test_ref="oval:ssg-test_sles_12_for_sap:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_sle15:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>SUSE Linux Enterprise 15</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:suse:linux_enterprise_server:15" source="CPE"/>
-            <oval-def:reference ref_id="cpe:/o:suse:linux_enterprise_desktop:15" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is
-      SUSE Linux Enterprise 15.</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Installed operating system is part of the unix family" test_ref="oval:ssg-test_sle15_unix_family:tst:1"/>
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="SLE 15 Desktop is installed" test_ref="oval:ssg-test_sle15_desktop:tst:1"/>
-              <oval-def:criterion comment="SLE 15 Server is installed" test_ref="oval:ssg-test_sle15_server:tst:1"/>
-              <oval-def:criterion comment="SLES 15 for SAP Applications is installed" test_ref="oval:ssg-test_sles_15_for_sap:tst:1"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_ubuntu:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ubuntu</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>The operating system installed is an Ubuntu System</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria comment="System is Ubuntu" operator="AND">
-            <oval-def:extend_definition comment="Installed OS is part of the Unix family" definition_ref="oval:ssg-installed_OS_is_part_of_Unix_family:def:1"/>
-            <oval-def:criterion comment="lsb-based distrib" test_ref="oval:ssg-test_lsb:tst:1"/>
-            <oval-def:criterion comment="Ubuntu is installed" test_ref="oval:ssg-test_ubuntu:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_ubuntu1604:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ubuntu 1604</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:canonical:ubuntu_linux:16.04" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Ubuntu 1604</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria comment="current Ubuntu version is Xenial" operator="AND">
-            <oval-def:extend_definition comment="Ubuntu is installed" definition_ref="oval:ssg-installed_OS_is_ubuntu:def:1"/>
-            <oval-def:criterion comment="Xenial is installed" test_ref="oval:ssg-test_ubuntu_xenial:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_ubuntu1804:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ubuntu 1804</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:canonical:ubuntu_linux:18.04" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Ubuntu 1804</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria comment="current Ubuntu version is Bionic" operator="AND">
-            <oval-def:extend_definition comment="Ubuntu is installed" definition_ref="oval:ssg-installed_OS_is_ubuntu:def:1"/>
-            <oval-def:criterion comment="Bionic is installed" test_ref="oval:ssg-test_ubuntu_bionic:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_ubuntu2004:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Ubuntu 2004</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:canonical:ubuntu_linux:20.04" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is Ubuntu 2004</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria comment="current Ubuntu version is Focal" operator="AND">
-            <oval-def:extend_definition comment="Ubuntu is installed" definition_ref="oval:ssg-installed_OS_is_ubuntu:def:1"/>
-            <oval-def:criterion comment="Focal is installed" test_ref="oval:ssg-test_ubuntu_focal:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_OS_is_uos20:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>UnionTech OS Server 20</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/o:UnionTech OS Server:20" source="CPE"/>
-            <oval-def:description>The operating system installed on the system is UnionTech OS Server 20</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:extend_definition comment="Installed OS is part of the Unix family" definition_ref="oval:ssg-installed_OS_is_part_of_Unix_family:def:1"/>
-            <oval-def:criterion comment="UnionTech OS Server 20 is installed" test_ref="oval:ssg-test_uos20:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_app_is_rhv4:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Red Hat Virtualization 4</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/a:redhat:virtualization:4" source="CPE"/>
-            <oval-def:description>The application installed installed on the system is
-      Red Hat Virtualization 4.</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:extend_definition comment="RHEL7 OS installed" definition_ref="oval:ssg-installed_OS_is_rhel7:def:1"/>
-            <oval-def:criterion comment="Red Hat Virtualization Manager (RHVM)" test_ref="oval:ssg-test_rhevm4_version:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_audit_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package audit is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package audit is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:audit" source="CPE"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package audit is installed" test_ref="oval:ssg-test_env_has_audit_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_chrony_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package chrony is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package chrony is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:chrony" source="CPE"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package chrony is installed" test_ref="oval:ssg-test_env_has_chrony_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_gdm_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package gdm is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package gdm is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:gdm" source="CPE"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package gdm is installed" test_ref="oval:ssg-test_env_has_gdm_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_grub2_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package grub2 is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package grub2-common is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:grub2" source="CPE"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="AND">
-            <oval-def:criterion comment="Package grub2-common is installed" test_ref="oval:ssg-test_env_has_grub2_installed:tst:1"/>
-            <oval-def:criteria operator="OR">
-              <oval-def:criterion comment="Test for ppcle64 architecture" test_ref="oval:ssg-test_system_info_architecture_ppcle_64:tst:1" negate="true"/>
-              <oval-def:criterion comment="Test if OPAL is not used" test_ref="oval:ssg-test_system_using_opal:tst:1" negate="true"/>
-            </oval-def:criteria>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_libuser_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package libuser is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package libuser is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:libuser" source="CPE"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package libuser is installed" test_ref="oval:ssg-test_env_has_libuser_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_login_defs:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package providing /etc/login.defs is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package providing /etc/login.defs and is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:login_defs" source="CPE"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package providing /etc/login.defs is installed" test_ref="oval:ssg-test_env_has_login_defs_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_net-snmp_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package net-snmp is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package net-snmp is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:net-snmp" source="CPE"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package net-snmp is installed" test_ref="oval:ssg-test_env_has_net-snmp_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_no_ovirt:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Check if the system doesn't act as an oVirt host or manager</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check if the system has neither ovirt-host nor ovirt-engine installed.</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:extend_definition comment="Package ovirt-host is not installed" definition_ref="oval:ssg-installed_env_has_ovirt:def:1" negate="true"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_nss-pam-ldapd_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package nss-pam-ldapd is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package nss-pam-ldapd is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:nss-pam-ldapd" source="CPE"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package nss-pam-ldapd is installed" test_ref="oval:ssg-test_env_has_nss-pam-ldapd_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_ntp_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package ntp is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package ntp is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:ntp" source="CPE"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package ntp is installed" test_ref="oval:ssg-test_env_has_ntp_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_ovirt:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Check if the system acts as an oVirt host or manager</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check if the system has ovirt-host or ovirt-engine installed</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:ovirt-host" source="CPE"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criterion comment="Package ovirt-host is installed" test_ref="oval:ssg-test_env_has_ovirt-host_installed:tst:1"/>
-            <oval-def:criterion comment="Package ovirt-engine is installed" test_ref="oval:ssg-test_env_has_ovirt-engine_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_pam_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package pam is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package pam is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:pam" source="CPE"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package pam is installed" test_ref="oval:ssg-test_env_has_pam_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_polkit_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package polkit is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package polkit is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:polkit" source="CPE"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package polkit is installed" test_ref="oval:ssg-test_env_has_polkit_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_postfix_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package postfix is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package postfix is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:postfix" source="CPE"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package postfix is installed" test_ref="oval:ssg-test_env_has_postfix_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_sssd-common_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package sssd-common is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package sssd-common is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:sssd" source="CPE"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package sssd-common is installed" test_ref="oval:ssg-test_env_has_sssd-common_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_sudo_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package sudo is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package sudo is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:sudo" source="CPE"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package sudo is installed" test_ref="oval:ssg-test_env_has_sudo_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_systemd_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package systemd is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package systemd is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:systemd" source="CPE"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package systemd is installed" test_ref="oval:ssg-test_env_has_systemd_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_tftp_server_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package tftp-server is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package tftp-server is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:tftp-server" source="CPE"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package tftp-server is installed" test_ref="oval:ssg-test_env_has_tftp_server_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_tmux_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package tmux is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package tmux is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:tmux" source="CPE"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package tmux is installed" test_ref="oval:ssg-test_env_has_tmux_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_usbguard_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package usbguard is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package usbguard is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:usbguard" source="CPE"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package usbguard is installed" test_ref="oval:ssg-test_env_has_usbguard_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_wifi_interface:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>WiFi interface is present</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if any wifi interface is present.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:wifi-iface" source="CPE"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="WiFi interface is present" test_ref="oval:ssg-test_proc_net_wireless_exists:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_yum_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Package yum is installed</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if package yum is installed.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:yum" source="CPE"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package yum is installed" test_ref="oval:ssg-test_env_has_yum_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_has_zipl_package:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>System uses zIPL</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Checks if system uses zIPL bootloader.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:zipl" source="CPE"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Package s390utils-base is installed" test_ref="oval:ssg-test_env_has_zipl_installed:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_is_a_container:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Check if the scan target is a container</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check for presence of files characterizing container filesystems.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:container" source="CPE"/>
-          </oval-def:metadata>
-          <oval-def:criteria operator="OR">
-            <oval-def:criterion comment="Check if /.dockerenv exists" test_ref="oval:ssg-test_installed_env_is_a_docker_container:tst:1"/>
-            <oval-def:criterion comment="Check if /run/.containerenv exists" test_ref="oval:ssg-test_installed_env_is_a_podman_container:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-installed_env_is_a_machine:def:1" version="2">
-          <oval-def:metadata>
-            <oval-def:title>Check if the scan target is a machine</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check for absence of files characterizing container filesystems.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:machine" source="CPE"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:extend_definition comment="If environment is not a container, it is machine" definition_ref="oval:ssg-installed_env_is_a_container:def:1" negate="true"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-krb5_server_older_than_1_17_18:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Kerberos server is older than 1.17-18</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/a:krb5_server_older_than_1_17-18" source="CPE"/>
-            <oval-def:description>Check if version of Kerberos server is lesser than 1.17-18
-            </oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria comment="Kerberos server version is lesser than 1.17-18" operator="OR">
-            <oval-def:criterion comment="Check if version of Kerberos server is lesser than 1.17-18" test_ref="oval:ssg-test_krb5_server_version_1_17_18:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-krb5_workstation_older_than_1_17_18:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Kerberos workstation is older than 1.17-18</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:reference ref_id="cpe:/a:krb5_workstation_older_than_1_17-18" source="CPE"/>
-            <oval-def:description>Check if version of Kerberos workstation is lesser than 1.17-18
-            </oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria comment="Kerberos workstation version is lesser than 1.17-18" operator="OR">
-            <oval-def:criterion comment="Check if version of Kerberos workstation is lesser than 1.17-18" test_ref="oval:ssg-test_krb5_workstation_version_1_17_18:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Test that the architecture is aarch64</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check that architecture of kernel in /proc/sys/kernel/osrelease is aarch64</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Architecture is aarch64" test_ref="oval:ssg-test_proc_sys_kernel_osrelease_arch_aarch64:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-proc_sys_kernel_osrelease_arch_not_aarch64:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Test for different architecture than aarch64</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check that architecture of kernel in /proc/sys/kernel/osrelease is not aarch64</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:extend_definition comment="Architecture is not aarch64" definition_ref="oval:ssg-proc_sys_kernel_osrelease_arch_aarch64:def:1" negate="true"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-proc_sys_kernel_osrelease_arch_not_s390x:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Test for different architecture than s390x</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check that architecture of kernel in /proc/sys/kernel/osrelease is not s390x</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:extend_definition comment="Architecture is not s390x" definition_ref="oval:ssg-proc_sys_kernel_osrelease_arch_s390x:def:1" negate="true"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-proc_sys_kernel_osrelease_arch_ppc64le:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Test that the architecture is ppc64le</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check that architecture of kernel in /proc/sys/kernel/osrelease is ppc64le</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Architecture is ppc64le" test_ref="oval:ssg-test_proc_sys_kernel_osrelease_arch_ppc64le:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-proc_sys_kernel_osrelease_arch_s390x:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Test that the architecture is s390x</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check that architecture of kernel in /proc/sys/kernel/osrelease is s390x</oval-def:description>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Architecture is s390x" test_ref="oval:ssg-test_proc_sys_kernel_osrelease_arch_s390x:tst:1"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-sssd_conf_uses_ldap:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>SSSD is configured to use LDAP</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Identification provider is not set to ad within /etc/sssd/sssd.conf</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:sssd-ldap" source="CPE"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion comment="Identification provider is not set to ad within /etc/sssd/sssd.conf" test_ref="oval:ssg-test_id_provider_is_set_to_ad:tst:1" negate="true"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-system_boot_mode_is_non_uefi:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>Non-UEFI system boot mode check</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check if System boot mode is non-UEFI.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:non-uefi" source="CPE"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:extend_definition definition_ref="oval:ssg-system_boot_mode_is_uefi:def:1" negate="true" comment="Pass if System boot mode is non-UEFI"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-        <oval-def:definition class="inventory" id="oval:ssg-system_boot_mode_is_uefi:def:1" version="1">
-          <oval-def:metadata>
-            <oval-def:title>UEFI system boot mode check</oval-def:title>
-            <oval-def:affected family="unix">
-              <oval-def:platform>Red Hat Enterprise Linux CoreOS 4</oval-def:platform>
-            </oval-def:affected>
-            <oval-def:description>Check if system boot mode is UEFI.</oval-def:description>
-            <oval-def:reference ref_id="cpe:/a:uefi" source="CPE"/>
-          </oval-def:metadata>
-          <oval-def:criteria>
-            <oval-def:criterion test_ref="oval:ssg-test_efi_dir_existence:tst:1" comment="check if /sys/firmware/efi folder exists"/>
-          </oval-def:criteria>
-        </oval-def:definition>
-      </oval-def:definitions>
-      <oval-def:tests>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="alinux-release is version 2" id="oval:ssg-test_alinux2:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_alinux2:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_alinux2:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="alinux-release is version 3" id="oval:ssg-test_alinux3:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_alinux3:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_alinux3:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="centos-release is version 7" id="oval:ssg-test_centos7:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_centos7:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_centos7:ste:1"/>
-        </linux:rpminfo_test>
-        <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check os-release ID" id="oval:ssg-test_centos8_name:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_name_centos8:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_name_centos8:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="Check os-release VERSION_ID" id="oval:ssg-test_centos8_version:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_version_centos8:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_version_centos8:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check os-release ID" id="oval:ssg-test_centos9_name:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_name_centos9:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_name_centos9:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="Check os-release VERSION_ID" id="oval:ssg-test_centos9_version:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_version_centos9:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_version_centos9:ste:1"/>
-        </ind:textfilecontent54_test>
-        <unix:file_test check="all" check_existence="all_exist" comment="/etc/debian_version exists" id="oval:ssg-test_debian:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-obj_debian:obj:1"/>
-        </unix:file_test>
-        <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check Debian version" id="oval:ssg-test_debian_10:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_debian_10:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check Debian version" id="oval:ssg-test_debian_11:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_debian_11:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check Debian version" id="oval:ssg-test_debian_9:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_debian_9:obj:1"/>
-        </ind:textfilecontent54_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="fedora-release RPM packages are installed" id="oval:ssg-test_fedora_release_rpm:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-object_fedora_release_rpm:obj:1"/>
-        </linux:rpminfo_test>
-        <ind:textfilecontent54_test check="all" comment="CPE vendor is 'fedoraproject' and 'product' is fedora" id="oval:ssg-test_fedora_vendor_product:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_fedora_vendor_product:obj:1"/>
-        </ind:textfilecontent54_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="oraclelinux-release is version 7" id="oval:ssg-test_ol7_system:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_ol7_system:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_ol7_system:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="oraclelinux-release is version 8" id="oval:ssg-test_ol8_system:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_ol8_system:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_ol8_system:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="oraclelinux-release is version 9" id="oval:ssg-test_ol9_system:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_ol9_system:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_ol9_system:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="openSUSE is installed" id="oval:ssg-test_opensuse_installed:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_opensuse_installed:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_opensuse_installed:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="openSUSE Leap 15 is installed" id="oval:ssg-test_opensuse_leap15_installed:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_opensuse_leap15_installed:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_opensuse_leap15_installed:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="openSUSE Leap 42 is installed" id="oval:ssg-test_opensuse_leap42_installed:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_opensuse_leap42_installed:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_opensuse_leap42_installed:ste:1"/>
-        </linux:rpminfo_test>
-        <ind:family_test id="oval:ssg-test_unix_family:tst:1" check="all" check_existence="at_least_one_exists" comment="Test installed OS is part of the unix family" version="1">
-          <ind:object object_ref="oval:ssg-object_unix_family:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_unix_family:ste:1"/>
-        </ind:family_test>
-        <ind:textfilecontent54_test check="all" comment="os-release is rhcos" id="oval:ssg-test_rhcos:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_rhcos:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_rhcos:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" comment="rhcoreos is version 4" id="oval:ssg-test_rhcos4:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_rhcos4:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_rhcos4:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:family_test check="all" check_existence="at_least_one_exists" comment="installed OS part of unix family" id="oval:ssg-test_rhel7_unix_family:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_rhel7_unix_family:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_rhel7_unix_family:ste:1"/>
-        </ind:family_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release-client is version 7" id="oval:ssg-test_rhel7_client:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhel7_client:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhel7_client:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release-workstation is version 7" id="oval:ssg-test_rhel7_workstation:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhel7_workstation:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhel7_workstation:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release-server is version 7" id="oval:ssg-test_rhel7_server:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhel7_server:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhel7_server:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release-computenode is version 7" id="oval:ssg-test_rhel7_computenode:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhel7_computenode:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhel7_computenode:ste:1"/>
-        </linux:rpminfo_test>
-        <ind:textfilecontent54_test check="all" comment="RHEVH base RHEL is version 7" id="oval:ssg-test_rhevh_rhel7_version:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_rhevh_rhel7_version:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_rhevh_rhel7_version:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:family_test check="all" check_existence="at_least_one_exists" comment="installed OS part of unix family" id="oval:ssg-test_rhel8_unix_family:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_rhel8_unix_family:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_rhel8_unix_family:ste:1"/>
-        </ind:family_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release is version 8" id="oval:ssg-test_rhel8:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhel8:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhel8:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release is version 8.0" id="oval:ssg-test_rhel8_0:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhel8_0:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhel8_0:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release is version 8.1" id="oval:ssg-test_rhel8_1:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhel8_1:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhel8_1:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release is version 8.2" id="oval:ssg-test_rhel8_2:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhel8_2:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhel8_2:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release is version 8.3" id="oval:ssg-test_rhel8_3:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhel8_3:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhel8_3:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release is version 8.4" id="oval:ssg-test_rhel8_4:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhel8_4:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhel8_4:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release is version 8.5" id="oval:ssg-test_rhel8_5:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhel8_5:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhel8_5:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release is version 8.6" id="oval:ssg-test_rhel8_6:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhel8_6:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhel8_6:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release is version 8.7" id="oval:ssg-test_rhel8_7:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhel8_7:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhel8_7:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release is version 8.8" id="oval:ssg-test_rhel8_8:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhel8_8:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhel8_8:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release is version 8.9" id="oval:ssg-test_rhel8_9:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhel8_9:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhel8_9:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release is version 8.10" id="oval:ssg-test_rhel8_10:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhel8_10:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhel8_10:ste:1"/>
-        </linux:rpminfo_test>
-        <ind:textfilecontent54_test check="all" comment="RHEVH base RHEL is version 8" id="oval:ssg-test_rhevh_rhel8_version:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_rhevh_rhel8_version:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_rhevh_rhel8_version:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:family_test check="all" check_existence="at_least_one_exists" comment="installed OS part of unix family" id="oval:ssg-test_rhel9_unix_family:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_rhel9_unix_family:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_rhel9_unix_family:ste:1"/>
-        </ind:family_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="redhat-release is version 9" id="oval:ssg-test_rhel9:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhel9:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhel9:ste:1"/>
-        </linux:rpminfo_test>
-        <ind:textfilecontent54_test check="all" comment="RHEVH base RHEL is version 9" id="oval:ssg-test_rhevh_rhel9_version:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_rhevh_rhel9_version:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_rhevh_rhel9_version:ste:1"/>
-        </ind:textfilecontent54_test>
-        <linux:rpminfo_test check="all" check_existence="only_one_exists" comment="redhat-release-virtualization-host RPM package is installed" id="oval:ssg-test_rhvh4_version:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhvh4_version:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhvh4_version:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="sl-release is version 7" id="oval:ssg-test_sl7:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_sl7:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_sl7:ste:1"/>
-        </linux:rpminfo_test>
-        <ind:family_test check="all" check_existence="at_least_one_exists" comment="installed OS part of unix family" id="oval:ssg-test_sle12_unix_family:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_sle12_unix_family:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sle12_unix_family:ste:1"/>
-        </ind:family_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="sled-release is version 6" id="oval:ssg-test_sle12_desktop:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_sle12_desktop:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_sle12_desktop:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="sles-release is version 6" id="oval:ssg-test_sle12_server:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_sle12_server:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_sle12_server:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="SLES_SAP-release is version 12" id="oval:ssg-test_sles_12_for_sap:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_sles_12_for_sap:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_sles_12_for_sap:ste:1"/>
-        </linux:rpminfo_test>
-        <ind:family_test check="all" check_existence="at_least_one_exists" comment="installed OS part of unix family" id="oval:ssg-test_sle15_unix_family:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_sle15_unix_family:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_sle15_unix_family:ste:1"/>
-        </ind:family_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="sled-release is version 15" id="oval:ssg-test_sle15_desktop:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_sle15_desktop:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_sle15_desktop:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="sles-release is version 15" id="oval:ssg-test_sle15_server:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_sle15_server:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_sle15_server:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="SLES_SAP-release is version 15" id="oval:ssg-test_sles_15_for_sap:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_sles_15_for_sap:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_sles_15_for_sap:ste:1"/>
-        </linux:rpminfo_test>
-        <unix:file_test check="all" check_existence="all_exist" comment="/etc/lsb-release exists" id="oval:ssg-test_lsb:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-obj_lsb:obj:1"/>
-        </unix:file_test>
-        <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check Ubuntu" id="oval:ssg-test_ubuntu:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_ubuntu:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check Ubuntu version" id="oval:ssg-test_ubuntu_xenial:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_ubuntu_xenial:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check Ubuntu version" id="oval:ssg-test_ubuntu_bionic:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_ubuntu_bionic:obj:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check Ubuntu version" id="oval:ssg-test_ubuntu_focal:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-obj_ubuntu_focal:obj:1"/>
-        </ind:textfilecontent54_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="uos-release is version 20" id="oval:ssg-test_uos20:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_uos20:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_uos20:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="rhevm4-appliance is installed" id="oval:ssg-test_rhevm4_version:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_rhevm4_version:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_rhevm4_version:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_env_has_audit_installed:tst:1" version="1" comment="system has package audit installed">
-          <linux:object object_ref="oval:ssg-obj_env_has_audit_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg-test_env_has_chrony_installed:tst:1" version="1" comment="package chrony is installed">
-          <linux:object object_ref="oval:ssg-obj_test_env_has_chrony_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_env_has_gdm_installed:tst:1" version="1" comment="system has package gdm installed">
-          <linux:object object_ref="oval:ssg-obj_env_has_gdm_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_env_has_grub2_installed:tst:1" version="1" comment="system has package grub2-common installed">
-          <linux:object object_ref="oval:ssg-obj_env_has_grub2_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <unix:file_test check="all" check_existence="all_exist" comment="Check if /sys/firmware/opal exists" id="oval:ssg-test_system_using_opal:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_system_using_opal:obj:1"/>
-        </unix:file_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_env_has_libuser_installed:tst:1" version="1" comment="system has package libuser installed">
-          <linux:object object_ref="oval:ssg-obj_env_has_libuser_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_env_has_login_defs_installed:tst:1" version="1" comment="system has package shadow-utils installed, which provides the /etc/login.defs file.">
-          <linux:object object_ref="oval:ssg-obj_env_has_login_defs_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_env_has_net-snmp_installed:tst:1" version="1" comment="system has package net-snmp installed">
-          <linux:object object_ref="oval:ssg-obj_env_has_net-snmp_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_env_has_nss-pam-ldapd_installed:tst:1" version="1" comment="system has package nss-pam-ldapd installed">
-          <linux:object object_ref="oval:ssg-obj_env_has_nss-pam-ldapd_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg-test_env_has_ntp_installed:tst:1" version="1" comment="package ntp is installed">
-          <linux:object object_ref="oval:ssg-obj_test_env_has_ntp_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_env_has_ovirt-host_installed:tst:1" version="1" comment="system has package ovirt-host installed">
-          <linux:object object_ref="oval:ssg-obj_env_has_ovirt-host_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_env_has_ovirt-engine_installed:tst:1" version="1" comment="system has package ovirt-engine installed">
-          <linux:object object_ref="oval:ssg-obj_env_has_ovirt-engine_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_env_has_pam_installed:tst:1" version="1" comment="system has package pam installed">
-          <linux:object object_ref="oval:ssg-obj_env_has_pam_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg-test_env_has_polkit_installed:tst:1" version="1" comment="package polkit is installed">
-          <linux:object object_ref="oval:ssg-obj_test_env_has_polkit_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="all_exist" id="oval:ssg-test_env_has_postfix_installed:tst:1" version="1" comment="package postfix is installed">
-          <linux:object object_ref="oval:ssg-obj_test_env_has_postfix_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_env_has_sssd-common_installed:tst:1" version="1" comment="system has package sssd-common installed">
-          <linux:object object_ref="oval:ssg-obj_env_has_sssd-common_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_env_has_sudo_installed:tst:1" version="1" comment="system has package sudo installed">
-          <linux:object object_ref="oval:ssg-obj_env_has_sudo_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_env_has_systemd_installed:tst:1" version="1" comment="system has package systemd installed">
-          <linux:object object_ref="oval:ssg-obj_env_has_systemd_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_env_has_tftp_server_installed:tst:1" version="1" comment="system has package tftp-server installed">
-          <linux:object object_ref="oval:ssg-obj_env_has_tftp_server_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_env_has_tmux_installed:tst:1" version="1" comment="system has package tmux installed">
-          <linux:object object_ref="oval:ssg-obj_env_has_tmux_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_env_has_usbguard_installed:tst:1" version="1" comment="system has package usbguard installed">
-          <linux:object object_ref="oval:ssg-obj_env_has_usbguard_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <unix:file_test check="all" check_existence="all_exist" comment="Test if /proc/net/wireless exists" id="oval:ssg-test_proc_net_wireless_exists:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_proc_net_wireless_exists:obj:1"/>
-        </unix:file_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_env_has_yum_installed:tst:1" version="1" comment="system has package yum installed">
-          <linux:object object_ref="oval:ssg-obj_env_has_yum_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" id="oval:ssg-test_env_has_zipl_installed:tst:1" version="1" comment="system has package zipl installed">
-          <linux:object object_ref="oval:ssg-obj_env_has_zipl_installed:obj:1"/>
-        </linux:rpminfo_test>
-        <unix:file_test check="all" check_existence="all_exist" comment="Check if /.dockerenv exists" id="oval:ssg-test_installed_env_is_a_docker_container:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_installed_env_is_a_docker_container:obj:1"/>
-        </unix:file_test>
-        <unix:file_test check="all" check_existence="all_exist" comment="Check if /run/.containerenv exists" id="oval:ssg-test_installed_env_is_a_podman_container:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_installed_env_is_a_podman_container:obj:1"/>
-        </unix:file_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="Kerberos server version is lesser than 1.17-18" id="oval:ssg-test_krb5_server_version_1_17_18:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_krb5_server_version_1_17_18:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_krb5_server_version_1_17_18:ste:1"/>
-        </linux:rpminfo_test>
-        <linux:rpminfo_test check="all" check_existence="at_least_one_exists" comment="Kerberos workstaton version is lesser than 1.17-18" id="oval:ssg-test_krb5_workstation_version_1_17_18:tst:1" version="1">
-          <linux:object object_ref="oval:ssg-obj_krb5_workstation_version_1_17_18:obj:1"/>
-          <linux:state state_ref="oval:ssg-state_krb5_workstation_version_1_17_18:ste:1"/>
-        </linux:rpminfo_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="proc_sys_kernel is for aarch64 architecture" id="oval:ssg-test_proc_sys_kernel_osrelease_arch_aarch64:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_proc_sys_kernel_osrelease_arch_aarch64:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_proc_sys_kernel_osrelease_arch_aarch64:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="proc_sys_kernel is for ppc64le architecture" id="oval:ssg-test_proc_sys_kernel_osrelease_arch_ppc64le:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_proc_sys_kernel_osrelease_arch_ppc64le:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_proc_sys_kernel_osrelease_arch_ppc64le:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="proc_sys_kernel is for s390x architecture" id="oval:ssg-test_proc_sys_kernel_osrelease_arch_s390x:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_proc_sys_kernel_osrelease_arch_s390x:obj:1"/>
-          <ind:state state_ref="oval:ssg-state_proc_sys_kernel_osrelease_arch_s390x:ste:1"/>
-        </ind:textfilecontent54_test>
-        <ind:textfilecontent54_test check="all" check_existence="all_exist" comment="SSSD Configuration is set to use Active Directory" id="oval:ssg-test_id_provider_is_set_to_ad:tst:1" version="1">
-          <ind:object object_ref="oval:ssg-object_id_provider_is_set_to_ad:obj:1"/>
-        </ind:textfilecontent54_test>
-        <unix:file_test check="all" check_existence="at_least_one_exists" comment="Verify if /sys/firmware/efi folder exists" id="oval:ssg-test_efi_dir_existence:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_file_sys_firmware_efi:obj:1"/>
-        </unix:file_test>
-        <unix:uname_test check="all" comment="64 bit architecture" id="oval:ssg-test_system_info_architecture_ppcle_64:tst:1" version="1">
-          <unix:object object_ref="oval:ssg-object_system_info_architecture_ppcle_64:obj:1"/>
-          <unix:state state_ref="oval:ssg-state_system_info_architecture_ppcle_64:ste:1"/>
-        </unix:uname_test>
-      </oval-def:tests>
-      <oval-def:objects>
-        <linux:rpminfo_object id="oval:ssg-obj_alinux2:obj:1" version="1">
-          <linux:name>alinux-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_alinux3:obj:1" version="1">
-          <linux:name>alinux-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_centos7:obj:1" version="1">
-          <linux:name>centos-release</linux:name>
-        </linux:rpminfo_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_name_centos8:obj:1" version="1" comment="Check os-release ID">
-          <ind:filepath>/etc/os-release</ind:filepath>
-          <ind:pattern operation="pattern match">^ID="(\w+)"$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_version_centos8:obj:1" version="1" comment="Check os-release VERSION_ID">
-          <ind:filepath>/etc/os-release</ind:filepath>
-          <ind:pattern operation="pattern match">^VERSION_ID="(\d)"$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_name_centos9:obj:1" version="1" comment="Check os-release ID">
-          <ind:filepath>/etc/os-release</ind:filepath>
-          <ind:pattern operation="pattern match">^ID="(\w+)"$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_version_centos9:obj:1" version="1" comment="Check os-release VERSION_ID">
-          <ind:filepath>/etc/os-release</ind:filepath>
-          <ind:pattern operation="pattern match">^VERSION_ID="(\d)"$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:file_object comment="check /etc/debian_version file" id="oval:ssg-obj_debian:obj:1" version="1">
-          <unix:filepath>/etc/debian_version</unix:filepath>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_debian_10:obj:1" version="1" comment="Check Debian version">
-          <ind:filepath>/etc/debian_version</ind:filepath>
-          <ind:pattern operation="pattern match">^10.[0-9]+$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_debian_11:obj:1" version="1" comment="Check Debian version">
-          <ind:filepath>/etc/debian_version</ind:filepath>
-          <ind:pattern operation="pattern match">^11.[0-9]+$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_debian_9:obj:1" version="1" comment="Check Debian version">
-          <ind:filepath>/etc/debian_version</ind:filepath>
-          <ind:pattern operation="pattern match">^9.[0-9]+$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <linux:rpminfo_object id="oval:ssg-object_fedora_release_rpm:obj:1" version="1">
-          <linux:name operation="pattern match">fedora-release.*</linux:name>
-        </linux:rpminfo_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_fedora_vendor_product:obj:1" version="1">
-          <ind:filepath>/etc/system-release-cpe</ind:filepath>
-          <ind:pattern operation="pattern match">^cpe:\/o:fedoraproject:fedora:[\d]+$</ind:pattern>
-          <ind:instance datatype="int" operation="equals">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <linux:rpminfo_object id="oval:ssg-obj_ol7_system:obj:1" version="1">
-          <linux:name>oraclelinux-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_ol8_system:obj:1" version="1">
-          <linux:name>oraclelinux-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_ol9_system:obj:1" version="1">
-          <linux:name>oraclelinux-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_opensuse_installed:obj:1" version="1">
-          <linux:name>openSUSE-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_opensuse_leap15_installed:obj:1" version="1">
-          <linux:name>openSUSE-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_opensuse_leap42_installed:obj:1" version="1">
-          <linux:name>openSUSE-release</linux:name>
-        </linux:rpminfo_object>
-        <ind:family_object id="oval:ssg-object_unix_family:obj:1" version="1"/>
-        <ind:textfilecontent54_object id="oval:ssg-obj_rhcos:obj:1" version="1">
-          <ind:filepath>/etc/os-release</ind:filepath>
-          <ind:pattern operation="pattern match">^ID="(\w+)"$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_rhcos4:obj:1" version="1">
-          <ind:filepath>/etc/os-release</ind:filepath>
-          <ind:pattern operation="pattern match">^VERSION_ID="(\d)\.\d+"$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:family_object id="oval:ssg-obj_rhel7_unix_family:obj:1" version="1"/>
-        <linux:rpminfo_object id="oval:ssg-obj_rhel7_client:obj:1" version="1">
-          <linux:name>redhat-release-client</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_rhel7_workstation:obj:1" version="1">
-          <linux:name>redhat-release-workstation</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_rhel7_server:obj:1" version="1">
-          <linux:name>redhat-release-server</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_rhel7_computenode:obj:1" version="1">
-          <linux:name>redhat-release-computenode</linux:name>
-        </linux:rpminfo_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_rhevh_rhel7_version:obj:1" version="1">
-          <ind:filepath>/etc/redhat-release</ind:filepath>
-          <ind:pattern operation="pattern match">^Red Hat Enterprise Linux release (\d)\.\d+$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:family_object id="oval:ssg-obj_rhel8_unix_family:obj:1" version="1"/>
-        <linux:rpminfo_object id="oval:ssg-obj_rhel8:obj:1" version="1">
-          <linux:name>redhat-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_rhel8_0:obj:1" version="1">
-          <linux:name>redhat-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_rhel8_1:obj:1" version="1">
-          <linux:name>redhat-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_rhel8_2:obj:1" version="1">
-          <linux:name>redhat-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_rhel8_3:obj:1" version="1">
-          <linux:name>redhat-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_rhel8_4:obj:1" version="1">
-          <linux:name>redhat-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_rhel8_5:obj:1" version="1">
-          <linux:name>redhat-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_rhel8_6:obj:1" version="1">
-          <linux:name>redhat-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_rhel8_7:obj:1" version="1">
-          <linux:name>redhat-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_rhel8_8:obj:1" version="1">
-          <linux:name>redhat-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_rhel8_9:obj:1" version="1">
-          <linux:name>redhat-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_rhel8_10:obj:1" version="1">
-          <linux:name>redhat-release</linux:name>
-        </linux:rpminfo_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_rhevh_rhel8_version:obj:1" version="1">
-          <ind:filepath>/etc/redhat-release</ind:filepath>
-          <ind:pattern operation="pattern match">^Red Hat Enterprise Linux release (\d)\.\d+$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:family_object id="oval:ssg-obj_rhel9_unix_family:obj:1" version="1"/>
-        <linux:rpminfo_object id="oval:ssg-obj_rhel9:obj:1" version="1">
-          <linux:name>redhat-release</linux:name>
-        </linux:rpminfo_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_rhevh_rhel9_version:obj:1" version="1">
-          <ind:filepath>/etc/redhat-release</ind:filepath>
-          <ind:pattern operation="pattern match">^Red Hat Enterprise Linux release (\d)\.\d+$</ind:pattern>
-          <ind:instance operation="greater than or equal" datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <linux:rpminfo_object id="oval:ssg-obj_rhvh4_version:obj:1" version="1">
-          <linux:name>redhat-release-virtualization-host</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_sl7:obj:1" version="1">
-          <linux:name>sl-release</linux:name>
-        </linux:rpminfo_object>
-        <ind:family_object id="oval:ssg-obj_sle12_unix_family:obj:1" version="1"/>
-        <linux:rpminfo_object id="oval:ssg-obj_sle12_desktop:obj:1" version="1">
-          <linux:name>sled-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_sle12_server:obj:1" version="1">
-          <linux:name>sles-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_sles_12_for_sap:obj:1" version="1">
-          <linux:name>SLES_SAP-release</linux:name>
-        </linux:rpminfo_object>
-        <ind:family_object id="oval:ssg-obj_sle15_unix_family:obj:1" version="1"/>
-        <linux:rpminfo_object id="oval:ssg-obj_sle15_desktop:obj:1" version="1">
-          <linux:name>sled-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_sle15_server:obj:1" version="1">
-          <linux:name>sles-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_sles_15_for_sap:obj:1" version="1">
-          <linux:name>SLES_SAP-release</linux:name>
-        </linux:rpminfo_object>
-        <unix:file_object comment="check /etc/lsb-release file" id="oval:ssg-obj_lsb:obj:1" version="1">
-          <unix:filepath>/etc/lsb-release</unix:filepath>
-        </unix:file_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_ubuntu:obj:1" version="1" comment="Check Ubuntu">
-          <ind:filepath>/etc/lsb-release</ind:filepath>
-          <ind:pattern operation="pattern match">^DISTRIB_ID=Ubuntu$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_ubuntu_xenial:obj:1" version="1" comment="Check Ubuntu version">
-          <ind:filepath>/etc/lsb-release</ind:filepath>
-          <ind:pattern operation="pattern match">^DISTRIB_CODENAME=xenial$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_ubuntu_bionic:obj:1" version="1" comment="Check Ubuntu version">
-          <ind:filepath>/etc/lsb-release</ind:filepath>
-          <ind:pattern operation="pattern match">^DISTRIB_CODENAME=bionic$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-obj_ubuntu_focal:obj:1" version="1" comment="Check Ubuntu version">
-          <ind:filepath>/etc/lsb-release</ind:filepath>
-          <ind:pattern operation="pattern match">^DISTRIB_CODENAME=focal$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <linux:rpminfo_object id="oval:ssg-obj_uos20:obj:1" version="1">
-          <linux:name>uos-release</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_rhevm4_version:obj:1" version="1">
-          <linux:name>rhvm-appliance</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_env_has_audit_installed:obj:1" version="1">
-          <linux:name>audit</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_env_has_chrony_installed:obj:1" version="1">
-          <linux:name>chrony</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_env_has_gdm_installed:obj:1" version="1">
-          <linux:name>gdm</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_env_has_grub2_installed:obj:1" version="1">
-          <linux:name>grub2-common</linux:name>
-        </linux:rpminfo_object>
-        <unix:file_object id="oval:ssg-object_system_using_opal:obj:1" version="1">
-          <unix:filepath>/sys/firmware/opal</unix:filepath>
-        </unix:file_object>
-        <linux:rpminfo_object id="oval:ssg-obj_env_has_libuser_installed:obj:1" version="1">
-          <linux:name>libuser</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_env_has_login_defs_installed:obj:1" version="1">
-          <linux:name>shadow-utils</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_env_has_net-snmp_installed:obj:1" version="1">
-          <linux:name>net-snmp</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_env_has_nss-pam-ldapd_installed:obj:1" version="1">
-          <linux:name>nss-pam-ldapd</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_env_has_ntp_installed:obj:1" version="1">
-          <linux:name>ntp</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_env_has_ovirt-host_installed:obj:1" version="1">
-          <linux:name>ovirt-host</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_env_has_ovirt-engine_installed:obj:1" version="1">
-          <linux:name>ovirt-engine</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_env_has_pam_installed:obj:1" version="1">
-          <linux:name>pam</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_env_has_polkit_installed:obj:1" version="1">
-          <linux:name>polkit</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_test_env_has_postfix_installed:obj:1" version="1">
-          <linux:name>postfix</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_env_has_sssd-common_installed:obj:1" version="1">
-          <linux:name>sssd-common</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_env_has_sudo_installed:obj:1" version="1">
-          <linux:name>sudo</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_env_has_systemd_installed:obj:1" version="1">
-          <linux:name>systemd</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_env_has_tftp_server_installed:obj:1" version="1">
-          <linux:name>tftp-server</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_env_has_tmux_installed:obj:1" version="1">
-          <linux:name>tmux</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_env_has_usbguard_installed:obj:1" version="1">
-          <linux:name>usbguard</linux:name>
-        </linux:rpminfo_object>
-        <unix:file_object comment="/proc/net/wireless file" id="oval:ssg-object_proc_net_wireless_exists:obj:1" version="1">
-          <unix:filepath>/proc/net/wireless</unix:filepath>
-        </unix:file_object>
-        <linux:rpminfo_object id="oval:ssg-obj_env_has_yum_installed:obj:1" version="1">
-          <linux:name>yum</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_env_has_zipl_installed:obj:1" version="1">
-          <linux:name>s390utils-base</linux:name>
-        </linux:rpminfo_object>
-        <unix:file_object comment="Check file /.dockerenv" id="oval:ssg-object_installed_env_is_a_docker_container:obj:1" version="1">
-          <unix:filepath datatype="string">/.dockerenv</unix:filepath>
-        </unix:file_object>
-        <unix:file_object comment="Check file /run/.containerenv" id="oval:ssg-object_installed_env_is_a_podman_container:obj:1" version="1">
-          <unix:filepath datatype="string">/run/.containerenv</unix:filepath>
-        </unix:file_object>
-        <linux:rpminfo_object id="oval:ssg-obj_krb5_server_version_1_17_18:obj:1" version="1">
-          <linux:name>krb5-server</linux:name>
-        </linux:rpminfo_object>
-        <linux:rpminfo_object id="oval:ssg-obj_krb5_workstation_version_1_17_18:obj:1" version="1">
-          <linux:name>krb5-workstation</linux:name>
-        </linux:rpminfo_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_proc_sys_kernel_osrelease_arch_aarch64:obj:1" version="1">
-          <ind:filepath>/proc/sys/kernel/osrelease</ind:filepath>
-          <ind:pattern operation="pattern match">^.*\.(.*)$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_proc_sys_kernel_osrelease_arch_ppc64le:obj:1" version="1">
-          <ind:filepath>/proc/sys/kernel/osrelease</ind:filepath>
-          <ind:pattern operation="pattern match">^.*\.(.*)$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_proc_sys_kernel_osrelease_arch_s390x:obj:1" version="1">
-          <ind:filepath>/proc/sys/kernel/osrelease</ind:filepath>
-          <ind:pattern operation="pattern match">^.*\.(.*)$</ind:pattern>
-          <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <ind:textfilecontent54_object id="oval:ssg-object_id_provider_is_set_to_ad:obj:1" version="1">
-          <ind:filepath>/etc/sssd/sssd.conf</ind:filepath>
-          <ind:pattern operation="pattern match">^[\s]*\[domain\/[^]]*]([^\n\[\]]*\n+)+?[\s]*id_provider[ \t]*=[ \t]*((?i)ad)[ \t]*$</ind:pattern>
-          <ind:instance datatype="int">1</ind:instance>
-        </ind:textfilecontent54_object>
-        <unix:file_object comment="/sys/firmware/efi" id="oval:ssg-object_file_sys_firmware_efi:obj:1" version="1">
-          <unix:path>/sys/firmware/efi</unix:path>
-          <unix:filename xsi:nil="true"/>
-        </unix:file_object>
-        <unix:uname_object comment="64 bit architecture" id="oval:ssg-object_system_info_architecture_ppcle_64:obj:1" version="1"/>
-      </oval-def:objects>
-      <oval-def:states>
-        <linux:rpminfo_state id="oval:ssg-state_alinux2:ste:1" version="1">
-          <linux:version operation="pattern match">^2.*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_alinux3:ste:1" version="1">
-          <linux:version operation="pattern match">^3.*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_centos7:ste:1" version="1">
-          <linux:version operation="pattern match">^7.*$</linux:version>
-        </linux:rpminfo_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_name_centos8:ste:1" version="1">
-          <ind:subexpression>centos</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_version_centos8:ste:1" version="1">
-          <ind:subexpression>8</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_name_centos9:ste:1" version="1">
-          <ind:subexpression>centos</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_version_centos9:ste:1" version="1">
-          <ind:subexpression>9</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <linux:rpminfo_state id="oval:ssg-state_ol7_system:ste:1" version="1">
-          <linux:version operation="pattern match">^7.*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_ol8_system:ste:1" version="1">
-          <linux:version operation="pattern match">^8.*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_ol9_system:ste:1" version="1">
-          <linux:version operation="pattern match">^9.*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_opensuse_installed:ste:1" version="1">
-          <linux:name operation="pattern match">openSUSE-release</linux:name>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_opensuse_leap15_installed:ste:1" version="1">
-          <linux:version operation="pattern match">^15.*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_opensuse_leap42_installed:ste:1" version="1">
-          <linux:version operation="pattern match">^42.*$</linux:version>
-        </linux:rpminfo_state>
-        <ind:family_state id="oval:ssg-state_unix_family:ste:1" version="1">
-          <ind:family>unix</ind:family>
-        </ind:family_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_rhcos:ste:1" version="1">
-          <ind:subexpression operation="pattern match">rhcos</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_rhcos4:ste:1" version="1">
-          <ind:subexpression operation="pattern match">4</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:family_state id="oval:ssg-state_rhel7_unix_family:ste:1" version="1">
-          <ind:family>unix</ind:family>
-        </ind:family_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhel7_client:ste:1" version="1">
-          <linux:version operation="pattern match">^7.*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhel7_workstation:ste:1" version="1">
-          <linux:version operation="pattern match">^7.*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhel7_server:ste:1" version="1">
-          <linux:version operation="pattern match">^7.*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhel7_computenode:ste:1" version="1">
-          <linux:version operation="pattern match">^7.*$</linux:version>
-        </linux:rpminfo_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_rhevh_rhel7_version:ste:1" version="1">
-          <ind:subexpression operation="pattern match">7</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:family_state id="oval:ssg-state_rhel8_unix_family:ste:1" version="1">
-          <ind:family>unix</ind:family>
-        </ind:family_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhel8:ste:1" version="1">
-          <linux:version operation="pattern match">^8.*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhel8_0:ste:1" version="1">
-          <linux:version operation="pattern match">^8.0*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhel8_1:ste:1" version="1">
-          <linux:version operation="pattern match">^8.1*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhel8_2:ste:1" version="1">
-          <linux:version operation="pattern match">^8.2*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhel8_3:ste:1" version="1">
-          <linux:version operation="pattern match">^8.3*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhel8_4:ste:1" version="1">
-          <linux:version operation="pattern match">^8.4*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhel8_5:ste:1" version="1">
-          <linux:version operation="pattern match">^8.5*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhel8_6:ste:1" version="1">
-          <linux:version operation="pattern match">^8.6*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhel8_7:ste:1" version="1">
-          <linux:version operation="pattern match">^8.7*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhel8_8:ste:1" version="1">
-          <linux:version operation="pattern match">^8.8*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhel8_9:ste:1" version="1">
-          <linux:version operation="pattern match">^8.9*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhel8_10:ste:1" version="1">
-          <linux:version operation="pattern match">^8.10*$</linux:version>
-        </linux:rpminfo_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_rhevh_rhel8_version:ste:1" version="1">
-          <ind:subexpression operation="pattern match">8</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:family_state id="oval:ssg-state_rhel9_unix_family:ste:1" version="1">
-          <ind:family>unix</ind:family>
-        </ind:family_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhel9:ste:1" version="1">
-          <linux:version operation="pattern match">^9.*$</linux:version>
-        </linux:rpminfo_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_rhevh_rhel9_version:ste:1" version="1">
-          <ind:subexpression operation="pattern match">9</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhvh4_version:ste:1" version="1">
-          <linux:evr datatype="evr_string" operation="greater than or equal">0:4.4</linux:evr>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_sl7:ste:1" version="1">
-          <linux:version operation="pattern match">^7.*$</linux:version>
-        </linux:rpminfo_state>
-        <ind:family_state id="oval:ssg-state_sle12_unix_family:ste:1" version="1">
-          <ind:family>unix</ind:family>
-        </ind:family_state>
-        <linux:rpminfo_state id="oval:ssg-state_sle12_desktop:ste:1" version="1">
-          <linux:version operation="pattern match">^12.*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_sle12_server:ste:1" version="1">
-          <linux:version operation="pattern match">^12.*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_sles_12_for_sap:ste:1" version="1">
-          <linux:version operation="pattern match">^12.*$</linux:version>
-        </linux:rpminfo_state>
-        <ind:family_state id="oval:ssg-state_sle15_unix_family:ste:1" version="1">
-          <ind:family>unix</ind:family>
-        </ind:family_state>
-        <linux:rpminfo_state id="oval:ssg-state_sle15_desktop:ste:1" version="1">
-          <linux:version operation="pattern match">^15.*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_sle15_server:ste:1" version="1">
-          <linux:version operation="pattern match">^15.*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_sles_15_for_sap:ste:1" version="1">
-          <linux:version operation="pattern match">^15.*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_uos20:ste:1" version="1">
-          <linux:version operation="pattern match">^20.*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_rhevm4_version:ste:1" version="1">
-          <linux:version operation="pattern match">^4.*$</linux:version>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_krb5_server_version_1_17_18:ste:1" version="1">
-          <linux:evr datatype="evr_string" operation="less than">0:1.17-18</linux:evr>
-        </linux:rpminfo_state>
-        <linux:rpminfo_state id="oval:ssg-state_krb5_workstation_version_1_17_18:ste:1" version="1">
-          <linux:evr datatype="evr_string" operation="less than">0:1.17-18</linux:evr>
-        </linux:rpminfo_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_proc_sys_kernel_osrelease_arch_aarch64:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^aarch64$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_proc_sys_kernel_osrelease_arch_ppc64le:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^ppc64le$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <ind:textfilecontent54_state id="oval:ssg-state_proc_sys_kernel_osrelease_arch_s390x:ste:1" version="1">
-          <ind:subexpression datatype="string" operation="pattern match">^s390x$</ind:subexpression>
-        </ind:textfilecontent54_state>
-        <unix:uname_state comment="64 bit architecture" id="oval:ssg-state_system_info_architecture_ppcle_64:ste:1" version="1">
-          <unix:processor_type operation="equals">ppc64le</unix:processor_type>
-        </unix:uname_state>
-      </oval-def:states>
-    </oval-def:oval_definitions>
-  </ds:component>
-</ds:data-stream-collection>